Use federated connections for storage account (#6939)

jander-msft · web-flow · commit 6de4b5d5a5d4 · 2024-07-02T11:24:29.000-07:00
diff --git a/eng/pipelines/jobs/build.yml b/eng/pipelines/jobs/build.yml
@@ -108,7 +108,6 @@ jobs:
       - _CrossBuildArgs: '-cross'
 
     - ${{ if eq(variables['System.TeamProject'], 'internal') }}:
-      - group: DotNetBuilds storage account read tokens
       - _InternalInstallArgs: >-
           -RuntimeSourceFeed https://dotnetbuilds.blob.core.windows.net/internal
           -RuntimeSourceFeedKey $(dotnetbuilds-internal-container-read-token-base64)
@@ -140,6 +139,9 @@ jobs:
     - ${{ each step in parameters.preBuildSteps }}:
       - ${{ step }}
 
+    # Populate internal runtime access variables
+    - template: /eng/common/templates/steps/enable-internal-runtimes.yml
+
     - script: >-
         $(Build.SourcesDirectory)/eng/cibuild$(scriptExt)
         -configuration ${{ parameters.configuration }}
diff --git a/eng/pipelines/jobs/pack-sign-publish.yml b/eng/pipelines/jobs/pack-sign-publish.yml
@@ -15,7 +15,6 @@ jobs:
     variables:
     - _BuildConfig: Release
     - _SignType: real
-    - group: DotNetBuilds storage account read tokens
     steps:
     - task: DownloadPipelineArtifact@2
       displayName: Download Binaries
@@ -35,6 +34,8 @@ jobs:
     - template: /eng/pipelines/steps/setup-nuget-sources.yml@self
       parameters:
         osGroup: Windows
+    # Populate internal runtime access variables
+    - template: /eng/common/templates/steps/enable-internal-runtimes.yml
     - script: >-
         $(Build.SourcesDirectory)/eng/cipacksignpublish.cmd
         /p:TeamName=$(_TeamName)
diff --git a/eng/pipelines/jobs/sign-binaries.yml b/eng/pipelines/jobs/sign-binaries.yml
@@ -15,7 +15,6 @@ jobs:
     variables:
     - _BuildConfig: ${{ parameters.configuration }}
     - _SignType: real
-    - group: DotNetBuilds storage account read tokens
 
     steps:
     - task: DownloadPipelineArtifact@2
@@ -28,6 +27,9 @@ jobs:
       parameters:
         osGroup: Windows
 
+    # Populate internal runtime access variables
+    - template: /eng/common/templates/steps/enable-internal-runtimes.yml
+
     - script: >-
         $(Build.SourcesDirectory)/restore.cmd
         -configuration ${{ parameters.configuration }}
diff --git a/eng/pipelines/jobs/test-binaries.yml b/eng/pipelines/jobs/test-binaries.yml
@@ -79,21 +79,11 @@ jobs:
 
     - ${{ if eq(parameters.useHelix, 'true')}}:
       - ${{ if ne(parameters.osGroup, 'Linux_Musl')}}:
-        # Linux builds (of all variants) run in Mariner containers and do not include pwsh by default
         - ${{ if eq(parameters.osGroup, 'Linux') }}:
-          - script: |
-              $(Build.SourcesDirectory)/restore.sh
-              $(Build.SourcesDirectory)/.dotnet/dotnet tool install --global PowerShell
-              echo "##vso[task.prependpath]/home/cloudtest_azpcontainer/.dotnet/tools"
-            displayName: Install pwsh
-
           # Calculate the fully qualified Nodejs version first so that any new releases will result in a new cache key
           - script: |
-              pwsh ../eng/helix/GetNodejsVersion.ps1 -MajorVersion $(NodeMajorVersion) -TaskVariableName 'FqNodejsVersion'
+              pwsh ./eng/helix/GetNodejsVersion.ps1 -MajorVersion $(NodeMajorVersion) -TaskVariableName 'FqNodejsVersion'
             displayName: Calculate Node.js version Linux
-            workingDirectory: "$(Build.SourcesDirectory)/.dotnet"
-            env:
-              DOTNET_ROOT: "$(Build.SourcesDirectory)/.dotnet"
   
           - task: Cache@2
             displayName: Node.js Cache Linux
@@ -103,11 +93,8 @@ jobs:
               path: $(HelixNodejsPayloadPath)
   
           - script: |
-              pwsh ../eng/helix/InstallNodejs.ps1 -Version $(FqNodejsVersion) -Architecture ${{ parameters.architecture }} -DestinationFolder "$(HelixNodejsPayloadPath)"
+              pwsh ./eng/helix/InstallNodejs.ps1 -Version $(FqNodejsVersion) -Architecture ${{ parameters.architecture }} -DestinationFolder "$(HelixNodejsPayloadPath)"
             displayName: Hydrate Node.js Installation Linux
-            workingDirectory: "$(Build.SourcesDirectory)/.dotnet"
-            env:
-              DOTNET_ROOT: "$(Build.SourcesDirectory)/.dotnet"
 
         - ${{ else }}:
           - pwsh: eng/helix/GetNodejsVersion.ps1
diff --git a/eng/pipelines/jobs/tpn.yml b/eng/pipelines/jobs/tpn.yml
@@ -8,7 +8,6 @@ jobs:
     variables:
     - _InternalInstallArgs: ''
     - ${{ if eq(variables['System.TeamProject'], 'internal') }}:
-      - group: DotNetBuilds storage account read tokens
       - _InternalInstallArgs: >-
           /p:DotNetRuntimeSourceFeed=https://dotnetbuilds.blob.core.windows.net/internal
           /p:DotNetRuntimeSourceFeedKey=$(dotnetbuilds-internal-container-read-token-base64)
@@ -17,6 +16,9 @@ jobs:
       parameters:
         osGroup: Windows
 
+    # Populate internal runtime access variables
+    - template: /eng/common/templates/steps/enable-internal-runtimes.yml
+
     # Only restore the projects that are shipped so only packages we ship get included in the below CG scan
     - script: >-
         $(Build.SourcesDirectory)/restore.cmd -ci
diff --git a/eng/pipelines/stages/preparerelease.yml b/eng/pipelines/stages/preparerelease.yml
@@ -20,7 +20,6 @@ stages:
       - group: DotNet-Diagnostics-Storage
       - group: DotNet-DotNetStage-Storage
       - group: Release-Pipeline
-      - group: DotNetBuilds storage account read tokens
     steps:
     - task: UseDotNet@2
       displayName: 'Use .NET 6'
@@ -49,6 +48,28 @@ stages:
             -MaestroToken $(MaestroAccessToken)
             -TaskVariableName 'BuildVersion'
 
+      # Populate dotnetbuilds-internal-container-read-token
+      - template: /eng/common/templates-official/steps/get-delegation-sas.yml
+        parameters:
+          federatedServiceConnection: 'dotnetbuilds-internal-read'
+          outputVariableName: 'dotnetbuilds-internal-checksums-container-read-token'
+          expiryInHours: 1
+          base64Encode: false
+          storageAccount: dotnetbuilds
+          container: internal-checksums
+          permissions: rl
+
+      # Populate dotnetbuilds-internal-container-read-token
+      - template: /eng/common/templates-official/steps/get-delegation-sas.yml
+        parameters:
+          federatedServiceConnection: 'dotnetbuilds-internal-read'
+          outputVariableName: 'dotnetbuilds-internal-container-read-token'
+          expiryInHours: 1
+          base64Encode: false
+          storageAccount: dotnetbuilds
+          container: internal
+          permissions: rl
+
       - task: AzureCLI@2
         displayName: 'Download Build Assets'
         inputs:
