Build and release activity separated in release pipeline (#446)

d3r3kk · web-flow · commit ff4143c2841d · 2025-06-28T08:41:04.000-07:00
* Udpate pipeline to classify as a 'release job' for internal Microsoft compliance.
  * Separate the release tasks from the build tasks (requirement of 1ES template).
  * Added missing template context for the build job.
* Upgrade pool used to Azure Linux (3.0) as Mariner 2.0 is being deprecated in July.
  * Use our test pool to ensure the new Azure Linux machines are set up properly
  * Corrections for Azure Linux agents
* Disable guardian anti-malware scan, not supported on AzLinux yet.
  * Dry-runs should not fail the build.
NOTE: Pool remains on JEG-test-pool until after the July PSU.
diff --git a/.devops/gctoolkit-release.yml b/.devops/gctoolkit-release.yml
@@ -42,7 +42,7 @@ extends:
   template: v1/1ES.Official.PipelineTemplate.yml@1esPipelines
   parameters:
     pool:
-      name: JEG-mariner2.0-x64-release
+      name: JEG-test-pool
       os: linux
     sdl:
       sourceAnalysisPool:
@@ -60,12 +60,36 @@ extends:
         - job: build_gctoolkit
           workspace:
             clean: all
-          displayName: Build with Maven
+          displayName: Build GCToolkit with Maven
+          templateContext:
+          # Disable Defender for Linux since it is not supported by Azure Linux.
+          # More info here: https://eng.ms/docs/cloud-ai-platform/devdiv/one-engineering-system-1es/1es-docs/1es-pipeline-templates/features/sdlanalysis/antimalware
+            sdl:
+              antimalwareScan:
+                enabled: false
+                justificationForDisabling: Disabling Defender for Linux as its not supported in Azure Linux 3
+            outputs:
+            - output: pipelineArtifact
+              targetPath: $(Build.ArtifactStagingDirectory)/staging
+              artifactName: staged-artifacts
+
           steps:
             - checkout: gctoolkit
               path: gctoolkit
               clean: true
 
+            # Find out what is installed on the agents...
+            - bash: |
+                echo "Installed Tools and versions:"
+                find /opt/hostedtoolcache -mindepth 1 -type d | while read dir; do
+                  if [[ "$dir" == *jdk* ]]; then
+                    echo "👉 $dir"
+                  else
+                    echo "$dir"
+                  fi
+                done
+              displayName: 'Show installed tools'
+
             # Use modern Java to build
             - task: JavaToolInstaller@0
               inputs:
@@ -200,11 +224,23 @@ extends:
               workingDirectory: $(Build.ArtifactStagingDirectory)
               displayName: Create sha256sums
 
-            - task: 1ES.PublishPipelineArtifact@1
-              inputs:
-                targetPath: '$(Build.ArtifactStagingDirectory)/staging'
-                artifactName: staged-artifacts
 
+        # Release jobs have to be separated from build jobs for our internal release service to be compliant
+        - job: release_gctoolkit_to_maven_central
+          dependsOn: build_gctoolkit
+          workspace:
+            clean: all
+          displayName: Release GCToolkit to Maven Central
+          templateContext:
+            type: releaseJob
+            isProduction: true
+            inputs: # Pull the staged artifacts from the build job.
+            - input: pipelineArtifact
+              artifactName: staged-artifacts
+              targetPath: '$(Build.ArtifactStagingDirectory)/staging'
+
+          steps:
+            # ESRP Release task docs at aka.ms/esrp under 'ESRP Portal Help'
             - task: EsrpRelease@8
               inputs:
                 connectedservicename: 'JEG-Tooling-Prod'
@@ -214,6 +250,8 @@ extends:
                 clientid: '516af6d8-6ab4-4069-8f64-b18c64d16688'
                 intent: 'PackageDistribution'
                 # Test with contentype PyPI to avoid publishing to Maven Central
+                # NOTE: This is the guidance given in ESRP portal for testing
+                #       the flow during dry-runs, see aka.ms/esrp.
                 ${{ if eq(parameters.release_type, 'release') }}:
                   contenttype: 'Maven'
                 ${{ else }}:
@@ -222,8 +260,12 @@ extends:
                 folderlocation: '$(Build.ArtifactStagingDirectory)/staging/com/microsoft/gctoolkit'
                 waitforreleasecompletion: true
                 owners: 'dekeeler@microsoft.com'
-                approvers: 'milderhc@microsoft.com,john.oliver@microsoft.com,dagrieve@microsoft.com,kirk.pepperdine@microsoft.com'
+                approvers: 'maverbur@microsoft.com,john.oliver@microsoft.com'
                 serviceendpointurl: 'https://api.esrp.microsoft.com'
                 mainpublisher: 'ESRPRELPACMAN'
                 domaintenantid: '33e01921-4d64-4f8c-a055-5bdaffd5e33d'
               displayName: 'Publish to Maven Central'
+              # For non-release runs, allow this task to fail (it should!) so the
+              # pipeline does not appear to fail when it doesn't.
+              continueOnError: ${{ ne(parameters.release_type, 'release') }}
+
diff --git a/.devops/weekly-build.yml b/.devops/weekly-build.yml
@@ -12,7 +12,7 @@ variables:
   JAVA_HOME_11_X64: /usr/lib/jvm/msopenjdk-11
 
 pool:
-  name: JEG-mariner2.0-x64-release
+  name: JEG-azurelinux-x64-release
 
 steps:
   - task: JavaToolInstaller@0
