[ci] Update OneLocBuildToken (#8973)

Update the token in the Localization step to one backed by a managed identity.

Author: MSylvia

build-tools/automation/onelocbuild.yaml

@@ -34,6 +34,22 @@ jobs:
       filePath: $(Build.SourcesDirectory)\Localize\update-locproject.ps1
       arguments: -SourcesDirectory "$(Build.SourcesDirectory)" -LocProjectPath "$(Build.SourcesDirectory)\Localize\LocProject.json"
 
+  # https://eng.ms/docs/cloud-ai-platform/devdiv/one-engineering-system-1es/1es-docs/1es-security-configuration/configuration-guides/pat-burndown-guidance#authentication-from-pipelines
+  # Requires Azure client 2.x
+  - task: AzureCLI@2
+    displayName: 'Set AzDO.OneLocBuildToken'
+    enabled: true
+    inputs:
+      azureSubscription: 'VSEng-AzureDevOps-ceapex-OneLocBuild'   # Azure DevOps service connection
+      scriptType: 'pscore'
+      scriptLocation: 'inlineScript'
+      inlineScript: |
+        # if this fails, check out this bash script that includes diagnostics:
+        # https://gist.github.com/johnterickson/19f80a3e969e39f1000d118739176e62
+        # Note that the resource is specified to limit the token to Azure DevOps
+        $token = az account get-access-token --query accessToken --resource 499b84ac-1321-427f-aa17-267ca6975798 -o tsv
+        Write-Host "##vso[task.setvariable variable=AzDO.OneLocBuildToken;issecret=true]${token}"
+
   - task: OneLocBuild@2
     displayName: OneLocBuild
     env:
@@ -42,7 +58,7 @@ jobs:
       locProj: Localize/LocProject.json
       outDir: $(Build.StagingDirectory)
       packageSourceAuth: patAuth
-      patVariable: $(OneLocBuild--PAT)
+      patVariable: $(AzDO.OneLocBuildToken)
       isCreatePrSelected: true
       repoType: gitHub
       gitHubPatVariable: $(github--pat--vs-mobiletools-engineering-service2)