fix: prevent publish abort on auto-generated logger-credential named values#220
Merged
Merged
Conversation
…values The publish pre-flight redaction guard scanned every named value, including APIM auto-generated logger credentials (24-char hex IDs, e.g. Logger-Credentials--<hex>) whose secret values are redacted on extract. Because splitNamedValues() already skips these during publish (APIM recreates them when the referencing logger is published), the guard flagged markers in artifacts that are never sent to APIM and aborted the publish with a false positive. Make the guard mirror the publisher: skip auto-generated named values that have no explicit override. Extract hasNamedValueOverride() into override-merger.ts as the single source of truth shared by both call sites.
petehauge
reviewed
Jul 2, 2026
Contributor
Author
|
@copilot - Revert the change to CHANGELOG.md |
Contributor
petehauge
approved these changes
Jul 2, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
apiops publishaborts with a false-positive secret-redaction error when the source APIM has loggers (Application Insights / Event Hub).APIM auto-generates secret named values named
Logger-Credentials--<hex>(24-char hex IDs) to hold logger credentials. These are redacted to*** REDACTED ***on extract. The publish pre-flight redaction guard scanned them and aborted before issuing a single PUT:However, the publisher already skips these auto-generated named values in
splitNamedValues()— APIM recreates them when the referencing logger is published — unless the user supplies an explicit override. The guard did not apply the same filter, so it flagged redaction markers in artifacts that are never sent to APIM.Fix
scanNamedValue(), skip auto-generated named values that have no explicit override. This guarantees the invariant the guard skips a named value iff publish skips it — no path exists where a placeholder secret is skipped by the guard but still PUT to APIM.hasNamedValueOverride()intooverride-merger.tsas the single source of truth shared by both call sites (also avoids apublish-service↔secret-redaction-guardcircular import).Testing
secret-redaction-guard.test.ts:all-resource-typesintegration test): publish now clears the pre-flight guard on theLogger-Credentials--*named values.Notes
copilot/delete-unmatched-parameter-fixbranch (originally commitf0894aa) so this important fix can land independently and be approved ASAP.Related Issue(s)
None.