[main] Update common Docker engineering infrastructure with latest (#5410)

Author: dotnet-docker-bot

eng/common/templates/1es-unofficial.yml

@@ -44,6 +44,8 @@ extends:
         ignoreDirectories: $(Build.SourcesDirectory)/versions
         whatIf: true
         showAlertLink: true
+      sbom:
+        enabled: true
       sourceRepositoriesToScan:
         exclude:
         - repository: InternalVersionsRepo

eng/common/templates/jobs/build-images.yml

@@ -97,7 +97,7 @@ jobs:
       New-Item -Path $(imageInfoHostDir) -ItemType Directory -Force
       $imageBuilderBuildArgs = "$env:IMAGEBUILDERBUILDARGS $(imageBuilder.queueArgs) --image-info-output-path $(imageInfoContainerDir)/$(legName)-image-info.json"
       if ($env:SYSTEM_TEAMPROJECT -eq "${{ parameters.internalProjectName }}" -and $env:BUILD_REASON -ne "PullRequest") {
-        $imageBuilderBuildArgs = "$imageBuilderBuildArgs --registry-override $(acr.server) --repo-prefix $(stagingRepoPrefix) --source-repo-prefix $(mirrorRepoPrefix) --push --registry-creds ""$(acr.server)=$(acr.userName);$(acr.password)"""
+        $imageBuilderBuildArgs = "$imageBuilderBuildArgs --registry-override $(acr.server) --repo-prefix $(stagingRepoPrefix) --source-repo-prefix $(mirrorRepoPrefix) --push"
       }
 
       # If the pipeline isn't configured to disable the cache and a build variable hasn't been set to disable the cache
@@ -107,25 +107,27 @@ jobs:
 
       echo "##vso[task.setvariable variable=imageBuilderBuildArgs]$imageBuilderBuildArgs"
     displayName: Set Image Builder Build Args
-  - powershell: >
-      $(runImageBuilderCmd) build
-      --manifest $(manifest)
-      $(imageBuilderPaths)
-      $(osVersions)
-      --os-type $(osType)
-      --architecture $(architecture)
-      --retry
-      --source-repo $(publicGitRepoUri)
-      --digests-out-var 'builtImages'
-      --acr-subscription '$(acr.subscription)'
-      --acr-resource-group '$(acr.resourceGroup)'
-      --acr-client-id '$(acr.servicePrincipalName)'
-      --acr-password '$(acr.servicePrincipalPassword)'
-      --acr-tenant '$(acr.servicePrincipalTenant)'
-      $(manifestVariables)
-      $(imageBuilderBuildArgs)
-    name: BuildImages
-    displayName: Build Images
+  - template: /eng/common/templates/steps/run-imagebuilder.yml@self
+    parameters:
+      name: BuildImages
+      displayName: Build Images
+      serviceConnection: $(acr.serviceConnectionName)
+      internalProjectName: ${{ parameters.internalProjectName }}
+      dockerClientOS: ${{ parameters.dockerClientOS }}
+      args: >
+        build
+        --manifest $(manifest)
+        $(imageBuilderPaths)
+        $(osVersions)
+        --os-type $(osType)
+        --architecture $(architecture)
+        --retry
+        --source-repo $(publicGitRepoUri)
+        --digests-out-var 'builtImages'
+        --acr-subscription '$(acr.subscription)'
+        --acr-resource-group '$(acr.resourceGroup)'
+        $(manifestVariables)
+        $(imageBuilderBuildArgs)
   - template: /eng/common/templates/steps/publish-artifact.yml@self
     parameters:
       path: $(imageInfoHostDir)

eng/common/templates/jobs/copy-base-images.yml

@@ -3,6 +3,7 @@ parameters:
   pool: {}
   additionalOptions: null
   publicProjectName: null
+  internalProjectName: null
   customInitSteps: []
 
 jobs:
@@ -15,4 +16,5 @@ jobs:
     parameters:
       additionalOptions: ${{ parameters.additionalOptions }}
       publicProjectName: ${{ parameters.publicProjectName }}
+      internalProjectName: ${{ parameters.internalProjectName }}
       continueOnError: true

eng/common/templates/jobs/publish.yml

@@ -64,33 +64,38 @@ jobs:
       $(runImageBuilderCmd) trimUnchangedPlatforms
       '$(imageInfoContainerDir)/image-info.json'
     displayName: Trim Unchanged Images
-  - script: >
-      $(runImageBuilderCmd) copyAcrImages
-      '$(acr.servicePrincipalName)'
-      '$(acr.servicePrincipalPassword)'
-      '$(acr.servicePrincipalTenant)'
-      '$(acr.subscription)'
-      '$(acr.resourceGroup)'
-      '$(stagingRepoPrefix)'
-      --os-type '*'
-      --architecture '*'
-      --repo-prefix '$(publishRepoPrefix)'
-      --image-info '$(imageInfoContainerDir)/image-info.json'
-      $(dryRunArg)
-      $(imageBuilder.pathArgs)
-      $(imageBuilder.commonCmdArgs)
-    displayName: Copy Images
-  - script: >
-      $(runImageBuilderCmd) publishManifest
-      '$(imageInfoContainerDir)/image-info.json'
-      --repo-prefix '$(publishRepoPrefix)'
-      --registry-creds '$(acr.server)=$(acr.userName);$(acr.password)'
-      --os-type '*'
-      --architecture '*'
-      $(dryRunArg)
-      $(imageBuilder.pathArgs)
-      $(imageBuilder.commonCmdArgs)
-    displayName: Publish Manifest
+  - template: /eng/common/templates/steps/run-imagebuilder.yml@self
+    parameters:
+      displayName: Copy Images
+      serviceConnection: $(acr.serviceConnectionName)
+      internalProjectName: ${{ parameters.internalProjectName }}
+      args: >
+        copyAcrImages
+        '$(acr.subscription)'
+        '$(acr.resourceGroup)'
+        '$(stagingRepoPrefix)'
+        --os-type '*'
+        --architecture '*'
+        --repo-prefix '$(publishRepoPrefix)'
+        --image-info '$(imageInfoContainerDir)/image-info.json'
+        $(dryRunArg)
+        $(imageBuilder.pathArgs)
+        $(imageBuilder.commonCmdArgs)
+  - template: /eng/common/templates/steps/run-imagebuilder.yml@self
+    parameters:
+      displayName: Publish Manifest
+      serviceConnection: $(acr.serviceConnectionName)
+      internalProjectName: ${{ parameters.internalProjectName }}
+      dockerClientOS: ${{ parameters.dockerClientOS }}
+      args: >
+        publishManifest
+        '$(imageInfoContainerDir)/image-info.json'
+        --repo-prefix '$(publishRepoPrefix)'
+        --os-type '*'
+        --architecture '*'
+        $(dryRunArg)
+        $(imageBuilder.pathArgs)
+        $(imageBuilder.commonCmdArgs)
   - template: /eng/common/templates/steps/publish-artifact.yml@self
     parameters:
       path: $(imageInfoHostDir)
@@ -122,22 +127,23 @@ jobs:
       $(imageBuilder.commonCmdArgs)
     condition: and(succeeded(), eq(variables['publishImageInfo'], 'true'))
     displayName: Publish Image Info
-  - script: >
-      $(runImageBuilderCmd) ingestKustoImageInfo
-      '$(imageInfoContainerDir)/image-info.json'
-      '$(kusto.cluster)'
-      '$(kusto.database)'
-      '$(kusto.imageTable)'
-      '$(kusto.layerTable)'
-      '$(kusto.servicePrincipalName)'
-      '$(kusto.servicePrincipalPassword)'
-      '$(kusto.servicePrincipalTenant)'
-      --os-type '*'
-      --architecture '*'
-      $(dryRunArg)
-      $(imageBuilder.commonCmdArgs)
-    displayName: Ingest Kusto Image Info
-    condition: and(succeeded(), eq(variables['ingestKustoImageInfo'], 'true'))
+  - template: /eng/common/templates/steps/run-imagebuilder.yml@self
+    parameters:
+      displayName: Ingest Kusto Image Info
+      serviceConnection: $(kusto.serviceConnectionName)
+      internalProjectName: ${{ parameters.internalProjectName }}
+      condition: and(succeeded(), eq(variables['ingestKustoImageInfo'], 'true'))
+      args: >
+        ingestKustoImageInfo
+        '$(imageInfoContainerDir)/image-info.json'
+        '$(kusto.cluster)'
+        '$(kusto.database)'
+        '$(kusto.imageTable)'
+        '$(kusto.layerTable)'
+        --os-type '*'
+        --architecture '*'
+        $(dryRunArg)
+        $(imageBuilder.commonCmdArgs)
   - script: >
       $(runImageBuilderCmd) postPublishNotification
       '$(publishNotificationRepoName)'
@@ -151,13 +157,13 @@ jobs:
       '$(gitHubNotificationsRepoInfo.org)'
       '$(gitHubNotificationsRepoInfo.repo)'
       --repo-prefix '$(publishRepoPrefix)'
-      --task "Copy Images"
-      --task "Publish Manifest"
-      --task "Wait for Image Ingestion"
+      --task "Copy Images (Authenticated)"
+      --task "Publish Manifest (Authenticated)"
+      --task "Wait for Image Ingestion (Authenticated)"
       --task "Publish Readmes"
-      --task "Wait for MCR Doc Ingestion"
+      --task "Wait for MCR Doc Ingestion (Authenticated)"
       --task "Publish Image Info"
-      --task "Ingest Kusto Image Info"
+      --task "Ingest Kusto Image Info (Authenticated)"
       $(dryRunArg)
       $(imageBuilder.commonCmdArgs)
     displayName: Post Publish Notification

eng/common/templates/stages/build-test-publish-repo.yml

@@ -8,7 +8,7 @@ parameters:
   customTestInitSteps: []
   customPublishInitSteps: []
   customPublishVariables: []
-  
+
   linuxAmdBuildJobTimeout: 60
   linuxArmBuildJobTimeout: 60
   windowsAmdBuildJobTimeout: 60
@@ -70,7 +70,8 @@ stages:
       pool: ${{ parameters.linuxAmd64Pool }}
       additionalOptions: "--manifest '$(manifest)' $(imageBuilder.pathArgs) $(manifestVariables)"
       publicProjectName: ${{ parameters.publicProjectName }}
-      customInitSteps: ${{ parameters.customCopyBaseImagesInitSteps}}
+      internalProjectName: ${{ parameters.internalProjectName }}
+      customInitSteps: ${{ parameters.customCopyBaseImagesInitSteps }}
   - template: /eng/common/templates/jobs/generate-matrix.yml@self
     parameters:
       matrixType: ${{ parameters.buildMatrixType }}

eng/common/templates/steps/clean-acr-images.yml

@@ -3,17 +3,19 @@ parameters:
   action: null
   age: null
   customArgs: ""
+  internalProjectName: null
 steps:
-  - script: >
-      $(runImageBuilderCmd) cleanAcrImages
-      ${{ parameters.repo }}
-      $(acr.servicePrincipalName)
-      $(app-dotnetdockerbuild-client-secret)
-      $(acr.servicePrincipalTenant)
-      $(acr.subscription)
-      $(acr.resourceGroup)
-      $(acr.server)
-      --action ${{ parameters.action }}
-      --age ${{ parameters.age }}
-      ${{ parameters.customArgs }}
-    displayName: Clean ACR Images - ${{ parameters.repo }}
+  - template: /eng/common/templates/steps/run-imagebuilder.yml@self
+    parameters:
+      displayName: Clean ACR Images - ${{ parameters.repo }}
+      serviceConnection: $(acr.serviceConnectionName)
+      internalProjectName: ${{ parameters.internalProjectName }}
+      args: >
+        cleanAcrImages
+        ${{ parameters.repo }}
+        $(acr.subscription)
+        $(acr.resourceGroup)
+        $(acr.server)
+        --action ${{ parameters.action }}
+        --age ${{ parameters.age }}
+        ${{ parameters.customArgs }}

eng/common/templates/steps/copy-base-images.yml

@@ -1,26 +1,30 @@
 parameters:
   additionalOptions: null
   publicProjectName: null
+  internalProjectName: null
   continueOnError: false
 
 steps:
 - ${{ if or(eq(variables['System.TeamProject'], parameters.publicProjectName), eq(variables['Build.Reason'], 'PullRequest')) }}:
   - template: /eng/common/templates/steps/set-dry-run.yml@self
-- script: >
-    $(runImageBuilderCmd)
-    copyBaseImages
-    '$(acr.servicePrincipalName)'
-    '$(acr.servicePrincipalPassword)'
-    '$(acr.servicePrincipalTenant)'
-    '$(acr.subscription)'
-    '$(acr.resourceGroup)'
-    $(dockerHubRegistryCreds)
-    $(customCopyBaseImagesArgs)
-    --repo-prefix $(mirrorRepoPrefix)
-    --registry-override '$(acr.server)'
-    --os-type 'linux'
-    --architecture '*'
-    $DRYRUNARG
-    ${{ parameters.additionalOptions }}
-  displayName: Copy Base Images
-  continueOnError: ${{ parameters.continueOnError }}
+- template: /eng/common/templates/steps/run-imagebuilder.yml@self
+  parameters:
+    displayName: Copy Base Images
+    serviceConnection: $(acr.serviceConnectionName)
+    continueOnError: ${{ parameters.continueOnError }}
+    internalProjectName: ${{ parameters.internalProjectName }}
+    # Use environment variable to reference $(dryRunArg). Since $(dryRunArg) might be undefined,
+    # PowerShell will treat the Azure Pipelines variable macro syntax as a command and throw an
+    # error
+    args: >
+      copyBaseImages
+      '$(acr.subscription)'
+      '$(acr.resourceGroup)'
+      $(dockerHubRegistryCreds)
+      $(customCopyBaseImagesArgs)
+      --repo-prefix $(mirrorRepoPrefix)
+      --registry-override '$(acr.server)'
+      --os-type 'linux'
+      --architecture '*'
+      $env:DRYRUNARG
+      ${{ parameters.additionalOptions }}

eng/common/templates/steps/init-docker-linux.yml

@@ -34,16 +34,45 @@ steps:
       -f $(engCommonPath)/Dockerfile.WithRepo .
     displayName: Build Image for Image Builder
     condition: and(succeeded(), ${{ parameters.condition }})
-  - script: >
-      echo "##vso[task.setvariable variable=runImageBuilderCmd]
-      docker run --rm
-      -v /var/run/docker.sock:/var/run/docker.sock
-      -v $(Build.ArtifactStagingDirectory):$(artifactsPath)
-      -w /repo
-      $(imageBuilderDockerRunExtraOptions)
-      $(imageNames.imageBuilder.withrepo)"
-    displayName: Define runImageBuilderCmd Variable
+  - task: PowerShell@2
+    displayName: Define ImageBuilder Command Variables
     condition: and(succeeded(), ${{ parameters.condition }})
+    inputs:
+      targetType: 'inline'
+      script: |
+        $tokenHostPath = '$(Agent.TempDirectory)'
+        $tokenHostFilePath = "${tokenHostPath}/token"
+        $tokenContainerPath = "/tmp"
+        $tokenContainerFilePath = "${tokenContainerPath}/token"
+
+        $dockerRunBaseCmd = @(
+          "docker run --rm"
+        )
+
+        $dockerRunArgs = @(
+          "-v /var/run/docker.sock:/var/run/docker.sock"
+          "-v $(Build.ArtifactStagingDirectory):$(artifactsPath)"
+          "-w /repo"
+          "$(imageBuilderDockerRunExtraOptions)"
+          "$(imageNames.imageBuilder.withrepo)"
+        )
+
+        $authedDockerRunArgs = @(
+          '-e AZURE_TENANT_ID=$env:tenantId'
+          '-e AZURE_CLIENT_ID=$env:servicePrincipalId'
+          "-e AZURE_FEDERATED_TOKEN_FILE=$tokenContainerFilePath"
+          "-v ${tokenHostPath}:${tokenContainerPath}"
+        )
+
+        $dockerRunCmd = $dockerRunBaseCmd + $dockerRunArgs
+        $authedDockerRunCmd = $dockerRunBaseCmd + $authedDockerRunArgs + $dockerRunArgs
+
+        $runImageBuilderCmd = $($dockerRunCmd -join ' ')
+        $runAuthedImageBuilderCmd = $($authedDockerRunCmd -join ' ')
+
+        Write-Host "##vso[task.setvariable variable=runImageBuilderCmd]$runImageBuilderCmd"
+        Write-Host "##vso[task.setvariable variable=runAuthedImageBuilderCmd]$runAuthedImageBuilderCmd"
+        Write-Host "##vso[task.setvariable variable=tokenHostFilePath]$tokenHostFilePath"
 
   ################################################################################
   # Setup Test Runner (Optional)

eng/common/templates/steps/init-docker-windows.yml

@@ -37,8 +37,26 @@ steps:
     displayName: Cleanup Setup Container
     condition: and(always(), ${{ parameters.condition }})
     continueOnError: true
-  - powershell: >
-      echo "##vso[task.setvariable variable=runImageBuilderCmd]
-      $(Build.BinariesDirectory)\.Microsoft.DotNet.ImageBuilder\Microsoft.DotNet.ImageBuilder.exe"
-    displayName: Define runImageBuilderCmd Variable
+  - task: PowerShell@2
+    displayName: Define runImageBuilderCmd Variables
     condition: and(succeeded(), ${{ parameters.condition }})
+    inputs:
+      targetType: 'inline'
+      script: |
+        $tokenHostPath = '$(Agent.TempDirectory)'
+        $tokenHostFilePath = "$tokenHostPath\token"
+
+        $runImageBuilderCmd = "$(Build.BinariesDirectory)\.Microsoft.DotNet.ImageBuilder\Microsoft.DotNet.ImageBuilder.exe"
+
+        $authedImageBuilderCmds = @(
+          '$env:AZURE_TENANT_ID = $env:tenantId'
+          '$env:AZURE_CLIENT_ID = $env:servicePrincipalId'
+          '$env:AZURE_FEDERATED_TOKEN_FILE' + " = $tokenHostFilePath"
+          $runImageBuilderCmd
+        )
+
+        $runAuthedImageBuilderCmd = $($authedImageBuilderCmds -join "; ")
+
+        Write-Host "##vso[task.setvariable variable=runImageBuilderCmd]$runImageBuilderCmd"
+        Write-Host "##vso[task.setvariable variable=runAuthedImageBuilderCmd]$runAuthedImageBuilderCmd"
+        Write-Host "##vso[task.setvariable variable=tokenHostFilePath]$tokenHostFilePath"