Backport Entra credential fallback for dn-bot-all-orgs-build-rw-code-rw (WI 10724) #16832
Open
missymessa wants to merge 1 commit into
…rw (WI 10724)

Backports the Entra-based authentication fallback from main (PR dotnet#16806) to release/9.0, allowing the V3 publishing pipeline to authenticate without the expired dn-bot-all-orgs-build-rw-code-rw PAT.

Changes:
- Add Microsoft.DotNet.ArcadeAzureIntegration project (from main)
- Add Entra fallback to CreateAzdoClient in PublishArtifactsInManifestBase
- Remove /p:AzdoApiToken from publish.yml (addSpnToEnvironment already set)
- Remove PAT from publish-logs.yml redaction list
- Delete PAT entry from product-builds-engkeyvault.yaml

AB#10724
Pull request overview
Backport of PR #16806 (Entra credential fallback) plus the Phase-2 YAML/secret manifest cleanup to release/9.0. The combined change allows PublishArtifactsInManifestBase.CreateAzdoClient to authenticate via Entra (AzurePipelinesCredential / Managed Identity / Workload Identity / Azure CLI) when AzdoApiToken is not supplied, and removes the now-expired dn-bot-all-orgs-build-rw-code-rw PAT from the V3 publish pipeline and secret manifest.
Changes:
- Add new Microsoft.DotNet.ArcadeAzureIntegration project (DefaultIdentityTokenCredential, AzureCliCredentialWithAzNoUpdateWrapper, TokenCredentialShortCache) and reference it from Microsoft.DotNet.Build.Tasks.Feed.
- Update CreateAzdoClient to fall back to bearer-token auth, add HasEntraCredentialsAvailable and relax AnyMissingRequiredBaseProperties accordingly.
- Drop AzdoApiToken usage from publish.yml, remove the PAT from the publish-logs.yml redaction list, and delete it from product-builds-engkeyvault.yaml.
Reviewed changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| src/Microsoft.DotNet.ArcadeAzureIntegration/Microsoft.DotNet.ArcadeAzureIntegration.csproj | New project targeting $(NetMinimum) with conditional Azure.Identity reference. |
| src/Microsoft.DotNet.ArcadeAzureIntegration/DefaultIdentityTokenCredential.cs | Implements chained Entra credential with AzurePipelines/Workload/MI/AzureCLI options. |
| src/Microsoft.DotNet.ArcadeAzureIntegration/DefaultIdentityTokenCredentialOptions.cs | Options POCO for the new credential. |
| src/Microsoft.DotNet.ArcadeAzureIntegration/AzureCliCredentialWithAzNoUpdateWrapper.cs | Wrapper that disables az auto-update before first use. |
| src/Microsoft.DotNet.ArcadeAzureIntegration/TokenCredentialShortCache.cs | Short-lived in-process token cache wrapper. |
| src/Microsoft.DotNet.Build.Tasks.Feed/Microsoft.DotNet.Build.Tasks.Feed.csproj | Adds ProjectReference (excluded from source-only build). |
| src/Microsoft.DotNet.Build.Tasks.Feed/src/PublishArtifactsInManifestBase.cs | Adds Entra fallback in CreateAzdoClient, new HasEntraCredentialsAvailable, relaxed validation. |
| eng/publishing/v3/publish.yml | Removes /p:AzdoApiToken=... argument. |
| eng/common/core-templates/steps/publish-logs.yml | Removes PAT from binlog redaction list. |
| .vault-config/product-builds-engkeyvault.yaml | Deletes the expired PAT secret entry. |
| </PropertyGroup> | ||
|
|
||
| <ItemGroup> | ||
| <PackageReference Include="Azure.Identity" Condition="'$(DotNetBuildSourceOnly)' != 'true'" /> |
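Review bot: The `Condition="'$(DotNetBuildSourceOnly)' != 'true'"` on the `Azure.Identity` PackageReference removes the package in source-only builds, but nothing visible in this hunk conditions the code that consumes it. Please confirm the project is never compiled in source-only builds (the file summary says the Feed project's ProjectReference is excluded there), or condition the compile items the same way, and add a short XML comment next to the reference stating why it is conditional.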
Summary
Backports the Entra-based authentication fallback from main (PR #16806) to release/9.0.
The V3 publishing pipeline was failing because dn-bot-all-orgs-build-rw-code-rw expired on 2026-05-14. This change adds the Entra credential fallback so the publish task uses AzurePipelinesCredential from the existing maestro-build-promotion service connection (with addSpnToEnvironment: true already set on this branch).
Changes
- Microsoft.DotNet.ArcadeAzureIntegration project (from main)
- CreateAzdoClient in PublishArtifactsInManifestBase
- /p:AzdoApiToken from publish.yml
- publish-logs.yml redaction list
- product-builds-engkeyvault.yaml
Work Item: https://dev.azure.com/dnceng/internal/_workitems/edit/10724
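
The PAT-or-Entra selection that the summary and review overview describe, as an added example (not code from this PR or from Arcade). `PipelineIdentity`, `AzdoAuth` and `Select` are hypothetical names; the example assumes the Azure.Identity package and uses the well-known Entra application ID of Azure DevOps as the token scope.

```csharp
#nullable enable
// Added illustration, not Arcade's CreateAzdoClient. Type and member names are hypothetical.
using System;
using System.Collections.Generic;
using System.Net.Http.Headers;
using System.Text;
using System.Threading;
using Azure.Core;
using Azure.Identity;

// Values a pipeline step would pass in from its service connection (assumed shape).
public sealed record PipelineIdentity(
    string TenantId, string ClientId, string ServiceConnectionId, string SystemAccessToken);

public static class AzdoAuth
{
    // Entra application ID of the Azure DevOps resource; ".default" requests its configured permissions.
    private const string AzdoScope = "499b84ac-1321-427f-aa17-267ca6975798/.default";

    // A supplied PAT wins so existing callers keep working; otherwise fall back to Entra.
    public static AuthenticationHeaderValue Select(string? pat, PipelineIdentity? pipeline)
    {
        if (!string.IsNullOrWhiteSpace(pat))
        {
            // Azure DevOps accepts a PAT as HTTP Basic with an empty user name.
            string basic = Convert.ToBase64String(Encoding.ASCII.GetBytes(":" + pat));
            return new AuthenticationHeaderValue("Basic", basic);
        }

        AccessToken token = BuildChain(pipeline).GetToken(
            new TokenRequestContext(new[] { AzdoScope }), CancellationToken.None);
        // Entra tokens are short-lived: long-running callers must re-acquire before token.ExpiresOn.
        return new AuthenticationHeaderValue("Bearer", token.Token);
    }

    // The chain moves to the next source only when one reports itself unavailable.
    // Workload Identity, also named in the overview, is left out to keep the example short.
    private static TokenCredential BuildChain(PipelineIdentity? p)
    {
        var sources = new List<TokenCredential>();
        if (p is not null)
        {
            sources.Add(new AzurePipelinesCredential(
                p.TenantId, p.ClientId, p.ServiceConnectionId, p.SystemAccessToken));
        }
        sources.Add(new ManagedIdentityCredential());
        sources.Add(new AzureCliCredential());
        return new ChainedTokenCredential(sources.ToArray());
    }
}
```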