[ci] Update OneLocBuildToken (#1220)

Update the token in the Localization step to one backed by a managed identity.
dotnet · May 22, 2024 · d6dfe4a · d6dfe4a
1 parent 78d5937
commit d6dfe4a
Showing 1 changed file with 17 additions and 1 deletion.
diff --git a/build-tools/automation/azure-pipelines.yaml b/build-tools/automation/azure-pipelines.yaml
@@ -173,6 +173,22 @@ jobs:
   - checkout: self
     clean: true
 
+  # https://eng.ms/docs/cloud-ai-platform/devdiv/one-engineering-system-1es/1es-docs/1es-security-configuration/configuration-guides/pat-burndown-guidance#authentication-from-pipelines
+  # Requires Azure client 2.x
+  - task: AzureCLI@2
+    displayName: 'Set AzDO.OneLocBuildToken'
+    enabled: true
+    inputs:
+      azureSubscription: 'VSEng-AzureDevOps-ceapex-OneLocBuild'   # Azure DevOps service connection
+      scriptType: 'pscore'
+      scriptLocation: 'inlineScript'
+      inlineScript: |
+        # if this fails, check out this bash script that includes diagnostics:
+        # https://gist.github.com/johnterickson/19f80a3e969e39f1000d118739176e62
+        # Note that the resource is specified to limit the token to Azure DevOps
+        $token = az account get-access-token --query accessToken --resource 499b84ac-1321-427f-aa17-267ca6975798 -o tsv
+        Write-Host "##vso[task.setvariable variable=AzDO.OneLocBuildToken;issecret=true]${token}"
+
   - task: OneLocBuild@2
     displayName: OneLocBuild
     env:
@@ -181,7 +197,7 @@ jobs:
       locProj: Localize/LocProject.json
       outDir: $(Build.StagingDirectory)
       packageSourceAuth: patAuth
-      patVariable: $(OneLocBuild--PAT)
+      patVariable: $(AzDO.OneLocBuildToken)
       isCreatePrSelected: true
       repoType: gitHub
       gitHubPatVariable: $(github--pat--vs-mobiletools-engineering-service2)