[build] move to new yaml template for signing #1260
Conversation
Context: https://devdiv.visualstudio.com/DevDiv/_git/Xamarin.yaml-templates/commit/3aa7341d11ab4cc9d4bf63965806e35c015c5956?refName=refs%2Fheads%2Fmain&path=%2Fsign-artifacts%2Fsteps%2Fv4.yml&_a=contents Context: https://devdiv.visualstudio.com/DevDiv/_git/ClientTools.Platform/commit/81a98cf67ae869635ebd082f37e2ddbf624e0267?refName=refs/heads/main&path=/build/automation/stages/sign.yml
azure-pipelines.yml
Outdated
| ${{ if startsWith(variables['Build.SourceBranch'], 'refs/tags/') }}: | ||
| template: v1/1ES.Official.PipelineTemplate.yml@1esPipelines |
There was a problem hiding this comment.
You must use the MicroBuild 1ES templated
There was a problem hiding this comment.
Somehow still getting the same error:
Encountered error(s) while parsing pipeline YAML:
/azure-pipelines.yml (Line: 42, Col: 7): Unexpected parameter 'mb'
/azure-pipelines.yml: Expected error count to be 0 when attempting to load a new file
But I even named everything exactly the same as here:
azure-pipelines.yml
Outdated
| parameters: | ||
| mb: |
There was a problem hiding this comment.
mb must be set at job level. I don't think you even need it because you are using the sign-artifacts template, which is already setting this.
azure-pipelines.yml
Outdated
| - repository: yaml-templates | ||
| type: git | ||
| name: DevDiv/Xamarin.yaml-templates | ||
| ref: refs/heads/main | ||
|
|
||
| extends: | ||
| template: v1/1ES.Official.PipelineTemplate.yml@1esPipelines | ||
| ${{ if startsWith(variables['Build.SourceBranch'], 'refs/tags/') }}: |
There was a problem hiding this comment.
The recommendation is to use Build.Reason to choose between official and unofficial. I'm not sure how builds are configured on this pipeline, but only release branches should trigger CI builds and use the official template on the production pipeline.
There was a problem hiding this comment.
This repo doesn't have release branches; it goes based on if a commit is tagged or not.
I think it was done this way, because any random branch could build a preview package. So, you might have this branch for shipping a preview AndroidX.Security package:
Does this just need to be re-thought and we prefix any of these special branches with release/? And we can stop tagging?
There was a problem hiding this comment.
yes, I think so. Also 1ES will start blocking builds on production pipelines that don't come from a release branch. If you consider a release branch something else than release/, you must declare that in a config file (I can look for it if needed).
This reverts commit 1b9920f.
Fixes:
##[error]yaml-templates\sign-artifacts\steps\v2-SignFiles.proj(73,5): Error : Please update your SignList.xml to include the following unknown files which should be signed:
D:\a\_work\_temp\artifact-signing\extracted\Xamarin.AndroidX.Compose.Runtime.Annotation.1.9.0\jar\runtime-annotation.jar;
D:\a\_work\_temp\artifact-signing\extracted\Xamarin.AndroidX.Compose.Runtime.Annotation.Jvm.1.9.0\jar\runtime-annotation-jvm.jar
This prevents flaky CI on test failures such as:
Unexpected error: Download failed. Please download https://search.maven.org/remotecontent?filepath=com/facebook/android/facebook-android-sdk/4.17.0/facebook-android-sdk-4.17.0.aar to a file called C:\Users\cloudtest\AppData\Local\Temp\tmpaazgjb.tmp\unpacked\FacebookAndroid-4.17.0.aar.
Stack trace
at Xamarin.ContentPipeline.Tests.TestsBase.AssertNoMessagesOrWarnings(MSBuildTestLogger logger, String[] ignorePatterns) in C:\a\_work\1\s\util\Xamarin.Build.Download\source\Xamarin.Build.Download.Tests\Helpers\TestsBase.cs:line 71
at NativeLibraryDownloaderTests.Test.TestUncompressedNamedDownload() in C:\a\_work\1\s\util\Xamarin.Build.Download\source\Xamarin.Build.Download.Tests\Test.cs:line 181
at System.RuntimeMethodHandle.InvokeMethod(Object target, Void** arguments, Signature sig, Boolean isConstructor)
at System.Reflection.MethodBaseInvoker.InvokeWithNoArgs(Object obj, BindingFlags invokeAttr)
|
I believe test signing worked: 
So, going to backport to a release branch and try it. |
Context: https://devdiv.visualstudio.com/DevDiv/_git/Xamarin.yaml-templates/commit/3aa7341d11ab4cc9d4bf63965806e35c015c5956?refName=refs%2Fheads%2Fmain&path=%2Fsign-artifacts%2Fsteps%2Fv4.yml&_a=contents Context: https://devdiv.visualstudio.com/DevDiv/_git/ClientTools.Platform/commit/81a98cf67ae869635ebd082f37e2ddbf624e0267?refName=refs/heads/main&path=/build/automation/stages/sign.yml * Moves to `sign-artifacts/jobs/v4.yml` template * Set `$(TeamName)` to `.NET MAUI`. * Update `SignList.xml` for new libraries: Fixes: ##[error]yaml-templates\sign-artifacts\steps\v2-SignFiles.proj(73,5): Error : Please update your SignList.xml to include the following unknown files which should be signed: D:\a\_work\_temp\artifact-signing\extracted\Xamarin.AndroidX.Compose.Runtime.Annotation.1.9.0\jar\runtime-annotation.jar; D:\a\_work\_temp\artifact-signing\extracted\Xamarin.AndroidX.Compose.Runtime.Annotation.Jvm.1.9.0\jar\runtime-annotation-jvm.jar
Context: https://devdiv.visualstudio.com/DevDiv/_git/Xamarin.yaml-templates/commit/3aa7341d11ab4cc9d4bf63965806e35c015c5956?refName=refs%2Fheads%2Fmain&path=%2Fsign-artifacts%2Fsteps%2Fv4.yml&_a=contents
Context: https://devdiv.visualstudio.com/DevDiv/_git/ClientTools.Platform/commit/81a98cf67ae869635ebd082f37e2ddbf624e0267?refName=refs/heads/main&path=/build/automation/stages/sign.yml