Skip to content

Replace dn-bot-all-drop-rw-code-rw-release-all PAT with WIF token#5832

Merged
hoyosjs merged 1 commit into
dotnet:mainfrom
missymessa:migrate-pat-to-wif-10105
May 8, 2026
Merged

Replace dn-bot-all-drop-rw-code-rw-release-all PAT with WIF token#5832
hoyosjs merged 1 commit into
dotnet:mainfrom
missymessa:migrate-pat-to-wif-10105

Conversation

@missymessa

@missymessa missymessa commented May 6, 2026

Copy link
Copy Markdown
Member

Summary

Migrate the DARC Gather build task in \�ng/pipelines/prepare-release.yml\ from using the \dn-bot-all-drop-rw-code-rw-release-all\ PAT to acquiring an AzDO access token from the DotNetStaging service connection via \�z account get-access-token.

What changed

The \AzureCLI@2\ task already runs with the \DotNetStaging\ service connection (WIF), so the Azure CLI is already authenticated. Instead of passing the PAT variable, we now:

  1. Acquire an AzDO token: \�z account get-access-token --resource 499b84ac-1321-427f-aa17-267ca6975798\
  2. Pass that token to \AcquireBuild.ps1 -AzdoToken\

This switches from \scriptPath+\�rguments\ to \inlineScript\ to allow the token acquisition step.

Why

Part of the 1ES PAT Disable Policy migration. The \dn-bot-all-drop-rw-code-rw-release-all\ PAT is being retired in favor of Entra-based authentication.

Tracked by: https://dev.azure.com/dnceng/internal/_workitems/edit/10105

Validation

  • The DotNetStaging SP is already enrolled in the \dnceng\ AzDO org with appropriate group memberships
  • The SP already authenticates blob storage downloads (--use-azure-credential-for-blobs) in the same task
  • Post-merge, the first release pipeline run on a
    elease/*\ branch will validate end-to-end

@missymessa
Replace dn-bot-all-drop-rw-code-rw-release-all PAT with WIF token
62bb0ab 
Migrate DARC Gather build task from using the dn-bot-all-drop-rw-code-rw-release-all
PAT to acquiring an AzDO access token from the DotNetStaging service connection
via az account get-access-token. The task already runs inside AzureCLI@2 with
DotNetStaging, so the SP is already authenticated.

Part of PAT migration work item dnceng/internal#10105.
Copilot AI review requested due to automatic review settings May 6, 2026 18:31
@hoyosjs hoyosjs merged commit 8093677 into dotnet:main May 8, 2026
22 of 23 checks passed
@dotnet-maestro dotnet-maestro Bot mentioned this pull request May 13, 2026
Merged
@github-actions github-actions Bot locked and limited conversation to collaborators Jun 7, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@hoyosjs hoyosjs hoyosjs approved these changes

Copilot code review Copilot Awaiting requested review from Copilot

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@missymessa @hoyosjs