
Migrate dn-bot-devdiv-drop-rw-code-rw PAT to WIF service connection#15792

Merged
nohwnd merged 1 commit into
microsoft:mainfrom
missymessa:dev/migrate-devdiv-drop-pat-to-wif
May 27, 2026

Conversation

@missymessa
Contributor

Summary

Replaces the `dn-bot-devdiv-drop-rw-code-rw` PAT with a WIF-based service connection (`dnceng-devdiv-drop-rw-code-rw-wif`) for DevDiv drop access.

Changes

  • Add AzureCLI@2 task in the Publish job to acquire an Entra token via the WIF service connection before the MicroBuildVstsDrop task
  • Set `_DevDivDropAccessToken` at runtime using the WIF-acquired token instead of the static PAT from the `DotNet-VSTS-Infra-Access` variable group
  • Remove static PAT variable reference from the variable declarations

Context

This is part of the PAT-to-Entra migration tracked by AB#10146. The WIF service connection `dnceng-devdiv-drop-rw-code-rw-wif` (backed by app registration `dnceng-devdiv-drop-rw-code-rw-wif`, App ID: `7106a410-fbcb-4750-a202-879077f925ec`) was previously created and verified. The same pattern was successfully deployed in dotnet/fsharp#19598.

Validation

Note: PR validation pipelines read YAML from `main`, not the PR branch. The actual WIF migration will be validated on the first post-merge CI build.

Replace the dn-bot-devdiv-drop-rw-code-rw PAT with a WIF-based
service connection (dnceng-devdiv-drop-rw-code-rw-wif) for DevDiv
drop access.

- Add AzureCLI@2 task to acquire an Entra token via the WIF SC
- Set _DevDivDropAccessToken at runtime via the WIF token
- Remove static PAT variable reference from DotNet-VSTS-Infra-Access
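The before/after shape of the change listed above, as an added illustration rather than the pipeline's own YAML: the service connection name and the Azure DevOps resource id are the ones named on the page, while the exit-code check and the `task.setvariable` line are assumptions about how the runtime token is handed to the existing drop task.

```yaml
# Added illustration of the PAT-to-WIF pattern, not the pipeline's own file.
variables:
  # BEFORE: long-lived PAT pulled from a shared variable group.
  # - group: DotNet-VSTS-Infra-Access
  # - name: _DevDivDropAccessToken
  #   value: $(dn-bot-devdiv-drop-rw-code-rw)

  # AFTER: empty placeholder, populated at runtime by the AzureCLI@2 step.
  - name: _DevDivDropAccessToken
    value: ''

steps:
  - task: AzureCLI@2
    displayName: Acquire DevDiv drop token via WIF
    inputs:
      # WIF service connection: federated identity, no stored secret.
      azureSubscription: dnceng-devdiv-drop-rw-code-rw-wif
      scriptType: pscore
      scriptLocation: inlineScript
      inlineScript: |
        # 499b84ac-1321-427f-aa17-267ca6975798 is the Azure DevOps resource app id.
        $token = az account get-access-token `
          --resource 499b84ac-1321-427f-aa17-267ca6975798 `
          --query accessToken -o tsv
        # Assumed hardening: fail the step here rather than hand an empty
        # token to the drop task and debug a less clear upload error later.
        if ($LASTEXITCODE -ne 0 -or [string]::IsNullOrWhiteSpace($token)) {
          Write-Host "##vso[task.logissue type=error]Failed to acquire DevDiv drop token"
          exit 1
        }
        # issecret=true masks the short-lived token in logs; nothing is stored.
        Write-Host "##vso[task.setvariable variable=_DevDivDropAccessToken;issecret=true]$token"

  # The existing 1ES.MicroBuildVstsDrop@1 step then reads
  # $(_DevDivDropAccessToken) exactly as it did with the PAT.
```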
Copilot AI review requested due to automatic review settings May 15, 2026 21:48
Contributor

Copilot AI left a comment


Pull request overview

This PR migrates DevDiv drop publishing in the official Azure Pipelines build from a static PAT (dn-bot-devdiv-drop-rw-code-rw) to a WIF-based service connection, acquiring an Entra ID access token at runtime before the VSTS drop upload task.

Changes:

  • Replaced the _DevDivDropAccessToken variable’s static PAT value with an empty placeholder to be populated at runtime.
  • Added an AzureCLI@2 step in the Publish job to acquire an Azure DevOps access token via the dnceng-devdiv-drop-rw-code-rw-wif service connection.
  • Continued passing _DevDivDropAccessToken into 1ES.MicroBuildVstsDrop@1 for drop upload, now sourced from the WIF-acquired token.

Comment on lines 95 to +100
- group: DotNet-Symbol-Server-Pats
# Group gives access to $dn-bot-devdiv-drop-rw-code-rw and dn-bot-dnceng-build-rw-code-rw
- group: DotNet-VSTS-Infra-Access
# DevDiv drop access token is acquired via WIF service connection (dnceng-devdiv-drop-rw-code-rw-wif)
- name: _DevDivDropAccessToken
value: $(dn-bot-devdiv-drop-rw-code-rw)
value: ''
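Review bot: the comment above the `DotNet-VSTS-Infra-Access` group still says it gives access to `$dn-bot-devdiv-drop-rw-code-rw`, which this change stops using; update it to list only `dn-bot-dnceng-build-rw-code-rw` (or drop the group include if nothing else in the job needs it) so the remaining PAT dependency is visible for the next migration.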
scriptType: pscore
scriptLocation: inlineScript
inlineScript: |
$token = az account get-access-token --resource 499b84ac-1321-427f-aa17-267ca6975798 --query accessToken -o tsv
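Review bot: the inline script as shown stops at assigning `$token`; confirm the lines that follow check `$LASTEXITCODE` and an empty result and fail the step, and that the value is written back with `##vso[task.setvariable variable=_DevDivDropAccessToken;issecret=true]` so it is masked in logs. Without the check, an `az` failure yields an empty `_DevDivDropAccessToken` that the drop task only rejects later with a less clear error.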
@nohwnd
Member

nohwnd commented May 26, 2026

/azp run

@azure-pipelines

Azure Pipelines could not run because the pipeline triggers exclude this branch/path.

@missymessa
Contributor Author

missymessa commented May 26, 2026

Thanks for looking at this @nohwnd! The pipeline trigger exclusion is expected — the PR validation YAML on the main branch excludes paths or the PR source branch isn't covered by the trigger config.

Important: Even if PR validation runs, it will execute the old YAML from main (not the PR branch), so it won't actually validate the WIF change. The real validation happens post-merge on the first CI build from main.

Context on why this is safe:

  • The WIF service connection (dnceng-devdiv-drop-rw-code-rw-wif) has been validated in roslyn (builds green since May 22), fsharp, test-templates, and interactive-window — all use the same SC and the same 1ES.MicroBuildVstsDrop@1 task pattern.
  • The SC is already authorized for the vstest pipeline (def 1222).
  • The only change is swapping $(dn-bot-devdiv-drop-rw-code-rw) (PAT from variable group) for the WIF-based $(_DevDivDropAccessToken) sourced from an AzureCLI@2 task.

If you'd like a manual test build before merge, I can queue one from the dnceng/internal side with the source branch override. Otherwise, merging and monitoring the first post-merge build is the standard approach we've used for the other repos.

@nohwnd nohwnd merged commit 46afcea into microsoft:main May 27, 2026
20 of 22 checks passed