[release/v7.5.6] Separate Official and NonOfficial templates for ADO pipelines #27155
…hell#26897) Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Pull request overview
Backport of #26897 to release/v7.5.6, restructuring Azure DevOps pipeline definitions to split Official vs NonOfficial pipelines and extracting shared variables/stages into reusable templates to align with current OneBranch template patterns.
Changes:
- Added shared variable/stage templates for Packages, Coordinated Packages, Release, and vPack pipelines.
- Refactored Official pipeline YAMLs to reference the extracted templates instead of inlining variables/stages.
- Added new NonOfficial pipeline YAMLs that reuse the same shared templates while hardcoding NonOfficial governed templates.
Reviewed changes
Copilot reviewed 22 out of 23 changed files in this pull request and generated 11 comments.
| File | Description |
|---|---|
| .pipelines/templates/variables/release-shared.yml | New shared variable set for release publishing jobs (GH/NuGet/MSIX). |
| .pipelines/templates/variables/PowerShell-vPack-Variables.yml | Extracted vPack pipeline variables into a template. |
| .pipelines/templates/variables/PowerShell-Release-Variables.yml | Extracted Release pipeline variables into a template. |
| .pipelines/templates/variables/PowerShell-Release-Azure-Variables.yml | Extracted Release-Azure pipeline variables into a template. |
| .pipelines/templates/variables/PowerShell-Packages-Variables.yml | Extracted Packages pipeline variables into a template. |
| .pipelines/templates/variables/PowerShell-Coordinated_Packages-Variables.yml | Extracted Coordinated Packages variables and adds CodeQL gating variables. |
| .pipelines/templates/stages/PowerShell-vPack-Stages.yml | Extracted vPack stages/jobs into a template. |
| .pipelines/templates/stages/PowerShell-Release-Stages.yml | Extracted Release stage orchestration into a template. |
| .pipelines/templates/stages/PowerShell-Packages-Stages.yml | Extracted Packages stages into a template. |
| .pipelines/templates/stages/PowerShell-Coordinated_Packages-Stages.yml | Extracted Coordinated Packages stages into a template. |
| .pipelines/templates/release-MSIX-Publish.yml | Updates shared variable template reference path. |
| .pipelines/templates/release-githubNuget.yml | Updates shared variable template reference path (and relies on stage output variables). |
| .pipelines/PowerShell-vPack-Official.yml | Refactors Official vPack pipeline to use shared variable/stage templates. |
| .pipelines/PowerShell-Release-Official.yml | Refactors Official Release pipeline to use shared variable/stage templates. |
| .pipelines/PowerShell-Release-Official-Azure.yml | Refactors Official Release-Azure pipeline to use shared variables template. |
| .pipelines/PowerShell-Packages-Official.yml | Refactors Official Packages pipeline to use shared variable/stage templates. |
| .pipelines/PowerShell-Coordinated_Packages-Official.yml | Refactors Official Coordinated Packages pipeline to use shared templates and new CodeQL wiring. |
| .pipelines/NonOfficial/PowerShell-vPack-NonOfficial.yml | Adds NonOfficial vPack pipeline using shared templates. |
| .pipelines/NonOfficial/PowerShell-Release-NonOfficial.yml | Adds NonOfficial Release pipeline using shared templates and NonOfficial artifact sources. |
| .pipelines/NonOfficial/PowerShell-Release-Azure-NonOfficial.yml | Adds NonOfficial Release-Azure pipeline wiring. |
| .pipelines/NonOfficial/PowerShell-Packages-NonOfficial.yml | Adds NonOfficial Packages pipeline using shared templates. |
| .pipelines/NonOfficial/PowerShell-Coordinated_Packages-NonOfficial.yml | Adds NonOfficial Coordinated Packages pipeline using shared templates and CodeQL wiring. |
| .github/agents/SplitADOPipelines.agent.md | Adds an internal guide/agent spec documenting the split/templating process. |
| - template: ./variable/release-shared.yml@self | ||
| - template: ./variables/release-shared.yml@self | ||
| parameters: | ||
| VERSION: $[ stageDependencies.setReleaseTagAndChangelog.SetTagAndChangelog.outputs['OutputVersion.Version'] ] |
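Review bot: VERSION on the last line is read from a cross-stage output through stageDependencies, and neither the consuming stage's dependsOn nor any handling of an empty value is visible in this hunk. The expression only resolves when the consuming stage depends on setReleaseTagAndChangelog, so confirm that dependency is declared and have the publish step fail when VERSION arrives empty, so that nothing is tagged or pushed with a blank version.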
In NuGetPublish, the stageDependencies reference uses SetTagAndChangelog (capital S/T/C), but the job name in release-SetTagAndChangelog.yml is setTagAndChangelog. This will fail to resolve OutputVersion.Version. Update the reference to use the correct job name casing.
| VERSION: $[ stageDependencies.setReleaseTagAndChangelog.SetTagAndChangelog.outputs['OutputVersion.Version'] ] | |
| VERSION: $[ stageDependencies.setReleaseTagAndChangelog.setTagAndChangelog.outputs['OutputVersion.Version'] ] |
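A lint for the kind of mismatch the review comment above describes, as an added example that is not part of the pull request or the PowerShell repository: it compares every stageDependencies reference with the stage and job names declared in the same YAML text and reports names that differ only in case or are not declared at all. The sample pipeline is constructed; the stage name `hypotheticalPublish` and the line-based parsing (no template expansion) are assumptions.

```python
import re

# Constructed sample. The stage and job names are the ones quoted in the review
# comment; the stage "hypotheticalPublish" and the layout are assumptions.
SAMPLE_PIPELINE = """\
stages:
- stage: setReleaseTagAndChangelog
  jobs:
  - job: setTagAndChangelog
- stage: hypotheticalPublish
  dependsOn: setReleaseTagAndChangelog
  variables:
  - template: ./variables/release-shared.yml@self
    parameters:
      VERSION: $[ stageDependencies.setReleaseTagAndChangelog.SetTagAndChangelog.outputs['OutputVersion.Version'] ]
"""

DECL_RE = re.compile(r"^[ \t]*-[ \t]*(stage|job|deployment):[ \t]*(\w+)", re.M)
REF_RE = re.compile(r"stageDependencies\.(\w+)\.(\w+)\.outputs\[")

def declared_jobs(yaml_text):
    """Map each declared stage name to the set of job names declared under it."""
    stages, current = {}, None
    for kind, name in DECL_RE.findall(yaml_text):
        if kind == "stage":
            current = stages.setdefault(name, set())
        elif current is not None:
            current.add(name)
    return stages

def resolve(name, declared):
    """Return ('exact' | 'case-mismatch' | 'unknown', declared spelling or None)."""
    if name in declared:
        return "exact", name
    hit = next((d for d in declared if d.lower() == name.lower()), None)
    return ("case-mismatch", hit) if hit else ("unknown", None)

def check_references(yaml_text):
    """List (line, kind, name used, status, declared spelling) for bad references."""
    stages, findings = declared_jobs(yaml_text), []
    for lineno, line in enumerate(yaml_text.splitlines(), 1):
        for stage, job in REF_RE.findall(line):
            status, real_stage = resolve(stage, stages)
            if status != "exact":
                findings.append((lineno, "stage", stage, status, real_stage))
            # Job names can only be checked once the stage itself is known.
            status, real_job = resolve(job, stages.get(real_stage, ()))
            if status != "exact" and real_stage is not None:
                findings.append((lineno, "job", job, status, real_job))
    return findings
```

Run over the sample, `check_references` reports the `SetTagAndChangelog` job reference on line 10 as a case mismatch against the declared `setTagAndChangelog`.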
| - ${{ if eq(parameters['FORCE_CODEQL'],'true') }}: | ||
| # Cadence is hours before CodeQL will allow a re-upload of the database | ||
| - name: CodeQL.Cadence | ||
| value: 1 | ||
| - name: CODEQL_ENABLED | ||
| ${{ if or(eq(variables['Build.SourceBranch'], 'refs/heads/master'), eq(parameters['FORCE_CODEQL'],'true')) }}: |
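Review bot: the CODEQL_ENABLED condition on the last line hardcodes refs/heads/master, while this change targets release/v7.5.6, so on this branch the first operand never matches and whether CodeQL runs depends on FORCE_CODEQL alone. If release-branch builds are meant to be scanned, extend the condition (for example with a startsWith check on refs/heads/release/); if they are not, say so in a comment next to the condition so the gap in static-analysis coverage is a recorded decision.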
FORCE_CODEQL is declared as a boolean parameter, but the condition compares it to the string 'true'. This prevents the CodeQL.Cadence override from ever being set when the parameter is true. Compare against the boolean true (or use an if parameters.FORCE_CODEQL check).
| - ${{ if eq(parameters['FORCE_CODEQL'],'true') }}: | |
| # Cadence is hours before CodeQL will allow a re-upload of the database | |
| - name: CodeQL.Cadence | |
| value: 1 | |
| - name: CODEQL_ENABLED | |
| ${{ if or(eq(variables['Build.SourceBranch'], 'refs/heads/master'), eq(parameters['FORCE_CODEQL'],'true')) }}: | |
| - ${{ if eq(parameters['FORCE_CODEQL'], true) }}: | |
| # Cadence is hours before CodeQL will allow a re-upload of the database | |
| - name: CodeQL.Cadence | |
| value: 1 | |
| - name: CODEQL_ENABLED | |
| ${{ if or(eq(variables['Build.SourceBranch'], 'refs/heads/master'), eq(parameters['FORCE_CODEQL'], true)) }}: |
| - ${{ if eq(parameters['FORCE_CODEQL'],'true') }}: | ||
| # Cadence is hours before CodeQL will allow a re-upload of the database | ||
| - name: CodeQL.Cadence | ||
| value: 1 | ||
| - name: CODEQL_ENABLED | ||
| ${{ if or(eq(variables['Build.SourceBranch'], 'refs/heads/master'), eq(parameters['FORCE_CODEQL'],'true')) }}: |
FORCE_CODEQL is a boolean parameter, but CODEQL_ENABLED is computed by comparing it to the string 'true', so forcing CodeQL on won't work. Use a boolean comparison (and consider whether refs/heads/master is the only branch that should enable CodeQL).
| - ${{ if eq(parameters['FORCE_CODEQL'],'true') }}: | |
| # Cadence is hours before CodeQL will allow a re-upload of the database | |
| - name: CodeQL.Cadence | |
| value: 1 | |
| - name: CODEQL_ENABLED | |
| ${{ if or(eq(variables['Build.SourceBranch'], 'refs/heads/master'), eq(parameters['FORCE_CODEQL'],'true')) }}: | |
| - ${{ if eq(parameters.FORCE_CODEQL, true) }}: | |
| # Cadence is hours before CodeQL will allow a re-upload of the database | |
| - name: CodeQL.Cadence | |
| value: 1 | |
| - name: CODEQL_ENABLED | |
| ${{ if or(eq(variables['Build.SourceBranch'], 'refs/heads/master'), eq(parameters.FORCE_CODEQL, true)) }}: |
| env: | ||
| ob_restore_phase: true # This ensures checkout is done at the beginning of the restore phase | ||
|
|
||
| - pwsh: | | ||
| Get-ChildItem Env: | Out-String -width 9999 -Stream | write-Verbose -Verbose | ||
| displayName: Capture environment variables | ||
| env: | ||
| ob_restore_phase: true # This ensures checkout is done at the beginning of the restore phase |
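Review bot: the "Capture environment variables" step pipes Get-ChildItem Env: into the verbose stream, which writes every environment variable of the job to the build log. The agent masks only values it knows as secrets, so anything sensitive that reaches the environment as an ordinary variable, or that an earlier step exports, is stored in clear for everyone with access to the logs. Limit the dump to an allowlist of names, or run the step only when System.Debug is set.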
This job explicitly disables OneBranch signing setup (ob_signing_setup_enabled: false), but the following steps still force ob_restore_phase: true. Per OneBranch signing guidance, restore phase is only useful when signing is enabled; otherwise it adds overhead/confusion. Remove ob_restore_phase from these steps (or re-enable signing setup if this stage actually needs signing).
| env: | |
| ob_restore_phase: true # This ensures checkout is done at the beginning of the restore phase | |
| - pwsh: | | |
| Get-ChildItem Env: | Out-String -width 9999 -Stream | write-Verbose -Verbose | |
| displayName: Capture environment variables | |
| env: | |
| ob_restore_phase: true # This ensures checkout is done at the beginning of the restore phase | |
| - pwsh: | | |
| Get-ChildItem Env: | Out-String -width 9999 -Stream | write-Verbose -Verbose | |
| displayName: Capture environment variables |
| env: | ||
| ob_restore_phase: true # This ensures checkout is done at the beginning of the restore phase | ||
|
|
||
| - pwsh: | | ||
| Get-ChildItem Env: | Out-String -width 9999 -Stream | write-Verbose -Verbose | ||
| displayName: Capture environment variables | ||
| env: | ||
| ob_restore_phase: true # This ensures checkout is done at the beginning of the restore phase |
This PowerShell step also runs in ob_restore_phase even though the job has signing setup disabled. If this stage is build-only (no signing), drop ob_restore_phase here as well to avoid running a restore phase without signing.
| env: | |
| ob_restore_phase: true # This ensures checkout is done at the beginning of the restore phase | |
| - pwsh: | | |
| Get-ChildItem Env: | Out-String -width 9999 -Stream | write-Verbose -Verbose | |
| displayName: Capture environment variables | |
| env: | |
| ob_restore_phase: true # This ensures checkout is done at the beginning of the restore phase | |
| - pwsh: | | |
| Get-ChildItem Env: | Out-String -width 9999 -Stream | write-Verbose -Verbose | |
| displayName: Capture environment variables |
| throw "No files found in $(Pipeline.Workspace)\Symbols_$(Architecture)" | ||
| } | ||
| $vpackFiles | ||
| displayName: Debug Output Directory and Version |
These two debug steps use the same display name (Debug Output Directory and Version). Duplicate display names make logs harder to interpret; rename one (for example, clarify which step is validating file presence vs printing versions).
| displayName: Debug Output Directory and Version | |
| displayName: Validate vPack Output Files |
| ob_createvpack_verbose: true | ||
| ob_createvpack_packagename: '${{ parameters.vPackName }}.$(architecture)' | ||
| ob_createvpack_description: PowerShell $(architecture) $(version) | ||
| # I think the variables reload after we transition back to the host so this works. 🤷♂️ |
This comment indicates uncertainty about behavior and includes an emoji. Please replace it with a deterministic explanation of why this works (or remove it) so future maintainers don't have to guess about variable evaluation behavior.
| # I think the variables reload after we transition back to the host so this works. 🤷♂️ | |
| # These values use Azure Pipelines macro syntax, so they are expanded at runtime | |
| # from variables set earlier in the job by SetVersionVariables.yml. |
| This agent will implement and restructure the repository's existing ADO pipelines into Official and NonOfficial pipelines. | ||
|
|
||
| A repository will have under the ./pipelines directory a series of yaml files that define the ADO pipelines for the repository. | ||
|
|
This agent guide refers to a ./pipelines directory, but this repository uses .pipelines/. Update the paths/examples so they match the actual repo layout.
| disableNetworkIsolation: ${{ variables.disableNetworkIsolation }} | ||
| globalSdl: | ||
| disableLegacyManifest: true | ||
| # disabled Armorty as we dont have any ARM templates to scan. It fails on some sample ARM templates. |
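Review bot: disableNetworkIsolation on the first line is taken from a variable, so whether this build runs network-isolated is decided outside the lines shown here. State next to this line which value the variable takes in this pipeline and why, so that a later edit to the shared variables template cannot turn isolation off for the build without it being visible in review.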
Typo in comment: Armorty should be Armory (and consider "don't" instead of "dont").
| # disabled Armorty as we dont have any ARM templates to scan. It fails on some sample ARM templates. | |
| # disabled Armory as we don't have any ARM templates to scan. It fails on some sample ARM templates. |
| incrementalSDLBinaryAnalysis: true | ||
| globalSdl: | ||
| disableLegacyManifest: true | ||
| # disabled Armorty as we dont have any ARM templates to scan. It fails on some sample ARM templates. |
Typo in comment: Armorty should be Armory (and consider "don't" instead of "dont").
| # disabled Armorty as we dont have any ARM templates to scan. It fails on some sample ARM templates. | |
| # disabled Armory as we don't have any ARM templates to scan. It fails on some sample ARM templates. |
Backport of #26897 to release/v7.5.6
Triggered by @adityapatwardhan on behalf of @jshigetomi
Original CL Label: CL-BuildPackaging
/cc @PowerShell/powershell-maintainers
Impact
REQUIRED: Choose either Tooling Impact or Customer Impact (or both). At least one checkbox must be selected.
Tooling Impact
Separates official and non-official ADO pipeline templates and shared stage/variable templates so release/v7.5.6 pipeline definitions follow current structure and remain maintainable.
Customer Impact
Regression
REQUIRED: Check exactly one box.
This is not a regression.
Testing
Verified the backport by successful cherry-pick onto release/v7.5.6, resolving YAML conflicts in three official pipeline files, and confirming the resulting commit contains the expected file adds/renames/template references from the original PR.
Risk
REQUIRED: Check exactly one box.
This is a broad pipeline refactor affecting multiple YAML definitions, but the changes are a direct backport of a merged PR and conflicts were resolved by taking the original PR intent/template-based structure.
Merge Conflicts
Resolved conflicts in .pipelines/PowerShell-Coordinated_Packages-Official.yml, .pipelines/PowerShell-Release-Official.yml, and .pipelines/PowerShell-vPack-Official.yml by accepting the incoming template-based sections from PR #26897 to preserve backport intent.