Prevent scanning/signing of unrelated packages#3998
samsharma2700 wants to merge 6 commits into main from
Conversation
Pull request overview
This PR changes the build/pipeline directory layout so OneBranch ESRP signing and OneBranch artifact publishing only operate on NuGet packages produced by the current job, avoiding re-scanning/re-signing already-signed dependency packages downloaded from earlier stages.
Changes:
- Redirect NuGet pack output from `packages/` to a new repo-root `output/` directory (MSBuild + OneBranch pipeline variables/templates).
- Update OneBranch templates to use `output/` for `ob_outputDirectory` and default `nuget pack -OutputDirectory`.
- Update cleanup and repo ignores to account for the new `output/` folder.
Reviewed changes
Copilot reviewed 5 out of 6 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| src/Directory.Build.props | Changes default PackagesDir to $(RepoRoot)output\ so MSBuild PackageOutputPath writes to output/. |
| eng/pipelines/libraries/common-variables.yml | Updates PACK_OUTPUT to $(REPO_ROOT)/output and documents separation from packages/. |
| eng/pipelines/common/templates/steps/generate-nuget-package-step.yml | Changes default outputDirectory parameter to $(Build.SourcesDirectory)/output. |
| eng/pipelines/common/templates/jobs/publish-nuget-package-job.yml | Updates ob_outputDirectory to $(Build.SourcesDirectory)/output. |
| build.proj | Updates Clean to delete generated *.nupkg/*.snupkg from output/ instead of packages/. |
| .gitignore | Ignores the new output/ directory. |
…amsharma2700/fix_singning_packages # Conflicts: # eng/pipelines/onebranch/jobs/publish-nuget-package-job.yml
Can you paste a link in the description to a successful non-official build with this change?

Link to the non-official build: https://sqlclientdrivers.visualstudio.com/ADO.Net/_build/results?buildId=142300&view=results
Codecov Report
✅ All modified and coverable lines are covered by tests.
Additional details and impacted files

Coverage diff (main vs. #3998):

| | main | #3998 | +/- |
|---|---|---|---|
| Coverage | 74.38% | 67.06% | -7.33% |
| Files | 287 | 282 | -5 |
| Lines | 43982 | 67171 | +23189 |
| Hits | 32717 | 45048 | +12331 |
| Misses | 11265 | 22123 | +10858 |
Flags with carried forward coverage won't be shown.
mdaigle left a comment
Looks good. Will also review the unofficial pipeline run before approving.
The Non-Official run's artifacts look better now. Each package's artifacts only contain that package's .nuget files. Well done!
I do still see extra dlls getting signed in the mds job (for abstractions and logging). Maybe we can correct that in a follow up PR. All other jobs look good.
https://sqlclientdrivers.visualstudio.com/ADO.Net/_build/results?buildId=142444&view=logs&j=67e5cce3-cf4d-502d-4e4e-0012da109ce2&t=faf3e756-f191-5b4b-8a51-37897c063709
Description
(Part 1 of 2) OneBranch pipeline jobs download dependency packages from previous stages into `packages/`, and the build also outputs newly-built NuGet packages into `packages/`. Since `ob_outputDirectory` and ESRP signing both operate on `packages/` with a `*.*nupkg` glob, they scan, sign, and upload all packages in the directory, including ones downloaded from previous stages that were already signed.
Solution
Redirect NuGet pack output from `packages/` to a new top-level `output/` directory, giving each concern its own location:
- `packages/`: Downloaded NuGets from previous stages (NuGet.config local feed for restore)
- `artifacts/`: Intermediate build output - DLLs, PDBs (unchanged)
- `apiScan/`: Signed DLLs/PDBs copied for APIScan (unchanged)
- `output/`: Built .nupkg/.snupkg - ESRP NuGet signing, ob_outputDirectory, OneBranch artifact upload
Notes
This PR (Part 1) covers the OneBranch official/non-official pipelines, the ones that do ESRP signing, package validation and NuGet releases. It also covers the MSBuild build system (PackagesDir, Clean target) which is shared across both.
Part 2 will cover the CI/PR validation pipelines, the ones that build packages for testing during pull requests and continuous integration, using packagePath and ci-build-nugets-job.yml.
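The following is an added example, not code from this PR or the SqlClient repository: it models the two directory layouts the description contrasts and shows a guard check a pipeline could run before signing, flagging any file matched by the `*.*nupkg` glob whose package id is not one the current job builds. The package names, the `Contoso.*` ids and the `package_id` helper are constructed for the example.

```python
import re
import tempfile
from pathlib import Path

# Constructed package names for the example; they are not real dependency ids.
DOWNLOADED = ["Contoso.Abstractions.1.0.0.nupkg", "Contoso.Logging.1.0.0.nupkg"]
BUILT = ["Contoso.Client.2.0.0.nupkg", "Contoso.Client.2.0.0.snupkg"]
BUILT_IDS = ["Contoso.Client"]  # package ids this job is responsible for


def signing_inputs(directory):
    """Files an ESRP-style '*.*nupkg' glob picks up (both .nupkg and .snupkg)."""
    return sorted(p.name for p in Path(directory).glob("*.*nupkg"))


def package_id(filename):
    """Recover the NuGet id from 'Id.Version.nupkg' (hypothetical helper): the id
    ends just before the first purely numeric dot-separated segment."""
    parts = re.sub(r"\.s?nupkg$", "", filename).split(".")
    for i, part in enumerate(parts):
        if part.isdigit():
            return ".".join(parts[:i])
    raise ValueError(f"no version segment in {filename}")


def unexpected_packages(directory, expected_ids):
    """Signing inputs whose id is not one this job builds. A non-empty result
    means the signing/publish step would touch packages from another stage."""
    allowed = set(expected_ids)
    return [f for f in signing_inputs(directory) if package_id(f) not in allowed]


def make_layouts(root):
    """Create both layouts under root: 'before' (everything in packages/) and
    'after' (downloaded deps stay in packages/, built packages go to output/)."""
    before, after = Path(root, "before"), Path(root, "after")
    (before / "packages").mkdir(parents=True)
    for name in DOWNLOADED + BUILT:
        (before / "packages" / name).touch()
    for sub, names in (("packages", DOWNLOADED), ("output", BUILT)):
        (after / sub).mkdir(parents=True)
        for name in names:
            (after / sub / name).touch()
    return before, after


def run_check():
    """Return the unexpected signing inputs for the before and after layouts."""
    with tempfile.TemporaryDirectory() as tmp:
        before, after = make_layouts(tmp)
        return (unexpected_packages(before / "packages", BUILT_IDS),
                unexpected_packages(after / "output", BUILT_IDS))
```

In the old layout the check reports the two downloaded dependency packages; once built packages are written to `output/` and that directory is the only signing input, it reports nothing.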