chore: update publishing pipelines to use federated credentials instead of PATs and client secrets #2082
Conversation
Add task to get service principal id for later step
change azureSubscription from service principal name to service connection name
use newer version of azure cli
v3 doesn't exist, change it back and instead assign Reader role to managed identity
attempt to generate the access token and set the PAT env variable
remove azureSubscription from ps task
dedent stuff in ps task
attempt to fix indentation again
…ights-action into fix-esrp-signing-v5
Codecov Report: All modified and coverable lines are covered by tests ✅

Coverage Diff

| | main | #2082 | +/- |
|---|---|---|---|
| Coverage | 94.51% | 94.51% | |
| Files | 38 | 38 | |
| Lines | 1058 | 1058 | |
| Branches | 141 | 141 | |
| Hits | 1000 | 1000 | |
| Misses | 58 | 58 | |

View full report in Codecov by Sentry.
scriptType: pscore | ||
scriptLocation: 'inlineScript' | ||
inlineScript: | | ||
$accessToken = az account get-access-token --resource 499b84ac-1321-427f-aa17-267ca6975798 --query "accessToken" --output tsv |
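Review bot: the resource GUID `499b84ac-1321-427f-aa17-267ca6975798` is a literal inside the inline script even though the description lists a new `MARKETPLACE_RESOURCE_ID` pipeline variable for exactly this value; reference the variable here so rotation or environment changes happen in one place, and when the token is handed to the next step make sure it is set with `issecret=true` so it is masked in the job log rather than exposed as a plain variable.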
Is this the Azure resource id? Is there any concern with having the actual GUID here?
I've added a comment in the code to address this.
displayName: Get accessToken | ||
name: getAccessToken | ||
inputs: | ||
azureSubscription: a11y-insights-action-prod |
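Review bot: the service connection name `a11y-insights-action-prod` is hard-coded in what the description presents as a shared template; since the thread confirms it is the same for canary, staging and prod, either say so in a comment next to the input or lift it into a template parameter so each call site binds the connection explicitly.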
Is it going to be the same for canary, staging and prod environments?
Adding answer for posterity: yes!
Details
Our release pipelines for the ADO extension utilize a Visual Studio Marketplace Service Connection with a PAT to publish to the Visual Studio Marketplace. This PR creates a new template task (`generate-vs-marketplace-token.yaml`) that uses AzureCLI to generate an access token for that service connection to use instead. This template is then used directly before the tasks that involve the VS Marketplace SC (the `QueryVersion` task in `package-vsix-file.yaml` and the `PublishAzureDevOpsExtension` task in `publish-vsix-file.yaml`).

Additionally, this PR implements the new ESRP signing task that uses managed identity with federated credentials instead of client secrets to authenticate.
It also deletes the yaml file for the pipeline that creates a new ESRP service connection since that type of service connection is no longer used in the signing task and we won't need to regenerate the entire SC during secret rotation anymore.
Motivation
Security improvements
Context
This solution for removing PAT usage in the VS Marketplace Publishing step was based on this workflow, linked from this issue in microsoft/azure-devops-extension-tasks.
These changes coincide with the addition of the following new variables to the pipeline in ADO (documenting here in case they ever need to be changed):

- `linuxImage`: the name of the linux image in the hosted pool to be used for this pipeline (currently set to `ubuntu-22.04-secure`)
- `MARKETPLACE_RESOURCE_ID`: the resource ID of the VS Marketplace SC
- `esrp-app-registration-client-id`: the client ID of the ESRP Signing app registration
- `esrp-app-registration-tenant-id`: the tenant where the ESRP Signing app registration lives

Pull request checklist

- `yarn test` (`<rootDir>/test-results/unit/coverage`)
- `yarn precheckin`
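An illustrative version of the token-generating template the description refers to, added here as an example and not the PR's own file: the file name, task display name and step name come from the PR, while the parameter names, the `$(MARKETPLACE_RESOURCE_ID)` reference and the secret variable name `marketplaceToken` are assumptions.

```yaml
# generate-vs-marketplace-token.yaml (example; structure assumed, not the PR's file)
# Acquires a short-lived Entra ID token through a service connection that uses
# workload identity federation, so no PAT or client secret is stored anywhere.
parameters:
  - name: azureSubscription   # name of the federated-credential service connection (assumed parameter)
    type: string

steps:
  - task: AzureCLI@2
    displayName: Get accessToken
    name: getAccessToken
    inputs:
      azureSubscription: ${{ parameters.azureSubscription }}
      scriptType: pscore
      scriptLocation: inlineScript
      inlineScript: |
        $ErrorActionPreference = 'Stop'
        # Audience for the token comes from the pipeline variable the PR introduces,
        # rather than a GUID literal in the script.
        $accessToken = az account get-access-token `
          --resource '$(MARKETPLACE_RESOURCE_ID)' `
          --query accessToken --output tsv
        if ([string]::IsNullOrWhiteSpace($accessToken)) {
          throw 'Failed to acquire a Marketplace access token'
        }
        # issecret=true masks the value in logs and keeps it out of plain environment
        # dumps; later steps in the same job read it as $(marketplaceToken).
        Write-Host "##vso[task.setvariable variable=marketplaceToken;issecret=true]$accessToken"
```

The token lives only for the job that requested it, so a leaked log or artifact does not yield a reusable credential the way a stored PAT would.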