[release/v7.6] Optimize/split windows package signing #26557
Conversation
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Pull request overview
This PR is a backport of #26403 to the release/v7.6 branch that significantly refactors the Windows package build and signing pipeline infrastructure. The changes separate the Windows packaging process into distinct build and sign stages for better maintainability and performance, add comprehensive OneBranch pipeline documentation, and improve restore phase configuration across templates.
Key changes include:
- Split Windows packaging into separate build (windows_package_build) and sign (windows_package_sign) stages, with build-only jobs having signing infrastructure disabled for better performance
- Parameterized ob_restore_phase across reusable templates for proper OneBranch restore phase management
- Removed obsolete UseJson parameter from SetVersionVariables.yml and extracted repo root detection to a separate set-reporoot.yml template
- Added comprehensive documentation for OneBranch signing configuration and restore phase patterns
- Updated artifact naming to reflect the new build/sign separation
Reviewed changes
Copilot reviewed 27 out of 27 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| .pipelines/PowerShell-Packages-Official.yml | Split windows_package stage into separate build and sign stages; updated stage dependencies and display names |
| .pipelines/templates/packaging/windows/package.yml | Renamed job to build_win_*; disabled signing setup and validation; removed signing steps; outputs unsigned packages |
| .pipelines/templates/packaging/windows/sign.yml | New template for signing Windows packages; downloads unsigned artifacts, signs MSI/EXE packages, outputs signed artifacts |
| .pipelines/templates/SetVersionVariables.yml | Removed UseJson parameter; added ob_restore_phase parameter; extracted repo root detection to separate template |
| .pipelines/templates/set-reporoot.yml | New template for detecting and setting REPOROOT variable with ob_restore_phase support |
| .pipelines/templates/shouldSign.yml | Added ob_restore_phase parameter support |
| .pipelines/templates/install-dotnet.yml | Added ob_restore_phase parameter support |
| .pipelines/templates/cloneToOfficialPath.yml | Added ob_restore_phase parameter; improved error handling and validation for REPOROOT |
| .pipelines/templates/package-create-msix.yml | Updated artifact names to match new build stage output names |
| .pipelines/templates/uploadToAzure.yml | Removed UseJson parameter from SetVersionVariables call |
| .pipelines/templates/release-MakeBlobPublic.yml | Removed UseJson parameter from SetVersionVariables calls |
| .pipelines/templates/nupkg.yml | Removed UseJson parameter from SetVersionVariables call |
| .pipelines/templates/mac-package-build.yml | Removed UseJson parameter from SetVersionVariables call |
| .pipelines/templates/linux-package-build.yml | Removed UseJson parameter from SetVersionVariables call |
| .pipelines/templates/compliance/apiscan.yml | Removed UseJson parameter from SetVersionVariables call |
| .pipelines/templates/checkAzureContainer.yml | Removed UseJson parameter; added ob_artifactBaseName variable |
| .pipelines/PowerShell-vPack-Official.yml | Removed UseJson parameter from SetVersionVariables call |
| .pipelines/PowerShell-Coordinated_Packages-Official.yml | Removed UseJson parameter from SetVersionVariables call |
| .pipelines/MSIXBundle-vPack-Official.yml | Removed UseJson parameter from SetVersionVariables call |
| .github/instructions/onebranch-signing-configuration.instructions.md | New comprehensive guide for OneBranch signing configuration and restore phase usage |
| .github/instructions/onebranch-restore-phase-pattern.instructions.md | New guide for proper restore phase pattern implementation |
| .github/instructions/code-review-branch-strategy.instructions.md | New guide for code review branch strategy |
| .github/instructions/build-configuration-guide.md | Added applyTo section with pipeline file patterns |
| .github/chatmodes/cherry-pick-commits.chatmode.md | New chatmode for cherry-picking commits between branches |
| .pipelines/templates/release-install-pwsh.yml | Removed obsolete template |
| .pipelines/templates/release-download-packages.yml | Removed obsolete template |
| .pipelines/templates/release-checkout-pwsh-repo.yml | Removed obsolete template |
| env: | ||
| ob_restore_phase: true | ||
| - template: /.pipelines/templates/install-dotnet.yml@self |
Copilot
AI
Dec 2, 2025
The install-dotnet.yml template call is missing the ob_restore_phase parameter. Since this step installs dotnet which is needed before signing operations, it should explicitly set ob_restore_phase: true.
Add the parameter:
- template: /.pipelines/templates/install-dotnet.yml@self
  parameters:
    ob_restore_phase: true
This ensures the dotnet installation happens in the restore phase, before signing operations begin.
| - template: /.pipelines/templates/install-dotnet.yml@self | |
| - template: /.pipelines/templates/install-dotnet.yml@self | |
| parameters: | |
| ob_restore_phase: true |
| parameters: | ||
| ReleaseTagVar: $(ReleaseTagVar) | ||
| CreateJson: no | ||
|
|
Copilot
AI
Dec 2, 2025
The SetVersionVariables.yml template call is missing the ob_restore_phase parameter. Since this template now accepts and uses this parameter (as shown in the diff), it should be explicitly passed as true in signing jobs.
Add the parameter:
- template: /.pipelines/templates/SetVersionVariables.yml@self
  parameters:
    ReleaseTagVar: $(ReleaseTagVar)
    CreateJson: no
    ob_restore_phase: true
This ensures version variables are set in the restore phase before signing operations.
| ob_restore_phase: true |
| - template: /.pipelines/templates/cloneToOfficialPath.yml@self | ||
| parameters: | ||
| nativePathRoot: '$(Agent.TempDirectory)' | ||
|
|
Copilot
AI
Dec 2, 2025
The cloneToOfficialPath.yml template call is missing the ob_restore_phase parameter. This template now accepts this parameter (as shown in the diff), and cloning should happen in the restore phase before signing.
Add the parameter:
- template: /.pipelines/templates/cloneToOfficialPath.yml@self
  parameters:
    nativePathRoot: '$(Agent.TempDirectory)'
    ob_restore_phase: true
This ensures the repository is cloned in the restore phase.
| ob_restore_phase: true |
| env: | ||
| ob_restore_phase: true |
Copilot
AI
Dec 2, 2025
This diagnostic step runs after signing operations complete, so it should NOT have ob_restore_phase: true. According to the OneBranch restore phase pattern, only steps before the first signing operation should use the restore phase.
Remove the env block:
- pwsh: |
    Get-ChildItem -Path $(ob_outputDirectory) -Recurse
  displayName: 'List signed artifacts'
Steps after signing should run in the normal build phase, not the restore phase.
| env: | |
| ob_restore_phase: true |
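Added here as an illustration of the rule Copilot states above, not code from this PR or from the PowerShell repository: a small lint over a signing job's steps, in the dict shape yaml.safe_load produces for a steps: list, that flags steps before the first signing task which lack ob_restore_phase: true and steps after it that still carry it. The signing-task detection (a task name containing "sign"), the placeholder task name and the sample steps are assumptions.

```python
def is_signing_step(step):
    """Assumption: the signing step is a task whose name contains 'sign' (here a placeholder
    'PlaceholderPackageSigning@1'); template includes such as shouldSign.yml are deliberately not matched."""
    return "sign" in str(step.get("task", "")).lower()

def restore_flag(step):
    """ob_restore_phase as a bool if the step sets it under parameters: or env:, else None."""
    for block in ("parameters", "env"):
        value = (step.get(block) or {}).get("ob_restore_phase")
        if value is not None:
            return str(value).lower() == "true"  # YAML may load it as bool True or as the string "true"
    return None

def step_label(step, index):
    return step.get("template") or step.get("displayName") or step.get("task") or f"step {index}"

def lint_restore_phase(steps):
    """Return (index, label, problem) for every step that breaks the restore-phase pattern."""
    sign_positions = [i for i, s in enumerate(steps) if is_signing_step(s)]
    if not sign_positions:
        return []  # build-only job (signing disabled): the rule does not apply
    first_sign = sign_positions[0]
    findings = []
    for i, step in enumerate(steps):
        if is_signing_step(step):
            continue
        flag = restore_flag(step)
        if i < first_sign and flag is not True:
            findings.append((i, step_label(step, i), "runs before signing but does not set ob_restore_phase: true"))
        elif i > first_sign and flag is True:
            findings.append((i, step_label(step, i), "runs after signing but is still marked ob_restore_phase: true"))
    return findings

# Constructed sample steps mirroring the hunks in this review; the signing task name is a placeholder.
SAMPLE_STEPS = [
    {"template": "/.pipelines/templates/SetVersionVariables.yml@self",
     "parameters": {"ReleaseTagVar": "$(ReleaseTagVar)", "CreateJson": "no"}},
    {"template": "/.pipelines/templates/install-dotnet.yml@self",
     "parameters": {"ob_restore_phase": True}},
    {"task": "PlaceholderPackageSigning@1", "displayName": "Sign MSI/EXE packages"},
    {"pwsh": "Get-ChildItem -Path $(ob_outputDirectory) -Recurse",
     "displayName": "List signed artifacts", "env": {"ob_restore_phase": "true"}},
]

if __name__ == "__main__":
    for index, label, problem in lint_restore_phase(SAMPLE_STEPS):
        print(f"step {index} ({label}): {problem}")
```

On the sample the lint reports the SetVersionVariables.yml call (before signing, flag missing) and the 'List signed artifacts' step (after signing, flag still set), which are exactly the two defects raised in this comment thread.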
| - "tools/ci.psm1" | ||
| - ".github/**/*.yml" | ||
| - ".github/**/*.yaml" | ||
| - ".pipelines/**/*.yml" |
Copilot
AI
Dec 2, 2025
[nitpick] The applyTo section is missing the .pipelines/**/*.yaml pattern. For consistency with other instruction files and to ensure the guide applies to all pipeline files (both .yml and .yaml extensions), add:
---
applyTo:
  - "build.psm1"
  - "tools/ci.psm1"
  - ".github/**/*.yml"
  - ".github/**/*.yaml"
  - ".pipelines/**/*.yml"
  - ".pipelines/**/*.yaml"
---
This ensures the build configuration guide is available when editing any pipeline file.
| - ".pipelines/**/*.yml" | |
| - ".pipelines/**/*.yml" | |
| - ".pipelines/**/*.yaml" |
| - name: runCodesignValidationInjection | ||
| value: false | ||
| - name: ob_artifactBaseName | ||
| value: drop_windows_package_package_win_${{ parameters.runtime }} |
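Review bot: the comment below contradicts its own suggestion block for this hunk: its prose says the name "should be" drop_windows_package_package_win_${{ parameters.runtime }}, which is the value the hunk already sets, while the suggestion block replaces it with drop_windows_package_${{ parameters.runtime }}, the name the same comment attributes to the build stage's output. Pipeline artifact names must be unique within a run, so applying the suggestion block would make the sign job publish under the build job's name instead of fixing the mismatch. Keep the distinct value in this hunk and fix the consumers instead: confirm that the upload stage and package-create-msix.yml download drop_windows_package_package_win_${{ parameters.runtime }}.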
Copilot
AI
Dec 2, 2025
The artifact name in the signing stage doesn't match the artifact name from the build stage. The build stage outputs artifacts with the name drop_windows_package_${{ parameters.runtime }} (line 19 in package.yml), but the signing stage is configured to output artifacts with the name drop_windows_package_package_win_${{ parameters.runtime }} (includes extra "package_win").
This inconsistency will cause issues when the upload stage tries to download the signed artifacts. The artifact name should be:
ob_artifactBaseName: drop_windows_package_package_win_${{ parameters.runtime }}
This matches the pattern used in the upload stage and other parts of the pipeline.
| value: drop_windows_package_package_win_${{ parameters.runtime }} | |
| value: drop_windows_package_${{ parameters.runtime }} |
| displayName: 'Create MSIX Bundle' | ||
| dependsOn: [windows_package] | ||
| displayName: 'MSIX Bundle+Sign' | ||
| dependsOn: [windows_package_build] # Only depends on unsigned packages |
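Review bot: with dependsOn: [windows_package_build] the bundle is assembled from the unsigned per-architecture MSIX files, and the per-file summary above describes sign.yml as signing MSI/EXE packages only, so nothing in this pipeline signs the inner packages before they are bundled. Either move the dependency to windows_package_sign and extend sign.yml to cover the MSIX packages, or state in the trailing comment on this line that only the bundle carries a signature so the gap is a documented decision rather than an accident.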
Copilot
AI
Dec 2, 2025
The MSIX bundle stage depends on windows_package_build and downloads unsigned MSIX packages, but it should likely depend on windows_package_sign to use signed MSIX packages instead.
Currently, the pipeline creates unsigned MSIX files in the build stage, then creates a bundle from those unsigned files and only signs the bundle. Typically, both individual MSIX packages and the bundle should be signed.
Consider changing:
dependsOn: [windows_package_build] # Only depends on unsigned packages
to:
dependsOn: [windows_package_sign] # Depends on signed packages
And update the artifact downloads in package-create-msix.yml to download from drop_windows_package_package_win_x64 (etc.) instead of drop_windows_package_x64.
| dependsOn: [windows_package_build] # Only depends on unsigned packages | |
| dependsOn: [windows_package_sign] # Depends on signed packages |
| ReleaseTagVar: $(ReleaseTagVar) | ||
| CreateJson: no | ||
|
|
||
| - template: /.pipelines/templates/shouldSign.yml@self |
Copilot
AI
Dec 2, 2025
[nitpick] The shouldSign.yml template call is missing the ob_restore_phase parameter. While it defaults to true, it's better to be explicit for consistency with other template calls in this file.
Add the parameter:
- template: /.pipelines/templates/shouldSign.yml@self
  parameters:
    ob_restore_phase: true
This matches the pattern used for SetVersionVariables.yml and cloneToOfficialPath.yml calls in the same file.
| - template: /.pipelines/templates/shouldSign.yml@self | |
| - template: /.pipelines/templates/shouldSign.yml@self | |
| parameters: | |
| ob_restore_phase: true |
Backport of #26403 to release/v7.6
Triggered by @adityapatwardhan on behalf of @TravisEz13
Original CL Label: CL-BuildPackaging
/cc @PowerShell/powershell-maintainers
Impact
REQUIRED: Choose either Tooling Impact or Customer Impact (or both). At least one checkbox must be selected.
Tooling Impact
Build pipeline and packaging infrastructure improvements - refactors Windows package build/signing stages, adds OneBranch documentation, and improves restore phase configuration
Customer Impact
Regression
REQUIRED: Check exactly one box.
This is not a regression.
Testing
Build pipeline refactoring tested through CI/CD pipeline execution and validation of stage separation
Risk
REQUIRED: Check exactly one box.
Changes build pipeline structure and configuration which could affect packaging, but follows established patterns and improves maintainability
Merge Conflicts
File rename conflict in .github/instructions/build-configuration-guide.md - resolved by applying the applyTo section change (added .pipelines/**/*.yml) to the existing file in release branch