From f86d8c56b744caf6519d86a1f6687ec7e84f57b1 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 18 May 2026 14:01:15 +0000 Subject: [PATCH 1/4] Restore signing project from internal NuGet feed; document feed prerequisite Agent-Logs-Url: https://github.com/microsoft/vscode-azuretools/sessions/8d4f153f-de57-474b-b9af-f03039c92049 Co-authored-by: bwateratmsft <36966225+bwateratmsft@users.noreply.github.com> --- azure-pipelines/1esmain.yml | 8 ++++++++ azure-pipelines/1esstages.yml | 5 +++++ azure-pipelines/README.md | 12 ++++++++++++ azure-pipelines/templates/sign.yml | 23 +++++++++++++++++++++-- 4 files changed, 46 insertions(+), 2 deletions(-) diff --git a/azure-pipelines/1esmain.yml b/azure-pipelines/1esmain.yml index f6bfd1e070..e5d88f4bd6 100644 --- a/azure-pipelines/1esmain.yml +++ b/azure-pipelines/1esmain.yml @@ -19,6 +19,13 @@ parameters: - name: npmFeed type: string default: DevDiv/azcode + # Azure Artifacts feed for a private NuGet mirror used during the signing step + # (the SignExtension.signproj references Microsoft.VisualStudioEng.MicroBuild.Core). + # Configure this feed in Azure DevOps to upstream api.nuget.org/v3/index.json + # so that builds don't reach out to public nuget.org. + - name: nugetFeed + type: string + default: DevDiv/azcode - name: additionalPostPackageSteps type: stepList default: [] @@ -74,6 +81,7 @@ extends: bamiVariablesGroupName: ${{ parameters.bamiVariablesGroupName }} additionalSetupSteps: ${{ parameters.additionalSetupSteps }} npmFeed: ${{ parameters.npmFeed }} + nugetFeed: ${{ parameters.nugetFeed }} additionalPostPackageSteps: ${{ parameters.additionalPostPackageSteps }} enableSigning: ${{ parameters.enableSigning }} vsixFileNames: ${{ parameters.vsixFileNames }} diff --git a/azure-pipelines/1esstages.yml b/azure-pipelines/1esstages.yml index 164d15034e..4a72febf9b 100644 --- a/azure-pipelines/1esstages.yml +++ b/azure-pipelines/1esstages.yml 
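Review bot: The comment on the new `nugetFeed` parameter in 1esmain.yml tells operators to give the feed a nuget.org upstream, but it does not say what the signing step then trusts. A feed that serves `Microsoft.VisualStudioEng.MicroBuild.Core` and also proxies the public registry is the arrangement in which dependency confusion becomes possible, if that package ID is not held on nuget.org by the same publisher (not visible from this diff). I would extend the comment with something like `# The feed must not accept externally sourced versions of internal package IDs; check the feed's upstream settings for MicroBuild.Core.` The same parameter is added to 1esstages.yml and templates/sign.yml, so the caveat is best written once and referenced from the other two.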
@@ -20,6 +20,10 @@ parameters: - name: npmFeed type: string default: DevDiv/azcode + # Azure Artifacts feed for a private NuGet mirror (used by the signing step) + - name: nugetFeed + type: string + default: DevDiv/azcode - name: additionalPostPackageSteps type: stepList default: [] @@ -65,6 +69,7 @@ stages: vsixFileNames: ${{ parameters.vsixFileNames }} workingDirectory: ${{ job.working_directory }} npmFeed: ${{ parameters.npmFeed }} + nugetFeed: ${{ parameters.nugetFeed }} - template: ./templates/stage-artifacts.yml - template: ./templates/test.yml diff --git a/azure-pipelines/README.md b/azure-pipelines/README.md index 73777d516d..7fdc3a9392 100644 --- a/azure-pipelines/README.md +++ b/azure-pipelines/README.md @@ -120,6 +120,18 @@ extends: ``` +> **NuGet feed prerequisite for signing:** The signing step runs `dotnet` against +> `SignExtension.signproj`, which has a `PackageReference` on +> `Microsoft.VisualStudioEng.MicroBuild.Core`. To avoid the build reaching out +> to public `nuget.org`, the templates restore that package from the Azure +> Artifacts feed identified by the `nugetFeed` parameter (defaults to +> `DevDiv/azcode`). That feed must be configured in Azure DevOps to have +> `api.nuget.org/v3/index.json` as an upstream source. If your feed does not +> mirror NuGet, either (a) add a NuGet upstream to the feed, or (b) override +> the `nugetFeed` parameter when extending the template (set it to `''` to +> fall back to the default NuGet sources, or to a different `Project/Feed` +> name). + ### Extension release pipeline This pipeline downloads and releases signed VSIX artifacts from the specified build pipeline. diff --git a/azure-pipelines/templates/sign.yml b/azure-pipelines/templates/sign.yml index 41838bc019..8060c5f407 100644 --- a/azure-pipelines/templates/sign.yml +++ b/azure-pipelines/templates/sign.yml 
@@ -11,6 +11,12 @@ parameters: - name: npmFeed type: string default: DevDiv/azcode + # Azure Artifacts feed for a private NuGet mirror used when restoring the + # SignExtension.signproj project. This avoids reaching out to nuget.org from + # the signing step. Set to '' to fall back to the default NuGet sources. + - name: nugetFeed + type: string + default: DevDiv/azcode steps: # Check if the SignExtension.signproj file exists and set a variable using PowerShell @@ -56,6 +62,19 @@ steps: customRegistry: useFeed customFeed: ${{ parameters.npmFeed }} + # Restore the signing project's NuGet packages (e.g. Microsoft.VisualStudioEng.MicroBuild.Core) + # from the internal Azure Artifacts feed rather than nuget.org. The build steps below pass + # --no-restore so they don't trigger an implicit restore against the public feed. + - task: DotNetCoreCLI@2 + condition: and(succeeded(), eq(variables['signprojExists'], True)) + displayName: "\U0001F449 Restore signing project from internal NuGet feed" + inputs: + command: "restore" + projects: $(signprojPath) + ${{ if ne(parameters.nugetFeed, '') }}: + feedsToUse: "select" + vstsFeed: ${{ parameters.nugetFeed }} + # Sign single vsix file if vsixFileNames are not provided - ${{ if eq(join('', parameters.vsixFileNames), '') }}: - script: vsce generate-manifest -i $(package.name)-$(package.version).vsix -o $(Build.SourcesDirectory)/${{ parameters.workingDirectory }}/extension.manifest @@ -70,7 +89,7 @@ steps: inputs: command: "build" projects: $(signprojPath) - arguments: "/p:ProjectDir=$(Build.SourcesDirectory)/${{ parameters.workingDirectory }}/.azure-pipelines/" + arguments: "/p:ProjectDir=$(Build.SourcesDirectory)/${{ parameters.workingDirectory }}/.azure-pipelines/ --no-restore" env: SYSTEM_ACCESSTOKEN: $(System.AccessToken) 
@@ -104,7 +123,7 @@ steps: inputs: command: "build" projects: $(signprojPath) - arguments: "/p:ProjectDir=$(Build.SourcesDirectory)/${{ parameters.workingDirectory }}/.azure-pipelines/" + arguments: "/p:ProjectDir=$(Build.SourcesDirectory)/${{ parameters.workingDirectory }}/.azure-pipelines/ --no-restore" env: SYSTEM_ACCESSTOKEN: $(System.AccessToken) From e2a231241c3326ee59d0741a8c916d058530acda Mon Sep 17 00:00:00 2001 From: "Brandon Waterloo [MSFT]" <36966225+bwateratmsft@users.noreply.github.com> Date: Mon, 18 May 2026 10:46:39 -0400 Subject: [PATCH 2/4] Don't allow nuget.org --- azure-pipelines/templates/sign.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/azure-pipelines/templates/sign.yml b/azure-pipelines/templates/sign.yml index 8060c5f407..bc32f1fc0d 100644 --- a/azure-pipelines/templates/sign.yml +++ b/azure-pipelines/templates/sign.yml @@ -74,6 +74,7 @@ steps: ${{ if ne(parameters.nugetFeed, '') }}: feedsToUse: "select" vstsFeed: ${{ parameters.nugetFeed }} + includeNuGetOrg: false # Sign single vsix file if vsixFileNames are not provided - ${{ if eq(join('', parameters.vsixFileNames), '') }}: From 57ea71515b7d307d9aeb20d310e9a8021129b7f6 Mon Sep 17 00:00:00 2001 From: "Brandon Waterloo [MSFT]" <36966225+bwateratmsft@users.noreply.github.com> Date: Mon, 18 May 2026 11:06:49 -0400 Subject: [PATCH 3/4] Try disabling audit --- azure-pipelines/templates/sign.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/azure-pipelines/templates/sign.yml b/azure-pipelines/templates/sign.yml index bc32f1fc0d..ae742b7da8 100644 --- a/azure-pipelines/templates/sign.yml +++ b/azure-pipelines/templates/sign.yml @@ -75,6 +75,8 @@ steps: feedsToUse: "select" vstsFeed: ${{ parameters.nugetFeed }} includeNuGetOrg: false + restoreArguments: >- + /p:NuGetAudit=false # Sign single vsix file if vsixFileNames are not provided - ${{ if eq(join('', parameters.vsixFileNames), '') }}: From b8ed73cd2c0513643ecdf105d6e47a1181003cf4 Mon Sep 17 00:00:00 2001 
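Review bot: `/p:NuGetAudit=false` in `restoreArguments` (patch 3) switches off NuGet's known-vulnerability check for the one project whose packages execute inside the signing job, and neither the commit message nor the YAML says why. If the cause is that the internal feed cannot serve vulnerability data (which usually shows up as NU1900 warnings), record it in a comment above `restoreArguments`, e.g. `# NuGetAudit disabled: <reason>; re-enable once the feed provides vulnerability info`, so the switch does not outlive its cause. The collapsed hunk does not show whether `restoreArguments` sits inside the `${{ if ne(parameters.nugetFeed, '') }}` block; if it does not, audit is also off on the path that falls back to the default sources.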
From: "Brandon Waterloo [MSFT]" <36966225+bwateratmsft@users.noreply.github.com> Date: Mon, 18 May 2026 11:19:23 -0400 Subject: [PATCH 4/4] Still not good enough... --- azure-pipelines/templates/sign.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/azure-pipelines/templates/sign.yml b/azure-pipelines/templates/sign.yml index ae742b7da8..fccfc98e4f 100644 --- a/azure-pipelines/templates/sign.yml +++ b/azure-pipelines/templates/sign.yml @@ -17,6 +17,11 @@ parameters: - name: nugetFeed type: string default: DevDiv/azcode + # Internal NuGet v3 index used to force restore to a single source via + # command-line arguments without requiring a repo-local NuGet.config. + - name: nugetFeedUrl + type: string + default: https://devdiv.pkgs.visualstudio.com/DevDiv/_packaging/azcode/nuget/v3/index.json steps: # Check if the SignExtension.signproj file exists and set a variable using PowerShell @@ -76,6 +81,7 @@ steps: vstsFeed: ${{ parameters.nugetFeed }} includeNuGetOrg: false restoreArguments: >- + --source ${{ parameters.nugetFeedUrl }} /p:NuGetAudit=false # Sign single vsix file if vsixFileNames are not provided
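Review bot: `nugetFeedUrl` and `nugetFeed` now describe the same feed in two forms with independent defaults, and patch 4 adds `nugetFeedUrl` only to templates/sign.yml. 1esmain.yml and 1esstages.yml forward `nugetFeed` but are not touched here, so a consumer who overrides `nugetFeed` cannot move the `--source` URL with it. The likely result is a restore that authenticates against one feed while requesting packages from another. Either forward the new parameter through both outer templates (`nugetFeedUrl: ${{ parameters.nugetFeedUrl }}`) or state in the parameter comment that the two values must name the same feed. The comment should also say that the value is expected to be an internal `https` Azure Artifacts index, since it becomes the package source for the signing project.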
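Review bot: `--source ${{ parameters.nugetFeedUrl }}` is spliced unquoted into the folded `restoreArguments` scalar, so a parameter value containing whitespace would split into extra `dotnet restore` arguments; `--source "${{ parameters.nugetFeedUrl }}"` keeps it a single argument. Separately, the parameter comment and README text from patch 1 say that setting `nugetFeed` to `''` falls back to the default NuGet sources. If `restoreArguments` is outside the `${{ if ne(parameters.nugetFeed, '') }}` block (indentation is not recoverable from this view), `--source` overrides the configured sources on that path too and the documented fallback no longer exists. The code and the documentation should be brought in line with each other.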