[Release 6.1] OneBranch Governed Release templates #4230

Merged: cheenamalhotra merged 25 commits into release/6.1 from dev/cheena/6.1-gov-templates on Apr 24, 2026

@cheenamalhotra
Member

Description

Migrates the official and non-official OneBranch pipelines to use Governed Templates (v2/OneBranch.Official.CrossPlat.yml / v2/OneBranch.NonOfficial.CrossPlat.yml), consolidates variable definitions, and fixes several build issues including broken AKV provider builds.

Changes

Pipeline restructuring

  • Added new governed-template-based pipeline definitions: sqlclient-official.yml
  • Consolidated common variables into common-variables.yml (replaces fragmented variable files)
  • Moved step/job/variable templates from scattered locations into onebranch for a consistent layout
  • Added publish-nuget-package-job.yml for NuGet release stage

Symbols publishing

  • Parameterized symbol server and project name via symbols-variables-v3 variable group
  • Replaced hardcoded Azure subscription and project names with variable references

Other

  • Installed .NET 10 SDK runtime by default for ESRP code signing task compatibility
  • Removed obsolete files: akv-official-pipeline.yml, dotnet-sqlclient-signing-pipeline.yml, compound-esrp-code-signing-step.yml, and old variable files
  • Updated global.json SDK version

cheenamalhotra and others added 21 commits March 10, 2026 23:55
Co-authored-by: Copilot <copilot@github.com>
Co-authored-by: Copilot <copilot@github.com>
Copilot AI review requested due to automatic review settings April 23, 2026 08:25
@github-project-automation github-project-automation Bot moved this to To triage in SqlClient Board Apr 23, 2026
Contributor

Copilot AI left a comment

Pull request overview

Migrates the release/6.1 Azure DevOps OneBranch pipelines to Governed Templates v2, consolidating variables/templates and introducing new official/non-official pipeline entrypoints plus an on-demand NuGet release stage.

Changes:

  • Adds new governed-template-based OneBranch pipelines for official and non-official builds.
  • Consolidates and relocates variable/step/job templates under eng/pipelines/onebranch/.
  • Updates signing/symbol publishing wiring and bumps SDK tooling (global.json, default .NET runtime install).

Reviewed changes

Copilot reviewed 22 out of 33 changed files in this pull request and generated 5 comments.

| File | Description |
| --- | --- |
| global.json | Bumps pinned .NET SDK patch version. |
| eng/pipelines/variables/onebranch-variables.yml | Removes legacy variable file (replaced by OneBranch-scoped variables). |
| eng/pipelines/variables/esrp-signing-variables.yml | Removes legacy ESRP signing variable group include (moved to consolidated variables). |
| eng/pipelines/variables/common-variables.yml | Removes legacy common variables (replaced by OneBranch-scoped variables). |
| eng/pipelines/variables/akv-official-variables.yml | Removes AKV-specific legacy variables (moved to consolidated variables). |
| eng/pipelines/steps/install-dotnet.yml | Changes default runtime installation to include .NET 10. |
| eng/pipelines/steps/compound-esrp-code-signing-step.yml | Removes older compound ESRP signing step template. |
| eng/pipelines/onebranch/variables/variables.yml | New OneBranch variables entry template. |
| eng/pipelines/onebranch/variables/build-variables.yml | New OneBranch build variable aggregation template. |
| eng/pipelines/onebranch/variables/common-variables.yml | New consolidated variables (versions, symbols, ESRP, paths). |
| eng/pipelines/onebranch/variables/mds-variables.yml | Adds MDS variable group include for release-related values. |
| eng/pipelines/onebranch/variables/mds-validation-variables.yml | Adds validation variables for signed package verification. |
| eng/pipelines/onebranch/steps/script-output-environment-variables-step.yml | Adds env-dump helper step. |
| eng/pipelines/onebranch/steps/roslyn-analyzers-akv-step.yml | Fixes repo-root variable usage for AKV analyzer build step. |
| eng/pipelines/onebranch/steps/publish-symbols-step.yml | Updates symbols publishing to use variable-driven subscription/project identifiers. |
| eng/pipelines/onebranch/steps/esrp-code-signing-step.yml | Updates ESRP steps (task versions, variable wiring). |
| eng/pipelines/onebranch/steps/copy-dlls-for-test-step.yml | Adds step to stage DLLs/PDBs for downstream SDL validation tasks. |
| eng/pipelines/onebranch/steps/compound-publish-symbols-step.yml | Adds a reusable symbol publish/upload compound step. |
| eng/pipelines/onebranch/steps/compound-nuget-pack-step.yml | Adds a reusable NuGet pack compound step. |
| eng/pipelines/onebranch/steps/compound-extract-akv-apiscan-files-step.yml | Adds step to extract AKV binaries for ApiScan inputs. |
| eng/pipelines/onebranch/steps/compound-build-akv-step.yml | Updates AKV build step to use consolidated repo-root variable naming. |
| eng/pipelines/onebranch/steps/code-analyze-step.yml | Adds code analysis step wrapper (Roslyn analyzers + Code Inspector). |
| eng/pipelines/onebranch/steps/build-all-configurations-signed-dlls-step.yml | Adds build step to produce signed DLLs across configurations. |
| eng/pipelines/onebranch/sqlclient-official.yml | New governed-template official pipeline definition (build/validate/add-ons/release). |
| eng/pipelines/onebranch/sqlclient-non-official.yml | New governed-template non-official pipeline definition. |
| eng/pipelines/onebranch/jobs/validate-signed-package-job.yml | Updates job template paths and gates signature verification by “official build” flag. |
| eng/pipelines/onebranch/jobs/publish-nuget-package-job.yml | Adds reusable job template for gated NuGet publishing. |
| eng/pipelines/onebranch/jobs/build-signed-package-job.yml | Rewires build job to new steps/variables and gates signing to official builds. |
| eng/pipelines/onebranch/jobs/build-akv-official-job.yml | Rewires AKV job to new steps/variables and gates signing to official builds. |
| eng/pipelines/libraries/common-variables.yml | Removes legacy variables file superseded by OneBranch equivalents. |
| eng/pipelines/dotnet-sqlclient-signing-pipeline.yml | Removes older governed-template pipeline entrypoint (superseded). |
| eng/pipelines/common/templates/jobs/run-tests-package-reference-job.yml | Removes legacy job template (pipeline restructure). |
| eng/pipelines/akv-official-pipeline.yml | Removes legacy AKV pipeline entrypoint (superseded). |

Comments suppressed due to low confidence (6)

eng/pipelines/onebranch/steps/esrp-code-signing-step.yml:127

  • There is an extra nested inputs: key under the EsrpCodeSigning@6 task (pkg signing). This makes the YAML invalid for the task inputs and will cause the pipeline to fail to parse/run. Remove the stray inputs: line so the inputs map is defined once.

eng/pipelines/onebranch/jobs/build-akv-official-job.yml:72

  • The defaults for symbolsPublishProjectName, symbolsPublishServer, and symbolsPublishTokenUri reference $(SymbolsPublishProjectName), $(SymbolsPublishServer), and $(SymbolsPublishTokenUri), but the shared variables/group only defines the suffixed variants (e.g., SymbolsPublishProjectNameSqlClient, SymbolsPublishServerProd/Ppe, SymbolsPublishTokenUriProd/Ppe in eng/pipelines/onebranch/variables/common-variables.yml). As-is, these will expand to empty unless additional variables exist externally. Update these defaults (or make the parameters required) to use the actual variable names.

eng/pipelines/onebranch/steps/esrp-code-signing-step.yml:23

  • ESRPConnectedServiceName defaults to $(SigningESRPConnectedServiceName), but the repo’s signing variable name is SigningEsrpConnectedServiceName (see eng/pipelines/onebranch/variables/common-variables.yml). As-is, the ESRP tasks will get an empty service connection name and fail. Rename this default to the correct variable name (or make it a required parameter).

eng/pipelines/onebranch/steps/esrp-code-signing-step.yml:56

  • For DLL signing, FolderPath is set to ${{ parameters.sourceRoot }} (defaults to $(REPOROOT)), so ESRP malware scanning/signing will recurse over the whole repo (including sources and any incidental .dll files), rather than just the build output. Consider changing the default to the build output folder (e.g., $(Build.SourcesDirectory)\artifacts\...) and/or require callers to pass an explicit output path to avoid signing unintended binaries and reduce runtime.

eng/pipelines/onebranch/jobs/build-akv-official-job.yml:138

  • This template still uses $(ARTIFACT_PATH) as the NuGet pack outputDirectory, but ARTIFACT_PATH is no longer defined anywhere in the repo after the variable template consolidation. This will resolve to empty and likely break packaging/publishing. Use $(artifactDirectory) (defined in eng/pipelines/onebranch/variables/common-variables.yml) or reintroduce an ARTIFACT_PATH alias in the shared variables template.

eng/pipelines/onebranch/steps/publish-symbols-step.yml:68

  • This template’s publishSymbols parameter is a string and the conditions use eq(parameters.publishSymbols, 'true'), but upstream callers pass a boolean. In template expressions eq(true, 'true') is false, so symbol publishing can be skipped even when enabled. Consider changing publishSymbols to type: boolean and updating the conditions to compare against true (or consistently pass a lowercase string).

Comment thread eng/pipelines/onebranch/sqlclient-official.yml
Comment thread eng/pipelines/onebranch/sqlclient-official.yml Outdated
Comment thread eng/pipelines/onebranch/variables/common-variables.yml
Comment thread eng/pipelines/onebranch/sqlclient-official.yml
Comment thread eng/pipelines/onebranch/sqlclient-non-official.yml
Comment thread eng/pipelines/onebranch/sqlclient-official.yml
Co-authored-by: Copilot <copilot@github.com>
@cheenamalhotra cheenamalhotra marked this pull request as ready for review April 23, 2026 16:47
@cheenamalhotra cheenamalhotra requested a review from a team as a code owner April 23, 2026 16:47
Copilot AI review requested due to automatic review settings April 23, 2026 16:47
Contributor

Copilot AI left a comment

Pull request overview

Copilot reviewed 22 out of 33 changed files in this pull request and generated 1 comment.

Comments suppressed due to low confidence (3)

eng/pipelines/onebranch/jobs/build-signed-package-job.yml:62

  • This call to esrp-code-signing-step.yml doesn’t pass sourceRoot, so the step will use its default ($(REPOROOT)) as the signing FolderPath for *.dll. That will scan/sign all DLLs under the repo instead of just the build output. Pass the build output/bin folder explicitly (or update the step’s default to the build output directory).

eng/pipelines/onebranch/steps/publish-symbols-step.yml:68

  • PublishSymbols@2 input SymbolsProduct is being set to $(SymbolsPublishProjectNameSqlClient), which appears to be the symbols publishing project name (used later for the REST calls), not the product/package name. SymbolsProduct should remain the actual product identifier (e.g., Microsoft.Data.SqlClient) or be parameterized separately from the project name.

eng/pipelines/onebranch/steps/esrp-code-signing-step.yml:127

  • EsrpCodeSigning@6 task has an invalid YAML structure here: inputs: is duplicated (inputs: nested under inputs:), which will fail template expansion / pipeline parsing. Remove the extra inputs: line so the task has a single inputs mapping.

Comment thread eng/pipelines/onebranch/jobs/publish-nuget-package-job.yml
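
The two reviews above both flag that a signing step whose FolderPath defaults to the repo root will pick up every *.dll in the checkout. The following is an added example, not code from this PR or the project: a pre-signing scope check that lists files matching the pattern that sit outside the intended build output folder. It assumes file selection is a recursive, case-insensitive glob under FolderPath, as the review comments describe; the sample tree and all paths are constructed.

```python
import fnmatch
import os
import tempfile

def files_in_signing_scope(folder_path, pattern="*.dll"):
    """Absolute paths a recursive FolderPath + pattern selection would pick up."""
    hits = []
    for root, _dirs, files in os.walk(os.path.realpath(folder_path)):
        hits += [os.path.join(root, n) for n in files
                 if fnmatch.fnmatch(n.lower(), pattern.lower())]
    return sorted(hits)

def unexpected_signing_inputs(folder_path, allowed_root, pattern="*.dll"):
    """In-scope files that do not live under the intended build output folder."""
    allowed = os.path.realpath(allowed_root)
    return [p for p in files_in_signing_scope(folder_path, pattern)
            if os.path.commonpath([allowed, p]) != allowed]

# Constructed sample tree (hypothetical paths): one build output plus incidental DLLs.
SAMPLE_FILES = [
    "artifacts/bin/Release/net8.0/Sample.Product.dll",
    "tools/vendored/ThirdParty.dll",
    "src/tests/TestAssets/native-stub.dll",
    "src/Sample/Program.cs",
]

def demo():
    """Compare FolderPath = repo root with FolderPath = build output folder."""
    with tempfile.TemporaryDirectory() as repo:
        repo = os.path.realpath(repo)
        for item in SAMPLE_FILES:
            path = os.path.join(repo, *item.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(b"constructed")
        output = os.path.join(repo, "artifacts", "bin")
        to_rel = lambda ps: [os.path.relpath(p, repo).replace(os.sep, "/") for p in ps]
        return (to_rel(unexpected_signing_inputs(repo, output)),
                to_rel(unexpected_signing_inputs(output, output)))

if __name__ == "__main__":
    broad, narrow = demo()
    print("repo root as FolderPath, files outside build output:", broad)
    print("build output as FolderPath, files outside build output:", narrow)
```

Run as a gate before the signing step, a non-empty result means vendored or test-asset binaries would be submitted for signing along with the product assemblies.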
Contributor

@paulmedynski paulmedynski left a comment

This is a good transitional PR to get us on modern OneBranch pipelines. I still think we should bring all of the modern build/pipeline work from main back here eventually.

Rather than make a bunch of comments and go back and forth, I will push a commit to tidy a few things up. I will approve after that commit appears.

@paulmedynski paulmedynski moved this from To triage to In review in SqlClient Board Apr 23, 2026
paulmedynski previously approved these changes Apr 23, 2026
Comment thread eng/pipelines/common/templates/jobs/ci-build-nugets-job.yml
Comment thread eng/pipelines/common/templates/steps/build-and-run-tests-netcore-step.yml Outdated
Comment thread eng/pipelines/onebranch/variables/common-variables.yml Outdated
Comment thread eng/pipelines/onebranch/sqlclient-non-official.yml
Comment thread eng/pipelines/dotnet-sqlclient-ci-package-reference-pipeline.yml
@cheenamalhotra cheenamalhotra added this to the 6.1.5 milestone Apr 23, 2026
@cheenamalhotra cheenamalhotra enabled auto-merge (squash) April 23, 2026 19:11
@cheenamalhotra cheenamalhotra disabled auto-merge April 23, 2026 19:16
mdaigle previously approved these changes Apr 23, 2026
Contributor

@mdaigle mdaigle left a comment

Can you link some pipeline runs that I can look through?

Comment thread eng/pipelines/onebranch/steps/publish-symbols-step.yml
Co-authored-by: Copilot <copilot@github.com>
Copilot AI review requested due to automatic review settings April 23, 2026 19:34
@cheenamalhotra cheenamalhotra dismissed stale reviews from mdaigle and paulmedynski via c50a58e April 23, 2026 19:34
Contributor

Copilot AI left a comment

Pull request overview

Copilot reviewed 38 out of 46 changed files in this pull request and generated 2 comments.

Comments suppressed due to low confidence (4)

eng/pipelines/onebranch/jobs/build-akv-official-job.yml:96

  • $(ARTIFACT_PATH) is referenced for ob_outputDirectory but that variable is not defined anywhere in the repo (it used to come from the removed variable templates). This will resolve to an empty string and can break artifact staging/upload. Use an existing variable like $(artifactDirectory) (defined in /eng/pipelines/onebranch/variables/common-variables.yml) or define ARTIFACT_PATH in the consolidated variables template.

eng/pipelines/onebranch/steps/esrp-code-signing-step.yml:127

  • There is a duplicated inputs: key under the EsrpCodeSigning task (pkg branch). This makes the YAML invalid and will prevent the pipeline from running. Remove the extra inputs: line so the task has a single inputs mapping.

eng/pipelines/onebranch/jobs/build-signed-package-job.yml:83

  • publishSymbols is a boolean parameter in this job template, but /eng/pipelines/onebranch/steps/publish-symbols-step.yml declares publishSymbols as a string and checks eq(parameters.publishSymbols, 'true'). Passing a boolean here risks the condition never matching (e.g., boolean → 'True' vs 'true'). Consider aligning types by making the step template parameter boolean and using eq(..., true), or pass 'true'/'false' strings explicitly.

eng/pipelines/onebranch/jobs/build-akv-official-job.yml:138

  • outputDirectory: '$(ARTIFACT_PATH)' references ARTIFACT_PATH, which is not defined anywhere in the repo after the variables consolidation. This likely causes NuGet pack output to go to an unintended location. Consider switching to $(artifactDirectory) (or another defined output variable) or reintroducing ARTIFACT_PATH in the onebranch common variables template.

Comment thread eng/pipelines/onebranch/sqlclient-official.yml
Comment thread eng/pipelines/onebranch/jobs/publish-nuget-package-job.yml
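
Several review comments in this thread concern `$(Name)` references left without a matching definition after the variable templates were consolidated (ARTIFACT_PATH, the unsuffixed SymbolsPublish* names, SigningESRPConnectedServiceName). The following is an added example, not code from this PR or the project: a cross-reference audit of templates against variable definitions. The YAML snippets are constructed from names quoted in the comments, dotted names are assumed to be predefined pipeline variables, and variables supplied by external variable groups are out of its view.

```python
import re

REF = re.compile(r"\$\(([A-Za-z_][A-Za-z0-9_.]*)\)")
DEF = re.compile(r"^\s*-\s*name:\s*([A-Za-z_][A-Za-z0-9_]*)\s*$", re.M)

# Constructed sample of a consolidated variables template (values are placeholders).
VARIABLES_YML = """\
variables:
  - name: SigningEsrpConnectedServiceName
    value: placeholder
  - name: artifactDirectory
    value: $(Build.SourcesDirectory)/artifacts
  - name: SymbolsPublishProjectNameSqlClient
    value: placeholder
"""

# Constructed sample of a template that consumes those variables.
STEP_YML = """\
parameters:
  - name: ESRPConnectedServiceName
    default: $(SigningESRPConnectedServiceName)
  - name: symbolsPublishProjectName
    default: $(SymbolsPublishProjectName)
steps:
  - template: compound-nuget-pack-step.yml
    parameters:
      outputDirectory: '$(ARTIFACT_PATH)'
      basePath: '$(artifactDirectory)'
"""

def audit_references(variable_sources, consumer_sources):
    """Map each unresolved $(Name) to (finding, closest defined name or None)."""
    defined = {n for src in variable_sources for n in DEF.findall(src)}
    by_lower = {n.lower(): n for n in defined}
    findings = {}
    for src in consumer_sources:
        for ref in REF.findall(src):
            if "." in ref or ref in defined:
                continue  # dotted names assumed predefined (Build.*, System.*)
            if ref.lower() in by_lower:
                # Spelled differently from the definition: flagged for review.
                findings[ref] = ("case-differs", by_lower[ref.lower()])
            else:
                near = sorted(n for n in defined if n.startswith(ref))
                findings[ref] = ("undefined", near[0] if near else None)
    return findings

if __name__ == "__main__":
    for name, result in audit_references([VARIABLES_YML], [STEP_YML]).items():
        print(name, result)
```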
Co-authored-by: Copilot <copilot@github.com>
@cheenamalhotra cheenamalhotra requested a review from mdaigle April 23, 2026 22:37
@cheenamalhotra cheenamalhotra enabled auto-merge (squash) April 23, 2026 22:38
@cheenamalhotra cheenamalhotra disabled auto-merge April 24, 2026 07:16
@cheenamalhotra cheenamalhotra merged commit 5bcf200 into release/6.1 Apr 24, 2026
270 of 276 checks passed
@github-project-automation github-project-automation Bot moved this from In review to Done in SqlClient Board Apr 24, 2026
@cheenamalhotra cheenamalhotra deleted the dev/cheena/6.1-gov-templates branch April 24, 2026 07:17
5 participants