ESRP publishing (#3065)

## Do I need to review this as a service owner? 

Probably not. This PR is for EngSys. You're probably seeing this review
because I updated your `ci.yml` file to use "release intent" which
allows you to choose which packages to release at release build time. We
in EngSys will merge this after reviewing.

## Notes

Fixes #3035

* Release packages using ESRP 
* Release intent (check boxes to release packages) 
* You can run live tests without releasing packages
* Packages are released in dependency order
* Dependency enforcement (build fails if a dependency is not released or
being released in the current build)

Updated runs with release intent: 

Sample pipeline run with 2 release crates:
https://dev.azure.com/azure-sdk/internal/_build/results?buildId=5424835&view=results

Sample pipeline run with no releases and live tests:
https://dev.azure.com/azure-sdk/internal/_build/results?buildId=5424839&view=logs&j=b766ebde-1fdb-5f11-1350-46ddc53b23cf&t=9494b470-f365-50d2-5008-6394593b39c5
-- In this case note that necessary dependencies were built (e.g.
`typespec`) even though it was outside the scope of the service. Test
failures notwithstanding.

Sample pipeline run with no releases (also no live tests):
https://dev.azure.com/azure-sdk/internal/_build/results?buildId=5424838&view=results

Example unified version increment PR:
#3134

Sample releases: 
*
https://github.com/Azure/azure-sdk-for-rust/releases/tag/azure_canary_core%401.0.0-beta.5397226
*
https://github.com/Azure/azure-sdk-for-rust/releases/tag/azure_canary%401.0.0-beta.5397226

## Open questions

* Right now `Pack-Crates.ps1` fails in release scenarios when releasing
a package that has unreleased dependencies (e.g. `dependency_crate = {
workspace = true }`. The expectation here is that dependencies will go
from `workspace = true` to `{ version = "1.2.3" }` when releasing. Is
this a correct expectation?

Author: danieljurek

eng/pipelines/templates/jobs/pack.yml

@@ -55,15 +55,46 @@ jobs:
       ServiceDirectory: ${{ parameters.ServiceDirectory }}
       PackageInfoDirectory: $(Build.ArtifactStagingDirectory)/PackageInfo
 
-  - task: Powershell@2
-    displayName: "Pack Crates"
-    condition: and(succeeded(), ne(variables['NoPackagesChanged'],'true'))
-    inputs:
-      pwsh: true
-      filePath: $(Build.SourcesDirectory)/eng/scripts/Pack-Crates.ps1
-      arguments: >
-        -OutputPath '$(Build.ArtifactStagingDirectory)'
-        -PackageInfoDirectory '$(Build.ArtifactStagingDirectory)/PackageInfo'
+  - ${{ if eq('auto', parameters.ServiceDirectory) }}:
+    - task: Powershell@2
+      displayName: Pack Crates
+      condition: and(succeeded(), ne(variables['NoPackagesChanged'],'true'))
+      inputs:
+        pwsh: true
+        filePath: $(Build.SourcesDirectory)/eng/scripts/Pack-Crates.ps1
+        arguments: >
+          -OutputPath '$(Build.ArtifactStagingDirectory)'
+          -PackageInfoDirectory '$(Build.ArtifactStagingDirectory)/PackageInfo'
+
+  - ${{ else }}:
+    - pwsh: |
+        $artifacts = '${{ convertToJson(parameters.Artifacts) }}' | ConvertFrom-Json
+        $requireDependencies = $true
+        $artifactsToBuild = $artifacts | Where-Object { $_.releaseInBatch -eq 'True' }
+
+        if (!$artifactsToBuild) {
+          Write-Host "No packages to release. Building all packages in the service directory with no dependency validation."
+          $artifactsToBuild = $artifacts
+          $requireDependencies = $false
+        }
+
+        $packageNames = $artifactsToBuild.name -join ','
+
+        Write-Host "##vso[task.setvariable variable=PackageNames]$packageNames"
+        Write-Host "##vso[task.setvariable variable=RequireDependencies]$requireDependencies"
+      displayName: Create package list
+
+    - task: Powershell@2
+      displayName: Pack Crates
+      condition: and(succeeded(), ne(variables['NoPackagesChanged'],'true'))
+      inputs:
+        pwsh: true
+        filePath: $(Build.SourcesDirectory)/eng/scripts/Pack-Crates.ps1
+        arguments: >
+          -OutputPath '$(Build.ArtifactStagingDirectory)'
+          -PackageNames $(PackageNames)
+          -RequireDependencies:$$(RequireDependencies)
+          -OutBuildOrderFile '$(Build.ArtifactStagingDirectory)/release-order.json'
 
   - template: /eng/common/pipelines/templates/steps/publish-1es-artifact.yml
     parameters:

eng/pipelines/templates/stages/archetype-rust-release.yml

@@ -14,16 +14,13 @@ parameters:
 - name: DevFeedName
   type: string
   default: 'public/azure-sdk-for-rust'
-- name: Environment
-  type: string
-  default: 'cratesio'
 
 stages:
 - ${{ if eq(variables['System.TeamProject'], 'internal') }}:
   - ${{ if in(variables['Build.Reason'], 'Manual', '') }}:
-    - ${{ each artifact in parameters.Artifacts }}:
-      - stage: Release_${{artifact.safeName}}
-        displayName: "Release: ${{artifact.name}}"
+    - ${{ if gt(length(parameters.Artifacts), 0) }}:
+      - stage: Release_Batch
+        displayName: "Releasing: ${{length(parameters.Artifacts)}} crates"
         dependsOn: ${{parameters.DependsOn}}
         condition: and(succeeded(), ne(variables['SetDevVersion'], 'true'), ne(variables['Skip.Release'], 'true'), ne(variables['Build.Repository.Name'], 'Azure/azure-sdk-for-rust-pr'))
         variables:
@@ -50,16 +47,17 @@ stages:
 
           - template: /eng/common/pipelines/templates/steps/retain-run.yml
 
-          - script: |
-              echo "##vso[build.addbuildtag]${{artifact.name}}"
-            displayName: Add build tag '${{artifact.name}}'
+          - ${{ each artifact in parameters.Artifacts }}:
+            - script: |
+                echo "##vso[build.addbuildtag]${{artifact.name}}"
+              displayName: Add build tag '${{artifact.name}}'
 
-          - template: /eng/common/pipelines/templates/steps/create-tags-and-git-release.yml
-            parameters:
-              ArtifactLocation: $(Pipeline.Workspace)/${{parameters.PipelineArtifactName}}/${{artifact.name}}
-              PackageRepository: Crates.io
-              ReleaseSha: $(Build.SourceVersion)
-              WorkingDirectory: $(Pipeline.Workspace)/_work
+            - template: /eng/common/pipelines/templates/steps/create-tags-and-git-release.yml
+              parameters:
+                ArtifactLocation: $(Pipeline.Workspace)/${{parameters.PipelineArtifactName}}/${{artifact.name}}
+                PackageRepository: Crates.io
+                ReleaseSha: $(Build.SourceVersion)
+                WorkingDirectory: $(Pipeline.Workspace)/_work
 
         - deployment: PublishPackage
           displayName: "Publish to Crates.io"
@@ -71,7 +69,10 @@ stages:
             - input: pipelineArtifact  # Required, type of the input artifact
               artifactName: ${{parameters.PipelineArtifactName}}  # Required, name of the pipeline artifact
               targetPath: $(Pipeline.Workspace)/drop  # Optional, specifies where the artifact is downloaded to
-          environment: ${{parameters.Environment}}
+          ${{if parameters.TestPipeline}}:
+            environment: none
+          ${{else}}:
+            environment: cratesio
           # This timeout shouldn't be necessary once we're able to parallelize better. Right now,
           # this is here to ensure larger areas (30+) libraries don't time out.
           timeoutInMinutes: 120
@@ -84,33 +85,77 @@ stages:
             runOnce:
               deploy:
                 steps:
-                - template: /eng/pipelines/templates/steps/use-rust.yml@self
-                  parameters:
-                    Toolchain: stable
-
-                - pwsh: |
-                    $additionalOwners = @('heaths', 'hallipr')
-                    $token = $env:CARGO_REGISTRY_TOKEN
-                    $crateName = '${{artifact.name}}'
-
-                    $manifestPath = "$(Pipeline.Workspace)/drop/$crateName/contents/Cargo.toml"
-                    Write-Host "> cargo publish --manifest-path `"$manifestPath`""
-                    cargo publish --manifest-path $manifestPath
-                    if (!$?) {
-                      Write-Error "Failed to publish package: '$crateName'"
-                      exit 1
-                    }
-
-                    $existingOwners = (cargo owner --list $crateName) -replace " \(.*", ""
-                    $missingOwners = $additionalOwners | Where-Object { $existingOwners -notcontains $_ }
-
-                    foreach ($owner in $missingOwners) {
-                      Write-Host "> cargo owner --add $owner $crateName"
-                      cargo owner --add $owner $crateName
-                    }
-                  displayName: Publish Crate
-                  env:
-                    CARGO_REGISTRY_TOKEN: $(azure-sdk-cratesio-token)
+                  - pwsh: |
+                      Write-Host "##vso[task.setvariable variable=ArtifactIndex]0"
+                    displayName: Set ArtifactIndex to 0
+
+                  - ${{ each artifact in parameters.Artifacts }}:
+                    - pwsh: |
+                        # Read artifact release order from release-order.json 
+                        # and use ArtifactIndex to select the right one
+                        $index = [int]'$(ArtifactIndex)'
+                        $artifacts = Get-Content '$(Pipeline.Workspace)/drop/release-order.json' | ConvertFrom-Json
+                        if ($index -ge $artifacts.Count) {
+                          Write-Error "ArtifactIndex $index is out of range (0..$($artifacts.Count - 1))"
+                          exit 1
+                        }
+
+                        $artifactName = $artifacts[$index]
+                        Write-Host "Releasing artifact $artifactName (index $index)"
+
+                        $artifactRootPath = '$(Pipeline.Workspace)/drop'
+                        $outDir = '$(Pipeline.Workspace)/esrp-release'
+
+                        if (Test-Path $outDir) {
+                          Write-Host "Cleaning output directory: $outDir"
+                          Remove-Item -Path $outDir -Recurse -Force
+                        }
+                        New-Item -ItemType Directory -Path $outDir -Force | Out-Null
+
+                        Write-Host "Artifact name: $artifactName"
+
+                        $packageMetadataPath = "$artifactRootPath/PackageInfo/$artifactName.json"
+                        if (!(Test-Path $packageMetadataPath)) {
+                          Write-Error "Package metadata file not found: $packageMetadataPath"
+                          exit 1
+                        }
+
+                        $packageMetadata = Get-Content -Raw $packageMetadataPath | ConvertFrom-Json
+                        $packageVersion = $packageMetadata.version
+                        Write-Host "Package version: $packageVersion"
+
+                        $cratePath = "$artifactRootPath/$artifactName/$artifactName-$packageVersion.crate"
+                        Copy-Item `
+                          -Path $cratePath `
+                          -Destination $outDir
+                        Write-Host "Contents of $outDir"
+                        Get-ChildItem -Path $outDir | ForEach-Object { Write-Host $_.FullName }
+                      displayName: 'Copy crate for ESRP'
+
+                    - task: EsrpRelease@10
+                      displayName: 'ESRP Release'
+                      inputs:
+                        connectedservicename: 'Azure SDK PME Managed Identity'
+                        ClientId: '5f81938c-2544-4f1f-9251-dd9de5b8a81b'
+                        DomainTenantId: '975f013f-7f24-47e8-a7d3-abc4752bf346'
+                        Usemanagedidentity: true
+                        KeyVaultName: 'kv-azuresdk-codesign'
+                        SignCertName: 'azure-sdk-esrp-release-certificate'
+                        intent: 'packagedistribution'
+                        contenttype: 'Rust'
+                        contentsource: 'Folder'
+                        folderlocation: '$(Pipeline.Workspace)/esrp-release'
+                        waitforreleasecompletion: true
+                        owners: ${{ coalesce(variables['Build.RequestedForEmail'], '[email protected]') }}
+                        approvers: ${{ coalesce(variables['Build.RequestedForEmail'], '[email protected]') }}
+                        serviceendpointurl: 'https://api.esrp.microsoft.com/'
+                        mainpublisher: 'ESRPRELPACMANTEST'
+
+                    - pwsh: |
+                        $index = [int]'$(ArtifactIndex)' + 1
+                        Write-Host "Setting ArtifactIndex to $index"
+                        Write-Host "##vso[task.setvariable variable=ArtifactIndex]$index"
+                      displayName: Increment ArtifactIndex
 
         - job: UpdatePackageVersion
           displayName: "API Review and Package Version Update"
@@ -130,69 +175,32 @@ stages:
             displayName: Download ${{parameters.PipelineArtifactName}} artifact
             artifact: ${{parameters.PipelineArtifactName}}
 
-          - template: /eng/common/pipelines/templates/steps/create-apireview.yml
-            parameters:
-              ArtifactPath: $(Pipeline.Workspace)/${{parameters.PipelineArtifactName}}
-              Artifacts: ${{parameters.Artifacts}}
-              ConfigFileDir: $(Pipeline.Workspace)/${{parameters.PipelineArtifactName}}/PackageInfo
-              MarkPackageAsShipped: true
-              ArtifactName: ${{parameters.PipelineArtifactName}}
-              SourceRootPath: $(System.DefaultWorkingDirectory)
-              PackageName: ${{artifact.name}}
-
-          # Apply the version increment to each library, which updates the Cargo.toml and changelog files.
-          - task: PowerShell@2
-            displayName: Increment ${{artifact.name}} version
-            inputs:
-              targetType: filePath
-              filePath: $(Build.SourcesDirectory)/eng/scripts/Update-PackageVersion.ps1
-              arguments: >
-                -ServiceDirectory '${{parameters.ServiceDirectory}}'
-                -PackageName '${{artifact.name}}'
+          - ${{each artifact in parameters.Artifacts }}:
+            - template: /eng/common/pipelines/templates/steps/create-apireview.yml
+              parameters:
+                ArtifactPath: $(Pipeline.Workspace)/${{parameters.PipelineArtifactName}}
+                Artifacts: ${{parameters.Artifacts}}
+                ConfigFileDir: $(Pipeline.Workspace)/${{parameters.PipelineArtifactName}}/PackageInfo
+                MarkPackageAsShipped: true
+                ArtifactName: ${{parameters.PipelineArtifactName}}
+                SourceRootPath: $(System.DefaultWorkingDirectory)
+                PackageName: ${{artifact.name}}
+
+            # Apply the version increment to each library, which updates the Cargo.toml and changelog files.
+            - task: PowerShell@2
+              displayName: Increment ${{artifact.name}} version
+              inputs:
+                targetType: filePath
+                filePath: $(Build.SourcesDirectory)/eng/scripts/Update-PackageVersion.ps1
+                arguments: >
+                  -ServiceDirectory '${{parameters.ServiceDirectory}}'
+                  -PackageName '${{artifact.name}}'
 
           - template: /eng/common/pipelines/templates/steps/create-pull-request.yml
             parameters:
               PRBranchName: increment-package-version-${{parameters.ServiceDirectory}}-$(Build.BuildId)
-              CommitMsg: "Increment package version after release of ${{ artifact.name }}"
+              CommitMsg: "Increment package version after release of ${{ join(', ', parameters.Artifacts.*.name) }}"
               PRTitle: "Increment versions for ${{parameters.ServiceDirectory}} releases"
               CloseAfterOpenForTesting: '${{parameters.TestPipeline}}'
               ${{ if startsWith(variables['Build.SourceBranch'], 'refs/pull/') }}:
                 BaseBranchName: main
-
-        - ${{ if eq(parameters.TestPipeline, true) }}:
-          - job: ManualApproval
-            displayName: "Manual approval"
-            dependsOn: PublishPackage
-            condition: ne(variables['Skip.PublishPackage'], 'true')
-            pool: server
-            timeoutInMinutes: 120 # 2 hours
-            steps:
-            - task: ManualValidation@1
-              timeoutInMinutes: 60 # 1 hour
-              inputs:
-                notifyUsers: '' # Required, but empty string allowed
-                allowApproversToApproveTheirOwnRuns: true
-                instructions: "Approve yank of ${{ artifact.name }}"
-                onTimeout: 'resume'
-
-          - job: YankCrates
-            displayName: "Yank Crates"
-            dependsOn: ManualApproval
-            condition: and(succeeded(), ne(variables['Skip.PublishPackage'], 'true'))
-            steps:
-            - template: /eng/common/pipelines/templates/steps/sparse-checkout.yml
-
-            - download: current
-              displayName: Download ${{parameters.PipelineArtifactName}} artifact
-              artifact: ${{parameters.PipelineArtifactName}}
-
-            - task: PowerShell@2
-              displayName: Yank Crates
-              env:
-                CARGO_REGISTRY_TOKEN: $(azure-sdk-cratesio-token)
-              inputs:
-                targetType: filePath
-                filePath: $(Build.SourcesDirectory)/eng/scripts/Yank-Crates.ps1
-                arguments:
-                  -CrateNames '${{artifact.name}}'
-                  -PackageInfoDirectory '$(Pipeline.Workspace)/${{parameters.PipelineArtifactName}}/PackageInfo'

eng/pipelines/templates/stages/archetype-sdk-client.yml

@@ -148,6 +148,9 @@ extends:
             parameters:
               DependsOn: "Build"
               ServiceDirectory: ${{ parameters.ServiceDirectory }}
-              Artifacts: ${{ parameters.Artifacts }}
+              Artifacts: 
+                - ${{ each artifact in parameters.Artifacts }}: 
+                  - ${{ if ne(artifact.releaseInBatch, 'false')}}: 
+                    - ${{ artifact }}
               TestPipeline: ${{ eq(parameters.ServiceDirectory, 'canary') }}
               PipelineArtifactName: packages

eng/scripts/Language-Settings.ps1

@@ -1,7 +1,7 @@
 $Language = "rust"
 $LanguageDisplayName = "Rust"
 $PackageRepository = "crates.io"
-$packagePattern = "Cargo.toml"
+$packagePattern = "*.crate"
 #$MetadataUri = "https://raw.githubusercontent.com/Azure/azure-sdk/main/_data/releases/latest/rust-packages.csv"
 $GithubUri = "https://github.com/Azure/azure-sdk-for-rust"
 $PackageRepositoryUri = "https://crates.io/crates"
@@ -139,15 +139,32 @@ function Get-rust-AdditionalValidationPackagesFromPackageSet ($packagesWithChang
   return $additionalPackages ?? @()
 }
 
+# $GetPackageInfoFromPackageFileFn = "Get-${Language}-PackageInfoFromPackageFile"
 function Get-rust-PackageInfoFromPackageFile([IO.FileInfo]$pkg, [string]$workingDirectory) {
-  #$pkg will be a FileInfo object for the Cargo.toml file in a package artifact directory
-  $package = cargo read-manifest --manifest-path $pkg.FullName | ConvertFrom-Json
+  # Create a temporary folder for extraction
+  $extractionPath = [System.IO.Path]::Combine([System.IO.Path]::GetTempPath(), [System.IO.Path]::GetRandomFileName())
+  New-Item -ItemType Directory -Path $extractionPath | Out-Null
+
+  # Extract the .crate file (which is a tarball) to the temporary folder
+  tar -xvf $pkg.FullName -C $extractionPath
+  $cargoTomlPath = [System.IO.Path]::Combine($extractionPath, $pkg.BaseName, 'Cargo.toml')
+
+  Write-Host "Reading package info from $cargoTomlPath"
+  if (!(Test-Path $cargoTomlPath)) {
+    $message = "The Cargo.toml file was not found in the package artifact at $cargoTomlPath"
+    LogError $message
+    throw $message
+  }
+
+  $package = cargo read-manifest --manifest-path $cargoTomlPath | ConvertFrom-Json
 
   $packageName = $package.name
   $packageVersion = $package.version
 
-  $changeLogLoc = Get-ChildItem -Path $pkg.DirectoryName -Filter "CHANGELOG.md" | Select-Object -First 1
-  $readmeContentLoc = Get-ChildItem -Path $pkg.DirectoryName -Filter "README.md" | Select-Object -First 1
+  $packageAssetPath = [System.IO.Path]::Combine($extractionPath, "$packageName-$packageVersion")
+
+  $changeLogLoc = Get-ChildItem -Path $packageAssetPath -Filter "CHANGELOG.md" | Select-Object -First 1
+  $readmeContentLoc = Get-ChildItem -Path $packageAssetPath -Filter "README.md" | Select-Object -First 1
 
   if ($changeLogLoc) {
     $releaseNotes = Get-ChangeLogEntryAsString -ChangeLogLocation $changeLogLoc -VersionString $packageVersion