Skip to content

[release/9.0] Use WIF-based Entra auth for OneLocBuild ceapex feed access#17085

Open
missymessa wants to merge 2 commits into
release/9.0from
onelocbuild-wif-migration-9.0
Open

[release/9.0] Use WIF-based Entra auth for OneLocBuild ceapex feed access#17085
missymessa wants to merge 2 commits into
release/9.0from
onelocbuild-wif-migration-9.0

Conversation

@missymessa

Copy link
Copy Markdown
Member

Cherry-pick of #17083 to release/9.0.

Replaces PAT-based authentication for OneLocBuild's ceapex feed access with WIF-based Entra token via AzureCLI@2 and the dnceng-onelocbuild-ceapex service connection.

Related: AzDO#10151

Cherry-pick of onelocbuild-wif-migration (main) to release/9.0.

Replace PAT-based authentication with Entra token acquired via
AzureCLI@2 and the dnceng-onelocbuild-ceapex service connection.

Related: AzDO#10151
Copilot AI review requested due to automatic review settings July 8, 2026 20:05

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the OneLocBuild job template to support accessing ceapex feeds using a WIF-based Entra token (via an Azure service connection) instead of relying solely on a PAT, enabling more secure authentication for internal pipelines.

Changes:

  • Adds a CeapexServiceConnection parameter (defaulting to dnceng-onelocbuild-ceapex) with an opt-out ('') to fall back to PAT auth.
  • Acquires an Entra access token via AzureCLI@2 when the service connection is set, and wires it into the OneLocBuild task’s patVariable.
  • Updates the OneLocBuild task reference to OneLocBuild@3.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines +81 to +93
# Acquire Entra token for ceapex feed access when using WIF-based auth
- ${{ if ne(parameters.CeapexServiceConnection, '') }}:
- task: AzureCLI@2
displayName: 'Acquire Entra token for ceapex feed access'
inputs:
azureSubscription: ${{ parameters.CeapexServiceConnection }}
scriptType: 'pscore'
scriptLocation: 'inlineScript'
inlineScript: |
$token = az account get-access-token --query accessToken --resource 499b84ac-1321-427f-aa17-267ca6975798 -o tsv
if (-not $token) { Write-Error "Failed to acquire AzDO token"; exit 1 }
Write-Host "##vso[task.setvariable variable=CeapexEntraToken;issecret=true]${token}"
condition: ${{ parameters.condition }}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants