Removal of Insider SAS Token (#728)
This PR will remove all references to the Insider SAS Token.
Currently, this uses a local version of BcContainerHelper - needs to be
replaced with preview or latest when this ships.

---------

Co-authored-by: freddydk <freddydk@users.noreply.github.com>
freddydk and freddydk authored Sep 28, 2023
1 parent 49bd1e0 commit bac7fab
Showing 38 changed files with 97 additions and 146 deletions.
8 changes: 2 additions & 6 deletions .github/workflows/E2E.yaml
Expand Up @@ -62,10 +62,6 @@ jobs:
Write-Host "::Error::In order to run end to end tests, you need a Secret called licenseFileUrl containing a secure Url to a build license file"
$err = $true
}
if ('${{ Secrets.insiderSasToken }}' -eq '') {
Write-Host "::Error::In order to run end to end tests, you need a Secret called insiderSasToken containing the Insider SAS token from https://aka.ms/collaborate"
$err = $true
}
if ($err) {
exit 1
}
Expand Down Expand Up @@ -196,7 +192,7 @@ jobs:
- name: Run test
run: |
try {
. (Join-Path "." "e2eTests/scenarios/${{ matrix.scenario }}/runtest.ps1") -github -githubOwner '${{ needs.Check.outputs.githubowner }}' -repoName ${{ steps.calculateParams.outputs.repoName }} -token '${{ Secrets.E2EPAT }}' -InsiderSasToken '${{ Secrets.InsiderSasToken }}' -pteTemplate '${{ needs.Check.outputs.githubowner }}/${{ needs.SetupRepositories.outputs.perTenantExtensionRepo }}' -appSourceTemplate '${{ needs.Check.outputs.githubowner }}/${{ needs.SetupRepositories.outputs.appSourceAppRepo }}' -adminCenterApiToken '${{ Secrets.adminCenterApiCredentials }}' -licenseFileUrl '${{ Secrets.licenseFileUrl }}'
. (Join-Path "." "e2eTests/scenarios/${{ matrix.scenario }}/runtest.ps1") -github -githubOwner '${{ needs.Check.outputs.githubowner }}' -repoName ${{ steps.calculateParams.outputs.repoName }} -token '${{ Secrets.E2EPAT }}' -pteTemplate '${{ needs.Check.outputs.githubowner }}/${{ needs.SetupRepositories.outputs.perTenantExtensionRepo }}' -appSourceTemplate '${{ needs.Check.outputs.githubowner }}/${{ needs.SetupRepositories.outputs.appSourceAppRepo }}' -adminCenterApiToken '${{ Secrets.adminCenterApiCredentials }}' -licenseFileUrl '${{ Secrets.licenseFileUrl }}'
}
catch {
Write-Host $_.Exception.Message
Expand Down Expand Up @@ -242,7 +238,7 @@ jobs:
- name: Run tests
run: |
try {
. (Join-Path "." "e2eTests/Test-AL-Go.ps1") -github -githubOwner '${{ needs.Check.outputs.githubowner }}' -repoName ${{ steps.calculateParams.outputs.repoName }} -token '${{ Secrets.E2EPAT }}' -InsiderSasToken '${{ Secrets.InsiderSasToken }}' -template ${{ steps.calculateParams.outputs.template }} -adminCenterApiToken ${{ steps.calculateParams.outputs.adminCenterApiCredentials }} -licenseFileUrl ${{ steps.calculateParams.outputs.licenseFileUrl }} -multiProject:('${{ matrix.style }}' -eq 'multiProject') -appSource:('${{ matrix.type }}' -eq 'appSourceApp') -linux:('${{ matrix.os }}' -eq 'linux') -private:('${{ matrix.visibility }}' -eq 'private') -useCompilerFolder:('${{ matrix.Compiler }}' -eq 'CompilerFolder')
. (Join-Path "." "e2eTests/Test-AL-Go.ps1") -github -githubOwner '${{ needs.Check.outputs.githubowner }}' -repoName ${{ steps.calculateParams.outputs.repoName }} -token '${{ Secrets.E2EPAT }}' -template ${{ steps.calculateParams.outputs.template }} -adminCenterApiToken ${{ steps.calculateParams.outputs.adminCenterApiCredentials }} -licenseFileUrl ${{ steps.calculateParams.outputs.licenseFileUrl }} -multiProject:('${{ matrix.style }}' -eq 'multiProject') -appSource:('${{ matrix.type }}' -eq 'appSourceApp') -linux:('${{ matrix.os }}' -eq 'linux') -private:('${{ matrix.visibility }}' -eq 'private') -useCompilerFolder:('${{ matrix.Compiler }}' -eq 'CompilerFolder')
}
catch {
Write-Host $_.Exception.Message
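Review bot: The rewritten `runtest.ps1` and `Test-AL-Go.ps1` invocations still expand `${{ Secrets.E2EPAT }}`, the matrix values and several step outputs directly into the PowerShell script text, some of them unquoted (`-repoName ${{ steps.calculateParams.outputs.repoName }}`, `-adminCenterApiToken ${{ steps.calculateParams.outputs.adminCenterApiCredentials }}`). Values expanded this way are parsed as script rather than as data, so a quote or space in one of them changes the command, and the secret ends up in the script file written on the runner. Since these lines are being edited anyway, I would move the values into the step's `env:` block and reference them as environment variables, e.g. `E2EPAT: ${{ Secrets.E2EPAT }}` under `env:` and `-token $env:E2EPAT` in the command. The step definitions continue outside the hunks.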
57 changes: 22 additions & 35 deletions Actions/AL-Go-Helper.ps1
Expand Up @@ -553,7 +553,6 @@ function ReadSettings {
"appRevision" = 0
"keyVaultName" = ""
"licenseFileUrlSecretName" = "licenseFileUrl"
"insiderSasTokenSecretName" = "insiderSasToken"
"ghTokenWorkflowSecretName" = "ghTokenWorkflow"
"adminCenterApiCredentialsSecretName" = "adminCenterApiCredentials"
"applicationInsightsConnectionStringSecretName" = "applicationInsightsConnectionString"
Expand Down Expand Up @@ -842,7 +841,6 @@ function AnalyzeRepo {
[hashTable] $settings,
[string] $baseFolder = $ENV:GITHUB_WORKSPACE,
[string] $project = '.',
[string] $insiderSasToken,
[switch] $doNotCheckArtifactSetting,
[switch] $doNotIssueWarnings,
[string[]] $includeOnlyAppIds
Expand Down Expand Up @@ -992,7 +990,7 @@ function AnalyzeRepo {
}

if (!$doNotCheckArtifactSetting) {
$artifactUrl = DetermineArtifactUrl -projectSettings $settings -insiderSasToken $insiderSasToken -doNotIssueWarnings:$doNotIssueWarnings
$artifactUrl = DetermineArtifactUrl -projectSettings $settings -doNotIssueWarnings:$doNotIssueWarnings
$version = $artifactUrl.Split('/')[4]
Write-Host "Downloading artifacts from $($artifactUrl.Split('?')[0])"
$folders = Download-Artifacts -artifactUrl $artifactUrl -includePlatform -ErrorAction SilentlyContinue
Expand Down Expand Up @@ -1506,8 +1504,8 @@ function CreateDevEnv {
[pscredential] $credential,
[Parameter(ParameterSetName = 'local')]
[string] $containerName = "",
[string] $insiderSasToken = "",
[string] $licenseFileUrl = ""
[string] $licenseFileUrl = "",
[switch] $accept_insiderEula
)

if ($PSCmdlet.ParameterSetName -ne $kind) {
Expand Down Expand Up @@ -1595,9 +1593,6 @@ function CreateDevEnv {
$LicenseFileSecret = Get-AzKeyVaultSecret -VaultName $settings.keyVaultName -Name $settings.licenseFileUrlSecretName
if ($LicenseFileSecret) { $licenseFileUrl = $LicenseFileSecret.SecretValue | Get-PlainText }

$insiderSasTokenSecret = Get-AzKeyVaultSecret -VaultName $settings.keyVaultName -Name $settings.insiderSasTokenSecretName
if ($insiderSasTokenSecret) { $insiderSasToken = $insiderSasTokenSecret.SecretValue | Get-PlainText }

# do not add codesign cert.

if ($settings.applicationInsightsConnectionStringSecretName) {
Expand Down Expand Up @@ -1640,18 +1635,20 @@ function CreateDevEnv {
}

$params = @{}
if ($kind -eq "local") {
$params += @{
"insiderSasToken" = $insiderSasToken
}
}
elseif ($kind -eq "cloud") {
if ($kind -eq "cloud") {
$accept_insiderEula = $true
$params += @{
"doNotCheckArtifactSetting" = $true
}
}
$settings = AnalyzeRepo -settings $settings -baseFolder $baseFolder -project $project @params
$settings = CheckAppDependencyProbingPaths -settings $settings -baseFolder $baseFolder -project $project

if (!$accept_insiderEula -and ($repo.artifact -like 'https://bcinsider.blob.core.windows.net/*' -or $repo.artifact -like 'https://bcinsider.azureedge.net/*')) {
Read-Host 'Press ENTER to accept the Business Central insider EULA (https://go.microsoft.com/fwlink/?linkid=2245051) or break the script to cancel'
$accept_insiderEula = $true
}

if ((-not $settings.appFolders) -and (-not $settings.testFolders)) {
Write-Host "Repository is empty"
}
Expand Down Expand Up @@ -1749,7 +1746,7 @@ function CreateDevEnv {

if ($kind -eq "local") {
$runAlPipelineParams += @{
"artifact" = $settings.artifact.replace('{INSIDERSASTOKEN}', $insiderSasToken)
"artifact" = $settings.artifact.replace('{INSIDERSASTOKEN}', '')
"auth" = $auth
"credential" = $credential
}
Expand Down Expand Up @@ -1841,6 +1838,7 @@ function CreateDevEnv {
}

Run-AlPipeline @runAlPipelineParams `
-accept_insiderEula:$accept_insiderEula `
-vsixFile $settings.vsixFile `
-pipelinename $workflowName `
-imageName "" `
Expand Down Expand Up @@ -2108,32 +2106,23 @@ function GetProject {
function DetermineArtifactUrl {
Param(
[hashtable] $projectSettings,
[string] $insiderSasToken = "",
[switch] $doNotIssueWarnings
)

$artifact = $projectSettings.artifact
if ($artifact.Contains('{INSIDERSASTOKEN}')) {
if ($insiderSasToken) {
$artifact = $artifact.replace('{INSIDERSASTOKEN}', $insiderSasToken)
}
else {
throw "Artifact definition $artifact requires you to create a secret called InsiderSasToken, containing the Insider SAS Token from https://aka.ms/collaborate"
}
$artifact = $artifact.replace('{INSIDERSASTOKEN}', '')
Write-Host "::Warning::Please update your artifact setting and remove {INSIDERSASTOKEN} from the setting. This is no longer needed."
}

Write-Host "Checking artifact setting for project"
if ($artifact -eq "" -and $projectSettings.updateDependencies) {
$artifact = Get-BCArtifactUrl -country $projectSettings.country -select all | Where-Object { [Version]$_.Split("/")[4] -ge [Version]$projectSettings.applicationDependency } | Select-Object -First 1
if (-not $artifact) {
if ($insiderSasToken) {
$artifact = Get-BCArtifactUrl -storageAccount bcinsider -country $projectSettings.country -select all -sasToken $insiderSasToken | Where-Object { [Version]$_.Split("/")[4] -ge [Version]$projectSettings.applicationDependency } | Select-Object -First 1
if (-not $artifact) {
throw "No artifacts found for application dependency $($projectSettings.applicationDependency)."
}
}
else {
throw "No artifacts found for application dependency $($projectSettings.applicationDependency). If you are targetting an insider version, you need to create a secret called InsiderSasToken, containing the Insider SAS Token from https://aka.ms/collaborate"
# Check Insider Artifacts
$artifact = Get-BCArtifactUrl -storageAccount bcinsider -accept_insiderEula -country $projectSettings.country -select all | Where-Object { [Version]$_.Split("/")[4] -ge [Version]$projectSettings.applicationDependency } | Select-Object -First 1
if (-not $artifact) {
throw "No artifacts found for application dependency $($projectSettings.applicationDependency)."
}
}
}
Expand All @@ -2144,7 +2133,6 @@ function DetermineArtifactUrl {
$artifactType = ("$artifactUrl////".Split('/')[3])
$version = ("$artifactUrl////".Split('/')[4])
$country = ("$artifactUrl////".Split('?')[0].Split('/')[5])
$sasToken = "$($artifactUrl)?".Split('?')[1]
}
else {
$segments = "$artifact/////".Split('/')
Expand All @@ -2153,8 +2141,7 @@ function DetermineArtifactUrl {
$version = $segments[2]
$country = $segments[3]; if ($country -eq "") { $country = $projectSettings.country }
$select = $segments[4]; if ($select -eq "") { $select = "latest" }
$sasToken = $segments[5]
$artifactUrl = Get-BCArtifactUrl -storageAccount $storageAccount -type $artifactType -version $version -country $country -select $select -sasToken $sasToken | Select-Object -First 1
$artifactUrl = Get-BCArtifactUrl -storageAccount $storageAccount -type $artifactType -version $version -country $country -select $select -accept_insiderEula | Select-Object -First 1
if (-not $artifactUrl) {
throw "No artifacts found for the artifact setting ($artifact) in $ALGoSettingsFile"
}
Expand All @@ -2170,10 +2157,10 @@ function DetermineArtifactUrl {
# AT is the latest published language - use this to determine available country codes (combined with mapping)
$ver = [Version]$version
Write-Host "https://$storageAccount/$artifactType/$version/$country"
$atArtifactUrl = Get-BCArtifactUrl -storageAccount $storageAccount -type $artifactType -country at -version "$($ver.Major).$($ver.Minor)" -select Latest -sasToken $sasToken
$atArtifactUrl = Get-BCArtifactUrl -storageAccount $storageAccount -type $artifactType -country at -version "$($ver.Major).$($ver.Minor)" -select Latest -accept_insiderEula
Write-Host "Latest AT artifacts $atArtifactUrl"
$latestATversion = $atArtifactUrl.Split('/')[4]
$countries = Get-BCArtifactUrl -storageAccount $storageAccount -type $artifactType -version $latestATversion -sasToken $sasToken -select All | ForEach-Object {
$countries = Get-BCArtifactUrl -storageAccount $storageAccount -type $artifactType -version $latestATversion -accept_insiderEula -select All | ForEach-Object {
$countryArtifactUrl = $_.Split('?')[0] # remove sas token
$countryArtifactUrl.Split('/')[5] # get country
}
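Review bot: The new EULA gate in CreateDevEnv tests `$repo.artifact`, while the other visible references in this function read the artifact from `$settings` (`$settings.artifact.replace('{INSIDERSASTOKEN}', '')` further down), and no assignment to `$repo` appears in the visible hunks. If `$repo` is not set at that point, both `-like` comparisons are false (or the property access fails under strict mode), the Read-Host prompt never appears, and the local path passes `-accept_insiderEula:$false` to Run-AlPipeline even for an insider artifact. Unless `$repo` is assigned in a part of the function outside these hunks, the condition should read `($settings.artifact -like 'https://bcinsider.blob.core.windows.net/*' -or $settings.artifact -like 'https://bcinsider.azureedge.net/*')`. The return value of Read-Host is also left on the output stream here; appending `| Out-Null` would keep it out of the function's output.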
9 changes: 1 addition & 8 deletions Actions/DetermineArtifactUrl/DetermineArtifactUrl.ps1
Expand Up @@ -17,16 +17,9 @@ try {
#region Action: Determine artifacts to use
$telemetryScope = CreateScope -eventId 'DO0084' -parentTelemetryScopeJson $parentTelemetryScopeJson

$insiderSasToken = ""
# ENV:Secrets is not set when running Pull_Request trigger
if ($env:Secrets) {
$secrets = $env:Secrets | ConvertFrom-Json | ConvertTo-HashTable
$insiderSasToken = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($secrets.insiderSasToken))
}

$settings = $env:Settings | ConvertFrom-Json | ConvertTo-HashTable
$settings = AnalyzeRepo -settings $settings -project $project -doNotCheckArtifactSetting -doNotIssueWarnings
$artifactUrl = DetermineArtifactUrl -projectSettings $settings -insiderSasToken $insiderSasToken
$artifactUrl = DetermineArtifactUrl -projectSettings $settings
$artifactCacheKey = ''
if ($settings.useCompilerFolder) {
$artifactCacheKey = $artifactUrl.Split('?')[0]
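--- a/Actions/DetermineArtifactUrl/README.md
+++ b/Actions/DetermineArtifactUrl/README.md
@@ -7,7 +7,6 @@ Determines the artifactUrl to use for a given project
 | Name | Description |
 | :-- | :-- |
 | Settings | env.Settings must be set by a prior call to the ReadSettings Action |
-| Secrets | env.Secrets with insiderSasToken must be read by a prior call to the ReadSecrets Action |
 
 ### Parameters
 | Name | Required | Description | Default value |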
2 changes: 1 addition & 1 deletion Actions/RunPipeline/README.md
Expand Up @@ -7,7 +7,7 @@ Run pipeline in AL-Go repository
| Name | Description |
| :-- | :-- |
| Settings | env.Settings must be set by a prior call to the ReadSettings Action |
| Secrets | env.Secrets with licenseFileUrl, insiderSasToken, codeSignCertificateUrl, codeSignCertificatePassword, keyVaultCertificateUrl, keyVaultCertificatePassword, keyVaultClientId, gitHubPackagesContext, applicationInsightsConnectionString must be read by a prior call to the ReadSecets Action |
| Secrets | env.Secrets with licenseFileUrl, codeSignCertificateUrl, codeSignCertificatePassword, keyVaultCertificateUrl, keyVaultCertificatePassword, keyVaultClientId, gitHubPackagesContext, applicationInsightsConnectionString must be read by a prior call to the ReadSecets Action |

### Parameters
| Name | Required | Description | Default value |
7 changes: 4 additions & 3 deletions Actions/RunPipeline/RunPipeline.ps1
Expand Up @@ -87,7 +87,7 @@ try {

$appBuild = $settings.appBuild
$appRevision = $settings.appRevision
'licenseFileUrl','insiderSasToken','codeSignCertificateUrl','*codeSignCertificatePassword','keyVaultCertificateUrl','*keyVaultCertificatePassword','keyVaultClientId','gitHubPackagesContext','applicationInsightsConnectionString' | ForEach-Object {
'licenseFileUrl','codeSignCertificateUrl','*codeSignCertificatePassword','keyVaultCertificateUrl','*keyVaultCertificatePassword','keyVaultClientId','gitHubPackagesContext','applicationInsightsConnectionString' | ForEach-Object {
# Secrets might not be read during Pull Request runs
if ($secrets.Keys -contains $_) {
$value = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($secrets."$_"))
Expand Down Expand Up @@ -122,7 +122,7 @@ try {
}
}

$settings = AnalyzeRepo -settings $settings -baseFolder $baseFolder -project $project -insiderSasToken $insiderSasToken @analyzeRepoParams
$settings = AnalyzeRepo -settings $settings -baseFolder $baseFolder -project $project @analyzeRepoParams
$settings = CheckAppDependencyProbingPaths -settings $settings -token $token -baseFolder $baseFolder -project $project

if ((-not $settings.appFolders) -and (-not $settings.testFolders) -and (-not $settings.bcptTestFolders)) {
Expand Down Expand Up @@ -369,12 +369,13 @@ try {

Write-Host "Invoke Run-AlPipeline with buildmode $buildMode"
Run-AlPipeline @runAlPipelineParams `
-accept_insiderEula `
-pipelinename $workflowName `
-containerName $containerName `
-imageName $imageName `
-bcAuthContext $authContext `
-environment $environmentName `
-artifact $settings.artifact.replace('{INSIDERSASTOKEN}',$insiderSasToken) `
-artifact $settings.artifact.replace('{INSIDERSASTOKEN}','') `
-vsixFile $settings.vsixFile `
-companyName $settings.companyName `
-memoryLimit $settings.memoryLimit `
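Review bot: The `-accept_insiderEula` switch added to the Run-AlPipeline call is passed on every pipeline run, whether or not the configured artifact is an insider build, and nothing at the call site says this is deliberate. The release notes in this commit state that using insider builds through AL-Go implies acceptance of the insider EULA, so the behaviour looks intended, but a reader of RunPipeline.ps1 alone cannot tell. I would add a comment above the call, for example `# Insider EULA is accepted implicitly for pipeline runs - see "Removal of the InsiderSasToken" in RELEASENOTES.md`. The enclosing try block starts and ends outside the hunks.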
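--- a/RELEASENOTES.md
+++ b/RELEASENOTES.md
@@ -16,6 +16,12 @@ Note that when using the preview version of AL-Go for GitHub, we recommend you U
 - Issue 683 Settings from GitHub variables ALGoRepoSettings and ALGoOrgSettings are not applied during build pipeline
 - Issue 708 Inconsistent AuthTokenSecret Behavior in Multiple Projects: 'Secrets are not available'
 
+### Removal of the InsiderSasToken
+
+As of October 1st 2023, Business Central insider builds are now publicly available. When creating local containers with the insider builds, you will have to accept the insider EULA (https://go.microsoft.com/fwlink/?linkid=2245051) in order to continue.
+
+AL-Go for GitHub allows you to build and test using insider builds without any explicit approval, but please note that the insider artifacts contains the insider Eula and you automatically accept this when using the builds.
+
 ### Breaking changes
 
 Earlier, you could specify a mapping to an environment name in an environment secret called `<environmentname>_EnvironmentName`, `<environmentname>-EnvironmentName` or just `EnvironmentName`. You could also specify the projects you want to deploy to an environment as an environment secret called `Projects`.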
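--- a/Scenarios/Contribute.md
+++ b/Scenarios/Contribute.md
@@ -56,7 +56,6 @@ In your personal fork, you can now run the end to end tests, if the following pr
 - E2EPAT needs to be a Personal Access Token with these permissions: _admin:org, delete:packages, delete_repo, repo, workflow, write:packages_
 - AdminCenterApiCredentials needs to be the adminCenterApiCredentials as described [here](CreateOnlineDevEnv2.md).
 - LicenseFileUrl needs to be a direct download URL to a developer .bclicense file
-- InsiderSasToken needs to contain the Insider Sas Token from https://aka.ms/collaborate
 - Beside the secrets, you need to have a GitHub organization setup, which will contain all the temporary repositories created by the end to end testing. This organization needs to have at least two instances of a GitHub runner registered as self-hosted (for running all private repo builds)
 
 Run the End to end tests by running the *End to end tests* workflow and specify your organization in the corresponding field.
@@ -71,7 +70,6 @@ You can also run the end to end tests directly from VS Code, by providing the fo
 |$global:SecureE2EPAT| SecureString | A personal access token with workflow permissions |
 |$global:SecureAdminCenterApiToken| SecureString | Admin Center API Credentials |
 |$global:SecureLicenseFileUrl| SecureString | Direct download URL to a license file |
-|$global:SecureInsiderSasToken | SecureString | The Insider SAS Token from https://aka.ms/collaborate |
 |$global:pteTemplate| String | URL for your PTE template (like `freddyk/AL-Go-PTE@main` or `freddydk/AL-Go@main\|Templates/Per Tenant Extension` for using your AL-Go fork directly) |
 |$global:appSourceTemplate| String | URL for your PTE template (like `freddyk/AL-Go-AppSource@main` or `freddydk/AL-Go@main\|Templates/AppSource App` for using your AL-Go fork directly) |
 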