Merge remote-tracking branch 'libtemplate/microbuild' into libtemplateUpdate

2024-02-06 15:23:56 -07:00 · 2024-02-06 15:23:56 -07:00 · 42f47c94d5
--- a/.config/dotnet-tools.json
+++ b/.config/dotnet-tools.json
@ -3,13 +3,13 @@
  "isRoot": true,
  "tools": {
    "powershell": {
-      "version": "7.4.0",
+      "version": "7.4.1",
      "commands": [
        "pwsh"
      ]
    },
    "dotnet-coverage": {
-      "version": "17.9.5",
+      "version": "17.10.1",
      "commands": [
        "dotnet-coverage"
      ]
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -2,6 +2,7 @@
  "files.trimTrailingWhitespace": true,
  "files.insertFinalNewline": true,
  "files.trimFinalNewlines": true,
+  "azure-pipelines.1ESPipelineTemplatesSchemaFile": true,
  "omnisharp.enableEditorConfigSupport": true,
  "omnisharp.enableRoslynAnalyzers": true,
  "dotnet.completion.showCompletionItemsFromUnimportedNamespaces": true,
--- a/Directory.Packages.props
+++ b/Directory.Packages.props
@ -4,7 +4,7 @@
  <PropertyGroup>
    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
    <CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled>
-    <MicroBuildVersion>2.0.146</MicroBuildVersion>
+    <MicroBuildVersion>2.0.149</MicroBuildVersion>
  </PropertyGroup>
  <ItemGroup>
    <PackageVersion Include="Microsoft.NET.Test.Sdk" Version="17.8.0" />
@ -15,9 +15,9 @@
    <PackageVersion Include="Microsoft.ServiceHub.Framework.Testing" Version="4.4.22" />
    <PackageVersion Include="NSubstitute" Version="5.0.0" />
    <PackageVersion Include="System.ComponentModel.Composition" Version="7.0.0" />
-    <PackageVersion Include="xunit.runner.visualstudio" Version="2.5.5" />
+    <PackageVersion Include="xunit.runner.visualstudio" Version="2.5.6" />
    <PackageVersion Include="Xunit.SkippableFact" Version="1.4.13" />
-    <PackageVersion Include="xunit" Version="2.6.3" />
+    <PackageVersion Include="xunit" Version="2.6.6" />
  </ItemGroup>
  <ItemGroup>
    <GlobalPackageReference Include="CSharpIsNullAnalyzer" Version="0.1.495" />
@ -25,7 +25,7 @@
    <GlobalPackageReference Include="Microsoft.VisualStudio.Internal.MicroBuild.VisualStudio" Version="$(MicroBuildVersion)" />
    <GlobalPackageReference Include="Nerdbank.GitVersioning" Version="3.6.133" />
    <GlobalPackageReference Include="Nullable" Version="1.3.1" />
-    <GlobalPackageReference Include="StyleCop.Analyzers.Unstable" Version="1.2.0.507" />
+    <GlobalPackageReference Include="StyleCop.Analyzers.Unstable" Version="1.2.0.556" />
  </ItemGroup>
  <ItemGroup>
    <!-- <GlobalPackageReference Include="Microsoft.SourceLink.AzureRepos.Git" Version="8.0.0" /> -->
--- a/azure-pipelines/GlobalVariables.yml
+++ b/azure-pipelines/GlobalVariables.yml
@ -0,0 +1,4 @@
+variables:
+  # These variables are required for MicroBuild tasks
+  TeamName: VS IDE
+  TeamEmail: vsidemicrobuild@microsoft.com
--- a/azure-pipelines/archive-sourcecode.yml
+++ b/azure-pipelines/archive-sourcecode.yml
@ -11,6 +11,13 @@ schedules:
    include:
    - main

+resources:
+  repositories:
+  - repository: MicroBuildTemplate
+    type: git
+    name: 1ESPipelineTemplates/MicroBuildTemplate
+    ref: refs/tags/release
+
 parameters:
 - name: notes
  displayName: Notes to include in the SCA request
@ -24,35 +31,47 @@ parameters:
 variables:
 - group: VS Core team # Expected to provide ManagerAlias, SourceCodeArchivalUri

-pool:
-  name: AzurePipelines-EO
-  vmImage: AzurePipelinesUbuntu20.04compliant
+extends:
+  template: azure-pipelines/MicroBuild.1ES.Official.yml@MicroBuildTemplate
+  parameters:
+    sdl:
+      sourceAnalysisPool: VSEngSS-MicroBuild2022-1ES

-steps:
- checkout: self
-  clean: true
-  fetchDepth: 0
- powershell: tools/Install-DotNetSdk.ps1
-  displayName: ⚙ Install .NET SDK
- task: NuGetAuthenticate@1
-  displayName: 🔏 Authenticate NuGet feeds
-  inputs:
-    forceReinstallCredentialProvider: true
- script: dotnet tool restore
-  displayName: ⚙️ Restore CLI tools
- powershell: azure-pipelines/variables/_pipelines.ps1
-  failOnStderr: true
-  displayName: ⚙ Set pipeline variables based on source
- powershell: >
-    $TeamAlias = '$(TeamEmail)'.Substring(0, '$(TeamEmail)'.IndexOf('@'))
+    stages:
+    - stage: archive
+      jobs:
+      - job: archive
+        pool:
+          name: AzurePipelines-EO
+          demands:
+          - ImageOverride -equals AzurePipelinesUbuntu20.04compliantGPT
+          os: Linux

-    azure-pipelines/Archive-SourceCode.ps1
-    -ManagerAlias '$(ManagerAlias)'
-    -TeamAlias $TeamAlias
-    -BusinessGroupName '$(BusinessGroupName)'
-    -ProductName '$(SymbolsFeatureName)'
-    -ProductLanguage English
-    -Notes '${{ parameters.notes }}'
-    -Verbose
-    -WhatIf:$${{ parameters.whatif }}
-  displayName: 🗃️ Submit archival request
+        steps:
+        - checkout: self
+          clean: true
+          fetchDepth: 0
+        - powershell: tools/Install-DotNetSdk.ps1
+          displayName: ⚙ Install .NET SDK
+        - task: NuGetAuthenticate@1
+          displayName: 🔏 Authenticate NuGet feeds
+          inputs:
+            forceReinstallCredentialProvider: true
+        - script: dotnet tool restore
+          displayName: ⚙️ Restore CLI tools
+        - powershell: azure-pipelines/variables/_pipelines.ps1
+          failOnStderr: true
+          displayName: ⚙ Set pipeline variables based on source
+        - powershell: >
+            $TeamAlias = '$(TeamEmail)'.Substring(0, '$(TeamEmail)'.IndexOf('@'))
+
+            azure-pipelines/Archive-SourceCode.ps1
+            -ManagerAlias '$(ManagerAlias)'
+            -TeamAlias $TeamAlias
+            -BusinessGroupName '$(BusinessGroupName)'
+            -ProductName '$(SymbolsFeatureName)'
+            -ProductLanguage English
+            -Notes '${{ parameters.notes }}'
+            -Verbose
+            -WhatIf:$${{ parameters.whatif }}
+          displayName: 🗃️ Submit archival request
--- a/azure-pipelines/artifacts/_pipelines.ps1
+++ b/azure-pipelines/artifacts/_pipelines.ps1
@ -7,7 +7,8 @@
 [CmdletBinding()]
 param (
    [string]$ArtifactNameSuffix,
-    [switch]$StageOnly
+    [switch]$StageOnly,
+    [switch]$AvoidSymbolicLinks
 )

 Function Set-PipelineVariable($name, $value) {
@ -24,7 +25,7 @@ Function Test-ArtifactUploaded($artifactName) {
    Test-Path "env:$varName"
 }

-& "$PSScriptRoot/_stage_all.ps1" -ArtifactNameSuffix $ArtifactNameSuffix |% {
+& "$PSScriptRoot/_stage_all.ps1" -ArtifactNameSuffix $ArtifactNameSuffix -AvoidSymbolicLinks:$AvoidSymbolicLinks |% {
    # Set a variable which will out-live this script so that a subsequent attempt to collect and upload artifacts
    # will skip this one from a check in the _all.ps1 script.
    Set-PipelineVariable "ARTIFACTSTAGED_$($_.Name.ToUpper())" 'true'
--- a/azure-pipelines/artifacts/_stage_all.ps1
+++ b/azure-pipelines/artifacts/_stage_all.ps1
@ -7,7 +7,8 @@

 [CmdletBinding()]
 param (
-    [string]$ArtifactNameSuffix
+    [string]$ArtifactNameSuffix,
+    [switch]$AvoidSymbolicLinks
 )

 $ArtifactStagingFolder = & "$PSScriptRoot/../Get-ArtifactsStagingDirectory.ps1" -CleanIfLocal
@ -48,7 +49,12 @@ $Artifacts |% {

    if (-not (Test-Path $DestinationFolder)) { New-Item -ItemType Directory -Path $DestinationFolder | Out-Null }
    if (Test-Path -PathType Leaf $_.Source) { # skip folders
-        Create-SymbolicLink -Link (Join-Path $DestinationFolder $Name) -Target $_.Source
+        $TargetPath = Join-Path $DestinationFolder $Name
+        if ($AvoidSymbolicLinks) {
+            Copy-Item -Path $_.Source -Destination $TargetPath
+        } else {
+            Create-SymbolicLink -Link $TargetPath -Target $_.Source
+        }
    }
 }

--- a/azure-pipelines/build.yml
+++ b/azure-pipelines/build.yml
@ -1,8 +1,19 @@
 parameters:
+- name: RealSign
+  type: boolean
+  default: false
 - name: windowsPool
  type: object
  default:
    vmImage: windows-2022
+- name: linuxPool
+  type: object
+  default:
+    vmImage: ubuntu-20.04
+- name: macOSPool
+  type: object
+  default:
+    vmImage: macOS-12
 - name: RunTests
  type: boolean
  default: true
@ -12,6 +23,17 @@ parameters:
 - name: EnableAPIScan
  type: boolean
  default: false
+- name: artifact_names
+  type: object
+  default:
+  - build_logs
+  - coverageResults
+  - deployables
+  - projectAssetsJson
+  - symbols
+  - testResults
+  - test_symbols
+  - Variables

 jobs:
 - job: Windows
@ -21,6 +43,40 @@ jobs:
  - ${{ if eq(variables['system.collectionId'], '011b8bdf-6d56-4f87-be0d-0092136884d9') }}:
    # https://dev.azure.com/devdiv/DevDiv/_wiki/wikis/DevDiv.wiki/25351/APIScan-step-by-step-guide-to-setting-up-a-Pipeline
    - group: VSCloudServices-APIScan # Expected to provide ApiScanClientId, ApiScanSecret, ApiScanTenant
+  ${{ if eq(variables['system.collectionId'], '011b8bdf-6d56-4f87-be0d-0092136884d9') }}:
+    templateContext:
+      mb:
+        signing:
+          enabled: true
+          zipSources: false
+          ${{ if or(parameters.RealSign, eq(variables['Build.Reason'],'Schedule')) }}:
+            signType: real
+          ${{ else }}:
+            signType: test
+        sbom:
+          enabled: true
+        localization:
+          enabled: false
+          ${{ if eq(variables['Build.Reason'], 'pullRequest') }}:
+            languages: ENU,JPN
+      outputParentDirectory: $(Build.ArtifactStagingDirectory)
+      outputs:
+      - ${{ each artifact_name in parameters.artifact_names }}:
+        - ${{ if or(ne(artifact_name, 'testResults'), parameters.RunTests) }}:
+          - output: pipelineArtifact
+            displayName: 📢 Publish ${{ artifact_name }}-Windows
+            targetPath: $(Build.ArtifactStagingDirectory)/${{ artifact_name }}-Windows
+            artifactName: ${{ artifact_name }}-Windows
+      - output: pipelineArtifact
+        displayName: 📢 Publish VSInsertion-Windows
+        targetPath: $(Build.ArtifactStagingDirectory)/VSInsertion-Windows
+        artifactName: VSInsertion-Windows
+      # This is useful when false positives appear so we can copy some of the output into the suppressions file.
+      - output: pipelineArtifact
+        displayName: 📢 Publish Guardian failures
+        targetPath: $(Build.ArtifactStagingDirectory)/guardian_failures_as_suppressions
+        artifactName: guardian_failures_as_suppressions
+        condition: failed()
  steps:
  - checkout: self
    fetchDepth: 0 # avoid shallow clone so nbgv can do its work.
--- a/azure-pipelines/dotnet.yml
+++ b/azure-pipelines/dotnet.yml
@ -15,10 +15,17 @@ steps:
  displayName: ⚙ Update pipeline variables based on build outputs
  condition: succeededOrFailed()

- powershell: azure-pipelines/artifacts/_pipelines.ps1 -ArtifactNameSuffix "-$(Agent.JobName)" -Verbose
-  failOnStderr: true
-  displayName: 📢 Publish artifacts
-  condition: succeededOrFailed()
+- ${{ if eq(variables['system.collectionId'], '011b8bdf-6d56-4f87-be0d-0092136884d9') }}:
+  - powershell: azure-pipelines/artifacts/_pipelines.ps1 -StageOnly -AvoidSymbolicLinks -ArtifactNameSuffix "-$(Agent.JobName)" -Verbose
+    failOnStderr: true
+    displayName: 📢 Stage artifacts
+    condition: succeededOrFailed()
+
+- ${{ if ne(variables['system.collectionId'], '011b8bdf-6d56-4f87-be0d-0092136884d9') }}:
+  - powershell: azure-pipelines/artifacts/_pipelines.ps1 -ArtifactNameSuffix "-$(Agent.JobName)" -Verbose
+    failOnStderr: true
+    displayName: 📢 Publish artifacts
+    condition: succeededOrFailed()

 - ${{ if and(ne(variables['codecov_token'], ''), parameters.RunTests) }}:
  - powershell: |
--- a/azure-pipelines/microbuild.after.yml
+++ b/azure-pipelines/microbuild.after.yml
@ -10,10 +10,6 @@ steps:
      $(Build.SourcesDirectory)/bin/Packages/$(BuildConfiguration)/NuGet
  condition: and(succeeded(), eq(variables['Agent.OS'], 'Windows_NT'))

- task: MicroBuildCleanup@1
-  condition: succeededOrFailed()
-  displayName: ⚙️ MicroBuild Cleanup
-
 - task: Ref12Analyze@0
  displayName: 📑 Ref12 (Codex) Analyze
  inputs:
--- a/azure-pipelines/microbuild.before.yml
+++ b/azure-pipelines/microbuild.before.yml
@ -9,14 +9,3 @@ steps:
    outputformat: text
  condition: and(succeeded(), ne(variables['Build.Reason'], 'PullRequest'))
  retryCountOnTaskFailure: 3 # fails when the cloud service is overloaded
-
- task: MicroBuildSigningPlugin@4
-  inputs:
-    signType: $(SignType)
-    zipSources: false
-  displayName: 🔧 Install MicroBuild Signing Plugin
-  condition: and(succeeded(), or(eq(variables['Agent.OS'], 'Windows_NT'), eq(variables['SignType'], 'real')))
-
- task: MicroBuildSbomPlugin@1
-  displayName: 🔧 Install MicroBuild Sbom Plugin
-  condition: and(succeeded(), eq(variables['Agent.OS'], 'Windows_NT'))
--- a/azure-pipelines/official.yml
+++ b/azure-pipelines/official.yml
@ -20,11 +20,10 @@ schedules:
    - main

 parameters:
- name: SignTypeSelection
-  displayName: Sign type
-  type: string
-  default: Test
-  values: [ 'Test', 'Real' ]
+- name: RealSign
+  displayName: Real sign?
+  type: boolean
+  default: false
 - name: RunTests
  displayName: Run tests
  type: boolean
@ -38,23 +37,80 @@ parameters:
  type: boolean
  default: true

-stages:
+resources:
+  repositories:
+  - repository: MicroBuildTemplate
+    type: git
+    name: 1ESPipelineTemplates/MicroBuildTemplate
+    ref: refs/tags/release

- stage: Build
-  variables:
-    DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true
-    BuildConfiguration: Release
-    NUGET_PACKAGES: $(Agent.TempDirectory)/.nuget/packages
-    SignTypeSelection: ${{ parameters.SignTypeSelection }}
-    Packaging.EnableSBOMSigning: false
-    Codeql.Enabled: true
+variables:
+- template: GlobalVariables.yml

-  jobs:
-  - template: build.yml
+extends:
+  ${{ if parameters.EnableCompliance }}:
+    template: azure-pipelines/MicroBuild.1ES.Official.yml@MicroBuildTemplate
    parameters:
-      EnableCompliance: ${{ parameters.EnableCompliance }}
-      EnableAPIScan: ${{ parameters.EnableAPIScan }}
-      windowsPool: VSEngSS-MicroBuild2022-1ES
-      RunTests: ${{ parameters.RunTests }}
-
- template: prepare-insertion-stages.yml
+      sdl:
+        sourceAnalysisPool: VSEngSS-MicroBuild2022-1ES
+      stages:
+      - stage: Build
+        variables:
+          DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true
+          BuildConfiguration: Release
+          NUGET_PACKAGES: $(Agent.TempDirectory)/.nuget/packages/
+          Packaging.EnableSBOMSigning: false
+          Codeql.Enabled: true
+        jobs:
+        - template: /azure-pipelines/build.yml@self
+          parameters:
+            RealSign: ${{ parameters.RealSign }}
+            EnableCompliance: ${{ parameters.EnableCompliance }}
+            EnableAPIScan: ${{ parameters.EnableAPIScan }}
+            windowsPool: VSEngSS-MicroBuild2022-1ES
+            linuxPool:
+              name: AzurePipelines-EO
+              demands:
+              - ImageOverride -equals AzurePipelinesUbuntu20.04compliantGPT
+              os: Linux
+            macOSPool:
+              name: Azure Pipelines
+              vmImage: macOS-12
+              os: macOS
+            RunTests: ${{ parameters.RunTests }}
+      - template: /azure-pipelines/prepare-insertion-stages.yml@self
+        parameters:
+          RealSign: ${{ parameters.RealSign }}
+  ${{ else }}:
+    template: azure-pipelines/MicroBuild.1ES.Unofficial.yml@MicroBuildTemplate
+    parameters:
+      sdl:
+        sourceAnalysisPool: VSEngSS-MicroBuild2022-1ES
+      stages:
+      - stage: Build
+        variables:
+          DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true
+          BuildConfiguration: Release
+          NUGET_PACKAGES: $(Agent.TempDirectory)/.nuget/packages/
+          Packaging.EnableSBOMSigning: false
+          Codeql.Enabled: true
+        jobs:
+        - template: /azure-pipelines/build.yml@self
+          parameters:
+            RealSign: ${{ parameters.RealSign }}
+            EnableCompliance: ${{ parameters.EnableCompliance }}
+            EnableAPIScan: ${{ parameters.EnableAPIScan }}
+            windowsPool: VSEngSS-MicroBuild2022-1ES
+            linuxPool:
+              name: AzurePipelines-EO
+              demands:
+              - ImageOverride -equals AzurePipelinesUbuntu20.04compliantGPT
+              os: Linux
+            macOSPool:
+              name: Azure Pipelines
+              vmImage: macOS-12
+              os: macOS
+            RunTests: ${{ parameters.RunTests }}
+      - template: /azure-pipelines/prepare-insertion-stages.yml@self
+        parameters:
+          RealSign: ${{ parameters.RealSign }}
--- a/azure-pipelines/prepare-insertion-stages.yml
+++ b/azure-pipelines/prepare-insertion-stages.yml
@ -2,11 +2,14 @@ parameters:
 - name: ArchiveSymbols
  type: boolean
  default: true
+- name: RealSign
+  displayName: Real sign?
+  type: boolean

 stages:
 - stage: release
  displayName: Publish
-  condition: and(succeeded(), eq(dependencies.Build.outputs['Windows.SetPipelineVariables.SignType'], 'Real'))
+  condition: and(succeeded(), eq('${{ parameters.RealSign }}', 'true'))
  jobs:
  - ${{ if parameters.ArchiveSymbols }}:
    - job: symbol_archive
@ -29,8 +32,6 @@ stages:
          SymbolsProject: VS
          SymbolsAgentPath: $(Pipeline.Workspace)/symbols-legacy
          azureSubscription: Symbols Upload (DevDiv)
-      - task: MicroBuildCleanup@1
-        displayName: ☎️ Send Telemetry

  - job: push
    displayName: azure-public/vssdk feed
@ -38,21 +39,26 @@ stages:
      dependsOn: symbol_archive
    pool:
      name: AzurePipelines-EO
-      vmImage: AzurePipelinesUbuntu20.04compliant
+      demands:
+      - ImageOverride -equals AzurePipelinesUbuntu20.04compliantGPT
+      os: Linux
+    templateContext:
+      outputParentDirectory: $(Pipeline.Workspace)
+      outputs:
+      - output: nuget
+        displayName: 📦 Push nuget packages
+        packagesToPush: '(Pipeline.Workspace)/deployables-Windows/NuGet/*.nupkg'
+        packageParentPath: (Pipeline.Workspace)/deployables-Windows/NuGet
+        allowPackageConflicts: true
+        nuGetFeedType: external
+        publishFeedCredentials: azure-public/vssdk
    steps:
    - checkout: none
+    - download: current
+      artifact: Variables-Windows
+      displayName: 🔻 Download Variables-Windows artifact
+    - powershell: $(Pipeline.Workspace)/Variables-Windows/_pipelines.ps1
+      displayName: ⚙️ Set pipeline variables based on artifacts
    - download: current
      artifact: deployables-Windows
      displayName: 🔻 Download deployables-Windows artifact
-    - task: UseDotNet@2
-      displayName: ⚙️ Install .NET SDK
-      inputs:
-        packageType: sdk
-        version: 6.x
-    - task: NuGetAuthenticate@1
-      displayName: 🔏 Authenticate NuGet feeds
-      inputs:
-        nuGetServiceConnections: azure-public/vssdk
-        forceReinstallCredentialProvider: true
-    - script: dotnet nuget push $(Pipeline.Workspace)/deployables-Windows/NuGet/*.nupkg -s https://pkgs.dev.azure.com/azure-public/vside/_packaging/vssdk/nuget/v3/index.json --api-key azdo --skip-duplicate
-      displayName: 📦 Push nuget packages
--- a/azure-pipelines/release.yml
+++ b/azure-pipelines/release.yml
@ -2,6 +2,11 @@ trigger: none # We only want to trigger manually or based on resources
 pr: none

 resources:
+  repositories:
+  - repository: MicroBuildTemplate
+    type: git
+    name: 1ESPipelineTemplates/MicroBuildTemplate
+    ref: refs/tags/release
  pipelines:
  - pipeline: CI
    source: VSSDKTestFx
@ -9,53 +14,62 @@ resources:
      tags:
      - auto-release

-variables:
- group: VS SDK feeds # Expected to provide NuGetOrgApiKey
+extends:
+  template: azure-pipelines/MicroBuild.1ES.Official.yml@MicroBuildTemplate
+  parameters:
+    sdl:
+      sourceAnalysisPool: VSEngSS-MicroBuild2022-1ES

-jobs:
- job: release
-  pool:
-    name: AzurePipelines-EO
-    vmImage: AzurePipelinesUbuntu20.04compliant
-  steps:
-  - checkout: none
-  - powershell: |
-      Write-Host "##vso[build.updatebuildnumber]$(resources.pipeline.CI.runName)"
-      if ('$(resources.pipeline.CI.runName)'.Contains('-')) {
-        Write-Host "##vso[task.setvariable variable=IsPrerelease]true"
-      } else {
-        Write-Host "##vso[task.setvariable variable=IsPrerelease]false"
-      }
-    displayName: ⚙ Set up pipeline
-  - task: UseDotNet@2
-    displayName: ⚙ Install .NET SDK
-    inputs:
-      packageType: sdk
-      version: 6.x
-  - download: CI
-    artifact: deployables-Windows
-    displayName: 🔻 Download deployables-Windows artifact
-    patterns: 'deployables-Windows/NuGet/*'
-  - task: GitHubRelease@1
-    displayName: 📢 GitHub release (create)
-    inputs:
-      gitHubConnection: AArnott
-      repositoryName: $(Build.Repository.Name)
-      target: $(resources.pipeline.CI.sourceCommit)
-      tagSource: userSpecifiedTag
-      tag: v$(resources.pipeline.CI.runName)
-      title: v$(resources.pipeline.CI.runName)
-      isDraft: true # After running this step, visit the new draft release, edit, and publish.
-      isPreRelease: $(IsPrerelease)
-      assets: $(Pipeline.Workspace)/CI/deployables-Windows/NuGet/*.nupkg
-      changeLogCompareToRelease: lastNonDraftRelease
-      changeLogType: issueBased
-      changeLogLabels: |
-        [
-          { "label" : "breaking change", "displayName" : "Breaking changes", "state" : "closed" },
-          { "label" : "bug", "displayName" : "Fixes", "state" : "closed" },
-          { "label" : "enhancement", "displayName": "Enhancements", "state" : "closed" }
-        ]
-  - script: dotnet nuget push $(Pipeline.Workspace)/CI/deployables-Windows/NuGet/*.nupkg -s https://api.nuget.org/v3/index.json --api-key $(NuGetOrgApiKey) --skip-duplicate
-    displayName: 📦 Push packages to nuget.org
-    condition: and(succeeded(), ne(variables['NuGetOrgApiKey'], ''))
+    stages:
+    - stage: release
+      jobs:
+      - job: release
+        pool:
+          name: AzurePipelines-EO
+          demands:
+          - ImageOverride -equals AzurePipelinesUbuntu20.04compliantGPT
+          os: Linux
+        templateContext:
+          outputParentDirectory: $(Pipeline.Workspace)
+          outputs:
+          - output: nuget
+            displayName: 📦 Push packages to nuget.org
+            packagesToPush: '$(Pipeline.Workspace)/CI/deployables-Windows/NuGet/*.nupkg'
+            packageParentPath: $(Pipeline.Workspace)/CI/deployables-Windows/NuGet
+            allowPackageConflicts: true
+            nuGetFeedType: external
+            publishFeedCredentials: VisualStudioExtensibility (nuget.org)
+        steps:
+        - checkout: none
+        - powershell: |
+            Write-Host "##vso[build.updatebuildnumber]$(resources.pipeline.CI.runName)"
+            if ('$(resources.pipeline.CI.runName)'.Contains('-')) {
+              Write-Host "##vso[task.setvariable variable=IsPrerelease]true"
+            } else {
+              Write-Host "##vso[task.setvariable variable=IsPrerelease]false"
+            }
+          displayName: ⚙ Set up pipeline
+        - download: CI
+          artifact: deployables-Windows
+          displayName: 🔻 Download deployables-Windows artifact
+          patterns: 'deployables-Windows/NuGet/*'
+        - task: GitHubRelease@1
+          displayName: 📢 GitHub release (create)
+          inputs:
+            gitHubConnection: AArnott
+            repositoryName: $(Build.Repository.Name)
+            target: $(resources.pipeline.CI.sourceCommit)
+            tagSource: userSpecifiedTag
+            tag: v$(resources.pipeline.CI.runName)
+            title: v$(resources.pipeline.CI.runName)
+            isDraft: true # After running this step, visit the new draft release, edit, and publish.
+            isPreRelease: $(IsPrerelease)
+            assets: $(Pipeline.Workspace)/CI/deployables-Windows/NuGet/*.nupkg
+            changeLogCompareToRelease: lastNonDraftRelease
+            changeLogType: issueBased
+            changeLogLabels: |
+              [
+                { "label" : "breaking change", "displayName" : "Breaking changes", "state" : "closed" },
+                { "label" : "bug", "displayName" : "Fixes", "state" : "closed" },
+                { "label" : "enhancement", "displayName": "Enhancements", "state" : "closed" }
+              ]
--- a/azure-pipelines/secure-development-tools.yml
+++ b/azure-pipelines/secure-development-tools.yml
@ -6,18 +6,8 @@ steps:
 - powershell: echo "##vso[build.addbuildtag]compliance"
  displayName: 🏷️ Tag run with 'compliance'

- task: CredScan@3
-  displayName: 🔍 Run CredScan
-
- task: PoliCheck@2
-  displayName: 🔍 Run PoliCheck
-  inputs:
-    targetType: F
-    targetArgument: $(System.DefaultWorkingDirectory)
-    optionsUEPATH: $(System.DefaultWorkingDirectory)\azure-pipelines\PoliCheckExclusions.xml
-
 - task: CopyFiles@2
-  displayName: 📂 Collect APIScan/BinSkim inputs
+  displayName: 📂 Collect APIScan inputs
  inputs:
    SourceFolder: $(Build.ArtifactStagingDirectory)/Symbols-$(Agent.JobName)
    # Exclude any patterns from the Contents (e.g. `!**/git2*`) that we have symbols for but do not need to run APIScan on.
@ -29,14 +19,6 @@ steps:
      !**/osx*/**
    TargetFolder: $(Build.ArtifactStagingDirectory)/APIScanInputs

- task: BinSkim@4
-  displayName: 🔍 Run BinSkim
-  inputs:
-    InputType: Basic
-    Function: analyze
-    TargetPattern: guardianGlob
-    AnalyzeTargetGlob: $(Build.ArtifactStagingDirectory)/APIScanInputs/**/*.dll;$(Build.ArtifactStagingDirectory)/APIScanInputs/**/*.exe
-
 - task: APIScan@2
  displayName: 🔍 Run APIScan
  inputs:
@ -72,9 +54,3 @@ steps:
    GdnBreakSuppressionSets: falsepositives
    GdnBreakOutputSuppressionFile: $(Build.ArtifactStagingDirectory)/guardian_failures_as_suppressions/
    GdnBreakOutputSuppressionSet: falsepositives
-
-# This is useful when false positives appear so we can copy some of the output into the suppressions file.
- publish: $(Build.ArtifactStagingDirectory)/guardian_failures_as_suppressions
-  artifact: guardian_failures_as_suppressions
-  displayName: 🔍 Publish Guardian failures
-  condition: failed()
--- a/azure-pipelines/variables/SignType.ps1
+++ b/azure-pipelines/variables/SignType.ps1
@ -1,11 +0,0 @@
-if ($env:SYSTEM_COLLECTIONID -eq '011b8bdf-6d56-4f87-be0d-0092136884d9') {
-    if ($env:BUILD_REASON -eq 'Schedule') {
-      'real'
-    } else {
-      if ($env:SIGNTYPESELECTION) {
-        $env:SIGNTYPESELECTION
-      } else {
-        'test'
-      }
-    }
-  }
--- a/azure-pipelines/variables/TeamEmail.ps1
+++ b/azure-pipelines/variables/TeamEmail.ps1
@ -1 +0,0 @@
-'vsidemicrobuild@microsoft.com'
--- a/azure-pipelines/variables/TeamName.ps1
+++ b/azure-pipelines/variables/TeamName.ps1
@ -1,2 +0,0 @@
-# This value is used as an input to the MicroBuild Insert VS task.
-'VS IDE'
--- a/azure-pipelines/vs-insertion.yml
+++ b/azure-pipelines/vs-insertion.yml
@ -2,6 +2,11 @@ trigger: none # We only want to trigger manually or based on resources
 pr: none

 resources:
+  repositories:
+  - repository: MicroBuildTemplate
+    type: git
+    name: 1ESPipelineTemplates/MicroBuildTemplate
+    ref: refs/tags/release
  pipelines:
  - pipeline: CI
    source: VSSDKTestFx
@ -12,46 +17,49 @@ resources:
      - Real signed
      - auto-insertion

-jobs:
- job: insertion
-  displayName: VS insertion
-  pool: VSEngSS-MicroBuild2022-1ES
-  steps:
-  - checkout: none
-  - powershell: Write-Host "##vso[build.updatebuildnumber]$(resources.pipeline.CI.runName)"
-    displayName: ⚙️ Set pipeline name
-  - task: UseDotNet@2
-    displayName: ⚙️ Install .NET SDK
-    inputs:
-      packageType: sdk
-      version: 6.x
-  - task: NuGetAuthenticate@1
-    displayName: 🔏 Authenticate NuGet feeds
-    inputs:
-      forceReinstallCredentialProvider: true
-  - template: release-deployment-prep.yml
-  - download: CI
-    artifact: VSInsertion-Windows
-    displayName: 🔻 Download VSInsertion-Windows artifact
-  - script: dotnet nuget push $(Pipeline.Workspace)\CI\VSInsertion-windows\*.nupkg -s https://pkgs.dev.azure.com/devdiv/_packaging/VS/nuget/v3/index.json -k azdo --skip-duplicate
-    displayName: 📦 Push CoreXT packages to VS feed
-  - task: MicroBuildInsertVsPayload@4
-    displayName: 🏭 Insert VS Payload
-    inputs:
-      TeamName: $(TeamName)
-      TeamEmail: $(TeamEmail)
-      InsertionPayloadName: $(Build.Repository.Name) $(Build.BuildNumber)
-      InsertionBuildPolicy: Request Perf DDRITs
-      AutoCompletePR: true
-      AutoCompleteMergeStrategy: Squash
-  - task: MicroBuildCleanup@1
-    displayName: ☎️ Send Telemetry
-  - powershell: |
-      $contentType = 'application/json';
-      $headers = @{ Authorization = 'Bearer $(System.AccessToken)' };
-      $rawRequest = @{ daysValid = 365 * 2; definitionId = $(resources.pipeline.CI.pipelineID); ownerId = 'User:$(Build.RequestedForId)'; protectPipeline = $false; runId = $(resources.pipeline.CI.runId) };
-      $request = ConvertTo-Json @($rawRequest);
-      Write-Host $request
-      $uri = "$(System.CollectionUri)$(System.TeamProject)/_apis/build/retention/leases?api-version=6.0-preview.1";
-      Invoke-RestMethod -uri $uri -method POST -Headers $headers -ContentType $contentType -Body $request;
-    displayName: 🗻 Retain inserted builds
+variables:
+- template: GlobalVariables.yml
+
+extends:
+  template: azure-pipelines/MicroBuild.1ES.Official.yml@MicroBuildTemplate
+  parameters:
+    sdl:
+      sourceAnalysisPool: VSEngSS-MicroBuild2022-1ES
+
+    stages:
+    - stage: insertion
+      jobs:
+      - job: insertion
+        displayName: VS insertion
+        pool: VSEngSS-MicroBuild2022-1ES
+        steps:
+        - checkout: none
+        - powershell: Write-Host "##vso[build.updatebuildnumber]$(resources.pipeline.CI.runName)"
+          displayName: ⚙️ Set pipeline name
+        - template: azure-pipelines/release-deployment-prep.yml@self
+        - download: CI
+          artifact: VSInsertion-Windows
+          displayName: 🔻 Download VSInsertion-Windows artifact
+        - task: 1ES.PublishNuget@1
+          displayName: 📦 Push CoreXT packages to VS feed
+          inputs:
+            packagesToPush: '$(Pipeline.Workspace)/CI/VSInsertion-Windows/*.nupkg'
+            packageParentPath: $(Pipeline.Workspace)/CI/VSInsertion-Windows
+            allowPackageConflicts: true
+            publishVstsFeed: VS
+        - task: MicroBuildInsertVsPayload@4
+          displayName: 🏭 Insert VS Payload
+          inputs:
+            InsertionPayloadName: $(Build.Repository.Name) $(Build.BuildNumber)
+            InsertionBuildPolicy: Request Perf DDRITs
+            AutoCompletePR: true
+            AutoCompleteMergeStrategy: Squash
+        - powershell: |
+            $contentType = 'application/json';
+            $headers = @{ Authorization = 'Bearer $(System.AccessToken)' };
+            $rawRequest = @{ daysValid = 365 * 2; definitionId = $(resources.pipeline.CI.pipelineID); ownerId = 'User:$(Build.RequestedForId)'; protectPipeline = $false; runId = $(resources.pipeline.CI.runId) };
+            $request = ConvertTo-Json @($rawRequest);
+            Write-Host $request
+            $uri = "$(System.CollectionUri)$(System.TeamProject)/_apis/build/retention/leases?api-version=6.0-preview.1";
+            Invoke-RestMethod -uri $uri -method POST -Headers $headers -ContentType $contentType -Body $request;
+          displayName: 🗻 Retain inserted builds
--- a/azure-pipelines/vs-validation.yml
+++ b/azure-pipelines/vs-validation.yml
@ -5,77 +5,85 @@
 trigger: none # We only want to trigger manually or based on resources
 pr: none

-stages:
- stage: Build
-  variables:
-    DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true
-    NUGET_PACKAGES: $(Agent.TempDirectory)/.nuget/packages
-    SignTypeSelection: Real
-    BuildConfiguration: Release
-    ValidationBuild: true
+resources:
+  repositories:
+  - repository: MicroBuildTemplate
+    type: git
+    name: 1ESPipelineTemplates/MicroBuildTemplate
+    ref: refs/tags/release

-  jobs:
-  - template: build.yml
-    parameters:
-      windowsPool: VSEngSS-MicroBuild2022-1ES
-      includeMacOS: false
-      RunTests: false
+variables:
+- template: GlobalVariables.yml

- template: prepare-insertion-stages.yml
+extends:
+  template: azure-pipelines/MicroBuild.1ES.Unofficial.yml@MicroBuildTemplate
  parameters:
-    ArchiveSymbols: false
+    sdl:
+      sourceAnalysisPool: VSEngSS-MicroBuild2022-1ES

- stage: insertion
-  displayName: VS insertion
-  jobs:
-  - job: insertion
-    displayName: VS insertion
-    pool: VSEngSS-MicroBuild2022-1ES
-    steps:
-    - checkout: self
-      clean: true
-      fetchDepth: 1
-    - task: UseDotNet@2
-      displayName: ⚙️ Install .NET SDK
-      inputs:
-        packageType: sdk
-        version: 6.x
-    - task: NuGetAuthenticate@1
-      displayName: 🔏 Authenticate NuGet feeds
-      inputs:
-        forceReinstallCredentialProvider: true
-    - download: current
-      artifact: Variables-Windows
-      displayName: 🔻 Download Variables-Windows artifact
-    - powershell: $(Pipeline.Workspace)/Variables-Windows/_pipelines.ps1
-      displayName: ⚙️ Set pipeline variables based on artifacts
-    - download: current
-      artifact: VSInsertion-Windows
-      displayName: 🔻 Download VSInsertion-Windows artifact
-    - script: dotnet nuget push VSInsertion-windows\*.nupkg -s https://pkgs.dev.azure.com/devdiv/_packaging/VS/nuget/v3/index.json -k azdo --skip-duplicate
-      displayName: 📦 Push CoreXT packages to VS feed
-      workingDirectory: $(Pipeline.Workspace)
-    - task: MicroBuildInsertVsPayload@4
-      displayName: 🏭 Insert VS Payload
-      inputs:
-        TeamName: $(TeamName)
-        TeamEmail: $(TeamEmail)
-        InsertionPayloadName: $(Build.Repository.Name) VALIDATION BUILD $(Build.BuildNumber) ($(Build.SourceBranch)) [Skip-SymbolCheck]
-        InsertionDescription: |
-          This PR is for **validation purposes only** for !$(System.PullRequest.PullRequestId). **Do not complete**.
-        CustomScriptExecutionCommand: src/VSSDK/NuGet/AllowUnstablePackages.ps1
-        InsertionBuildPolicy: Request Perf DDRITs
-        InsertionReviewers: $(Build.RequestedForEmail)
-        AutoCompletePR: false
-    - powershell: |
-        $insertionPRId = azure-pipelines/Get-InsertionPRId.ps1
-        $Markdown = @"
-        Validation insertion pull request created: !$insertionPRId
-        Please check status there before proceeding to merge this PR.
-        Remember to Abandon and (if allowed) to Delete Source Branch on that insertion PR when validation is complete.
-        "@
-        azure-pipelines/PostPRMessage.ps1 -AccessToken '$(System.AccessToken)' -Markdown $Markdown -Verbose
-      displayName: ✏️ Comment on pull request
-      condition: and(succeeded(), eq(variables['Build.Reason'], 'PullRequest'))
-    - task: MicroBuildCleanup@1
-      displayName: ☎️ Send Telemetry
+    stages:
+    - stage: Build
+      variables:
+        DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true
+        NUGET_PACKAGES: $(Agent.TempDirectory)/.nuget/packages/
+        BuildConfiguration: Release
+        ValidationBuild: true
+
+      jobs:
+      - template: /azure-pipelines/build.yml@self
+        parameters:
+          RealSign: true
+          windowsPool: VSEngSS-MicroBuild2022-1ES
+          includeMacOS: false
+          RunTests: false
+
+    - template: /azure-pipelines/prepare-insertion-stages.yml@self
+      parameters:
+        ArchiveSymbols: false
+        RealSign: ${{ parameters.RealSign }}
+
+    - stage: insertion
+      displayName: VS insertion
+      jobs:
+      - job: insertion
+        displayName: VS insertion
+        pool: VSEngSS-MicroBuild2022-1ES
+        steps:
+        - checkout: self
+          clean: true
+          fetchDepth: 1
+        - download: current
+          artifact: Variables-Windows
+          displayName: 🔻 Download Variables-Windows artifact
+        - powershell: $(Pipeline.Workspace)/Variables-Windows/_pipelines.ps1
+          displayName: ⚙️ Set pipeline variables based on artifacts
+        - download: current
+          artifact: VSInsertion-Windows
+          displayName: 🔻 Download VSInsertion-Windows artifact
+        - task: 1ES.PublishNuget@1
+          displayName: 📦 Push CoreXT packages to VS feed
+          inputs:
+            packagesToPush: '$(Pipeline.Workspace)/VSInsertion-Windows/*.nupkg'
+            packageParentPath: $(Pipeline.Workspace)/VSInsertion-Windows
+            allowPackageConflicts: true
+            publishVstsFeed: VS
+        - task: MicroBuildInsertVsPayload@4
+          displayName: 🏭 Insert VS Payload
+          inputs:
+            InsertionPayloadName: $(Build.Repository.Name) VALIDATION BUILD $(Build.BuildNumber) ($(Build.SourceBranch)) [Skip-SymbolCheck]
+            InsertionDescription: |
+              This PR is for **validation purposes only** for !$(System.PullRequest.PullRequestId). **Do not complete**.
+            CustomScriptExecutionCommand: src/VSSDK/NuGet/AllowUnstablePackages.ps1
+            InsertionBuildPolicy: Request Perf DDRITs
+            InsertionReviewers: $(Build.RequestedForEmail)
+            AutoCompletePR: false
+        - powershell: |
+            $insertionPRId = azure-pipelines/Get-InsertionPRId.ps1
+            $Markdown = @"
+            Validation insertion pull request created: !$insertionPRId
+            Please check status there before proceeding to merge this PR.
+            Remember to Abandon and (if allowed) to Delete Source Branch on that insertion PR when validation is complete.
+            "@
+            azure-pipelines/PostPRMessage.ps1 -AccessToken '$(System.AccessToken)' -Markdown $Markdown -Verbose
+          displayName: ✏️ Comment on pull request
+          condition: and(succeeded(), eq(variables['Build.Reason'], 'PullRequest'))
--- a/init.ps1
+++ b/init.ps1
@ -99,8 +99,7 @@ try {
    $HeaderColor = 'Green'

    $RestoreArguments = @()
-    if ($Interactive)
-    {
+    if ($Interactive) {
        $RestoreArguments += '--interactive'
    }

@ -113,10 +112,10 @@ try {
    }

    if (!$NoToolRestore -and $PSCmdlet.ShouldProcess("dotnet tool", "restore")) {
-      dotnet tool restore @RestoreArguments
-      if ($lastexitcode -ne 0) {
-          throw "Failure while restoring dotnet CLI tools."
-      }
+        dotnet tool restore @RestoreArguments
+        if ($lastexitcode -ne 0) {
+            throw "Failure while restoring dotnet CLI tools."
+        }
    }

    $InstallNuGetPkgScriptPath = "$PSScriptRoot\azure-pipelines\Install-NuGetPackage.ps1"