Refresh GitHub App installation token before pushing to azure-sdk-for-net #10737

Draft: Copilot wants to merge 6 commits into main from copilot/fix-auth-issue-for-git-push

Copilot AI commented May 19, 2026

Submit-AzureSdkForNetPr.ps1 fails at git push with "Invalid username or token. Password authentication is not supported for Git operations." after regenerating Azure data-plane / mgmt libraries.

#10710 fixed the URL scheme (x-access-token:<token>) but didn't address token lifetime: the CreatePR job mints a GitHub App installation token once up front, then Submit-AzureSdkForNetPr.ps1 regenerates SDKs (118 files / 6353 insertions in the failing run) before pushing. Installation tokens expire after 1 hour, so the regen routinely outlives the token.

Changes

  • Submit-AzureSdkForNetPr.ps1 — Immediately before git push, invoke eng/common/scripts/login-to-github.ps1 to mint a fresh installation token, then use it for both the push URL and (via $env:GH_TOKEN) gh pr create. The login script is invoked with the same params as the login-to-github.yml template at publish.yml#L221 (-InstallationTokenOwners 'Azure' -VariableNamePrefix 'GH_TOKEN'). Existence of the refreshed token is checked via Test-Path Env:GH_TOKEN to avoid dereferencing the value. Falls back to the original $AuthToken with a warning when the login script is unavailable or fails (e.g., local/manual runs with a classic PAT).

  • packages/http-client-csharp/eng/pipeline/publish.yml — Switch the step that runs Submit-AzureSdkForNetPr.ps1 from PowerShell@2 to AzureCLI@2 (with azureSubscription: "AzureSDKEngKeyVault Secrets", the same subscription login-to-github.yml uses). The az CLI auth from the upstream AzureCLI@2-based login-to-github.yml step does not persist into the next task, so the in-script call to login-to-github.ps1 previously failed to sign the JWT with Key Vault (ERROR: Please run 'az login' to setup account.). Running the script under AzureCLI@2 gives it the az auth context it needs to mint a fresh installation token mid-run.

$loginScript = Join-Path $PSScriptRoot "../../../../eng/common/scripts/login-to-github.ps1"
if (Test-Path $loginScript) {
    try {
        & $loginScript -InstallationTokenOwners 'Azure' -VariableNamePrefix 'GH_TOKEN'
        if ($LASTEXITCODE -eq 0 -and (Test-Path Env:GH_TOKEN)) {
            $AuthToken = $env:GH_TOKEN
        }
    } catch {
        Write-Warning "Failed to refresh token: $($_.Exception.Message). Falling back."
    }
}

$remoteUrl = "******github.com/$RepoOwner/$RepoName.git"
git push $remoteUrl $PRBranch

Agent-Logs-Url: https://github.com/microsoft/typespec/sessions/976a4f83-a1bd-415f-be94-7cef61cd4f69

Co-authored-by: jorgerangel-msft <102122018+jorgerangel-msft@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix authentication issue causing git push failure" to "Refresh GitHub App installation token before pushing to azure-sdk-for-net" May 19, 2026
microsoft-github-policy-service Bot added the emitter:client:csharp label (Issue for the C# client emitter: @typespec/http-client-csharp) May 19, 2026
Copilot AI requested a review from jorgerangel-msft May 19, 2026 20:03
Agent-Logs-Url: https://github.com/microsoft/typespec/sessions/9410e129-7681-41bf-886a-3d9f44856866

Co-authored-by: jorgerangel-msft <102122018+jorgerangel-msft@users.noreply.github.com>
pkg-pr-new Bot commented May 19, 2026

npm i https://pkg.pr.new/@typespec/http-client-csharp@10737

commit: c233721

Agent-Logs-Url: https://github.com/microsoft/typespec/sessions/6d407921-0181-48ea-92a4-e092bb0a3e5a

Co-authored-by: jorgerangel-msft <102122018+jorgerangel-msft@users.noreply.github.com>
}

$loginScript = Join-Path $PSScriptRoot "../../../../eng/common/scripts/login-to-github.ps1"
if (Test-Path $loginScript) {
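
Review bot: the Test-Path guard on $loginScript means a path that does not resolve skips the refresh entirely, and per the PR description the push then goes out with the original $AuthToken and only a warning. In the pipeline that original token was minted before regeneration and is the one that expires, so a missing or failing login script there should be a hard error (for example when $env:TF_BUILD is set), with the fallback kept for local runs that use a classic PAT. The four-level relative path ../../../../ will also break quietly if either script moves; resolving it from the repository root would make that failure obvious.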

@copilot it looks like this is failing in CI on regeneration:

Refreshing GitHub App installation token before push...
Generating GitHub App JWT by signing via Azure Key Vault (no key export)...
ERROR: Please run 'az login' to setup account.
WARNING: Failed to refresh GitHub App installation token: Failed to sign JWT with Azure Key Vault. Error: . Falling back to existing token.
Pushing branch to remote...
remote: Invalid username or token. Password authentication is not supported for Git operations.

Good catch — root cause is that az login context from the prior AzureCLI@2 task in login-to-github.yml does not persist into the next PowerShell@2 task. So when Submit-AzureSdkForNetPr.ps1 later invokes login-to-github.ps1 to mint a fresh token, the JWT-signing call to Key Vault fails with Please run 'az login'.

Fixed in 32061c1 by switching the script's task in publish.yml from PowerShell@2 to AzureCLI@2 (with azureSubscription: "AzureSDKEngKeyVault Secrets" — the same subscription login-to-github.yml uses). The script now runs inside an az-authenticated context, so the in-script login-to-github.ps1 call right before git push can sign the JWT and produce a fresh installation token.
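
A hardened form of the refresh-then-push step discussed in this thread, as an added example (not code from the PR or from the azure-sdk tooling). `Get-FreshPushToken` and `Invoke-TokenPush` are hypothetical names; detecting a pipeline run through `TF_BUILD` and sending the token as a header instead of in the push URL are assumptions layered on the login-script parameters quoted in the PR description.

```powershell
# Added example: hypothetical helpers, not code from the PR.
function Get-FreshPushToken {
    param(
        [Parameter(Mandatory)] [string] $LoginScript,  # path to login-to-github.ps1
        [string] $FallbackToken                        # token minted at job start; may be expired
    )
    $failure = $null
    if (-not (Test-Path $LoginScript)) {
        $failure = "login script not found: $LoginScript"
    } else {
        # Clear any earlier value so that finding GH_TOKEN afterwards proves this call set it.
        Remove-Item Env:GH_TOKEN -ErrorAction SilentlyContinue
        $global:LASTEXITCODE = 0   # do not read a stale exit code from an earlier native command
        try {
            # Out-Host keeps the script's output out of this function's return value.
            & $LoginScript -InstallationTokenOwners 'Azure' -VariableNamePrefix 'GH_TOKEN' | Out-Host
            if ($LASTEXITCODE -ne 0) { $failure = "login script exited with code $LASTEXITCODE" }
            elseif (-not (Test-Path Env:GH_TOKEN)) { $failure = 'login script did not set GH_TOKEN' }
        } catch {
            $failure = $_.Exception.Message
        }
    }
    if (-not $failure) { return $env:GH_TOKEN }
    # TF_BUILD is 'True' on Azure Pipelines agents; the fallback token there predates the
    # regeneration, so fail with the real cause instead of a later git authentication error.
    if ($env:TF_BUILD -eq 'True') { throw "Token refresh failed: $failure" }
    if (-not $FallbackToken) { throw "Token refresh failed and no fallback token given: $failure" }
    Write-Warning "Token refresh failed ($failure). Falling back to the supplied token."
    $env:GH_TOKEN = $FallbackToken   # keep gh pr create working in local/manual runs
    return $FallbackToken
}

function Invoke-TokenPush {
    param([string] $Token, [string] $RepoOwner, [string] $RepoName, [string] $Branch)
    # Alternative to a token-bearing push URL: send the token as a Basic auth header via
    # git's environment config (GIT_CONFIG_COUNT, Git 2.31+), outside the URL and argument list.
    $basic = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes("x-access-token:$Token"))
    $env:GIT_CONFIG_COUNT   = '1'
    $env:GIT_CONFIG_KEY_0   = 'http.https://github.com/.extraheader'
    $env:GIT_CONFIG_VALUE_0 = "AUTHORIZATION: basic $basic"
    try {
        git push "https://github.com/$RepoOwner/$RepoName.git" $Branch
        if ($LASTEXITCODE -ne 0) { throw "git push failed with exit code $LASTEXITCODE" }
    } finally {
        Remove-Item Env:GIT_CONFIG_COUNT, Env:GIT_CONFIG_KEY_0, Env:GIT_CONFIG_VALUE_0 -ErrorAction SilentlyContinue
    }
}
```

With this shape, the CI log quoted above would stop at the Key Vault signing error rather than continuing to a push that fails with "Invalid username or token".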

Agent-Logs-Url: https://github.com/microsoft/typespec/sessions/9c22b003-fc98-43a7-9d71-358418d8c3ed

Co-authored-by: jorgerangel-msft <102122018+jorgerangel-msft@users.noreply.github.com>
Agent-Logs-Url: https://github.com/microsoft/typespec/sessions/3afb1f37-38bd-4b31-90b1-d527752293ae

Co-authored-by: jorgerangel-msft <102122018+jorgerangel-msft@users.noreply.github.com>
Successfully merging this pull request may close these issues.

Regen Preview Pipeline is Failing To Create PR in the .NET Repo