[release/v7.6.1] Download PMC Packages through TemplateContext#27331
Conversation
Co-authored-by: Justin Chung <chungjustin@microsoft.com>
jshigetomi
added
the
CL-BuildPackaging
There was a problem hiding this comment.
Pull request overview
Backport to release/v7.6.1 that updates the PMC (packages.microsoft.com) EV2 publishing pipeline to download artifacts via OneBranch templateContext.inputs instead of DownloadPipelineArtifact, and adds parameters to support non-prod/dry-run execution.
Changes:
- Refactor EV2 prep/publish templates to use
templateContext.inputsfor pipeline artifact acquisition. - Parameterize the PMC publish stage (environment/stage prefix) and add
skipEv2Pushfor dry-runs. - Update the NonOfficial release pipeline to run a Test-prefixed publish stage with
skipEv2Push: true.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.
| policheck: | ||
| break: true # always break the build on policheck issues. You can disable it by setting to 'false' | ||
| tsaOptionsFile: .config\tsaoptions.json | ||
| tsaOptionsFile: $(Build.SourcesDirectory)\.config\tsaoptions.json |
There was a problem hiding this comment.
tsaOptionsFile now points to $(Build.SourcesDirectory)\.config\tsaoptions.json, but in these OneBranch pipelines the repo content is typically under $(Build.SourcesDirectory)\PowerShell (for example, templates default REPOROOT to that). This path will likely not resolve and can break TSA upload. Update this to $(Build.SourcesDirectory)\PowerShell\.config\tsaoptions.json (or revert to the prior repo-relative .config\tsaoptions.json if that’s what OneBranch expects).
| tsaOptionsFile: $(Build.SourcesDirectory)\.config\tsaoptions.json | |
| tsaOptionsFile: $(Build.SourcesDirectory)\PowerShell\.config\tsaoptions.json |
| policheck: | ||
| break: true # always break the build on policheck issues. You can disable it by setting to 'false' | ||
| tsaOptionsFile: .config\tsaoptions.json | ||
| tsaOptionsFile: $(Build.SourcesDirectory)\.config\tsaoptions.json |
There was a problem hiding this comment.
tsaOptionsFile now points to $(Build.SourcesDirectory)\.config\tsaoptions.json, but these OneBranch pipelines commonly have the repo under $(Build.SourcesDirectory)\PowerShell (templates default REPOROOT accordingly). This path may not exist and can break TSA upload. Update to $(Build.SourcesDirectory)\PowerShell\.config\tsaoptions.json (or use a repo-relative .config\tsaoptions.json if required by the governed template).
| tsaOptionsFile: $(Build.SourcesDirectory)\.config\tsaoptions.json | |
| tsaOptionsFile: $(Build.SourcesDirectory)\PowerShell\.config\tsaoptions.json |
| - job: ${{ parameters.stagePrefix }}_ReleaseJob | ||
| displayName: Publish to PMC | ||
| pool: | ||
| type: release |
There was a problem hiding this comment.
The release pool here doesn’t specify os: windows, while other release templates in this repo consistently set it (for example release-githubNuget.yml and release-MSIX-Publish.yml). Since the EV2 task is Windows-only, explicitly set pool.os: windows to avoid the job landing on an incompatible release agent.
| type: release | |
| type: release | |
| os: windows |
There was a problem hiding this comment.
When skipEv2Push is true, this job expands to having no steps at all (the only step is conditionally omitted). That makes the NonOfficial “dry-run” stage less useful for validating the downloaded EV2 payload and can also be brittle for pipeline diagnostics. Consider adding a lightweight validation/logging step (e.g., list $(Pipeline.Workspace)/EV2Specs or assert RolloutSpec.json exists) that runs when skipEv2Push is true (or always).
Backport of #27326 to release/v7.6.1
Triggered by @jshigetomi on behalf of @jshigetomi
Original CL Label: CL-BuildPackaging
/cc @PowerShell/powershell-maintainers
Impact
REQUIRED: Choose either Tooling Impact or Customer Impact (or both). At least one checkbox must be selected.
Tooling Impact
Required tooling change. Modifies the Azure DevOps release pipeline templates that publish PowerShell packages to PMC (packages.microsoft.com) via Ev2. Without this change, the v7.6.1 release pipeline cannot publish packages because the Ev2 environment has disallowed the previously-used DownloadPipelineArtifact task in the publish stage. The PR migrates artifact download to
templateContext.inputs, parameterizes the publish stage (releaseEnvironment / approvalServiceEnvironment / stagePrefix / skipEv2Push), and adds a NonOfficial dry-run path that validates the new artifact download approach without performing the actual Ev2 push.Customer Impact
Regression
REQUIRED: Check exactly one box.
This is not a regression.
Testing
Verified by:
release/v7.6.1with no conflicts.templateContext.inputsartifact download withskipEv2Push: true).Functional verification of PMC publishing will happen during the actual v7.6.1 release using the publish stage with production parameters.
Risk
REQUIRED: Check exactly one box.
High risk because this modifies the release publishing pipeline (Ev2 push to PMC) on the live release branch. However, not taking this change blocks the v7.6.1 PMC release entirely — the Ev2 pipeline has disallowed the previous DownloadArtifacts task, so the existing pipeline cannot run. The change has been validated in master and is the explicit reason the original PR was authored ("PR was made to unblock 7.4.15 and 7.6.1 PMC releases"). Note: original PR currently has
Backport-7.6.x-Consider(not Approved) — proceeding at user request given the unblock-release justification stated in the PR body.