chore: update publishing pipelines to use federated credentials inste…

…ad of PATs and client secrets (#2082)

#### Details

Our release pipelines for the ADO extension utilize a Visual Studio
Marketplace Service Connection with a PAT to publish to the Visual
Studio Marketplace. This PR creates a new template task
(`generate-vs-marketplace-token.yaml`) that uses AzureCLI to generate an
access token for that service connection to use instead. This template
is then used directly before the tasks that involve the VS Marketplace
SC (the `QueryVersion` task in `package-vsix-file.yaml` and the
`PublishAzureDevOpsExtension` task in `publish-vsix-file.yaml`).

Additionally, this PR implements the new ESRP signing task that uses
managed identity with federated credentials instead of client secrets to
authenticate.

It also deletes the yaml file for the pipeline that creates a new ESRP
service connection since that type of service connection is no longer
used in the signing task and we won't need to regenerate the entire SC
during secret rotation anymore.

##### Motivation

Security improvements

##### Context

This solution for removing PAT usage in the VS Marketplace Publishing
step was based on [this
workflow](https://jessehouwing.net/publish-azure-devops-extensions-using-workload-identity-oidc/),
linked from [this
issue](microsoft/azure-devops-extension-tasks#506)
in microsoft/azure-devops-extension-tasks.

These changes coincide with the addition of the following new variables
to the pipeline in ADO (documenting here in case they ever need to be
changed):
`linuxImage`: the name of the linux image in the hosted pool to be used
for this pipeline (currently set to `ubuntu-22.04-secure`)
`MARKETPLACE_RESOURCE_ID`: the resource ID of the VS Marketplace SC
`esrp-app-registration-client-id`: the client ID of the ESRP Signing app
registration
`esrp-app-registration-tenant-id`: the tenant where the ESRP Signing app
registration lives

#### Pull request checklist
<!-- If a checklist item is not applicable to this change, write "n/a"
in the checkbox -->
- [n/a] Addresses an existing issue: Fixes #0000
- [n/a] Added relevant unit test for your changes. (`yarn test`)
- [n/a] Verified code coverage for the changes made. Check coverage
report at: `<rootDir>/test-results/unit/coverage`
- [x] Ran precheckin (`yarn precheckin`)

pipelines/canary-release.yaml

@@ -19,7 +19,10 @@ variables:
 trigger: none
 
 pool:
-    vmImage: ubuntu-latest
+    name: $(a11yInsightsPool)
+    vmImage: $(linuxImage)
+    demands:
+        - ImageOverride -equals $(linuxImage)
 
 resources:
     pipelines:

pipelines/generate-vs-marketplace-token.yaml

@@ -0,0 +1,17 @@
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License.
+
+steps:
+    - task: AzureCLI@2
+      displayName: Get accessToken
+      name: getAccessToken
+      inputs:
+          azureSubscription: a11y-insights-action-prod
+          scriptType: pscore
+          scriptLocation: 'inlineScript'
+          ## The guid after --resource in the following command maps to the Azure DevOps Services
+          ## REST API (https://learn.microsoft.com/en-us/rest/api/azure/devops/tokens/)
+          inlineScript: |
+              $accessToken = az account get-access-token --resource 499b84ac-1321-427f-aa17-267ca6975798 --query "accessToken" --output tsv
+              write-host "##vso[task.setsecret]$accessToken"
+              write-host "##vso[task.setendpoint id=$(MARKETPLACE_RESOURCE_ID);field=authParameter;key=password]$accessToken"

pipelines/package-vsix-file.yaml

@@ -35,7 +35,7 @@ steps:
           runId: $(resources.pipeline.accessibility-insights-action-ci.runID)
           artifact: ado-extension-drop
           path: '$(System.DefaultWorkingDirectory)/ado-extension-drop'
-
+    - template: generate-vs-marketplace-token.yaml
     - task: QueryAzureDevOpsExtensionVersion@4
       name: QueryVersion
       inputs:
@@ -81,16 +81,21 @@ steps:
           outputPath: '$(Build.ArtifactStagingDirectory)/${{ parameters.environment }}.vsix'
 
     - task: UseDotNet@2
-      displayName: 'Use .NET Core sdk 2.1.x'
+      displayName: 'Use .NET Core sdk 6.0.x'
       inputs:
           packageType: 'sdk'
-          version: '2.1.x'
+          version: '6.0.x'
 
-    - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
+    - task: EsrpCodeSigning@5
       condition: and(succeeded(), eq('${{ parameters.shouldSign }}', 'true'))
       displayName: 'ESRP: Sign VSIX file '
       inputs:
-          ConnectedServiceName: 'a11y-insights-esrp-code-signing'
+          ConnectedServiceName: 'a11y-insights-esrp-code-signing-mi'
+          AppRegistrationClientId: $(esrp-app-registration-client-id)
+          AppRegistrationTenantId: $(esrp-app-registration-tenant-id)
+          AuthAKVName: 'a11y-insights-esrp-certs'
+          AuthCertName: 'a11y-insights-action-esrp-auth-cert'
+          AuthSignCertName: 'a11y-insights-action-esrp-cert'
           FolderPath: '$(Build.ArtifactStagingDirectory)'
           Pattern: '${{ parameters.environment }}.vsix'
           signConfigType: inlineSignParams

pipelines/prod-release.yaml

@@ -14,7 +14,10 @@ parameters:
 trigger: none
 
 pool:
-    vmImage: ubuntu-latest
+    name: $(a11yInsightsPool)
+    vmImage: $(linuxImage)
+    demands:
+        - ImageOverride -equals $(linuxImage)
 
 resources:
     pipelines:

pipelines/publish-vsix-file.yaml

@@ -20,6 +20,7 @@ steps:
           downloadType: 'single'
           artifactName: '${{ parameters.environment }}-vsix'
           downloadPath: '$(System.DefaultWorkingDirectory)'
+    - template: generate-vs-marketplace-token.yaml
     - task: PublishAzureDevOpsExtension@3
       inputs:
           connectTo: 'VsTeam'

pipelines/release-template.yaml

@@ -14,6 +14,11 @@ parameters:
 
 jobs:
     - job: package_job
+      pool:
+          name: $(a11yInsightsPool)
+          vmImage: $(linuxImage)
+          demands:
+              - ImageOverride -equals $(linuxImage)
       steps:
           - template: package-vsix-file.yaml
             parameters: