[release/v7.5] Add rebuild branch support with conditional MSIX signing#26817
Conversation
…26415) Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
daxian-dbw
added
the
CL-BuildPackaging
There was a problem hiding this comment.
Pull request overview
Backports rebuild-branch awareness into the release/v7.5 packaging/release pipelines to prevent rebuild branches from being treated as LTS, and adds an OfficialBuild switch intended to gate MSIX signing to official builds only.
Changes:
- Adds a reusable
rebuild-branch-check.ymlstep template and wires it into Linux/macOS/Windows packaging templates to skip LTS package creation on rebuild branches. - Updates
channelSelection.ymlto force Preview channel behavior on rebuild branches. - Adds an
OfficialBuildparameter topackage-create-msix.ymland passes it from the official packaging pipeline to conditionally run MSIX signing.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
.pipelines/templates/rebuild-branch-check.yml |
New step template to detect rebuild branches and expose IsRebuildBranch as an output variable. |
.pipelines/templates/packaging/windows/package.yml |
Consumes rebuild-branch detection to avoid building LTS packages on rebuild branches. |
.pipelines/templates/linux-package-build.yml |
Consumes rebuild-branch detection to avoid building LTS packages on rebuild branches. |
.pipelines/templates/mac-package-build.yml |
Consumes rebuild-branch detection to avoid building LTS packages on rebuild branches. |
.pipelines/templates/channelSelection.yml |
Forces rebuild branches to be treated as Preview (not Stable/LTS). |
.pipelines/templates/package-create-msix.yml |
Introduces OfficialBuild parameter and attempts to conditionally sign MSIX bundles. |
.pipelines/PowerShell-Packages-Official.yml |
Passes OfficialBuild into the MSIX bundle template. |
.pipelines/PowerShell-Coordinated_Packages-Official.yml |
Uses rebuild-branch detection to avoid marking rebuild builds as LTS in release.json. |
.pipelines/EV2Specs/ServiceGroupRoot/Shell/Run/Run.ps1 |
Avoids adding powershell-lts package when the version indicates a rebuild. |
|
|
||
| - task: onebranch.pipeline.signing@1 | ||
| displayName: Sign MsixBundle | ||
| condition: eq('${{ parameters.OfficialBuild }}', 'true') |
There was a problem hiding this comment.
This condition is comparing strings, but OfficialBuild is a boolean template parameter. With the current quoting, the expression expansion can produce unexpected values/casing and the signing step may be skipped even for official builds. Use a boolean comparison like eq(${{ parameters.OfficialBuild }}, true) (or just ${{ parameters.OfficialBuild }} combined with succeeded()).
| condition: eq('${{ parameters.OfficialBuild }}', 'true') | |
| condition: eq(${{ parameters.OfficialBuild }}, true) |
| - task: onebranch.pipeline.signing@1 | ||
| displayName: Sign MsixBundle | ||
| condition: eq('${{ parameters.OfficialBuild }}', 'true') | ||
| inputs: |
There was a problem hiding this comment.
Since signing is now conditional, when OfficialBuild is false this job becomes build-only but will still run with OneBranch signing infrastructure defaults (and uses restore-phase semantics earlier in the job). Consider explicitly setting ob_signing_setup_enabled/ob_sdl_codeSignValidation_enabled based on OfficialBuild (and only using restore phase when signing is enabled) to avoid unnecessary overhead in non-official runs.
| nativePathRoot: '$(Agent.TempDirectory)' | ||
| ob_restore_phase: false | ||
|
|
||
| - template: rebuild-branch-check.yml@self |
There was a problem hiding this comment.
The template include path looks incorrect here. Because this file is under .pipelines/templates/packaging/windows/, rebuild-branch-check.yml@self will be resolved relative to that folder and the template won’t be found. Use the repo-rooted path (e.g. /.pipelines/templates/rebuild-branch-check.yml@self) to match the other template includes in this file.
| - template: rebuild-branch-check.yml@self | |
| - template: /.pipelines/templates/rebuild-branch-check.yml@self |
Backport of #26415 to release/v7.5
Triggered by @daxian-dbw on behalf of @TravisEz13
Original CL Label: CL-BuildPackaging
/cc @PowerShell/powershell-maintainers
Impact
REQUIRED: Choose either Tooling Impact or Customer Impact (or both). At least one checkbox must be selected.
Tooling Impact
Adds rebuild branch detection and conditional MSIX signing for official builds only
Customer Impact
Regression
REQUIRED: Check exactly one box.
This is not a regression.
Testing
Successfully tested in 7.4 and 7.6 releases. Rebuild branch detection prevents incorrect LTS package creation.
Risk
REQUIRED: Check exactly one box.
Adds rebuild branch detection to prevent LTS packages from being built on rebuild branches. Adds conditional MSIX signing. Successfully backported to 7.4 and 7.6 branches.
Merge Conflicts
Conflict in package-create-msix.yml resolved - context differences in MSIX signing configuration