Use WIF rather than PAT for push to azure-public/vs-impl feed (#9496)

* Use WIF rather than PAT for push to azure-public/vs-impl feed

Author: smitpatel

eng/pipelines/templates/WIFtoPATauth.yml

@@ -0,0 +1,22 @@
+parameters:
+- name: deadPATServiceConnectionId # The GUID of the PAT-based service connection whose access token must be replaced.
+  type: string
+- name: wifServiceConnectionName # The name of the WIF service connection to use to get the access token.
+  type: string
+- name: resource # The scope for which the access token is requested.
+  type: string
+  default: 499b84ac-1321-427f-aa17-267ca6975798 # Azure Artifact feeds (any of them)
+
+steps:
+- task: AzureCLI@2
+  displayName: 🔏 Authenticate with WIF service connection
+  inputs:
+    azureSubscription: ${{ parameters.wifServiceConnectionName }}
+    scriptType: pscore
+    scriptLocation: inlineScript
+    inlineScript: |
+      $accessToken = az account get-access-token --query accessToken --resource '${{ parameters.resource }}' -o tsv
+      # Set the access token as a secret, so it doesn't get leaked in the logs
+      Write-Host "##vso[task.setsecret]$accessToken"
+      # Override the apitoken of the nuget service connection, for the duration of this stage
+      Write-Host "##vso[task.setendpoint id=${{ parameters.deadPATServiceConnectionId }};field=authParameter;key=apitoken]$accessToken"

eng/pipelines/templates/build-official-release.yml

@@ -82,7 +82,6 @@ jobs:
         displayName: Publish Nuget Packages to azure-publish
         packagesToPush: $(Build.SourcesDirectory)/artifacts/$(BuildConfiguration)/packages/*.nupkg
         packageParentPath: $(Build.SourcesDirectory)/artifacts/$(BuildConfiguration)/packages
-        publishVstsFeed: DevDiv/vs-green
         publishFeedCredentials: azure-public/vs-impl
         allowPackageConflicts: true
         nuGetFeedType: external
@@ -269,12 +268,9 @@ jobs:
         !bin\Dlls\net472\Setup.dll
         !SymStore\**    
         !VSSetup\Insertion\bootstrapper\**\vs_enterprise.exe
-        
-    
-    # Authenticate with a service connection to be able to publish packages to external (different DevOps organization) NuGet feeds.
-  # See: https://docs.microsoft.com/azure/devops/pipelines/tasks/package/nuget-authenticate?view=azure-devops
-  # This connecction is used in the templateContext nuget outputs.
-  - task: NuGetAuthenticate@1
-    displayName: Authenticate NuGet
-    inputs:
-      nuGetServiceConnections: azure-public/vs-impl
+
+  - template: WIFtoPATauth.yml
+    parameters:
+      wifServiceConnectionName: azure-public/vside package push
+      deadPATServiceConnectionId: 207efd62-fd0f-43e7-aeae-17c4febcc660 # azure-public/vs-impl
+