Task 42348: Fix forked repo local SQL Server passwords

paulmedynski · paulmedynski · commit 06b581082bae · 2026-02-11T10:08:23.000-04:00
- Addressed Copilot feedback.
diff --git a/eng/pipelines/common/templates/jobs/ci-run-tests-job.yml b/eng/pipelines/common/templates/jobs/ci-run-tests-job.yml
@@ -162,9 +162,9 @@ jobs:
   # DevOps Library groups.  This includes the $(Password) used to configure local SQL Server
   # instances.  In such a case, we must generate a random password and clobber $(Password).
   #
-  # From this point forward in this stage, any pipeline runtime expansion of $(Password) will use
-  # the random value.  This includes the SQL Server config templates (configure-sql-server-*.yml),
-  # and the expansion of connection strings via our configProperties parameter.
+  # From this point forward in this job, any pipeline runtime expansion of $(Password) will use the
+  # random value.  This includes the SQL Server config templates (configure-sql-server-*.yml), and
+  # the expansion of connection strings via our configProperties parameter.
   #
   # Azure Pipelines provides the System.PullRequest.IsFork variable that is available at template
   # expansion time.  See:
diff --git a/eng/pipelines/common/templates/steps/configure-sql-server-win-step.yml b/eng/pipelines/common/templates/steps/configure-sql-server-win-step.yml
@@ -259,7 +259,6 @@ steps:
         }
     }
   displayName: 'Start Sql Server Browser [Win]'
-  condition: ${{parameters.condition }}
 
 - ${{ if parameters.enableLocalDB }}:
   - powershell: |
diff --git a/eng/pipelines/dotnet-sqlclient-ci-core.yml b/eng/pipelines/dotnet-sqlclient-ci-core.yml
@@ -442,10 +442,10 @@ stages:
             TCPConnectionString: $(AZURE_DB_TCP_CONN_STRING)
             NPConnectionString: $(AZURE_DB_NP_CONN_STRING)
             AADAuthorityURL: $(AADAuthorityURL)
-            # Note: Using the isFork variable to determine if secrets are available is not ideal since
-            # it's an indirect association. But everything else (referencing secret variables various
-            # ways to detect if they were present) won't run consistently across forks and non-forks.
-            ${{ if eq(variables['system.pullRequest.isFork'], 'False') }}:
+            # Pipeline runs against forks of the repo don't have access to Library secrets, so we
+            # omit them entirely from the configProperties, which causes the dependent tests to be
+            # skipped.
+            ${{ if eq(variables['System.PullRequest.IsFork'], 'False') }}:
               AADPasswordConnectionString: $(AAD_PASSWORD_CONN_STR)
               AADServicePrincipalSecret: $(AADServicePrincipalSecret)
             AADServicePrincipalId: $(AADServicePrincipalId)
@@ -474,7 +474,7 @@ stages:
             TCPConnectionString: $(AZURE_DB_TCP_CONN_STRING_eastus)
             NPConnectionString: $(AZURE_DB_NP_CONN_STRING_eastus)
             AADAuthorityURL: $(AADAuthorityURL)
-            ${{ if eq(variables['system.pullRequest.isFork'], 'False') }}:
+            ${{ if eq(variables['System.PullRequest.IsFork'], 'False') }}:
               AADPasswordConnectionString: $(AAD_PASSWORD_CONN_STR_eastus)
               AADServicePrincipalSecret: $(AADServicePrincipalSecret)
             AADServicePrincipalId: $(AADServicePrincipalId)
@@ -529,7 +529,7 @@ stages:
             TCPConnectionString: $(AZURE_DB_TCP_CONN_STRING)
             NPConnectionString: $(AZURE_DB_NP_CONN_STRING)
             AADAuthorityURL: $(AADAuthorityURL)
-            ${{ if eq(variables['system.pullRequest.isFork'], 'False') }}:
+            ${{ if eq(variables['System.PullRequest.IsFork'], 'False') }}:
               AADPasswordConnectionString: $(AAD_PASSWORD_CONN_STR)
               AADServicePrincipalSecret: $(AADServicePrincipalSecret)
             AADServicePrincipalId: $(AADServicePrincipalId)
@@ -565,9 +565,9 @@ stages:
 
         # Enclave tests
         #
-        # Only run the AE tests if enable and if we have access to the necessary
-        # secrets.
-        ${{ if and(eq(parameters.runAlwaysEncryptedTests, true), eq(variables['system.pullRequest.isFork'], 'False')) }}:
+        # Only run these tests if explicitly enabled, and if we're not a forked repo (which won't
+        # have access to the necessary Library secrets).
+        ${{ if and(eq(parameters.runAlwaysEncryptedTests, true), eq(variables['System.PullRequest.IsFork'], 'False')) }}:
           windows_enclave_sql:
             pool: ADO-CI-AE-1ES-Pool
             images:
@@ -588,8 +588,7 @@ stages:
               EnclaveEnabled: true
               AADAuthorityURL: $(AADAuthorityURL)
               AADServicePrincipalId: $(AADServicePrincipalId)
-              ${{ if eq(variables['system.pullRequest.isFork'], 'False') }}:
-                AADServicePrincipalSecret: $(AADServicePrincipalSecret)
+              AADServicePrincipalSecret: $(AADServicePrincipalSecret)
               AzureKeyVaultUrl: $(AzureKeyVaultUrl)
               AzureKeyVaultTenantId: $(AzureKeyVaultTenantId)
               SupportsIntegratedSecurity: $(SupportsIntegratedSecurity)
@@ -617,8 +616,7 @@ stages:
               TCPConnectionStringAASSGX: $(SQL_TCP_CONN_STRING_AASSGX)
               EnclaveEnabled: true
               AADServicePrincipalId: $(AADServicePrincipalId)
-              ${{ if eq(variables['system.pullRequest.isFork'], 'False') }}:
-                AADServicePrincipalSecret: $(AADServicePrincipalSecret)
+              AADServicePrincipalSecret: $(AADServicePrincipalSecret)
               AzureKeyVaultUrl: $(AzureKeyVaultUrl)
               AzureKeyVaultTenantId: $(AzureKeyVaultTenantId)
               SupportsIntegratedSecurity: false
diff --git a/eng/pipelines/jobs/test-azure-package-ci-job.yml b/eng/pipelines/jobs/test-azure-package-ci-job.yml
@@ -238,12 +238,7 @@ jobs:
           # Avoid exposing secrets to pipeline jobs triggered via forks.  This
           # prevents external contributors from creating PRs and running
           # pipelines that could expose these secrets.
-          #
-          # Note that this isn't a perfect restriction since internal
-          # contributors may want to use forks, but this would prevent them from
-          # running the full test suite.  We don't have a better way to detect
-          # external parties though.
-          ${{ if eq(variables['system.pullRequest.isFork'], 'False') }}:
+          ${{ if eq(variables['System.PullRequest.IsFork'], 'False') }}:
             AADPasswordConnectionString: $(AAD_PASSWORD_CONN_STR)
             AADServicePrincipalSecret: $(AADServicePrincipalSecret)
 

Original file line number	Diff line number	Diff line change
`@@ -162,9 +162,9 @@ jobs:`
`162`	`162`	`# DevOps Library groups. This includes the $(Password) used to configure local SQL Server`
`163`	`163`	`# instances. In such a case, we must generate a random password and clobber $(Password).`
`164`	`164`	`#`
`165`		`- # From this point forward in this stage, any pipeline runtime expansion of $(Password) will use`
`166`		`- # the random value. This includes the SQL Server config templates (configure-sql-server-*.yml),`
`167`		`- # and the expansion of connection strings via our configProperties parameter.`
	`165`	`+ # From this point forward in this job, any pipeline runtime expansion of $(Password) will use the`
	`166`	`+ # random value. This includes the SQL Server config templates (configure-sql-server-*.yml), and`
	`167`	`+ # the expansion of connection strings via our configProperties parameter.`
`168`	`168`	`#`
`169`	`169`	`# Azure Pipelines provides the System.PullRequest.IsFork variable that is available at template`
`170`	`170`	`# expansion time. See:`
Original file line number	Diff line number	Diff line change
`@@ -259,7 +259,6 @@ steps:`
`259`	`259`	`}`
`260`	`260`	`}`
`261`	`261`	`displayName: 'Start Sql Server Browser [Win]'`
`262`		`- condition: ${{parameters.condition }}`
`263`	`262`
`264`	`263`	`- ${{ if parameters.enableLocalDB }}:`
`265`	`264`	`- powershell: \|`