From 53f5ff5840b148e679e01f9842af8fc50e91043f Mon Sep 17 00:00:00 2001
From: Jerome Brown
Date: Thu, 20 Feb 2025 17:49:18 +1300
Subject: [PATCH] Add support for authenticating to GitHub with a token (#884)
---
.../Sync-ALZPolicies.ps1 | 21 ++++++++++++--
Scripts/Operations/Export-PolicyToEPAC.ps1 | 29 ++++++++++++++-----
2 files changed, 40 insertions(+), 10 deletions(-)
diff --git a/Scripts/CloudAdoptionFramework/Sync-ALZPolicies.ps1 b/Scripts/CloudAdoptionFramework/Sync-ALZPolicies.ps1
index 87a8854e..5e147dc7 100644
--- a/Scripts/CloudAdoptionFramework/Sync-ALZPolicies.ps1
+++ b/Scripts/CloudAdoptionFramework/Sync-ALZPolicies.ps1
@@ -10,11 +10,26 @@ Param( [Parameter(Mandatory = $false)] [ValidateSet('AzureCloud', 'AzureChinaCloud', 'AzureUSGovernment')] - [string] $CloudEnvironment = 'AzureCloud' + [string] $CloudEnvironment = 'AzureCloud', + + [Parameter(Mandatory = $false)] + [securestring] $GithubToken ) +# Setup headers for connecting to GitHub +$GitHubHeaders = @{ + 'Accept' = 'application/vnd.github.v3+json' + 'X-GitHub-Api-Version' = '2022-11-28' +} +if ($null -ne $GithubToken) { + $GitHubHeaders['Authorization'] = "Bearer $((New-Object PSCredential 0, $GithubToken).GetNetworkCredential().Password)" +} +elseif ($null -ne $env:GITHUB_TOKEN) { + $GitHubHeaders['Authorization'] = "Bearer $env:GITHUB_TOKEN" +} + # Verify release exists -$GithubReleaseTag = Invoke-RestMethod -Method Get -Uri "https://api.github.com/repos/Azure/Enterprise-Scale/releases/$GithubRelease" -ErrorAction Stop | Select-Object -ExpandProperty tag_name +$GithubReleaseTag = Invoke-RestMethod -Method Get -Uri "https://api.github.com/repos/Azure/Enterprise-Scale/releases/$GithubRelease" -Headers $GitHubHeaders -ErrorAction Stop | Select-Object -ExpandProperty tag_name $defaultPolicyURIs = @( "https://raw.githubusercontent.com/Azure/Enterprise-Scale/$GithubReleaseTag/eslzArm/managementGroupTemplates/policyDefinitions/policies.json", "https://raw.githubusercontent.com/Azure/Enterprise-Scale/$GithubReleaseTag/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json" @@ -57,7 +72,7 @@ New-Item -Path "$DefinitionsRootFolder\policyAssignments\ALZ" -ItemType Director . "$PSScriptRoot/../Helpers/ConvertTo-HashTable.ps1" foreach ($policyUri in $defaultPolicyURIs) { - $rawContent = (Invoke-WebRequest -Uri $policyUri).Content | ConvertFrom-Json + $rawContent = (Invoke-WebRequest -Uri $policyUri -Headers $GitHubHeaders).Content | ConvertFrom-Json $jsonPolicyDefsHash = $rawContent.variables | ConvertTo-HashTable $jsonPolicyDefsHash.GetEnumerator() | Foreach-Object { if ($_.Key -match 'fxv') { 
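Review bot: The fallback test `elseif ($null -ne $env:GITHUB_TOKEN)` treats an empty variable as a token, so a CI job that maps an unset secret onto `GITHUB_TOKEN` would send `Authorization: Bearer ` with no credential, and requests that work anonymously would then probably be rejected. Testing the value instead, `elseif (-not [string]::IsNullOrWhiteSpace($env:GITHUB_TOKEN)) {`, keeps the anonymous path working. The same block is added to Export-PolicyToEPAC.ps1 in this commit and needs the same change. The plaintext token also stays in `$GitHubHeaders` for the rest of the script, so the table should never be written to verbose, debug or transcript output.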
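Review bot: Passing `-Headers $GitHubHeaders` to the `Invoke-WebRequest` call in the `foreach` loop sends the bearer token to raw.githubusercontent.com as well as api.github.com, together with the `Accept` and `X-GitHub-Api-Version` headers that are meant for the REST API. The old code fetched these files without credentials, so the token needs no repository permissions. That is worth stating where the header table is built, for example `# The token is sent to api.github.com and raw.githubusercontent.com; a read-only token with no private repository access is sufficient`. The three `Invoke-WebRequest` changes in Export-PolicyToEPAC.ps1 have the same effect. The loop body continues outside the hunk.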
diff --git a/Scripts/Operations/Export-PolicyToEPAC.ps1 b/Scripts/Operations/Export-PolicyToEPAC.ps1 index 5e29f668..7a05694d 100644 --- a/Scripts/Operations/Export-PolicyToEPAC.ps1 +++ b/Scripts/Operations/Export-PolicyToEPAC.ps1 @@ -77,9 +77,24 @@ param ( [string] $OverwritePacSelector, [Parameter(Mandatory = $false, HelpMessage = "Used to Overwrite the contents of the output folder with each run. Helpful when running consecutively")] - [bool] $OverwriteOutput = $true + [bool] $OverwriteOutput = $true, + + [Parameter(Mandatory = $false)] + [securestring] $GithubToken ) +# Setup headers for connecting to GitHub +$GitHubHeaders = @{ + 'Accept' = 'application/vnd.github.v3+json' + 'X-GitHub-Api-Version' = '2022-11-28' +} +if ($null -ne $GithubToken) { + $GitHubHeaders['Authorization'] = "Bearer $((New-Object PSCredential 0, $GithubToken).GetNetworkCredential().Password)" +} +elseif ($null -ne $env:GITHUB_TOKEN) { + $GitHubHeaders['Authorization'] = "Bearer $env:GITHUB_TOKEN" +} + # Validate session with Azure exists if (-not (Get-AzContext)) { $null = Connect-AzAccount 
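Review bot: The new `$GithubToken` parameter has no `HelpMessage`, unlike `$OverwriteOutput` directly above it, and nothing tells the caller that `GITHUB_TOKEN` is used when the parameter is omitted. Suggest `[Parameter(Mandatory = $false, HelpMessage = "GitHub token for requests to GitHub; when omitted, the GITHUB_TOKEN environment variable is used if set")]`. The header setup that follows is a verbatim copy of the block added to Sync-ALZPolicies.ps1, so a fix to one copy can miss the other. A shared function dot-sourced from the Helpers folder, as Sync-ALZPolicies.ps1 already does for ConvertTo-HashTable.ps1, would keep the token handling in one place. The block also converts the token to plaintext on every run, although the visible hunks use it only in the `$ALZPolicyDefinitionId` and `$ALZPolicySetDefinitionId` branches.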
@@ -345,9 +360,9 @@ elseif ($PolicySetDefinitionId) { } #region ALZ Definitions elseif ($ALZPolicyDefinitionId) { - $GithubReleaseTag = Invoke-RestMethod -Method Get -Uri "https://api.github.com/repos/Azure/Enterprise-Scale/releases/latest" -ErrorAction Stop | Select-Object -ExpandProperty tag_name + $GithubReleaseTag = Invoke-RestMethod -Method Get -Uri "https://api.github.com/repos/Azure/Enterprise-Scale/releases/latest" -Headers $GitHubHeaders -ErrorAction Stop | Select-Object -ExpandProperty tag_name $defaultPolicyURI = "https://raw.githubusercontent.com/Azure/Enterprise-Scale/$GithubReleaseTag/eslzArm/managementGroupTemplates/policyDefinitions/policies.json" - $rawContent = (Invoke-WebRequest -Uri $defaultPolicyURI).Content | ConvertFrom-Json + $rawContent = (Invoke-WebRequest -Uri $defaultPolicyURI -Headers $GitHubHeaders).Content | ConvertFrom-Json $variables = $rawContent.variables [hashtable] $jsonPolicyDefsHash = @{} if ($null -ne $variables) { 
@@ -425,9 +440,9 @@ elseif ($ALZPolicyDefinitionId) { elseif ($ALZPolicySetDefinitionId) { $builtInPolicies = Get-AzPolicyDefinition -Builtin $builtInPolicyNames = $builtInPolicies.name - $GithubReleaseTag = Invoke-RestMethod -Method Get -Uri "https://api.github.com/repos/Azure/Enterprise-Scale/releases/latest" -ErrorAction Stop | Select-Object -ExpandProperty tag_name + $GithubReleaseTag = Invoke-RestMethod -Method Get -Uri "https://api.github.com/repos/Azure/Enterprise-Scale/releases/latest" -Headers $GitHubHeaders -ErrorAction Stop | Select-Object -ExpandProperty tag_name $defaultPolicyURI = "https://raw.githubusercontent.com/Azure/Enterprise-Scale/$GithubReleaseTag/eslzArm/managementGroupTemplates/policyDefinitions/policies.json" - $rawContent = (Invoke-WebRequest -Uri $defaultPolicyURI).Content | ConvertFrom-Json + $rawContent = (Invoke-WebRequest -Uri $defaultPolicyURI -Headers $GitHubHeaders).Content | ConvertFrom-Json $variables = $rawContent.variables [hashtable] $jsonPolicyDefsHash = @{} if ($null -ne $variables) { @@ -463,7 +478,7 @@ elseif ($ALZPolicySetDefinitionId) { } $defaultPolicySetURI = "https://raw.githubusercontent.com/Azure/Enterprise-Scale/$GithubReleaseTag/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json" - $rawContent = (Invoke-WebRequest -Uri $defaultPolicySetURI).Content | ConvertFrom-Json + $rawContent = (Invoke-WebRequest -Uri $defaultPolicySetURI -Headers $GitHubHeaders).Content | ConvertFrom-Json $variables = $rawContent.variables [hashtable] $jsonPolicySetDefsHash = @{} if ($null -ne $variables) { @@ -852,4 +867,4 @@ if ($policyObject) { Write-Information "Created Policy Assignment - $policyName.jsonc" -InformationAction Continue Write-Information "" -InformationAction Continue $assignmentJson | Out-File -FilePath "$OutputFolder/Export/policyAssignments/$policyName.jsonc" -} \ No newline at end of file +}