feat: add sources upload pipeline #16656
base: tomls/base/main
Changes from 75 commits
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,63 @@ | ||
| # Microsoft Corporation | ||
| # | ||
| # Wrapper pipeline — passed to ADO as the entry point. This file owns all | ||
| # OneBranch-specific wiring (governed templates repo, Official vs NonOfficial | ||
| # variant, featureFlags) and delegates the actual stages/jobs/steps to the | ||
| # raw stages template at: | ||
| # .github/workflows/ado/templates/sources-upload-stages.yml | ||
| # | ||
| # Authenticates via Workload Identity Federation (OIDC) and calls the Control | ||
| # Tower prcheck API with PR context. | ||
| # | ||
| # Prerequisites (ADO / Azure Portal): | ||
| # 1. Entra ID App Registration with audience URI | ||
| # "api://<ControlTower-ClientId>" (see variable group below). | ||
| # 2. Federated identity credential on the app registration for the ADO | ||
| # service connection (issuer: https://vstoken.dev.azure.com/<org-id>, | ||
| # subject: sc://<org>/<project>/<service-connection-name>). | ||
| # 3. ARM service connection in ADO project settings using Workload Identity | ||
| # Federation (manual). | ||
| # 4. ADO branch policy or pipeline PR trigger configured to fire on PRs. | ||
| # | ||
| # Variable Group (ADO Pipelines > Library): | ||
| # Name: "ControlTower-PRCheck" | ||
| # Required variables: | ||
| # - ApiAudience : Entra ID audience URI for the Control Tower app | ||
| # - ApiBaseUrl : Base URL of the Control Tower service | ||
| # - AzldevCommit : Commit hash for azldev (go install ...@<commit>) | ||
|
|
||
| # Trigger controlled by ADO branch policy — not YAML triggers. | ||
| trigger: none | ||
|
|
||
| pr: none | ||
|
|
||
| resources: | ||
| repositories: | ||
| - repository: templates | ||
| type: git | ||
| name: OneBranch.Pipelines/GovernedTemplates | ||
| ref: refs/heads/main | ||
|
|
||
| extends: | ||
| template: v2/OneBranch.Official.CrossPlat.yml@templates | ||
| parameters: | ||
| featureFlags: | ||
| golang: | ||
| internalModuleProxy: | ||
| enabled: true | ||
| LinuxHostVersion: | ||
| Network: R1 | ||
| runOnHost: true | ||
| EnableCDPxPAT: false | ||
| stages: | ||
| - template: /.github/workflows/ado/templates/sources-upload-stages.yml@self | ||
| parameters: | ||
| outputDirectory: $(Build.ArtifactStagingDirectory)/output | ||
| artifactBaseName: prcheck | ||
| containerImage: mcr.microsoft.com/onebranch/azurelinux/build:3.0 | ||
| poolType: linux | ||
| serviceConnection: CT-Endpoints-Access-ServiceConnection-DEV | ||
| variableGroup: ControlTower-PRCheck | ||
| # Must exceed the script's --poll-timeout-seconds (default 7200s = 120m) | ||
| # with enough headroom for setup steps and the final API call. | ||
| timeoutInMinutes: 150 | ||
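Review bot: `serviceConnection: CT-Endpoints-Access-ServiceConnection-DEV` binds an Official-variant pipeline (`v2/OneBranch.Official.CrossPlat.yml@templates`) to a DEV-suffixed service connection; if a non-DEV Control Tower endpoint exists, that should be the connection passed here, otherwise the header comment should state that the DEV binding is intentional so nobody "fixes" it later. Minor: the timeout comment (`# Must exceed the script's --poll-timeout-seconds (default 7200s = 120m)`) is repeated verbatim in the stages template next to the job's `timeoutInMinutes`; keeping it in one place avoids the two copies drifting when the default changes.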
| Original file line number | Diff line number | Diff line change | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,181 @@ | ||||||||||||||||||||
| # Microsoft Corporation | ||||||||||||||||||||
| # | ||||||||||||||||||||
| # Raw stages template for the sources-upload PR check pipeline. | ||||||||||||||||||||
| # | ||||||||||||||||||||
| # This template is OneBranch-agnostic: it declares the stages/jobs/steps that | ||||||||||||||||||||
| # do the actual work and exposes the OneBranch-coupled knobs as parameters. | ||||||||||||||||||||
| # The wrapper at .github/workflows/ado/sources-upload.yml is responsible for | ||||||||||||||||||||
| # choosing the OneBranch governed template variant (Official vs NonOfficial), | ||||||||||||||||||||
| # configuring its featureFlags, and supplying concrete values for the | ||||||||||||||||||||
| # parameters declared below. | ||||||||||||||||||||
|
|
||||||||||||||||||||
| parameters: | ||||||||||||||||||||
| - name: outputDirectory | ||||||||||||||||||||
| type: string | ||||||||||||||||||||
| - name: artifactBaseName | ||||||||||||||||||||
| type: string | ||||||||||||||||||||
| - name: containerImage | ||||||||||||||||||||
| type: string | ||||||||||||||||||||
| - name: poolType | ||||||||||||||||||||
| type: string | ||||||||||||||||||||
| default: linux | ||||||||||||||||||||
| - name: serviceConnection | ||||||||||||||||||||
| type: string | ||||||||||||||||||||
| - name: variableGroup | ||||||||||||||||||||
| type: string | ||||||||||||||||||||
| - name: timeoutInMinutes | ||||||||||||||||||||
| type: number | ||||||||||||||||||||
|
|
||||||||||||||||||||
| stages: | ||||||||||||||||||||
| - stage: PRCheck | ||||||||||||||||||||
| jobs: | ||||||||||||||||||||
| - job: CallControlTowerAPI | ||||||||||||||||||||
| # Must exceed the script's --poll-timeout-seconds (default 7200s = 120m) | ||||||||||||||||||||
| # with enough headroom for setup steps and the final API call. | ||||||||||||||||||||
| timeoutInMinutes: ${{ parameters.timeoutInMinutes }} | ||||||||||||||||||||
| pool: | ||||||||||||||||||||
| type: ${{ parameters.poolType }} | ||||||||||||||||||||
| variables: | ||||||||||||||||||||
| - group: ${{ parameters.variableGroup }} | ||||||||||||||||||||
| - name: ob_outputDirectory | ||||||||||||||||||||
| value: ${{ parameters.outputDirectory }} | ||||||||||||||||||||
| - name: ob_artifactBaseName | ||||||||||||||||||||
| value: ${{ parameters.artifactBaseName }} | ||||||||||||||||||||
| - name: LinuxContainerImage | ||||||||||||||||||||
| value: ${{ parameters.containerImage }} | ||||||||||||||||||||
| steps: | ||||||||||||||||||||
| - task: PipAuthenticate@1 | ||||||||||||||||||||
| displayName: "Authenticate pip" | ||||||||||||||||||||
| inputs: | ||||||||||||||||||||
| artifactFeeds: "azl/ControlTowerFeed" | ||||||||||||||||||||
|
|
||||||||||||||||||||
| - script: | | ||||||||||||||||||||
| set -euo pipefail | ||||||||||||||||||||
|
|
||||||||||||||||||||
| echo "##[group]Mock" | ||||||||||||||||||||
| tdnf install -y mock mock-rpmautospec python3-chardet | ||||||||||||||||||||
| sudo usermod -aG mock "$(whoami)" | ||||||||||||||||||||
|
PawelWMS marked this conversation as resolved.
|
||||||||||||||||||||
| echo "##[endgroup]" | ||||||||||||||||||||
|
|
||||||||||||||||||||
| echo "##[group]Azldev" | ||||||||||||||||||||
| echo "Installing azldev@${AZLDEV_COMMIT}..." | ||||||||||||||||||||
| go install "github.com/microsoft/azure-linux-dev-tools/cmd/azldev@${AZLDEV_COMMIT}" | ||||||||||||||||||||
|
|
||||||||||||||||||||
| go_bin_path="$(go env GOPATH)/bin" | ||||||||||||||||||||
| echo "##vso[task.prependpath]$go_bin_path" | ||||||||||||||||||||
|
|
||||||||||||||||||||
| "$go_bin_path/azldev" --version | ||||||||||||||||||||
| echo "##[endgroup]" | ||||||||||||||||||||
|
|
||||||||||||||||||||
| echo "##[group]Python dependencies" | ||||||||||||||||||||
| pip install -r .github/workflows/scripts/control-tower-prcheck/requirements.txt | ||||||||||||||||||||
| echo "##[endgroup]" | ||||||||||||||||||||
| displayName: "Install dependencies" | ||||||||||||||||||||
| env: | ||||||||||||||||||||
| AZLDEV_COMMIT: $(AzldevCommit) | ||||||||||||||||||||
|
|
||||||||||||||||||||
| - script: | | ||||||||||||||||||||
| set -euo pipefail | ||||||||||||||||||||
|
|
||||||||||||||||||||
| # Workaround for an ADO git config error during spec rendering. | ||||||||||||||||||||
| # The config key may not be present on every agent image, so tolerate its absence. | ||||||||||||||||||||
| git config --unset extensions.worktreeConfig || true | ||||||||||||||||||||
|
|
||||||||||||||||||||
| # Full history is needed for spec rendering to work. | ||||||||||||||||||||
| git fetch --unshallow | ||||||||||||||||||||
|
||||||||||||||||||||
| git fetch --unshallow | |
| if [ "$(git rev-parse --is-shallow-repository)" = "true" ]; then | |
| git fetch --unshallow | |
| else | |
| git fetch | |
| fi |
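Review bot: `sudo usermod -aG mock "$(whoami)"` only edits `/etc/group`; the agent process and the shells it spawns for later steps keep the supplementary groups they started with, so later `mock` invocations may still be refused unless they are run through `sg mock -c '...'` (or the image already has the build user in the group). `git fetch --unshallow` exits non-zero when the checkout is not shallow, which under `set -euo pipefail` aborts the step; the suggested `git rev-parse --is-shallow-repository` guard addresses that. The `pip install -r .github/workflows/scripts/control-tower-prcheck/requirements.txt` line pulls from the authenticated feed without `--require-hashes`; pinning hashes in that requirements file would make the installed set reproducible and detect a substituted package.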
Probably want `--clean-stale` here, or just use `-a` with the default config dir (i.e. don't use `-o`).
If it's config driven, it does all the "right" things automatically.
Thanks, I forgot about that. When I was writing this, the config wasn't there yet. Or it wasn't read by azldev; I forgot which one it was. :)
Technically it's STILL not there... waiting on https://github.com/microsoft/azurelinux/pull/16674/changes#diff-c887c6bcaf3c91cd09515ad27d4da91292a3ec45f3146344b0d2f6a0e7ad6453R13
I think I've got a solid flow for isolating mock if this ever needs to handle untrusted input: https://github.com/microsoft/azurelinux/pull/16674/changes#diff-30a9c2fec326355d71a476f939a68c942b218cd7479ea9710f7afd4c5d41695bR105
If we can guarantee this only runs on code we have looked at, we might not care.
Copilot (AI), Apr 21, 2026
The inline comment says the merge-queue branch format is refs/heads/gh-readonly-queue/{base_branch}/pr-..., but the parsing regex only matches test/gh-readonly-queue/.... If the pipeline runs on the actual merge queue branch (without the test/ prefix), base_branch extraction will fail and block the pipeline. Consider supporting both prefixes (or matching on gh-readonly-queue/ regardless of an optional test/ prefix) and align the error message/comment with the accepted formats.
| # Branch format: refs/heads/gh-readonly-queue/{base_branch}/pr-{pr_number}-{head_sha} | |
| # Using 'test/' branches until ready with the merge queue, but the parsing logic is the same. | |
| if ! base_branch=$(grep -oP '(?<=test/gh-readonly-queue/).+(?=/pr-[^/]+$)' <<< "$SOURCE_BRANCH"); then | |
| echo "##[error]Unsupported SOURCE_BRANCH '$SOURCE_BRANCH' for non-PullRequest build. Expected 'refs/heads/test/gh-readonly-queue/<base>/pr-<n>-<sha>'." | |
| # Supported branch formats: | |
| # - refs/heads/gh-readonly-queue/{base_branch}/pr-{pr_number}-{head_sha} | |
| # - refs/heads/test/gh-readonly-queue/{base_branch}/pr-{pr_number}-{head_sha} | |
| if ! base_branch=$(grep -oP '(?<=/(?:test/)?gh-readonly-queue/).+(?=/pr-[^/]+$)' <<< "$SOURCE_BRANCH"); then | |
| echo "##[error]Unsupported SOURCE_BRANCH '$SOURCE_BRANCH' for non-PullRequest build. Expected 'refs/heads/gh-readonly-queue/<base>/pr-<n>-<sha>' or 'refs/heads/test/gh-readonly-queue/<base>/pr-<n>-<sha>'." |
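Review bot: the suggested lookbehind `(?<=/(?:test/)?gh-readonly-queue/)` is variable-length because of the `(?:test/)?` quantifier, and `grep -P` (PCRE) only accepts fixed-length alternatives inside a lookbehind on PCRE2 builds before 10.43, so this line would fail at runtime with "lookbehind assertion is not fixed length" rather than match. Because the trailing lookahead already pins the match to `/pr-<n>-<sha>` at end of string, dropping the optional prefix from the lookbehind covers both formats: `grep -oP '(?<=gh-readonly-queue/).+(?=/pr-[^/]+$)'`. If the `refs/heads/` prefix must also be enforced, an explicit capture such as `sed -nE 's#^refs/heads/(test/)?gh-readonly-queue/(.+)/pr-[^/]+$#\2#p'` followed by a check that `base_branch` is non-empty does it without lookbehind at all.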
Looks like `...` might be more appropriate here; `..` (or the default) diffs ALL changes, including those from other PRs. `...` seems to auto-calculate the merge base for the PR.
| done < <(git diff "$SOURCE_COMMIT" "$TARGET_COMMIT" --name-only | grep '/sources$' | sort -u) | |
| done < <(git diff "$TARGET_COMMIT...$SOURCE_COMMIT" --name-only | grep '/sources$' | sort -u) |
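Review bot: the three-dot form is the right scope for a PR diff, and it relies on the merge base being present locally, which the earlier unshallow step provides. Two things worth adding on this line: `--diff-filter=d` (exclude deletions) so a removed `sources` file is not handed to the loop body as if it still existed, and a `git rev-parse --verify` of `$TARGET_COMMIT` and `$SOURCE_COMMIT` before the loop, because a failure inside the `< <(...)` process substitution is not caught by `set -e` or `pipefail` and would silently result in an empty loop rather than a failed step.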