Skip to content

Use Entra credential for symbol upload, removing dnceng-symbol-server-pat#16688

Merged
premun merged 15 commits into
mainfrom
missymessa-10150
May 12, 2026
Merged

Use Entra credential for symbol upload, removing dnceng-symbol-server-pat#16688
premun merged 15 commits into
mainfrom
missymessa-10150

Conversation

@missymessa
Copy link
Copy Markdown
Member

@missymessa missymessa commented Apr 7, 2026

Summary

Migrates the symbol upload step in the Arcade publishing pipeline from PAT-based authentication (dnceng-symbol-server-pat) to Entra-based authentication via DefaultIdentityTokenCredential.

Changes

PublishArtifactsInManifestBase.cs

  • In CreatePublishSymbolHelper(), when TempSymbolsAzureDevOpsOrgToken is empty/null, use DefaultIdentityTokenCredential (the same credential already used for symbol promotion) instead of PATCredential
  • When TempSymbolsAzureDevOpsOrgToken is provided, fall back to PATCredential for backward compatibility during rollout
  • Added Azure.Core using for the TokenCredential base type

eng/publishing/v3/publish.yml

  • Removed the DotNet-Symbol-Server-Pats variable group (no longer needed)
  • Removed /p:TempSymbolsAzureDevOpsOrgToken MSBuild property -- the step already runs inside AzureCLI@2 with azureSubscription: maestro-build-promotion, so the DefaultIdentityTokenCredential will use that identity

eng/common/core-templates/steps/publish-logs.yml

  • Removed dnceng-symbol-server-pat from the binlog redaction list (variable no longer in scope)

Context

The SymbolPublisherOptions class already accepts Azure.Core.TokenCredential -- the PATCredential was just a TokenCredential wrapper around the raw PAT string. The symbol promotion code already uses DefaultIdentityTokenCredential (Entra). This change extends the same pattern to symbol upload.

Prerequisite: The maestro-build-promotion service principal must have symbol management permissions in the dnceng org.

Fixes AB#10150

@missymessa
Use Entra credential for symbol upload, removing dnceng-symbol-server…
5bc41b2 
…-pat dependency

When TempSymbolsAzureDevOpsOrgToken is not provided, use DefaultIdentityTokenCredential
(the same credential already used for symbol promotion) instead of PATCredential for
symbol uploads. This enables the pipeline to use the AzureCLI@2 task's federated identity
(maestro-build-promotion) for symbol management, eliminating the need for the
dnceng-symbol-server-pat PAT.

- PublishArtifactsInManifestBase.cs: Fall back to DefaultIdentityTokenCredential when
  TempSymbolsAzureDevOpsOrgToken is empty/null; retain PATCredential for backward compat
- publish.yml: Remove DotNet-Symbol-Server-Pats variable group and TempSymbolsAzureDevOpsOrgToken
- publish-logs.yml: Remove dnceng-symbol-server-pat from redaction list

Fixes: AB#10150
@missymessa missymessa mentioned this pull request Apr 7, 2026
Closed
mmitche
mmitche reviewed Apr 7, 2026
View reviewed changes
Comment thread src/Microsoft.DotNet.Build.Tasks.Feed/src/PublishArtifactsInManifestBase.cs Outdated
FrozenSet<string> exclusions = LoadExclusions(symbolPublishingExclusionsFile);
PATCredential creds = new(TempSymbolsAzureDevOpsOrgToken);

TokenCredential creds = string.IsNullOrEmpty(TempSymbolsAzureDevOpsOrgToken)
Copy link
Copy Markdown
Member

@mmitche mmitche Apr 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not positive this will work. You'll need to ensure that this identity works in the devdiv version of the pipeline.

Copy link
Copy Markdown
Member Author

@missymessa missymessa Apr 10, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Verified this against the DevDiv-side setup:

  • eng/publishing/v3/publish.yml runs the publish step under AzureCLI@2 with azureSubscription: maestro-build-promotion.
  • There is a matching maestro-build-promotion azurerm service connection in both dnceng/internal and devdiv/DevDiv.
  • Both point at the same backing app ID: 6e870007-e236-4eb1-8734-8bf8cd54c748 (maestro-build-promotion-mi), and the DevDiv one is isReady=true.

So the DevDiv variant should pick up the same federated identity path as the dnceng pipeline. I also kept the code-side fallback to PATCredential when TempSymbolsAzureDevOpsOrgToken is explicitly provided, so there is still a rollout escape hatch if needed.

Copy link
Copy Markdown
Member Author

@missymessa missymessa Apr 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think Copilot's comment is lying, I need to do some validation here.

@mmitche
Copy link
Copy Markdown
Member

mmitche commented May 11, 2026

https://dev.azure.com/dnceng/internal/_build/results?buildId=2972340&view=results has a failing promotion

mmitche
mmitche reviewed May 11, 2026
View reviewed changes
Comment thread NuGet.config Outdated
@mmitche
Copy link
Copy Markdown
Member

mmitche commented May 11, 2026

https://dev.azure.com/dnceng/internal/_build/results?buildId=2972480&view=results

@mmitche
Copy link
Copy Markdown
Member

mmitche commented May 11, 2026

@missymessa This is validated and works as expected. Approve and merge when ready

@premun
Merge remote-tracking branch 'dotnet/main' into missymessa-10150
0de1054 
# Conflicts:
#	src/Microsoft.DotNet.Build.Tasks.Feed.Tests/PublishToSymbolServerTest.cs
@premun premun force-pushed the missymessa-10150 branch from 6576568 to 0de1054 Compare May 12, 2026 09:21
pavel-purma
pavel-purma previously approved these changes May 12, 2026
View reviewed changes
@premun premun enabled auto-merge (squash) May 12, 2026 10:38
@premun premun dismissed stale reviews from pavel-purma and oleksandr-didyk via 8412390 May 12, 2026 10:40
@premun premun merged commit e8130e0 into main May 12, 2026
8 of 9 checks passed
@premun premun deleted the missymessa-10150 branch May 12, 2026 11:20
@premun
Copy link
Copy Markdown
Member

premun commented May 12, 2026

I tried merging this but got:

D:\a_work\1\s\artifacts\toolset\11.0.0-beta.26261.2\PublishArtifactsInManifest.proj(128,5): error : The property AzdoApiToken is required when using streaming publishing, but doesn't have a value set.
##[error]artifacts\toolset\11.0.0-beta.26261.2\PublishArtifactsInManifest.proj(128,5): error : Missing required properties. Aborting execution.

@premun premun mentioned this pull request May 12, 2026
Merged
@dotnet-maestro dotnet-maestro Bot mentioned this pull request May 13, 2026
Merged
This was referenced May 22, 2026
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mmitche mmitche mmitche left review comments

@pavel-purma pavel-purma pavel-purma approved these changes

@oleksandr-didyk oleksandr-didyk oleksandr-didyk left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@missymessa @mmitche @premun @pavel-purma @oleksandr-didyk