Replace dn-bot-dnceng-build-rw-code-rw PAT with WIF service connection in mirror-within-azdo #66115

Open
missymessa wants to merge 1 commit into release/8.0 from pat-migration/wif-mirror-within-azdo-release8

@missymessa
Member

Summary

Migrate the azure-pipelines-mirror-within-azdo.yml pipeline from using the dn-bot-dnceng-build-rw-code-rw PAT (from the Mirror-Credentials variable group) to the dnceng-build-rw-code-rw-wif Workload Identity Federation service connection.

This is the same change as #66074 (merged to main), ported to the release/8.0 branch.

Changes

  • Remove Mirror-Credentials variable group reference
  • New AzureCLI@2 step – mints an AzDO bearer token via az account get-access-token using the dnceng-build-rw-code-rw-wif WIF service connection and stores it as the secret pipeline variable WifAzdoToken
  • Clone step now uses header-based auth (http.extraheader) instead of PAT embedded in the URL
  • Push step now uses header-based auth as well

Related

  • Part of PAT migration work item WI 10139
  • Service connection: dnceng-build-rw-code-rw-wif (Entra app 21f66e0-bb35-4fd3-bc70-ba084d1e7a52)

@missymessa missymessa requested review from a team and wtgodbe as code owners April 2, 2026 17:56
@missymessa missymessa added the area-infrastructure Includes: MSBuild projects/targets, build scripts, CI, Installers and shared framework label Apr 2, 2026
Copilot AI review requested due to automatic review settings April 2, 2026 17:56
@dotnet-policy-service dotnet-policy-service bot added this to the 8.0.x milestone Apr 2, 2026
@dotnet-policy-service
Contributor

Hi @missymessa. If this is not a tell-mode PR, please make sure to follow the instructions laid out in the servicing process document.
Otherwise, please add tell-mode label.

Contributor

Copilot AI left a comment

Pull request overview

This PR migrates the internal AzDO “mirror-within-azdo” pipeline from using a stored PAT (via the Mirror-Credentials variable group) to using a Workload Identity Federation (WIF) service connection, aligning the release/8.0 branch with the already-merged change on main.

Changes:

  • Removed the Mirror-Credentials variable group dependency.
  • Added an AzureCLI@2 step to mint an AzDO bearer token via az account get-access-token using the dnceng-build-rw-code-rw-wif service connection and store it as a secret variable.
  • Updated git clone and git push to use header-based auth (http.https://dev.azure.com/.extraheader) instead of embedding credentials in the URL.
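
The pattern described in the PR summary and in this review, sketched as an added example; it is not the PR's diff or the repository's pipeline file. The `AzureCLI@2` inputs shown, the Azure DevOps resource ID, the `WIF_AZDO_TOKEN` and `PatVariable` names, and every `<...>` placeholder are assumptions.

```yaml
# Added illustration; not the contents of azure-pipelines-mirror-within-azdo.yml.
# <org>, <project>, <repo> and the branch names are placeholders.
steps:
# Before (pattern being removed): a long-lived PAT from a variable group,
# embedded in the remote URL, where git also writes it to .git/config.
#   variables:
#   - group: Mirror-Credentials
#   - script: git clone https://user:$(PatVariable)@dev.azure.com/<org>/<project>/_git/<repo>
#     (PatVariable is a hypothetical variable name)

# After: exchange the pipeline's federated identity for a short-lived token.
- task: AzureCLI@2
  displayName: Mint AzDO bearer token (WIF)
  inputs:
    azureSubscription: dnceng-build-rw-code-rw-wif
    scriptType: bash
    scriptLocation: inlineScript
    inlineScript: |
      set -euo pipefail
      # 499b84ac-... is the Azure DevOps resource (application) ID in Entra ID.
      token=$(az account get-access-token \
        --resource 499b84ac-1321-427f-aa17-267ca6975798 \
        --query accessToken --output tsv)
      # issecret=true masks the value in logs; secret variables are not
      # exported to later scripts as environment variables automatically.
      echo "##vso[task.setvariable variable=WifAzdoToken;issecret=true]$token"

- bash: |
    set -euo pipefail
    # -c applies to a single git invocation; nothing is persisted in .git/config.
    # The key is scoped to dev.azure.com so the header is not sent to other hosts.
    auth=(-c "http.https://dev.azure.com/.extraheader=AUTHORIZATION: bearer ${WIF_AZDO_TOKEN}")
    git "${auth[@]}" clone --bare "https://dev.azure.com/<org>/<project>/_git/<repo>" mirror
    git -C mirror "${auth[@]}" push origin "<source-branch>:<target-branch>"
  displayName: Clone and push with header auth
  env:
    WIF_AZDO_TOKEN: $(WifAzdoToken)  # secret variables must be mapped explicitly
```

After a run, `git -C mirror config --get remote.origin.url` should show a URL with no userinfo component, which is a quick check that no credential was written to disk.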

@missymessa
Member Author

/azp run aspnetcore-ci

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).
