Backport Entra credential fallback for dn-bot-all-orgs-build-rw-code-rw (WI 10724)#16833
Closed
missymessa wants to merge 2 commits into
…rw (WI 10724)

Backports the Entra-based authentication fallback from main (PR dotnet#16806) to release/10.0, allowing the V3 publishing pipeline to authenticate without the expired dn-bot-all-orgs-build-rw-code-rw PAT.

Changes:
- Add Entra fallback to CreateAzdoClient in PublishArtifactsInManifestBase
- Add addSpnToEnvironment: true to Publish task
- Remove /p:AzdoApiToken from publish.yml
- Remove PAT from publish-logs.yml redaction list
- Delete PAT entry from product-builds-engkeyvault.yaml

AB#10724
Contributor
Pull request overview
Backports Entra-based Azure DevOps authentication for V3 publishing so streaming publishing can fall back from the expired dn-bot-all-orgs-build-rw-code-rw PAT to service-connection credentials.
Changes:
- Adds bearer-token fallback in CreateAzdoClient and relaxes missing PAT validation when Entra credentials are available.
- Updates V3 publishing YAML to expose service connection credentials and stop passing the expired PAT.
- Removes the retired PAT from log redaction and Key Vault configuration.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| src/Microsoft.DotNet.Build.Tasks.Feed/src/PublishArtifactsInManifestBase.cs | Adds Entra credential fallback and validation changes for streaming AzDO access. |
| eng/publishing/v3/publish.yml | Enables SPN environment injection and removes the AzDO PAT MSBuild parameter. |
| eng/common/core-templates/steps/publish-logs.yml | Removes the retired PAT from sensitive log redaction inputs. |
| .vault-config/product-builds-engkeyvault.yaml | Deletes the expired PAT secret definition. |
Comment on lines +1980 to +1982
| if (UseStreamingPublishing && string.IsNullOrEmpty(AzdoApiToken) && !HasEntraCredentialsAvailable()) | ||
| { | ||
| Log.LogError($"The property {nameof(AzdoApiToken)} is required when using streaming publishing, but doesn't have a value set."); | ||
| Log.LogError($"The property {nameof(AzdoApiToken)} is required when using streaming publishing (unless Entra credentials are available via AzureCLI@2 or Managed Identity), but doesn't have a value set."); |
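Review bot: On the `if` line, a non-empty AzdoApiToken still passes this validation even when the token has expired, so the Entra path is only certain to be taken once every caller has stopped passing /p:AzdoApiToken. Consider having the client creation prefer Entra credentials whenever HasEntraCredentialsAvailable() is true, or at least logging which credential type was selected, so a stale PAT cannot silently win. Separately, the new error text mentions "AzureCLI@2 or Managed Identity", but it only fires when HasEntraCredentialsAvailable() returns false and that method is not visible in this hunk; naming the inputs the method actually checks would tell whoever hits the error what to set.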
Member
@missymessa This PR is not necessary, as this code is not ever active in downlevel branches.
Member
Author
@mmitche sweet! dumping this PR then!
Summary
Backports the Entra-based authentication fallback from main (PR #16806) to release/10.0.
The V3 publishing pipeline was failing because dn-bot-all-orgs-build-rw-code-rw expired on 2026-05-14. This change adds the Entra credential fallback so the publish task uses AzurePipelinesCredential from the maestro-build-promotion service connection.

Changes
- CreateAzdoClient in PublishArtifactsInManifestBase
- addSpnToEnvironment: true to Publish task
- /p:AzdoApiToken from publish.yml
- publish-logs.yml redaction list
- product-builds-engkeyvault.yaml

Work Item: https://dev.azure.com/dnceng/internal/_workitems/edit/10724