fix: migrate Docker push from deprecated MSI to WIF service connection #2536
Merged
BrendanWalsh merged 1 commit into master from Mar 31, 2026
The 'SynapseML MCR MSI' service connection uses Managed Service Identity auth, which was deprecated by OneBranch (June 2025). The MSI can no longer fetch access tokens on hosted agents, blocking Docker image publishing to mmlsparkmcr ACR. Switch all three Docker push steps to use the existing 'SynapseML MCR' service connection, which uses Workload Identity Federation and is already configured and ready in ADO. Related: IcM 31000000570827 (CVE-2023-44487 in mmlspark/release)
Hey @BrendanWalsh 👋! We use semantic commit messages to streamline the release process. Examples of commit messages with semantic prefixes:
To test your commit locally, please follow our guide on building from source.
Dependency Review
✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.
Snapshot Warnings
Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.
Scanned Files
None
Summary
Switches Docker image push steps from the deprecated SynapseML MCR MSI service connection (Managed Service Identity) to the existing SynapseML MCR connection (Workload Identity Federation).
Problem
The SynapseML MCR MSI service connection uses MSI-based auth, which was deprecated by OneBranch in June 2025. The MSI can no longer fetch access tokens on hosted build agents, blocking any Docker image publishing to mmlsparkmcr ACR.
Fix
A WIF-based service connection (SynapseML MCR) already exists in ADO, is ready, and not disabled. This PR simply updates the 3 Docker push steps to reference it:
Verification
After merge, run the pipeline with publishDockerImages: true (no tag) to validate that auth to mmlsparkmcr ACR works. This will push build-demo and build-minimal without touching release.
Related