From fc300432be54a0b141d9e9f59f3fa33769ad20f9 Mon Sep 17 00:00:00 2001
From: Matt Sylvia <msylvia@microsoft.com>
Date: Tue, 21 May 2024 18:27:44 -0400
Subject: [PATCH] Update OneLocBuildToken

---
 Localize/onelocbuild.yaml | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/Localize/onelocbuild.yaml b/Localize/onelocbuild.yaml
index 8af9f103..c390acc4 100644
--- a/Localize/onelocbuild.yaml
+++ b/Localize/onelocbuild.yaml
@@ -33,6 +33,22 @@ jobs:
   - checkout: self
     clean: true
 
+  # https://eng.ms/docs/cloud-ai-platform/devdiv/one-engineering-system-1es/1es-docs/1es-security-configuration/configuration-guides/pat-burndown-guidance#authentication-from-pipelines
+  # Requires Azure client 2.x
+  - task: AzureCLI@2
+    displayName: 'Set AzDO.OneLocBuildToken'
+    enabled: true
+    inputs:
+      azureSubscription: 'VSEng-AzureDevOps-ceapex-OneLocBuild'   # Azure DevOps service connection
+      scriptType: 'pscore'
+      scriptLocation: 'inlineScript'
+      inlineScript: |
+        # if this fails, check out this bash script that includes diagnostics:
+        # https://gist.github.com/johnterickson/19f80a3e969e39f1000d118739176e62
+        # Note that the resource is specified to limit the token to Azure DevOps
+        $token = az account get-access-token --query accessToken --resource 499b84ac-1321-427f-aa17-267ca6975798 -o tsv
+        Write-Host "##vso[task.setvariable variable=AzDO.OneLocBuildToken;issecret=true]${token}"
+
   - task: OneLocBuild@2
     displayName: OneLocBuild
     env:
@@ -41,7 +57,7 @@ jobs:
       locProj: Localize/LocProject.json
       outDir: $(Build.StagingDirectory)
       packageSourceAuth: patAuth
-      patVariable: $(OneLocBuild--PAT)
+      patVariable: $(AzDO.OneLocBuildToken)
       isCreatePrSelected: true
       repoType: gitHub
       gitHubPatVariable: $(github--pat--vs-mobiletools-engineering-service2)