Remove symbol server PATs from release/8.0 publish.yml #16896
Open
missymessa wants to merge 1 commit into
Replace microsoft-symbol-server-pat and symweb-symbol-server-pat with a bearer token acquired from the maestro-build-promotion service connection identity. symbol.exe accepts bearer tokens, so no C# code changes needed. This removes the dependency on the DotNet-Symbol-Server-Pats variable group for this branch, allowing the PATs to be decommissioned.
Contributor
Pull request overview
This PR updates the v3 publishing pipeline to stop using stored PATs for symbol publishing (MSDL and SymWeb) and instead acquire an Entra access token via the maestro-build-promotion service connection, aligning this servicing branch with the PAT-to-Entra migration approach used elsewhere in Arcade.
Changes:
- Removed the DotNet-Symbol-Server-Pats variable group from the publishing job.
- Added an AzureCLI@2 step to acquire an Azure DevOps resource access token and expose it as an output variable.
- Updated symbol publishing MSBuild properties (MsdlToken, SymWebToken) to use the acquired bearer token.
Comment on lines +161 to +170
| - task: AzureCLI@2 | ||
| displayName: Get Symbol Server Token | ||
| name: GetSymbolToken | ||
| inputs: | ||
| azureSubscription: maestro-build-promotion | ||
| scriptType: ps | ||
| scriptLocation: inlineScript | ||
| inlineScript: | | ||
| $token = (az account get-access-token --resource "499b84ac-1321-427f-aa17-267ca6975798" --query accessToken -o tsv) | ||
| echo "##vso[task.setvariable variable=SymbolServerToken;isOutput=true;isSecret=true]$token" |
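Review bot: the inline script at the end of this hunk writes $token to SymbolServerToken without checking that az account get-access-token returned anything, so an empty value can be set as the secret output variable and the failure would then surface in a later step rather than here. Check the az exit code and that $token is non-empty before the ##vso[task.setvariable ...] line, and fail this step with a clear message otherwise. The --resource GUID is also unexplained in the YAML; a one-line comment naming the resource it identifies would help the next reader.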
Member
Unnecessary. This YAML isn't used.
Summary
Removes microsoft-symbol-server-pat and symweb-symbol-server-pat from the release/8.0 publish pipeline by replacing them with an Entra bearer token from the maestro-build-promotion service connection.

Approach
- maestro-build-promotion SC to acquire a bearer token for the AzDO resource scope (499b84ac-1321-427f-aa17-267ca6975798)
- /p:MsdlToken and /p:SymWebToken now reference the bearer token output variable instead of the PAT variables

Why this works
symbol.exe (used by PublishSymbolsHelper.PublishAsync) accepts both PATs and Entra bearer tokens via the AzureDevOpsToken env var. The maestro-build-promotion identity already successfully publishes symbols to MSDL and SymWeb on main.

Context
Part of the PAT-to-Entra migration for WI 10149 (symweb-symbol-server-pat) and WI 10148 (microsoft-symbol-server-pat). The main branch migration was completed in PR #16808 (merged May 12). For this servicing branch, the YAML-only approach avoids risky C# code changes.

Risk and Rollback
If maestro-build-promotion lacks permissions to a specific symbol server, symbol publishing will fail. Revert this PR to restore PAT usage.

Related: https://dev.azure.com/dnceng/internal/_workitems/edit/10149