Skip to content

fix(server): Send Azure DevOps token via git extra headers (#23478) #23631

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Jul 29, 2025
Merged

fix(server): Send Azure DevOps token via git extra headers (#23478) #23631

merged 2 commits into from
Jul 29, 2025

Conversation

mikebordon
Copy link
Contributor

@mikebordon mikebordon commented Jul 1, 2025
edited
Loading

The project's "Git Askpass" implementation only supports username-password authentication, but Azure DevOps specifically requires the token be provided via an Authorization-Bearer request header. This change replaces the "store" approach required by the former in favor of the environment variable mechanism currently leveraged for HTTPS credentials when a bearer token is provided.

Fixes #23478

Checklist:

  • Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
  • The title of the PR states what changed and the related issues number (used for the release note).
  • The title of the PR conforms to the Toolchain Guide
  • I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
  • I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
  • Does this PR require documentation updates?
  • I've updated documentation as required by this PR.
  • I have signed off all my commits as required by DCO
  • I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
  • My build is green (troubleshooting builds).
  • My new feature complies with the feature status guidelines.
  • I have added a brief description of why this PR is necessary and/or what this PR solves.
  • Optional. My organization is added to USERS.md.
  • Optional. For bug fixes, I've indicated what older releases this fix should be cherry-picked into (this may or may not happen depending on risk/complexity).

@bunnyshell Bunnyshell
Copy link

bunnyshell bot commented Jul 1, 2025
edited
Loading

❌ Preview Environment deleted from Bunnyshell

Available commands (reply to this comment):

  • 🚀 /bns:deploy to deploy the environment

@codecov Codecov
Copy link

codecov bot commented Jul 1, 2025
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 60.17%. Comparing base (d5383de) to head (cc2f650).
⚠️ Report is 32 commits behind head on master.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master   #23631      +/-   ##
==========================================
- Coverage   60.18%   60.17%   -0.01%     
==========================================
  Files         346      346              
  Lines       59248    59249       +1     
==========================================
- Hits        35656    35652       -4     
- Misses      20730    20732       +2     
- Partials     2862     2865       +3

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@mikebordon mikebordon force-pushed the fix/azure-workload-identity-repos-p2 branch from 1397e2a to cf6f56e Compare July 2, 2025 12:56
@mikebordon mikebordon marked this pull request as ready for review July 2, 2025 13:40
@mikebordon mikebordon requested a review from a team as a code owner July 2, 2025 13:40
@agaudreault
Copy link
Member

@jagpreetstamber do you mind validating this issue/pr?

agaudreault
agaudreault requested changes Jul 2, 2025
View reviewed changes
util/git/creds.go
return nil
}), env, nil
var env []string
env = append(env, fmt.Sprintf("%s=Authorization: Bearer %s", bearerAuthHeaderEnv, token))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't see a reason to remove the credsStore. Perhaps the only change necessary is to do an approach similar to HTTPSCreds?

argo-cd/util/git/creds.go

Lines 243 to 246 in c60a727

} else if creds.bearerToken != "" {
// If bearer token is set, we will set ARGOCD_BEARER_AUTH_HEADER to hold the HTTP authorization header
env = append(env, fmt.Sprintf("%s=%s", bearerAuthHeaderEnv, creds.BearerAuthHeader()))
}

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Initially I had left it in there, but then I realized it ultimately becomes unused (because it doesn't work as-is). But I can definitely restore it if you'd prefer that.

@mikebordon mikebordon force-pushed the fix/azure-workload-identity-repos-p2 branch 2 times, most recently from a1b19e8 to f77c759 Compare July 2, 2025 20:31
@mikebordon mikebordon requested a review from agaudreault July 2, 2025 21:21
@mikebordon
Copy link
Contributor Author

Hi @agaudreault. Have you had a chance to review after the last push to incorporate your requested change? Please let me know if you have any other concerns which I can address.

@mikebordon mikebordon force-pushed the fix/azure-workload-identity-repos-p2 branch 2 times, most recently from 5107b7d to 53997fe Compare July 11, 2025 14:58
@mikebordon mikebordon force-pushed the fix/azure-workload-identity-repos-p2 branch from 53997fe to 7419946 Compare July 21, 2025 14:28
@mikebordon
Send Azure DevOps token via git extra headers
8d0cd95 
Signed-off-by: Mike Bordon <mikebordon@gmail.com>
@mikebordon
Restore CredsStore, per PR feedback
cc2f650 
Signed-off-by: Mike Bordon <mikebordon@gmail.com>
@mikebordon mikebordon force-pushed the fix/azure-workload-identity-repos-p2 branch from 7419946 to cc2f650 Compare July 22, 2025 14:06
@mikebordon mikebordon mentioned this pull request Jul 22, 2025
Closed
3 tasks
@mikebordon
Copy link
Contributor Author

@agaudreault This PR is still blocked by your previous change for request. Could you please re-review when you have a chance (or clear your vote since @rumstead has now approved)?

@agaudreault agaudreault merged commit 796f72c into argoproj:master Jul 29, 2025
28 checks passed
@rumstead
Copy link
Member

/cherry-pick release-3.1

rumstead pushed a commit to rumstead/argo-cd that referenced this pull request Aug 21, 2025
@mikebordon @rumstead
fix(server): Send Azure DevOps token via git extra headers (argoproj#…
637f3c2 
…23478) (argoproj#23631)

Signed-off-by: Mike Bordon <mikebordon@gmail.com>
rumstead pushed a commit to rumstead/argo-cd that referenced this pull request Aug 21, 2025
@mikebordon @rumstead
fix(server): Send Azure DevOps token via git extra headers (argoproj#…
6de308d 
…23478) (argoproj#23631)

Signed-off-by: Mike Bordon <mikebordon@gmail.com>
Signed-off-by: rumstead <37445536+rumstead@users.noreply.github.com>
rumstead pushed a commit to rumstead/argo-cd that referenced this pull request Aug 21, 2025
@mikebordon @rumstead
fix(server): Send Azure DevOps token via git extra headers (argoproj#…
1986531 
…23478) (argoproj#23631)

Signed-off-by: Mike Bordon <mikebordon@gmail.com>
Signed-off-by: rumstead <37445536+rumstead@users.noreply.github.com>
@rumstead rumstead mentioned this pull request Aug 21, 2025
Merged
14 tasks
agaudreault pushed a commit that referenced this pull request Aug 21, 2025
@rumstead @mikebordon
fix(server): Send Azure DevOps token via git extra headers (#23478) (#…
eb72a0b 
…23631) (#24223)

Signed-off-by: Mike Bordon <mikebordon@gmail.com>
Signed-off-by: rumstead <37445536+rumstead@users.noreply.github.com>
Co-authored-by: mikebordon <31316193+mikebordon@users.noreply.github.com>
rumstead added a commit that referenced this pull request Aug 22, 2025
@rumstead @mikebordon
fix(server): Send Azure DevOps token via git extra headers (#23478) (#…
46e7c00 
…23631) (#24222)

Signed-off-by: Mike Bordon <mikebordon@gmail.com>
Signed-off-by: rumstead <37445536+rumstead@users.noreply.github.com>
Co-authored-by: mikebordon <31316193+mikebordon@users.noreply.github.com>
enneitex pushed a commit to enneitex/argo-cd that referenced this pull request Aug 24, 2025
@mikebordon @enneitex
fix(server): Send Azure DevOps token via git extra headers (argoproj#…
c29a6ba 
…23478) (argoproj#23631)

Signed-off-by: Mike Bordon <mikebordon@gmail.com>
Signed-off-by: enneitex <etienne.divet@gmail.com>
downfa11 pushed a commit to downfa11/argo-cd that referenced this pull request Aug 25, 2025
@mikebordon @downfa11
fix(server): Send Azure DevOps token via git extra headers (argoproj#…
3b7d384 
…23478) (argoproj#23631)

Signed-off-by: Mike Bordon <mikebordon@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rumstead rumstead rumstead approved these changes

@agaudreault agaudreault agaudreault approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Unable to use workload identity for AzureDevops repository
3 participants
@mikebordon @agaudreault @rumstead