Use Entra credential for symbol upload, removing dnceng-symbol-server-pat

eng/common/core-templates/steps/publish-logs.yml

@@ -35,7 +35,6 @@ steps:
       '$(akams-client-id)'
       '$(microsoft-symbol-server-pat)'
       '$(symweb-symbol-server-pat)'
-      '$(dnceng-symbol-server-pat)'
       '$(dn-bot-all-orgs-build-rw-code-rw)'
       '$(System.AccessToken)'
       ${{parameters.CustomSensitiveDataList}}

eng/publishing/v3/publish.yml

@@ -12,7 +12,6 @@ stages:
     displayName: Publish Assets and Symbols
     timeoutInMinutes: 120
     variables:
-    - group: DotNet-Symbol-Server-Pats
     - group: AzureDevOps-Artifact-Feeds-Pats
     - group: Publish-Build-Assets
 
@@ -157,7 +156,6 @@ stages:
           /p:PDBArtifactsBasePath='$(Build.ArtifactStagingDirectory)/PDBArtifacts/'
           /p:SymbolPublishingExclusionsFile='$(Build.ArtifactStagingDirectory)/ReleaseConfigs/SymbolPublishingExclusionsFile.txt'
           /p:TempSymbolsAzureDevOpsOrg='dnceng'
-          /p:TempSymbolsAzureDevOpsOrgToken='$(dnceng-symbol-server-pat)'
           /p:SymbolRequestProject='dotnet'
           ${{ parameters.symbolPublishingAdditionalParameters}}
           /p:BuildQuality='${{ parameters.buildQuality }}'

src/Microsoft.DotNet.Build.Tasks.Feed.Tests/PublishToSymbolServerTest.cs

@@ -186,7 +186,63 @@ await task.HandleSymbolPublishingAsync(
             Assert.Contains("to last 3650 days", registerLog.Message);
         }
 
-        private static (MockBuildEngine, PublishArtifactsInManifestV3, ReadOnlyDictionary<string, Asset>, string, string, ProductConstructionService.Client.Models.Build) GetCanonicalSymbolTestAssets(SymbolPublishVisibility targetServer = SymbolPublishVisibility.Public)
+        [Fact]
+        public async Task PublishSymbolsWithPatDoesNotLogDefaultIdentityFallback()
+        {
+            (var buildEngine, var task, var symbolPackages, var symbolFilesDir, var exclusionFile, var buildInfo) =
+                GetCanonicalSymbolTestAssets();
+
+            try
+            {
+                await task.HandleSymbolPublishingAsync(
+                    buildInfo: buildInfo,
+                    symbolPackages,
+                    pdbArtifactsBasePath: symbolFilesDir,
+                    symbolPublishingExclusionsFile: exclusionFile,
+                    publishSpecialClrFiles: false,
+                    clientThrottle: null,
+                    dryRun: true,
+                    Internal.SymbolHelper.SymbolPromotionHelper.Environment.PPE);
+            }
+            catch (InvalidOperationException ex) when (ex.Message.Contains("Windows x64 hosting"))
+            {
+            }
+
+            Assert.DoesNotContain(buildEngine.BuildMessageEvents, x => x.Message.Contains("Using DefaultIdentityTokenCredential for temporary symbol publishing"));
+        }
+
+        [Fact]
+        public async Task PublishSymbolsWithoutPatLogsDefaultIdentityFallback()
+        {
+            (var buildEngine, var task, var symbolPackages, var symbolFilesDir, var exclusionFile, var buildInfo) =
+                GetCanonicalSymbolTestAssets(
+                    SymbolPublishVisibility.Public,
+                    tempSymbolsAzureDevOpsOrgToken: null,
+                    managedIdentityClientId: "11111111-1111-1111-1111-111111111111");
+
+            try
+            {
+                await task.HandleSymbolPublishingAsync(
+                    buildInfo: buildInfo,
+                    symbolPackages,
+                    pdbArtifactsBasePath: symbolFilesDir,
+                    symbolPublishingExclusionsFile: exclusionFile,
+                    publishSpecialClrFiles: false,
+                    clientThrottle: null,
+                    dryRun: true,
+                    Internal.SymbolHelper.SymbolPromotionHelper.Environment.PPE);
+            }
+            catch (InvalidOperationException ex) when (ex.Message.Contains("Windows x64 hosting"))
+            {
+            }
+
+            Assert.Contains(buildEngine.BuildMessageEvents, x => x.Message.Contains("Using DefaultIdentityTokenCredential for temporary symbol publishing"));
+        }
+
+        private static (MockBuildEngine, PublishArtifactsInManifestV3, ReadOnlyDictionary<string, Asset>, string, string, ProductConstructionService.Client.Models.Build) GetCanonicalSymbolTestAssets(
+            SymbolPublishVisibility targetServer = SymbolPublishVisibility.Public,
+            string tempSymbolsAzureDevOpsOrgToken = "token",
+            string managedIdentityClientId = null)
         {
             const string symbolPackageName= "test-package-a.1.0.0.symbols.nupkg";
 
@@ -221,8 +277,9 @@ private static (MockBuildEngine, PublishArtifactsInManifestV3, ReadOnlyDictionar
                 BuildEngine = buildEngine,
                 ArtifactsBasePath = "testPath",
                 BlobAssetsBasePath = symbolFilesDir,
+                ManagedIdentityClientId = managedIdentityClientId,
                 TempSymbolsAzureDevOpsOrg = "dncengtest",
-                TempSymbolsAzureDevOpsOrgToken = "token",
+                TempSymbolsAzureDevOpsOrgToken = tempSymbolsAzureDevOpsOrgToken,
                 SymbolRequestProject = "dotnettest"
             };
             task.FeedConfigs.Add(TargetFeedContentType.Symbols, feedConfigsForSymbols);

src/Microsoft.DotNet.Build.Tasks.Feed/src/PublishArtifactsInManifestBase.cs

@@ -22,6 +22,7 @@
 using Microsoft.Arcade.Common;
 using Microsoft.Build.Framework;
 using Microsoft.DotNet.Build.Tasks.Feed.Model;
+using Azure.Core;
 using Azure.Identity;
 using Microsoft.DotNet.ProductConstructionService.Client;
 using Microsoft.DotNet.ProductConstructionService.Client.Models;
@@ -718,12 +719,12 @@ public async Task HandleSymbolPublishingAsync(
             Task<SymbolUploadHelper> CreatePublishSymbolHelper(string symbolPublishingExclusionsFile, bool publishSpecialClrFiles, bool dryRun)
             {
                 FrozenSet<string> exclusions = LoadExclusions(symbolPublishingExclusionsFile);
-                PATCredential creds = new(TempSymbolsAzureDevOpsOrgToken);
                 TaskTracer tracer = new(Log, verbose: true);
+                TokenCredential symbolUploadCredential = GetTemporarySymbolCredential();
 
                 SymbolPublisherOptions options = new(
                     TempSymbolsAzureDevOpsOrg,
-                    creds,
+                    symbolUploadCredential,
                     packageFileExcludeList: exclusions,
                     convertPortablePdbs: false,
                     treatPdbConversionIssuesAsInfo: false,
@@ -773,6 +774,21 @@ FrozenSet<string> LoadExclusions(string symbolPublishingExclusionsFile)
             }
         }
 
+        private TokenCredential GetTemporarySymbolCredential()
+        {
+            if (string.IsNullOrEmpty(TempSymbolsAzureDevOpsOrgToken))
+            {
+                Log.LogMessage(MessageImportance.High, "Using DefaultIdentityTokenCredential for temporary symbol publishing because no TempSymbolsAzureDevOpsOrgToken was provided.");
+                return new DefaultIdentityTokenCredential(
+                    new DefaultIdentityTokenCredentialOptions
+                    {
+                        ManagedIdentityClientId = ManagedIdentityClientId
+                    });
+            }
+
+            return new PATCredential(TempSymbolsAzureDevOpsOrgToken);
+        }
+
         /// <summary>
         /// Prep loose PDBs for publishing by downloading (V4 streaming only), and copying to a temporary directory.
         /// </summary>