AArnott · AArnott · Jan 14, 2025 · Jan 13, 2025
diff --git a/Expand-Template.ps1 b/Expand-Template.ps1
@@ -156,7 +156,7 @@ try {
     $YmlReplacements = @{
         "(?m)^\s+- microbuild`r?`n"=""
     }
-    Replace-Placeholders -Path "azure-pipelines\official.yml" -Replacements $YmlReplacements
+    Replace-Placeholders -Path "azure-pipelines\unofficial.yml" -Replacements $YmlReplacements
     Replace-Placeholders -Path "azure-pipelines.yml" -Replacements $YmlReplacements
 
     $YmlReplacements = @{}

diff --git a/azure-pipelines/apiscan.yml b/azure-pipelines/apiscan.yml
@@ -1,6 +1,8 @@
 parameters:
 - name: windowsPool
   type: object
+- name: RealSign
+  type: boolean
 
 jobs:
 - job: apiscan
@@ -9,6 +11,12 @@ jobs:
   pool: ${{ parameters.windowsPool }}
   timeoutInMinutes: 120
   templateContext:
+    ${{ if not(parameters.RealSign) }}:
+      mb:
+        signing: # if the build is test-signed, install the signing plugin so that CSVTestSignPolicy.xml is available
+          enabled: true
+          zipSources: false
+          signType: test
     outputs:
     - output: pipelineArtifact
       displayName: 📢 collect apiscan artifact

diff --git a/azure-pipelines/build.yml b/azure-pipelines/build.yml
@@ -313,3 +313,4 @@ jobs:
     - template: apiscan.yml
       parameters:
         windowsPool: ${{ parameters.windowsPool }}
+        RealSign: ${{ parameters.RealSign }}
diff --git a/azure-pipelines/official.yml b/azure-pipelines/official.yml
@@ -1,17 +1,5 @@
-trigger:
-  batch: true
-  branches:
-    include:
-    - main
-    - microbuild
-    - 'validate/*'
-  paths:
-    exclude:
-    - doc/
-    - '*.md'
-    - .vscode/
-    - azure-pipelines/release.yml
-    - azure-pipelines/vs-insertion.yml
+trigger: none # We only want to trigger manually or based on a schedule
+pr: none
 #schedules:
 #- cron: "0 3 * * *" # Daily @ 8 PM PST
 #  displayName: Daily vs-insertion
@@ -23,10 +11,6 @@ parameters:
 # As an entrypoint pipeline yml file, all parameters here show up in the Queue Run dialog.
 # If any paramaters should NOT be queue-time options, they should be removed from here
 # and references to them in this file replaced with hard-coded values.
-- name: ForceOfficialBuild
-  displayName: Official build (sign, compliance, etc.)
-  type: boolean
-  default: false # this should remain false so PR builds using this pipeline are unofficial
 # - name: ShouldSkipOptimize # Uncomment this and references to it below when setting EnableOptProf to true in build.yml.
 #   displayName: Skip OptProf optimization
 #   type: boolean
@@ -55,75 +39,44 @@ variables:
 - template: GlobalVariables.yml
 
 extends:
-  ${{ if or(parameters.ForceOfficialBuild, eq(variables['Build.Reason'],'Schedule')) }}:
-    template: azure-pipelines/MicroBuild.1ES.Official.yml@MicroBuildTemplate
-    parameters:
-      sdl:
-        sourceAnalysisPool: VSEngSS-MicroBuild2022-1ES
-        codeSignValidation:
-          enabled: true
-          break: true
-          additionalTargetsGlobPattern: -|Variables-*\*.ps1;-|APIScanInputs-*\**;-|test_symbols-*\**;-|MicroBuild\**
-        policheck:
-          enabled: true
-          exclusionsFile: $(System.DefaultWorkingDirectory)\azure-pipelines\PoliCheckExclusions.xml
-        suppression:
-          suppressionFile: $(System.DefaultWorkingDirectory)\azure-pipelines\falsepositives.gdnsuppress
-        sbom:
-          enabled: true
-      stages:
-      - stage: Build
-        variables:
-        - template: /azure-pipelines/BuildStageVariables.yml@self
-        jobs:
-        - template: /azure-pipelines/build.yml@self
-          parameters:
-            Is1ESPT: true
-            RealSign: true
-            # ShouldSkipOptimize: ${{ parameters.ShouldSkipOptimize }}
-            EnableAPIScan: ${{ and(parameters.EnableAPIScan, ne(variables['Build.Reason'], 'pullRequest')) }}
-            windowsPool: VSEngSS-MicroBuild2022-1ES
-            linuxPool:
-              name: AzurePipelines-EO
-              demands:
-              - ImageOverride -equals 1ESPT-Ubuntu22.04
-              os: Linux
-            macOSPool:
-              name: Azure Pipelines
-              vmImage: macOS-14
-              os: macOS
-            EnableMacOSBuild: ${{ parameters.EnableMacOSBuild }}
-            RunTests: ${{ parameters.RunTests }}
-      - template: /azure-pipelines/prepare-insertion-stages.yml@self
+  template: azure-pipelines/MicroBuild.1ES.Official.yml@MicroBuildTemplate
+  parameters:
+    sdl:
+      sourceAnalysisPool: VSEngSS-MicroBuild2022-1ES
+      codeSignValidation:
+        enabled: true
+        break: true
+        additionalTargetsGlobPattern: -|Variables-*\*.ps1;-|APIScanInputs-*\**;-|test_symbols-*\**;-|MicroBuild\**
+      policheck:
+        enabled: true
+        exclusionsFile: $(System.DefaultWorkingDirectory)\azure-pipelines\PoliCheckExclusions.xml
+      suppression:
+        suppressionFile: $(System.DefaultWorkingDirectory)\azure-pipelines\falsepositives.gdnsuppress
+      sbom:
+        enabled: true
+    stages:
+    - stage: Build
+      variables:
+      - template: /azure-pipelines/BuildStageVariables.yml@self
+      jobs:
+      - template: /azure-pipelines/build.yml@self
         parameters:
+          Is1ESPT: true
           RealSign: true
-  ${{ else }}:
-    template: azure-pipelines/MicroBuild.1ES.Unofficial.yml@MicroBuildTemplate
-    parameters:
-      sdl:
-        sourceAnalysisPool: VSEngSS-MicroBuild2022-1ES
-        suppression:
-          suppressionFile: $(System.DefaultWorkingDirectory)\azure-pipelines\falsepositives.gdnsuppress
-      stages:
-      - stage: Build
-        variables:
-        - template: /azure-pipelines/BuildStageVariables.yml@self
-        jobs:
-        - template: /azure-pipelines/build.yml@self
-          parameters:
-            Is1ESPT: true
-            RealSign: false
-            # ShouldSkipOptimize: ${{ parameters.ShouldSkipOptimize }}
-            EnableAPIScan: false
-            windowsPool: VSEngSS-MicroBuild2022-1ES
-            linuxPool:
-              name: AzurePipelines-EO
-              demands:
-              - ImageOverride -equals 1ESPT-Ubuntu22.04
-              os: Linux
-            macOSPool:
-              name: Azure Pipelines
-              vmImage: macOS-14
-              os: macOS
-            EnableMacOSBuild: ${{ parameters.EnableMacOSBuild }}
-            RunTests: ${{ parameters.RunTests }}
+          # ShouldSkipOptimize: ${{ parameters.ShouldSkipOptimize }}
+          EnableAPIScan: ${{ parameters.EnableAPIScan }}
+          windowsPool: VSEngSS-MicroBuild2022-1ES
+          linuxPool:
+            name: AzurePipelines-EO
+            demands:
+            - ImageOverride -equals 1ESPT-Ubuntu22.04
+            os: Linux
+          macOSPool:
+            name: Azure Pipelines
+            vmImage: macOS-14
+            os: macOS
+          EnableMacOSBuild: ${{ parameters.EnableMacOSBuild }}
+          RunTests: ${{ parameters.RunTests }}
+    - template: /azure-pipelines/prepare-insertion-stages.yml@self
+      parameters:
+        RealSign: true
diff --git a/azure-pipelines/unofficial.yml b/azure-pipelines/unofficial.yml
@@ -0,0 +1,90 @@
+trigger:
+  batch: true
+  branches:
+    include:
+    - main
+    - microbuild
+    - 'validate/*'
+  paths:
+    exclude:
+    - doc/
+    - '*.md'
+    - .vscode/
+    - azure-pipelines/release.yml
+    - azure-pipelines/vs-insertion.yml
+
+parameters:
+# As an entrypoint pipeline yml file, all parameters here show up in the Queue Run dialog.
+# If any paramaters should NOT be queue-time options, they should be removed from here
+# and references to them in this file replaced with hard-coded values.
+# - name: ShouldSkipOptimize # Uncomment this and references to it below when setting EnableOptProf to true in build.yml.
+#   displayName: Skip OptProf optimization
+#   type: boolean
+#   default: false
+- name: EnableMacOSBuild
+  displayName: Build on macOS
+  type: boolean
+  default: false # macOS is often bogged down in Azure Pipelines
+- name: RunTests
+  displayName: Run tests
+  type: boolean
+  default: true
+- name: EnableAPIScan
+  displayName: Include APIScan with compliance tools
+  type: boolean
+  default: false
+- name: EnableProductionSDL
+  displayName: Enable Production SDL
+  type: boolean
+  default: false
+
+resources:
+  repositories:
+  - repository: MicroBuildTemplate
+    type: git
+    name: 1ESPipelineTemplates/MicroBuildTemplate
+    ref: refs/tags/release
+
+variables:
+- template: GlobalVariables.yml
+
+extends:
+  template: azure-pipelines/MicroBuild.1ES.Unofficial.yml@MicroBuildTemplate
+  parameters:
+    sdl:
+      sourceAnalysisPool: VSEngSS-MicroBuild2022-1ES
+      suppression:
+        suppressionFile: $(System.DefaultWorkingDirectory)\azure-pipelines\falsepositives.gdnsuppress
+      enableProductionSDL: ${{ parameters.EnableProductionSDL }}
+      codeSignValidation:
+        enabled: ${{ parameters.EnableProductionSDL }}
+        break: true
+        policyFile: $(MBSIGN_APPFOLDER)\CSVTestSignPolicy.xml
+      policheck:
+        enabled: ${{ parameters.EnableProductionSDL }}
+        exclusionsFile: $(System.DefaultWorkingDirectory)\azure-pipelines\PoliCheckExclusions.xml
+      sbom:
+        enabled: ${{ parameters.EnableProductionSDL }}
+    stages:
+    - stage: Build
+      variables:
+      - template: /azure-pipelines/BuildStageVariables.yml@self
+      jobs:
+      - template: /azure-pipelines/build.yml@self
+        parameters:
+          Is1ESPT: true
+          RealSign: false
+          # ShouldSkipOptimize: ${{ parameters.ShouldSkipOptimize }}
+          EnableAPIScan: ${{ parameters.EnableAPIScan }}
+          windowsPool: VSEngSS-MicroBuild2022-1ES
+          linuxPool:
+            name: AzurePipelines-EO
+            demands:
+            - ImageOverride -equals 1ESPT-Ubuntu22.04
+            os: Linux
+          macOSPool:
+            name: Azure Pipelines
+            vmImage: macOS-14
+            os: macOS
+          EnableMacOSBuild: ${{ parameters.EnableMacOSBuild }}
+          RunTests: ${{ parameters.RunTests }}
diff --git a/azure-pipelines/vs-validation.yml b/azure-pipelines/vs-validation.yml
@@ -87,7 +87,7 @@ extends:
             packageParentPath: $(Pipeline.Workspace)/VSInsertion-Windows
             allowPackageConflicts: true
             publishVstsFeed: VS
-        - task: MicroBuildInsertVsPayload@4
+        - task: MicroBuildInsertVsPayload@5
           displayName: 🏭 Insert VS Payload
           inputs:
             TeamName: $(TeamName)
@@ -96,7 +96,7 @@ extends:
             InsertionDescription: |
               This PR is for **validation purposes only** for !$(System.PullRequest.PullRequestId). **Do not complete**.
             CustomScriptExecutionCommand: src/VSSDK/NuGet/AllowUnstablePackages.ps1
-            InsertionBuildPolicy: Request Perf DDRITs
+            InsertionBuildPolicies: Request Perf DDRITs
             InsertionReviewers: $(Build.RequestedFor)
             DraftPR: false # set to true and update InsertionBuildPolicy when we can specify all the validations we want to run (https://dev.azure.com/devdiv/DevDiv/_workitems/edit/2224288)
             AutoCompletePR: false