ci: add Control Tower prcheck to the PR check + reusable step templates #17885
PawelWMS wants to merge 11 commits into
Rename the confusingly-named --source-commit/--target-commit flags to --from-commit (baseline / merge base) and --to-commit (newer commit), and add optional --changed-components-file / --specs-diff-file / --render-set-file output-name overrides (defaults unchanged). Update all three callers: pr-package-build-stages.yml, common-steps.yml, and the check-rendered-specs GitHub Actions gate. Ordering preserved: from -> to (base -> head). Resolves the two AI: comments on the compute_change_set.sh call site. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
compute_changed.sh had a single caller (compute_change_set.sh), so fold it in as a compute_changed() function and delete the standalone script. Behavior is unchanged: azldev component changed --from <base> --to <head> with the same supply-chain drift guard. Update the components README table and the common-steps.yml comment that referenced the removed script. Resolves the @ai: comment on the compute_changed.sh wrapper. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Add reusable step templates under templates/steps/ so the post-merge and PR
Control Tower pipelines can compose only the pieces they need instead of
duplicating setup:
  ensure-full-history.yml     unshallow guard
  install-deps.yml            PipAuthenticate + azldev + python deps, with
                              installMock / installAdoRequirements /
                              normalizeGoGitConfig toggles
  commit-range-postmerge.yml  previous-build delta (ADO Builds API)
  commit-range-pr.yml         merge-commit-parent range (PR)
  prepare-change-set.yml      compute_change_set.sh + triage artifact,
                              from/to variable names parameterized
  verify-locks.yml            lock freshness check
  verify-rendered-specs.yml   render --check-only drift check
These are additive; nothing consumes them yet (wired in follow-up commits).
Two AI: fixes land here, in commit-range-pr.yml:
- build-reason check moved to a compile-time template expression on
variables['Build.Reason'] so a mis-triggered run fails fast.
- the merge-base is now named baseCommit / base_commit (it is the fork
point, not the target tip).
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Replace the inlined step bodies in common-steps.yml with composition of the new templates/steps/* templates. The post-merge pipelines (package-build, source-upload) that splice common-steps in are unchanged in effect: same steps, same order, same emitted variables (sourceCommit/targetCommit -> changedComponentsFile/renderSetFile). Note one intentional, safe hardening: the shared install-deps.yml validates .azldev-version against ^[0-9A-Za-z._+-]+$ before `go install`, which the old common-steps did not. The committed .azldev-version is well-formed, so this only rejects a genuinely malformed value. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
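The version-file check described in the commit message above, as an added example that is not the PR's `install-deps.yml`: it applies the quoted allow-list `^[0-9A-Za-z._+-]+$` to the file content before building the argument for `go install`. The module path and the function names `is_valid_version`, `go_install_arg` and `check_sample` are assumptions for illustration; the sample values are constructed.

```sh
# Added example, not the PR's install-deps.yml. MODULE is a placeholder: the
# page does not give the module path that `go install` is pointed at.
MODULE='example.invalid/azldev/cmd/azldev'

# is_valid_version VALUE: succeeds only for a non-empty VALUE made entirely of
# the characters allowed by ^[0-9A-Za-z._+-]+$. Runs in a subshell so that
# LC_ALL=C (ASCII-only A-Z/a-z ranges) does not leak into the caller.
is_valid_version() (
    LC_ALL=C
    case "$1" in
        '' | *[!0-9A-Za-z._+-]*) exit 1 ;;
    esac
)

# go_install_arg FILE: prints "<module>@<version>" for a well-formed version
# file; prints nothing on stdout and fails otherwise.
go_install_arg() {
    [ -f "$1" ] || { echo "missing version file: $1" >&2; return 2; }
    # $(cat) drops trailing newlines only. A CR, a space or a second line stays
    # in the value and is rejected below instead of being trimmed away.
    version=$(cat "$1")
    if ! is_valid_version "$version"; then
        echo "refusing malformed version in $1" >&2
        return 1
    fi
    printf '%s@%s\n' "$MODULE" "$version"
}

# check_sample RAW: writes RAW (printf %b escapes expanded) to a temp file and
# runs the check on it, standing in for the committed .azldev-version.
check_sample() {
    f=$(mktemp) || return 2
    printf '%b' "$1" > "$f"
    rc=0
    go_install_arg "$f" 2>/dev/null || rc=$?
    rm -f "$f"
    return "$rc"
}

# Constructed samples: two well-formed values, then CRLF, an embedded space,
# a shell metacharacter, two lines, and an empty file.
for s in 'v0.4.1\n' '1.2.3+build.7\n' 'v0.4.1\r\n' 'v0.4.1 -x\n' 'v1;true\n' 'v1\nv2\n' ''; do
    if arg=$(check_sample "$s"); then
        printf 'accept  %s\n' "$arg"
    else
        printf 'reject  sample %s\n' "$s"
    fi
done
```

A version file saved with CRLF line endings is rejected rather than trimmed, so a failure on an otherwise correct-looking file usually points at line endings.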
…lates
Rewrite the PR package-build stages template to:
- compose the shared templates/steps/* templates (ensure-full-history,
install-deps with normalizeGoGitConfig, commit-range-pr, prepare-change-set)
instead of duplicating the setup inline; and
- call Control Tower 'prcheck' BEFORE the scratch package build. prcheck
uploads the missing lookaside sources for the changed components so they are
present when the build fetches them, so it must run first.
This folds the prcheck call (previously in sources-upload-stages.yml) into the
active PR check. The scratch-build step is unchanged. Reusing the granular
templates also lands the remaining template-local AI: fixes (build-reason
template expression and baseCommit rename live in commit-range-pr.yml; the
change_set_dir/changedComponentsFile derivation lives in prepare-change-set.yml).
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Rename the template pair now that the PR check does prcheck + package build:
  pr-package-build.yml        -> pr-check-ct.yml
  pr-package-build-stages.yml -> pr-check-ct-stages.yml
Rename the stage/job PRPackageBuild -> PRCheckCT, repoint the wrapper @self template path and artifactBaseName (prcheckct), and refresh the header comments and the components README references.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The Control Tower prcheck (source upload) call now lives in the PR check (pr-check-ct), so the standalone source-upload pipeline is redundant. Delete both files:
  .github/workflows/ado/sources-upload.yml
  .github/workflows/ado/templates/sources-upload-stages.yml
Scrub the now-dangling references in the package-build wrapper/stages headers, common-steps.yml, the scripts/ci READMEs, and the ado-pipeline instructions (canonical pairing example and shared-sub-template note repointed to the still-live package-build pipeline and the granular templates/steps/*).
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
This PR re-wires the ADO PR Control Tower check so it calls Control Tower prcheck (intended to upload changed components' missing lookaside sources) before submitting a scratch package build, and refactors the shared setup steps into granular, parameterized step sub-templates. It fits the repo's wrapper/raw-stages ADO convention and the cross-pipeline scripts/ci/components/ change-set contract, consolidating the previously separate sources-upload and pr-package-build pipelines into a single pr-check-ct flow.
Changes:
- Extract `common-steps.yml` into granular templates (`ensure-full-history`, `install-deps`, `commit-range-pr`/`commit-range-postmerge`, `prepare-change-set`, `verify-locks`, `verify-rendered-specs`) and recompose the post-merge pipeline from them.
- Rename `compute_change_set.sh` args `--source/--target-commit` → `--from/--to-commit`, inline the now-deleted `compute_changed.sh`, and add configurable output-file names; update all callers.
- Add `prcheck` before the scratch build in the renamed `pr-check-ct` pipeline and remove the standalone `sources-upload` pipeline, updating docs/READMEs.
Reviewed changes
Copilot reviewed 21 out of 21 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| `.github/workflows/ado/templates/pr-check-ct-stages.yml` | New PR CT stages: prcheck + scratch build composed from shared step templates (contains the prcheck no-op discrepancy). |
| `.github/workflows/ado/pr-check-ct.yml` | Wrapper retargeted to pr-check-ct-stages.yml, artifact renamed prcheckct, passes all required params. |
| `.github/workflows/ado/templates/steps/install-deps.yml` | New parameterized dep-install step (mock/ADO SDK/go-git-normalize opt-ins) with azldev version validation. |
| `.github/workflows/ado/templates/steps/prepare-change-set.yml` | New change-set step; from/to commit vars parameterized, publishes triage artifact + pipeline vars. |
| `.github/workflows/ado/templates/steps/commit-range-pr.yml` | New PR merge-base range resolver with compile-time PR-build guard + SHA validation. |
| `.github/workflows/ado/templates/steps/commit-range-postmerge.yml` | Extracted post-merge commit-range logic (ADO Builds API). |
| `.github/workflows/ado/templates/steps/{ensure-full-history,verify-locks,verify-rendered-specs}.yml` | Extracted individual steps from common-steps.yml. |
| `.github/workflows/ado/templates/steps/common-steps.yml` | Recomposed post-merge step set from the granular templates (order preserved). |
| `scripts/ci/components/compute_change_set.sh` | Inlines compute_changed.sh, renames args to --from/--to-commit, adds output-name overrides. |
| `scripts/ci/components/compute_changed.sh` | Deleted (single caller inlined). |
| `.github/workflows/check-rendered-specs.yml` | GH Actions caller updated to --from-commit/--to-commit. |
| `.github/workflows/ado/{package-build.yml,templates/package-build-stages.yml}` | Comment updates reflecting composed-from-templates wording. |
| `.github/workflows/ado/{sources-upload.yml,templates/{sources-upload,pr-package-build}-stages.yml}` | Removed redundant pipelines/templates. |
| `scripts/ci/{components,ado}/README.md`, `.github/instructions/ado-pipeline.instructions.md` | Docs updated for new callers/canonical examples. |
| python3 scripts/ci/control-tower/run_prcheck.py \ | ||
| --api-audience "$API_AUDIENCE" \ | ||
| --api-base-url "$API_BASE_URL" \ | ||
| --build-reason "$CT_BUILD_REASON" \ | ||
| --changed-components-file "$CHANGED_COMPONENTS_FILE" \ | ||
| --source-commit "$SOURCE_COMMIT" \ | ||
| --repo-uri "$UPSTREAM_REPO_URL" | ||
| env: | ||
| API_AUDIENCE: $(ApiAudience) | ||
| API_BASE_URL: $(ApiBaseAFDUrl) | ||
| # Non-reserved name: an `env:` override of the reserved BUILD_REASON var is silently ignored by the agent. | ||
| CT_BUILD_REASON: $(Build.Reason) |
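Review bot: the `CT_BUILD_REASON: $(Build.Reason)` entry at the end of the `env:` block copies a value the script can already read. The comment above it calls BUILD_REASON a reserved variable, which means the agent already exports it to the step, so `--build-reason "$BUILD_REASON"` would work without the extra mapping. Suggest dropping `CT_BUILD_REASON` and keeping only a one-line note that BUILD_REASON must not be set under `env:`.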
- run_prcheck.py: remove the `build_reason == PullRequest` short-circuit so prcheck actually runs (and uploads sources) on PR triggers. (CT-side support for PR-triggered prcheck still to be verified — see session TODO.)
- pr-check-ct-stages.yml: replace the `variableGroup` parameter with explicit `apiAudience` / `apiBaseAFDUrl` string params passed by the wrapper; drop the job-scope `- group:`. The wrapper now declares the `ControlTower-PRCheck` group at root and passes `$(ApiAudience)` / `$(ApiBaseAFDUrl)`.
- Drop the redundant `CT_BUILD_REASON` env var in both AzureCLI steps; use the auto-provided `$BUILD_REASON` directly.
- Drop the trailing "runs first…" sentence from the prcheck step comment.
- Parameterize the names of job variables the step templates set (commit-range-pr: sourceCommitVar/baseCommitVar; commit-range-postmerge: sourceCommitVar/targetCommitVar; prepare-change-set: changedComponentsFileVar/renderSetFileVar), defaults = current names.
- Document the `<name>Var` / `<name>OutputVar` variable-naming convention in ado-pipeline.instructions.md.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Address the second round of PR microsoft#17885 review comments and apply the same patterns across all ADO YAMLs (package-build as well as pr-check-ct):
- Drop the `variableGroup` parameter from both stages templates; take `apiAudience`/`apiBaseAFDUrl` params and surface them (plus packageTarget / pollTimeoutSeconds) in the job `variables:` section so a caller may pass runtime $[ ] / $(macro) expressions. Both wrappers now declare the ControlTower-PRCheck group at root and pass $(ApiAudience)/$(ApiBaseAFDUrl).
- Drop the redundant CT_BUILD_REASON everywhere; use the auto-provided $BUILD_REASON.
- Route every pipeline parameter/variable used by a script through `env:` (setvariable name params, packageTarget, pollTimeoutSeconds, build reason) — no `${{ parameters }}`/`$(var)` inlined in script bodies.
- Trim the wrapper variable-group comments to name only the extracted variables.
AI instructions (ado-pipeline.instructions.md):
- `<var>OutputVarTask` for the output-variable task-name parameter.
- New rule: pass pipeline params/vars into scripts through `env:`.
- New rule: templates that own a `variables:` section surface runtime-consumed params as variables (runtime $[ ] expressions only evaluate there).
- Update the worked wrapper/stages example to match.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
| --changed-components-file "$CHANGED_COMPONENTS_FILE" \ | ||
| --source-commit "$SOURCE_COMMIT" \ | ||
| --repo-uri "$UPSTREAM_REPO_URL" | ||
| env: |
| # Control Tower API audience + base URL, passed by the wrapper (which owns the | ||
| # variable group / env-specific values). The template stays group-agnostic. |
Remove comment - template has no knowledge of the origin (variable group at the moment) of the parameters. This comment can easily go stale. Remove such assumptions of caller's intentions from all templates and scripts you've touched in this PR.
| # Runtime-consumed params surfaced as variables so a caller may pass | ||
| # runtime $[ ] / $(macro) expressions (evaluated here, not inline). |
Remove comment, don't explain the calling convention in every YAML. Apply globally to all changes in this PR. If this approach is missing from the AI instructions, update them.
…plates
Third round of PR microsoft#17885 review comments:
- Restore a short note (both stages templates' env blocks) that Build.Reason is auto-exposed as $BUILD_REASON and must NOT be added to env: -- the agent drops env: overrides of that reserved predefined variable. Also documented as an exception to the "pass params through env:" rule in the ADO instructions.
- Remove comments that assumed the caller's intent / parameter value origin (the "passed by the wrapper / owns the variable group" and "surfaced as variables so a caller may pass..." notes) from the stages and step templates; the calling convention lives in the ADO instructions, not in every YAML. Reworded install-deps.yml / prepare-change-set.yml param docs to be caller-agnostic.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
What

Re-adds the Control Tower `prcheck` (source-upload) call into the active PR check, and refactors the ADO Control Tower pipeline templates to share setup via reusable, parameterized step templates.

Per-PR flow of the renamed `pr-check-ct` pipeline: shared setup + change detection → `prcheck` (uploads the changed components' missing lookaside sources) → scratch package build. prcheck runs before the build because the build depends on the sources prcheck uploads.

Commits (each self-contained)

- `compute_change_set.sh`: rename `--source/--target-commit` → `--from/--to-commit`, add optional output-name params.
- `compute_changed.sh` into `compute_change_set.sh` (single caller); delete the wrapper.
- `common-steps.yml` into granular parameterized step templates under `templates/steps/`.
- `common-steps.yml` (post-merge pipeline) from those templates — behavior-preserving.
- `prcheck` to the PR check and compose it from the shared templates.
- `pr-package-build*` → `pr-check-ct*` (stage/job `PRCheckCT`).
- `sources-upload` pipeline; scrub references.

Resolved inline AI:/@AI: review notes

- `Build.Reason` (fail fast).
- `targetCommit`/`target_commit` → `baseCommit`/`base_commit` (it is the fork point, not the target tip).
- `change_set_dir`/`changedComponentsFile` derived via the shared `prepare-change-set.yml`.
- `compute_change_set.sh` arg rename + output-name params; wrapper script inlined.

Reviewer notes

- `compute_change_set.sh` passes `bash -n`. Real end-to-end validation is the ADO pipeline (mariner-org/azldef 5465) — not run here.
- `pr-check-ct.yml` stays NonOfficial / DEV for now (uses the DEV service connection + DEV endpoint, scratch builds only). Revisit whether the prcheck source upload into the 'scanned' location warrants promotion to Official.

Related work items (ADO mariner-org/mariner)

Draft for review.