build: Add a 1ES Pipeline Templates version of Canary#20127
This reverts commit 9771a64.
| @@ -0,0 +1,64 @@ | |||
| trigger: none | |||
| branding: Canary | ||
|
|
||
| extends: | ||
| template: templates-v2/pipeline-1espt-full-release-build.yml |
| @@ -0,0 +1,233 @@ | |||
| parameters: | |||
| - output: pipelineArtifact | ||
| targetPath: $(JobOutputDirectory) | ||
| artifactName: $(JobOutputArtifactName) | ||
| publishArtifacts: false # Handled by 1ESPT |
| pgoBuildMode: ${{ parameters.pgoBuildMode }} | ||
| buildConfigurations: ${{ parameters.buildConfigurations }} | ||
| buildPlatforms: ${{ parameters.buildPlatforms }} | ||
| generateSbom: false # this is handled by 1ESPT |
| - output: pipelineArtifact | ||
| targetPath: $(JobOutputDirectory) | ||
| artifactName: $(JobOutputArtifactName) | ||
| publishArtifacts: false # Handled by 1ESPT |
| buildConfigurations: ${{ parameters.buildConfigurations }} | ||
| buildPlatforms: | ||
| - Any CPU | ||
| generateSbom: false # this is handled by 1ESPT |
| - output: pipelineArtifact | ||
| targetPath: $(JobOutputDirectory) | ||
| artifactName: $(JobOutputArtifactName) | ||
| publishArtifacts: false # Handled by 1ESPT |
|
Salient diffs between
diff --git a/build/pipelines/ob-nightly.yml b/build/pipelines/1espt-nightly.yml
index 603593dca..cbd6cfef7 100644
--- a/build/pipelines/ob-nightly.yml
+++ b/build/pipelines/1espt-nightly.yml
@@ -13,6 +13,10 @@ parameters:
displayName: "Deploy to **PUBLIC** Azure Storage"
type: boolean
default: true
+ - name: official
+ displayName: "Run on Official 1ES Pipeline Templates"
+ type: boolean
+ default: true
name: $(BuildDefinitionName)_$(date:yyMM).$(date:dd)$(rev:rrr)
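Review bot: The new `official` parameter can be switched off at queue time while the deploy toggle just above it ("Deploy to **PUBLIC** Azure Storage", default `true`) stays on, so a run on the Unofficial template could still publish to public storage. The next hunk forwards it as `official: ${{ parameters.official }}` where the value used to be the literal `true`, and the same file keeps `publishSymbolsToPublic: true`. Whether the Unofficial template or the deploy job already blocks this is not visible here; if not, condition the deploy job and public symbol publishing on `parameters.official`, and state the intent on the parameter, e.g. `# Unofficial runs are for validation only and must not deploy publicly`. The `parameters:` list starts above the hunk.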
@@ -20,12 +24,11 @@ variables:
- template: templates-v2/variables-nuget-package-version.yml
parameters:
branding: Canary
- - template: templates-v2/variables-onebranch-config.yml
extends:
- template: templates-v2/pipeline-onebranch-full-release-build.yml
+ template: templates-v2/pipeline-1espt-full-release-build.yml
parameters:
- official: true
+ official: ${{ parameters.official }}
branding: Canary
buildTerminal: true
pgoBuildMode: Optimize
@@ -40,7 +43,6 @@ extends:
useManagedIdentity: $(SigningUseManagedIdentity)
clientId: $(SigningOriginalClientId)
publishSymbolsToPublic: true
- publishVpackToWindows: false
symbolExpiryTime: 15
symbolPublishingSubscription: $(SymbolPublishingServiceConnection)
symbolPublishingProject: $(SymbolPublishingProject)
@@ -48,12 +50,9 @@ extends:
extraPublishJobs:
- template: build/pipelines/templates-v2/job-deploy-to-azure-storage.yml@self
parameters:
- pool: { type: windows }
- variables:
- ob_sdl_prefast_enabled: false # This is a collection of powershell scripts
- ob_git_checkout: false # This job checks itself out
- ob_git_skip_checkout_none: true
- ob_outputDirectory: "$(Build.SourcesDirectory)/_none"
+ pool:
+ name: SHINE-INT-S
+ os: windows
dependsOn: [PublishSymbols]
storagePublicRootURL: $(AppInstallerRootURL)
subscription: $(AzureSubscriptionName)
and likewise, diffs between the actual pipeline templates:
diff --git a/build/pipelines/templates-v2/pipeline-onebranch-full-release-build.yml b/build/pipelines/templates-v2/pipeline-1espt-full-release-build.yml
index bd78a0d5f..62e541a2c 100644
--- a/build/pipelines/templates-v2/pipeline-onebranch-full-release-build.yml
+++ b/build/pipelines/templates-v2/pipeline-1espt-full-release-build.yml
@@ -49,12 +49,6 @@ parameters:
- name: symbolExpiryTime
type: string
default: 36530 # This is the default from PublishSymbols@2
- - name: createVpack
- type: boolean
- default: false
- - name: publishVpackToWindows
- type: boolean
- default: false
- name: symbolPublishingSubscription
type: string
- name: symbolPublishingProject
@@ -69,42 +63,30 @@ parameters:
resources:
repositories:
- - repository: templates
+ - repository: 1esPipelines
type: git
- name: OneBranch.Pipelines/GovernedTemplates
- ref: refs/heads/main
+ name: 1ESPipelineTemplates/1ESPipelineTemplates
+ ref: refs/tags/release
extends:
${{ if eq(parameters.official, true) }}:
- template: v2/Microsoft.Official.yml@templates # https://aka.ms/obpipelines/templates
+ template: v1/1ES.Official.PipelineTemplate.yml@1esPipelines
${{ else }}:
- template: v2/Microsoft.NonOfficial.yml@templates
+ template: v1/1ES.Unofficial.PipelineTemplate.yml@1esPipelines
parameters:
- featureFlags:
- WindowsHostVersion:
- Version: 2022
- Network: R1
- platform:
- name: 'windows_undocked'
- product: 'Windows Terminal'
- cloudvault: # https://aka.ms/obpipelines/cloudvault
- enabled: false
- globalSdl: # https://aka.ms/obpipelines/sdl
- enableCheckCFlags: false # CheckCFlags is broken and exploding our builds; to remove, :g/BAD-FLAGS/d
- isNativeCode: true
- prefast:
- enabled: true
- asyncSdl:
- enabled: true
- tsaOptionsFile: 'build/config/tsa.json'
+ customBuildTags:
+ - 1ES.PT.ViaStartRight
+ pool:
+ name: SHINE-INT-L
+ os: windows
+ sdl:
tsa:
enabled: true
configFile: '$(Build.SourcesDirectory)\build\config\tsa.json'
binskim:
- break: false
- scanOutputDirectoryOnly: true
+ enabled: true
policheck:
- break: false
+ enabled: false
severity: Note
baseline:
baselineFile: '$(Build.SourcesDirectory)\build\config\release.gdnbaselines'
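Review bot: PoliCheck goes from `break: false` to `enabled: false` in the new `sdl:` block with no stated reason, and the `severity: Note` line left under it no longer has any effect. The removed OneBranch settings also included `prefast: enabled: true` and `isNativeCode: true`, and nothing in the visible part of the new block says whether native static analysis still runs on this release build; 1ESPT may enable it by default, but that cannot be confirmed from the hunk. Please record the decision next to the setting, e.g. `enabled: false # <reason PoliCheck is off for Canary>`, and add a comment naming where PREfast coverage now comes from. The `sdl:` block continues past the end of this hunk.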
@@ -117,17 +99,12 @@ extends:
jobs:
- template: ./build/pipelines/templates-v2/job-build-project.yml@self
parameters:
- pool: { type: windows }
- variables:
- ob_sdl_checkcflags_enabled: false # BAD-FLAGS
- ob_sdl_xfgcheck_enabled: false # BAD-FLAGS
- ob_sdl_prefast_runDuring: Build
- ob_sdl_checkCompliantCompilerWarnings: true
- ob_git_checkout: false # This job checks itself out
- ob_git_skip_checkout_none: true
- ob_outputDirectory: $(JobOutputDirectory)
- ob_artifactBaseName: $(JobOutputArtifactName)
- publishArtifacts: false # Handled by OneBranch
+ outerTemplateContext:
+ outputs:
+ - output: pipelineArtifact
+ targetPath: $(JobOutputDirectory)
+ artifactName: $(JobOutputArtifactName)
+ publishArtifacts: false # Handled by 1ESPT
branding: ${{ parameters.branding }}
buildTerminal: ${{ parameters.buildTerminal }}
buildConPTY: ${{ parameters.buildConPTY }}
@@ -135,13 +112,15 @@ extends:
pgoBuildMode: ${{ parameters.pgoBuildMode }}
buildConfigurations: ${{ parameters.buildConfigurations }}
buildPlatforms: ${{ parameters.buildPlatforms }}
- generateSbom: false # this is handled by onebranch
+ generateSbom: false # this is handled by 1ESPT
removeAllNonSignedFiles: true # appease the overlords
codeSign: ${{ parameters.codeSign }}
signingIdentity: ${{ parameters.signingIdentity }}
- beforeBuildSteps: # Right before we build, lay down the universal package and localizations
+ beforeBuildSteps:
- template: ./build/pipelines/templates-v2/steps-setup-versioning.yml@self
+ - template: ./build/pipelines/templates-v2/steps-install-terrapin.yml@self
+
- task: UniversalPackages@0
displayName: Download terminal-internal Universal Package
inputs:
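Review bot: The trailing comment on `beforeBuildSteps:` was dropped and the added `steps-install-terrapin.yml@self` step carries no explanation, so the list no longer says what has to be in place before the build starts. Since the pull request description says Terrapin is meant to replace vcpkg's direct downloads from remote servers, its position ahead of the build is worth stating, e.g. `beforeBuildSteps: # Versioning, then Terrapin (vcpkg source retrieval), then the universal package`. The UniversalPackages task continues past the end of the hunk.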
@@ -153,16 +132,12 @@ extends:
# Add an Any CPU build flavor for the WPF control bits
- template: ./build/pipelines/templates-v2/job-build-project.yml@self
parameters:
- pool: { type: windows }
- variables:
- ob_sdl_checkcflags_enabled: false # BAD-FLAGS
- ob_sdl_xfgcheck_enabled: false # BAD-FLAGS
- ob_sdl_prefast_enabled: false # This is a C# build job
- ob_git_checkout: false # This job checks itself out
- ob_git_skip_checkout_none: true
- ob_outputDirectory: $(JobOutputDirectory)
- ob_artifactBaseName: $(JobOutputArtifactName)
- publishArtifacts: false # Handled by OneBranch
+ outerTemplateContext:
+ outputs:
+ - output: pipelineArtifact
+ targetPath: $(JobOutputDirectory)
+ artifactName: $(JobOutputArtifactName)
+ publishArtifacts: false # Handled by 1ESPT
jobName: BuildWPF
branding: ${{ parameters.branding }}
buildTerminal: false
@@ -170,7 +145,7 @@ extends:
buildConfigurations: ${{ parameters.buildConfigurations }}
buildPlatforms:
- Any CPU
- generateSbom: false # this is handled by onebranch
+ generateSbom: false # this is handled by 1ESPT
removeAllNonSignedFiles: true # appease the overlords
codeSign: ${{ parameters.codeSign }}
signingIdentity: ${{ parameters.signingIdentity }}
@@ -185,95 +160,56 @@ extends:
- ${{ if eq(parameters.buildTerminal, true) }}:
- template: ./build/pipelines/templates-v2/job-merge-msix-into-bundle.yml@self
parameters:
- pool: { type: windows }
- variables:
- ob_sdl_checkcflags_enabled: false # BAD-FLAGS
- ob_sdl_xfgcheck_enabled: false # BAD-FLAGS
- ob_sdl_prefast_enabled: false # This is a collection of powershell scripts
- ob_git_checkout: false # This job checks itself out
- ob_git_skip_checkout_none: true
- ob_outputDirectory: $(JobOutputDirectory)
- ob_artifactBaseName: $(JobOutputArtifactName)
- ### This job is also in charge of submitting the vpack to Windows if it's enabled
- ob_createvpack_enabled: ${{ and(parameters.buildTerminal, parameters.createVpack) }}
- ob_updateOSManifest_enabled: ${{ and(parameters.buildTerminal, parameters.createVpack, parameters.publishVpackToWindows) }}
- ### If enabled above, these options are in play.
- ob_createvpack_packagename: 'WindowsTerminal.app'
- ob_createvpack_owneralias: 'conhost@microsoft.com'
- ob_createvpack_description: 'VPack for the Windows Terminal Application'
- ob_createvpack_targetDestinationDirectory: '$(Destination)'
- ob_createvpack_propsFile: false
- ob_createvpack_provData: true
- ob_createvpack_metadata: '$(Build.SourceVersion)'
- ob_createvpack_topLevelRetries: 0
- ob_createvpack_failOnStdErr: true
- ob_createvpack_taskLogVerbosity: Detailed
- ob_createvpack_verbose: true
- ob_createvpack_vpackdirectory: '$(JobOutputDirectory)\vpack'
- ob_createvpack_versionAs: string
- ob_createvpack_version: '$(XES_PACKAGEVERSIONNUMBER)'
- ob_updateOSManifest_gitcheckinConfigPath: '$(Build.SourcesDirectory)\build\config\GitCheckin.json'
- # We're skipping the 'fetch' part of the OneBranch rules, but that doesn't mean
- # that it doesn't expect to have downloaded a manifest directly to some 'destination'
- # folder that it can then update and upload.
- # Effectively: it says "destination" but it means "source"
- # DH: Don't ask why.
- ob_updateOSManifest_destination: $(XES_VPACKMANIFESTDIRECTORY)
- ob_updateOSManifest_skipFetch: true
- publishArtifacts: false # Handled by OneBranch
+ pool:
+ name: SHINE-INT-S
+ os: windows
+ outerTemplateContext:
+ outputs:
+ - output: pipelineArtifact
+ targetPath: $(JobOutputDirectory)
+ artifactName: $(JobOutputArtifactName)
+ publishArtifacts: false # Handled by 1ESPT
jobName: Bundle
branding: ${{ parameters.branding }}
buildConfigurations: ${{ parameters.buildConfigurations }}
buildPlatforms: ${{ parameters.buildPlatforms }}
- generateSbom: false # Handled by onebranch
+ generateSbom: false # Handled by 1ESPT
codeSign: ${{ parameters.codeSign }}
signingIdentity: ${{ parameters.signingIdentity }}
- afterBuildSteps:
- # This directory has to exist, even if we aren't using createvpack, because the Guardian rules demand it.
- - pwsh: |-
- New-Item "$(JobOutputDirectory)/vpack" -Type Directory
- displayName: Make sure the vpack directory exists
-
- - ${{ if parameters.createVpack }}:
- - pwsh: |-
- Copy-Item -Verbose -Path "$(MsixBundlePath)" -Destination (Join-Path "$(JobOutputDirectory)/vpack" 'Microsoft.WindowsTerminal_8wekyb3d8bbwe.msixbundle')
- displayName: Stage msixbundle for vpack
- ${{ if eq(parameters.buildConPTY, true) }}:
- template: ./build/pipelines/templates-v2/job-package-conpty.yml@self
parameters:
- pool: { type: windows }
- variables:
- ob_sdl_checkcflags_enabled: false # BAD-FLAGS
- ob_sdl_xfgcheck_enabled: false # BAD-FLAGS
- ob_sdl_prefast_enabled: false # This is a collection of powershell scripts
- ob_git_checkout: false # This job checks itself out
- ob_git_skip_checkout_none: true
- ob_outputDirectory: $(JobOutputDirectory)
- ob_artifactBaseName: $(JobOutputArtifactName)
- publishArtifacts: false # Handled by OneBranch
+ pool:
+ name: SHINE-INT-S
+ os: windows
+ outerTemplateContext:
+ outputs:
+ - output: pipelineArtifact
+ targetPath: $(JobOutputDirectory)
+ artifactName: $(JobOutputArtifactName)
+ publishArtifacts: false # Handled by 1ESPT
buildConfigurations: ${{ parameters.buildConfigurations }}
buildPlatforms: ${{ parameters.buildPlatforms }}
- generateSbom: false # this is handled by onebranch
+ generateSbom: false # this is handled by 1ESPT
codeSign: ${{ parameters.codeSign }}
signingIdentity: ${{ parameters.signingIdentity }}
- ${{ if eq(parameters.buildWPF, true) }}:
- template: ./build/pipelines/templates-v2/job-build-package-wpf.yml@self
parameters:
- pool: { type: windows }
- variables:
- ob_sdl_checkcflags_enabled: false # BAD-FLAGS
- ob_sdl_xfgcheck_enabled: false # BAD-FLAGS
- ob_sdl_prefast_enabled: false # This is a collection of powershell scripts
- ob_git_checkout: false # This job checks itself out
- ob_git_skip_checkout_none: true
- ob_outputDirectory: $(JobOutputDirectory)
- ob_artifactBaseName: $(JobOutputArtifactName)
- publishArtifacts: false # Handled by OneBranch
+ pool:
+ name: SHINE-INT-S
+ os: windows
+ outerTemplateContext:
+ outputs:
+ - output: pipelineArtifact
+ targetPath: $(JobOutputDirectory)
+ artifactName: $(JobOutputArtifactName)
+ publishArtifacts: false # Handled by 1ESPT
buildConfigurations: ${{ parameters.buildConfigurations }}
buildPlatforms: ${{ parameters.buildPlatforms }}
- generateSbom: false # this is handled by onebranch
+ generateSbom: false # this is handled by 1ESPT
codeSign: ${{ parameters.codeSign }}
signingIdentity: ${{ parameters.signingIdentity }}
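Review bot: The pool name `SHINE-INT-S` is written out for each job in this hunk (Bundle, ConPTY packaging, WPF packaging), again in the symbol-publishing hunk that follows, and in the deploy job in `1espt-nightly.yml`. Jobs that sign or publish should all land on the same agent pool, and five literal copies make it easy to change one and miss the rest. Consider a single template parameter with that default, passed as `pool: ${{ parameters.smallPool }}` (the name is only a suggestion). The two build jobs set no `pool:` and presumably inherit `SHINE-INT-L` from the top-level block; a one-line comment there would make that explicit.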
@@ -286,19 +222,12 @@ extends:
jobs:
- template: ./build/pipelines/templates-v2/job-publish-symbols-using-symbolrequestprod-api.yml@self
parameters:
- pool: { type: windows }
+ pool:
+ name: SHINE-INT-S
+ os: windows
includePublicSymbolServer: ${{ parameters.publishSymbolsToPublic }}
symbolExpiryTime: ${{ parameters.symbolExpiryTime }}
subscription: ${{ parameters.symbolPublishingSubscription }}
symbolProject: ${{ parameters.symbolPublishingProject }}
- variables:
- ob_sdl_checkcflags_enabled: false # BAD-FLAGS
- ob_sdl_xfgcheck_enabled: false # BAD-FLAGS
- ob_sdl_prefast_enabled: false # This is a collection of powershell scripts
- ob_git_checkout: false # This job checks itself out
- ob_git_skip_checkout_none: true
- ob_outputDirectory: $(Build.ArtifactStagingDirectory)
- # Without this, OneBranch will nerf our symbol tasks
- ob_symbolsPublishing_enabled: true
- ${{ parameters.extraPublishJobs }} |
|
|
||
| jobs: | ||
| - job: ${{ parameters.jobName }} | ||
| templateContext: ${{ parameters.outerTemplateContext }} |
this stuff allows the outer template to inject stuff into THIS job for the grandparent/ancestor template. lol.
@check-spelling-bot Report🔴 Please reviewSee the 📂 files view, the 📜action log, or 📝 job summary for details.Unrecognized words (1)espt These words are not needed and should be removedlto TlggTo accept these unrecognized words as correct and remove the previously acknowledged and now absent words, you could run the following commands... in a clone of the git@github.com:microsoft/terminal.git repository curl -s -S -L 'https://raw.githubusercontent.com/check-spelling/check-spelling/c635c2f3f714eec2fcf27b643a1919b9a811ef2e/apply.pl' |
perl - 'https://github.com/microsoft/terminal/actions/runs/24590050390/attempts/1' &&
git commit -m 'Update check-spelling metadata'Errors and Warnings ❌ (2)See the 📂 files view, the 📜action log, or 📝 job summary for details.
See ❌ Event descriptions for more information. ✏️ Contributor please read thisBy default the command suggestion will generate a file named based on your commit. That's generally ok as long as you add the file to your commit. Someone can reorganize it later. If the listed items are:
See the 🔬 You can test your commits without appending to a PR by creating a new branch with that extra change and pushing it to your fork. The check-spelling action will run in response to your push -- it doesn't require an open pull request. By using such a branch, you can limit the number of typos your peers see you make. 😉 If the flagged items are 🤯 false positivesIf items relate to a ...
|
This pipeline runs on our agents, rather than OneBranch's, and doesn't use all of the OneBranch machinery--which is only required for producing a vpack that we check into Windows. Since Canary will never be a vpack, we don't need to worry.
It runs at about twice the speed and we control the build images!
This pull request also adds support for the "Terrapin Retrieval Tool," which will allow us to move away from having vcpkg contact remote servers directly to download source code (and which may become mandatory even in our OneBranch pipelines.)