Replace dn-bot PAT with WIF token for internal VMR push (8.0.1xx)#20822
ellahathaway merged 3 commits into release/8.0.1xx from
Pull request overview
Updates the VMR synchronization pipeline for internal/release/* branches to authenticate darc vmr push using a WIF-minted Azure DevOps access token instead of the legacy dn-bot PAT, aligning with the broader PAT migration effort.
Changes:
- Added an `AzureCLI@2` step to mint an Azure DevOps token via the `dnceng-build-rw-code-rw-wif` service connection.
- Updated the internal VMR push invocation to pass the minted token via `--azdev-pat`.
Related PRs (full branch coverage)

This PAT exists on 6 release branches. PRs for all of them:

The file does not exist on main, so no new branches will inherit this PAT.
@missymessa - can this be merged?

@ellahathaway If the PR does enough validation for this change, sure! But if you have suggestions for how to validate this change, let me know :)

I don't think we can run the sync pipeline manually, so AFAIK there's not a way to test these changes before merging them. That said, I'm monitoring the sync pipelines this week, so worst case we just revert the change if something doesn't work :) Setting the PR to automerge

@ellahathaway okay! Let me know if you see anything weird with the build after the merge! 🤞
…0822) Co-authored-by: Ella Hathaway <67609881+ellahathaway@users.noreply.github.com>
AB#10139
Migrate the `darc vmr push` command for `internal/release` branches from using the `dn-bot-dnceng-build-rw-code-rw` PAT (via `DotNetBot-AzDO-PAT` variable group) to a WIF-minted Entra token obtained through the `dnceng-build-rw-code-rw-wif` service connection.

## Changes

- Added an `AzureCLI@2` step that authenticates via the `dnceng-build-rw-code-rw-wif` service connection and mints an AzDO bearer token using `az account get-access-token`
- Replaced `--azdev-pat ''` with `--azdev-pat ''` in the internal VMR push step

## Context

This is the `release/8.0.1xx` counterpart to #20821 (which targets `release/8.0.4xx`). Only 8.0.1xx actually pushes to the internal VMR, so this is where the change takes effect.

Part of PAT migration work item: https://dev.azure.com/dnceng/internal/_workitems/edit/10139

## Prerequisites

Before merging, the `dnceng-build-rw-code-rw-wif` service principal needs:

1. Enrollment in the dnceng AzDO org
2. Contribute permission on the `dotnet-dotnet` repo
3. Bypass policies when pushing on the `dotnet-dotnet` repo
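
The pattern the description outlines, as an added Azure Pipelines sketch that is not the repository's actual pipeline: a WIF-backed `AzureCLI@2` step mints a short-lived Azure DevOps token and hands it to the push step as a masked secret. The variable names `AzdoToken`, `AZDO_TOKEN` and `VmrPushArgs` are assumptions; only the service connection name, `az account get-access-token`, `darc vmr push` and `--azdev-pat` come from the PR.

```yaml
# Added example; not taken from the PR diff.
steps:
- task: AzureCLI@2
  displayName: Mint Azure DevOps token via WIF service connection
  inputs:
    azureSubscription: dnceng-build-rw-code-rw-wif   # service connection named in the PR
    scriptType: bash
    scriptLocation: inlineScript
    inlineScript: |
      set -euo pipefail
      # 499b84ac-1321-427f-aa17-267ca6975798 is the Entra ID resource
      # (application) ID of Azure DevOps; the token's audience is scoped to it.
      token="$(az account get-access-token \
        --resource 499b84ac-1321-427f-aa17-267ca6975798 \
        --query accessToken --output tsv)"
      # Fail closed: never continue to the push with an empty credential.
      if [ -z "$token" ]; then
        echo "##vso[task.logissue type=error]No Azure DevOps token was returned"
        exit 1
      fi
      # issecret=true masks the value in logs. AzdoToken is a hypothetical name.
      echo "##vso[task.setvariable variable=AzdoToken;issecret=true]$token"

- script: |
    set -euo pipefail
    # VmrPushArgs is a hypothetical variable standing in for the pipeline's
    # existing darc arguments; only --azdev-pat is taken from the PR.
    darc vmr push $(VmrPushArgs) --azdev-pat "$AZDO_TOKEN"
  displayName: Push to internal VMR
  env:
    # Secret variables are not exported to scripts automatically;
    # map the token explicitly, and only into the step that needs it.
    AZDO_TOKEN: $(AzdoToken)
```

Because the token is an expiring Entra access token rather than a stored PAT, mint it in the same job as the push and keep the two steps close together.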