Replace PAT with WIF service connection for VS insertion (#19683)

missymessa · T-Gro · abonie · web-flow · commit ba48c78076ef · 2026-05-07T12:34:02.000+02:00
Migrate from dn-bot-devdiv-build-rw-code-rw-release-rw PAT to the dnceng-fsharp-vs-insertion-wif Entra WIF service connection for authenticating to DevDiv when creating VS insertion PRs. - Remove DotNet-VSTS-Infra-Access variable group reference - Add AzureCLI@2 step to acquire bearer token via WIF SC - Set InsertAccessToken as secret variable from WIF token Resolves: https://dev.azure.com/dnceng/internal/_workitems/edit/10091 Co-authored-by: Tomas Grosup <Tomas.Grosup@gmail.com> Co-authored-by: Adam Boniecki <20281641+abonie@users.noreply.github.com>
diff --git a/eng/release/insert-into-vs.yml b/eng/release/insert-into-vs.yml
@@ -17,9 +17,6 @@ stages:
       name: NetCore1ESPool-Svc-Internal
       image: windows.vs2026preview.scout.amd64
     variables:
-    - group: DotNet-VSTS-Infra-Access
-    - name: InsertAccessToken
-      value: $(dn-bot-devdiv-build-rw-code-rw-release-rw)
     - name: InsertBuildPolicy
       value: ${{ parameters.insertBuildPolicy }}
     - name: InsertTargetBranch
@@ -70,6 +67,16 @@ stages:
           $autoCompleteStr = if ($autoComplete) { 'true' } else { 'false' }
           Write-Host "Setting InsertAutoComplete to '$autoCompleteStr'"
           Write-Host "##vso[task.setvariable variable=InsertAutoComplete]$autoCompleteStr"
+    - task: AzureCLI@2
+      displayName: 'Get DevDiv Access Token (WIF)'
+      inputs:
+        azureSubscription: 'dnceng-fsharp-vs-insertion-wif'
+        scriptType: 'pscore'
+        scriptLocation: 'inlineScript'
+        inlineScript: |
+          $token = az account get-access-token --resource "499b84ac-1321-427f-aa17-267ca6975798" --query accessToken -o tsv
+          Write-Host "##vso[task.setvariable variable=InsertAccessToken;issecret=true]$token"
+      condition: and(succeeded(), or(eq(variables['Build.SourceBranch'], '${{ parameters.componentBranchName }}'), eq(variables['Build.SourceBranch'], 'refs/heads/${{ parameters.componentBranchName }}')))
     - task: ms-vseng.MicroBuildShipTasks.55100717-a81d-45ea-a363-b8fe3ec375ad.MicroBuildInsertVsPayload@5
       displayName: 'Insert VS Payload'
       inputs:
