Migrate VS insertion from RIT+PAT to roslyn-tools CLI+WIF #13010
davidwengier merged 2 commits into dotnet:main from
|
Hey Razor team, let me know how I can best test this so I can make sure the Service Connection works here. Thanks! |
|
@davidwengier Thanks! I'll work on a fix. |
Replace the RoslynTools.VisualStudioInsertionTool (RIT) with the roslyn-tools
create-insertion CLI, which supports bearer token auth via DefaultAzureCredential.
The dnceng AzDO connection now uses a WIF service connection ('DncEng Insertion:
Roslyn and Razor') instead of the dn-bot-dnceng-build-e-code-full-release-e-packaging-r PAT.
The DevDiv token (dn-bot-devdiv-build-e-code-full-release-e-packaging-r) is still
passed as a PAT since DevDiv org auth is separate.
Part of dnceng/internal work item 10097.
ed84be4 to 73f5fdd
…eCredential
DefaultAzureCredential on build agents may pick up the agent's managed identity rather than the WIF service connection's SP. Explicitly acquire the token via 'az account get-access-token' within the AzureCLI@2 task context, where the correct SP is already logged in via federated token.
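A diagnostic for the failure mode described in the commit message above, added here as an example (not code from this PR or from roslyn-tools): it requests the Azure DevOps token from the az session that AzureCLI@2 logged in and checks, without verifying the signature, that the token's client ID is the expected service principal rather than the agent's managed identity. The expected client ID argument, and the assumption that the token is a JWT carrying an `appid` or `azp` claim, belong to this example and are not stated on the page.

```python
import base64
import json
import subprocess
import sys

# Well-known Entra application ID of the Azure DevOps resource.
AZDO_RESOURCE = "499b84ac-1321-427f-aa17-267ca6975798"


def get_cli_token(resource=AZDO_RESOURCE):
    """Request a token from the az session that AzureCLI@2 logged in."""
    result = subprocess.run(
        ["az", "account", "get-access-token", "--resource", resource,
         "--query", "accessToken", "-o", "tsv"],
        check=True, capture_output=True, text=True)
    return result.stdout.strip()


def jwt_claims(token):
    """Decode the JWT payload without verifying the signature (diagnostic only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_identity(token, expected_client_id, resource=AZDO_RESOURCE):
    """Return a list of problems; an empty list means expected SP and audience."""
    claims = jwt_claims(token)
    problems = []
    client = str(claims.get("appid") or claims.get("azp") or "")  # v1 / v2 claim
    if client.lower() != expected_client_id.lower():
        problems.append(f"token client is {client!r}, expected {expected_client_id!r}")
    audience = str(claims.get("aud", "")).rstrip("/")
    if audience.lower() != resource.lower():
        problems.append(f"token audience is {audience!r}, expected {resource!r}")
    return problems


if __name__ == "__main__":
    # Assumption: argv[1] is the client ID of the service connection's SP.
    issues = check_identity(get_cli_token(), sys.argv[1])
    for issue in issues:
        # Azure Pipelines logging command; the token itself is never printed.
        print(f"##vso[task.logissue type=error]{issue}")
    sys.exit(1 if issues else 0)
```

Run as a step inside the same AzureCLI@2 task, before the token is handed to the insertion tool, so a mismatch fails the build with a named cause instead of an authorization error later.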
|
Update (April 9, 2026): Explicit AzDO token for dnceng auth
Previous builds were failing with
Fix in
Service Principal details:
Build 2946752 queued with this fix. |
|
Work item: dnceng/internal#10097 |
|
@davidwengier I think this is good to go, if you're good with the testing done. |
davidwengier left a comment
If you're happy, I'm happy
|
/backport to stable |
|
Started backporting to |
|
/backport to release/stable |
|
@JoeRobich an error occurred while backporting to |
|
Started backporting to |
|
/backport to release/insiders |
|
Started backporting to |
|
/backport to release/dev18.3 |
|
/backport to release/dev18.0 |
|
Started backporting to |
|
Started backporting to |
|
/backport to release/dev17.14 |
|
Started backporting to |
|
/backport to release/dev17.12 |
|
Started backporting to |
…CLI+WIF (#13083)
Backport of #13010 to release/dev17.12
/cc @JoeRobich @missymessa
## Customer Impact
## Regression
- [ ] Yes
- [ ] No

[If yes, specify when the regression was introduced. Provide the PR or commit if known.]
## Testing
[How was the fix verified? How was the issue missed previously? What tests were added?]
## Risk
[High/Medium/Low. Justify the indication by mentioning how risks were measured and addressed.]

…CLI+WIF (#13082) Backport of #13010 to release/dev17.14 /cc @JoeRobich @missymessa
…CLI+WIF (#13079) Backport of #13010 to release/insiders /cc @JoeRobich @missymessa
…I+WIF (#13078) Backport of #13010 to release/stable /cc @JoeRobich @missymessa
…LI+WIF (#13080) Backport of #13010 to release/dev18.3 /cc @JoeRobich @missymessa
…LI+WIF (#13081) Backport of #13010 to release/dev18.0 /cc @JoeRobich @missymessa
Summary
Replace the RoslynTools.VisualStudioInsertionTool (RIT) with the roslyn-tools create-insertion CLI for VS insertion PRs. The CLI supports bearer token authentication via DefaultAzureCredential, enabling migration from the dn-bot-dnceng-build-e-code-full-release-e-packaging-r PAT to a Workload Identity Federation (WIF) service connection for the dnceng AzDO org.

Changes
eng/pipelines/insert.yml
- dotnet tool install Microsoft.RoslynTools
- buildUserName, buildPassword, componentUserName, componentPassword parameters
- devDivAzdoToken (for DevDiv org, still PAT-based) and dncEngAzureSubscription (WIF service connection) parameters
- OneOffInsertion.ps1 execution with AzureCLI@2 task running roslyn-tools create-insertion
- AzureCLI@2 task authenticates via the WIF service connection, enabling roslyn-tools to acquire a dnceng bearer token via DefaultAzureCredential (AzureCliCredential)
- prid.txt report step (CLI outputs PR URL to stdout)

azure-pipelines-official.yml
- devDivAzdoToken and dncEngAzureSubscription instead of username/password pairs

Auth Details
- DncEng Insertion: Roslyn and Razor (Entra app: Roslyn-Razor-Insertion-DncEng)
- dn-bot-devdiv-build-e-code-full-release-e-packaging-r PAT (DevDiv migration is separate)

Context
Part of PAT migration work item dnceng/internal#10097.
cc @dotnet/razor-compiler