
Replace PAT with WIF service connection for VS insertion (v2)#19703

Merged
T-Gro merged 1 commit into
dotnet:mainfrom
missymessa:dev/migrate-pat-to-wif-10091-v2
May 12, 2026

Conversation

@missymessa
Member

Summary

Re-apply the VS insertion pipeline migration from the dn-bot-devdiv-build-rw-code-rw-release-rw PAT to the dnceng-fsharp-vs-insertion-wif Entra Workload Identity Federation (WIF) service connection.

This is a v2 of #19683, which was reverted. This version adds a GCM credential-store fix.

Changes

  • Remove DotNet-VSTS-Infra-Access variable group reference (no longer needed)
  • Remove InsertAccessToken variable that pulled from the PAT secret
  • Add AzureCLI@2 step that authenticates via the WIF service connection and acquires a bearer token for Azure DevOps
  • Set InsertAccessToken as a secret pipeline variable from the WIF-acquired token
  • NEW: Disable Git Credential Manager before MicroBuildInsertVsPayload@5 to prevent 0x6f7 errors caused by Entra JWT tokens exceeding the Windows Credential Store size limit

Context

This is part of the dnceng PAT-to-Entra migration (WI 10091). The 1ES PAT disable policy requires all non-packaging PATs to be migrated to Entra-based credentials.

The replacement service connection dnceng-fsharp-vs-insertion-wif uses:

  • App Registration: dnceng-fsharp-vs-insertion-wif (appId: bf297404-7399-4e71-ac5f-f9be7bca6904)
  • WIF Service Connection in dnceng/internal (id: 84a9d9d1-ab12-4359-a544-0ac10c2934fd)
  • DevDiv enrollment: SP enrolled with Contribute, Contribute to PRs, Create tag, Manage notes, Read on the VS repo

What changed since v1 (#19683)

  1. DevDiv repo permissions fixed — the VSEng team confirmed permissions were set but they weren't actually applied; this has been corrected
  2. GCM credential store fix — added git config --global credential.helper "" step before the insertion task to prevent the fatal: Failed to write item to store. [0x6f7] error and ~8-minute clone delay caused by GCM trying to cache the oversized Entra JWT
  3. Update build information permission — granted to the SP at project level in dnceng/internal (bit 64, Build security namespace)

Validation

Post-merge: monitor the first insertion build to confirm AzureCLI@2 authenticates successfully, git operations complete without GCM delays, and MicroBuildInsertVsPayload@5 creates the VS insertion PR.

- Remove DotNet-VSTS-Infra-Access variable group reference
- Add AzureCLI@2 step to acquire bearer token via dnceng-fsharp-vs-insertion-wif SC
- Set InsertAccessToken as secret pipeline variable from WIF-acquired token
- Disable GCM credential store to prevent 0x6f7 errors with oversized Entra JWTs
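The two pipeline steps the description lists, written out as an added Azure Pipelines YAML example (it is not the PR's own diff). The service connection name and the credential.helper command come from the description; the resource ID 499b84ac-1321-427f-aa17-267ca6975798 is the well-known Azure DevOps application ID used when requesting a token for Azure DevOps; the step display names are assumptions.

```yaml
steps:
  # Added example, not the PR's YAML. Mint a short-lived Entra bearer token for
  # Azure DevOps through the WIF service connection; no PAT is stored anywhere.
  - task: AzureCLI@2
    displayName: Acquire Azure DevOps token via WIF   # display name is an assumption
    inputs:
      azureSubscription: dnceng-fsharp-vs-insertion-wif   # service connection named in the PR
      scriptType: pscore
      scriptLocation: inlineScript
      inlineScript: |
        # 499b84ac-1321-427f-aa17-267ca6975798 is the well-known Azure DevOps resource ID
        $token = az account get-access-token `
          --resource 499b84ac-1321-427f-aa17-267ca6975798 `
          --query accessToken -o tsv
        if ($LASTEXITCODE -ne 0 -or -not $token) {
          throw "WIF token acquisition failed; check the service connection and SP permissions"
        }
        # issecret=true masks the token in logs and keeps it out of plain variable dumps
        Write-Host "##vso[task.setvariable variable=InsertAccessToken;issecret=true]$token"

  # Turn off Git Credential Manager so git does not try to cache the oversized
  # Entra JWT in the Windows Credential Store (the 0x6f7 failure and clone delay
  # described in the PR). The token is passed to git per invocation instead.
  - pwsh: git config --global credential.helper ""
    displayName: Disable GCM credential store   # display name is an assumption

  # MicroBuildInsertVsPayload@5 runs next and consumes $(InsertAccessToken);
  # its inputs are unchanged by this migration and are omitted here.
```

Because the token is issued per run and expires on its own, there is no long-lived secret left in a variable group to rotate, leak or cover under the 1ES PAT disable policy.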
@github-actions
Contributor

github-actions Bot commented May 7, 2026

✅ No release notes required

