From 931ecd055e3a6f1b911a4f355216197bc67adc9b Mon Sep 17 00:00:00 2001
From: Cheena Malhotra <13396919+cheenamalhotra@users.noreply.github.com>
Date: Wed, 9 Apr 2025 13:49:34 -0700
Subject: [PATCH] ESRP federated credential update (move to AME) (#3261)
---
.../steps/esrp-code-signing-step.yml | 46 +++++++++++++------
eng/pipelines/libraries/common-variables.yml | 12 +++--
2 files changed, 40 insertions(+), 18 deletions(-)
diff --git a/eng/pipelines/common/templates/steps/esrp-code-signing-step.yml b/eng/pipelines/common/templates/steps/esrp-code-signing-step.yml
index 84647a88b3..795fb41a21 100644
--- a/eng/pipelines/common/templates/steps/esrp-code-signing-step.yml
+++ b/eng/pipelines/common/templates/steps/esrp-code-signing-step.yml
@@ -17,6 +17,10 @@ parameters: type: string default: $(artifactDirectory) + - name: ESRPConnectedServiceName + type: string + default: $(ESRPConnectedServiceName) + - name: appRegistrationClientId type: string default: $(appRegistrationClientId)
@@ -25,16 +29,28 @@ parameters: type: string default: $(appRegistrationTenantId) + - name: AuthAKVName + type: string + default: $(AuthAKVName) + + - name: AuthSignCertName + type: string + default: $(AuthSignCertName) + + - name: EsrpClientId + type: string + default: $(EsrpClientId) + steps: - ${{ if eq(parameters.artifactType, 'dll') }}: - task: EsrpMalwareScanning@5 displayName: 'ESRP MalwareScanning' inputs: - ConnectedServiceName: 'ESRP Workload Identity federation service-ADO.Net' + ConnectedServiceName: '${{parameters.ESRPConnectedServiceName }}' AppRegistrationClientId: '${{parameters.appRegistrationClientId }}' AppRegistrationTenantId: '${{parameters.appRegistrationTenantId }}' - AuthAKVName: SqlClientDrivers - AuthCertName: 'ESRP-Release-Auth' + EsrpClientId: '${{parameters.EsrpClientId }}' + UseMSIAuthentication: true FolderPath: '${{parameters.sourceRoot }}' Pattern: '*.dll' CleanupTempStorage: 1
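Review bot: In the `@@ -17,6 +17,10 @@` hunk the new `ESRPConnectedServiceName` parameter defaults to the runtime macro `$(ESRPConnectedServiceName)`, and nothing in the template checks that the variable is defined; the same holds for `AuthAKVName`, `AuthSignCertName` and `EsrpClientId` added in the `@@ -25,16 +29,28 @@` hunk. Azure Pipelines leaves an undefined macro as literal text, so a pipeline that uses this template without the variable group would pass the string `$(ESRPConnectedServiceName)` to the ESRP tasks instead of failing at template expansion. I would document the dependency above the parameter, e.g. `# Supplied by variable group 'ESRP Federated Creds (AME)'; callers must link the group or pass a value explicitly`. The parameters block starts outside the hunk.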
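Review bot: With `UseMSIAuthentication: true` and `ConnectedServiceName: '${{parameters.ESRPConnectedServiceName }}'` in the `@@ -25,16 +29,28 @@` hunk, the identity the ESRP tasks run under is no longer pinned in reviewed YAML but resolved from pipeline variables at run time. The `@@ -94,11 +111,11 @@` hunk has the same shape, and in the signing hunks (`@@ -42,12 +58,13 @@`, `@@ -106,12 +123,13 @@`) the vault and signing certificate names (`AuthAKVName`, `AuthSignCertName`) move the same way. Anyone who can edit those variables can change which service connection, vault and certificate a release build uses without a pull request, so edit rights and pipeline permissions on the variable group and the service connection should be limited to release owners. The tasks no longer reference `AuthCertName`; a comment above the new input such as `# Auth via managed identity; no auth certificate is read from Key Vault` would record that intent.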
@@ -42,12 +58,13 @@ steps: - task: EsrpCodeSigning@5 displayName: 'ESRP CodeSigning' inputs: - ConnectedServiceName: 'ESRP Workload Identity federation service-ADO.Net' + ConnectedServiceName: '${{parameters.ESRPConnectedServiceName }}' AppRegistrationClientId: '${{parameters.appRegistrationClientId }}' AppRegistrationTenantId: '${{parameters.appRegistrationTenantId }}' - AuthAKVName: SqlClientDrivers - AuthCertName: 'ESRP-Release-Auth' - AuthSignCertName: 'ESRP-Release-Sign2' + EsrpClientId: '${{parameters.EsrpClientId }}' + UseMSIAuthentication: true + AuthAKVName: '${{parameters.AuthAKVName }}' + AuthSignCertName: '${{parameters.AuthSignCertName }}' FolderPath: '${{parameters.sourceRoot }}' Pattern: '*.dll' signConfigType: inlineSignParams
@@ -94,11 +111,11 @@ steps: - task: EsrpMalwareScanning@5 displayName: 'ESRP MalwareScanning Nuget Package' inputs: - ConnectedServiceName: 'ESRP Workload Identity federation service-ADO.Net' + ConnectedServiceName: '${{parameters.ESRPConnectedServiceName }}' AppRegistrationClientId: '${{parameters.appRegistrationClientId }}' AppRegistrationTenantId: '${{parameters.appRegistrationTenantId }}' - AuthAKVName: SqlClientDrivers - AuthCertName: 'ESRP-Release-Auth' + EsrpClientId: '${{parameters.EsrpClientId }}' + UseMSIAuthentication: true FolderPath: '${{parameters.artifactDirectory }}' Pattern: '*.*nupkg' CleanupTempStorage: 1
@@ -106,12 +123,13 @@ steps: - task: EsrpCodeSigning@5 displayName: 'ESRP CodeSigning Nuget Package' inputs: - ConnectedServiceName: 'ESRP Workload Identity federation service-ADO.Net' + ConnectedServiceName: '${{parameters.ESRPConnectedServiceName }}' AppRegistrationClientId: '${{parameters.appRegistrationClientId }}' AppRegistrationTenantId: '${{parameters.appRegistrationTenantId }}' - AuthAKVName: SqlClientDrivers - AuthCertName: 'ESRP-Release-Auth' - AuthSignCertName: 'ESRP-Release-Sign2' + EsrpClientId: '${{parameters.EsrpClientId }}' + UseMSIAuthentication: true + AuthAKVName: '${{parameters.AuthAKVName }}' + AuthSignCertName: '${{parameters.AuthSignCertName }}' FolderPath: '${{parameters.artifactDirectory }}' Pattern: '*.*nupkg' signConfigType: inlineSignParams
diff --git a/eng/pipelines/libraries/common-variables.yml b/eng/pipelines/libraries/common-variables.yml
index 7b2bc00cb1..718633691b 100644
--- a/eng/pipelines/libraries/common-variables.yml
+++ b/eng/pipelines/libraries/common-variables.yml
@@ -5,6 +5,14 @@ ################################################################################# variables: + - group: ESRP Federated Creds (AME) + # ESRPConnectedServiceName + # ESRPClientId + # AppRegistrationClientId + # AppRegistrationTenantId + # AuthAKVName + # AuthSignCertName + - name: Configuration value: Release - name: CommitHead
@@ -17,7 +25,3 @@ variables: value: $(REPOROOT)/symbols - name: artifactDirectory value: '$(REPOROOT)/packages' - - name: appRegistrationClientId - value: 'a0d18a38-fde1-4ba7-92e1-15be16cb6a8e' - - name: appRegistrationTenantId - value: '72f988bf-86f1-41af-91ab-2d7cd011db47'
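Review bot: Linking `- group: ESRP Federated Creds (AME)` in `common-variables.yml` (the `@@ -5,6 +5,14 @@` hunk) gives every pipeline that includes this shared variables file access to the signing identity's settings, not only the pipeline that signs. If CI or pull-request validation pipelines also include this file (not visible here), the group reference would sit better in the signing pipeline's own `variables:` block, so the other pipelines never need authorization for it. The comment list also spells `# ESRPClientId` while the template reads `$(EsrpClientId)`; Azure Pipelines variable names are case-insensitive so it resolves, but matching the spelling makes the name easier to search for.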