From 79cf56e3b623ca4f36ee113c9be76c4ec2eabb65 Mon Sep 17 00:00:00 2001
From: missymessa <mjanecke@microsoft.com>
Date: Tue, 5 May 2026 14:09:40 -0700
Subject: [PATCH] Replace PAT with WIF service connection for VS insertion

Migrate from dn-bot-devdiv-build-rw-code-rw-release-rw PAT to the
dnceng-fsharp-vs-insertion-wif Entra WIF service connection for
authenticating to DevDiv when creating VS insertion PRs.

- Remove DotNet-VSTS-Infra-Access variable group reference
- Add AzureCLI@2 step to acquire bearer token via WIF SC
- Set InsertAccessToken as secret variable from WIF token

Resolves: https://dev.azure.com/dnceng/internal/_workitems/edit/10091
---
 eng/release/insert-into-vs.yml | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/eng/release/insert-into-vs.yml b/eng/release/insert-into-vs.yml
index 7ea2007c503..c93a855eb77 100644
--- a/eng/release/insert-into-vs.yml
+++ b/eng/release/insert-into-vs.yml
@@ -17,9 +17,6 @@ stages:
       name: NetCore1ESPool-Svc-Internal
       image: windows.vs2026preview.scout.amd64
     variables:
-    - group: DotNet-VSTS-Infra-Access
-    - name: InsertAccessToken
-      value: $(dn-bot-devdiv-build-rw-code-rw-release-rw)
     - name: InsertBuildPolicy
       value: ${{ parameters.insertBuildPolicy }}
     - name: InsertTargetBranch
@@ -70,6 +67,16 @@ stages:
           $autoCompleteStr = if ($autoComplete) { 'true' } else { 'false' }
           Write-Host "Setting InsertAutoComplete to '$autoCompleteStr'"
           Write-Host "##vso[task.setvariable variable=InsertAutoComplete]$autoCompleteStr"
+    - task: AzureCLI@2
+      displayName: 'Get DevDiv Access Token (WIF)'
+      inputs:
+        azureSubscription: 'dnceng-fsharp-vs-insertion-wif'
+        scriptType: 'pscore'
+        scriptLocation: 'inlineScript'
+        inlineScript: |
+          $token = az account get-access-token --resource "499b84ac-1321-427f-aa17-267ca6975798" --query accessToken -o tsv
+          Write-Host "##vso[task.setvariable variable=InsertAccessToken;issecret=true]$token"
+      condition: and(succeeded(), or(eq(variables['Build.SourceBranch'], '${{ parameters.componentBranchName }}'), eq(variables['Build.SourceBranch'], 'refs/heads/${{ parameters.componentBranchName }}')))
     - task: ms-vseng.MicroBuildShipTasks.55100717-a81d-45ea-a363-b8fe3ec375ad.MicroBuildInsertVsPayload@5
       displayName: 'Insert VS Payload'
       inputs: