Closed
Fix E2E .NET Semantic Kernel workflow failure when secrets are unavailable (fork PRs)#302
Conversation
…nstream steps; harden Acquire-BearerToken.ps1 param validation Agent-Logs-Url: https://github.com/microsoft/Agent365-Samples/sessions/39cf2346-86ab-4967-9c7f-6472420af3a7 Co-authored-by: gwharris7 <96964444+gwharris7@users.noreply.github.com>
Copilot
AI
changed the title
[WIP] Fix failing E2E for .NET Semantic Kernel workflow when secrets are unavailable
Fix E2E .NET Semantic Kernel workflow failure when secrets are unavailable (fork PRs)
May 5, 2026
Dependency Review✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.Scanned FilesNone |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
On fork PRs, GitHub doesn't expose repository secrets, causing
Acquire-BearerToken.ps1to be invoked with empty strings and PowerShell to throwCannot bind argument to parameter 'ClientId' because it is an empty string, failing the job.Workflow (
e2e-dotnet-semantic-kernel.yml)Acquire ****** (ROPC)only runs when all four secrets (MCP_CLIENT_ID,MCP_TENANT_ID,MCP_TEST_USERNAME,MCP_TEST_PASSWORD) are non-empty:Skip E2E (missing secrets)step with the inverse condition prints a clear message rather than silently doing nothing.Start Agent,Verify Agent Running,Restore E2E Test Dependencies, andRun .NET E2E Testsare gated onsteps.token.outputs.BEARER_TOKEN != ''— skipped automatically when the token step is skipped.if: always()steps (Emit Test Conversations,Capture Agent Logs,Stop Agent Process,Upload Test Results) are untouched; they already tolerate a no-op run.Script (
scripts/e2e/Acquire-BearerToken.ps1)Mandatory = $true→Mandatory = $falseto prevent PowerShell's binder from throwing before any user code runs.Original prompt
Fix failing E2E - .NET Semantic Kernel workflow when secrets are unavailable (e.g., fork PRs) by preventing PowerShell token acquisition from being invoked with empty parameters.
Context
.github/workflows/e2e-dotnet-semantic-kernel.ymlCannot bind argument to parameter 'ClientId' because it is an empty string.when running token acquisition.scripts/e2e/Acquire-BearerToken.ps1with secrets (MCP_CLIENT_ID,MCP_TENANT_ID,MCP_TEST_USERNAME,MCP_TEST_PASSWORD). On fork PRs, secrets are not provided, causing empty string arguments.Required changes
Update
.github/workflows/e2e-dotnet-semantic-kernel.ymlto:if: always()still run and do not fail when E2E steps are skipped.(Optional but preferred) Make the scripts more robust:
scripts/e2e/Acquire-BearerToken.ps1(and/or any wrapper logic) so it validates parameters and emits a friendly error message if called with empty values, rather than a PowerShell parameter binding failure. If this script is not present or not used, skip.Acceptance criteria
Repository: microsoft/Agent365-Samples
Base branch: main
The following is the prior conversation context from the user's chat exploration (may be truncated):
User: Please find a solution for this failing job. Use the logs, job definition, and any referenced files where the failure occurred. Keep your response focused on the solution and include code suggestions when appropriate.
Assistant: The job is failing because one of the PowerShell scripts is being invoked with an empty
-ClientIdargument:This comes from the workflow step “Acquire Bearer Token (ROPC)” in
.github/workflows/e2e-dotnet-semantic-kernel.ymlat refe442d7856ee43d49951ff6ec3daecb80be9552a9, which calls:On PR runs from forks (and in some repo setups), GitHub does not provide repository secrets to the workflow, so
${{ secrets.MCP_CLIENT_ID }}resolves to an empty string, which PowerShell rejects for a mandatory parameter.Fix (recommended): Guard the step + skip E2E when secrets are unavailable
Update the workflow to only attempt token acquisition (and subsequent agent start/tests) when the required secrets exist, and otherwise skip with a clear message. Example patch:
Then gate the dependent steps (Start Agent / Verify Agent Running / Run .NET E2E Tests) so they only run when the token step ran successfully: