Replace PAT with WIF service connection for VS insertion #19683

Open
missymessa wants to merge 1 commit into dotnet:main from missymessa:dev/migrate-pat-to-wif-10091
@missymessa
Member

Summary

Migrate the VS insertion pipeline authentication from the dn-bot-devdiv-build-rw-code-rw-release-rw PAT to the dnceng-fsharp-vs-insertion-wif Entra Workload Identity Federation (WIF) service connection.

Changes

  • Remove DotNet-VSTS-Infra-Access variable group reference (no longer needed)
  • Remove InsertAccessToken variable that pulled from the PAT secret
  • Add AzureCLI@2 step that authenticates via the WIF service connection and acquires a bearer token for Azure DevOps
  • Set InsertAccessToken as a secret pipeline variable from the WIF-acquired token

Context

This is part of the dnceng PAT-to-Entra migration (WI 10091). The 1ES PAT disable policy requires all non-packaging PATs to be migrated to Entra-based credentials.

The replacement service connection dnceng-fsharp-vs-insertion-wif uses:

  • App Registration: dnceng-fsharp-vs-insertion-wif (appId: �f297404-7399-4e71-ac5f-f9be7bca6904)
  • WIF Service Connection in dnceng/internal (id: 84a9d9d1-ab12-4359-a544-0ac10c2934fd)
  • DevDiv enrollment: SP enrolled with Contribute, Contribute to PRs, Create tag, Manage notes, Read on the VS repo

Validation

  • Post-merge: monitor the first insertion build to confirm AzureCLI@2 authenticates successfully and MicroBuildInsertVsPayload@5 creates the VS insertion PR

Migrate from dn-bot-devdiv-build-rw-code-rw-release-rw PAT to the
dnceng-fsharp-vs-insertion-wif Entra WIF service connection for
authenticating to DevDiv when creating VS insertion PRs.

- Remove DotNet-VSTS-Infra-Access variable group reference
- Add AzureCLI@2 step to acquire bearer token via WIF SC
- Set InsertAccessToken as secret variable from WIF token

Resolves: https://dev.azure.com/dnceng/internal/_workitems/edit/10091

@github-actions
Contributor

github-actions Bot commented May 5, 2026

✅ No release notes required
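
The change described in the PR summary, sketched as a before/after pipeline fragment. This is an added example, not the PR's diff or the project's own pipeline code: the variable group, variable, task and service connection names come from the description above, while the step layout, the inline script and the way the old variable referenced the PAT secret are assumptions.

```yaml
# Added sketch, not taken from the PR. Names are from the PR description;
# everything else is assumed for illustration.

# Before: a long-lived PAT pulled from a shared variable group.
# (The $(...) reference to the PAT secret is an assumed form.)
# variables:
# - group: DotNet-VSTS-Infra-Access
# - name: InsertAccessToken
#   value: $(dn-bot-devdiv-build-rw-code-rw-release-rw)

# After: no stored secret. The job federates to Entra through the WIF
# service connection and requests a short-lived Azure DevOps token at run time.
steps:
- task: AzureCLI@2
  displayName: Acquire Azure DevOps token via WIF service connection
  inputs:
    azureSubscription: dnceng-fsharp-vs-insertion-wif
    scriptType: pscore
    scriptLocation: inlineScript
    inlineScript: |
      # 499b84ac-1321-427f-aa17-267ca6975798 is the well-known Azure DevOps
      # resource (application) ID to request the token for.
      $token = az account get-access-token `
        --resource 499b84ac-1321-427f-aa17-267ca6975798 `
        --query accessToken --output tsv

      # Fail the step here rather than letting the insertion task fail
      # later with an opaque authentication error.
      if ($LASTEXITCODE -ne 0 -or [string]::IsNullOrWhiteSpace($token)) {
        Write-Error "Failed to acquire an Azure DevOps access token"
        exit 1
      }

      # issecret=true masks the value in logs. The variable is job-scoped,
      # so the insertion task must run later in this same job.
      Write-Host "##vso[task.setvariable variable=InsertAccessToken;issecret=true]$token"

# Later steps in the job (for example the MicroBuildInsertVsPayload@5 task
# named in the PR) read the token as $(InsertAccessToken).
```

Secret variables set this way are not exposed to script steps as environment variables automatically; a script that needs the token has to map it in explicitly through `env:`.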