
Replace PAT with WIF service connection for VS insertion #19683

Merged
T-Gro merged 3 commits into dotnet:main from missymessa:dev/migrate-pat-to-wif-10091
May 7, 2026
@missymessa
Member

Summary

Migrate the VS insertion pipeline authentication from the dn-bot-devdiv-build-rw-code-rw-release-rw PAT to the dnceng-fsharp-vs-insertion-wif Entra Workload Identity Federation (WIF) service connection.

Changes

  • Remove DotNet-VSTS-Infra-Access variable group reference (no longer needed)
  • Remove InsertAccessToken variable that pulled from the PAT secret
  • Add AzureCLI@2 step that authenticates via the WIF service connection and acquires a bearer token for Azure DevOps
  • Set InsertAccessToken as a secret pipeline variable from the WIF-acquired token

Context

This is part of the dnceng PAT-to-Entra migration (WI 10091). The 1ES PAT disable policy requires all non-packaging PATs to be migrated to Entra-based credentials.

The replacement service connection dnceng-fsharp-vs-insertion-wif uses:

  • App Registration: dnceng-fsharp-vs-insertion-wif (appId: �f297404-7399-4e71-ac5f-f9be7bca6904)
  • WIF Service Connection in dnceng/internal (id: 84a9d9d1-ab12-4359-a544-0ac10c2934fd)
  • DevDiv enrollment: SP enrolled with Contribute, Contribute to PRs, Create tag, Manage notes, Read on the VS repo

Validation

  • Post-merge: monitor the first insertion build to confirm AzureCLI@2 authenticates successfully and MicroBuildInsertVsPayload@5 creates the VS insertion PR

Migrate from dn-bot-devdiv-build-rw-code-rw-release-rw PAT to the
dnceng-fsharp-vs-insertion-wif Entra WIF service connection for
authenticating to DevDiv when creating VS insertion PRs.

- Remove DotNet-VSTS-Infra-Access variable group reference
- Add AzureCLI@2 step to acquire bearer token via WIF SC
- Set InsertAccessToken as secret variable from WIF token

Resolves: https://dev.azure.com/dnceng/internal/_workitems/edit/10091
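
One way the AzureCLI@2 inline script described in the summary could acquire the token and publish it as a secret variable. This is an added example, not the PR's actual change: the function names are hypothetical, and the resource ID is the well-known Azure DevOps application ID rather than a value from this page.

```shell
#!/usr/bin/env bash
# Added example: inline script body for an AzureCLI@2 step (scriptType: bash).
# Assumes the task has already signed `az` in through the WIF service connection.

# Well-known Entra application ID for Azure DevOps (an assumption, not from the PR).
ADO_RESOURCE_ID="499b84ac-1321-427f-aa17-267ca6975798"

# Succeeds only for three dot-separated base64url segments (JWT shape).
# Rejecting other characters also keeps newlines out of the logging command.
looks_like_jwt() {
  case "$1" in
    *[!A-Za-z0-9._-]*) return 1 ;;
  esac
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$'
}

# Acquire an Azure DevOps bearer token and publish it as a secret variable.
# Fails closed: on any error nothing is published and the step returns non-zero.
publish_insert_token() {
  set +x  # never trace the token into the build log
  token="$(az account get-access-token --resource "$ADO_RESOURCE_ID" \
             --query accessToken --output tsv)" || {
    echo "##vso[task.logissue type=error]WIF token acquisition failed"
    return 1
  }
  if ! looks_like_jwt "$token"; then
    echo "##vso[task.logissue type=error]az returned an unexpected token format"
    return 1
  fi
  # issecret=true makes the agent mask the value in later log output.
  echo "##vso[task.setvariable variable=InsertAccessToken;issecret=true]$token"
}

# TF_BUILD is set on Azure Pipelines agents; elsewhere the file only defines functions.
if [ -n "${TF_BUILD:-}" ]; then
  publish_insert_token
fi
```

Later steps read the value as $(InsertAccessToken); because it is a secret variable, it has to be mapped explicitly into a script's environment rather than relying on automatic export.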
@github-actions
Contributor

github-actions Bot commented May 5, 2026

✅ No release notes required

@github-project-automation github-project-automation Bot moved this from New to In Progress in F# Compiler and Tooling May 6, 2026
@T-Gro T-Gro enabled auto-merge (squash) May 6, 2026 12:17