Path: blob/main/extensions/copilot/script/setup/getEnv.mts
13388 views
/*---------------------------------------------------------------------------------------------
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License. See License.txt in the project root for license information.
*--------------------------------------------------------------------------------------------*/
import { AzureCliCredential, ChainedTokenCredential, DeviceCodeCredential, InteractiveBrowserCredential, ManagedIdentityCredential, TokenCredential } from '@azure/identity';
import { SecretClient } from '@azure/keyvault-secrets';
import * as fs from 'fs';
import * as process from 'process';
const useColors = (process.stdout.isTTY && typeof process.stdout.hasColors === 'function' && process.stdout.hasColors());
function red(s: string) { return useColors ? `\x1b[31m${s}\x1b[0m` : s; }
async function setupSecretClient(vaultUri: string) {
const credentialOptions: TokenCredential[] = [];
// Only add managed identity credential if the client ID is provided
if (process.env.AZURE_CLIENT_ID) {
credentialOptions.push(new ManagedIdentityCredential({ clientId: process.env.AZURE_CLIENT_ID }));
}
// Always add the Azure CLI as an option
credentialOptions.push(new AzureCliCredential({ tenantId: '72f988bf-86f1-41af-91ab-2d7cd011db47' }));
// Check if terminal is interactive, non-interactive environments can't use
// InteractiveBrowserCredential and don't necessarily have access to a keychain
// For SSH sessions into Azure VMs, keychain is not available, requires managed identity
if (process.stdin.isTTY && !process.env.AZURE_CLIENT_ID && !process.env.CODESPACES) {
credentialOptions.push(new InteractiveBrowserCredential({ tenantId: '72f988bf-86f1-41af-91ab-2d7cd011db47' }));
}
// Use DeviceCodeCredential in Codespaces
if (process.env.CODESPACES) {
const deviceCodeCredential = new DeviceCodeCredential({
tenantId: '72f988bf-86f1-41af-91ab-2d7cd011db47',
userPromptCallback: (info) => {
console.log('To authenticate, visit:', info.verificationUri);
console.log('Enter the code:', info.userCode);
}
});
credentialOptions.push(deviceCodeCredential);
}
const credential = new ChainedTokenCredential(...credentialOptions);
return new SecretClient(vaultUri, credential);
}
async function fetchSecret(secretClient: SecretClient, secretName: string): Promise<string | undefined> {
const secret = await secretClient.getSecret(secretName);
return secret.value;
}
async function fetchSecrets(): Promise<{ [key: string]: string | undefined }> {
const keyVaultClient = await setupSecretClient('https://copilot-automation.vault.azure.net/');
const secrets: { [key: string]: string | undefined } = {};
secrets['HMAC_SECRET'] = await fetchSecret(keyVaultClient, 'hmac-secret');
if (!process.stdin.isTTY) { // only in automation
secrets['GITHUB_OAUTH_TOKEN'] = await fetchSecret(keyVaultClient, 'capi-oauth');
secrets['VSCODE_COPILOT_CHAT_TOKEN'] = await fetchSecret(keyVaultClient, 'copilot-token');
secrets['BLACKBIRD_EMBEDDINGS_KEY'] = await fetchSecret(keyVaultClient, 'vsc-aoai-key');
secrets['BLACKBIRD_REDIS_CACHE_KEY'] = await fetchSecret(keyVaultClient, 'blackbird-redis-cache-key');
try {
secrets['ANTHROPIC_API_KEY'] = await fetchSecret(keyVaultClient, 'anthropic-key');
secrets['DEEPSEEK_API_KEY'] = await fetchSecret(keyVaultClient, 'deepseek-key');
} catch (error) {
console.log(red(`Failed to fetch optional evaluation tokens. Skipping...`));
}
}
return secrets;
}
async function main() {
const env = Object.entries(await fetchSecrets());
const raw = fs.existsSync('.env') ? fs.readFileSync('.env', 'utf8') : '';
const result = raw.split('\n')
.filter(line => !env.some(([key]) => line.startsWith(`${key}=`)))
.concat(env.map(([key, value]) => `${key}=${value}`))
.filter(line => line.trim() !== '') // Remove empty lines
.join('\n');
fs.writeFileSync('.env', result);
console.log('Wrote secrets to .env');
process.exit(0);
}
main().catch(error => {
console.error(red(`Error when setting up .env file:\n${error}`));
process.exit(1);
});