Remove distro PAT

build/.cachesalt

@@ -1 +1 @@
-2026-06-19T12:30:00.000Z
+2026-06-22T15:10:10.546Z

build/azure-pipelines/alpine/product-build-alpine-cli.yml

@@ -34,14 +34,21 @@ jobs:
         versionSource: fromFile
         versionFilePath: .nvmrc
 
+    - task: AzureKeyVault@2
+      displayName: "Azure Key Vault: Get GitHub token"
+      inputs:
+        azureSubscription: vscode-oss-build-secrets
+        KeyVaultName: vscode-oss-build-secrets
+        SecretsFilter: "github-token-code-oss"
+
     - template: ../cli/cli-apply-patches.yml@self
 
     - script: |
         set -e
         npm ci
       workingDirectory: build
       env:
-        GITHUB_TOKEN: "$(github-distro-mixin-password)"
+        GITHUB_TOKEN: "$(github-token-code-oss)"
       displayName: Install build dependencies
 
     - task: Npm@1

build/azure-pipelines/alpine/product-build-alpine-node-modules.yml

@@ -25,9 +25,9 @@ jobs:
       - task: AzureKeyVault@2
         displayName: "Azure Key Vault: Get Secrets"
         inputs:
-          azureSubscription: vscode
-          KeyVaultName: vscode-build-secrets
-          SecretsFilter: "github-distro-mixin-password"
+          azureSubscription: vscode-oss-build-secrets
+          KeyVaultName: vscode-oss-build-secrets
+          SecretsFilter: "github-token-code-oss"
 
       - script: node build/setup-npm-registry.ts $NPM_REGISTRY
         condition: and(succeeded(), ne(variables['NPM_REGISTRY'], 'none'))
@@ -88,11 +88,20 @@ jobs:
           mkdir -p .build/nodejs-musl
           NODE_VERSION=$(grep '^target=' remote/.npmrc | cut -d '"' -f 2)
           BUILD_ID=$(grep '^ms_build_id=' remote/.npmrc | cut -d '"' -f 2)
-          gh release download "v${NODE_VERSION}-${BUILD_ID}" -R microsoft/vscode-node -p "node-v${NODE_VERSION}-linux-${VSCODE_ARCH}-musl.tar.gz" --dir .build/nodejs-musl --clobber
+          az extension add --name azure-devops --upgrade --only-show-errors
+          az artifacts universal download \
+            --organization "https://dev.azure.com/monacotools" \
+            --project "Monaco" \
+            --scope project \
+            --feed "vscode-node" \
+            --name "node-v${NODE_VERSION}-linux-${VSCODE_ARCH}-musl.tar" \
+            --version "${NODE_VERSION}-${BUILD_ID}" \
+            --path .build/nodejs-musl \
+            --only-show-errors
           tar -xzf ".build/nodejs-musl/node-v${NODE_VERSION}-linux-${VSCODE_ARCH}-musl.tar.gz" -C ".build/nodejs-musl" --strip-components=1
           rm ".build/nodejs-musl/node-v${NODE_VERSION}-linux-${VSCODE_ARCH}-musl.tar.gz"
         env:
-          GITHUB_TOKEN: "$(github-distro-mixin-password)"
+          AZURE_DEVOPS_EXT_PAT: "$(System.AccessToken)"
         displayName: Download NodeJS MUSL
         condition: and(succeeded(), ne(variables.NODE_MODULES_RESTORED, 'true'))
 
@@ -111,7 +120,7 @@ jobs:
           npm_config_arch: $(NPM_ARCH)
           ELECTRON_SKIP_BINARY_DOWNLOAD: 1
           PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1
-          GITHUB_TOKEN: "$(github-distro-mixin-password)"
+          GITHUB_TOKEN: "$(github-token-code-oss)"
           VSCODE_REMOTE_DEPENDENCIES_CONTAINER_NAME: vscodehub.azurecr.io/vscode-linux-build-agent:alpine-$(VSCODE_ARCH)
           VSCODE_HOST_MOUNT: "/mnt/vss/_work/1/s"
           VSCODE_NPMRC_PATH: $(NPMRC_PATH)

build/azure-pipelines/alpine/product-build-alpine.yml

@@ -67,9 +67,9 @@ jobs:
       - task: AzureKeyVault@2
         displayName: "Azure Key Vault: Get Secrets"
         inputs:
-          azureSubscription: vscode
-          KeyVaultName: vscode-build-secrets
-          SecretsFilter: "github-distro-mixin-password"
+          azureSubscription: vscode-oss-build-secrets
+          KeyVaultName: vscode-oss-build-secrets
+          SecretsFilter: "github-token-code-oss"
 
       - script: node build/setup-npm-registry.ts $NPM_REGISTRY
         condition: and(succeeded(), ne(variables['NPM_REGISTRY'], 'none'))
@@ -134,11 +134,20 @@ jobs:
           mkdir -p .build/nodejs-musl
           NODE_VERSION=$(grep '^target=' remote/.npmrc | cut -d '"' -f 2)
           BUILD_ID=$(grep '^ms_build_id=' remote/.npmrc | cut -d '"' -f 2)
-          gh release download "v${NODE_VERSION}-${BUILD_ID}" -R microsoft/vscode-node -p "node-v${NODE_VERSION}-linux-${VSCODE_ARCH}-musl.tar.gz" --dir .build/nodejs-musl --clobber
+          az extension add --name azure-devops --upgrade --only-show-errors
+          az artifacts universal download \
+            --organization "https://dev.azure.com/monacotools" \
+            --project "Monaco" \
+            --scope project \
+            --feed "vscode-node" \
+            --name "node-v${NODE_VERSION}-linux-${VSCODE_ARCH}-musl.tar" \
+            --version "${NODE_VERSION}-${BUILD_ID}" \
+            --path .build/nodejs-musl \
+            --only-show-errors
           tar -xzf ".build/nodejs-musl/node-v${NODE_VERSION}-linux-${VSCODE_ARCH}-musl.tar.gz" -C ".build/nodejs-musl" --strip-components=1
           rm ".build/nodejs-musl/node-v${NODE_VERSION}-linux-${VSCODE_ARCH}-musl.tar.gz"
         env:
-          GITHUB_TOKEN: "$(github-distro-mixin-password)"
+          AZURE_DEVOPS_EXT_PAT: "$(System.AccessToken)"
         displayName: Download NodeJS MUSL
         condition: and(succeeded(), ne(variables.NODE_MODULES_RESTORED, 'true'))
 
@@ -157,7 +166,7 @@ jobs:
           npm_config_arch: $(NPM_ARCH)
           ELECTRON_SKIP_BINARY_DOWNLOAD: 1
           PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1
-          GITHUB_TOKEN: "$(github-distro-mixin-password)"
+          GITHUB_TOKEN: "$(github-token-code-oss)"
           VSCODE_REMOTE_DEPENDENCIES_CONTAINER_NAME: vscodehub.azurecr.io/vscode-linux-build-agent:alpine-$(VSCODE_ARCH)
           VSCODE_HOST_MOUNT: "/mnt/vss/_work/1/s"
           VSCODE_NPMRC_PATH: $(NPMRC_PATH)
@@ -194,7 +203,7 @@ jobs:
 
       - script: npm run gulp core-ci
         env:
-          GITHUB_TOKEN: "$(github-distro-mixin-password)"
+          GITHUB_TOKEN: "$(github-token-code-oss)"
         displayName: Compile
 
       - script: npx deemon --attach -- node build/azure-pipelines/common/downloadCopilotVsix.ts
@@ -214,7 +223,8 @@ jobs:
           echo "##vso[task.setvariable variable=SERVER_DIR_PATH]$DIR_PATH"
           echo "##vso[task.setvariable variable=SERVER_PATH]$ARCHIVE_PATH"
         env:
-          GITHUB_TOKEN: "$(github-distro-mixin-password)"
+          GITHUB_TOKEN: "$(github-token-code-oss)"
+          AZURE_DEVOPS_EXT_PAT: $(System.AccessToken)
         displayName: Build server
 
       - script: |
@@ -229,5 +239,6 @@ jobs:
           echo "##vso[task.setvariable variable=WEB_DIR_PATH]$DIR_PATH"
           echo "##vso[task.setvariable variable=WEB_PATH]$ARCHIVE_PATH"
         env:
-          GITHUB_TOKEN: "$(github-distro-mixin-password)"
+          GITHUB_TOKEN: "$(github-token-code-oss)"
+          AZURE_DEVOPS_EXT_PAT: $(System.AccessToken)
         displayName: Build server (web)

build/azure-pipelines/cli/cli-compile.yml

@@ -135,7 +135,7 @@ steps:
         env:
           CARGO_NET_GIT_FETCH_WITH_CLI: true
           VSCODE_CLI_COMMIT: $(Build.SourceVersion)
-          GITHUB_TOKEN: "$(github-distro-mixin-password)"
+          GITHUB_TOKEN: "$(github-token-code-oss)"
           RUSTC_WRAPPER: sccache
           SCCACHE_DIR: $(Pipeline.Workspace)/sccache
           ${{ each pair in parameters.VSCODE_CLI_ENV }}:

build/azure-pipelines/common/checkDistroCommit.ts

@@ -5,10 +5,16 @@
 
 import path from 'path';
 import fs from 'fs';
-import { retry } from './retry.ts';
+import { execSync } from 'child_process';
 
 const root = path.dirname(path.dirname(path.dirname(import.meta.dirname)));
 
+// The microsoft/vscode-distro repository is checked out locally by
+// download-distro.yml (into .build/distro) using the agent's GitHub App
+// (Monaco) credentials, so we can resolve branch heads without a token that
+// has private repository access.
+const distroPath = path.join(root, '.build', 'distro');
+
 function getEnv(name: string): string {
 	const result = process.env[name];
 
@@ -19,30 +25,14 @@ function getEnv(name: string): string {
 	return result;
 }
 
-interface GitHubBranchResponse {
-	commit: {
-		sha: string;
-	};
-}
-
-async function getDistroBranchHead(branch: string, token: string): Promise<string> {
-	const url = `https://api.github.com/repos/microsoft/vscode-distro/branches/${encodeURIComponent(branch)}`;
-
-	const response = await fetch(url, {
-		headers: {
-			'Accept': 'application/vnd.github+json',
-			'Authorization': `Bearer ${token}`,
-			'X-GitHub-Api-Version': '2022-11-28',
-			'User-Agent': 'VSCode Build'
-		}
-	});
-
-	if (!response.ok) {
-		throw new Error(`Failed to fetch branch ${branch} from vscode-distro: ${response.status} ${response.statusText}`);
+function assertDistroCheckout(): void {
+	if (!fs.existsSync(path.join(distroPath, '.git'))) {
+		throw new Error(`Expected a vscode-distro checkout at ${distroPath} but found none. Ensure download-distro.yml ran before this check.`);
 	}
+}
 
-	const data = await response.json() as GitHubBranchResponse;
-	return data.commit.sha;
+function getDistroBranchHead(branch: string): string {
+	return execSync(`git -C "${distroPath}" rev-parse "refs/remotes/origin/${branch}"`, { encoding: 'utf8' }).trim();
 }
 
 async function checkDistroCommit(): Promise<void> {
@@ -71,16 +61,18 @@ async function checkDistroCommit(): Promise<void> {
 	const branch = branchMatch[1];
 	console.log(`Current branch: ${branch}`);
 
-	// Get the GitHub token
-	const token = getEnv('GITHUB_TOKEN');
+	// Make sure the distro repository is actually checked out before we try to
+	// resolve a branch head from it; otherwise a missing checkout would be
+	// indistinguishable from a branch that simply doesn't exist in distro.
+	assertDistroCheckout();
 
-	// Fetch the HEAD of the matching branch in vscode-distro
+	// Resolve the HEAD of the matching branch from the local distro checkout
 	let distroBranchHead: string;
 	try {
-		distroBranchHead = await retry(() => getDistroBranchHead(branch, token));
+		distroBranchHead = getDistroBranchHead(branch);
 	} catch (error) {
 		// If the branch doesn't exist in distro, that's expected for feature branches
-		console.log(`Could not fetch branch '${branch}' from vscode-distro: ${error}`);
+		console.log(`Could not resolve branch '${branch}' from local vscode-distro checkout: ${error}`);
 		console.log('This is expected for feature branches that have not been merged to distro');
 		return;
 	}

build/azure-pipelines/common/checkout.yml

@@ -1,5 +1,10 @@
 steps:
+  # Pin self to the default sources directory (`s`) so that adding a second
+  # checkout (e.g. the distro repository in download-distro.yml) does not relocate
+  # self into a repo-named subfolder, which would break every script that assumes
+  # self lives at $(Build.SourcesDirectory).
   - checkout: self
+    path: s
     fetchDepth: 1
     fetchTags: false
     retryCountOnTaskFailure: 3

build/azure-pipelines/common/install-builtin-extensions.yml

@@ -19,6 +19,6 @@ steps:
 
   - script: node build/lib/builtInExtensions.ts
     env:
-      GITHUB_TOKEN: "$(github-distro-mixin-password)"
+      GITHUB_TOKEN: "$(github-token-code-oss)"
     condition: and(succeeded(), ne(variables.BUILTIN_EXTENSIONS_RESTORED, 'true'))
     displayName: Download built-in extensions

build/azure-pipelines/common/mixin-vscode-capi.yml

@@ -1,4 +1,13 @@
 steps:
+  # Check out the private microsoft/vscode-capi repository using the agent's
+  # GitHub App (Monaco) credentials instead of cloning it with a PAT. The
+  # repository resource is declared in the top-level pipeline (resources.repositories).
+  - checkout: capi
+    path: s/.build/vscode-capi
+    fetchDepth: 1
+    retryCountOnTaskFailure: 3
+    displayName: Checkout microsoft/vscode-capi
+
   - pwsh: |
       $ErrorActionPreference = 'Stop'
 
@@ -10,25 +19,14 @@ steps:
         }
       }
 
-      $CapiPath = Join-Path '$(Agent.BuildDirectory)' 'vscode-capi'
-      if (Test-Path $CapiPath) {
-        Remove-Item -Recurse -Force $CapiPath
-      }
+      $CapiPath = Join-Path '$(Build.SourcesDirectory)' '.build/vscode-capi'
+      Push-Location $CapiPath
 
       try {
-        Invoke-CheckedCommand { git clone https://github.com/microsoft/vscode-capi.git --depth 1 $CapiPath }
-        Push-Location $CapiPath
-
-        try {
-          Invoke-CheckedCommand { npm ci }
-          $env:BUILD_SOURCESDIRECTORY = '$(Build.SourcesDirectory)'
-          Invoke-CheckedCommand { npm run mixin_vscode }
-        } finally {
-          Pop-Location
-        }
+        Invoke-CheckedCommand { npm ci }
+        $env:BUILD_SOURCESDIRECTORY = '$(Build.SourcesDirectory)'
+        Invoke-CheckedCommand { npm run mixin_vscode }
       } finally {
-        if (Test-Path $CapiPath) {
-          Remove-Item -Recurse -Force $CapiPath
-        }
+        Pop-Location
       }
     displayName: Mixin vscode-capi

build/azure-pipelines/copilot/build-steps.yml

@@ -1,10 +1,18 @@
 steps:
+  # Check out the private microsoft/vscode-capi repository using the agent's
+  # GitHub App (Monaco) credentials instead of cloning it with a PAT. The
+  # repository resource is declared in the top-level pipeline (resources.repositories).
+  - checkout: capi
+    path: s/.build/vscode-capi
+    fetchDepth: 1
+    retryCountOnTaskFailure: 3
+    displayName: Checkout microsoft/vscode-capi
+
   - script: |
       set -e
-      git clone https://github.com/microsoft/vscode-capi.git --depth 1 $(Agent.BuildDirectory)/vscode-capi
-      cd $(Agent.BuildDirectory)/vscode-capi
-      npm ci && BUILD_SOURCESDIRECTORY=$(Build.SourcesDirectory)/extensions/copilot npm run mixin
-      rm -rf $(Agent.BuildDirectory)/vscode-capi
+      cd $(Build.SourcesDirectory)/.build/vscode-capi
+      npm ci
+      BUILD_SOURCESDIRECTORY=$(Build.SourcesDirectory)/extensions/copilot npm run mixin
     displayName: Mixin vscode-capi
 
   - script: npm run build

build/azure-pipelines/copilot/l10n-steps.yml

@@ -1,21 +1,23 @@
 steps:
+  # Check out the private microsoft/vscode-extensions-loc repository using the
+  # agent's GitHub App (Monaco) credentials instead of cloning it with a PAT.
+  # The repository resource is declared in the top-level pipeline (resources.repositories).
+  - checkout: vscode_loc
+    path: s/.build/vscode-extensions-loc
+    fetchDepth: 1
+    sparseCheckoutDirectories: out/GitHub.copilot-chat
+    retryCountOnTaskFailure: 3
+    displayName: Checkout microsoft/vscode-extensions-loc
+
   - script: |
       set -e
 
       EXTENSION_ID="GitHub.copilot-chat"
-      L10N_REPO="https://github.com/microsoft/vscode-extensions-loc.git"
-      L10N_DIR="$(Agent.TempDirectory)/vscode-extensions-loc"
-
-      echo "Cloning vscode-extensions-loc (sparse checkout)..."
-      git clone --depth 1 --filter=blob:none --sparse "$L10N_REPO" "$L10N_DIR"
-      cd "$L10N_DIR"
-      git sparse-checkout set "out/$EXTENSION_ID"
-
+      L10N_DIR="$(Build.SourcesDirectory)/.build/vscode-extensions-loc"
       TRANSLATED_DIR="$L10N_DIR/out/$EXTENSION_ID"
 
       if [ ! -d "$TRANSLATED_DIR" ] || [ -z "$(ls -A "$TRANSLATED_DIR" 2>/dev/null)" ]; then
         echo "No translated strings found for $EXTENSION_ID, skipping l10n import."
-        rm -rf "$L10N_DIR"
         exit 0
       fi
 
@@ -36,7 +38,4 @@ steps:
       echo "Localized files:"
       ls -la package.nls.*.json 2>/dev/null || echo "  (no package.nls.*.json)"
       ls -la "$L10N_ROOT"/bundle.l10n.*.json 2>/dev/null || echo "  (no bundle.l10n.*.json)"
-
-      # Cleanup
-      rm -rf "$L10N_DIR"
     displayName: Import localized strings

build/azure-pipelines/copilot/setup-steps.yml

@@ -3,28 +3,6 @@ steps:
     inputs:
       versionSpec: "22.21.x"
 
-  - task: AzureKeyVault@2
-    displayName: "Azure Key Vault: Get Secrets"
-    inputs:
-      azureSubscription: vscode
-      KeyVaultName: vscode-build-secrets
-      SecretsFilter: "github-distro-mixin-password"
-
-  - pwsh: |
-      "machine github.com`nlogin vscode`npassword $(github-distro-mixin-password)" | Out-File "$Home/_netrc" -Encoding ASCII
-    condition: and(succeeded(), contains(variables['Agent.OS'], 'windows'))
-    displayName: Setup distro auth (Windows)
-
-  - script: |
-      mkdir -p .build
-      cat << EOF | tee ~/.netrc .build/.netrc > /dev/null
-      machine github.com
-      login vscode
-      password $(github-distro-mixin-password)
-      EOF
-    condition: and(succeeded(), not(contains(variables['Agent.OS'], 'windows')))
-    displayName: Setup distro auth (non-Windows)
-
   - pwsh: node build/setup-npm-registry.ts $env:NPM_REGISTRY
     workingDirectory: $(Build.SourcesDirectory)
     condition: and(succeeded(), ne(variables['NPM_REGISTRY'], 'none'), contains(variables['Agent.OS'], 'windows'))