* feat: Redact secrets from policies. Includes publish pre-flight check for redaction markers.
* test: Add redact-secrets integration test
* docs: extend integration prerequisite skill to redact-secrets workflow
* fix: Set-ScriptLogPreferences in ScriptRuntime.psm1 to set the caller's VerbosePreference/DebugPreference via $PSCmdlet.SessionState. The previous Set-Variable -Scope 1 from a module function only affected the module's scope chain, so Write-Verbose output was silently suppressed.
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Elizabeth Maher <enewman@microsoft.com>
File: .github/skills/integration-test-prerequisites/SKILL.md (7 additions & 4 deletions)
@@ -1,18 +1,21 @@
1
1
---
2
2
name: "integration-test-prerequisites"
3
-
description: "Set up Azure and GitHub prerequisites for the integration-test workflow using a user-assigned managed identity, OIDC federated credentials, RBAC roles, and environment secrets. Use when troubleshooting AADSTS70025/AADSTS700213 or authorization failures during integration-test workflow runs."
3
+
description: "Set up Azure and GitHub prerequisites for integration workflows using a user-assigned managed identity, OIDC federated credentials, RBAC roles, and environment secrets. Use when troubleshooting AADSTS70025/AADSTS700213 or authorization failures during integration-test or integration-redact-secrets workflow runs."
4
4
domain: "ci-cd"
5
5
confidence: "high"
6
6
source: "manual + observed from integration-test OIDC and RBAC troubleshooting"
7
7
---
8
8
9
9
## Context
10
10
11
-
Use this skill when preparing or repairing prerequisites for`.github/workflows/integration-test.yml`.
11
+
Use this skill when preparing or repairing prerequisites for:
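Review bot: the unchanged `source:` front-matter line still cites only "integration-test OIDC and RBAC troubleshooting" while the new `description:` line extends the skill to the integration-redact-secrets workflow; update `source:` to record that the redact-secrets coverage was added manually rather than observed, so that `confidence: "high"` is not read as applying to a workflow whose failures have not yet been troubleshot. The new Context line `Use this skill when preparing or repairing prerequisites for:` should be followed by a list that names both workflow files, including the `.github/workflows/integration-test.yml` path carried by the removed line, so the existing reference is not lost.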
File: .squad/agents/apimexpert/history.md (14 additions & 0 deletions)
@@ -116,3 +116,17 @@ When comparing a *link-imported* API (e.g. Petstore via `swagger-link`/`openapi-
116
116
117
117
Round-trip comparison harness (`tests/integration/all-resource-types`) normalizes both via `RepresentationSchemaRefIgnoredProperties` and `ParameterIgnoredProperties`. Symptom if not stripped: every operation shows a `properties.request/responses/templateParameters` DIFF present-on-one-side-only.
118
118
119
+
### 2026-07-01: Overriding a policy to clear a redacted secret — possible but rarely the right fix
120
+
121
+
**Question that comes up:** when the extract-time secret redactor leaves `*** REDACTED ***` inline in a policy, can you clear the publish pre-flight guard by *overriding the policy* instead of fixing the source?
122
+
123
+
**Answer: yes, technically — but it's almost never the intended path.**
124
+
125
+
- All five policy types are wired into the override system (`src/services/override-merger.ts`): `ServicePolicy → policies`, `PolicyFragment → policyFragments` (direct); `ApiPolicy → apis.<api>.policies`, `ProductPolicy → products.<product>.policies` (child); `ApiOperationPolicy → apis.<api>.operations.<op>.policies` (grandchild).
126
+
- The publish payload for a policy is `{ properties: { value, format } }`, and `applyOverrides` deep-merges `properties`, so an override supplying `properties.value` replaces the policy XML wholesale.
127
+
- The pre-flight guard (`src/services/secret-redaction-guard.ts`) applies overrides **before** scanning for the marker — by design — so a policy override that yields clean content passes the check.
128
+
129
+
**Why it's the wrong tool for redacted secrets:**
130
+
- The marker is inserted **inline** inside the XML (e.g. inside a `set-header``<value>`), but overrides are **whole-value** replacements of `properties.value` — there is no inline/sub-string patch. You'd have to paste the entire policy XML (with the real secret) into a committed override file, re-introducing the plaintext secret that redaction removed.
131
+
- Intended remediation: change the **source** policy to reference a named value (`{{my-secret}}`) so redaction never triggers, then supply the secret via a named-value override or Key Vault reference. The docs' "Gotcha: Redacted secrets" section (`docs/guides/environment-overrides.md`) only covers named values — there is no documented "override a redacted policy" workflow, reflecting this.
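Review bot: the third bullet records that the pre-flight guard (`src/services/secret-redaction-guard.ts`) applies overrides before scanning for the `*** REDACTED ***` marker, and the first bullet under "Why it's the wrong tool" spells out the consequence: a committed override carrying the full policy XML with the real secret passes the guard. The note should state plainly that the guard only protects against shipping redaction markers, not against a plaintext secret re-entering through an override file, and the remediation bullet should say how named-value overrides that carry secrets are themselves kept out of the repository (or scanned), since `docs/guides/environment-overrides.md` is cited as covering only the named-value case and readers of this history entry will otherwise treat the policy-override path as a sanctioned workaround.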