Remove dn-bot-all-orgs-build-rw-code-rw PAT from publishing (Phase 2)#16892
Conversation
Phase 1 (PR #16806) added Entra credential fallback to CreateAzdoClient() so it uses DefaultIdentityTokenCredential when no PAT is provided. That change has shipped via Arcade SDK >= 11.0.0-beta.26262.x and flowed to consumers (e.g. aspnetcore at 26272.101). This Phase 2 commit completes the migration by: - Removing /p:AzdoApiToken from publish.yml (no longer needed) - Removing the PAT from binlog redaction in publish-logs.yml - Deleting the PAT entry from the secret manifest The maestro-build-promotion WIF service connection provides the Entra identity (maestro-build-promotion-mi) that the code now uses for AzDO API authentication during build artifact publishing. Closes: https://dev.azure.com/dnceng/internal/_workitems/edit/10141
There was a problem hiding this comment.
Pull request overview
Completes Phase 2 of the PAT-to-Entra migration for the publishing pipeline by removing the remaining references to the dn-bot-all-orgs-build-rw-code-rw PAT, relying on the Phase 1 SDK Entra fallback for AzDO auth.
Changes:
- Remove the
/p:AzdoApiToken='$(dn-bot-all-orgs-build-rw-code-rw)'MSBuild property from the V3 publishing pipeline. - Remove the PAT from the binlog redaction token list (since it should no longer appear in builds).
- Delete the PAT secret entry from the EngKeyVault secret manifest.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| eng/publishing/v3/publish.yml | Stops passing the AzDO PAT into PublishArtifactsInManifest, enabling Entra-based auth path. |
| eng/common/core-templates/steps/publish-logs.yml | Removes the PAT from the explicit binlog secret redaction list. |
| .vault-config/product-builds-engkeyvault.yaml | Removes the PAT from the vault secret manifest to complete decommissioning. |
| -runtimeSourceFeed https://ci.dot.net/internal | ||
| -runtimeSourceFeedKey '$(dotnetbuilds-internal-container-read-token-base64)' | ||
| '$(publishing-dnceng-devdiv-code-r-build-re)' | ||
| '$(dn-bot-all-orgs-artifact-feeds-rw)' | ||
| '$(akams-client-id)' | ||
| '$(dnceng-symbol-server-pat)' | ||
| '$(dn-bot-all-orgs-build-rw-code-rw)' | ||
| '$(System.AccessToken)' |
There was a problem hiding this comment.
Thanks for the observation. The broader redaction list cleanup (reconciling with current publish.yml variables) is a valid improvement but out of scope for this PR, which is specifically removing the decommissioned PAT. The remaining entries still correspond to secrets that could appear in binlogs from other paths. I'll track a follow-up for a full redaction list audit.
|
@copilot resolve the merge conflicts in this pull request |
Merge conflicts are resolved in |
|
@copilot resolve the merge conflicts in this pull request |
|
@copilot resolve the merge conflicts in this pull request |
Conflicts are already resolved in |
Conflicts are already resolved in |
mmitche
left a comment
mmitche
left a comment
There was a problem hiding this comment.
I would validate that the new code path is being used in both the devdiv and dnceng promotion pipelines. If that's the case, then this is good to merge.
|
@copilot resolve the merge conflicts in this pull request |
Merge conflicts are already resolved in |
|
@copilot resolve the merge conflicts in this pull request |
Merge conflicts are already resolved in |
Summary
Completes the PAT-to-Entra migration for \dn-bot-all-orgs-build-rw-code-rw\ (Phase 2 of 2).
Phase 1 (#16806, merged 2026-05-12) added a backward-compatible Entra credential fallback to \CreateAzdoClient()\ — when \AzdoApiToken\ is empty/missing, the code falls through to \DefaultIdentityTokenCredential\ (bearer auth via the pipeline's WIF service connection identity).
Phase 1 SDK has shipped and flowed to consumers (e.g. aspnetcore at \11.0.0-beta.26272.101).
Changes (Phase 2)
Identity
The \maestro-build-promotion\ WIF service connection (\maestro-build-promotion-mi, AppId: \6e870007-e236-4eb1-8734-8bf8cd54c748) provides Entra auth. Already enrolled in dnceng/internal with Readers access.
Post-merge steps
Risk & Rollback
If the Entra fallback fails in production, revert this PR to restore PAT usage. The Phase 1 C# code is backward-compatible — re-adding the PAT line will make it use PAT auth again.
Resolves: https://dev.azure.com/dnceng/internal/_workitems/edit/10141