Major Refactoring of Azure DevOps Pipelines (#26008)

This pull request introduces a significant refactoring of the Azure
Pipelines CI/CD infrastructure. The primary goals of these changes are
to:
1. Solve the problem that vcpkg/cmake version can get changed when the
CI build machine image changes, which can make pipeline suddenly broken
and interrupt our release process.
2. Reduce the `Zip-Nuget-Java-Nodejs Packaging Pipeline`'s running time
by changing how macOS universal2 binaries are built.
3. Add the support for RC releases for Java packages. 

#### Key Changes:

**1. Standardized Build Tool Setup (`setup-build-tools.yml`)**

A new reusable template, `setup-build-tools.yml`, has been created to
centralize the setup of essential build tools.

* **Pinned Dependencies:** This new template allows us to pin specific
versions of `cmake` and `vcpkg`, which was not previously possible. This
ensures a more stable and predictable build environment across all
pipelines.
* **Reduced Redundancy:** By consolidating the setup logic into a single
template, we have significantly reduced code duplication across numerous
pipeline files, making them cleaner and easier to maintain.

Currently this file is only used in macOS and Windows pipelines since
most Linux pipelines use docker to manage their environment.

**2. Reworked macOS Universal Binary Build Process**

The methodology for building macOS `universal2` binaries has been
fundamentally changed to improve reliability and flexibility.

* **Python Packaging:** The Python packaging pipeline will no longer
produce `universal2` wheels. Instead, it will generate separate wheels
for `x86_64` and `arm64` architectures.
* **NuGet C-API Packaging:** The NuGet C-API pipeline has been updated
to first build the `x86_64` and `arm64` binaries independently. These
single-architecture binaries are then combined to create the final
universal package, rather than building a `universal2` package in a
single pass.

The change is made mainly because:
- Building for both ARCHs in a single pass is too slow, which may take
about 5 hours in the ADO machine pool.
- A lot of MLAS features are disabled when ORT is built in such a way.

**3. Java Packaging and Testing Overhaul**

The Download_Java_Tools stage in "Zip-Nuget-Java-Nodejs Packaging
Pipeline" is deleted because it is no longer used. Previously it was
added to reduce the times of downloading the same java packages again
and again , which was to reduce download errors. Now we have setup a
private ADO feed for this.

Besides, there are some major changes to the pipeline that:

1. MD5 and SHA1 checksum files are provided along with the java package
files instead of SHA256. This is because Sonatype's official docs says
MD5/SHA1 checkcums are required while the others are optional. See:
https://central.sonatype.org/publish/requirements/#supply-javadoc-and-sources
. Now the publishing would fail if we don't have the MD5/SHA1 checksum
files.
2. The format of the checksum files is changed. Previously we used
Linux's sha256sum command to generate such files, so each checksum file
contains a hash value and a filename in the file content. However, it
was not the expected format. Sonatype expects that the file only
contains a hash value. This PR fixes the issue.
3. A few powershell scripts were rewritten in python to improve error
check and robustness
4. Added the support for generating RC packages. Previously we had to
manually modify the version numbers and manually do GPG sign.
5. Two new files `jar-packaging.yml` and `setup-maven.yml` were added.
We will use maven to fetch dependent packages(instead of directly HTTP
fetching) to improve supply chain security, because maven allows us
using a private feed to do so.


**4. Dockerfile Enhancements**

The Dockerfiles used in the CI have been updated to use a `BASEIMAGE`
argument. This makes them more flexible, allowing the base image to be
specified at build time, which simplifies maintenance and updates. It
will allow us to using different base image repos in different CI
environments. In the future we will change the Github Actions to only
fetch base images from public docker repos. Meanwhile, ADO packaging
pipelines will continue to use private repos.

**5. Improved Release Management**

The run_packaging_pipelines.py script has been updated to provide more
robust and explicit control over
the package versioning for different build scenarios. This clarifies the
process for generating nightly,
 release candidate (RC), and final release packages.

 The script now handles three distinct cases for package versioning:

* Nightly Packages: For regular CI builds (e.g., on the main branch),
the script triggers the packaging
pipelines in "nightly" mode. This sets the IsReleaseBuild parameter to
false and results in packages with
      a development version suffix (e.g., 1.2.3-dev-20250909-abcdef).

* Release Candidate (RC) Builds: To create a pre-release or RC build,
the script is run with the
--build-mode release flag, along with the --pre-release-suffix-string
(e.g., rc) and
--pre-release-suffix-number (e.g., 1) arguments. This sets the
IsReleaseBuild parameter to true and
passes the suffix information to the pipelines, resulting in a
semantically versioned pre-release package
      (e.g., 1.2.3-rc.1).

* Final Release Builds: For a final release, the script is run with
--build-mode release without any
pre-release suffix arguments. This sets IsReleaseBuild to true, and the
resulting package will have a
clean, final version number (e.g., 1.2.3) based on the VERSION_NUMBER
file.

Please note:
 - Java packages still only support the second and third mode.
 - Python packages only support the first and the last mode.

Author: snnn

java/build.gradle

@@ -4,7 +4,6 @@ plugins {
 	id 'signing'
 	id 'jacoco'
 	id "com.diffplug.spotless" version "6.25.0"
-	id "net.linguica.maven-settings" version "0.5"
 }
 
 allprojects {
@@ -14,17 +13,9 @@ allprojects {
 }
 
 project.group = "com.microsoft.onnxruntime"
-version = rootProject.file('../VERSION_NUMBER').text.trim()
-
 // cmake runs will inform us of the build directory of the current run
 def cmakeBuildDir = System.properties['cmakeBuildDir']
 def useCUDA = System.properties['USE_CUDA']
-def useROCM = System.properties['USE_ROCM']
-
-def adoArtifact = project.findProperty('adoArtifact')
-def adoAccessToken = project.findProperty('adoAccessToken')
-// Only publish to ADO feed if all two properties are set
-def publishToAdo = adoArtifact != null && adoAccessToken != null
 
 boolean enableTrainingApis = (System.properties['ENABLE_TRAINING_APIS'] ?: "0") == "1"
 def cmakeJavaDir = "${cmakeBuildDir}/java"
@@ -33,21 +24,14 @@ def cmakeNativeJniDir = "${cmakeJavaDir}/native-jni"
 def cmakeNativeTestDir = "${cmakeJavaDir}/native-test"
 def cmakeBuildOutputDir = "${cmakeJavaDir}/build"
 
-def mavenUser = System.properties['mavenUser']
-def mavenPwd = System.properties['mavenPwd']
-
 def tmpArtifactId = enableTrainingApis ? project.name + "-training" : project.name
-def mavenArtifactId = (useCUDA == null && useROCM == null) ? tmpArtifactId : tmpArtifactId + "_gpu"
+def mavenArtifactId = (useCUDA == null) ? tmpArtifactId : tmpArtifactId + "_gpu"
 
 def defaultDescription = 'ONNX Runtime is a performance-focused inference engine for ONNX (Open Neural Network Exchange) models.'
 def trainingDescription = 'ONNX Runtime Training is a training and inference package for ONNX ' +
 	'(Open Neural Network Exchange) models. This package is targeted for Learning on The Edge aka On-Device Training ' +
 	'See https://github.com/microsoft/onnxruntime-training-examples/tree/master/on_device_training for more details.'
 
-// We need to have a custom settings.xml so codeql can bypass the need for settings.security.xml
-mavenSettings {
-	userSettingsFileName = "${projectDir}/settings.xml"
-}
 
 java {
 	sourceCompatibility = JavaVersion.VERSION_17
@@ -202,16 +186,27 @@ test {
 	systemProperties System.getProperties().subMap([
 		'ENABLE_TRAINING_APIS',
 		'JAVA_FULL_TEST',
+		'USE_ACL',
+		'USE_ARMNN',
+		'USE_AZURE',
+		'USE_CANN',
 		'USE_COREML',
 		'USE_CUDA',
 		'USE_DML',
 		'USE_DNNL',
+		'USE_MIGRAPHX',
+		'USE_NNAPI',
+		'USE_NV',
 		'USE_OPENVINO',
-		'USE_ROCM',
-		'USE_TENSORRT',
 		'USE_QNN',
-		'USE_XNNPACK',
+		'USE_RKNPU',
+		'USE_SNPE',
+		'USE_TENSORRT',
+		'USE_VITISAI',
+		'USE_VSINPU',
 		'USE_WEBGPU',
+		'USE_WEBNN',
+		'USE_XNNPACK',
 		])
 	testLogging {
 		events "passed", "skipped", "failed"
@@ -233,13 +228,9 @@ publishing {
 	publications {
 		maven(MavenPublication) {
 			groupId = project.group
-			if(publishToAdo) {
-				artifactId = 'onnxruntime_gpu'
-				artifact (adoArtifact)
-			} else {
-				artifactId = mavenArtifactId
-				from components.java
-			}
+			artifactId = mavenArtifactId
+			from components.java
+
 			version = project.version
 			pom {
 				name = enableTrainingApis ? 'onnxruntime-training' : 'onnx-runtime'
@@ -270,42 +261,24 @@ publishing {
 			}
 		}
 	}
-	repositories {
-		if (publishToAdo) {
-			maven {
-				url "https://aiinfra.pkgs.visualstudio.com/PublicPackages/_packaging/${System.getenv('ADOFeedName')}/maven/v1"
-				name System.getenv('ADOFeedName')
-				authentication {
-					basic(BasicAuthentication)
-				}
-				credentials {
-					username  'aiinfra'
-					password "${project.findProperty('adoAccessToken')}"
-				}
-			}
-		} else {
-			maven {
-				url 'https://oss.sonatype.org/service/local/staging/deploy/maven2/'
-				credentials {
-					username mavenUser
-					password mavenPwd
-				}
-			}
-		}
-	}
 }
 // Generates a task signMavenPublication that will
 // build all artifacts.
 signing {
 	// Queries env vars:
 	// ORG_GRADLE_PROJECT_signingKey
 	// ORG_GRADLE_PROJECT_signingPassword but can be changed to properties
-		def signingKey = findProperty("signingKey")
-		def signingPassword = findProperty("signingPassword")
-		// Skip signing if no key is provided
-		if (signingKey != null && signingPassword != null) {
-			useInMemoryPgpKeys(signingKey, signingPassword)
-			sign publishing.publications.maven
-			sign publishing.publications.mavenAdo
-		}
+	def signingKey = findProperty("signingKey")
+	def signingPassword = findProperty("signingPassword")
+	// Skip signing if no key is provided
+	if (signingKey != null && signingPassword != null) {
+		useInMemoryPgpKeys(signingKey, signingPassword)
+		sign publishing.publications.maven
+	}
+}
+
+tasks.named('generatePomFileForMavenPublication') {
+	doFirst {
+		println "AGENT_LOG: Generating POM for version: ${project.version}"
+	}
 }

java/src/test/java/ai/onnxruntime/InferenceTest.java

@@ -693,12 +693,6 @@ public void testCUDA() throws OrtException {
     runProvider(OrtProvider.CUDA);
   }
 
-  @Test
-  @EnabledIfSystemProperty(named = "USE_ROCM", matches = "1")
-  public void testROCM() throws OrtException {
-    runProvider(OrtProvider.ROCM);
-  }
-
   @Test
   @EnabledIfSystemProperty(named = "USE_TENSORRT", matches = "1")
   public void testTensorRT() throws OrtException {
@@ -725,6 +719,18 @@ public void testDNNL() throws OrtException {
     runProvider(OrtProvider.DNNL);
   }
 
+  @Test
+  @EnabledIfSystemProperty(named = "USE_MIGRAPHX", matches = "1")
+  public void testMIGRAPHX() throws OrtException {
+    runProvider(OrtProvider.MI_GRAPH_X);
+  }
+
+  @Test
+  @EnabledIfSystemProperty(named = "USE_NNAPI", matches = "1")
+  public void testNNAPI() throws OrtException {
+    runProvider(OrtProvider.NNAPI);
+  }
+
   @Test
   @EnabledIfSystemProperty(named = "USE_XNNPACK", matches = "1")
   public void testXNNPACK() throws OrtException {

tools/ci_build/github/azure-pipelines/build-perf-test-binaries-pipeline.yml

@@ -7,7 +7,6 @@ parameters:
   default: true
 
 stages:
-
 # build binaries for Android
 - ${{ if parameters.BuildAndroidBinaries }}:
   - stage: BuildAndroidBinaries

tools/ci_build/github/azure-pipelines/c-api-noopenmp-packaging-pipelines.yml

@@ -122,29 +122,23 @@ extends:
         PreReleaseVersionSuffixString: ${{ parameters.PreReleaseVersionSuffixString }}
         PreReleaseVersionSuffixNumber: ${{ parameters.PreReleaseVersionSuffixNumber }}
 
-    - template: stages/download-java-tools-stage.yml
-
     - template: templates/c-api-cpu.yml
       parameters:
         RunOnnxRuntimeTests: ${{ parameters.RunOnnxRuntimeTests }}
         IsReleaseBuild: ${{ parameters.IsReleaseBuild }}
+        PreReleaseVersionSuffixString: ${{ parameters.PreReleaseVersionSuffixString }}
+        PreReleaseVersionSuffixNumber: ${{ parameters.PreReleaseVersionSuffixNumber }}
         ${{ if eq(parameters.NugetPackageSuffix, 'NONE') }}:
           OrtNugetPackageId: 'Microsoft.ML.OnnxRuntime'
         ${{ else }}:
           OrtNugetPackageId: 'Microsoft.ML.OnnxRuntime${{ parameters.NugetPackageSuffix }}'
         AdditionalBuildFlags: ''
         AdditionalWinBuildFlags: '--enable_onnx_tests ${{parameters.AdditionalBuildFlag}}'
         BuildVariant: 'default'
-        SpecificArtifact: ${{ parameters.SpecificArtifact }}
-        BuildId: ${{ parameters.BuildId }}
         QnnSDKVersion: ${{ parameters.QnnSdk }}
         is1ES: true
 
     - template: stages/java-cuda-packaging-stage.yml
-      parameters:
-        CudaVersion: 12.2
-        SpecificArtifact: ${{ parameters.SpecificArtifact }}
-        BuildId: ${{ parameters.BuildId }}
 
     - template: stages/nuget-combine-cuda-stage.yml
       parameters:
@@ -159,6 +153,8 @@ extends:
         buildNodejs: true
         SpecificArtifact: ${{ parameters.SpecificArtifact }}
         BuildId: ${{ parameters.BuildId }}
+        PreReleaseVersionSuffixString: ${{ parameters.PreReleaseVersionSuffixString }}
+        PreReleaseVersionSuffixNumber: ${{ parameters.PreReleaseVersionSuffixNumber }}
 
     - template: stages/nodejs-win-packaging-stage.yml
       parameters:

tools/ci_build/github/azure-pipelines/c-api-noopenmp-test-pipelines.yml

@@ -175,6 +175,8 @@ stages:
           artifact: 'Windows_Packaging_cuda_build_artifacts'
           displayName: 'Download Windows GPU Packages Build'
 
+        - template: templates/setup-build-tools.yml
+
         - task: CmdLine@2
           inputs:
             script: |
@@ -188,17 +190,6 @@ stages:
             jdkArchitectureOption: x64
             jdkSourceOption: 'PreInstalled'
 
-        - task: UsePythonVersion@0
-          inputs:
-            versionSpec: '3.12'
-            addToPath: true
-            architecture: x64
-
-        - task: PipAuthenticate@1
-          displayName: 'Pip Authenticate'
-          inputs:
-            artifactFeeds: 'Lotus'
-
         - task: PythonScript@0
           displayName: 'Update CTest Path References'
           inputs:
@@ -207,10 +198,6 @@ stages:
               "$(Build.BinariesDirectory)/RelWithDebInfo/CTestTestfile.cmake"
               "$(Build.BinariesDirectory)/RelWithDebInfo"
 
-        - task: NodeTool@0
-          inputs:
-            versionSpec: '22.x'
-
         - template: templates/jobs/download_win_gpu_library.yml
           parameters:
             CudaVersion: 12.2
@@ -223,12 +210,6 @@ stages:
             scriptPath: '$(Build.SourcesDirectory)\tools\ci_build\build.py'
             arguments: '--config RelWithDebInfo --use_binskim_compliant_compile_flags --enable_lto --disable_rtti --build_dir $(Build.BinariesDirectory) --skip_submodule_sync --build_shared_lib --test --enable_onnx_tests'
             workingDirectory: '$(Build.BinariesDirectory)'
-        # Previous stage only assembles the java binaries, testing will be done in this stage with GPU machine
-        - template: templates/make_java_win_binaries.yml
-          parameters:
-            msbuildPlatform: x64
-            java_artifact_id: onnxruntime_gpu
-            buildOnly: false
 
 - stage: Windows_Packaging_Tensorrt_Testing
   dependsOn: Setup
@@ -242,12 +223,13 @@ stages:
         - checkout: self
           clean: true
           submodules: none
-
-
+        
         - download: build
           artifact: 'Windows_Packaging_tensorrt_build_artifacts'
           displayName: 'Download Windows GPU Packages Build'
 
+        - template: templates/setup-build-tools.yml
+
         - task: CmdLine@2
           inputs:
             script: |
@@ -260,18 +242,7 @@ stages:
             versionSpec: "17"
             jdkArchitectureOption: x64
             jdkSourceOption: 'PreInstalled'
-
-        - task: UsePythonVersion@0
-          inputs:
-            versionSpec: '3.12'
-            addToPath: true
-            architecture: x64
-
-        - task: PipAuthenticate@1
-          displayName: 'Pip Authenticate'
-          inputs:
-            artifactFeeds: 'Lotus'
-
+       
         - task: PythonScript@0
           displayName: 'Update CTest Path References'
           inputs:
@@ -280,10 +251,6 @@ stages:
               "$(Build.BinariesDirectory)/RelWithDebInfo/CTestTestfile.cmake"
               "$(Build.BinariesDirectory)/RelWithDebInfo"
 
-        - task: NodeTool@0
-          inputs:
-            versionSpec: '22.x'
-
         - template: templates/jobs/download_win_gpu_library.yml
           parameters:
             CudaVersion: 12.2
@@ -295,10 +262,4 @@ stages:
           inputs:
             scriptPath: '$(Build.SourcesDirectory)\tools\ci_build\build.py'
             arguments: '--config RelWithDebInfo --use_binskim_compliant_compile_flags --enable_lto --disable_rtti --build_dir $(Build.BinariesDirectory) --skip_submodule_sync --build_shared_lib --test --enable_onnx_tests'
-            workingDirectory: '$(Build.BinariesDirectory)'
-        # Previous stage only assembles the java binaries, testing will be done in this stage with GPU machine
-        - template: templates/make_java_win_binaries.yml
-          parameters:
-            msbuildPlatform: x64
-            java_artifact_id: onnxruntime_gpu
-            buildOnly: false
+            workingDirectory: '$(Build.BinariesDirectory)'

tools/ci_build/github/azure-pipelines/cuda-packaging-pipeline.yml

@@ -123,11 +123,9 @@ extends:
         buildNodejs: false
         SpecificArtifact: ${{ parameters.SpecificArtifact }}
         BuildId: ${{ parameters.BuildId }}
+        PreReleaseVersionSuffixString: ${{ parameters.PreReleaseVersionSuffixString }}
+        PreReleaseVersionSuffixNumber: ${{ parameters.PreReleaseVersionSuffixNumber }}
 
     - template: stages/download-java-tools-stage.yml
 
     - template: stages/java-cuda-packaging-stage.yml
-      parameters:
-        CudaVersion: ${{ parameters.CudaVersion }}
-        SpecificArtifact: ${{ parameters.SpecificArtifact }}
-        BuildId: ${{ parameters.BuildId }}

tools/ci_build/github/azure-pipelines/custom-nuget-packaging-pipeline.yml

@@ -92,6 +92,8 @@ extends:
 
       - template: templates/win-ci.yml
         parameters:
+          PreReleaseVersionSuffixString: ${{ parameters.PreReleaseVersionSuffixString }}
+          PreReleaseVersionSuffixNumber: ${{ parameters.PreReleaseVersionSuffixNumber }}
           ort_build_pool_name: 'onnxruntime-Win2022-GPU-A10'
           DoCompliance: false
           DoEsrp: true
@@ -124,7 +126,6 @@ extends:
       - template: templates/mac-cpu-packaging-pipeline.yml
         parameters:
           AllowReleasedOpsetOnly: 1
-          BuildForAllArchs: true
           AdditionalBuildFlags: '--use_webgpu --skip_tests'
           DoEsrp: true