SBOM: Fix for conditional logic based on signingCondition (#322)

* Attempt to evaluate signingCondition to include/exclude settings at the time the sbom stage is run

* Evaluate signingCondition as part of a condition property and not as a conditional expression

* Apply signingCondition to the stages defined for PRs and CIs

* Try using two SBOM jobs with opposing conditional logic within the same stage

* Unique names for SBOM jobs

* SBOM: Execute PR job based on unsignedCondition

* Remove closing paren from unsignedCondition

* Remove stage name as parameter to condition

* Remove succeeded() from original signingCondition

* Multi-line conditions

* Use single signingCondition

* SBOM: Unsigned PR job: Include condition for success of the windows (build) stage

* Target production support for the SBOM shared template job name & display name

* Ensure SBOM_PR job only executes if the build 'windows' job succeeds by making the SBOM stage dependent on the success of the windows stage

* Spell out acronyms in comments

azure-pipelines.yml

@@ -6,7 +6,11 @@ variables:
   provisionator.path: '$(System.DefaultWorkingDirectory)/eng/provisioning/provisioning.csx'
   provisionator.vs: '$(System.DefaultWorkingDirectory)/eng/provisioning/vs.csx'
   provisionator.extraArguments: '--v'
-  signingCondition: and(succeeded(), or(eq(variables['Sign'], 'true'), or(eq(variables['Build.SourceBranch'], 'refs/heads/main'), or(startsWith(variables['Build.SourceBranch'],'refs/tags/'),  startsWith(variables['Build.SourceBranch'],'refs/heads/release/') ))))
+  signingCondition: or(eq(variables['Sign'], 'true'),
+                       or(eq(variables['Build.SourceBranch'], 'refs/heads/main'),
+                          or(startsWith(variables['Build.SourceBranch'],'refs/tags/'),  startsWith(variables['Build.SourceBranch'],'refs/heads/release/') )
+                          )
+                      )
 
 parameters:
   - name: BuildConfigurations
@@ -62,7 +66,7 @@ resources:
       type: github
       name: xamarin/yaml-templates
       endpoint: xamarin
-      ref: refs/heads/main # still defaults to master even though main is the main branch
+      ref: refs/heads/main
 
 stages:
   - stage: windows
@@ -203,19 +207,29 @@ stages:
             signedArtifactName: nuget
             signedArtifactPath: signed
             displayName: Sign Phase
-            condition: ${{ variables['signingCondition'] }}
+            condition: and(succeeded(), ${{ variables['signingCondition'] }} )
 
     - stage: sbom
       displayName: 'Software Bill of Materials'
-      ${{ if not(variables['signingCondition']) }}:
-        dependsOn: [ 'windows' ]
-      ${{ if variables['signingCondition'] }}:
-        dependsOn: [ 'nuget_signing' ]
+      dependsOn: [ 'windows', 'nuget_signing' ]
+      condition: succeeded('windows')
       jobs:
       - template: compliance/sbom/job.v1.yml@xamarin-templates
         parameters:
+          jobName: SBOM_PR
+          jobDisplayName: 'Software Bill of Materials (PR)'
           artifactNames: ['nuget']
-          ${{ if variables['signingCondition'] }}:
-            artifactMap: ['nuget/signed']
+          artifactMap: ['nuget/Release']
           packageName: 'Microsoft Maui Graphics'
           packageFilter: '*.nupkg'
+          condition: not(${{ variables['signingCondition'] }})                    # Executed when signing is not enabled such as for pull request builds (PRs)
+
+      - template: compliance/sbom/job.v1.yml@xamarin-templates
+        parameters:
+          jobName: SBOM_CI
+          jobDisplayName: 'Software Bill of Materials (CI)'
+          artifactNames: ['nuget']
+          artifactMap: ['nuget/signed']
+          packageName: 'Microsoft Maui Graphics'
+          packageFilter: '*.nupkg'
+          condition: and(succeeded(), ${{ variables['signingCondition'] }} )      # Executed when signing is enabled such as for continuous integration builds (CIs)