From b1b6515c16a5abfc4e496888a31aaca58cb60b91 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 5 Jan 2026 19:08:20 +0000 Subject: [PATCH 1/3] Initial plan From bd0051d1c770db894d8f74c0754b21d805d363f8 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 5 Jan 2026 19:17:34 +0000 Subject: [PATCH 2/3] Replace 1es-official.yml and 1es-unofficial.yml with 1es.yml template Co-authored-by: lbussell <36081148+lbussell@users.noreply.github.com> --- eng/docker-tools/templates/jobs/publish.yml | 10 ++++------ eng/pipelines/annotate-eol-digests.yml | 10 ++++++---- eng/pipelines/cg-detection.yml | 3 +-- eng/pipelines/check-base-image-updates.yml | 8 +++++--- .../cleanup-acr-images-custom-official.yml | 8 +++++--- eng/pipelines/cleanup-acr-images-official.yml | 16 +++++++++------- eng/pipelines/cleanup-acr-images-unofficial.yml | 16 +++++++++------- eng/pipelines/import-image.yml | 2 +- eng/pipelines/mirror-base-images.yml | 8 +++++--- eng/pipelines/secret-management-weekly.yml | 2 +- eng/pipelines/upload-file.yml | 2 +- 11 files changed, 47 insertions(+), 38 deletions(-) diff --git a/eng/docker-tools/templates/jobs/publish.yml b/eng/docker-tools/templates/jobs/publish.yml index cb9b454ac..bad52cc09 100644 --- a/eng/docker-tools/templates/jobs/publish.yml +++ b/eng/docker-tools/templates/jobs/publish.yml 
@@ -254,12 +254,10 @@ jobs: condition: and(succeeded(), eq(variables['publishImageInfo'], 'true')) displayName: Publish Image Info - # Task displayNames names are hardcoded to reference the task prefix used by 1ES official - # pipelines in eng/docker-tools/templates/1es-official.yml. - # - # These will fail if they are dependend on by an unofficial pipeline since they use a unique task - # prefix compared to official pipelines (see eng/docker-tools/templates/1es-unofficial.yml). This is - # acceptable because unofficial pipelines should not publish images. + # Task displayNames are hardcoded to reference the task prefix used by 1ES official + # pipelines (🟪). These will fail if they are depended on by an unofficial pipeline since + # they use a unique task prefix compared to official pipelines (🟦). + # This is acceptable because unofficial pipelines should not publish images. # # https://github.com/dotnet/docker-tools/issues/1698 tracks making this command no longer depend # on individual step displayNames. diff --git a/eng/pipelines/annotate-eol-digests.yml b/eng/pipelines/annotate-eol-digests.yml index 8a364eb31..5d85a0ac0 100644 --- a/eng/pipelines/annotate-eol-digests.yml +++ b/eng/pipelines/annotate-eol-digests.yml @@ -14,12 +14,14 @@ variables: value: "" extends: - template: /eng/docker-tools/templates/1es-official.yml@self + template: /eng/docker-tools/templates/1es.yml@self parameters: - serviceConnections: - - name: $(publish.serviceConnectionName) - - name: $(marStatus.serviceConnectionName) stages: + - template: /eng/docker-tools/templates/stages/setup-service-connections.yml@self + parameters: + serviceConnections: + - name: $(publish.serviceConnectionName) + - name: $(marStatus.serviceConnectionName) - stage: eolAnnotate displayName: Annotate EOL images dependsOn: [] diff --git a/eng/pipelines/cg-detection.yml b/eng/pipelines/cg-detection.yml index edb69a55f..19835790b 100644 --- a/eng/pipelines/cg-detection.yml +++ b/eng/pipelines/cg-detection.yml 
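Review bot: The rewritten comment names the two task prefixes only by emoji (🟪, 🟦) and no longer says where they are assigned, so a reader cannot verify that these steps fail under an unofficial pipeline. The comment accepts that failure on the grounds that unofficial pipelines should not publish images, which makes the source of the prefix worth naming. The removed templates passed `taskPrefix` to `eng/docker-tools/templates/task-prefix-decorator.yml`; if that is still where the prefix comes from, add a line such as `# Prefixes are assigned through templates/task-prefix-decorator.yml (🟪 official, 🟦 unofficial).` The enclosing job starts and ends outside this hunk.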
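Review bot: The inlined `setup-service-connections.yml` stage is given `serviceConnections` but no `pool`, whereas the removed 1es-official.yml and 1es-unofficial.yml always forwarded `pool: ${{ parameters.pool }}` (defaulting to `$(default1ESInternalPoolName)` / `$(default1ESInternalPoolImage)`, `os: linux`). Whether the stage template has an equivalent default of its own is not visible in this patch, so confirm that the job which authorizes the service connections still lands on the intended internal pool. The same pattern appears in the hunks for check-base-image-updates.yml, cleanup-acr-images-custom-official.yml, cleanup-acr-images-official.yml, cleanup-acr-images-unofficial.yml and mirror-base-images.yml. A one-line comment above the stage, for example `# Runs on the pipeline's default pool; must precede any stage that uses these connections.`, would record the assumption.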
@@ -20,9 +20,8 @@ variables: value: false extends: - template: /eng/docker-tools/templates/1es-official.yml@self + template: /eng/docker-tools/templates/1es.yml@self parameters: - cgDryRun: ${{ parameters.cgDryRun }} stages: - stage: CgDetection displayName: CG Detection diff --git a/eng/pipelines/check-base-image-updates.yml b/eng/pipelines/check-base-image-updates.yml index ffa9b11cd..d39c2592b 100644 --- a/eng/pipelines/check-base-image-updates.yml +++ b/eng/pipelines/check-base-image-updates.yml @@ -15,11 +15,13 @@ variables: - template: /eng/docker-tools/templates/variables/dotnet/secrets.yml@self extends: - template: /eng/docker-tools/templates/1es-official.yml@self + template: /eng/docker-tools/templates/1es.yml@self parameters: - serviceConnections: - - name: $(acr-staging.serviceConnectionName) stages: + - template: /eng/docker-tools/templates/stages/setup-service-connections.yml@self + parameters: + serviceConnections: + - name: $(acr-staging.serviceConnectionName) - stage: CheckBaseImages displayName: Check Base Images dependsOn: [] diff --git a/eng/pipelines/cleanup-acr-images-custom-official.yml b/eng/pipelines/cleanup-acr-images-custom-official.yml index 7b8ceb9b1..42aeee47a 100644 --- a/eng/pipelines/cleanup-acr-images-custom-official.yml +++ b/eng/pipelines/cleanup-acr-images-custom-official.yml @@ -27,11 +27,13 @@ parameters: type: int extends: - template: /eng/docker-tools/templates/1es-official.yml@self + template: /eng/docker-tools/templates/1es.yml@self parameters: - serviceConnections: - - name: $(clean.serviceConnectionName) stages: + - template: /eng/docker-tools/templates/stages/setup-service-connections.yml@self + parameters: + serviceConnections: + - name: $(clean.serviceConnectionName) - template: /eng/docker-tools/templates/stages/dotnet/publish-config-prod.yml@self parameters: stagesTemplate: /eng/pipelines/templates/stages/cleanup-acr-images-custom.yml@self 
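Review bot: Dropping `cgDryRun: ${{ parameters.cgDryRun }}` from the `extends` parameters leaves the pipeline's `cgDryRun` parameter (declared outside this hunk, if it still exists) connected to nothing visible here. In the removed 1es-official.yml that value fed `componentgovernance.whatIf`, so it decided whether Component Governance results were submitted or only computed. If 1es.yml, which is not part of this patch, still accepts the parameter, keep the forwarding line. Otherwise remove the declaration from cg-detection.yml, so that nobody queues a run believing it is a dry run while results are actually submitted.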
diff --git a/eng/pipelines/cleanup-acr-images-official.yml b/eng/pipelines/cleanup-acr-images-official.yml index 8c8727af4..8f844be6e 100644 --- a/eng/pipelines/cleanup-acr-images-official.yml +++ b/eng/pipelines/cleanup-acr-images-official.yml @@ -22,15 +22,17 @@ variables: readonly: true extends: - template: /eng/docker-tools/templates/1es-official.yml@self + template: /eng/docker-tools/templates/1es.yml@self parameters: - serviceConnections: - # For image removal - - name: $(clean.serviceConnectionName) - # For EOL annotations - - name: $(build.serviceConnectionName) - - name: $(public-mirror.serviceConnectionName) stages: + - template: /eng/docker-tools/templates/stages/setup-service-connections.yml@self + parameters: + serviceConnections: + # For image removal + - name: $(clean.serviceConnectionName) + # For EOL annotations + - name: $(build.serviceConnectionName) + - name: $(public-mirror.serviceConnectionName) - template: /eng/docker-tools/templates/stages/dotnet/publish-config-prod.yml@self parameters: stagesTemplate: /eng/pipelines/templates/stages/cleanup-acr-images.yml@self diff --git a/eng/pipelines/cleanup-acr-images-unofficial.yml b/eng/pipelines/cleanup-acr-images-unofficial.yml index 9eed550f0..9111b04dd 100644 --- a/eng/pipelines/cleanup-acr-images-unofficial.yml +++ b/eng/pipelines/cleanup-acr-images-unofficial.yml 
@@ -14,15 +14,17 @@ variables: readonly: true extends: - template: /eng/docker-tools/templates/1es-unofficial.yml@self + template: /eng/docker-tools/templates/1es.yml@self parameters: - serviceConnections: - # For image removal - - name: $(clean-test.serviceConnectionName) - # For EOL annotations - - name: $(build-test.serviceConnectionName) - - name: $(public-mirror.serviceConnectionName) stages: + - template: /eng/docker-tools/templates/stages/setup-service-connections.yml@self + parameters: + serviceConnections: + # For image removal + - name: $(clean-test.serviceConnectionName) + # For EOL annotations + - name: $(build-test.serviceConnectionName) + - name: $(public-mirror.serviceConnectionName) - template: /eng/docker-tools/templates/stages/dotnet/publish-config-nonprod.yml@self parameters: stagesTemplate: /eng/pipelines/templates/stages/cleanup-acr-images.yml@self diff --git a/eng/pipelines/import-image.yml b/eng/pipelines/import-image.yml index 239a8b5ff..faa095317 100644 --- a/eng/pipelines/import-image.yml +++ b/eng/pipelines/import-image.yml @@ -34,7 +34,7 @@ variables: value: '' extends: - template: /eng/docker-tools/templates/1es-official.yml@self + template: /eng/docker-tools/templates/1es.yml@self parameters: stages: - stage: Import diff --git a/eng/pipelines/mirror-base-images.yml b/eng/pipelines/mirror-base-images.yml index 5c5556239..f58895ee3 100644 --- a/eng/pipelines/mirror-base-images.yml +++ b/eng/pipelines/mirror-base-images.yml @@ -23,11 +23,13 @@ variables: value: "" extends: - template: /eng/docker-tools/templates/1es-official.yml@self + template: /eng/docker-tools/templates/1es.yml@self parameters: - serviceConnections: - - name: $(public-mirror.serviceConnectionName) stages: + - template: /eng/docker-tools/templates/stages/setup-service-connections.yml@self + parameters: + serviceConnections: + - name: $(public-mirror.serviceConnectionName) - stage: MirrorBaseImages displayName: Mirror Base Images dependsOn: [] 
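Review bot: Nothing in the cleanup-acr-images-unofficial.yml hunk tells 1es.yml that this is an unofficial pipeline, because only the template path in the `extends` block changes and no parameter selects the base template. The removed 1es-unofficial.yml pinned `v1/1ES.Unofficial.PipelineTemplate.yml`, forced `whatIf: true` for component governance and set `taskPrefix: "🟦"`. Unless 1es.yml (not shown in this patch) derives those settings some other way, this test pipeline would run as official, submit CG results and share the task prefix that publish.yml's displayName lookups expect. The hunk for eng/pipelines/secret-management-weekly.yml has the same gap. A comment above `template:` stating how the official/unofficial choice is made, or an explicit parameter if 1es.yml offers one, would make this reviewable from the pipeline file.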
diff --git a/eng/pipelines/secret-management-weekly.yml b/eng/pipelines/secret-management-weekly.yml index c416b8f11..bb725de76 100644 --- a/eng/pipelines/secret-management-weekly.yml +++ b/eng/pipelines/secret-management-weekly.yml @@ -12,7 +12,7 @@ variables: - template: templates/variables/common.yml extends: - template: /eng/docker-tools/templates/1es-unofficial.yml@self + template: /eng/docker-tools/templates/1es.yml@self parameters: stages: - stage: SynchronizeSecrets diff --git a/eng/pipelines/upload-file.yml b/eng/pipelines/upload-file.yml index 072be2d4c..40651d4d2 100644 --- a/eng/pipelines/upload-file.yml +++ b/eng/pipelines/upload-file.yml @@ -16,7 +16,7 @@ variables: - template: /eng/pipelines/templates/variables/common.yml@self extends: - template: /eng/docker-tools/templates/1es-official.yml@self + template: /eng/docker-tools/templates/1es.yml@self parameters: stages: - stage: UploadFile From f9e04e51d98cbc7fcb0e5951414231bce9223fe9 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 6 Jan 2026 18:17:56 +0000 Subject: [PATCH 3/3] Remove deprecated 1es-official.yml and 1es-unofficial.yml templates Co-authored-by: lbussell <36081148+lbussell@users.noreply.github.com> --- eng/docker-tools/templates/1es-official.yml | 70 ---------------- eng/docker-tools/templates/1es-unofficial.yml | 79 ------------------- 2 files changed, 149 deletions(-) delete mode 100644 eng/docker-tools/templates/1es-official.yml delete mode 100644 eng/docker-tools/templates/1es-unofficial.yml diff --git a/eng/docker-tools/templates/1es-official.yml b/eng/docker-tools/templates/1es-official.yml deleted file mode 100644 index ebf8fcd70..000000000 --- a/eng/docker-tools/templates/1es-official.yml +++ /dev/null 
@@ -1,70 +0,0 @@ -# When extending this template, pipelines using a repository resource containing versions files for image caching must -# do the following: -# -# - Do not rely on any source code from the versions repo so as to not circumvent SDL and CG guidelines -# - The versions repo resource must be named `VersionsRepo` to avoid SDL scans -# - The versions repo must be checked out to `$(Build.SourcesDirectory)/versions` to avoid CG scans -# -# If the pipeline is not using a separate repository resource, ensure that there is no source code checked out in -# `$(Build.SourcesDirectory)/versions`, as it will not be scanned. -# -# The `cgDryRun` parameter will run CG but not submit the results, for testing purposes. - -parameters: -- name: cgDryRun - type: boolean - default: false -- name: stages - type: stageList - default: [] -- name: serviceConnections - type: object - default: [] -- name: pool - type: object - default: - name: $(default1ESInternalPoolName) - image: $(default1ESInternalPoolImage) - os: linux -- name: sourceAnalysisPool - type: object - default: - name: $(defaultSourceAnalysisPoolName) - image: $(defaultSourceAnalysisPoolImage) - os: windows - -resources: - repositories: - - repository: 1ESPipelineTemplates - type: git - name: 1ESPipelineTemplates/1ESPipelineTemplates - ref: refs/tags/release - -extends: - template: /eng/docker-tools/templates/task-prefix-decorator.yml@self - parameters: - baseTemplate: v1/1ES.Official.PipelineTemplate.yml@1ESPipelineTemplates - templateParameters: - pool: ${{ parameters.pool }} - sdl: - binskim: - enabled: true - componentgovernance: - ignoreDirectories: $(Build.SourcesDirectory)/versions - whatIf: ${{ parameters.cgDryRun }} - showAlertLink: true - policheck: - enabled: true - sourceRepositoriesToScan: - exclude: - - repository: VersionsRepo - sourceAnalysisPool: ${{ parameters.sourceAnalysisPool }} - tsa: - enabled: true - stages: - - ${{ if gt(length(parameters.serviceConnections), 0) }}: - - template: 
/eng/docker-tools/templates/stages/setup-service-connections.yml@self - parameters: - pool: ${{ parameters.pool }} - serviceConnections: ${{ parameters.serviceConnections }} - - ${{ parameters.stages }} diff --git a/eng/docker-tools/templates/1es-unofficial.yml b/eng/docker-tools/templates/1es-unofficial.yml deleted file mode 100644 index bc584cd38..000000000 --- a/eng/docker-tools/templates/1es-unofficial.yml +++ /dev/null 
@@ -1,79 +0,0 @@ -# This unofficial template will always run CG in "what if" mode, which will not submit results to the CG. SDL tools may -# also be disabled for testing purposes. -# -# When extending this template, pipelines using a repository resource containing versions files for image caching must -# do the following: -# -# - Do not rely on any source code from the versions repo so as to not circumvent SDL and CG guidelines -# - The versions repo resource must be named `InternalVersionsRepo` or `PublicVersionsRepo` to avoid SDL scans -# - The versions repo must be checked out to `$(Build.SourcesDirectory)/versions` to avoid CG scans -# -# If the pipeline is not using a separate repository resource, ensure that there is no source code checked out in -# `$(Build.SourcesDirectory)/versions`, as it will not be scanned. - -parameters: -- name: disableSDL - type: boolean - default: false - displayName: Disable SDL -- name: stages - type: stageList - default: [] - # 1ES Pipeline Template parameters -- name: serviceConnections - type: object - default: [] -- name: pool - type: object - default: - name: $(default1ESInternalPoolName) - image: $(default1ESInternalPoolImage) - os: linux -- name: sourceAnalysisPool - type: object - default: - name: $(defaultSourceAnalysisPoolName) - image: $(defaultSourceAnalysisPoolImage) - os: windows - -resources: - repositories: - - repository: 1ESPipelineTemplates - type: git - name: 1ESPipelineTemplates/1ESPipelineTemplates - ref: refs/tags/release - -extends: - template: /eng/docker-tools/templates/task-prefix-decorator.yml@self - parameters: - # Use a unique task prefix for unofficial pipelines - taskPrefix: "🟦" - baseTemplate: v1/1ES.Unofficial.PipelineTemplate.yml@1ESPipelineTemplates - templateParameters: - pool: ${{ parameters.pool }} - sdl: - binskim: - enabled: true - componentgovernance: - ignoreDirectories: $(Build.SourcesDirectory)/versions - whatIf: true - showAlertLink: true - enableAllTools: ${{ 
not(parameters.disableSDL) }} - policheck: - enabled: true - sbom: - enabled: true - sourceRepositoriesToScan: - exclude: - - repository: InternalVersionsRepo - - repository: PublicVersionsRepo - sourceAnalysisPool: ${{ parameters.sourceAnalysisPool }} - tsa: - enabled: true - stages: - - ${{ if gt(length(parameters.serviceConnections), 0) }}: - - template: /eng/docker-tools/templates/stages/setup-service-connections.yml@self - parameters: - pool: ${{ parameters.pool }} - serviceConnections: ${{ parameters.serviceConnections }} - - ${{ parameters.stages }}