From 650cc4339af5325bb56593991927f55f49d3f544 Mon Sep 17 00:00:00 2001 From: dotnet-docker-bot <60522487+dotnet-docker-bot@users.noreply.github.com> Date: Thu, 16 Oct 2025 13:29:29 -0700 Subject: [PATCH] Update common Docker engineering infrastructure with latest --- eng/common/templates/1es.yml | 11 +++++-- eng/common/templates/jobs/publish.yml | 6 ++-- .../stages/dotnet/publish-config-nonprod.yml | 13 +++++++++ .../stages/dotnet/publish-config-prod.yml | 13 +++++++++ .../templates/steps/annotate-eol-digests.yml | 23 +++++++-------- .../templates/steps/clean-acr-images.yml | 25 +++++++++------- .../templates/steps/validate-branch.yml | 29 ++++++++++++++----- .../templates/variables/docker-images.yml | 2 +- 8 files changed, 85 insertions(+), 37 deletions(-) diff --git a/eng/common/templates/1es.yml b/eng/common/templates/1es.yml index 19f8c1f1..95a44b2a 100644 --- a/eng/common/templates/1es.yml +++ b/eng/common/templates/1es.yml @@ -32,6 +32,13 @@ parameters: name: $(defaultSourceAnalysisPoolName) image: $(defaultSourceAnalysisPoolImage) os: windows +# Container image SBOMs are generated manually during the build job. 1ESPT's +# automatic SBOM generation only adds unnecessary steps and artifacts to +# builds. SBOM is not needed for JSON outputs. If a pipeline outputs binary +# artifacts that ship to customers, then set this parameter to true. +- name: enableSbom + type: boolean + default: false resources: repositories: @@ -47,10 +54,8 @@ extends: templateParameters: pool: ${{ parameters.pool }} sdl: - # Required for unofficial pipelines because we rely on the ManifestGeneratorTask that is - # automatically installed by 1ES pipeline templates sbom: - enabled: true + enabled: ${{ parameters.enableSbom }} binskim: enabled: true componentgovernance: diff --git a/eng/common/templates/jobs/publish.yml b/eng/common/templates/jobs/publish.yml index 68cfb4fe..463d9af4 100644 --- a/eng/common/templates/jobs/publish.yml +++ b/eng/common/templates/jobs/publish.yml 
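Review bot: Nothing in the new 1es.yml says how the ManifestGeneratorTask dependency is met once `sbom.enabled` follows `enableSbom` (default `false`); the second hunk deletes the comment that said unofficial pipelines rely on that task being installed by the 1ES templates. If the manual container-image SBOM step still uses that task, it may be absent whenever the parameter is false, so this should be confirmed on an unofficial run. The default is also opt-in, so a pipeline that ships binary artifacts produces no SBOM unless its author remembers the parameter. I would keep a short comment at the `sbom:` key, for example `# Off by default: image SBOMs are produced in the build job; pipelines shipping binaries must pass enableSbom: true`.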
@@ -236,7 +236,7 @@ jobs: - template: /eng/common/templates/steps/annotate-eol-digests.yml@self parameters: - publishConfig: ${{ parameters.publishConfig }} + acr: ${{ parameters.publishConfig.publishAcr }} dataFile: $(artifactsPath)/eol-annotation-data/eol-annotation-data.json - script: > @@ -284,8 +284,8 @@ jobs: --task "🟪 Publish Image Info" --task "🟪 Ingest Kusto Image Info" --task "🟪 Generate EOL Annotation Data" - --task "🟪 Annotate EOL Images" - --task "🟪 Wait for Annotation Ingestion" + --task "🟪 Annotate EOL Images (${{ parameters.publishConfig.publishAcr.server }})" + --task "🟪 Wait for Annotation Ingestion (${{ parameters.publishConfig.publishAcr.server }})" $(dryRunArg) $(imageBuilder.commonCmdArgs) displayName: Post Publish Notification diff --git a/eng/common/templates/stages/dotnet/publish-config-nonprod.yml b/eng/common/templates/stages/dotnet/publish-config-nonprod.yml index bc236962..eddd7859 100644 --- a/eng/common/templates/stages/dotnet/publish-config-nonprod.yml +++ b/eng/common/templates/stages/dotnet/publish-config-nonprod.yml @@ -61,6 +61,13 @@ stages: publicMirrorAcr: server: $(public-mirror.server) + resourceGroup: $(public-mirror.resourceGroup) + subscription: $(public-mirror.subscription) + serviceConnection: + name: $(public-mirror.serviceConnectionName) + id: $(public-mirror.serviceConnection.id) + tenantId: $(public-mirror.serviceConnection.tenantId) + clientId: $(public-mirror.serviceConnection.clientId) buildAcr: server: $(acr-staging-test.server) @@ -73,6 +80,12 @@ stages: clientId: $(build-test.serviceConnection.clientId) tenantId: $(testTenant) + cleanServiceConnection: + name: $(clean-test.serviceConnectionName) + id: $(clean-test.serviceConnection.id) + clientId: $(clean-test.serviceConnection.clientId) + tenantId: $(testTenant) + testServiceConnection: name: $(test-nonprod.serviceConnectionName) id: $(test-nonprod.serviceConnection.id) 
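Review bot: The two `--task` names in the second publish.yml hunk now have to match, character for character, the display names built in annotate-eol-digests.yml from `${{ parameters.acr.server }}`, and nothing records that coupling. They agree today only because this file passes `acr: ${{ parameters.publishConfig.publishAcr }}`. If the template is later invoked for another registry, or a display name is reworded, the notification step would presumably look for tasks that no longer exist. A comment above the `--task` lines would do, for example `# Names must equal the displayName values in steps/annotate-eol-digests.yml`. The script block continues outside the hunk.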
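Review bot: In publish-config-nonprod.yml the new `publicMirrorAcr.serviceConnection` block reads the same `public-mirror.*` variables as publish-config-prod.yml, while every other connection in this file uses a test-scoped name (`build-test.*`, `clean-test.*`, `test-nonprod.*`, `$(testTenant)`). Whether those variables resolve to a different identity per environment is not visible here. If they do not, nonprod pipelines now carry a service connection, subscription and resource group for the registry that prod uses, which widens what a test run can touch. I would either point nonprod at its own variable set or add a comment stating that the mirror connection is intentionally shared and what role it holds.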
diff --git a/eng/common/templates/stages/dotnet/publish-config-prod.yml b/eng/common/templates/stages/dotnet/publish-config-prod.yml index 7ac47d69..d45807dd 100644 --- a/eng/common/templates/stages/dotnet/publish-config-prod.yml +++ b/eng/common/templates/stages/dotnet/publish-config-prod.yml @@ -61,6 +61,13 @@ stages: publicMirrorAcr: server: $(public-mirror.server) + resourceGroup: $(public-mirror.resourceGroup) + subscription: $(public-mirror.subscription) + serviceConnection: + name: $(public-mirror.serviceConnectionName) + id: $(public-mirror.serviceConnection.id) + tenantId: $(public-mirror.serviceConnection.tenantId) + clientId: $(public-mirror.serviceConnection.clientId) buildAcr: server: $(acr-staging.server) @@ -73,6 +80,12 @@ stages: clientId: $(build.serviceConnection.clientId) tenantId: $(build.serviceConnection.tenantId) + cleanServiceConnection: + name: $(clean.serviceConnectionName) + id: $(clean.serviceConnection.id) + clientId: $(clean.serviceConnection.clientId) + tenantId: $(clean.serviceConnection.tenantId) + testServiceConnection: name: $(test.serviceConnectionName) id: $(test.serviceConnection.id) diff --git a/eng/common/templates/steps/annotate-eol-digests.yml b/eng/common/templates/steps/annotate-eol-digests.yml index 0e7d5c32..57c5221f 100644 --- a/eng/common/templates/steps/annotate-eol-digests.yml +++ b/eng/common/templates/steps/annotate-eol-digests.yml @@ -1,5 +1,5 @@ parameters: -- name: publishConfig +- name: acr type: object # Path to EOL annotation data JSON file generated by 'generateEolAnnotationData*' command - name: dataFile 
@@ -10,33 +10,32 @@ steps: displayName: Create Annotation Digests Directory - template: /eng/common/templates/steps/run-imagebuilder.yml@self parameters: - name: AnnotateEOLImages - displayName: Annotate EOL Images + displayName: Annotate EOL Images (${{ parameters.acr.server }}) serviceConnections: - name: acr - id: ${{ parameters.publishConfig.publishAcr.serviceConnection.id }} - tenantId: ${{ parameters.publishConfig.publishAcr.serviceConnection.tenantId }} - clientId: ${{ parameters.publishConfig.publishAcr.serviceConnection.clientId }} + id: ${{ parameters.acr.serviceConnection.id }} + tenantId: ${{ parameters.acr.serviceConnection.tenantId }} + clientId: ${{ parameters.acr.serviceConnection.clientId }} internalProjectName: internal condition: and(succeeded(), eq(variables['publishEolAnnotations'], 'true')) args: >- annotateEolDigests - ${{ parameters.dataFile }} - ${{ parameters.publishConfig.publishAcr.server }} - ${{ parameters.publishConfig.publishAcr.repoPrefix }} + "${{ parameters.dataFile }}" + "${{ parameters.acr.server }}" + "${{ parameters.acr.repoPrefix }}" $(artifactsPath)/annotation-digests/annotation-digests.txt $(dryRunArg) - template: /eng/common/templates/steps/publish-artifact.yml@self parameters: path: $(Build.ArtifactStagingDirectory)/annotation-digests - artifactName: annotation-digests-$(System.JobAttempt) - displayName: Publish Annotation Digests List + artifactName: annotation-digests-${{ parameters.acr.server }}-$(System.JobAttempt) + displayName: Publish Annotation Digests List (${{ parameters.acr.server }}) internalProjectName: internal publicProjectName: public condition: and(succeeded(), eq(variables['publishEolAnnotations'], 'true')) - template: /eng/common/templates/steps/run-imagebuilder.yml@self parameters: - displayName: Wait for Annotation Ingestion + displayName: Wait for Annotation Ingestion (${{ parameters.acr.server }}) serviceConnections: - name: mar id: $(marStatus.serviceConnection.id) 
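Review bot: The artifact name is now per-registry, but the digest list is still written to `$(artifactsPath)/annotation-digests/annotation-digests.txt` and published from `$(Build.ArtifactStagingDirectory)/annotation-digests`, neither of which includes the server. The removed step `name:` and the per-server display names suggest the template is meant to run more than once per job. In that case a second run would write to the same file, and each artifact could carry another registry's digests or lose its own. A per-registry subdirectory would keep the record attributable, e.g. `"$(artifactsPath)/annotation-digests/${{ parameters.acr.server }}/annotation-digests.txt"` with a matching `path:` and directory-creation step. That output path is also the only positional argument left unquoted. The step list starts and continues outside the hunk.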
diff --git a/eng/common/templates/steps/clean-acr-images.yml b/eng/common/templates/steps/clean-acr-images.yml index abfb9fb9..0361df44 100644 --- a/eng/common/templates/steps/clean-acr-images.yml +++ b/eng/common/templates/steps/clean-acr-images.yml @@ -1,28 +1,33 @@ parameters: repo: null - subscription: null - resourceGroup: null acr: null action: null age: null - customArgs: "" + customArgs: "--dry-run" internalProjectName: null + publishConfig: null steps: - template: /eng/common/templates/steps/run-imagebuilder.yml@self parameters: - displayName: Clean ACR Images - ${{ parameters.repo }} + # Options are documented in CleanAcrImagesOptions.cs + ${{ if eq(parameters.action, 'delete') }}: + displayName: "Delete ${{ parameters.repo }}" + ${{ elseif parameters.age }}: + displayName: "Clean ${{ parameters.repo }} (${{ parameters.action }} > ${{ parameters.age }}d)" + ${{ else }}: + displayName: "Clean ${{ parameters.repo }} (${{ parameters.action }})" serviceConnections: - name: acr - id: $(clean.serviceConnection.id) - tenantId: $(clean.serviceConnection.tenantId) - clientId: $(clean.serviceConnection.clientId) + id: ${{ parameters.publishConfig.cleanServiceConnection.id }} + tenantId: ${{ parameters.publishConfig.cleanServiceConnection.tenantId }} + clientId: ${{ parameters.publishConfig.cleanServiceConnection.clientId }} internalProjectName: ${{ parameters.internalProjectName }} args: >- cleanAcrImages ${{ parameters.repo }} - ${{ parameters.subscription }} - ${{ parameters.resourceGroup }} - ${{ parameters.acr }} + ${{ parameters.acr.subscription }} + ${{ parameters.acr.resourceGroup }} + ${{ parameters.acr.server }} --action ${{ parameters.action }} --age ${{ parameters.age }} ${{ parameters.customArgs }} diff --git a/eng/common/templates/steps/validate-branch.yml b/eng/common/templates/steps/validate-branch.yml index 0bfcf9c9..0fb1a841 100644 --- a/eng/common/templates/steps/validate-branch.yml +++ b/eng/common/templates/steps/validate-branch.yml 
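Review bot: The dry-run safeguard in clean-acr-images.yml lives in the free-form `customArgs` default, so any caller that sets `customArgs` for an unrelated option silently drops `--dry-run` and the `delete` action runs for real. A dedicated boolean parameter that defaults to dry-run and is appended separately from `customArgs` would make going live an explicit choice. The new `displayName` branches treat `age` as optional, yet `--age ${{ parameters.age }}` is still emitted unconditionally, so a null age would render as `--age --dry-run`; how the tool parses that is not shown here and should be checked. `publishConfig` defaults to `null`, so a caller that was not updated gets empty service-connection fields rather than a template error. The positional arguments are also unquoted, unlike the ones this commit quotes in annotate-eol-digests.yml.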
@@ -7,26 +7,39 @@ steps: - powershell: | if ("$env:ONEESPT_BUILDTYPE" -eq "Unofficial") { - echo "Build is from an unofficial pipeline, continuing..." + echo "Build is from an unofficial pipeline, continuing." exit 0 } - if ("$(officialBranches)".Split(',').Contains("$(sourceBranch)") ` - -and "$(officialRepoPrefixes)".Split(',').Contains("${{ parameters.publishConfig.publishAcr.repoPrefix }}")) + $isOfficialRepoPrefix = "$(officialRepoPrefixes)".Split(',').Contains("${{ parameters.publishConfig.publishAcr.repoPrefix }}") + if (-not $isOfficialRepoPrefix) { - echo "Conditions met for official build, continuing..." + echo "This build will not publish to an official repo prefix, continuing." + echo "Publish repo prefix: ${{ parameters.publishConfig.publishAcr.repoPrefix }}" + echo "Official repo prefixes: $(officialRepoPrefixes)" exit 0 } - if (-not "$(officialRepoPrefixes)".Split(',').Contains("${{ parameters.publishConfig.publishAcr.repoPrefix }}")) + $isOfficialBranch = "$(officialBranches)".Split(',').Contains("$(sourceBranch)") + if ($isOfficialBranch) { - echo "This build is a test build, continuing..." + echo "$(sourceBranch) is an official branch, continuing." + echo "Official branches: $(officialBranches)" exit 0 } - if ("${{ variables['overrideOfficialBranchValidation'] }}" -eq "true") + $hasOfficialBranchPrefix = $false + foreach ($prefix in "$(officialBranchPrefixes)".Split(',')) { + if ("$(sourceBranch)".StartsWith($prefix)) { + $hasOfficialBranchPrefix = $true + break + } + } + + if ($hasOfficialBranchPrefix) { - echo "Variable overrideOfficialBranchValidation is set to true, continuing..." + echo "$(sourceBranch) has an official branch prefix, continuing." + echo "Official branch prefixes: $(officialBranchPrefixes)" exit 0 } diff --git a/eng/common/templates/variables/docker-images.yml b/eng/common/templates/variables/docker-images.yml index abf257cc..172ed723 100644 --- a/eng/common/templates/variables/docker-images.yml 
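Review bot: The new prefix loop lets every branch through when `officialBranchPrefixes` is empty or contains a trailing or doubled comma, because `Split(',')` then yields an empty string and `StartsWith("")` is always true. Since this check gates publishing to official repo prefixes, the loop should skip blank entries with `if ([string]::IsNullOrWhiteSpace($prefix)) { continue }` as its first statement. It should also compare ordinally: `"$(sourceBranch)".StartsWith($prefix, [System.StringComparison]::Ordinal)`. Separately, `$(sourceBranch)` is substituted into the script text before PowerShell parses it, and the hunk adds several more such uses; reading it from a step `env:` mapping would keep a branch name from being interpreted as script. The failure path of the script lies outside the hunk.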
+++ b/eng/common/templates/variables/docker-images.yml @@ -1,5 +1,5 @@ variables: - imageNames.imageBuilderName: mcr.microsoft.com/dotnet-buildtools/image-builder:2786011 + imageNames.imageBuilderName: mcr.microsoft.com/dotnet-buildtools/image-builder:2817852 imageNames.imageBuilder: $(imageNames.imageBuilderName) imageNames.imageBuilder.withrepo: imagebuilder-withrepo:$(Build.BuildId)-$(System.JobId) imageNames.testRunner: mcr.microsoft.com/dotnet-buildtools/prereqs:azurelinux3.0-docker-testrunner