Remove symbol server PATs from release/8.0 publish.yml #16896
missymessa wants to merge 2 commits into
Replace microsoft-symbol-server-pat and symweb-symbol-server-pat with a bearer token acquired from the maestro-build-promotion service connection identity. symbol.exe accepts bearer tokens, so no C# code changes needed. This removes the dependency on the DotNet-Symbol-Server-Pats variable group for this branch, allowing the PATs to be decommissioned.
Pull request overview
This PR updates the v3 publishing pipeline to stop using stored PATs for symbol publishing (MSDL and SymWeb) and instead acquire an Entra access token via the maestro-build-promotion service connection, aligning this servicing branch with the PAT-to-Entra migration approach used elsewhere in Arcade.
Changes:
- Removed the DotNet-Symbol-Server-Pats variable group from the publishing job.
- Added an AzureCLI@2 step to acquire an Azure DevOps resource access token and expose it as an output variable.
- Updated symbol publishing MSBuild properties (MsdlToken, SymWebToken) to use the acquired bearer token.
| - task: AzureCLI@2 | ||
| displayName: Get Symbol Server Token | ||
| name: GetSymbolToken | ||
| inputs: | ||
| azureSubscription: maestro-build-promotion | ||
| scriptType: ps | ||
| scriptLocation: inlineScript | ||
| inlineScript: | | ||
| $token = (az account get-access-token --resource "499b84ac-1321-427f-aa17-267ca6975798" --query accessToken -o tsv) | ||
| echo "##vso[task.setvariable variable=SymbolServerToken;isOutput=true;isSecret=true]$token" |
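Review bot: the inlineScript passes $token to the task.setvariable line without checking that az account get-access-token returned a value. If the maestro-build-promotion identity cannot get a token, SymbolServerToken may be set to an empty secret and the problem only surfaces later, when symbol publishing rejects it. Consider failing the step right after the az call when $LASTEXITCODE is non-zero or $token is empty, with an error that names the service connection. The --resource value "499b84ac-1321-427f-aa17-267ca6975798" would also benefit from a short comment saying it is the Azure DevOps resource ID, so the GUID is not a magic value for the next reader.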

Unnecessary. This YAML isn't used.

@mmitche it's showing up in the sourcelink 8.0 build. I need to get rid of the PAT usage so I can delete the PATs entirely.

I don't think so. publish.yml is only ever used from arcade's main branch. We can effectively delete the whole file here. I can't find any references in sourcelink's 8.0.0 build. I do see one in 9.0.0, but it's not actually active. It only gets the unexpanded variable value as there is no reference to the variable group that populates the value.

@mmitche if I remove the PAT names from the variable group, you don't expect things to break?

Summary
Removes microsoft-symbol-server-pat and symweb-symbol-server-pat from the release/8.0 publish pipeline by replacing them with an Entra bearer token from the maestro-build-promotion service connection.

Approach
- maestro-build-promotion SC to acquire a bearer token for the AzDO resource scope (499b84ac-1321-427f-aa17-267ca6975798)
- /p:MsdlToken and /p:SymWebToken now reference the bearer token output variable instead of the PAT variables

Why this works
symbol.exe (used by PublishSymbolsHelper.PublishAsync) accepts both PATs and Entra bearer tokens via the AzureDevOpsToken env var. The maestro-build-promotion identity already successfully publishes symbols to MSDL and SymWeb on main.

Context
Part of the PAT-to-Entra migration for WI 10149 (symweb-symbol-server-pat) and WI 10148 (microsoft-symbol-server-pat). The main branch migration was completed in PR #16808 (merged May 12). For this servicing branch, the YAML-only approach avoids risky C# code changes.

Risk and Rollback
If maestro-build-promotion lacks permissions to a specific symbol server, symbol publishing will fail. Revert this PR to restore PAT usage.

Related: https://dev.azure.com/dnceng/internal/_workitems/edit/10149