Remove unused dn-dependabot-dnceng-package-rw-pat from secret manifest #16818

Open
missymessa wants to merge 1 commit into main from dev/mjanecke/remove-dependabot-pat

@missymessa
Member

Summary

Removes the dn-dependabot-dnceng-package-rw-pat entry from .vault-config/dnceng-partners-kv.yaml. This stops secret-manager from continuously rotating a PAT that has no consumer.

Evidence

| Check | Result |
| --- | --- |
| User last accessed AzDO | 2023-01-17 (3+ years ago) |
| Audit log (90 days) | 0 events for dn-dependabot |
| Code references | 0 consumers (only manifest + wiki docs) |
| Variable groups | DncEng-Partners-Tokens does NOT include this secret |
| GitHub Dependabot config | No registries section — no private feed auth |
| AzDO Dependabot | Explicitly disabled in arcade |
| NuGet feeds | All feeds are public (dnceng/public/_packaging/*) |

The current PAT version expires naturally on 2026-05-17 — no manual revocation needed.

Related

  • Work item: dnceng/internal#10153

The dn-dependabot user hasn't accessed AzDO since 2023-01-17.

No code, pipeline, or variable group references this PAT.

GitHub Dependabot has no private feed registries configured.

Secret-manager rotates this PAT every ~3 days but nothing reads it.

Related: dnceng/internal#10153