Get rid of the mintsas job and Managed Identity in favor of Workload …

…Identity Federation

scripts/azure-pipelines/android/azure-pipelines.yml

@@ -25,24 +25,15 @@ jobs:
     clean: resources
   timeoutInMinutes: 1440 # 1 day
   cancelTimeoutInMinutes: 1
-  dependsOn: mintsas
   variables:
   - name: WORKING_ROOT
     value: /mnt/vcpkg-ci
   - name: VCPKG_DOWNLOADS
     value: /mnt/vcpkg-ci/downloads
-  - name: X_VCPKG_ASSET_SOURCES
-    value: $[ dependencies.mintsas.outputs['mintsasstep.X_VCPKG_ASSET_SOURCES'] ]
-  - name: X_VCPKG_BINARY_SOURCE_STUB
-    value: $[ dependencies.mintsas.outputs['mintsasstep.X_VCPKG_BINARY_SOURCE_STUB'] ]
   - name: ANDROID_NDK_HOME
     value: /android-ndk-r26d
   steps:
     # Note: /mnt is the Azure machines' temporary disk.
-  - bash: |
-      az login --identity
-      az acr login --name vcpkgandroidwus3
-    displayName: 'Set up managed identity'
   - bash: |
       sudo mkdir /home/agent -m=777
       sudo chown `id -u` /home/agent
@@ -58,9 +49,16 @@ jobs:
         docker rm -f $CONTAINERS
       fi
     displayName: 'Stop and remove all docker containers'
-  - bash: |
-      docker pull ${{ parameters.dockerImage }}
+  - task: AzureCLI@2
     displayName: 'Pull Docker Container'
+    inputs:
+      azureSubscription: 'VcpkgPrFleet'
+      scriptType: bash
+      failOnStandardError: true
+      scriptLocation: 'inlineScript'
+      inlineScript: |
+          az acr login --name vcpkgandroidwus3
+          docker pull ${{ parameters.dockerImage }}
   - bash: |
       docker run --rm \
       --mount type=bind,source=$(Build.Repository.LocalPath),target=/vcpkg \
@@ -75,10 +73,18 @@ jobs:
       ./scripts/azure-pipelines/bootstrap-from-source.sh ${{ parameters.vcpkgToolSha }}
     displayName: "Build vcpkg with CMake"
     condition: ne('use default', '${{ parameters.vcpkgToolSha }}')
-  - task: Bash@3
+  - task: AzureCLI@2
+    displayName: '*** Test Modified Ports'
     inputs:
-      targetType: inline
-      script: |
+      azureSubscription: 'VcpkgPrFleet'
+      scriptType: bash
+      failOnStandardError: true
+      scriptLocation: 'inlineScript'
+      inlineScript: |
+        end=`date -u -d "2 days" '+%Y-%m-%dT%H:%MZ'`
+        assetSas=`az storage container generate-sas --name cache --account-name vcpkgassetcachewus3 --as-user --auth-mode login --https-only --permissions rcl --expiry $end -o tsv`
+        binarySas=`az storage container generate-sas --name cache --account-name vcpkgbinarycachewus3 --as-user --auth-mode login --https-only --permissions rclw --expiry $end -o tsv`
+        echo Minting SAS tokens valid through $end
         USER=$(id --user)
         docker run --init -i \
         -a stderr \
@@ -87,17 +93,15 @@ jobs:
         --mount type=bind,source=$(Build.Repository.LocalPath),target=/vcpkg \
         --mount type=bind,source=$(WORKING_ROOT)/failure-logs,target=/vcpkg/failure-logs \
         --mount type=bind,source=/mnt/vcpkg-ci,target=/mnt/vcpkg-ci \
-        --env X_VCPKG_ASSET_SOURCES="$(X_VCPKG_ASSET_SOURCES)" \
+        --env X_VCPKG_ASSET_SOURCES="x-azurl,https://vcpkgassetcachewus3.blob.core.windows.net/cache,$assetSas,readwrite" \
         --env ANDROID_NDK_HOME="${{ variables.ANDROID_NDK_HOME }}" \
         ${{ parameters.dockerImage }} \
         pwsh \
          -File /vcpkg/scripts/azure-pipelines/test-modified-ports.ps1 \
          -Triplet ${{ replace(parameters.jobName, '_', '-') }} \
          -BuildReason $(Build.Reason) \
-         -BinarySourceStub "$(X_VCPKG_BINARY_SOURCE_STUB)" \
+         -BinarySourceStub "x-azblob,https://vcpkgbinarycachewus3.blob.core.windows.net/cache,$binarySas" \
          -WorkingRoot ${{ variables.WORKING_ROOT }}
-      failOnStderr: true
-    displayName: '*** Test Modified Ports'
   - bash: |
       CONTAINERS=$(docker ps -a -q)
       if [ -n "$CONTAINERS" ]; then

scripts/azure-pipelines/azure-pipelines.yml

@@ -15,21 +15,6 @@ parameters:
     default: '-'
 
 jobs:
-- job: mintsas
-  displayName: 'Mint SAS token for Asset and Binary Caches'
-  pool:
-    name: PrToken-1ES
-  steps:
-    - checkout: none
-    - script: |
-        az login --identity --username a81b4cd3-9d8d-4cb9-9a74-f2038f24f224
-        end=`date -u -d "2 days" '+%Y-%m-%dT%H:%MZ'`
-        echo Minting SAS tokens valid through $end
-        echo "##vso[task.setvariable variable=X_VCPKG_ASSET_SOURCES;isSecret=true;isOutput=true;isreadonly=true]x-azurl,https://vcpkgassetcachewus3.blob.core.windows.net/cache,`az storage container generate-sas --name cache --account-name vcpkgassetcachewus3 --as-user --auth-mode login --https-only --permissions rcl --expiry $end -o tsv`,readwrite"
-        echo "##vso[task.setvariable variable=X_VCPKG_BINARY_SOURCE_STUB;isSecret=true;isOutput=true;isreadonly=true]x-azblob,https://vcpkgbinarycachewus3.blob.core.windows.net/cache,`az storage container generate-sas --name cache --account-name vcpkgbinarycachewus3 --as-user --auth-mode login --https-only --permissions rclw --expiry $end -o tsv`"
-      name: mintsasstep
-      displayName: 'Mint Tokens'
-
 - template: windows/azure-pipelines.yml
   parameters:
     jobName: x86_windows

scripts/azure-pipelines/linux/azure-pipelines.yml

@@ -23,16 +23,11 @@ jobs:
   workspace:
     clean: resources
   timeoutInMinutes: 1440 # 1 day
-  dependsOn: mintsas
   variables:
   - name: WORKING_ROOT
     value: /mnt/vcpkg-ci
   - name: VCPKG_DOWNLOADS
     value: /mnt/vcpkg-ci/downloads
-  - name: X_VCPKG_ASSET_SOURCES
-    value: $[ dependencies.mintsas.outputs['mintsasstep.X_VCPKG_ASSET_SOURCES'] ]
-  - name: X_VCPKG_BINARY_SOURCE_STUB
-    value: $[ dependencies.mintsas.outputs['mintsasstep.X_VCPKG_BINARY_SOURCE_STUB'] ]
   steps:
     # Note: /mnt is the Azure machines' temporary disk.
   - bash: |
@@ -48,15 +43,23 @@ jobs:
   - bash: ./scripts/azure-pipelines/bootstrap-from-source.sh ${{ parameters.vcpkgToolSha }}
     displayName: "Build vcpkg with CMake"
     condition: ne('use default', '${{ parameters.vcpkgToolSha }}')
-  - task: PowerShell@2
+  - task: AzureCLI@2
     displayName: '*** Test Modified Ports'
-    env:
-      X_VCPKG_ASSET_SOURCES: $(X_VCPKG_ASSET_SOURCES)
     inputs:
-      failOnStderr: true
-      filePath: 'scripts/azure-pipelines/test-modified-ports.ps1'
-      arguments: "-Triplet ${{ replace(parameters.jobName, '_', '-') }} -BuildReason $(Build.Reason) -BinarySourceStub \"$(X_VCPKG_BINARY_SOURCE_STUB)\" -WorkingRoot ${{ variables.WORKING_ROOT }} -ArtifactStagingDirectory $(Build.ArtifactStagingDirectory)"
-      pwsh: true
+      azureSubscription: 'VcpkgPrFleet'
+      scriptType: 'pscore'
+      failOnStandardError: true
+      scriptLocation: 'inlineScript'
+      inlineScript: |
+          $current = Get-Date -AsUtc
+          $endDate = $current.AddDays(2)
+          $end = Get-Date -Date $endDate -UFormat '+%Y-%m-%dT%H:%MZ'
+          $assetSas = az storage container generate-sas --name cache --account-name vcpkgassetcachewus3 --as-user --auth-mode login --https-only --permissions rcl --expiry $end -o tsv | Out-String
+          $assetSas = $assetSas.Trim()
+          $binarySas = az storage container generate-sas --name cache --account-name vcpkgbinarycachewus3 --as-user --auth-mode login --https-only --permissions rclw --expiry $end -o tsv | Out-String
+          $binarySas = $binarySas.Trim()
+          $env:X_VCPKG_ASSET_SOURCES = "x-azurl,https://vcpkgassetcachewus3.blob.core.windows.net/cache,$assetSas,readwrite"
+          & scripts/azure-pipelines/test-modified-ports.ps1 -Triplet ${{ replace(parameters.jobName, '_', '-') }} -BuildReason $(Build.Reason) -BinarySourceStub "x-azblob,https://vcpkgbinarycachewus3.blob.core.windows.net/cache,$binarySas" -WorkingRoot $env:WORKING_ROOT -ArtifactStagingDirectory $(Build.ArtifactStagingDirectory)
   - task: PublishBuildArtifacts@1
     displayName: "Publish Artifact: failure logs for ${{ replace(parameters.jobName, '_', '-') }}"
     inputs:

scripts/azure-pipelines/osx/azure-pipelines.yml

@@ -25,16 +25,11 @@ jobs:
   workspace:
     clean: resources
   timeoutInMinutes: 2880 # 2 days
-  dependsOn: mintsas
   variables:
   - name: WORKING_ROOT
     value: /Users/vcpkg/Data
   - name: VCPKG_DOWNLOADS
     value: /Users/vcpkg/Data/downloads
-  - name: X_VCPKG_ASSET_SOURCES
-    value: $[ dependencies.mintsas.outputs['mintsasstep.X_VCPKG_ASSET_SOURCES'] ]
-  - name: X_VCPKG_BINARY_SOURCE_STUB
-    value: $[ dependencies.mintsas.outputs['mintsasstep.X_VCPKG_BINARY_SOURCE_STUB'] ]
   steps:
   - bash: |
       sudo mkdir ${{ variables.VCPKG_DOWNLOADS }} || 0
@@ -47,20 +42,23 @@ jobs:
   - bash: ./scripts/azure-pipelines/bootstrap-from-source.sh ${{ parameters.vcpkgToolSha }}
     displayName: "Build vcpkg with CMake"
     condition: ne('use default', '${{ parameters.vcpkgToolSha }}')
-  - task: PowerShell@2
+  - task: AzureCLI@2
     displayName: '*** Test Modified Ports'
-    env:
-      X_VCPKG_ASSET_SOURCES: $(X_VCPKG_ASSET_SOURCES)
     inputs:
-      failOnStderr: true
-      filePath: 'scripts/azure-pipelines/test-modified-ports.ps1'
-      arguments: >
-        -Triplet ${{ replace(parameters.jobName, '_', '-') }}
-        -BuildReason "$(Build.Reason)"
-        -BinarySourceStub "$(X_VCPKG_BINARY_SOURCE_STUB)"
-        -WorkingRoot "$(WORKING_ROOT)"
-        -ArtifactStagingDirectory "$(Build.ArtifactStagingDirectory)"
-      pwsh: true
+      azureSubscription: 'VcpkgPrFleet'
+      scriptType: 'pscore'
+      failOnStandardError: true
+      scriptLocation: 'inlineScript'
+      inlineScript: |
+          $current = Get-Date -AsUtc
+          $endDate = $current.AddDays(2)
+          $end = Get-Date -Date $endDate -UFormat '+%Y-%m-%dT%H:%MZ'
+          $assetSas = az storage container generate-sas --name cache --account-name vcpkgassetcachewus3 --as-user --auth-mode login --https-only --permissions rcl --expiry $end -o tsv | Out-String
+          $assetSas = $assetSas.Trim()
+          $binarySas = az storage container generate-sas --name cache --account-name vcpkgbinarycachewus3 --as-user --auth-mode login --https-only --permissions rclw --expiry $end -o tsv | Out-String
+          $binarySas = $binarySas.Trim()
+          $env:X_VCPKG_ASSET_SOURCES = "x-azurl,https://vcpkgassetcachewus3.blob.core.windows.net/cache,$assetSas,readwrite"
+          & scripts/azure-pipelines/test-modified-ports.ps1 -Triplet ${{ replace(parameters.jobName, '_', '-') }} -BuildReason $(Build.Reason) -BinarySourceStub "x-azblob,https://vcpkgbinarycachewus3.blob.core.windows.net/cache,$binarySas" -WorkingRoot $env:WORKING_ROOT -ArtifactStagingDirectory $(Build.ArtifactStagingDirectory)
   - task: PublishBuildArtifacts@1
     displayName: 'Publish Artifact: failure logs for x64-osx'
     inputs:

scripts/azure-pipelines/windows/azure-pipelines.yml

@@ -24,7 +24,6 @@ jobs:
   workspace:
     clean: resources
   timeoutInMinutes: 2880 # 2 days
-  dependsOn: mintsas
   variables:
   - name: WORKING_ROOT
     value: D:\
@@ -34,10 +33,6 @@ jobs:
     value: $(Build.ArtifactStagingDirectory)\format.diff
   - name: ExtraChecksTriplet
     value: x86-windows
-  - name: X_VCPKG_ASSET_SOURCES
-    value: $[ dependencies.mintsas.outputs['mintsasstep.X_VCPKG_ASSET_SOURCES'] ]
-  - name: X_VCPKG_BINARY_SOURCE_STUB
-    value: $[ dependencies.mintsas.outputs['mintsasstep.X_VCPKG_BINARY_SOURCE_STUB'] ]
   steps:
   - script: .\bootstrap-vcpkg.bat
     displayName: 'Bootstrap vcpkg'
@@ -61,15 +56,23 @@ jobs:
     inputs:
       PathtoPublish: '$(DiffFile)'
       ArtifactName: 'format.diff'
-  - task: PowerShell@2
+  - task: AzureCLI@2
     displayName: '*** Test Modified Ports'
-    env:
-      X_VCPKG_ASSET_SOURCES: $(X_VCPKG_ASSET_SOURCES)
     inputs:
-      failOnStderr: true
-      filePath: 'scripts/azure-pipelines/test-modified-ports.ps1'
-      arguments: "-Triplet ${{ replace(parameters.jobName, '_', '-') }} -BuildReason $(Build.Reason) -BinarySourceStub \"$(X_VCPKG_BINARY_SOURCE_STUB)\" -WorkingRoot ${{ variables.WORKING_ROOT }} -ArtifactStagingDirectory $(Build.ArtifactStagingDirectory)"
-      pwsh: true
+      azureSubscription: 'VcpkgPrFleet'
+      scriptType: 'pscore'
+      failOnStandardError: true
+      scriptLocation: 'inlineScript'
+      inlineScript: |
+          $current = Get-Date -AsUtc
+          $endDate = $current.AddDays(2)
+          $end = Get-Date -Date $endDate -UFormat '+%Y-%m-%dT%H:%MZ'
+          $assetSas = az storage container generate-sas --name cache --account-name vcpkgassetcachewus3 --as-user --auth-mode login --https-only --permissions rcl --expiry $end -o tsv | Out-String
+          $assetSas = $assetSas.Trim()
+          $binarySas = az storage container generate-sas --name cache --account-name vcpkgbinarycachewus3 --as-user --auth-mode login --https-only --permissions rclw --expiry $end -o tsv | Out-String
+          $binarySas = $binarySas.Trim()
+          $env:X_VCPKG_ASSET_SOURCES = "x-azurl,https://vcpkgassetcachewus3.blob.core.windows.net/cache,$assetSas,readwrite"
+          & scripts/azure-pipelines/test-modified-ports.ps1 -Triplet ${{ replace(parameters.jobName, '_', '-') }} -BuildReason $(Build.Reason) -BinarySourceStub "x-azblob,https://vcpkgbinarycachewus3.blob.core.windows.net/cache,$binarySas" -WorkingRoot $env:WORKING_ROOT -ArtifactStagingDirectory $(Build.ArtifactStagingDirectory)
   - task: PowerShell@2
     displayName: 'Validate version files'
     condition: eq('${{ replace(parameters.jobName, '_', '-') }}', '${{ variables.ExtraChecksTriplet }}')