Sync eng/common directory with azure-sdk-tools for PR 14219

[azure-sdk]

Sync eng/common directory with azure-sdk-tools for PR Azure/azure-sdk-tools#14219 See eng/common workflow

[Copilot]

Pull request overview

Synchronizes eng/common GitHub authentication tooling with azure-sdk-tools by extending the existing login-to-github.ps1 script to support GitHub Actions and introducing a composite action wrapper for workflows.

Changes:

• Update login-to-github.ps1 to support exporting/masking tokens in GitHub Actions and improve signing error output.
• Add a new composite GitHub Action (eng/common/actions/login-to-github) that wraps the PowerShell script for workflow usage.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File	Description
eng/common/scripts/login-to-github.ps1	Adds GitHub Actions export/masking behavior and updates error handling text when Key Vault signing fails.
eng/common/actions/login-to-github/action.yml	Introduces a composite action wrapper that invokes login-to-github.ps1 from GitHub Actions with configurable inputs.

[Copilot]

In GitHub Actions, $variableName is derived from the owner string (e.g., azure-sdk), which can produce environment variable names containing -. Those are awkward or invalid to reference in common shells and in Actions expressions (env.GH_TOKEN_azure-sdk won’t work without bracket syntax). Consider normalizing/sanitizing $InstallationTokenOwner when composing $variableName (e.g., replace non [A-Za-z0-9_] with _) and document the normalization so callers know which name to reference.

[Copilot]

az keyvault key sign ... | ConvertFrom-Json can throw before the $LASTEXITCODE check if the CLI emits non-JSON on failure (common when errors are written to stderr). To make the new error message reliable, capture the raw output/stderr first (e.g., 2>&1), check $LASTEXITCODE, then conditionally ConvertFrom-Json only on success (or wrap ConvertFrom-Json in try/catch and include the raw output in the thrown error).

[Copilot]

The multi-owner example includes azure-sdk, which would export GH_TOKEN_azure-sdk. That name can’t be referenced via env.GH_TOKEN_azure-sdk in GitHub Actions expressions and is awkward in bash. Either document the required bracket syntax (env['GH_TOKEN_azure-sdk']) or (preferably) ensure the underlying script/action normalizes owner names to a safe env-var identifier (e.g., azure_sdk) and update the docs accordingly.

Suggested change

	# - run: gh pr list --repo Azure/azure-sdk-tools
	# env:
	# GH_TOKEN: ${{ env.GH_TOKEN_Azure }}
	#
	# Tokens are exported to GITHUB_ENV so all subsequent steps can reference
	# them as ${{ env.GH_TOKEN }} (single owner) or ${{ env.GH_TOKEN_<Owner> }}
	# (multiple owners). This matches the Azure DevOps behavior where tokens
	# are set as pipeline variables.
	# # Example: use the token for the "Azure" owner (simple name)
	# - run: gh pr list --repo Azure/azure-sdk-tools
	# env:
	# GH_TOKEN: ${{ env.GH_TOKEN_Azure }}
	#
	# # Example: use the token for the "azure-sdk" owner (hyphenated name)
	# # Note the required bracket syntax because "-" is not valid in
	# # GitHub Actions dot-notation identifiers.
	# - run: gh pr list --repo azure-sdk/azure-sdk-tools
	# env:
	# GH_TOKEN: ${{ env['GH_TOKEN_azure-sdk'] }}
	#
	# Tokens are exported to GITHUB_ENV so all subsequent steps can reference
	# them as ${{ env.GH_TOKEN }} (single owner) or ${{ env.GH_TOKEN_<Owner> }}
	# (multiple owners). When <Owner> contains characters that are not valid in
	# GitHub Actions identifiers (for example, "azure-sdk" with a "-"), you must
	# use bracket syntax instead, e.g. ${{ env['GH_TOKEN_azure-sdk'] }}.
	# This matches the Azure DevOps behavior where tokens are set as pipeline
	# variables, while documenting the correct GitHub Actions expression syntax.