From 0f22a370c0ed681276f9ebf60e6ddcd36036a0db Mon Sep 17 00:00:00 2001 From: Missy Messa Date: Tue, 7 Apr 2026 08:26:54 -0700 Subject: [PATCH] Use Entra credential for symbol upload, removing dnceng-symbol-server-pat dependency When TempSymbolsAzureDevOpsOrgToken is not provided, use DefaultIdentityTokenCredential (the same credential already used for symbol promotion) instead of PATCredential for symbol uploads. This enables the pipeline to use the AzureCLI@2 task's federated identity (maestro-build-promotion) for symbol management, eliminating the need for the dnceng-symbol-server-pat PAT. - PublishArtifactsInManifestBase.cs: Fall back to DefaultIdentityTokenCredential when TempSymbolsAzureDevOpsOrgToken is empty/null; retain PATCredential for backward compat - publish.yml: Remove DotNet-Symbol-Server-Pats variable group and TempSymbolsAzureDevOpsOrgToken - publish-logs.yml: Remove dnceng-symbol-server-pat from redaction list Fixes: AB#10150 --- eng/common/core-templates/steps/publish-logs.yml | 1 - eng/publishing/v3/publish.yml | 2 -- .../src/PublishArtifactsInManifestBase.cs | 11 ++++++++++- 3 files changed, 10 insertions(+), 4 deletions(-) diff --git a/eng/common/core-templates/steps/publish-logs.yml b/eng/common/core-templates/steps/publish-logs.yml index a9ea99ba6aa..357a4cf57d5 100644 --- a/eng/common/core-templates/steps/publish-logs.yml +++ b/eng/common/core-templates/steps/publish-logs.yml @@ -35,7 +35,6 @@ steps: '$(akams-client-id)' '$(microsoft-symbol-server-pat)' '$(symweb-symbol-server-pat)' - '$(dnceng-symbol-server-pat)' '$(dn-bot-all-orgs-build-rw-code-rw)' '$(System.AccessToken)' ${{parameters.CustomSensitiveDataList}} diff --git a/eng/publishing/v3/publish.yml b/eng/publishing/v3/publish.yml index 383ac1b8e5d..bad62654e07 100644 --- a/eng/publishing/v3/publish.yml +++ b/eng/publishing/v3/publish.yml 
@@ -12,7 +12,6 @@ stages: displayName: Publish Assets and Symbols timeoutInMinutes: 120 variables: - - group: DotNet-Symbol-Server-Pats - group: AzureDevOps-Artifact-Feeds-Pats - group: Publish-Build-Assets @@ -157,7 +156,6 @@ stages: /p:PDBArtifactsBasePath='$(Build.ArtifactStagingDirectory)/PDBArtifacts/' /p:SymbolPublishingExclusionsFile='$(Build.ArtifactStagingDirectory)/ReleaseConfigs/SymbolPublishingExclusionsFile.txt' /p:TempSymbolsAzureDevOpsOrg='dnceng' - /p:TempSymbolsAzureDevOpsOrgToken='$(dnceng-symbol-server-pat)' /p:SymbolRequestProject='dotnet' ${{ parameters.symbolPublishingAdditionalParameters}} /p:BuildQuality='${{ parameters.buildQuality }}' diff --git a/src/Microsoft.DotNet.Build.Tasks.Feed/src/PublishArtifactsInManifestBase.cs b/src/Microsoft.DotNet.Build.Tasks.Feed/src/PublishArtifactsInManifestBase.cs index 90f94d2cee9..dd418c315a0 100644 --- a/src/Microsoft.DotNet.Build.Tasks.Feed/src/PublishArtifactsInManifestBase.cs +++ b/src/Microsoft.DotNet.Build.Tasks.Feed/src/PublishArtifactsInManifestBase.cs @@ -22,6 +22,7 @@ using Microsoft.Arcade.Common; using Microsoft.Build.Framework; using Microsoft.DotNet.Build.Tasks.Feed.Model; +using Azure.Core; using Azure.Identity; using Microsoft.DotNet.ProductConstructionService.Client; using Microsoft.DotNet.ProductConstructionService.Client.Models; 
@@ -718,7 +719,15 @@ public async Task HandleSymbolPublishingAsync( Task CreatePublishSymbolHelper(string symbolPublishingExclusionsFile, bool publishSpecialClrFiles, bool dryRun) { FrozenSet exclusions = LoadExclusions(symbolPublishingExclusionsFile); - PATCredential creds = new(TempSymbolsAzureDevOpsOrgToken); + + TokenCredential creds = string.IsNullOrEmpty(TempSymbolsAzureDevOpsOrgToken) + ? new DefaultIdentityTokenCredential( + new DefaultIdentityTokenCredentialOptions + { + ManagedIdentityClientId = ManagedIdentityClientId + }) + : new PATCredential(TempSymbolsAzureDevOpsOrgToken); + TaskTracer tracer = new(Log, verbose: true); SymbolPublisherOptions options = new(
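Review bot: The credential choice in `CreatePublishSymbolHelper` hinges on `string.IsNullOrEmpty(TempSymbolsAzureDevOpsOrgToken)`, so a whitespace-only value, or a literal unexpanded `$(dnceng-symbol-server-pat)` from a caller that still passes the property after losing the variable group (no such caller is visible here, but Azure Pipelines leaves undefined macros as-is), silently selects the PAT path and only fails at upload time; `string.IsNullOrWhiteSpace(TempSymbolsAzureDevOpsOrgToken)` covers the first case. Nothing records which identity performed the upload, so I would add a line after the assignment that logs the credential type and never the token, e.g. `Log.LogMessage(MessageImportance.High, "Symbol upload credential: {0}", creds.GetType().Name);` (assuming `Log` is the MSBuild task logger that is passed to `TaskTracer` just below). The PAT branch is kept for backward compatibility, yet the same commit drops `'$(dnceng-symbol-server-pat)'` from the redaction list in publish-logs.yml, so a consumer that still supplies that PAT would no longer have it scrubbed from published logs; keeping the redaction entry until the PAT branch is deleted would be the safer order. The method body continues past the end of this hunk.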