Remove symbol server PATs from release/9.0 publish.yml #16895
Closed
missymessa wants to merge 2 commits into
Replace microsoft-symbol-server-pat and symweb-symbol-server-pat with a bearer token acquired from the maestro-build-promotion service connection identity. symbol.exe accepts bearer tokens, so no C# code changes needed. This removes the dependency on the DotNet-Symbol-Server-Pats variable group for this branch, allowing the PATs to be decommissioned.
Contributor
Pull request overview
Updates the release/9.0 v3 publishing pipeline to stop using symbol server PATs and instead acquire an Entra (AAD) bearer token from the maestro-build-promotion service connection for publishing to MSDL and SymWeb.
Changes:
- Removed the DotNet-Symbol-Server-Pats variable group from the publish stage.
- Added an AzureCLI step to acquire an Azure DevOps resource access token (499b84ac-1321-427f-aa17-267ca6975798) and store it as a secret output variable.
- Switched /p:MsdlToken and /p:SymWebToken to use the acquired bearer token.
Comment on lines 124 to +127
| /p:SymbolPublishingExclusionsFile='$(Build.ArtifactStagingDirectory)/ReleaseConfigs/SymbolPublishingExclusionsFile.txt' | ||
| ${{ parameters.symbolPublishingAdditionalParameters}} | ||
| /p:MsdlToken=$(microsoft-symbol-server-pat) | ||
| /p:SymWebToken=$(symweb-symbol-server-pat) | ||
| /p:MsdlToken=$(GetSymbolToken.SymbolServerToken) | ||
| /p:SymWebToken=$(GetSymbolToken.SymbolServerToken) |
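Review bot: $(GetSymbolToken.SymbolServerToken) on the two new /p:MsdlToken and /p:SymWebToken lines only resolves if the token step is named GetSymbolToken and runs earlier in the same job, and neither is visible in this hunk. Azure Pipelines leaves an undefined $(...) macro in place as literal text, so a name mismatch would pass that literal string to symbol publishing and surface as an authentication failure rather than a pipeline error. Suggest a guard before this step that fails when the value is empty or still begins with $(. Both servers now also depend on the same bearer token, so the PR description should say what happens if it expires partway through a long publish.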
Comment on lines +93 to +95
| inlineScript: | | ||
| $token = (az account get-access-token --resource "499b84ac-1321-427f-aa17-267ca6975798" --query accessToken -o tsv) | ||
| echo "##vso[task.setvariable variable=SymbolServerToken;isOutput=true;isSecret=true]$token" |
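Review bot: the inline script at +93 to +95 never checks that az account get-access-token succeeded, so a failed or empty result is still written to SymbolServerToken and the error only appears later, inside symbol publishing. Suggest failing the step at the source, for example by testing $LASTEXITCODE and that $token is non-empty before the ##vso[task.setvariable ...] line. isSecret=true keeps the value masked in logs; the echo should stay the only place the token is written out.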
Member
Unnecessary. This YAML isn't used.
Member
Author
@mmitche it's showing up as being used in the dotnet-scenario-tests 9.0 build, so I need to remove the usage of the PATs so I can delete them entirely.
Member
I think for 9.0, the real reference is coming from the eng/common/core-templates/steps/publish-logs.yml reference. It's not active, but would show up in the YAML.
Summary
Removes microsoft-symbol-server-pat and symweb-symbol-server-pat from the release/9.0 publish pipeline by replacing them with an Entra bearer token from the maestro-build-promotion service connection.

Approach
- maestro-build-promotion SC to acquire a bearer token for the AzDO resource scope (499b84ac-1321-427f-aa17-267ca6975798)
- /p:MsdlToken and /p:SymWebToken now reference the bearer token output variable instead of the PAT variables

Why this works
symbol.exe (used by PublishSymbolsHelper.PublishAsync) accepts both PATs and Entra bearer tokens via the AzureDevOpsToken env var. The maestro-build-promotion identity already successfully publishes symbols to MSDL and SymWeb on main.

Context
Part of the PAT-to-Entra migration for WI 10149 (symweb-symbol-server-pat) and WI 10148 (microsoft-symbol-server-pat). The main branch migration was completed in PR #16808 (merged May 12). For this servicing branch, the YAML-only approach avoids risky C# code changes.

Risk and Rollback
If maestro-build-promotion lacks permissions to a specific symbol server, symbol publishing will fail. Revert this PR to restore PAT usage.

Related: https://dev.azure.com/dnceng/internal/_workitems/edit/10149
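
A pre-flight check a pipeline could run on the acquired value before it reaches /p:MsdlToken and /p:SymWebToken, as an added example that is not code from this PR or from the repository. The function names, the 10-minute lifetime margin and the assumption that the token's aud claim contains the requested resource ID are assumptions of this example; the sample tokens are constructed and unsigned.

```python
import base64
import json
import time

# Resource ID the PR requests the token for (taken from the page).
AZDO_RESOURCE = "499b84ac-1321-427f-aa17-267ca6975798"

def _b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into JSON."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def preflight(token, now=None, min_lifetime=600):
    """Return a list of problems; an empty list means the value looks usable.

    Claims are read WITHOUT verifying the signature: this is a sanity check
    on the pipeline's own variable, not an authentication decision.
    """
    now = time.time() if now is None else now
    if not token or not token.strip():
        return ["empty token: the acquisition step probably failed"]
    if "$(" in token:
        return ["unresolved pipeline macro passed as the token"]
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a JWT: a PAT or other opaque value is still in use"]
    try:
        claims = _b64url_json(parts[1])
    except ValueError:  # covers base64, UTF-8 and JSON decoding errors
        return ["JWT payload is not valid base64url JSON"]
    if not isinstance(claims, dict):
        return ["JWT payload is not a JSON object"]
    problems = []
    aud = str(claims.get("aud", ""))
    # Assumption: aud carries the requested resource ID, possibly in URI form.
    if AZDO_RESOURCE not in aud:
        problems.append(f"unexpected audience: {aud!r}")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp - now < min_lifetime:
        problems.append("token expires before publishing is likely to finish")
    return problems

def make_sample(aud, exp):
    """Build an unsigned, constructed JWT-shaped string for the demo."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'aud': aud, 'exp': exp})}.sig"
```
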