Move out HAF and TFA build to pipeline and consume the bins locally (#1227)

## Description

For SBSA, move out HAF and TFA build to GitHub workflow and consume the
bins locally.
Eliminates need for local developer to rely on HAF/TFA build steps via a
new `HAF_TFA_BUILD` build flag set to `FALSE` by default.

The GitHub Workflow on Release will run `stuart_build` with
`HAF_TFA_BUILD=TRUE` and publishes the Hafnium and TFA binaries for
consumption as a part of the GitHub release. It will also publish a file
`fip_blob_manifest.json` which is generated using the output of the
fiptool from TFA against fip.bin. This is needed because the fiptool
reports offsets that are necessary to patch up the fip.bin if we want to
employ this method of building SBSA with HAF/TFA bins being pulled down
from an extdep.

The GitHub workflow runs the end-to-end build with `HAF_TFA_BUILD=TRUE`
only on GitHub releases. We will not publish the binaries after building
on arbitrary PR runs, but will still run stuart_build with
`HAF_TFA_BUILD=TRUE`.
On github releases, the version number and sha for the extdep must also
be updated for every release, as the contents of the binaries and the
json manifest, `fip_blob_manifest.json` needs to get updated also.

Once this and #1229
are merged, a developer can build SBSA like they would normally, however
the default behavior for building the Hafnium and TFA binaries will be
to use the extdep through `stuart_update`. Along with this, the
Post-Build step will now patch the extdep binaries with the contents of
the secure partitions that the local developer has built as a part of
`stuart_build`. For more advanced use cases, where the developer would
need to modify the secure partition DTS files, or if the developer
changes the .fd files to be larger than the size reported in the
`fip_blob_manifest.json`, then the developer would have to use
`HAF_TFA_BUILD=TRUE` in their `stuart_build` step as an argument.

After this PR is merged, we need to make a formal GitHub release so that
the necessary binaries and artifacts can be published as a part of that
release.

For details on how to complete these options and their meaning refer to
[CONTRIBUTING.md](https://github.com/microsoft/mu/blob/HEAD/CONTRIBUTING.md).

- [ ] Impacts functionality?
- [ ] Impacts security?
- [ ] Breaking change?
- [ ] Includes tests?
- [ ] Includes documentation?

## How This Was Tested

Tested on my fork by doing a release and making this pr and watching the
pipeline build publish the bins to test13 release on my fork
https://github.com/eeshanl/mu_tiano_platforms/releases/tag/test13_tag
but skips the just the publish step on this pr.

pr pipeline run:
https://github.com/microsoft/mu_tiano_platforms/actions/runs/17990944480/job/51180666584?pr=1227
release pipeline run:
https://github.com/eeshanl/mu_tiano_platforms/actions/runs/18020305440/job/51275744986


And then locally tested the ext_deps step by pointing to this release.

## Integration Instructions

This PR must be merged first, then make a release to autopopulate new ext_dep artifacts.

Author: eeshanl

.github/workflows/build-haf-tfa.yml

@@ -0,0 +1,83 @@
+# This workflow automatically publishes the HAF and TFA binaries for a given
+# release.
+#
+# Copyright (c) Microsoft Corporation.
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+
+name: Hafnium and Trusted Firmware-A Build
+
+on:
+  release:
+    types:
+      - published
+  pull_request:
+    branches:
+      - '**'  # Matches all branches
+    paths:
+      - 'Platforms/QemuSbsaPkg/**'
+      - 'Silicon/Arm/**'
+  workflow_dispatch:
+
+jobs:
+  build:
+    name: Hafnium and Trusted Firmware-A Build
+    runs-on: ubuntu-24.04
+    container:
+      image: ghcr.io/microsoft/mu_devops/ubuntu-24-dev:latest
+
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+
+      - name: Install Pip Modules
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r pip-requirements.txt
+
+      - name: Configure Git identity
+        run: |
+          git config --global user.name "github-actions[bot]"
+          git config --global user.email "github-actions[bot]@users.noreply.github.com"
+          git config --global --add safe.directory $GITHUB_WORKSPACE
+
+      - name: Stuart Setup
+        run: python Platforms/QemuSbsaPkg/PlatformBuild.py --setup
+
+      - name: Stuart Update
+        run: python Platforms/QemuSbsaPkg/PlatformBuild.py --update
+
+      - name: Stuart Build
+        run: python Platforms/QemuSbsaPkg/PlatformBuild.py HAF_TFA_BUILD=TRUE
+
+      - name: Install archive tools
+        if: github.event_name == 'release'
+        run: |
+          apt-get update -y
+          apt-get install -y zip tar gh
+
+      - name: Create per-target archives
+        if: github.event_name == 'release'
+        shell: bash
+        run: |
+          set -euo pipefail
+          BIN_DIR="Build/QemuSbsaPkg/DEBUG_GCC5/HafTfaBins"
+          echo "Packaging binaries from ${BIN_DIR}"
+          if [ ! -d "$BIN_DIR" ]; then
+            echo "Binary directory not found: $BIN_DIR" >&2
+            exit 1
+          fi
+          ZIP_PATH="${RUNNER_TEMP}/haf-tfa-firmware-${{ github.event.release.tag_name }}.zip"
+          TAR_PATH="${RUNNER_TEMP}/haf-tfa-firmware-${{ github.event.release.tag_name }}.tar.gz"
+          (cd "$BIN_DIR" && zip -r "$ZIP_PATH" .)
+          (cd "$BIN_DIR" && tar -czf "$TAR_PATH" .)
+          echo "Created archives:"
+          ls -lh "$ZIP_PATH" "$TAR_PATH"
+
+      - name: Upload Release Assets
+        if: github.event_name == 'release'
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh release upload "${{ github.event.release.tag_name }}" "${RUNNER_TEMP}"/*.zip
+          gh release upload "${{ github.event.release.tag_name }}" "${RUNNER_TEMP}"/*.tar.gz

Platforms/QemuSbsaPkg/Binaries/haf_tfa_binaries_ext_dep.yaml

@@ -0,0 +1,21 @@
+##
+# Download the compiled HAF and TFA bins from the github release
+#
+# Copyright (c) 2025, Microsoft Corporation
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+scope: qemusbsa
+id: haf-tfa-bin
+type: web
+name: HAF_TFA_BUILD
+source: https://github.com/microsoft/mu_tiano_platforms/releases/download/v10.0.0/haf-tfa-firmware-v10.0.0.zip
+
+version: v10.0.0
+sha256: 9970d7d17d18506c0e91092e17d47655c0eb5f1ca41b3e78580be9889010f911
+internal_path: /
+compression_type: zip
+flags:
+  - set_shell_var
+  - set_build_var
+  - set_path
+var_name: HAF_TFA_BINS