microsoft · dotnet-docker-bot · Oct 16, 2025
@@ -32,6 +32,13 @@ parameters:
     name: $(defaultSourceAnalysisPoolName)
     image: $(defaultSourceAnalysisPoolImage)
     os: windows
+# Container image SBOMs are generated manually during the build job. 1ESPT's
+# automatic SBOM generation only adds unnecessary steps and artifacts to
+# builds. SBOM is not needed for JSON outputs. If a pipeline outputs binary
+# artifacts that ship to customers, then set this parameter to true.
+- name: enableSbom
+  type: boolean
+  default: false
 
 resources:
   repositories:
@@ -47,10 +54,8 @@ extends:
     templateParameters:
       pool: ${{ parameters.pool }}
       sdl:
-        # Required for unofficial pipelines because we rely on the ManifestGeneratorTask that is
-        # automatically installed by 1ES pipeline templates
         sbom:
-          enabled: true
+          enabled: ${{ parameters.enableSbom }}
         binskim:
           enabled: true
         componentgovernance:

@@ -236,7 +236,7 @@ jobs:
 
   - template: /eng/common/templates/steps/annotate-eol-digests.yml@self
     parameters:
-      publishConfig: ${{ parameters.publishConfig }}
+      acr: ${{ parameters.publishConfig.publishAcr }}
       dataFile: $(artifactsPath)/eol-annotation-data/eol-annotation-data.json
 
   - script: >
@@ -284,8 +284,8 @@ jobs:
       --task "🟪 Publish Image Info"
       --task "🟪 Ingest Kusto Image Info"
       --task "🟪 Generate EOL Annotation Data"
-      --task "🟪 Annotate EOL Images"
-      --task "🟪 Wait for Annotation Ingestion"
+      --task "🟪 Annotate EOL Images (${{ parameters.publishConfig.publishAcr.server }})"
+      --task "🟪 Wait for Annotation Ingestion (${{ parameters.publishConfig.publishAcr.server }})"
       $(dryRunArg)
       $(imageBuilder.commonCmdArgs)
     displayName: Post Publish Notification

@@ -61,6 +61,13 @@ stages:
 
       publicMirrorAcr:
         server: $(public-mirror.server)
+        resourceGroup: $(public-mirror.resourceGroup)
+        subscription: $(public-mirror.subscription)
+        serviceConnection:
+          name: $(public-mirror.serviceConnectionName)
+          id: $(public-mirror.serviceConnection.id)
+          tenantId: $(public-mirror.serviceConnection.tenantId)
+          clientId: $(public-mirror.serviceConnection.clientId)
 
       buildAcr:
         server: $(acr-staging-test.server)
@@ -73,6 +80,12 @@ stages:
           clientId: $(build-test.serviceConnection.clientId)
           tenantId: $(testTenant)
 
+      cleanServiceConnection:
+        name: $(clean-test.serviceConnectionName)
+        id: $(clean-test.serviceConnection.id)
+        clientId: $(clean-test.serviceConnection.clientId)
+        tenantId: $(testTenant)
+
       testServiceConnection:
         name: $(test-nonprod.serviceConnectionName)
         id: $(test-nonprod.serviceConnection.id)

@@ -61,6 +61,13 @@ stages:
 
       publicMirrorAcr:
         server: $(public-mirror.server)
+        resourceGroup: $(public-mirror.resourceGroup)
+        subscription: $(public-mirror.subscription)
+        serviceConnection:
+          name: $(public-mirror.serviceConnectionName)
+          id: $(public-mirror.serviceConnection.id)
+          tenantId: $(public-mirror.serviceConnection.tenantId)
+          clientId: $(public-mirror.serviceConnection.clientId)
 
       buildAcr:
         server: $(acr-staging.server)
@@ -73,6 +80,12 @@ stages:
           clientId: $(build.serviceConnection.clientId)
           tenantId: $(build.serviceConnection.tenantId)
 
+      cleanServiceConnection:
+        name: $(clean.serviceConnectionName)
+        id: $(clean.serviceConnection.id)
+        clientId: $(clean.serviceConnection.clientId)
+        tenantId: $(clean.serviceConnection.tenantId)
+
       testServiceConnection:
         name: $(test.serviceConnectionName)
         id: $(test.serviceConnection.id)

@@ -1,5 +1,5 @@
 parameters:
-- name: publishConfig
+- name: acr
   type: object
 # Path to EOL annotation data JSON file generated by 'generateEolAnnotationData*' command
 - name: dataFile
@@ -10,33 +10,32 @@ steps:
     displayName: Create Annotation Digests Directory
   - template: /eng/common/templates/steps/run-imagebuilder.yml@self
     parameters:
-      name: AnnotateEOLImages
-      displayName: Annotate EOL Images
+      displayName: Annotate EOL Images (${{ parameters.acr.server }})
       serviceConnections:
       - name: acr
-        id: ${{ parameters.publishConfig.publishAcr.serviceConnection.id }}
-        tenantId: ${{ parameters.publishConfig.publishAcr.serviceConnection.tenantId }}
-        clientId: ${{ parameters.publishConfig.publishAcr.serviceConnection.clientId }}
+        id: ${{ parameters.acr.serviceConnection.id }}
+        tenantId: ${{ parameters.acr.serviceConnection.tenantId }}
+        clientId: ${{ parameters.acr.serviceConnection.clientId }}
       internalProjectName: internal
       condition: and(succeeded(), eq(variables['publishEolAnnotations'], 'true'))
       args: >-
         annotateEolDigests
-        ${{ parameters.dataFile }}
-        ${{ parameters.publishConfig.publishAcr.server }}
-        ${{ parameters.publishConfig.publishAcr.repoPrefix }}
+        "${{ parameters.dataFile }}"
+        "${{ parameters.acr.server }}"
+        "${{ parameters.acr.repoPrefix }}"
         $(artifactsPath)/annotation-digests/annotation-digests.txt
         $(dryRunArg)
   - template: /eng/common/templates/steps/publish-artifact.yml@self
     parameters:
       path: $(Build.ArtifactStagingDirectory)/annotation-digests
-      artifactName: annotation-digests-$(System.JobAttempt)
-      displayName: Publish Annotation Digests List
+      artifactName: annotation-digests-${{ parameters.acr.server }}-$(System.JobAttempt)
+      displayName: Publish Annotation Digests List (${{ parameters.acr.server }})
       internalProjectName: internal
       publicProjectName: public
       condition: and(succeeded(), eq(variables['publishEolAnnotations'], 'true'))
   - template: /eng/common/templates/steps/run-imagebuilder.yml@self
     parameters:
-      displayName: Wait for Annotation Ingestion
+      displayName: Wait for Annotation Ingestion (${{ parameters.acr.server }})
       serviceConnections:
       - name: mar
         id: $(marStatus.serviceConnection.id)

@@ -1,28 +1,33 @@
 parameters:
   repo: null
-  subscription: null
-  resourceGroup: null
   acr: null
   action: null
   age: null
-  customArgs: ""
+  customArgs: "--dry-run"
   internalProjectName: null
+  publishConfig: null
 steps:
   - template: /eng/common/templates/steps/run-imagebuilder.yml@self
     parameters:
-      displayName: Clean ACR Images - ${{ parameters.repo }}
+      # Options are documented in CleanAcrImagesOptions.cs
+      ${{ if eq(parameters.action, 'delete') }}:
+        displayName: "Delete ${{ parameters.repo }}"
+      ${{ elseif parameters.age }}:
+        displayName: "Clean ${{ parameters.repo }} (${{ parameters.action }} > ${{ parameters.age }}d)"
+      ${{ else }}:
+        displayName: "Clean ${{ parameters.repo }} (${{ parameters.action }})"
       serviceConnections:
       - name: acr
-        id: $(clean.serviceConnection.id)
-        tenantId: $(clean.serviceConnection.tenantId)
-        clientId: $(clean.serviceConnection.clientId)
+        id: ${{ parameters.publishConfig.cleanServiceConnection.id }}
+        tenantId: ${{ parameters.publishConfig.cleanServiceConnection.tenantId }}
+        clientId: ${{ parameters.publishConfig.cleanServiceConnection.clientId }}
       internalProjectName: ${{ parameters.internalProjectName }}
       args: >-
         cleanAcrImages
         ${{ parameters.repo }}
-        ${{ parameters.subscription }}
-        ${{ parameters.resourceGroup }}
-        ${{ parameters.acr }}
+        ${{ parameters.acr.subscription }}
+        ${{ parameters.acr.resourceGroup }}
+        ${{ parameters.acr.server }}
         --action ${{ parameters.action }}
         --age ${{ parameters.age }}
         ${{ parameters.customArgs }}
@@ -7,26 +7,39 @@ steps:
   - powershell: |
       if ("$env:ONEESPT_BUILDTYPE" -eq "Unofficial")
       {
-        echo "Build is from an unofficial pipeline, continuing..."
+        echo "Build is from an unofficial pipeline, continuing."
         exit 0
       }
 
-      if ("$(officialBranches)".Split(',').Contains("$(sourceBranch)") `
-          -and "$(officialRepoPrefixes)".Split(',').Contains("${{ parameters.publishConfig.publishAcr.repoPrefix }}"))
+      $isOfficialRepoPrefix = "$(officialRepoPrefixes)".Split(',').Contains("${{ parameters.publishConfig.publishAcr.repoPrefix }}")
+      if (-not $isOfficialRepoPrefix)
       {
-        echo "Conditions met for official build, continuing..."
+        echo "This build will not publish to an official repo prefix, continuing."
+        echo "Publish repo prefix: ${{ parameters.publishConfig.publishAcr.repoPrefix }}"
+        echo "Official repo prefixes: $(officialRepoPrefixes)"
         exit 0
       }
 
-      if (-not "$(officialRepoPrefixes)".Split(',').Contains("${{ parameters.publishConfig.publishAcr.repoPrefix }}"))
+      $isOfficialBranch = "$(officialBranches)".Split(',').Contains("$(sourceBranch)")
+      if ($isOfficialBranch)
       {
-        echo "This build is a test build, continuing..."
+        echo "$(sourceBranch) is an official branch, continuing."
+        echo "Official branches: $(officialBranches)"
         exit 0
       }
 
-      if ("${{ variables['overrideOfficialBranchValidation'] }}" -eq "true")
+      $hasOfficialBranchPrefix = $false
+      foreach ($prefix in "$(officialBranchPrefixes)".Split(',')) {
+        if ("$(sourceBranch)".StartsWith($prefix)) {
+          $hasOfficialBranchPrefix = $true
+          break
+        }
+      }
+
+      if ($hasOfficialBranchPrefix)
       {
-        echo "Variable overrideOfficialBranchValidation is set to true, continuing..."
+        echo "$(sourceBranch) has an official branch prefix, continuing."
+        echo "Official branch prefixes: $(officialBranchPrefixes)"
         exit 0
       }
 

@@ -1,5 +1,5 @@
 variables:
-  imageNames.imageBuilderName: mcr.microsoft.com/dotnet-buildtools/image-builder:2786011
+  imageNames.imageBuilderName: mcr.microsoft.com/dotnet-buildtools/image-builder:2817852
   imageNames.imageBuilder: $(imageNames.imageBuilderName)
   imageNames.imageBuilder.withrepo: imagebuilder-withrepo:$(Build.BuildId)-$(System.JobId)
   imageNames.testRunner: mcr.microsoft.com/dotnet-buildtools/prereqs:azurelinux3.0-docker-testrunner