From 541b4c391b12d6b342c63f936a9529f6850c8aab Mon Sep 17 00:00:00 2001
From: echairez
Date: Wed, 4 Oct 2023 15:30:11 -0400
Subject: [PATCH 1/7] suppress false alarms in cred scan
---
.config/CredScanSuppressions.json | 13 +++++++++++++
1 file changed, 13 insertions(+)
create mode 100644 .config/CredScanSuppressions.json
diff --git a/.config/CredScanSuppressions.json b/.config/CredScanSuppressions.json
new file mode 100644
index 000000000..e8451b4dd
--- /dev/null
+++ b/.config/CredScanSuppressions.json
@@ -0,0 +1,13 @@
+{
+ "tool": "Credential Scanner",
+ "suppressions": [
+ {
+ "file": "test/utils/credentials/credentials.go",
+ "_justification": "False positive variable."
+ },
+ {
+ "file": "vendor/k8s.io/kubernetes/test/utils/admission_webhook.go",
+ "_justification": "An example certificate with command to create it to go along with it."
+ }
+ ]
+}
From 22d9ea34e845056157eaaa57288a53d85d79d9aa Mon Sep 17 00:00:00 2001
From: echairez
Date: Wed, 4 Oct 2023 15:33:20 -0400
Subject: [PATCH 2/7] pipeline to build the csi driver
---
BLOB_CSI_VERSION | 1 +
pipelines/testci.yml | 259 ++++++++++++++++++++++++++++++
pkg/blobplugin/Dockerfile | 12 +-
pkg/blobplugin/Dockerfile.mariner | 59 +++++++
4 files changed, 323 insertions(+), 8 deletions(-)
create mode 100644 BLOB_CSI_VERSION
create mode 100644 pipelines/testci.yml
create mode 100644 pkg/blobplugin/Dockerfile.mariner
diff --git a/BLOB_CSI_VERSION b/BLOB_CSI_VERSION
new file mode 100644
index 000000000..4250ea042
--- /dev/null
+++ b/BLOB_CSI_VERSION
@@ -0,0 +1 @@
+BLOB_CSI_VERSION=v4.3.0
diff --git a/pipelines/testci.yml b/pipelines/testci.yml
new file mode 100644
index 000000000..87515592a
--- /dev/null
+++ b/pipelines/testci.yml
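Review bot: Both entries in `.config/CredScanSuppressions.json` suppress by `file` alone, so every current and future finding in `test/utils/credentials/credentials.go` and in the vendored `admission_webhook.go` is silenced, not only the two findings that were reviewed. A real secret added to either file later would pass the scan unnoticed. If the scanner version in use supports it, scope each entry to the specific finding (CredScan documents `hash` and `placeholder` suppressions for this) instead of the whole file. The first `_justification`, "False positive variable.", should also name the variable that was reviewed so the suppression can be re-checked.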
@@ -0,0 +1,259 @@
+#################################################################################
+# OneBranch Pipelines #
+# This pipeline was created by EasyStart from a sample located at: #
+# https://aka.ms/obpipelines/easystart/samples #
+# Documentation: https://aka.ms/obpipelines #
+# Yaml Schema: https://aka.ms/obpipelines/yaml/schema #
+# Retail Tasks: https://aka.ms/obpipelines/tasks #
+# Support: https://aka.ms/onebranchsup #
+#################################################################################
+trigger: none
+
+resources:
+ repositories:
+ - repository: templates
+ type: git
+ name: OneBranch.Pipelines/GovernedTemplates
+ ref: refs/heads/main
+ - repository: Hydra
+ clean: true
+ type: git
+ name: One/Hydra
+ ref: echairez/cross-repo-pipelines
+
+variables:
+ - template: pipelines/templates/OneBranch.repo.variables.yml@Hydra
+ parameters:
+ buildType: buddy
+ - template: pipelines/templates/shared_variables.yml@Hydra
+ parameters:
+ location: eastus
+ # Usually used for build number (but N/A for OneBranch).
+ pipelineShortName: OneBranch
+ - name: BlobImageRepo
+ value: "blob-csi"
+ - name: IsStaging
+ value: ${{ eq(variables['Build.SourceBranch'], 'refs/heads/staging') }}
+ - name: IsOfficial
+ value: ${{ eq(variables['ONEBRANCH_BUILD_TYPE'], 'official') }}
+
+parameters:
+ - name: acr
+ displayName: ACR for container image publish
+ type: string
+ default: hydraedgecidev
+ values:
+ - hydraedge
+ - hydraedgecidev
+ - name: architectures
+ displayName: Architectures to build
+ type: object
+ default:
+ - amd64
+ - arm64
+
+extends:
+ template: v2/OneBranch.NonOfficial.CrossPlat.yml@templates # https://aka.ms/obpipelines/templates
+ parameters:
+ containers:
+ - container: linux_build_container
+ image: $(LinuxContainerImage)
+ type: Linux
+ endpoint: "hydraedge-acr-connection"
+
+ globalSdl: # https://aka.ms/obpipelines/sdl
+ # tsa:
+ # enabled: true # SDL results of non-official builds aren't uploaded to TSA by default.
+ # credscan:
+ # suppressionsFile: $(Build.SourcesDirectory)\.config\CredScanSuppressions.json
+ policheck:
+ break: true # always break the build on policheck issues. You can disable it by setting to 'false'
+ # suppression:
+ # suppressionFile: $(Build.SourcesDirectory)\.gdn\global.gdnsuppress
+ stages:
+ - stage: setup
+ jobs:
+ - job: Setup
+ timeoutInMinutes: 30
+ displayName: Setup
+ pool:
+ type: linux
+ variables:
+ ob_outputDirectory: "$(Build.ArtifactStagingDirectory)/out"
+ steps:
+ - checkout: Hydra
+ - template: pipelines/templates/job_start.yml@Hydra
+ parameters:
+ logInAgentUami: false
+ uploadAdx: false
+ installVenv: false
+ installReportGenerator: false
+
+ - task: onebranch.pipeline.version@1
+ displayName: "Setup BuildNumber"
+ inputs:
+ system: "RevisionCounter"
+ major: "1"
+ minor: "0"
+ exclude_commit: true
+
+ - bash: |
+ pushd Hydra
+ scripts/setup_pipeline_variables.sh $(Build.BuildId)
+ popd
+
+ source BLOB_CSI_VERSION
+ echo "##vso[task.setvariable variable=BLOB_CSI_VERSION;isOutput=true]${BLOB_CSI_VERSION}"
+ displayName: Setup environment
+ name: setupStep
+
+ - stage: build
+ dependsOn:
+ - setup
+ variables:
+ TOOLCHAIN_IMAGE: $[ stageDependencies.setup.Setup.outputs['setupStep.TOOLCHAIN_IMAGE'] ]
+ pipelineBuildTag: $[ stageDependencies.setup.Setup.outputs['setupStep.VERSION_TAG'] ]
+ jobs:
+ - ${{ each arch in parameters.architectures }}:
+ - job: build_csi_container_${{ arch }}
+ timeoutInMinutes: 60
+ displayName: Build ${{ arch }} BlobCSIImage
+ pool:
+ type: docker
+ os: linux
+ hostArchitecture: ${{ arch }}
+ variables:
+ ob_git_checkout: true
+ steps:
+ - template: pipelines/templates/job_start.yml@Hydra
+ parameters:
+ logInAgentUami: false
+ uploadAdx: false
+ installVenv: false
+ installReportGenerator: false
+
+ # We always sign in to hydraedge since it holds our runtime/toolchain
+ # images, in addition to the ACR that we'll actually put the built
+ # images in.
+ - template: pipelines/templates/acr_login.yml@Hydra
+ parameters:
+ acr: hydraedge
+ onebranch: true
+
+ - template: pipelines/templates/acr_login.yml@Hydra
+ parameters:
+ acr: ${{ parameters.acr }}
+ onebranch: true
+
+ - task: onebranch.pipeline.imagebuildinfo@1@2
+ displayName: Build blob csi ${{ arch }} image
+ inputs:
+ dockerFileContextPath: .
+ dockerFileRelPath: pkg/blobplugin/Dockerfile.mariner
+ repositoryName: $(BlobImageRepo)
+ registry: "${{ parameters.acr }}.azurecr.io"
+ saveImageToPath: "$(BlobImageRepo)-${{ arch }}.tar"
+ enable_network: true # We may not want to do this... but current files require it
+ enable_acr_push: true
+ buildkit: 1 # turn on for optimizations like caching, parallelization, new dockerfile options
+ enable_cache: true # take advantage of multi-stage caching
+ endpoint: "${{ parameters.acr }}-acr-connection"
+ arguments: --build-arg ARCH=${{ arch }} --build-arg BUILD_IMAGE=$(TOOLCHAIN_IMAGE)
+ build_tag: "$(pipelineBuildTag)-${{ arch }}"
+
+ - stage: publish
+ dependsOn:
+ - setup
+ - build
+ variables:
+ pipelineBuildTag: $[ stageDependencies.setup.Setup.outputs['setupStep.VERSION_TAG'] ]
+ blobCsiVersion: $[ stageDependencies.setup.Setup.outputs['setupStep.BLOB_CSI_VERSION'] ]
+ HYDRA_REPO_PREFIX: "artifact/$(ServiceTreeId)/$(ONEBRANCH_BUILD_TYPE)/"
+ jobs:
+ - job: PublishArtifacts
+ timeoutInMinutes: 30
+ displayName: Publish artifacts
+ pool:
+ type: linux
+ isCustom: true
+ name: $(AGENT_POOL)
+ variables:
+ ob_outputDirectory: "$(Build.SourcesDirectory)/out"
+ steps:
+ - checkout: Hydra
+ - template: pipelines/templates/job_start.yml@Hydra
+ parameters:
+ logInAgentUami: false
+ uploadAdx: false
+ installVenv: false
+ installReportGenerator: false
+
+ - template: pipelines/templates/acr_login.yml@Hydra
+ parameters:
+ acr: ${{ parameters.acr }}
+ onebranch: true
+
+ - template: pipelines/templates/make_images_multiarch.yml@Hydra
+ parameters:
+ hydraRepoPrefix: "$(HYDRA_REPO_PREFIX)"
+ acr: "${{ parameters.acr }}"
+ architectures: ${{ parameters.architectures }}
+ images:
+ - $(BlobImageRepo)
+
+ - task: AzureCLI@2
+ displayName: "Check if version tag exists"
+ target: host
+ inputs:
+ azureSubscription: $(AZURE_SERVICE_CONNECTION)
+ scriptType: bash
+ scriptLocation: inlineScript
+ inlineScript: |
+ image="$(HYDRA_REPO_PREFIX)$(BlobImageRepo):$(blobCsiVersion)"
+
+ if ! az acr repository show -n "${{ parameters.acr }}" --image "$image" &>2 ; then
+ echo "##vso[task.setvariable variable=pushLatest;isOutput=true]true"
+ else
+ echo "##vso[task.setvariable variable=pushLatest;isOutput=true]false"
+ fi
+ name: csi_version
+ condition: and(eq(variables.IsOfficial, 'True'), eq(variables.IsStaging, 'True'))
+
+ - job: PublishLatest
+ condition: |
+ and(
+ eq(variables.IsOfficial, 'True'),
+ eq(variables.IsStaging, 'True'),
+ eq(dependencies.PublishArtifacts.outputs['csi_version.pushLatest'], 'true'))
+ dependsOn: PublishArtifacts
+ timeoutInMinutes: 30
+ displayName: Publish latest container image
+ pool:
+ type: linux
+ isCustom: true
+ name: $(AGENT_POOL)
+ variables:
+ ob_outputDirectory: "$(Build.SourcesDirectory)/out"
+ steps:
+ - checkout: Hydra
+ - template: pipelines/templates/job_start.yml@Hydra
+ parameters:
+ logInAgentUami: false
+ uploadAdx: false
+ installVenv: false
+ installReportGenerator: false
+
+ - template: pipelines/templates/acr_login.yml@Hydra
+ parameters:
+ acr: ${{ parameters.acr }}
+ onebranch: true
+
+ - template: pipelines/templates/make_images_latest.yml@Hydra
+ parameters:
+ hydraRepoPrefix: "$(HYDRA_REPO_PREFIX)"
+ acr: "${{ parameters.acr }}"
+ dstBuildTag: "$(blobCsiVersion)"
+ srcBuildTag: "$(pipelineBuildTag)"
+ images:
+ - $(BlobImageRepo)
+
diff --git a/pkg/blobplugin/Dockerfile b/pkg/blobplugin/Dockerfile
index 293844626..6c99d6f07 100644
--- a/pkg/blobplugin/Dockerfile
+++ b/pkg/blobplugin/Dockerfile
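Review bot: In the `Check if version tag exists` inline script of `pipelines/testci.yml`, `&>2` redirects both output streams to a file named `2` instead of discarding them. The `if !` also treats every non-zero exit of `az acr repository show` (login failure, network error, wrong registry name) as "tag does not exist", which sets `pushLatest` to true. Discard output with `>/dev/null 2>&1`, set `pushLatest` to true only when the failure is confirmed to be a missing tag, and fail the step on any other error. The same script is carried through patch 3's `@@ -212,44 +212,16 @@` hunk and into `pipelines/OneBranch.Official.yml`. Separately, `onebranch.pipeline.imagebuildinfo@1@2` carries two version suffixes and looks like a typo for a single `@N`.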
@@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM registry.k8s.io/build-image/debian-base:bullseye-v1.4.3 +FROM mcr.microsoft.com/cbl-mariner/base/core:2.0 ARG ARCH=amd64 ARG binary=./_output/${ARCH}/blobplugin @@ -28,14 +28,10 @@ RUN chmod +x /blobfuse-proxy/init.sh && \ chmod +x /blobfuse-proxy/blobfuse-proxy.service && \ chmod +x /blobfuse-proxy/blobfuse-proxy -RUN apt update && apt upgrade -y && apt-mark unhold libcap2 && clean-install ca-certificates uuid-dev util-linux mount udev wget e2fsprogs nfs-common netbase +RUN tdnf updateinfo && \ + tdnf install -y util-linux e2fsprogs nfs-utils quota-rpc rpcbind blobfuse2 fuse3 libcap-ng libcap ca-certificates && \ + tdnf clean all -ARG ARCH=amd64 -RUN if [ "$ARCH" = "amd64" ] ; then \ - clean-install libcurl4-gnutls-dev && \ - wget -O /blobfuse-proxy/packages-microsoft-prod-22.04.deb https://packages.microsoft.com/config/ubuntu/22.04/packages-microsoft-prod.deb && \ - wget -O /blobfuse-proxy/packages-microsoft-prod-18.04.deb https://packages.microsoft.com/config/ubuntu/18.04/packages-microsoft-prod.deb && \ - dpkg -i /blobfuse-proxy/packages-microsoft-prod-18.04.deb && apt update && apt install blobfuse blobfuse2 fuse -y && apt remove wget -y; fi LABEL maintainers="andyzhangx" LABEL description="Azure Blob Storage CSI driver" diff --git a/pkg/blobplugin/Dockerfile.mariner b/pkg/blobplugin/Dockerfile.mariner new file mode 100644 index 000000000..a0c1e4dc7 --- /dev/null +++ b/pkg/blobplugin/Dockerfile.mariner 
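Review bot: The new base image in `pkg/blobplugin/Dockerfile` is referenced by the floating tag `core:2.0`, so the published CSI image changes whenever that tag is re-pushed and a rebuild cannot be tied to a known base. Pin it by digest, `FROM mcr.microsoft.com/cbl-mariner/base/core:2.0@sha256:<digest-placeholder>`, and bump the digest deliberately. The same `FROM` line appears in the final stage of `pkg/blobplugin/Dockerfile.mariner`.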
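Review bot: The replacement `tdnf install` line ships only `blobfuse2` and no `.deb` files, whereas the removed amd64 branch staged `packages-microsoft-prod-18.04.deb` and `packages-microsoft-prod-22.04.deb` under `/blobfuse-proxy/` and installed `blobfuse` (v1). `init.sh` is not part of this hunk, so confirm it no longer expects those files or the v1 binary; otherwise the failure would surface on the node at runtime rather than at build time. A one-line comment above the `RUN`, such as `# blobfuse v1 and the Ubuntu repo packages are intentionally dropped on Mariner`, would record the decision.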
@@ -0,0 +1,59 @@
+# Copyright 2019 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+##############
+# Build binaries
+##############
+
+ARG BUILD_IMAGE
+FROM ${BUILD_IMAGE} AS build-stage
+
+WORKDIR /app
+
+ARG ARCH=amd64
+
+COPY go.mod go.sum ./
+RUN go mod download
+
+ADD . .
+RUN make clean && make
+
+##############
+# Build CSI container
+##############
+
+FROM mcr.microsoft.com/cbl-mariner/base/core:2.0
+
+ARG ARCH=amd64
+
+RUN mkdir /blobfuse-proxy/
+
+COPY --from=build-stage /app/_output/${ARCH}/blobplugin /blobplugin
+COPY --from=build-stage /app/_output/${ARCH}/blobfuse-proxy /blobfuse-proxy/
+COPY --from=build-stage /app/pkg/blobfuse-proxy/init.sh /blobfuse-proxy/
+COPY --from=build-stage /app/pkg/blobfuse-proxy/blobfuse-proxy.service /blobfuse-proxy/
+
+RUN chmod +x /blobfuse-proxy/init.sh && \
+ chmod +x /blobfuse-proxy/blobfuse-proxy.service && \
+ chmod +x /blobfuse-proxy/blobfuse-proxy
+
+RUN tdnf updateinfo && \
+ tdnf install -y util-linux e2fsprogs nfs-utils quota-rpc rpcbind blobfuse2 fuse3 libcap-ng libcap ca-certificates && \
+ tdnf clean all
+
+LABEL maintainers="andyzhangx"
+LABEL description="Azure Blob Storage CSI driver"
+
+ENTRYPOINT ["/blobplugin"]
+
From 1676f34e344fbd761f71aca2cfcb4a9db31482e4 Mon Sep 17 00:00:00 2001
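Review bot: `ADD . .` in the build stage of `pkg/blobplugin/Dockerfile.mariner` copies the whole build context into a layer, and the pipeline passes `dockerFileContextPath: .`, so that is the repository root including `.git` and any local output or credential files unless a `.dockerignore` excludes them. `ADD` also brings archive-extraction and URL semantics that are not needed here; use `COPY . .` and keep a `.dockerignore` at the context root. `ARG BUILD_IMAGE` has no default, so `FROM ${BUILD_IMAGE}` fails with an unclear error when the build arg is omitted. A comment above it, `# BUILD_IMAGE: toolchain image providing go and make, supplied via --build-arg`, would document the requirement.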
From: echairez Date: Wed, 4 Oct 2023 15:35:25 -0400 Subject: [PATCH 3/7] chandlers suggestion --- pipelines/testci.yml | 46 +++++++++----------------------------------- 1 file changed, 9 insertions(+), 37 deletions(-) diff --git a/pipelines/testci.yml b/pipelines/testci.yml index 87515592a..9a7075a49 100644 --- a/pipelines/testci.yml +++ b/pipelines/testci.yml @@ -22,7 +22,7 @@ resources: ref: echairez/cross-repo-pipelines variables: - - template: pipelines/templates/OneBranch.repo.variables.yml@Hydra + - template: pipelines/templates/OneBranch.shared.variables.yml@Hydra parameters: buildType: buddy - template: pipelines/templates/shared_variables.yml@Hydra @@ -105,14 +105,14 @@ extends: source BLOB_CSI_VERSION echo "##vso[task.setvariable variable=BLOB_CSI_VERSION;isOutput=true]${BLOB_CSI_VERSION}" displayName: Setup environment - name: setupStep + name: setupEnvironment - stage: build dependsOn: - setup variables: - TOOLCHAIN_IMAGE: $[ stageDependencies.setup.Setup.outputs['setupStep.TOOLCHAIN_IMAGE'] ] - pipelineBuildTag: $[ stageDependencies.setup.Setup.outputs['setupStep.VERSION_TAG'] ] + TOOLCHAIN_IMAGE: $[ stageDependencies.setup.Setup.outputs['setupEnvironment.TOOLCHAIN_IMAGE'] ] + pipelineBuildTag: $[ stageDependencies.setup.Setup.outputs['setupEnvironment.VERSION_TAG'] ] jobs: - ${{ each arch in parameters.architectures }}: - job: build_csi_container_${{ arch }} @@ -166,8 +166,8 @@ extends: - setup - build variables: - pipelineBuildTag: $[ stageDependencies.setup.Setup.outputs['setupStep.VERSION_TAG'] ] - blobCsiVersion: $[ stageDependencies.setup.Setup.outputs['setupStep.BLOB_CSI_VERSION'] ] + pipelineBuildTag: $[ stageDependencies.setup.Setup.outputs['setupEnvironment.VERSION_TAG'] ] + blobCsiVersion: $[ stageDependencies.setup.Setup.outputs['setupEnvironment.BLOB_CSI_VERSION'] ] HYDRA_REPO_PREFIX: "artifact/$(ServiceTreeId)/$(ONEBRANCH_BUILD_TYPE)/" jobs: - job: PublishArtifacts 
@@ -212,44 +212,16 @@ extends: image="$(HYDRA_REPO_PREFIX)$(BlobImageRepo):$(blobCsiVersion)" if ! az acr repository show -n "${{ parameters.acr }}" --image "$image" &>2 ; then - echo "##vso[task.setvariable variable=pushLatest;isOutput=true]true" + echo "##vso[task.setvariable variable=pushLatest]true" else - echo "##vso[task.setvariable variable=pushLatest;isOutput=true]false" + echo "##vso[task.setvariable variable=pushLatest]false" fi name: csi_version condition: and(eq(variables.IsOfficial, 'True'), eq(variables.IsStaging, 'True')) - - job: PublishLatest - condition: | - and( - eq(variables.IsOfficial, 'True'), - eq(variables.IsStaging, 'True'), - eq(dependencies.PublishArtifacts.outputs['csi_version.pushLatest'], 'true')) - dependsOn: PublishArtifacts - timeoutInMinutes: 30 - displayName: Publish latest container image - pool: - type: linux - isCustom: true - name: $(AGENT_POOL) - variables: - ob_outputDirectory: "$(Build.SourcesDirectory)/out" - steps: - - checkout: Hydra - - template: pipelines/templates/job_start.yml@Hydra - parameters: - logInAgentUami: false - uploadAdx: false - installVenv: false - installReportGenerator: false - - - template: pipelines/templates/acr_login.yml@Hydra - parameters: - acr: ${{ parameters.acr }} - onebranch: true - - template: pipelines/templates/make_images_latest.yml@Hydra parameters: + condition: and(eq(variables.IsOfficial, 'True'), eq(variables.IsStaging, 'True'), eq(variables['pushLatest'], 'true')) hydraRepoPrefix: "$(HYDRA_REPO_PREFIX)" acr: "${{ parameters.acr }}" dstBuildTag: "$(blobCsiVersion)" From 1843b69237c55cf44b62b504e7468d307abe5634 Mon Sep 17 00:00:00 2001 From: echairez Date: Wed, 4 Oct 2023 15:36:45 -0400 Subject: [PATCH 4/7] be more explicit about options --- pipelines/testci.yml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/pipelines/testci.yml b/pipelines/testci.yml index 9a7075a49..50d3ab76e 100644 --- a/pipelines/testci.yml +++ b/pipelines/testci.yml 
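Review bot: With `PublishLatest` folded into a step, the gate on pushing the version tag depends entirely on `make_images_latest.yml@Hydra` honouring the `condition` parameter passed to it. That template is not visible here; if it does not declare `condition`, or applies it to only some of its steps, the tag could be pushed on runs that are not official staging builds. Confirm the template puts the condition on every step that pushes. The `name: csi_version` on the check step is now unused, since `pushLatest` is no longer an output variable, and can be dropped.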
@@ -62,14 +62,15 @@ extends: endpoint: "hydraedge-acr-connection" globalSdl: # https://aka.ms/obpipelines/sdl - # tsa: - # enabled: true # SDL results of non-official builds aren't uploaded to TSA by default. - # credscan: - # suppressionsFile: $(Build.SourcesDirectory)\.config\CredScanSuppressions.json + # Details on TSA onboarding: + # https://onebranch.visualstudio.com/OneBranch/_wiki/wikis/OneBranch.wiki/4637/TSA-and-TSA-Onboarding-in-OneBranch-Pipelines + tsa: + enabled: false + credscan: + enabled: true + suppressionsFile: $(Build.SourcesDirectory)/.config/CredScanSuppressions.json policheck: break: true # always break the build on policheck issues. You can disable it by setting to 'false' - # suppression: - # suppressionFile: $(Build.SourcesDirectory)\.gdn\global.gdnsuppress stages: - stage: setup jobs: From e535888102f29763eac1d6f7146480b40f5bbd9a Mon Sep 17 00:00:00 2001 From: echairez Date: Wed, 4 Oct 2023 15:38:20 -0400 Subject: [PATCH 5/7] create separate official/ nonofficial pipes --- .../{testci.yml => OneBranch.NonOfficial.yml} | 0 pipelines/OneBranch.Official.yml | 236 ++++++++++++++++++ 2 files changed, 236 insertions(+) rename pipelines/{testci.yml => OneBranch.NonOfficial.yml} (100%) create mode 100644 pipelines/OneBranch.Official.yml diff --git a/pipelines/testci.yml b/pipelines/OneBranch.NonOfficial.yml similarity index 100% rename from pipelines/testci.yml rename to pipelines/OneBranch.NonOfficial.yml diff --git a/pipelines/OneBranch.Official.yml b/pipelines/OneBranch.Official.yml new file mode 100644 index 000000000..2c5fd1dbc --- /dev/null +++ b/pipelines/OneBranch.Official.yml 
@@ -0,0 +1,236 @@
+#################################################################################
+# OneBranch Pipelines #
+# This pipeline was created by EasyStart from a sample located at: #
+# https://aka.ms/obpipelines/easystart/samples #
+# Documentation: https://aka.ms/obpipelines #
+# Yaml Schema: https://aka.ms/obpipelines/yaml/schema #
+# Retail Tasks: https://aka.ms/obpipelines/tasks #
+# Support: https://aka.ms/onebranchsup #
+#################################################################################
+trigger:
+ batch: true
+ branches:
+ include:
+ - staging
+
+resources:
+ repositories:
+ - repository: templates
+ type: git
+ name: OneBranch.Pipelines/GovernedTemplates
+ ref: refs/heads/main
+ - repository: Hydra
+ clean: true
+ type: git
+ name: One/Hydra
+ ref: echairez/cross-repo-pipelines
+
+variables:
+ - template: pipelines/templates/OneBranch.shared.variables.yml@Hydra
+ parameters:
+ buildType: official
+ - template: pipelines/templates/shared_variables.yml@Hydra
+ parameters:
+ location: eastus
+ # Usually used for build number (but N/A for OneBranch).
+ pipelineShortName: OneBranch
+ - name: BlobImageRepo
+ value: "blob-csi"
+ - name: IsStaging
+ value: ${{ eq(variables['Build.SourceBranch'], 'refs/heads/staging') }}
+ - name: IsOfficial
+ value: ${{ eq(variables['ONEBRANCH_BUILD_TYPE'], 'official') }}
+
+parameters:
+ - name: acr
+ displayName: ACR for container image publish
+ type: string
+ default: hydraedge
+ values:
+ - hydraedge
+ - hydraedgecidev
+ - name: architectures
+ displayName: Architectures to build
+ type: object
+ default:
+ - amd64
+ - arm64
+
+extends:
+ template: v2/OneBranch.Official.CrossPlat.yml@templates # https://aka.ms/obpipelines/templates
+ parameters:
+ containers:
+ - container: linux_build_container
+ image: $(LinuxContainerImage)
+ type: Linux
+ endpoint: "hydraedge-acr-connection"
+
+ globalSdl: # https://aka.ms/obpipelines/sdl
+ # Details on TSA onboarding:
+ # https://onebranch.visualstudio.com/OneBranch/_wiki/wikis/OneBranch.wiki/4637/TSA-and-TSA-Onboarding-in-OneBranch-Pipelines
+ tsa:
+ enabled: false
+ credscan:
+ enabled: true
+ suppressionsFile: $(Build.SourcesDirectory)/.config/CredScanSuppressions.json
+ policheck:
+ break: true # always break the build on policheck issues. You can disable it by setting to 'false'
+ stages:
+ - stage: setup
+ jobs:
+ - job: Setup
+ timeoutInMinutes: 30
+ displayName: Setup
+ pool:
+ type: linux
+ variables:
+ ob_outputDirectory: "$(Build.ArtifactStagingDirectory)/out"
+ steps:
+ - checkout: Hydra
+ - template: pipelines/templates/job_start.yml@Hydra
+ parameters:
+ logInAgentUami: false
+ uploadAdx: false
+ installVenv: false
+ installReportGenerator: false
+
+ - task: onebranch.pipeline.version@1
+ displayName: "Setup BuildNumber"
+ inputs:
+ system: "RevisionCounter"
+ major: "1"
+ minor: "0"
+ exclude_commit: true
+
+ - bash: |
+ pushd Hydra
+ scripts/setup_pipeline_variables.sh $(Build.BuildId)
+ popd
+
+ source BLOB_CSI_VERSION
+ echo "##vso[task.setvariable variable=BLOB_CSI_VERSION;isOutput=true]${BLOB_CSI_VERSION}"
+ displayName: Setup environment
+ name: setupEnvironment
+
+ - stage: build
+ dependsOn:
+ - setup
+ variables:
+ TOOLCHAIN_IMAGE: $[ stageDependencies.setup.Setup.outputs['setupEnvironment.TOOLCHAIN_IMAGE'] ]
+ pipelineBuildTag: $[ stageDependencies.setup.Setup.outputs['setupEnvironment.VERSION_TAG'] ]
+ jobs:
+ - ${{ each arch in parameters.architectures }}:
+ - job: build_csi_container_${{ arch }}
+ timeoutInMinutes: 60
+ displayName: Build ${{ arch }} BlobCSIImage
+ pool:
+ type: docker
+ os: linux
+ hostArchitecture: ${{ arch }}
+ variables:
+ ob_git_checkout: true
+ steps:
+ - template: pipelines/templates/job_start.yml@Hydra
+ parameters:
+ logInAgentUami: false
+ uploadAdx: false
+ installVenv: false
+ installReportGenerator: false
+
+ # We always sign in to hydraedge since it holds our runtime/toolchain
+ # images, in addition to the ACR that we'll actually put the built
+ # images in.
+ - template: pipelines/templates/acr_login.yml@Hydra
+ parameters:
+ acr: hydraedge
+ onebranch: true
+
+ - template: pipelines/templates/acr_login.yml@Hydra
+ parameters:
+ acr: ${{ parameters.acr }}
+ onebranch: true
+
+ - task: onebranch.pipeline.imagebuildinfo@1@2
+ displayName: Build blob csi ${{ arch }} image
+ inputs:
+ dockerFileContextPath: .
+ dockerFileRelPath: pkg/blobplugin/Dockerfile.mariner
+ repositoryName: $(BlobImageRepo)
+ registry: "${{ parameters.acr }}.azurecr.io"
+ saveImageToPath: "$(BlobImageRepo)-${{ arch }}.tar"
+ enable_network: true # We may not want to do this... but current files require it
+ enable_acr_push: true
+ buildkit: 1 # turn on for optimizations like caching, parallelization, new dockerfile options
+ enable_cache: true # take advantage of multi-stage caching
+ endpoint: "${{ parameters.acr }}-acr-connection"
+ arguments: --build-arg ARCH=${{ arch }} --build-arg BUILD_IMAGE=$(TOOLCHAIN_IMAGE)
+ build_tag: "$(pipelineBuildTag)-${{ arch }}"
+
+ - stage: publish
+ dependsOn:
+ - setup
+ - build
+ variables:
+ pipelineBuildTag: $[ stageDependencies.setup.Setup.outputs['setupEnvironment.VERSION_TAG'] ]
+ blobCsiVersion: $[ stageDependencies.setup.Setup.outputs['setupEnvironment.BLOB_CSI_VERSION'] ]
+ HYDRA_REPO_PREFIX: "artifact/$(ServiceTreeId)/$(ONEBRANCH_BUILD_TYPE)/"
+ jobs:
+ - job: PublishArtifacts
+ timeoutInMinutes: 30
+ displayName: Publish artifacts
+ pool:
+ type: linux
+ isCustom: true
+ name: $(AGENT_POOL)
+ variables:
+ ob_outputDirectory: "$(Build.SourcesDirectory)/out"
+ steps:
+ - checkout: Hydra
+ - template: pipelines/templates/job_start.yml@Hydra
+ parameters:
+ logInAgentUami: false
+ uploadAdx: false
+ installVenv: false
+ installReportGenerator: false
+
+ - template: pipelines/templates/acr_login.yml@Hydra
+ parameters:
+ acr: ${{ parameters.acr }}
+ onebranch: true
+
+ - template: pipelines/templates/make_images_multiarch.yml@Hydra
+ parameters:
+ hydraRepoPrefix: "$(HYDRA_REPO_PREFIX)"
+ acr: "${{ parameters.acr }}"
+ architectures: ${{ parameters.architectures }}
+ images:
+ - $(BlobImageRepo)
+
+ - task: AzureCLI@2
+ displayName: "Check if version tag exists"
+ target: host
+ inputs:
+ azureSubscription: $(AZURE_SERVICE_CONNECTION)
+ scriptType: bash
+ scriptLocation: inlineScript
+ inlineScript: |
+ image="$(HYDRA_REPO_PREFIX)$(BlobImageRepo):$(blobCsiVersion)"
+
+ if ! az acr repository show -n "${{ parameters.acr }}" --image "$image" &>2 ; then
+ echo "##vso[task.setvariable variable=pushLatest]true"
+ else
+ echo "##vso[task.setvariable variable=pushLatest]false"
+ fi
+ name: csi_version
+ condition: and(eq(variables.IsOfficial, 'True'), eq(variables.IsStaging, 'True'))
+
+ - template: pipelines/templates/make_images_latest.yml@Hydra
+ parameters:
+ condition: and(eq(variables.IsOfficial, 'True'), eq(variables.IsStaging, 'True'), eq(variables['pushLatest'], 'true'))
+ hydraRepoPrefix: "$(HYDRA_REPO_PREFIX)"
+ acr: "${{ parameters.acr }}"
+ dstBuildTag: "$(blobCsiVersion)"
+ srcBuildTag: "$(pipelineBuildTag)"
+ images:
+ - $(BlobImageRepo)
+
From 80eedec6c432804f6156893992aeb3df84c8be30 Mon Sep 17 00:00:00 2001
From: echairez
Date: Wed, 4 Oct 2023 15:44:55 -0400
Subject: [PATCH 6/7] create a template body
---
pipelines/OneBranch.NonOfficial.yml | 162 +-----------------------
pipelines/OneBranch.Official.yml | 162 +-----------------------
pipelines/OneBranch.body.yml | 186 ++++++++++++++++++++++++++++
3 files changed, 196 insertions(+), 314 deletions(-)
create mode 100644 pipelines/OneBranch.body.yml
diff --git a/pipelines/OneBranch.NonOfficial.yml b/pipelines/OneBranch.NonOfficial.yml
index 50d3ab76e..72c1b1675 100644
--- a/pipelines/OneBranch.NonOfficial.yml
+++ b/pipelines/OneBranch.NonOfficial.yml
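Review bot: In `pipelines/OneBranch.Official.yml` every `@Hydra` template (`job_start.yml`, `acr_login.yml`, `make_images_multiarch.yml`, `make_images_latest.yml`) is resolved from `ref: echairez/cross-repo-pipelines`, which reads as a personal feature branch. Whoever can push to that branch changes what the next `staging` build runs with the `hydraedge` ACR connection and `enable_acr_push: true`. Point the resource at a protected ref before this merges, e.g. `ref: refs/heads/main` as the `templates` repository above already does. `tsa: enabled: false` is also copied unchanged from the non-official file; confirm that is intended for official builds.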
@@ -72,161 +72,9 @@ extends: policheck: break: true # always break the build on policheck issues. You can disable it by setting to 'false' stages: - - stage: setup - jobs: - - job: Setup - timeoutInMinutes: 30 - displayName: Setup - pool: - type: linux - variables: - ob_outputDirectory: "$(Build.ArtifactStagingDirectory)/out" - steps: - - checkout: Hydra - - template: pipelines/templates/job_start.yml@Hydra - parameters: - logInAgentUami: false - uploadAdx: false - installVenv: false - installReportGenerator: false - - - task: onebranch.pipeline.version@1 - displayName: "Setup BuildNumber" - inputs: - system: "RevisionCounter" - major: "1" - minor: "0" - exclude_commit: true - - - bash: | - pushd Hydra - scripts/setup_pipeline_variables.sh $(Build.BuildId) - popd - - source BLOB_CSI_VERSION - echo "##vso[task.setvariable variable=BLOB_CSI_VERSION;isOutput=true]${BLOB_CSI_VERSION}" - displayName: Setup environment - name: setupEnvironment - - - stage: build - dependsOn: - - setup - variables: - TOOLCHAIN_IMAGE: $[ stageDependencies.setup.Setup.outputs['setupEnvironment.TOOLCHAIN_IMAGE'] ] - pipelineBuildTag: $[ stageDependencies.setup.Setup.outputs['setupEnvironment.VERSION_TAG'] ] - jobs: - - ${{ each arch in parameters.architectures }}: - - job: build_csi_container_${{ arch }} - timeoutInMinutes: 60 - displayName: Build ${{ arch }} BlobCSIImage - pool: - type: docker - os: linux - hostArchitecture: ${{ arch }} - variables: - ob_git_checkout: true - steps: - - template: pipelines/templates/job_start.yml@Hydra - parameters: - logInAgentUami: false - uploadAdx: false - installVenv: false - installReportGenerator: false - - # We always sign in to hydraedge since it holds our runtime/toolchain - # images, in addition to the ACR that we'll actually put the built - # images in. 
- - template: pipelines/templates/acr_login.yml@Hydra - parameters: - acr: hydraedge - onebranch: true - - - template: pipelines/templates/acr_login.yml@Hydra - parameters: - acr: ${{ parameters.acr }} - onebranch: true - - - task: onebranch.pipeline.imagebuildinfo@1@2 - displayName: Build blob csi ${{ arch }} image - inputs: - dockerFileContextPath: . - dockerFileRelPath: pkg/blobplugin/Dockerfile.mariner - repositoryName: $(BlobImageRepo) - registry: "${{ parameters.acr }}.azurecr.io" - saveImageToPath: "$(BlobImageRepo)-${{ arch }}.tar" - enable_network: true # We may not want to do this... but current files require it - enable_acr_push: true - buildkit: 1 # turn on for optimizations like caching, parallelization, new dockerfile options - enable_cache: true # take advantage of multi-stage caching - endpoint: "${{ parameters.acr }}-acr-connection" - arguments: --build-arg ARCH=${{ arch }} --build-arg BUILD_IMAGE=$(TOOLCHAIN_IMAGE) - build_tag: "$(pipelineBuildTag)-${{ arch }}" - - - stage: publish - dependsOn: - - setup - - build - variables: - pipelineBuildTag: $[ stageDependencies.setup.Setup.outputs['setupEnvironment.VERSION_TAG'] ] - blobCsiVersion: $[ stageDependencies.setup.Setup.outputs['setupEnvironment.BLOB_CSI_VERSION'] ] - HYDRA_REPO_PREFIX: "artifact/$(ServiceTreeId)/$(ONEBRANCH_BUILD_TYPE)/" - jobs: - - job: PublishArtifacts - timeoutInMinutes: 30 - displayName: Publish artifacts - pool: - type: linux - isCustom: true - name: $(AGENT_POOL) - variables: - ob_outputDirectory: "$(Build.SourcesDirectory)/out" - steps: - - checkout: Hydra - - template: pipelines/templates/job_start.yml@Hydra - parameters: - logInAgentUami: false - uploadAdx: false - installVenv: false - installReportGenerator: false - - - template: pipelines/templates/acr_login.yml@Hydra - parameters: - acr: ${{ parameters.acr }} - onebranch: true - - - template: pipelines/templates/make_images_multiarch.yml@Hydra - parameters: - hydraRepoPrefix: "$(HYDRA_REPO_PREFIX)" - acr: "${{ 
parameters.acr }}" - architectures: ${{ parameters.architectures }} - images: - - $(BlobImageRepo) - - - task: AzureCLI@2 - displayName: "Check if version tag exists" - target: host - inputs: - azureSubscription: $(AZURE_SERVICE_CONNECTION) - scriptType: bash - scriptLocation: inlineScript - inlineScript: | - image="$(HYDRA_REPO_PREFIX)$(BlobImageRepo):$(blobCsiVersion)" - - if ! az acr repository show -n "${{ parameters.acr }}" --image "$image" &>2 ; then - echo "##vso[task.setvariable variable=pushLatest]true" - else - echo "##vso[task.setvariable variable=pushLatest]false" - fi - name: csi_version - condition: and(eq(variables.IsOfficial, 'True'), eq(variables.IsStaging, 'True')) - - - template: pipelines/templates/make_images_latest.yml@Hydra - parameters: - condition: and(eq(variables.IsOfficial, 'True'), eq(variables.IsStaging, 'True'), eq(variables['pushLatest'], 'true')) - hydraRepoPrefix: "$(HYDRA_REPO_PREFIX)" - acr: "${{ parameters.acr }}" - dstBuildTag: "$(blobCsiVersion)" - srcBuildTag: "$(pipelineBuildTag)" - images: - - $(BlobImageRepo) + - template: OneBranch.body.yml@self + parameters: + acr: ${{ parameters.acr }} + architectures: ${{ parameters.architectures }} + buildType: official diff --git a/pipelines/OneBranch.Official.yml b/pipelines/OneBranch.Official.yml index 2c5fd1dbc..a37aeac01 100644 --- a/pipelines/OneBranch.Official.yml +++ b/pipelines/OneBranch.Official.yml 
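Review bot: `pipelines/OneBranch.NonOfficial.yml` now passes `buildType: official` to `OneBranch.body.yml@self`, while the variables block of the same file passes `buildType: buddy` to the shared variables template. The body template is outside this hunk, but if it uses the parameter to derive image paths or to gate publishing, buddy builds would be handled as official ones. This looks copied from the official file and should read `buildType: buddy`.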
@@ -76,161 +76,9 @@ extends: policheck: break: true # always break the build on policheck issues. You can disable it by setting to 'false' stages: - - stage: setup - jobs: - - job: Setup - timeoutInMinutes: 30 - displayName: Setup - pool: - type: linux - variables: - ob_outputDirectory: "$(Build.ArtifactStagingDirectory)/out" - steps: - - checkout: Hydra - - template: pipelines/templates/job_start.yml@Hydra - parameters: - logInAgentUami: false - uploadAdx: false - installVenv: false - installReportGenerator: false - - - task: onebranch.pipeline.version@1 - displayName: "Setup BuildNumber" - inputs: - system: "RevisionCounter" - major: "1" - minor: "0" - exclude_commit: true - - - bash: | - pushd Hydra - scripts/setup_pipeline_variables.sh $(Build.BuildId) - popd - - source BLOB_CSI_VERSION - echo "##vso[task.setvariable variable=BLOB_CSI_VERSION;isOutput=true]${BLOB_CSI_VERSION}" - displayName: Setup environment - name: setupEnvironment - - - stage: build - dependsOn: - - setup - variables: - TOOLCHAIN_IMAGE: $[ stageDependencies.setup.Setup.outputs['setupEnvironment.TOOLCHAIN_IMAGE'] ] - pipelineBuildTag: $[ stageDependencies.setup.Setup.outputs['setupEnvironment.VERSION_TAG'] ] - jobs: - - ${{ each arch in parameters.architectures }}: - - job: build_csi_container_${{ arch }} - timeoutInMinutes: 60 - displayName: Build ${{ arch }} BlobCSIImage - pool: - type: docker - os: linux - hostArchitecture: ${{ arch }} - variables: - ob_git_checkout: true - steps: - - template: pipelines/templates/job_start.yml@Hydra - parameters: - logInAgentUami: false - uploadAdx: false - installVenv: false - installReportGenerator: false - - # We always sign in to hydraedge since it holds our runtime/toolchain - # images, in addition to the ACR that we'll actually put the built - # images in. 
- - template: pipelines/templates/acr_login.yml@Hydra - parameters: - acr: hydraedge - onebranch: true - - - template: pipelines/templates/acr_login.yml@Hydra - parameters: - acr: ${{ parameters.acr }} - onebranch: true - - - task: onebranch.pipeline.imagebuildinfo@1@2 - displayName: Build blob csi ${{ arch }} image - inputs: - dockerFileContextPath: . - dockerFileRelPath: pkg/blobplugin/Dockerfile.mariner - repositoryName: $(BlobImageRepo) - registry: "${{ parameters.acr }}.azurecr.io" - saveImageToPath: "$(BlobImageRepo)-${{ arch }}.tar" - enable_network: true # We may not want to do this... but current files require it - enable_acr_push: true - buildkit: 1 # turn on for optimizations like caching, parallelization, new dockerfile options - enable_cache: true # take advantage of multi-stage caching - endpoint: "${{ parameters.acr }}-acr-connection" - arguments: --build-arg ARCH=${{ arch }} --build-arg BUILD_IMAGE=$(TOOLCHAIN_IMAGE) - build_tag: "$(pipelineBuildTag)-${{ arch }}" - - - stage: publish - dependsOn: - - setup - - build - variables: - pipelineBuildTag: $[ stageDependencies.setup.Setup.outputs['setupEnvironment.VERSION_TAG'] ] - blobCsiVersion: $[ stageDependencies.setup.Setup.outputs['setupEnvironment.BLOB_CSI_VERSION'] ] - HYDRA_REPO_PREFIX: "artifact/$(ServiceTreeId)/$(ONEBRANCH_BUILD_TYPE)/" - jobs: - - job: PublishArtifacts - timeoutInMinutes: 30 - displayName: Publish artifacts - pool: - type: linux - isCustom: true - name: $(AGENT_POOL) - variables: - ob_outputDirectory: "$(Build.SourcesDirectory)/out" - steps: - - checkout: Hydra - - template: pipelines/templates/job_start.yml@Hydra - parameters: - logInAgentUami: false - uploadAdx: false - installVenv: false - installReportGenerator: false - - - template: pipelines/templates/acr_login.yml@Hydra - parameters: - acr: ${{ parameters.acr }} - onebranch: true - - - template: pipelines/templates/make_images_multiarch.yml@Hydra - parameters: - hydraRepoPrefix: "$(HYDRA_REPO_PREFIX)" - acr: "${{ 
parameters.acr }}" - architectures: ${{ parameters.architectures }} - images: - - $(BlobImageRepo) - - - task: AzureCLI@2 - displayName: "Check if version tag exists" - target: host - inputs: - azureSubscription: $(AZURE_SERVICE_CONNECTION) - scriptType: bash - scriptLocation: inlineScript - inlineScript: | - image="$(HYDRA_REPO_PREFIX)$(BlobImageRepo):$(blobCsiVersion)" - - if ! az acr repository show -n "${{ parameters.acr }}" --image "$image" &>2 ; then - echo "##vso[task.setvariable variable=pushLatest]true" - else - echo "##vso[task.setvariable variable=pushLatest]false" - fi - name: csi_version - condition: and(eq(variables.IsOfficial, 'True'), eq(variables.IsStaging, 'True')) - - - template: pipelines/templates/make_images_latest.yml@Hydra - parameters: - condition: and(eq(variables.IsOfficial, 'True'), eq(variables.IsStaging, 'True'), eq(variables['pushLatest'], 'true')) - hydraRepoPrefix: "$(HYDRA_REPO_PREFIX)" - acr: "${{ parameters.acr }}" - dstBuildTag: "$(blobCsiVersion)" - srcBuildTag: "$(pipelineBuildTag)" - images: - - $(BlobImageRepo) + - template: OneBranch.body.yml@self + parameters: + acr: ${{ parameters.acr }} + architectures: ${{ parameters.architectures }} + buildType: official diff --git a/pipelines/OneBranch.body.yml b/pipelines/OneBranch.body.yml new file mode 100644 index 000000000..230a5aa24 --- /dev/null +++ b/pipelines/OneBranch.body.yml 
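Review bot: The `buildType: official` argument passed to `OneBranch.body.yml@self` is never read: the template body added in this patch declares `buildType` but gates the release-tag steps on `variables.IsOfficial` and builds the repository prefix from `$(ONEBRANCH_BUILD_TYPE)`. The preceding file's hunk, whose header is above this view, ends with the same `buildType: official`; if that file is the non-official pipeline, the value should presumably be `buddy`. Either drop the parameter or make it the single source for the official/buddy decision, so that a caller cannot declare one build type while the variables that actually gate publishing say another.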
@@ -0,0 +1,186 @@ +# ------------------------------------------------------------------------------ +# ONEBRANCH BODY +# +# This template contains the body used by pipelines/OneBranch.*Official.yml so +# that both the official and non-official OneBranch pipelines share the same +# logic. Changes to the OneBranch pipeline will largely need to be done here +# rather than in the top-level files. +# ------------------------------------------------------------------------------ + +# NOTE: The parameters must match the pipeline parameters in +# pipelines/OneBranch.*Official.yml and should be provided with every +# call of this template. +parameters: + - name: acr + displayName: ACR for container image publish + type: string + - name: architectures + displayName: Architectures to build + type: object + - name: buildType + displayName: The type of build. + type: string + values: + - official + - buddy + + +stages: + - stage: setup + jobs: + - job: Setup + timeoutInMinutes: 30 + displayName: Setup + pool: + type: linux + variables: + ob_outputDirectory: "$(Build.ArtifactStagingDirectory)/out" + steps: + - checkout: Hydra + - template: pipelines/templates/job_start.yml@Hydra + parameters: + logInAgentUami: false + uploadAdx: false + installVenv: false + installReportGenerator: false + + - task: onebranch.pipeline.version@1 + displayName: "Setup BuildNumber" + inputs: + system: "RevisionCounter" + major: "1" + minor: "0" + exclude_commit: true + + - bash: | + pushd Hydra + scripts/setup_pipeline_variables.sh $(Build.BuildId) + popd + + source BLOB_CSI_VERSION + echo "##vso[task.setvariable variable=BLOB_CSI_VERSION;isOutput=true]${BLOB_CSI_VERSION}" + displayName: Setup environment + name: setupEnvironment + + - stage: build + dependsOn: + - setup + variables: + TOOLCHAIN_IMAGE: $[ stageDependencies.setup.Setup.outputs['setupEnvironment.TOOLCHAIN_IMAGE'] ] + pipelineBuildTag: $[ stageDependencies.setup.Setup.outputs['setupEnvironment.VERSION_TAG'] ] + jobs: + - ${{ each arch 
in parameters.architectures }}: + - job: build_csi_container_${{ arch }} + timeoutInMinutes: 60 + displayName: Build ${{ arch }} BlobCSIImage + pool: + type: docker + os: linux + hostArchitecture: ${{ arch }} + variables: + ob_git_checkout: true + steps: + - template: pipelines/templates/job_start.yml@Hydra + parameters: + logInAgentUami: false + uploadAdx: false + installVenv: false + installReportGenerator: false + + # We always sign in to hydraedge since it holds our runtime/toolchain + # images, in addition to the ACR that we'll actually put the built + # images in. + - template: pipelines/templates/acr_login.yml@Hydra + parameters: + acr: hydraedge + onebranch: true + + - template: pipelines/templates/acr_login.yml@Hydra + parameters: + acr: ${{ parameters.acr }} + onebranch: true + + - task: onebranch.pipeline.imagebuildinfo@1@2 + displayName: Build blob csi ${{ arch }} image + inputs: + dockerFileContextPath: . + dockerFileRelPath: pkg/blobplugin/Dockerfile.mariner + repositoryName: $(BlobImageRepo) + registry: "${{ parameters.acr }}.azurecr.io" + saveImageToPath: "$(BlobImageRepo)-${{ arch }}.tar" + enable_network: true # We may not want to do this... 
but current files require it + enable_acr_push: true + buildkit: 1 # turn on for optimizations like caching, parallelization, new dockerfile options + enable_cache: true # take advantage of multi-stage caching + endpoint: "${{ parameters.acr }}-acr-connection" + arguments: --build-arg ARCH=${{ arch }} --build-arg BUILD_IMAGE=$(TOOLCHAIN_IMAGE) + build_tag: "$(pipelineBuildTag)-${{ arch }}" + + - stage: publish + dependsOn: + - setup + - build + variables: + pipelineBuildTag: $[ stageDependencies.setup.Setup.outputs['setupEnvironment.VERSION_TAG'] ] + blobCsiVersion: $[ stageDependencies.setup.Setup.outputs['setupEnvironment.BLOB_CSI_VERSION'] ] + HYDRA_REPO_PREFIX: "artifact/$(ServiceTreeId)/$(ONEBRANCH_BUILD_TYPE)/" + jobs: + - job: PublishArtifacts + timeoutInMinutes: 30 + displayName: Publish artifacts + pool: + type: linux + isCustom: true + name: $(AGENT_POOL) + variables: + ob_outputDirectory: "$(Build.SourcesDirectory)/out" + steps: + - checkout: Hydra + - template: pipelines/templates/job_start.yml@Hydra + parameters: + logInAgentUami: false + uploadAdx: false + installVenv: false + installReportGenerator: false + + - template: pipelines/templates/acr_login.yml@Hydra + parameters: + acr: ${{ parameters.acr }} + onebranch: true + + - template: pipelines/templates/make_images_multiarch.yml@Hydra + parameters: + hydraRepoPrefix: "$(HYDRA_REPO_PREFIX)" + acr: "${{ parameters.acr }}" + architectures: ${{ parameters.architectures }} + images: + - $(BlobImageRepo) + + - task: AzureCLI@2 + displayName: "Check if version tag exists" + target: host + inputs: + azureSubscription: $(AZURE_SERVICE_CONNECTION) + scriptType: bash + scriptLocation: inlineScript + inlineScript: | + image="$(HYDRA_REPO_PREFIX)$(BlobImageRepo):$(blobCsiVersion)" + + if ! 
az acr repository show -n "${{ parameters.acr }}" --image "$image" &>2 ; then + echo "##vso[task.setvariable variable=pushLatest]true" + else + echo "##vso[task.setvariable variable=pushLatest]false" + fi + name: csi_version + condition: and(eq(variables.IsOfficial, 'True'), eq(variables.IsStaging, 'True')) + + - template: pipelines/templates/make_images_latest.yml@Hydra + parameters: + condition: and(eq(variables.IsOfficial, 'True'), eq(variables.IsStaging, 'True'), eq(variables['pushLatest'], 'true')) + hydraRepoPrefix: "$(HYDRA_REPO_PREFIX)" + acr: "${{ parameters.acr }}" + dstBuildTag: "$(blobCsiVersion)" + srcBuildTag: "$(pipelineBuildTag)" + images: + - $(BlobImageRepo) + From c656dfddd7a5dd353c9e7ccdbfd49c94e3c5e566 Mon Sep 17 00:00:00 2001 From: echairez Date: Wed, 4 Oct 2023 15:45:55 -0400 Subject: [PATCH 7/7] reference Hydras main branch --- pipelines/OneBranch.NonOfficial.yml | 2 +- pipelines/OneBranch.Official.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/pipelines/OneBranch.NonOfficial.yml b/pipelines/OneBranch.NonOfficial.yml index 72c1b1675..da4aab813 100644 --- a/pipelines/OneBranch.NonOfficial.yml +++ b/pipelines/OneBranch.NonOfficial.yml @@ -19,7 +19,7 @@ resources: clean: true type: git name: One/Hydra - ref: echairez/cross-repo-pipelines + ref: main variables: - template: pipelines/templates/OneBranch.shared.variables.yml@Hydra diff --git a/pipelines/OneBranch.Official.yml b/pipelines/OneBranch.Official.yml index a37aeac01..e3f342090 100644 --- a/pipelines/OneBranch.Official.yml +++ b/pipelines/OneBranch.Official.yml @@ -23,7 +23,7 @@ resources: clean: true type: git name: One/Hydra - ref: echairez/cross-repo-pipelines + ref: main variables: - template: pipelines/templates/OneBranch.shared.variables.yml@Hydra
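Review bot: In the "Check if version tag exists" inline script, `&>2` writes the output of `az acr repository show` to a file named `2` instead of to stderr, and any failure of that command sets `pushLatest` to `true`. An expired login, a network error or a throttled request is therefore indistinguishable from a missing tag, and the `make_images_latest.yml` step that follows would presumably retag `$(blobCsiVersion)` over an image that was already published. The redirect should be `>/dev/null 2>&1` (or `>&2` to keep the message in the log). The script should also treat only a confirmed not-found result as permission to push, and fail the step on any other error.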
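Review bot: `ref: main` still resolves the Hydra repository from a moving branch, so whatever is on `main` when a run is queued (`acr_login.yml`, `make_images_latest.yml`, `scripts/setup_pipeline_variables.sh`) executes with this pipeline's registry and subscription connections. For the official pipeline in particular, pinning to a tag, `ref: refs/tags/<hydra-release-tag>` (placeholder), would make a build reproducible and put template changes behind an explicit, reviewable bump in this repository. The same applies to the matching hunk in `pipelines/OneBranch.Official.yml`; both `resources` blocks continue outside the hunks.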