Prevent scanning/signing of unrelated packages #3998
samsharma2700 wants to merge 6 commits into main
Conversation
Pull request overview
This PR changes the build/pipeline directory layout so OneBranch ESRP signing and OneBranch artifact publishing only operate on NuGet packages produced by the current job, avoiding re-scanning/re-signing already-signed dependency packages downloaded from earlier stages.
Changes:
- Redirect NuGet pack output from `packages/` to a new repo-root `output/` directory (MSBuild + OneBranch pipeline variables/templates).
- Update OneBranch templates to use `output/` for `ob_outputDirectory` and the default `nuget pack -OutputDirectory`.
- Update cleanup and repo ignores to account for the new `output/` folder.
Reviewed changes
Copilot reviewed 5 out of 6 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| src/Directory.Build.props | Changes default PackagesDir to $(RepoRoot)output\ so MSBuild PackageOutputPath writes to output/. |
| eng/pipelines/libraries/common-variables.yml | Updates PACK_OUTPUT to $(REPO_ROOT)/output and documents separation from packages/. |
| eng/pipelines/common/templates/steps/generate-nuget-package-step.yml | Changes default outputDirectory parameter to $(Build.SourcesDirectory)/output. |
| eng/pipelines/common/templates/jobs/publish-nuget-package-job.yml | Updates ob_outputDirectory to $(Build.SourcesDirectory)/output. |
| build.proj | Updates Clean to delete generated *.nupkg/*.snupkg from output/ instead of packages/. |
| .gitignore | Ignores the new output/ directory. |
…amsharma2700/fix_singning_packages # Conflicts: # eng/pipelines/onebranch/jobs/publish-nuget-package-job.yml
Can you paste a link in the description to a successful non-official build with this change?

Link to the non-official build: https://sqlclientdrivers.visualstudio.com/ADO.Net/_build/results?buildId=142300&view=results
Codecov Report
✅ All modified and coverable lines are covered by tests.

Coverage Diff

| | main | #3998 | +/- |
|---|---|---|---|
| Coverage | 72.33% | 67.07% | -5.26% |
| Files | 287 | 282 | -5 |
| Lines | 43149 | 67171 | +24022 |
| Hits | 31211 | 45056 | +13845 |
| Misses | 11938 | 22115 | +10177 |

Flags with carried forward coverage won't be shown.
mdaigle
left a comment
Looks good. Will also review the unofficial pipeline run before approving.
The Non-Official run's artifacts look better now. Each package's artifacts only contain that package's .nuget files. Well done!
Description
(Part 1 of 2) OneBranch pipeline jobs download dependency packages from previous stages into `packages/`, and the build also outputs newly-built NuGet packages into `packages/`. Since `ob_outputDirectory` and ESRP signing both operate on `packages/` with a `*.*nupkg` glob, they scan, sign, and upload all packages in the directory, including ones downloaded from previous stages that were already signed.

Solution
Redirect NuGet pack output from `packages/` to a new top-level `output/` directory, giving each concern its own location:
- `packages/`: Downloaded NuGets from previous stages (NuGet.config local feed for restore)
- `artifacts/`: Intermediate build output - DLLs, PDBs (unchanged)
- `apiScan/`: Signed DLLs/PDBs copied for APIScan (unchanged)
- `output/`: Built .nupkg/.snupkg - ESRP NuGet signing, ob_outputDirectory, OneBranch artifact upload

Notes
This PR (Part 1) covers the OneBranch official/non-official pipelines, the ones that do ESRP signing, package validation and NuGet releases. It also covers the MSBuild build system (PackagesDir, Clean target) which is shared across both.
Part 2 will cover the CI/PR validation pipelines, the ones that build packages for testing during pull requests and continuous integration, using packagePath and ci-build-nugets-job.yml.
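A guard step a pipeline could run before signing, written here as an added example (not code from this PR or the repository): it records which packages the download step placed in packages/, then fails if the signing/upload glob over the pack output directory selects any of them. The directory layout and file names are constructed for the demonstration.

```python
# Added example (not from the PR or the repo): detect already-signed dependency
# packages that the ESRP / ob_outputDirectory glob would pick up again.
import tempfile
from pathlib import Path

SIGN_GLOB = "*.*nupkg"  # the glob the PR description says signing/upload use


def packages_matching(directory: Path) -> set[str]:
    """File names under `directory` that the signing/upload glob selects."""
    return {p.name for p in directory.glob(SIGN_GLOB) if p.is_file()}


def stray_packages(sign_dir: Path, downloaded: set[str]) -> set[str]:
    """Packages the glob would sign/upload even though an earlier stage
    downloaded them (i.e. they are not this job's build output)."""
    return packages_matching(sign_dir) & downloaded


def simulate(old_layout: bool) -> set[str]:
    """Build a constructed repo layout in a temp dir and return the stray set.

    old_layout=True : pack output lands in packages/ next to downloaded deps.
    old_layout=False: pack output goes to output/, as after this PR.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        packages, output = root / "packages", root / "output"
        packages.mkdir()
        output.mkdir()
        # Step 1 (download stage): one already-signed dependency, constructed name.
        (packages / "Some.Dependency.1.0.0.nupkg").write_bytes(b"signed earlier")
        downloaded = packages_matching(packages)  # record before pack runs
        # Step 2 (pack): the current job's package and its symbols package.
        pack_dir = packages if old_layout else output
        (pack_dir / "Built.Package.2.0.0.nupkg").write_bytes(b"built now")
        (pack_dir / "Built.Package.2.0.0.snupkg").write_bytes(b"symbols")
        # Step 3 (guard): signing points at the same directory pack wrote to.
        return stray_packages(pack_dir, downloaded)


if __name__ == "__main__":
    for old in (True, False):
        stray = simulate(old)
        where = "packages/" if old else "output/"
        print(f"sign dir {where}: {'FAIL' if stray else 'OK'} {sorted(stray)}")
```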