From a48c12fc6e20ec77a6485db4332275cbe4e38ba9 Mon Sep 17 00:00:00 2001 From: Cheena Malhotra Date: Fri, 23 Jan 2026 18:30:46 -0800 Subject: [PATCH 1/5] Remove OneBranchType parameter and use Official type only --- eng/pipelines/akv-official-pipeline.yml | 12 ++---------- .../dotnet-sqlclient-signing-pipeline.yml | 14 +------------- 2 files changed, 3 insertions(+), 23 deletions(-) diff --git a/eng/pipelines/akv-official-pipeline.yml b/eng/pipelines/akv-official-pipeline.yml index ac5837b331..dfc5189518 100644 --- a/eng/pipelines/akv-official-pipeline.yml +++ b/eng/pipelines/akv-official-pipeline.yml @@ -9,14 +9,6 @@ name: $(Year:YY)$(DayOfYear)$(Rev:.r) # @TODO: Add triggers and schedules parameters: - - name: oneBranchType - displayName: 'OneBranch template' - type: 'string' - values: - - 'Official' - - 'NonOfficial' - default: 'Official' - - name: buildConfiguration displayName: 'Build configuration' type: 'string' @@ -49,7 +41,7 @@ resources: ref: 'refs/heads/main' extends: - template: /v2/OneBranch.${{ parameters.oneBranchType }}.CrossPlat.yml@templates + template: 'v2/OneBranch.Official.CrossPlat.yml@templates' parameters: featureFlags: @@ -118,7 +110,7 @@ extends: tsa: # OneBranch publishes all sdl results to TSA. If TSA is disabled all SDL tools will # be forced into 'break' build mode. - enabled: ${{ eq(parameters.oneBranchType, 'Official') }} + enabled: true configFile: '$(REPO_ROOT)/.config/tsaoptions.json' stages: diff --git a/eng/pipelines/dotnet-sqlclient-signing-pipeline.yml b/eng/pipelines/dotnet-sqlclient-signing-pipeline.yml index 2c27a1c407..96dee0ea15 100644 --- a/eng/pipelines/dotnet-sqlclient-signing-pipeline.yml +++ b/eng/pipelines/dotnet-sqlclient-signing-pipeline.yml 
@@ -54,13 +54,6 @@ parameters: # parameters are shown up in ADO UI in a build queue time type: string default: 'net462' -- name: oneBranchType - displayName: 'Select OneBranch template' - default: Official - values: - - NonOfficial - - Official - - name: isPreview displayName: 'Is this a preview build?' type: boolean @@ -89,7 +82,7 @@ resources: ref: refs/heads/main extends: - template: /v2/OneBranch.${{parameters.oneBranchType }}.CrossPlat.yml@templates # https://aka.ms/obpipelines/templates + template: v2/OneBranch.Official.CrossPlat.yml@templates # https://aka.ms/obpipelines/templates parameters: featureFlags: # Suggested by MerlinBot (https://sqlclientdrivers.visualstudio.com/ADO.Net/_git/dotnet-sqlclient/pullrequest/4882) @@ -103,11 +96,6 @@ extends: enabled: true apiscan: enabled: true - # For non-official builds, the OneBranch template seems to set APIScan's - # 'break' to true even when TSA is enabled. We don't want APIScan to - # break non-official builds, so we explicitly set 'break' to false here. - ${{ if ne(parameters.oneBranchType, 'Official') }}: - break: false softwareFolder: $(softwareFolder) symbolsFolder: $(symbolsFolder) softwarename: Microsoft.Data.SqlClient From 2aff163b99c4ac99f6d75e91de0940102e6c2443 Mon Sep 17 00:00:00 2001 From: Cheena Malhotra Date: Thu, 29 Jan 2026 11:53:51 -0800 Subject: [PATCH 2/5] Add nonofficial pipelines --- eng/pipelines/akv-non-official-pipeline.yml | 137 ++++++++++++++++ ...dotnet-sqlclient-non-official-pipeline.yml | 151 ++++++++++++++++++ 2 files changed, 288 insertions(+) create mode 100644 eng/pipelines/akv-non-official-pipeline.yml create mode 100644 eng/pipelines/dotnet-sqlclient-non-official-pipeline.yml diff --git a/eng/pipelines/akv-non-official-pipeline.yml b/eng/pipelines/akv-non-official-pipeline.yml new file mode 100644 index 0000000000..d625497fda --- /dev/null +++ b/eng/pipelines/akv-non-official-pipeline.yml 
@@ -0,0 +1,137 @@
+#################################################################################
+# Licensed to the .NET Foundation under one or more agreements. #
+# The .NET Foundation licenses this file to you under the MIT license. #
+# See the LICENSE file in the project root for more information. #
+#################################################################################
+
+name: $(Year:YY)$(DayOfYear)$(Rev:.r)
+
+parameters:
+ - name: buildConfiguration
+ displayName: 'Build configuration'
+ type: 'string'
+ values:
+ - 'Release'
+ - 'Debug'
+ default: 'Release'
+
+ - name: publishSymbols
+ displayName: 'Publish symbols'
+ type: 'boolean'
+ default: false
+
+ - name: runSdlTasks
+ displayName: 'Run SDL Tasks'
+ type: 'boolean'
+ default: true
+
+variables:
+ - template: /eng/pipelines/variables/common-variables.yml@self
+ - template: /eng/pipelines/variables/onebranch-variables.yml@self
+ - template: /eng/pipelines/variables/esrp-signing-variables.yml@self
+ - template: /eng/pipelines/variables/akv-official-variables.yml@self
+
+resources:
+ repositories:
+ - repository: templates
+ type: 'git'
+ name: 'OneBranch.Pipelines/GovernedTemplates'
+ ref: 'refs/heads/main'
+
+extends:
+ template: 'v2/OneBranch.NonOfficial.CrossPlat.yml@templates'
+
+ parameters:
+ featureFlags:
+ WindowsHostVersion:
+ Version: '2022'
+
+ globalSdl:
+ # See https://aka.ms/obpipelines/sdl
+
+ apiscan:
+ enabled: ${{ parameters.runSdlTasks }}
+ softwareFolder: '${{ variables.apiScanDllPath }}'
+ softwareName: 'Microsoft.Data.SqlClient' # Note: This name is registered with ApiScan
+ softwareVersionNum: '${{ variables.assemblyFileVersion }}'
+ symbolsFolder: '${{ variables.apiScanPdbPath }}'
+
+ armory:
+ enabled: ${{ parameters.runSdlTasks }}
+ break: true
+
+ asyncSdl:
+ # If this should be enabled, move supported tools under this item,
+ # see https://aka.ms/obpipelines/asyncsdl
+ enabled: false
+
+ binskim:
+ enabled: ${{ parameters.runSdlTasks }}
+ break: true
+
+ codeinspector:
+ enabled: ${{ parameters.runSdlTasks }}
+ logLevel: Error
+
+ codeql:
+ enabled: ${{ parameters.runSdlTasks }}
+ sourceRoot: '$(REPO_ROOT)/src/Microsoft.Data.SqlClient/add-ons/AzureKeyVaultProvider'
+ # Note, this can only be done if project doesn't depend on other projects. In
+ # package reference mode, this is true, but if we ever enable project reference
+ # builds, this will have to be removed.
+
+ credscan:
+ enabled: ${{ parameters.runSdlTasks }}
+ suppressionsFile: '$(REPO_ROOT)/.config/CredScanSuppressions.json'
+
+ eslint:
+ enabled: false
+
+ policheck:
+ enabled: ${{ parameters.runSdlTasks }}
+ break: true
+ exclusionFile: '$(REPO_ROOT)/.config/PolicheckExclusions.xml'
+
+ roslyn:
+ enabled: ${{ parameters.runSdlTasks }}
+ break: true
+ # Requires RoslynAnalyzers task to be added after build task
+
+ publishLogs:
+ enabled: ${{ parameters.runSdlTasks }}
+
+ sbom:
+ enabled: ${{ parameters.runSdlTasks }}
+ packageName: 'Microsoft.Data.SqlClient.AlwaysEncrypted.AzureKeyVaultProvider'
+ packageVersion: ${{ variables.nugetPackageVersion }}
+
+ tsa:
+ # OneBranch publishes all sdl results to TSA. If TSA is disabled all SDL tools will
+ # be forced into 'break' build mode.
+ enabled: true
+ configFile: '$(REPO_ROOT)/.config/tsaoptions.json'
+
+ stages:
+ - stage: BuildAkv
+ displayName: 'Build AKV'
+ jobs:
+ - template: /eng/pipelines/jobs/build-akv-official-job.yml@self
+ parameters:
+ apiScanDllPath: '${{ variables.apiScanDllPath }}'
+ apiScanPdbPath: '${{ variables.apiScanPdbPath }}'
+ assemblyFileVersion: '${{ variables.assemblyFileVersion }}'
+ buildConfiguration: '${{ parameters.buildConfiguration }}'
+ nugetPackageVersion: '${{ variables.nugetPackageVersion }}'
+ mdsPackageVersion: '${{ variables.mdsPackageVersion }}'
+ publishSymbols: '${{ parameters.publishSymbols }}'
+ signingAppRegistrationClientId: '$(SigningAppRegistrationClientId)'
+ signingAppRegistrationTenantId: '$(SigningAppRegistrationTenantId)'
+ signingAuthAkvName: '$(SigningAuthAkvName)'
+ signingAuthSignCertName: '$(SigningAuthSignCertName)'
+ signingEsrpClientId: '$(SigningEsrpClientId)'
+ signingEsrpConnectedServiceName: '$(SigningEsrpConnectedServiceName)'
+ symbolsAzureSubscription: '$(SymbolsAzureSubscription)'
+ symbolsPublishProjectName: '$(SymbolsPublishProjectName)'
+ symbolsPublishServer: '$(SymbolsPublishServer)'
+ symbolsPublishTokenUri: '$(SymbolsPublishTokenUri)'
+ symbolsUploadAccount: '$(SymbolsUploadAccount)'
diff --git a/eng/pipelines/dotnet-sqlclient-non-official-pipeline.yml b/eng/pipelines/dotnet-sqlclient-non-official-pipeline.yml
new file mode 100644
index 0000000000..f785932406
--- /dev/null
+++ b/eng/pipelines/dotnet-sqlclient-non-official-pipeline.yml
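Review bot: The NonOfficial pipeline still loads `esrp-signing-variables.yml` and `akv-official-variables.yml` and passes every `signing*` value to `build-akv-official-job.yml`, so a run queued with `runSdlTasks: false` (which switches off credscan, binskim, codeql and the other `globalSdl` tools) appears to have the same signing identity available as the official pipeline. If non-official builds are not supposed to produce signed packages, drop the signing variables and parameters here or point the stage at a job template that does not sign; what the job does with them is not visible in this patch. The file also declares no `trigger:`, which Azure Pipelines by default treats as a CI trigger on every branch, so add `trigger: none` if this pipeline is meant to be queued manually.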
@@ -0,0 +1,151 @@
+#################################################################################
+# Licensed to the .NET Foundation under one or more agreements. #
+# The .NET Foundation licenses this file to you under the MIT license. #
+# See the LICENSE file in the project root for more information. #
+#################################################################################
+
+name: $(Year:YY)$(DayOfYear)$(Rev:.r)
+trigger:
+ branches:
+ include:
+ - internal/main
+ paths:
+ include:
+ - .azuredevops
+ - .config
+ - doc
+ - eng/pipelines
+ - src
+ - tools
+ - azurepipelines-coverage.yml
+ - build.proj
+ - NuGet.config
+
+parameters: # parameters are shown up in ADO UI in a build queue time
+- name: 'debug'
+ displayName: 'Enable debug output'
+ type: boolean
+ default: false
+
+- name: publishSymbols
+ displayName: 'Publish symbols'
+ type: boolean
+ default: false
+
+- name: CurrentNetFxVersion
+ displayName: 'Lowest supported .NET Framework version (MDS validation)'
+ type: string
+ default: 'net462'
+
+- name: isPreview
+ displayName: 'Is this a preview build?'
+ type: boolean
+ default: false
+
+# The timeout, in minutes, for each test job.
+- name: testJobTimeout
+ displayName: 'Test job timeout (in minutes)'
+ type: number
+ default: 60
+
+variables:
+ - template: /eng/pipelines/libraries/variables.yml@self
+ - name: packageFolderName
+ value: drop_buildMDS_build_signed_package
+ - name: PublishSymbols
+ value: ${{ parameters['publishSymbols'] }}
+ - name: CurrentNetFxVersion
+ value: ${{ parameters['CurrentNetFxVersion'] }}
+
+resources:
+ repositories:
+ - repository: templates
+ type: git
+ name: OneBranch.Pipelines/GovernedTemplates
+ ref: refs/heads/main
+
+extends:
+ template: v2/OneBranch.NonOfficial.CrossPlat.yml@templates # https://aka.ms/obpipelines/templates
+ parameters:
+ featureFlags:
+ # Suggested by MerlinBot (https://sqlclientdrivers.visualstudio.com/ADO.Net/_git/dotnet-sqlclient/pullrequest/4882)
+ EnableCDPxPAT: false
+ WindowsHostVersion: 1ESWindows2022
+ globalSdl: # https://aka.ms/obpipelines/sdl
+ tsa:
+ # The OneBranch template will set 'break' to false for the other SDL
+ # tools when TSA is enabled. This allows TSA to gather the results
+ # and publish them for downstream analysis.
+ enabled: true
+ apiscan:
+ enabled: true
+ softwareFolder: $(softwareFolder)
+ symbolsFolder: $(symbolsFolder)
+ softwarename: Microsoft.Data.SqlClient
+ versionNumber: $(AssemblyFileVersion)
+ codeql:
+ compiled:
+ enabled: ${{ not(parameters['isPreview']) }}
+ sbom:
+ enabled: ${{ not(parameters['isPreview']) }}
+ packageName: Microsoft.Data.SqlClient
+ packageVersion: $(NugetPackageVersion)
+ policheck:
+ enabled: ${{ not(parameters['isPreview']) }}
+ break: true # always break the build on policheck issues. You can disable it by setting to 'false'
+ exclusionsFile: $(REPOROOT)\.config\PolicheckExclusions.xml
+ asyncSdl:
+ enabled: false
+ credscan:
+ enabled: ${{ not(parameters['isPreview']) }}
+ suppressionsFile: $(REPOROOT)/.config/CredScanSuppressions.json
+ binskim:
+ enabled: ${{ not(parameters['isPreview']) }}
+ armory:
+ enabled: ${{ not(parameters['isPreview']) }}
+ break: true
+ eslint: # TypeScript and JavaScript
+ enabled: false
+ roslyn:
+ enabled: ${{ not(parameters['isPreview']) }}
+ break: true
+ publishLogs:
+ enabled: ${{ not(parameters['isPreview']) }}
+ tsaOptionsPath: $(REPOROOT)\.config\tsaoptions.json
+ disableLegacyManifest: true
+ stages:
+ - stage: buildMDS
+ displayName: 'Build MDS'
+ jobs:
+ - template: eng/pipelines/common/templates/jobs/build-signed-package-job.yml@self
+ parameters:
+ symbolsFolder: $(symbolsFolder)
+ softwareFolder: $(softwareFolder)
+ publishSymbols: ${{ parameters['publishSymbols'] }}
+ isPreview: ${{ parameters['isPreview'] }}
+
+ - stage: mds_package_validation
+ displayName: 'MDS Package Validation'
+ dependsOn: buildMDS
+ jobs:
+ - template: eng/pipelines/common/templates/jobs/validate-signed-package-job.yml@self
+ parameters:
+ packageFolderName: $(packageFolderName)
+ isPreview: ${{ parameters['isPreview'] }}
+ downloadPackageStep:
+ download: current
+ artifact: $(packageFolderName)
+ patterns: '**/*.*nupkg'
+ displayName: 'Download NuGet Package'
+
+# Disabling as of 10/15/2025 due to OneBranch apparently disallowing MSBuild tasks in validation stages.
+# - template: eng/pipelines/common/templates/jobs/run-tests-package-reference-job.yml@self
+# parameters:
+# packageFolderName: $(packageFolderName)
+# isPreview: ${{ parameters['isPreview'] }}
+# timeout: ${{ parameters.testJobTimeout }}
+# downloadPackageStep:
+# download: current
+# artifact: $(packageFolderName)
+# patterns: '**/*.nupkg'
+# displayName: 'Download NuGet Package'
From 6acf4bac91b741aa4d0e13d51c68d526dc9e9bbd Mon Sep 17 00:00:00 2001
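Review bot: `credscan`, `binskim`, `codeql`, `armory`, `roslyn`, `policheck` and `sbom` are all gated on `${{ not(parameters['isPreview']) }}`, so ticking "Is this a preview build?" at queue time skips secret scanning and binary analysis for the whole run. Preview status does not change whether a committed credential matters, so consider `enabled: true` for `credscan` at least, and add a comment above `globalSdl` stating why the remaining tools are skipped for previews. Separately, `exclusionsFile` and `$(REPOROOT)` here differ from `exclusionFile` and `$(REPO_ROOT)` in `akv-non-official-pipeline.yml`; the patch does not show which spelling the template and variable files honour, so confirm that the PoliCheck exclusion and CredScan suppression files are actually picked up in both pipelines.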
From: Cheena Malhotra Date: Mon, 9 Feb 2026 15:02:26 -0800 Subject: [PATCH 3/5] Rename official pipeline --- ...igning-pipeline.yml => dotnet-sqlclient-official-pipeline.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename eng/pipelines/{dotnet-sqlclient-signing-pipeline.yml => dotnet-sqlclient-official-pipeline.yml} (100%) diff --git a/eng/pipelines/dotnet-sqlclient-signing-pipeline.yml b/eng/pipelines/dotnet-sqlclient-official-pipeline.yml similarity index 100% rename from eng/pipelines/dotnet-sqlclient-signing-pipeline.yml rename to eng/pipelines/dotnet-sqlclient-official-pipeline.yml From 25d20726ec087ad84fcd52b9fa412e796d450ebf Mon Sep 17 00:00:00 2001 From: Cheena Malhotra Date: Tue, 17 Feb 2026 10:32:07 -0800 Subject: [PATCH 4/5] touch-ups --- eng/pipelines/akv-non-official-pipeline.yml | 10 +++--- ...dotnet-sqlclient-non-official-pipeline.yml | 35 ++++++++----------- 2 files changed, 19 insertions(+), 26 deletions(-) diff --git a/eng/pipelines/akv-non-official-pipeline.yml b/eng/pipelines/akv-non-official-pipeline.yml index d625497fda..7ebd5a4a14 100644 --- a/eng/pipelines/akv-non-official-pipeline.yml +++ b/eng/pipelines/akv-non-official-pipeline.yml @@ -7,7 +7,7 @@ name: $(Year:YY)$(DayOfYear)$(Rev:.r) parameters: - - name: buildConfiguration + - name: buildConfiguration displayName: 'Build configuration' type: 'string' values: @@ -95,7 +95,7 @@ extends: roslyn: enabled: ${{ parameters.runSdlTasks }} break: true - # Requires RoslynAnalyzers task to be added after build task + # Requires RoslynAnalyzers task to be added somewhere in the build stage. publishLogs: enabled: ${{ parameters.runSdlTasks }} @@ -103,7 +103,7 @@ extends: sbom: enabled: ${{ parameters.runSdlTasks }} packageName: 'Microsoft.Data.SqlClient.AlwaysEncrypted.AzureKeyVaultProvider' - packageVersion: ${{ variables.nugetPackageVersion }} + packageVersion: ${{ variables.akvPackageVersion }} tsa: # OneBranch publishes all sdl results to TSA. If TSA is disabled all SDL tools will 
@@ -117,11 +117,11 @@ extends: jobs: - template: /eng/pipelines/jobs/build-akv-official-job.yml@self parameters: + akvAssemblyFileVersion: '${{ variables.assemblyFileVersion }}' + akvPackageVersion: '${{ variables.akvPackageVersion }}' apiScanDllPath: '${{ variables.apiScanDllPath }}' apiScanPdbPath: '${{ variables.apiScanPdbPath }}' - assemblyFileVersion: '${{ variables.assemblyFileVersion }}' buildConfiguration: '${{ parameters.buildConfiguration }}' - nugetPackageVersion: '${{ variables.nugetPackageVersion }}' mdsPackageVersion: '${{ variables.mdsPackageVersion }}' publishSymbols: '${{ parameters.publishSymbols }}' signingAppRegistrationClientId: '$(SigningAppRegistrationClientId)' diff --git a/eng/pipelines/dotnet-sqlclient-non-official-pipeline.yml b/eng/pipelines/dotnet-sqlclient-non-official-pipeline.yml index f785932406..883e32e81e 100644 --- a/eng/pipelines/dotnet-sqlclient-non-official-pipeline.yml +++ b/eng/pipelines/dotnet-sqlclient-non-official-pipeline.yml @@ -8,6 +8,9 @@ name: $(Year:YY)$(DayOfYear)$(Rev:.r) trigger: branches: include: + + # This pipeline is intended to only run against the ADO.Net dotnet-sqlclient + # repo. - internal/main paths: include: @@ -50,7 +53,7 @@ parameters: # parameters are shown up in ADO UI in a build queue time variables: - template: /eng/pipelines/libraries/variables.yml@self - - name: packageFolderName + - name: mdsArtifactName value: drop_buildMDS_build_signed_package - name: PublishSymbols value: ${{ parameters['publishSymbols'] }} @@ -58,7 +61,7 @@ variables: value: ${{ parameters['CurrentNetFxVersion'] }} resources: - repositories: + repositories: - repository: templates type: git name: OneBranch.Pipelines/GovernedTemplates 
@@ -76,26 +79,26 @@ extends: # The OneBranch template will set 'break' to false for the other SDL # tools when TSA is enabled. This allows TSA to gather the results # and publish them for downstream analysis. - enabled: true + enabled: false apiscan: enabled: true softwareFolder: $(softwareFolder) symbolsFolder: $(symbolsFolder) softwarename: Microsoft.Data.SqlClient - versionNumber: $(AssemblyFileVersion) + versionNumber: $(mdsAssemblyFileVersion) codeql: compiled: enabled: ${{ not(parameters['isPreview']) }} sbom: enabled: ${{ not(parameters['isPreview']) }} packageName: Microsoft.Data.SqlClient - packageVersion: $(NugetPackageVersion) + packageVersion: $(mdsPackageVersion) policheck: enabled: ${{ not(parameters['isPreview']) }} break: true # always break the build on policheck issues. You can disable it by setting to 'false' exclusionsFile: $(REPOROOT)\.config\PolicheckExclusions.xml asyncSdl: - enabled: false + enabled: false credscan: enabled: ${{ not(parameters['isPreview']) }} suppressionsFile: $(REPOROOT)/.config/CredScanSuppressions.json @@ -117,7 +120,7 @@ extends: - stage: buildMDS displayName: 'Build MDS' jobs: - - template: eng/pipelines/common/templates/jobs/build-signed-package-job.yml@self + - template: /eng/pipelines/common/templates/jobs/build-signed-package-job.yml@self parameters: symbolsFolder: $(symbolsFolder) softwareFolder: $(softwareFolder) 
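Review bot: The comment left above `tsa.enabled` still describes the TSA-enabled behaviour ("will set 'break' to false for the other SDL tools when TSA is enabled"), but this hunk flips the value to `false`, so the comment now says the opposite of what the pipeline does. According to the comment in `akv-non-official-pipeline.yml`, disabling TSA forces every SDL tool into break mode, and the `apiscan` `break: false` override that PATCH 1/5 removed from the signing pipeline was not carried into this file, so non-official runs may now fail on APIScan findings while no results are published for triage. Replace the comment with something like `# TSA is off for non-official builds: SDL results are not published and OneBranch forces every SDL tool into 'break' mode.`, and decide deliberately whether `apiscan` should break here. The `globalSdl` block starts and ends outside this hunk.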
@@ -128,24 +131,14 @@ extends: displayName: 'MDS Package Validation' dependsOn: buildMDS jobs: - - template: eng/pipelines/common/templates/jobs/validate-signed-package-job.yml@self + - template: /eng/pipelines/common/templates/jobs/validate-signed-package-job.yml@self parameters: - packageFolderName: $(packageFolderName) + artifactName: $(mdsArtifactName) isPreview: ${{ parameters['isPreview'] }} - downloadPackageStep: - download: current - artifact: $(packageFolderName) - patterns: '**/*.*nupkg' - displayName: 'Download NuGet Package' # Disabling as of 10/15/2025 due to OneBranch apparently disallowing MSBuild tasks in validation stages. -# - template: eng/pipelines/common/templates/jobs/run-tests-package-reference-job.yml@self +# - template: /eng/pipelines/common/templates/jobs/run-tests-package-reference-job.yml@self # parameters: -# packageFolderName: $(packageFolderName) +# artifactName: $(mdsArtifactName) # isPreview: ${{ parameters['isPreview'] }} # timeout: ${{ parameters.testJobTimeout }} -# downloadPackageStep: -# download: current -# artifact: $(packageFolderName) -# patterns: '**/*.nupkg' -# displayName: 'Download NuGet Package' From 04bf4819d4555422e8d39d67d34e90f87fe05dce Mon Sep 17 00:00:00 2001 From: Cheena Malhotra Date: Tue, 17 Feb 2026 10:33:27 -0800 Subject: [PATCH 5/5] Disable TSA for non-official pipelines --- eng/pipelines/akv-non-official-pipeline.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eng/pipelines/akv-non-official-pipeline.yml b/eng/pipelines/akv-non-official-pipeline.yml index 7ebd5a4a14..40f93fc33a 100644 --- a/eng/pipelines/akv-non-official-pipeline.yml +++ b/eng/pipelines/akv-non-official-pipeline.yml @@ -108,7 +108,7 @@ extends: tsa: # OneBranch publishes all sdl results to TSA. If TSA is disabled all SDL tools will # be forced into 'break' build mode. - enabled: true + enabled: false configFile: '$(REPO_ROOT)/.config/tsaoptions.json' stages: