feat: add {#[TOKEN_NAME]#} substitution step to publish pipelines (APIOps Toolkit parity) #127
| 1. **Install the [Replace Tokens extension](https://marketplace.visualstudio.com/items?itemName=qetza.replacetokens)** in your Azure DevOps organization (if not already installed). | ||
| 2. **Add secret variables** to the `apim-<env>` variable group (e.g., `PROD_SECRET_VALUE`). Mark them as secret. |
- Add links to official documentation on how to add secrets to Azure DevOps.
- Add example usage of a token value in a config overrides file.
| value: "{#[BACKEND_API_URL]#}" | ||
| ``` | ||
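Review bot: the example line `value: "{#[BACKEND_API_URL]#}"` puts the placeholder inside a double-quoted YAML scalar, and the guide does not say how the substituted text is escaped. If the replacement is inserted verbatim, a value containing `"` or `\` changes or breaks the resulting YAML. Suggest one sentence stating which characters are safe in token values, or which escaping setting the generated replace step uses.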
| 2. **Store actual values** in your pipeline's secret store (GitHub Actions Secrets or Azure DevOps variable groups / Key Vault). |
Why is Key Vault mentioned here?
| ## Azure DevOps Setup | ||
| ### Generated Step |
Implementation details not needed.
| The `replacetokens` task automatically reads from pipeline variables (including those from variable groups). Add your secret values as variables in the `apim-<env>` variable group: | ||
| 1. Go to **Pipelines → Library → apim-prod** |
| If you are migrating from APIOps Toolkit, your existing `configuration.<env>.yaml` files that use `{#[TOKEN_NAME]#}` placeholders work without modification. The same syntax is supported. | ||
| The only difference is where secrets are stored and mapped: |
Is the table necessary? table just shows everything is identity, which you've already stated.
| | **Azure DevOps** | `qetza.replacetokens@6` | `replacetokens@6` (same extension) | | ||
| | **Token prefix/suffix** | `{#[` / `]#}` | `{#[` / `]#}` (identical) | | ||
| ### Migration Steps |
Remove this. We'll have an all-up migration doc elsewhere
| ## Security Notes | ||
| - Tokens are replaced **in the pipeline runner's memory** — they are never committed to the repository. |
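Review bot: the first Security Notes bullet says tokens are replaced "in the pipeline runner's memory", but the PR describes a step that substitutes tokens in `configuration.<env>.yaml` before `apiops publish` runs, which reads as the resolved values being written into that file in the job workspace. Suggest claiming only what the pipeline controls: the substituted file is never committed, and the workspace copy should not be uploaded as an artifact or cached.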
Is this really true? We are using extensions, so how can we state their behavior? Are there links to extension documentation that state this?
All review feedback addressed in commit
Adds {#[TOKEN_NAME]#} substitution as a dedicated step in both
GitHub Actions and Azure DevOps publish pipelines generated by
`apiops init`, compatible with APIOps Toolkit configuration files.
- GitHub Actions: cschleiden/replace-tokens@v1.3 with {#[ / ]#}
- Azure DevOps: replacetokens@6 with {#[ / ]#}
- Step runs before apiops publish so secrets are never committed
- New docs/guides/token-substitution.md covering syntax, setup,
migration from APIOps Toolkit, and common examples
- Updated ci-cd/github-actions.md and ci-cd/azure-devops.md
Closes #36
966636d to 89d547f
Users migrating from APIOps Toolkit expect `{#[TOKEN_NAME]#}` placeholders in `configuration.<env>.yaml` to be substituted from pipeline secrets before publish runs. Previously the generated pipelines had no substitution step, so tokens were passed as literal strings to APIM.

Pipeline changes

Both GitHub Actions and Azure DevOps publish templates now include a dedicated substitution step before `apiops publish`, using the same tools APIOps Toolkit uses:

GitHub Actions — `cschleiden/replace-tokens@v1.3`:

Azure DevOps — `replacetokens@6` (reads from variable groups automatically):

The step is generated once per environment, scoped to `configuration.<env>.yaml`.

Documentation

- `docs/guides/token-substitution.md` — new guide covering syntax, GitHub Actions setup (secret → env var mapping), Azure DevOps setup (variable group), Toolkit migration guide, and common examples
- `docs/ci-cd/github-actions.md` / `docs/ci-cd/azure-devops.md` — updated pipeline step descriptions and added customization tips linking to the new guide
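An added example, not part of this PR or the APIOps code: a Python gate a pipeline could run before and after the substitution step, so that `{#[TOKEN_NAME]#}` placeholders never reach APIM as literal strings. It assumes token values are exposed to the step as environment variables named after the tokens; the function names and the CLI shape are hypothetical.

```python
"""Pre/post gate around a {#[TOKEN]#} substitution step (added example)."""
import os
import re
import sys

# Placeholder syntax from the PR: prefix "{#[" and suffix "]#}".
TOKEN_RE = re.compile(r"\{#\[([^\]\r\n]+)\]#\}")

# Constructed sample, shaped like the override value shown in the guide.
SAMPLE = 'value: "{#[BACKEND_API_URL]#}"\nkey: "{#[PROD_SECRET_VALUE]#}"\n'


def find_tokens(text):
    """Return [(line_number, token_name)] for every placeholder in text."""
    return [
        (line_no, match.group(1).strip())
        for line_no, line in enumerate(text.splitlines(), start=1)
        for match in TOKEN_RE.finditer(line)
    ]


def missing_variables(text, env):
    """Token names that have no non-empty value in env."""
    names = {name for _, name in find_tokens(text)}
    return sorted(name for name in names if not env.get(name))


def check_file(path, env, stage):
    """Return problem strings for one file; values are never included.

    stage "pre":  run before substitution, every token needs a variable.
    stage "post": run after substitution, no placeholder may remain.
    """
    if stage not in ("pre", "post"):
        raise ValueError(f"unknown stage: {stage!r}")
    with open(path, encoding="utf-8") as handle:
        text = handle.read()
    if stage == "pre":
        return [f"{path}: no value for {n}" for n in missing_variables(text, env)]
    return [f"{path}:{ln}: unreplaced {n}" for ln, n in find_tokens(text)]


if __name__ == "__main__":
    # Hypothetical CLI: python check_tokens.py <pre|post> <file>...
    # Assumption: token values reach this step as environment variables.
    stage, paths = sys.argv[1], sys.argv[2:]
    problems = [p for path in paths for p in check_file(path, os.environ, stage)]
    for problem in problems:
        print(problem, file=sys.stderr)
    sys.exit(1 if problems else 0)
```

Only token names, paths and line numbers are reported, so a failing run leaves no secret values in the job log.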