Closed
Description
The secret called BotAccount-dotnet-bot-repo-PAT is used in a few places, one of them being OneLoc builds.
Unfortunately, this secret also exists in two different Key Vaults:
maestroprod:
- Secret Manager manifest: https://github.com/dotnet/arcade-services/blob/c3307105b454462f895f6b69beb4b719491a26d7/.vault-config/maestroprod.yaml#L29
EngKeyVault:
- Secret Manager manifest: https://github.com/dotnet/dotnet/blob/2fdd6a8562511b6f9bfb892ba0ad950bbf3a042a/src/arcade/.vault-config/product-builds-engkeyvault.yaml#L32
Since this is a GitHub PAT, it has to be rotated manually by creating a new PAT within the GitHub bot account PATs and then copying it into the prompt when running Secret Manager locally. However, this means that it's possible for errors to occur if a PAT is rotated and updated in only one of the locations.
Let's determine a path forward for these two secrets.
Suggestions:
- Use only one of the PATs. We'd have to determine which will be the only secret to keep, and this will then require updating any existing references to the old secret (custom build YAML, variable groups, et cetera, will be impacted).
- Rename either or both secrets. This reduces confusion for the next dev manually handling this; however, we'd still have to update any existing references.
- Implement a naming convention for PATs created (in this case, what's created in GitHub) and keep both secrets as is.
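A drift check for the failure mode described in the issue (the PAT rotated in only one of the two vaults), added here as an example; it is not part of the original issue or of the dotnet tooling. It assumes an `az login` session with read access to both vaults, and `FETCH`, `fetch_secret`, `fingerprint` and `check_drift` are hypothetical names.

```shell
#!/usr/bin/env bash
# Added example: detect drift when one secret name lives in several
# Key Vaults and has to be rotated by hand in each of them.

# Read-only lookup of the current secret value (assumes `az login` and
# get permission on the vault). Set FETCH to another function to run the
# check without Azure access.
fetch_secret() {  # fetch_secret VAULT NAME
  az keyvault secret show --vault-name "$1" --name "$2" --query value -o tsv
}
FETCH="${FETCH:-fetch_secret}"

# Short SHA-256 fingerprint of stdin, so copies can be compared and logged
# without the PAT itself ever being printed.
fingerprint() {
  sha256sum | cut -c1-12
}

# check_drift NAME VAULT [VAULT...]
# Prints one status line. Returns 0 = in sync, 1 = drift, 2 = lookup failed.
check_drift() {
  local name="$1" vault value fp first="" report="" status=0
  shift
  for vault in "$@"; do
    if ! value="$("$FETCH" "$vault" "$name")" || [ -z "$value" ]; then
      echo "ERROR $name: cannot read from $vault"
      return 2
    fi
    fp="$(printf '%s' "$value" | fingerprint)"
    [ -n "$first" ] || first="$fp"        # first vault is the reference copy
    [ "$fp" = "$first" ] || status=1      # any other fingerprint is drift
    report="$report $vault=$fp"
  done
  if [ "$status" -eq 0 ]; then
    echo "IN_SYNC $name$report"
  else
    echo "DRIFT $name$report"
  fi
  return "$status"
}

# Usage, with the names from the issue:
#   check_drift BotAccount-dotnet-bot-repo-PAT maestroprod EngKeyVault
```

Running this right after a manual rotation, or on a schedule, turns a half-finished rotation into a non-zero exit code instead of a later build failure.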