Skip to content

Fix E2E .NET Semantic Kernel workflow failure when secrets are unavailable (fork PRs)#302

Closed
gwharris7 with Copilot wants to merge 2 commits into
mainfrom
copilot/fix-e2e-dotnet-semantic-kernel
Closed

Fix E2E .NET Semantic Kernel workflow failure when secrets are unavailable (fork PRs)#302
gwharris7 with Copilot wants to merge 2 commits into
mainfrom
copilot/fix-e2e-dotnet-semantic-kernel

Conversation

Copilot AI commented May 5, 2026

Copy link
Copy Markdown
Contributor

On fork PRs, GitHub doesn't expose repository secrets, causing Acquire-BearerToken.ps1 to be invoked with empty strings and PowerShell to throw Cannot bind argument to parameter 'ClientId' because it is an empty string, failing the job.

Workflow (e2e-dotnet-semantic-kernel.yml)

  • Guard on token step: Acquire ****** (ROPC) only runs when all four secrets (MCP_CLIENT_ID, MCP_TENANT_ID, MCP_TEST_USERNAME, MCP_TEST_PASSWORD) are non-empty:
    if: ${{ secrets.MCP_CLIENT_ID != '' && secrets.MCP_TENANT_ID != '' && secrets.MCP_TEST_USERNAME != '' && secrets.MCP_TEST_PASSWORD != '' }}
  • Explicit skip step: New Skip E2E (missing secrets) step with the inverse condition prints a clear message rather than silently doing nothing.
  • Gate downstream steps: Start Agent, Verify Agent Running, Restore E2E Test Dependencies, and Run .NET E2E Tests are gated on steps.token.outputs.BEARER_TOKEN != '' — skipped automatically when the token step is skipped.
  • Cleanup steps unchanged: if: always() steps (Emit Test Conversations, Capture Agent Logs, Stop Agent Process, Upload Test Results) are untouched; they already tolerate a no-op run.

Script (scripts/e2e/Acquire-BearerToken.ps1)

  • Changed all four required params from Mandatory = $trueMandatory = $false to prevent PowerShell's binder from throwing before any user code runs.
  • Added explicit pre-validation that collects all missing/empty params and emits a single actionable error naming the missing secrets:
    $missingParams = @()
    if ([string]::IsNullOrEmpty($ClientId))  { $missingParams += 'ClientId' }
    # ...
    if ($missingParams.Count -gt 0) {
        Write-Error "Cannot acquire bearer token: the following required parameters are missing or empty: $($missingParams -join ', '). Ensure the required secrets (MCP_CLIENT_ID, ...) are configured for this workflow run."
        exit 1
    }
Original prompt

Fix failing E2E - .NET Semantic Kernel workflow when secrets are unavailable (e.g., fork PRs) by preventing PowerShell token acquisition from being invoked with empty parameters.

Context

  • Workflow: .github/workflows/e2e-dotnet-semantic-kernel.yml
  • Failure observed in Actions logs: PowerShell error Cannot bind argument to parameter 'ClientId' because it is an empty string. when running token acquisition.
  • The workflow calls scripts/e2e/Acquire-BearerToken.ps1 with secrets (MCP_CLIENT_ID, MCP_TENANT_ID, MCP_TEST_USERNAME, MCP_TEST_PASSWORD). On fork PRs, secrets are not provided, causing empty string arguments.

Required changes

  1. Update .github/workflows/e2e-dotnet-semantic-kernel.yml to:

    • Add a guard so the "Acquire Bearer Token (ROPC)" step only runs when required secrets are present (non-empty).
    • Add a clear "Skip E2E (missing secrets)" step that runs when secrets are missing to explain why tests are skipped.
    • Gate downstream steps that depend on the bearer token (Start Agent, Verify Agent Running, Run .NET E2E Tests) so they only run when a bearer token is available.
    • Ensure cleanup / artifact steps that use if: always() still run and do not fail when E2E steps are skipped.
  2. (Optional but preferred) Make the scripts more robust:

    • Update scripts/e2e/Acquire-BearerToken.ps1 (and/or any wrapper logic) so it validates parameters and emits a friendly error message if called with empty values, rather than a PowerShell parameter binding failure. If this script is not present or not used, skip.

Acceptance criteria

  • On runs where secrets are not available, the workflow job should not fail at token acquisition; it should skip E2E execution with a clear message and complete successfully.
  • On runs where secrets are provided, the workflow should behave exactly as before and still run full E2E.
  • Keep changes minimal and well-commented.

Repository: microsoft/Agent365-Samples
Base branch: main

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: Please find a solution for this failing job. Use the logs, job definition, and any referenced files where the failure occurred. Keep your response focused on the solution and include code suggestions when appropriate.

Assistant: The job is failing because one of the PowerShell scripts is being invoked with an empty -ClientId argument:

Cannot bind argument to parameter 'ClientId' because it is an empty string.

This comes from the workflow step “Acquire Bearer Token (ROPC)” in .github/workflows/e2e-dotnet-semantic-kernel.yml at ref e442d7856ee43d49951ff6ec3daecb80be9552a9, which calls:

- name: Acquire Bearer Token (ROPC)
  run: |
    $token = & "scripts/e2e/Acquire-BearerToken.ps1" `
      -ClientId "${{ secrets.MCP_CLIENT_ID }}" `
      -TenantId "${{ secrets.MCP_TENANT_ID }}" `
      -Username "${{ secrets.MCP_TEST_USERNAME }}" `
      -Password "${{ secrets.MCP_TEST_PASSWORD }}"

On PR runs from forks (and in some repo setups), GitHub does not provide repository secrets to the workflow, so ${{ secrets.MCP_CLIENT_ID }} resolves to an empty string, which PowerShell rejects for a mandatory parameter.

Fix (recommended): Guard the step + skip E2E when secrets are unavailable

Update the workflow to only attempt token acquisition (and subsequent agent start/tests) when the required secrets exist, and otherwise skip with a clear message. Example patch:

      - name: Acquire Bearer Token (ROPC)
        id: token
        if: ${{ secrets.MCP_CLIENT_ID != '' && secrets.MCP_TENANT_ID != '' && secrets.MCP_TEST_USERNAME != '' && secrets.MCP_TEST_PASSWORD != '' }}
        shell: pwsh
        run: |
          $token = & "${{ env.SCRIPTS_PATH }}/Acquire-BearerToken.ps1" `
            -ClientId "${{ secrets.MCP_CLIENT_ID }}" `
            -TenantId "${{ secrets.MCP_TENANT_ID }}" `
            -Username "${{ secrets.MCP_TEST_USERNAME }}" `
            -Password "${{ secrets.MCP_TEST_PASSWORD }}"
          echo "BEARER_TOKEN=$token" >> $env:GITHUB_OUTPUT
          echo "::add-mask::$token"

      - name: Skip E2E (missing secrets)
        if: ${{ secrets.MCP_CLIENT_ID == '' || secrets.MCP_TENANT_ID == '' || secrets.MCP_TEST_USERNAME == '' || secrets.MCP_TEST_PASSWORD == '' }}
        shell: pwsh
        run: |
          Write-Host "E2E secrets are not available for this run (likely a fork PR). Skipping token acquisition and E2E steps."

Then gate the dependent steps (Start Agent / Verify Agent Running / Run .NET E2E Tests) so they only run when the token step ran successfully:

      - name: Start Agent
        id: start-agent
        if: ${{ steps.token.outputs.BEARER_TOKEN != '' }}
        shell: pwsh
        run: |
          $agentPid = & "${{ env.SCRIPTS_PATH }}/Start-Agent.ps1" `
            -AgentPath "${{ env.SAMPLE_PATH }}" `
            -StartCommand "dotnet run --no-build" `
            -Port ${{ env.AGENT_PORT }} `
 ...

</details>



<!-- START COPILOT CODING AGENT SUFFIX -->

*This pull request was created from Copilot chat.*
>

…nstream steps; harden Acquire-BearerToken.ps1 param validation

Agent-Logs-Url: https://github.com/microsoft/Agent365-Samples/sessions/39cf2346-86ab-4967-9c7f-6472420af3a7

Co-authored-by: gwharris7 <96964444+gwharris7@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix failing E2E for .NET Semantic Kernel workflow when secrets are unavailable Fix E2E .NET Semantic Kernel workflow failure when secrets are unavailable (fork PRs) May 5, 2026
Copilot AI requested a review from gwharris7 May 5, 2026 22:14
@github-actions

github-actions Bot commented May 5, 2026

Copy link
Copy Markdown

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

@gwharris7 gwharris7 closed this May 5, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants