Switch PAT to GitHubApps #8616

Open
chidozieononiwu wants to merge 1 commit into main from pat-to-github-apps

@chidozieononiwu

This pull request updates several pipeline templates to standardize GitHub authentication and token usage. The main improvements are the switch from the azuresdk-github-pat variable to GH_TOKEN for GitHub authentication, and the addition of a shared login step to ensure tokens are properly configured. These changes improve maintainability and security by centralizing authentication logic and making token ownership explicit.

Authentication and Token Management Improvements:

  • Replaced usage of the azuresdk-github-pat variable with GH_TOKEN for the GitHubToken and GitHubPat parameters in multiple pipeline templates, including publish-cli.yml, publish-extension.yml, publish-cli-winget.yml, set-git-credentials.yml, and update-prcomment.yml. This ensures consistency and better aligns with current token management practices.

  • Added the /eng/common/pipelines/templates/steps/login-to-github.yml template step to all relevant pipeline templates. This step ensures that GitHub authentication is properly established before any GitHub-related actions are performed.

Token Ownership Explicitness:

  • Updated the login step to explicitly set TokenOwners based on repository or username context, improving traceability and clarity of token usage in the pipeline.

These changes collectively improve the security, clarity, and maintainability of the CI/CD pipeline authentication process.
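
A check a reviewer could run over the step templates named above, as an added example that is not part of the pull request or the repository: it flags leftover references to azuresdk-github-pat and any use of $(GH_TOKEN), or of a parameter defaulting to it, before the login-to-github.yml step. The sample templates, the file names and the line-based parsing are assumptions made for illustration.

```python
import re

LEGACY = "azuresdk-github-pat"   # variable the PR retires
TOKEN = "$(GH_TOKEN)"            # variable the PR switches to
LOGIN = re.compile(r"^\s*-\s*template:\s*\S*/login-to-github\.yml\s*$")
PARAM_NAME = re.compile(r"^\s*-\s*name:\s*(\w+)\s*$")
PARAM_DEFAULT = re.compile(r"^\s*default:\s*(.+?)\s*$")

def audit_template(path, text):
    """Return (path, line_no, finding) tuples for one step template."""
    findings, token_refs = [], [TOKEN]
    in_steps = logged_in = False
    last_param = None
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # skip comment lines
        if LEGACY in line:
            findings.append((path, no, "legacy PAT variable referenced"))
        if not in_steps:
            # Parameter block: remember parameters that default to GH_TOKEN.
            if line.strip() == "steps:":
                in_steps = True
            elif m := PARAM_NAME.match(line):
                last_param = m.group(1)
            elif (m := PARAM_DEFAULT.match(line)) and last_param and TOKEN in m.group(1):
                token_refs.append("parameters." + last_param)
        elif LOGIN.match(line):
            logged_in = True
        elif not logged_in and any(
            re.search(re.escape(ref) + r"(?![\w-])", line) for ref in token_refs
        ):
            findings.append((path, no, "token used before login-to-github.yml"))
    return findings

# Constructed sample: token parameter migrated, login step forgotten.
MISSING_LOGIN = """\
parameters:
  - name: GitHubToken
    default: $(GH_TOKEN)
steps:
  - pwsh: gh release view v1
    env:
      GH_TOKEN: ${{ parameters.GitHubToken }}
"""

# Constructed sample: login step precedes the first token use.
MIGRATED = MISSING_LOGIN.replace(
    "steps:\n",
    "steps:\n  - template: /eng/common/pipelines/templates/steps/login-to-github.yml\n",
)

if __name__ == "__main__":
    for name, text in (("missing-login.yml", MISSING_LOGIN), ("migrated.yml", MIGRATED)):
        print(name, audit_template(name, text) or "ok")
```
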

chidozieononiwu self-assigned this Jun 11, 2026
Copilot AI review requested due to automatic review settings June 11, 2026 21:35
@github-actions

🔗 Linked Issue Required

Thanks for the contribution! Please link a GitHub issue to this PR by adding Fixes #123 to the description or using the sidebar.
No issue yet? Feel free to create one!

Copilot AI left a comment

Pull request overview

This PR updates Azure DevOps pipeline step templates to standardize GitHub authentication by switching from the legacy azuresdk-github-pat variable to a GitHub App–minted GH_TOKEN, and by adding a shared login-to-github.yml step to centralize token acquisition.

Changes:

  • Replaced $(azuresdk-github-pat) usage with $(GH_TOKEN) (or parameters defaulting to it) across multiple templates.
  • Added /eng/common/pipelines/templates/steps/login-to-github.yml ahead of GitHub CLI / token-dependent actions, with explicit TokenOwners in most templates.
  • Updated templates to make token ownership more explicit/traceable via TokenOwners.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| eng/pipelines/templates/steps/update-prcomment.yml | Uses GH_TOKEN by default and adds a GitHub App login step with owner derived from Repo. |
| eng/pipelines/templates/steps/set-git-credentials.yml | Switches git credential token default to GH_TOKEN and adds a GitHub App login step. |
| eng/pipelines/templates/steps/publish-extension.yml | Adds GitHub App login step and replaces PAT usage with GH_TOKEN for gh operations. |
| eng/pipelines/templates/steps/publish-cli.yml | Adds GitHub App login step (conditional) and replaces PAT usage with GH_TOKEN for gh operations. |
| eng/pipelines/templates/steps/publish-cli-winget.yml | Switches default token to GH_TOKEN and adds GitHub App login step before WinGet submission. |

Comment on lines +7 to +11
- template: /eng/common/pipelines/templates/steps/login-to-github.yml
parameters:
TokenOwners:
- ${{ parameters.Username }}
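
Review bot: the TokenOwners entry takes ${{ parameters.Username }} as-is, and nothing in these lines guarantees the value is set, so if Username has no default or is passed empty the login step is handed an empty owner. Suggest marking Username as required (or failing fast when it is empty) and noting next to the parameter that it must name the account the token is to be issued for.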

Comment thread eng/pipelines/templates/steps/publish-cli-winget.yml
vhvb1989 added the skip-governance (Skip PR governance checks) label Jun 11, 2026