ci: add Control Tower prcheck to the PR check + reusable step templates #17885

Draft
PawelWMS wants to merge 11 commits into microsoft:4.0 from PawelWMS:pawelwi/pr_check_sources_uploads


PawelWMS commented Jul 1, 2026

What

Re-adds the Control Tower prcheck (source-upload) call into the active PR
check, and refactors the ADO Control Tower pipeline templates to share setup via
reusable, parameterized step templates.

Per-PR flow of the renamed pr-check-ct pipeline: shared setup + change
detection → prcheck (uploads the changed components' missing lookaside
sources) → scratch package build. prcheck runs before the build because
the build depends on the sources prcheck uploads.

Commits (each self-contained)

  1. compute_change_set.sh: rename --source/--target-commit → --from/--to-commit, add optional output-name params.
  2. Inline compute_changed.sh into compute_change_set.sh (single caller); delete the wrapper.
  3. Extract common-steps.yml into granular parameterized step templates under templates/steps/.
  4. Recompose common-steps.yml (post-merge pipeline) from those templates — behavior-preserving.
  5. Add prcheck to the PR check and compose it from the shared templates.
  6. Rename the PR template pair pr-package-build* → pr-check-ct* (stage/job PRCheckCT).
  7. Remove the now-redundant standalone sources-upload pipeline; scrub references.

Resolved inline AI: / @AI: review notes

  • Build-reason guard moved to a compile-time template expression on Build.Reason (fail fast).
  • Merge base renamed targetCommit/target_commit → baseCommit/base_commit (it is the fork point, not the target tip).
  • change_set_dir / changedComponentsFile derived via the shared prepare-change-set.yml.
  • compute_change_set.sh arg rename + output-name params; wrapper script inlined.

Reviewer notes

  • Validation: all touched YAML parses and compute_change_set.sh passes bash -n. Real end-to-end validation is the ADO pipeline (mariner-org/azl def 5465) — not run here.
  • Deferred decision: pr-check-ct.yml stays NonOfficial / DEV for now (uses the DEV service connection + DEV endpoint, scratch builds only). Revisit whether the prcheck source upload into the 'scanned' location warrants promotion to Official.

Related work items (ADO mariner-org/mariner)

Draft for review.

PawelWMS and others added 8 commits July 1, 2026 19:04
Rename the confusingly-named --source-commit/--target-commit flags to
--from-commit (baseline / merge base) and --to-commit (newer commit), and
add optional --changed-components-file / --specs-diff-file / --render-set-file
output-name overrides (defaults unchanged). Update all three callers:
pr-package-build-stages.yml, common-steps.yml, and the check-rendered-specs
GitHub Actions gate. Ordering preserved: from -> to (base -> head).

Resolves the two AI: comments on the compute_change_set.sh call site.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

compute_changed.sh had a single caller (compute_change_set.sh), so fold it in
as a compute_changed() function and delete the standalone script. Behavior is
unchanged: azldev component changed --from <base> --to <head> with the same
supply-chain drift guard. Update the components README table and the
common-steps.yml comment that referenced the removed script.

Resolves the @ai: comment on the compute_changed.sh wrapper.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Add reusable step templates under templates/steps/ so the post-merge and PR
Control Tower pipelines can compose only the pieces they need instead of
duplicating setup:

  ensure-full-history.yml      unshallow guard
  install-deps.yml             PipAuthenticate + azldev + python deps, with
                               installMock / installAdoRequirements /
                               normalizeGoGitConfig toggles
  commit-range-postmerge.yml   previous-build delta (ADO Builds API)
  commit-range-pr.yml          merge-commit-parent range (PR)
  prepare-change-set.yml       compute_change_set.sh + triage artifact,
                               from/to variable names parameterized
  verify-locks.yml             lock freshness check
  verify-rendered-specs.yml    render --check-only drift check

These are additive; nothing consumes them yet (wired in follow-up commits).

Two AI: fixes land here, in commit-range-pr.yml:
  - build-reason check moved to a compile-time template expression on
    variables['Build.Reason'] so a mis-triggered run fails fast.
  - the merge-base is now named baseCommit / base_commit (it is the fork
    point, not the target tip).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Replace the inlined step bodies in common-steps.yml with composition of the
new templates/steps/* templates. The post-merge pipelines (package-build,
source-upload) that splice common-steps in are unchanged in effect: same steps,
same order, same emitted variables (sourceCommit/targetCommit ->
changedComponentsFile/renderSetFile).

Note one intentional, safe hardening: the shared install-deps.yml validates
.azldev-version against ^[0-9A-Za-z._+-]+$ before `go install`, which the old
common-steps did not. The committed .azldev-version is well-formed, so this
only rejects a genuinely malformed value.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
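
The allowlist check this commit message describes, as an added example (not the repository's install-deps.yml): it tests the whole file content against `^[0-9A-Za-z._+-]+$` instead of testing line by line, because a per-line grep accepts a file whose first line is well-formed and whose later lines are not. The function names, sample files and sample version string are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; not the repository's install-deps.yml. Function names, sample
# files and the sample version string are constructed for illustration.

# Whole-string check: print the version if every byte is in the allowlist.
# Exit 1 = malformed content, exit 2 = file missing or unreadable.
read_pinned_version() (
    LC_ALL=C; export LC_ALL            # ASCII-only meaning for A-Z / a-z
    [ -f "$1" ] || exit 2
    # $(...) drops trailing newlines only; an interior newline, a CR or a
    # space stays in $v and is rejected by the pattern below.
    v=$(cat "$1") || exit 2
    case $v in
        '')                 exit 1 ;;  # empty file
        *[!0-9A-Za-z._+-]*) exit 1 ;;  # any byte outside the allowlist
    esac
    printf '%s\n' "$v"
)

# Weaker variant for contrast: grep tests line by line, so one well-formed
# line is enough even when other lines follow it.
line_grep_accepts() {
    LC_ALL=C grep -Eq '^[0-9A-Za-z._+-]+$' "$1"
}

demo() {
    d=$(mktemp -d) || return 1
    printf 'v0.4.2-rc1+build.7\n'     > "$d/good"       # constructed
    printf 'v0.4.2\nnot a version!\n' > "$d/multiline"  # constructed
    printf 'v0.4.2\r\n'               > "$d/crlf"       # constructed
    for f in good multiline crlf; do
        if read_pinned_version "$d/$f" >/dev/null; then whole=accept; else whole=reject; fi
        if line_grep_accepts "$d/$f"; then per_line=accept; else per_line=reject; fi
        printf '%-10s whole-string=%s per-line-grep=%s\n' "$f" "$whole" "$per_line"
    done
    rm -rf "$d"
}
demo
```

Only the value printed by the whole-string check should be interpolated after the `@` of a `go install` argument.
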
…lates

Rewrite the PR package-build stages template to:
  - compose the shared templates/steps/* templates (ensure-full-history,
    install-deps with normalizeGoGitConfig, commit-range-pr, prepare-change-set)
    instead of duplicating the setup inline; and
  - call Control Tower 'prcheck' BEFORE the scratch package build. prcheck
    uploads the missing lookaside sources for the changed components so they are
    present when the build fetches them, so it must run first.

This folds the prcheck call (previously in sources-upload-stages.yml) into the
active PR check. The scratch-build step is unchanged. Reusing the granular
templates also lands the remaining template-local AI: fixes (build-reason
template expression and baseCommit rename live in commit-range-pr.yml; the
change_set_dir/changedComponentsFile derivation lives in prepare-change-set.yml).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Rename the template pair now that the PR check does prcheck + package build:
  pr-package-build.yml        -> pr-check-ct.yml
  pr-package-build-stages.yml -> pr-check-ct-stages.yml

Rename the stage/job PRPackageBuild -> PRCheckCT, repoint the wrapper @self
template path and artifactBaseName (prcheckct), and refresh the header comments
and the components README references.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

The Control Tower prcheck (source upload) call now lives in the PR check
(pr-check-ct), so the standalone source-upload pipeline is redundant. Delete
both files:
  .github/workflows/ado/sources-upload.yml
  .github/workflows/ado/templates/sources-upload-stages.yml

Scrub the now-dangling references in the package-build wrapper/stages headers,
common-steps.yml, the scripts/ci READMEs, and the ado-pipeline instructions
(canonical pairing example and shared-sub-template note repointed to the
still-live package-build pipeline and the granular templates/steps/*).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Copilot AI review requested due to automatic review settings July 1, 2026 20:58

Copilot AI left a comment


Pull request overview

This PR re-wires the ADO PR Control Tower check so it calls Control Tower prcheck (intended to upload changed components' missing lookaside sources) before submitting a scratch package build, and refactors the shared setup steps into granular, parameterized step sub-templates. It fits the repo's wrapper/raw-stages ADO convention and the cross-pipeline scripts/ci/components/ change-set contract, consolidating the previously separate sources-upload and pr-package-build pipelines into a single pr-check-ct flow.

Changes:

  • Extract common-steps.yml into granular templates (ensure-full-history, install-deps, commit-range-pr/commit-range-postmerge, prepare-change-set, verify-locks, verify-rendered-specs) and recompose the post-merge pipeline from them.
  • Rename compute_change_set.sh args --source/--target-commit → --from/--to-commit, inline the now-deleted compute_changed.sh, and add configurable output-file names; update all callers.
  • Add prcheck before the scratch build in the renamed pr-check-ct pipeline and remove the standalone sources-upload pipeline, updating docs/READMEs.

Reviewed changes

Copilot reviewed 21 out of 21 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| .github/workflows/ado/templates/pr-check-ct-stages.yml | New PR CT stages: prcheck + scratch build composed from shared step templates (contains the prcheck no-op discrepancy). |
| .github/workflows/ado/pr-check-ct.yml | Wrapper retargeted to pr-check-ct-stages.yml, artifact renamed prcheckct, passes all required params. |
| .github/workflows/ado/templates/steps/install-deps.yml | New parameterized dep-install step (mock/ADO SDK/go-git-normalize opt-ins) with azldev version validation. |
| .github/workflows/ado/templates/steps/prepare-change-set.yml | New change-set step; from/to commit vars parameterized, publishes triage artifact + pipeline vars. |
| .github/workflows/ado/templates/steps/commit-range-pr.yml | New PR merge-base range resolver with compile-time PR-build guard + SHA validation. |
| .github/workflows/ado/templates/steps/commit-range-postmerge.yml | Extracted post-merge commit-range logic (ADO Builds API). |
| .github/workflows/ado/templates/steps/{ensure-full-history,verify-locks,verify-rendered-specs}.yml | Extracted individual steps from common-steps.yml. |
| .github/workflows/ado/templates/steps/common-steps.yml | Recomposed post-merge step set from the granular templates (order preserved). |
| scripts/ci/components/compute_change_set.sh | Inlines compute_changed.sh, renames args to --from/--to-commit, adds output-name overrides. |
| scripts/ci/components/compute_changed.sh | Deleted (single caller inlined). |
| .github/workflows/check-rendered-specs.yml | GH Actions caller updated to --from-commit/--to-commit. |
| .github/workflows/ado/{package-build.yml,templates/package-build-stages.yml} | Comment updates reflecting composed-from-templates wording. |
| .github/workflows/ado/{sources-upload.yml,templates/{sources-upload,pr-package-build}-stages.yml} | Removed redundant pipelines/templates. |
| scripts/ci/{components,ado}/README.md, .github/instructions/ado-pipeline.instructions.md | Docs updated for new callers/canonical examples. |

Comment on lines +124 to +135
python3 scripts/ci/control-tower/run_prcheck.py \
--api-audience "$API_AUDIENCE" \
--api-base-url "$API_BASE_URL" \
--build-reason "$CT_BUILD_REASON" \
--changed-components-file "$CHANGED_COMPONENTS_FILE" \
--source-commit "$SOURCE_COMMIT" \
--repo-uri "$UPSTREAM_REPO_URL"
env:
API_AUDIENCE: $(ApiAudience)
API_BASE_URL: $(ApiBaseAFDUrl)
# Non-reserved name: an `env:` override of the reserved BUILD_REASON var is silently ignored by the agent.
CT_BUILD_REASON: $(Build.Reason)
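
Review bot: The `env:` block as shown maps only API_AUDIENCE, API_BASE_URL and CT_BUILD_REASON, while the run_prcheck.py call above also expands `$CHANGED_COMPONENTS_FILE`, `$SOURCE_COMMIT` and `$UPSTREAM_REPO_URL`. A job variable reaches a script under its upper-cased name with dots turned into underscores, so a variable named changedComponentsFile arrives as CHANGEDCOMPONENTSFILE and not as CHANGED_COMPONENTS_FILE; unless those three are mapped further down in the same block, each quoted expansion is an empty string and the script is called with empty arguments. Map all three explicitly in `env:` and fail fast before the call, for example with `: "${SOURCE_COMMIT:?}"` for each of them.
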
Comment thread .github/workflows/ado/templates/pr-check-ct-stages.yml Outdated
Comment thread .github/workflows/ado/templates/pr-check-ct-stages.yml
- run_prcheck.py: remove the `build_reason == PullRequest` short-circuit so
  prcheck actually runs (and uploads sources) on PR triggers. (CT-side support
  for PR-triggered prcheck still to be verified — see session TODO.)
- pr-check-ct-stages.yml: replace the `variableGroup` parameter with explicit
  `apiAudience` / `apiBaseAFDUrl` string params passed by the wrapper; drop the
  job-scope `- group:`. The wrapper now declares the `ControlTower-PRCheck`
  group at root and passes `$(ApiAudience)` / `$(ApiBaseAFDUrl)`.
- Drop the redundant `CT_BUILD_REASON` env var in both AzureCLI steps; use the
  auto-provided `$BUILD_REASON` directly.
- Drop the trailing "runs first…" sentence from the prcheck step comment.
- Parameterize the names of job variables the step templates set
  (commit-range-pr: sourceCommitVar/baseCommitVar; commit-range-postmerge:
  sourceCommitVar/targetCommitVar; prepare-change-set:
  changedComponentsFileVar/renderSetFileVar), defaults = current names.
- Document the `<name>Var` / `<name>OutputVar` variable-naming convention in
  ado-pipeline.instructions.md.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Comment thread .github/instructions/ado-pipeline.instructions.md Outdated
Comment thread .github/workflows/ado/templates/steps/commit-range-postmerge.yml Outdated
Comment thread .github/workflows/ado/templates/pr-check-ct-stages.yml Outdated
Comment thread .github/workflows/ado/pr-check-ct.yml Outdated
Address the second round of PR microsoft#17885 review comments and apply the same
patterns across all ADO YAMLs (package-build as well as pr-check-ct):

- Drop the `variableGroup` parameter from both stages templates; take
  `apiAudience`/`apiBaseAFDUrl` params and surface them (plus packageTarget /
  pollTimeoutSeconds) in the job `variables:` section so a caller may pass
  runtime $[ ] / $(macro) expressions. Both wrappers now declare the
  ControlTower-PRCheck group at root and pass $(ApiAudience)/$(ApiBaseAFDUrl).
- Drop the redundant CT_BUILD_REASON everywhere; use the auto-provided
  $BUILD_REASON.
- Route every pipeline parameter/variable used by a script through `env:`
  (setvariable name params, packageTarget, pollTimeoutSeconds, build reason) —
  no `${{ parameters }}`/`$(var)` inlined in script bodies.
- Trim the wrapper variable-group comments to name only the extracted variables.

AI instructions (ado-pipeline.instructions.md):
- `<var>OutputVarTask` for the output-variable task-name parameter.
- New rule: pass pipeline params/vars into scripts through `env:`.
- New rule: templates that own a `variables:` section surface runtime-consumed
  params as variables (runtime $[ ] expressions only evaluate there).
- Update the worked wrapper/stages example to match.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Copilot AI review requested due to automatic review settings July 2, 2026 01:18

Copilot AI left a comment


Pull request overview

Copilot reviewed 22 out of 22 changed files in this pull request and generated 1 comment.

--changed-components-file "$CHANGED_COMPONENTS_FILE" \
--source-commit "$SOURCE_COMMIT" \
--repo-uri "$UPSTREAM_REPO_URL"
env:
Comment on lines +24 to +25
# Control Tower API audience + base URL, passed by the wrapper (which owns the
# variable group / env-specific values). The template stays group-agnostic.


Remove comment - template has no knowledge of the origin (variable group at the moment) of the parameters. This comment can easily go stale. Remove such assumptions of caller's intentions from all templates and scripts you've touched in this PR.

Comment on lines +60 to +61
# Runtime-consumed params surfaced as variables so a caller may pass
# runtime $[ ] / $(macro) expressions (evaluated here, not inline).

PawelWMS Jul 2, 2026


Remove comment, don't explain the calling convention in every YAML. Apply globally to all changes in this PR. If this approach is missing from the AI instructions - update them.

…plates

Third round of PR microsoft#17885 review comments:
- Restore a short note (both stages templates' env blocks) that Build.Reason is
  auto-exposed as $BUILD_REASON and must NOT be added to env: -- the agent drops
  env: overrides of that reserved predefined variable. Also documented as an
  exception to the "pass params through env:" rule in the ADO instructions.
- Remove comments that assumed the caller's intent / parameter value origin
  (the "passed by the wrapper / owns the variable group" and "surfaced as
  variables so a caller may pass..." notes) from the stages and step templates;
  the calling convention lives in the ADO instructions, not in every YAML.
  Reworded install-deps.yml / prepare-change-set.yml param docs to be
  caller-agnostic.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>