Replace dn-bot PAT with WIF token for internal VMR push (8.0.2xx)#20823
Replace dn-bot PAT with WIF token for internal VMR push (8.0.2xx)#20823missymessa wants to merge 1 commit intorelease/8.0.2xxfrom
Conversation
There was a problem hiding this comment.
Pull request overview
Migrates internal VMR push authentication from a stored PAT to a WIF-minted Azure DevOps bearer token for internal/release/* branches.
Changes:
- Adds an
AzureCLI@2step intended to mint an AzDO access token via thednceng-build-rw-code-rw-wifservice connection. - Updates the
darc vmr pushinvocation to use the minted token instead of thedn-bot-dnceng-build-rw-code-rwPAT.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Add AzureCLI@2 step to mint an Azure DevOps access token via the dnceng-build-rw-code-rw-wif service connection (workload identity federation). The minted token replaces the dn-bot-dnceng-build-rw-code-rw PAT for darc vmr push to internal/release/* branches. Includes error handling for token acquisition failures.
missymessa
force-pushed
the
pat-migration/wif-vmr-push-8.0.2xx
branch
from
2cae6c6 to
1d20a91
Compare
|
Force-pushed to fix broken YAML from the original commit. The previous version had the |
Build Failure AnalysisThe build failure is not related to this PR's change. The failing job (\Windows_NT_Build_Debug_x64) errors during toolset restore: \ This causes \Microsoft.DotNet.Arcade.Sdk\ resolution to fail. The disabled feed is a pre-existing issue on the |
|
2xx and 3xx are out of support so you don't have to worry about those branches. only 1xx and 4xx. |
AB#10139
Migrate the darc vmr push command for internal/release branches from using the dn-bot-dnceng-build-rw-code-rw PAT (via DotNetBot-AzDO-PAT variable group) to a WIF-minted Entra token obtained through the dnceng-build-rw-code-rw-wif service connection. ## Changes - Added an AzureCLI@2 step that authenticates via the dnceng-build-rw-code-rw-wif service connection and mints an AzDO bearer token - Replaced --azdev-pat with WIF-minted token in the internal VMR push step ## Context Part of a set of PRs migrating this PAT across all active release branches: - #20821 (release/8.0.4xx) - #20822 (release/8.0.1xx) - This PR (release/8.0.2xx) Part of PAT migration work item: https://dev.azure.com/dnceng/internal/_workitems/edit/10139 ## Prerequisites Before merging, the dnceng-build-rw-code-rw-wif service principal needs: 1. Enrollment in the dnceng AzDO org 2. Contribute permission on the dotnet-dotnet repo 3. Bypass policies when pushing on the dotnet-dotnet repo