As part of handling a different issue I noticed these Yamls used the Helix API token to send telemetry:
https://github.com/dotnet/arcade/blob/master/eng/common/templates/steps/telemetry-start.yml
https://github.com/dotnet/arcade/blob/master/eng/common/templates/steps/telemetry-end.yml
Since all they're sending is the build Uri (inaccessible without authenticated access, at which point they can be enumerated just by browsing) I thought we might just remove the auth part (saving a key vault access) but from discussions with @ChadNedzlek we use timeline APIs for this now so fake jobs / work items are no longer desirable from builds.
@alexperovich depending on the outcome of this issue it's likely good to just nerf out but not delete the telemetry endpoints in the API.
As part of handling a different issue I noticed these Yamls used the Helix API token to send telemetry:
https://github.com/dotnet/arcade/blob/master/eng/common/templates/steps/telemetry-start.yml
https://github.com/dotnet/arcade/blob/master/eng/common/templates/steps/telemetry-end.yml
Since all they're sending is the build Uri (inaccessible without authenticated access, at which point they can be enumerated just by browsing) I thought we might just remove the auth part (saving a key vault access) but from discussions with @ChadNedzlek we use timeline APIs for this now so fake jobs / work items are no longer desirable from builds.
@alexperovich depending on the outcome of this issue it's likely good to just nerf out but not delete the telemetry endpoints in the API.