[release/10.0] Replace dn-bot-dnceng-build-rw-code-rw PAT with WIF service connection in mirror-within-azdo

[missymessa]

Summary

Migrate the azure-pipelines-mirror-within-azdo.yml pipeline from using the dn-bot-dnceng-build-rw-code-rw PAT (from the Mirror-Credentials variable group) to the dnceng-build-rw-code-rw-wif Workload Identity Federation service connection.

This is the same change as #66074 (merged to main), ported to the release/10.0 branch.

Changes

• Remove Mirror-Credentials variable group reference
• New AzureCLI@2 step – mints an AzDO bearer token via az account get-access-token using the dnceng-build-rw-code-rw-wif WIF service connection and stores it as the secret pipeline variable WifAzdoToken
• Clone step now uses header-based auth (http.extraheader) instead of PAT embedded in the URL
• Push step now uses header-based auth as well

Related

• Part of PAT migration work item WI 10139
• Service connection: dnceng-build-rw-code-rw-wif (Entra app 21f66e0-bb35-4fd3-bc70-ba084d1e7a52)

[Copilot]

Pull request overview

Migrates the azure-pipelines-mirror-within-azdo.yml pipeline off the dn-bot-dnceng-build-rw-code-rw PAT and onto the dnceng-build-rw-code-rw-wif Workload Identity Federation (WIF) service connection for authenticating Git operations against Azure DevOps.

Changes:

• Removed the Mirror-Credentials variable group reference (PAT no longer required).
• Added an AzureCLI@2 step to mint an Azure DevOps AAD access token and store it as a secret pipeline variable (WifAzdoToken).
• Updated git clone and git push to use http.extraheader with the minted bearer token.

[missymessa]

/azp run aspnetcore-ci

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[wtgodbe]

Failure unrelated