From cd0b2ef6516d98cf6966505f47de17db52271fb8 Mon Sep 17 00:00:00 2001
From: Djuradj Kurepa <dkurepa@microsoft.com>
Date: Fri, 13 Mar 2026 12:42:31 +0100
Subject: [PATCH] remove azdo token from the vmr-sync pipeline, use a MI
 instead

---
 eng/pipelines/templates/jobs/vmr-synchronization.yml | 8 ++++++--
 eng/pipelines/templates/steps/vmr-pull-updates.yml   | 4 ++--
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/eng/pipelines/templates/jobs/vmr-synchronization.yml b/eng/pipelines/templates/jobs/vmr-synchronization.yml
index bb2738990051..e9b1062bef69 100644
--- a/eng/pipelines/templates/jobs/vmr-synchronization.yml
+++ b/eng/pipelines/templates/jobs/vmr-synchronization.yml
@@ -35,8 +35,6 @@ jobs:
       - name: vmrPublicUrl
         value: https://github.com/dotnet/dotnet
     - ${{ if and( eq(variables['System.TeamProject'], 'internal'), startswith(variables['Build.SourceBranch'], 'refs/heads/internal/release/')) }}:
-      # https://dev.azure.com/dnceng/internal/_library?itemType=VariableGroups&view=VariableGroupView&variableGroupId=172&path=DotNetBot-AzDO-PAT
-      - group: DotNetBot-AzDO-PAT
       - name: vmrInternalUrl
         value: https://dnceng@dev.azure.com/dnceng/internal/_git/dotnet-dotnet
 
@@ -55,6 +53,12 @@ jobs:
     parameters:
       vmrBranch: ${{ parameters.vmrBranch }}
 
+  - ${{ if and(not(parameters.noPush), eq(variables['System.TeamProject'], 'internal'), startswith(variables['Build.SourceBranch'], 'refs/heads/internal/release/')) }}:
+    - template: ./eng/common/templates-official/steps/get-federated-access-token.yml
+      parameters:
+        federatedServiceConnection: VmrSyncPipeline
+        outputVariableName: AzdoToken
+
   - template: ../steps/vmr-pull-updates.yml
     parameters:
       vmrPath: $(vmrPath)
diff --git a/eng/pipelines/templates/steps/vmr-pull-updates.yml b/eng/pipelines/templates/steps/vmr-pull-updates.yml
index 21fab30961cf..7cf9ec666ddf 100644
--- a/eng/pipelines/templates/steps/vmr-pull-updates.yml
+++ b/eng/pipelines/templates/steps/vmr-pull-updates.yml
@@ -52,7 +52,7 @@ steps:
     ./eng/vmr-sync.sh
     --vmr ${{ parameters.vmrPath }}
     --tmp $(Agent.TempDirectory)
-    --azdev-pat '$(dn-bot-all-orgs-code-r)'
+    --azdev-pat '$(AzdoToken)'
     --branch ${{ parameters.vmrBranch }}
     --repository "sdk:${{ parameters.targetRef }}"
     --recursive
@@ -74,7 +74,7 @@ steps:
     ./eng/vmr-sync.ps1 `
     -vmr ${{ parameters.vmrPath }} `
     -tmp $(Agent.TempDirectory) `
-    -azdevPat '$(dn-bot-all-orgs-code-r)' `
+    -azdevPat '$(AzdoToken)' `
     -branch ${{ parameters.vmrBranch }} `
     -repository "sdk:${{ parameters.targetRef }}" `
     -recursive `