Fix service connection references in response to Azure DevOps OIDC changes #2013

Merged
lbussell merged 11 commits into dotnet:main from lbussell:fix-oidc-service-connections
Mar 12, 2026
Conversation

@lbussell (Member)

This PR fixes #2012.

Azure DevOps changed OIDC token scoping so that service connections must be referenced in the same stage that requests the token. This broke all pipelines because we were referencing them in a separate SetupServiceConnectionsStage. This PR replaces that pattern with reference-service-connections.yml, a step template included in each job that needs OIDC, referencing only the connections that job uses. The setup stage and its plumbing in the 1ES templates have been removed.

Internal unofficial pipeline run demonstrating that the new approach works: build#2924511
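To make the pattern concrete, here is an added sketch of a step template in the spirit of reference-service-connections.yml, followed by a job that includes it. It is not the repository's own file: the parameter names, the skipReferences guard, the publishConfig handling (simplified here to a plain serviceConnections list) and the placeholder connection names are assumptions.

```yaml
# reference-service-connections.yml (illustrative sketch, not the repo's file)
# Each job that requests an OIDC token includes this template so the
# connections are referenced in the same stage that uses them.
parameters:
- name: serviceConnections       # names of the Azure service connections this job uses
  type: object
  default: []
- name: dockerClientOS           # 'linux' or 'windows'; Windows agents lack pwsh
  type: string
  default: linux
- name: skipReferences           # assumed guard: true for PR validation / public project
  type: boolean
  default: false

steps:
- ${{ if not(parameters.skipReferences) }}:
  - ${{ each connection in parameters.serviceConnections }}:
    - task: AzureCLI@2
      displayName: Reference service connection ${{ connection }}
      inputs:
        # Naming the connection here is what scopes the OIDC token to this
        # stage; the script body itself does no work.
        azureSubscription: ${{ connection }}
        ${{ if eq(parameters.dockerClientOS, 'windows') }}:
          scriptType: ps          # Windows PowerShell, since pwsh is unavailable
        ${{ else }}:
          scriptType: bash
        scriptLocation: inlineScript
        inlineScript: echo "Referenced service connection ${{ connection }}"

# A job template that needs OIDC includes the step template itself, replacing
# the former separate SetupServiceConnectionsStage. Connection names are
# placeholders; isPublicBuild is an assumed parameter of the enclosing template.
jobs:
- job: Publish
  steps:
  - template: reference-service-connections.yml
    parameters:
      serviceConnections:
      - <acr-service-connection-placeholder>
      - <kusto-service-connection-placeholder>
      dockerClientOS: linux
      skipReferences: ${{ parameters.isPublicBuild }}
  # ... publish steps that request the OIDC token follow in this same job
```

Only the connections listed by the including job are referenced, so a job that needs none emits no steps at all.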

lbussell and others added 8 commits March 11, 2026 15:52
Azure DevOps now requires service connections to be explicitly referenced
within the stage that requests the OIDC token. Previously, referencing them
in the SetupServiceConnectionsStage was sufficient for the entire pipeline.

- Create reference-service-connections.yml step template that emits
  AzureCLI@2 steps for specified registries from publishConfig
- Include it in copy-base-images.yml job template (unofficial pipeline)
- Include it in check-base-image-updates.yml job template (official pipeline)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Windows agents don't have pwsh (PowerShell Core). Added dockerClientOS
parameter to select the correct script type.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Non-registry service connections (kusto, marStatus) need OIDC token
references too. Thread the additionalServiceConnections parameter from
build-test-publish.yml through to publish.yml job template, and pass
it to reference-service-connections.yml.

Also update reference-service-connections.yml to accept a direct
serviceConnections list alongside the publishConfig-based registries.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- add per-job service connection references to cleanup stages
- remove setup-service-connections stage usage from build, check, and mirror stage templates
- stop cleanup pipelines from passing serviceConnections into 1ES templates

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The setup-service-connections stage no longer works due to Azure DevOps
OIDC scoping changes - service connections must be referenced from the
stage that requests the token. All jobs now self-reference their service
connections via reference-service-connections.yml.

- Delete setup-service-connections.yml
- Remove serviceConnections param from 1es-official.yml and 1es-unofficial.yml
- Fix annotate-eol-digests.yml to use inline reference step

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Rewrite reference-service-connections.yml header with full usage docs
- Add descriptions to additionalServiceConnections across template chain
- Create CHANGELOG.md documenting the breaking change

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@lbussell lbussell requested a review from a team as a code owner March 12, 2026 01:59
lbussell and others added 3 commits March 12, 2026 07:19
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Service connections don't exist in the public project, so the
AzureCLI@2 reference steps must be skipped for PR validation and
public project builds.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@lbussell lbussell enabled auto-merge (squash) March 12, 2026 14:57
@lbussell lbussell merged commit 7dae93c into dotnet:main Mar 12, 2026
19 checks passed
@lbussell lbussell deleted the fix-oidc-service-connections branch March 12, 2026 14:59
lbussell added a commit to lbussell/docker-tools that referenced this pull request Mar 13, 2026
The generate-matrix.yml job template was missed in PR dotnet#2013 when
reference-service-connections.yml was added to other job templates.
This causes OIDC auth failures when --trim-cached-images checks
base image digests in the ACR mirror registry.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
lbussell added a commit that referenced this pull request Mar 13, 2026
The generate-matrix.yml job template was missed in PR #2013 when
reference-service-connections.yml was added to other job templates. This
causes OIDC auth failures when --trim-cached-images checks base image
digests in the ACR mirror registry.

This fixes the build error seen in dotnet-buildtools-prereqs-docker
build#2925830.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Development

Successfully merging this pull request may close these issues.

Azure DevOps OIDC token requests failing for service connections used via AzurePipelinesCredential
