
Migrate dn-bot-all-orgs-build-rw-code-rw from PAT to Entra auth #16785

Merged: premun merged 4 commits into dotnet:main from missymessa:migrate-dn-bot-all-orgs-build-rw-code-rw-10141 on May 12, 2026

Conversation

@missymessa
Member

Summary

Migrates the dn-bot-all-orgs-build-rw-code-rw PAT from Basic auth to Entra-based authentication using the existing maestro-build-promotion WIF service connection in the V3 publishing pipeline.

Work Item: https://dev.azure.com/dnceng/internal/_workitems/edit/10141

Changes

C# (PublishArtifactsInManifestBase.cs)

  • CreateAzdoClient(): When no PAT is provided, falls back to DefaultIdentityTokenCredential with bearer token for AzDO resource (499b84ac-1321-427f-aa17-267ca6975798/.default). Supports AzurePipelinesCredential (from AzureCLI@2 with addSpnToEnvironment:true), ManagedIdentityCredential, WorkloadIdentityCredential, and AzureCliCredential.
  • HasEntraCredentialsAvailable(): New method to check for available Entra credentials, used in validation to avoid false errors when streaming publishing is configured without a PAT.
  • AnyMissingRequiredBaseProperties(): Relaxed validation — only errors on missing AzdoApiToken when Entra credentials are also unavailable.

YAML (eng/publishing/v3/publish.yml)

  • Added addSpnToEnvironment: true to the 'Publish packages, blobs and symbols' AzureCLI@2 task (azureSubscription: maestro-build-promotion)
  • Removed /p:AzdoApiToken='' from MSBuild arguments

YAML (eng/common/core-templates/steps/publish-logs.yml)

  • Removed '' from binlog secret redaction list

Secret Manifest (.vault-config/product-builds-engkeyvault.yaml)

  • Fully deleted the dn-bot-all-orgs-build-rw-code-rw entry

Post-merge steps

  1. Un-map dn-bot-all-orgs-build-rw-code-rw from VG 20 (Publish-Build-Assets) and VG 110 (DotNet-Source-Build-All-Orgs-Source-Access) before secret-manager runs
  2. Monitor the first post-merge build promotion to verify Entra auth works end-to-end
  3. The maestro-build-promotion-mi is already enrolled in dnceng org with Readers group access (verified)

Identity details

  • MI: maestro-build-promotion-mi (AppId: 6e870007-e236-4eb1-8734-8bf8cd54c748)
  • SC: maestro-build-promotion (ID: df3b9892-c5c9-4d64-8b72-edd72e049305, type: azurerm, auth: WorkloadIdentityFederation)
  • Enrollment: Confirmed in dnceng/internal Readers group
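The CreateAzdoClient()/HasEntraCredentialsAvailable() shape described in the Changes list above, as an added C# example written for this page rather than Arcade's actual PublishArtifactsInManifestBase. It assumes Azure.Identity's ChainedTokenCredential stands in for DefaultIdentityTokenCredential, and that the environment variables probed in the comments are what "Entra credentials available" means (the real helper may check differently).

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

// Added example, not Arcade's code: the PAT-or-Entra client selection the PR describes.
public static class AzdoClientFactory
{
    // Azure DevOps resource ID from the PR description, with the /.default scope.
    private const string AzdoScope = "499b84ac-1321-427f-aa17-267ca6975798/.default";
    private static string? Env(string name) => Environment.GetEnvironmentVariable(name);
    // Assumption: probe the inputs AzurePipelinesCredential needs (AzureCLI@2 with
    // addSpnToEnvironment: true plus a SYSTEM_ACCESSTOKEN mapping); the real helper may differ.
    private static bool HasPipelinesVars() =>
        Env("AZURESUBSCRIPTION_CLIENT_ID") is not null && Env("AZURESUBSCRIPTION_TENANT_ID") is not null
        && Env("AZURESUBSCRIPTION_SERVICE_CONNECTION_ID") is not null && Env("SYSTEM_ACCESSTOKEN") is not null;
    // Any Entra path: pipelines WIF, workload identity token file, or a managed identity endpoint.
    public static bool HasEntraCredentialsAvailable() =>
        HasPipelinesVars() || Env("AZURE_FEDERATED_TOKEN_FILE") is not null
        || Env("IDENTITY_ENDPOINT") is not null || Env("MSI_ENDPOINT") is not null;

    public static async Task<HttpClient> CreateAzdoClientAsync(string? pat, CancellationToken ct)
    {
        var client = new HttpClient { BaseAddress = new Uri("https://dev.azure.com/") };
        if (!string.IsNullOrEmpty(pat))
        {   // Legacy path for callers still passing AzdoApiToken: PAT as Basic auth with empty user.
            var basic = Convert.ToBase64String(Encoding.ASCII.GetBytes(":" + pat));
            client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Basic", basic);
            return client;
        }
        if (!HasEntraCredentialsAvailable())
            throw new InvalidOperationException("AzdoApiToken not set and no Entra credential is available.");
        // Credential kinds the PR lists, tried in order; AzurePipelinesCredential's ctor rejects nulls, so gate it.
        var chain = new List<TokenCredential>();
        if (HasPipelinesVars())
            chain.Add(new AzurePipelinesCredential(Env("AZURESUBSCRIPTION_TENANT_ID"), Env("AZURESUBSCRIPTION_CLIENT_ID"),
                Env("AZURESUBSCRIPTION_SERVICE_CONNECTION_ID"), Env("SYSTEM_ACCESSTOKEN")));
        chain.AddRange(new TokenCredential[] { new ManagedIdentityCredential(), new WorkloadIdentityCredential(), new AzureCliCredential() });
        // global:: sidesteps the Microsoft.Azure.Core.TokenRequestContext ambiguity (CS0234) noted in the commits.
        AccessToken token = await new ChainedTokenCredential(chain.ToArray())
            .GetTokenAsync(new global::Azure.Core.TokenRequestContext(new[] { AzdoScope }), ct);
        client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token.Token);
        return client;
    }
}
```

With no PAT and none of the probed variables set, the factory fails fast with the InvalidOperationException instead of letting the chain time out against a non-existent managed identity endpoint.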

missymessa and others added 4 commits May 8, 2026 08:13
…0141)

Replace PAT-based AzDO API authentication in the publishing pipeline with
Entra-based auth using the existing maestro-build-promotion WIF service
connection.

Changes:
- CreateAzdoClient(): Fall back to DefaultIdentityTokenCredential (bearer
  token for AzDO resource 499b84ac-...) when no PAT is provided
- HasEntraCredentialsAvailable(): New validation helper checking for
  AzurePipelinesCredential, WorkloadIdentityCredential, or MI environment
- publish.yml: Remove AzdoApiToken PAT reference, add addSpnToEnvironment
- publish-logs.yml: Remove PAT from binlog redaction list
- product-builds-engkeyvault.yaml: Delete PAT from Key Vault manifest

Post-merge: Un-map dn-bot-all-orgs-build-rw-code-rw from VGs 20
(Publish-Build-Assets) and 110 (DotNet-Source-Build-All-Orgs-Source-Access)
before the secret-manager deletes the Key Vault secret.

The unqualified Azure.Core.TokenRequestContext was being resolved as
Microsoft.Azure.Core.TokenRequestContext due to the Microsoft namespace
being in scope, causing CS0234. Using global::Azure.Core disambiguates.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>