Add OneBranch pipeline templates for CI and Release #925
- azure-pipelines.yml: extends v2/OneBranch.NonOfficial.CrossPlat.yml
- pipeline-publish.yml: extends v2/OneBranch.Official.CrossPlat.yml
- template-pipeline-stages.yml: remove PreBuildCheck stage (SDL now via globalSdl), convert pools to OneBranch syntax (type: linux, isCustom, ob_outputDirectory)
OneBranch provides: TSA, CredScan, PoliCheck, CodeQL (Python), and compliance tracking. Release pipeline adds ManualValidation@1 approval gate before ESRP publish. Also includes ESRP client ID fix (38d4 -> 384d).
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Rename PublishPipelineArtifact artifacts to drop_<stage>_<job> convention
- Add default values for packageVersion and publishTarget parameters
- Fixes pipeline queue validation errors
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
OneBranch custom Linux pools don't support deployment strategy (runOnce). Convert to a regular job with explicit artifact download.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Required by OneBranch SDL pipeline to upload security scan results to TSA.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
1ES PT requires 1ES Hosted Pools for Official templates. Remove isCustom/vmImage and let OneBranch manage pool selection with just 'type: linux'.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
OneBranch auto-publishes artifacts from ob_outputDirectory at job end. Explicit PublishPipelineArtifact tasks are not allowed.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Without isCustom, OneBranch tries to run in a container using LinuxContainerImage variable which isn't configured. isCustom: true tells OneBranch to use MS-hosted agents directly.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
This PR migrates the repository’s Azure DevOps CI and release pipelines to OneBranch governed templates to meet compliance requirements (SDL/TSA/CodeQL), while preserving the existing test/build/publish flow.
Changes:
- Wraps CI and release pipelines using OneBranch v2 governed templates and configures globalSdl (CredScan, PoliCheck, CodeQL + TSA upload).
- Refactors shared stages template to remove the bespoke SDL stage and updates pools/jobs to OneBranch-compatible syntax (including ob_outputDirectory).
- Adds .config/tsaoptions.json required for OneBranch TSA integration.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| azure-pipelines.yml | Switches PR/CI to OneBranch NonOfficial template and updates Benchmark stage to OneBranch pool/output patterns. |
| .Pipelines/template-pipeline-stages.yml | Removes explicit SDL stage (now handled by OneBranch), updates pool syntax, and adds ob_outputDirectory per job. |
| .Pipelines/pipeline-publish.yml | Switches release pipeline to OneBranch Official template, adds an explicit approval stage for prod, and adapts build/publish to OneBranch artifact/output conventions. |
| .config/tsaoptions.json | Introduces OneBranch TSA options configuration for security results upload. |
- Resolve merge conflict (keep OneBranch rewrite, ESRP fix unchanged)
- Remove packageVersion default to force explicit input on each release
- Pin vmImage to ubuntu-22.04 for reproducibility
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Addressed all review comments in latest push:
Also resolved merge conflict with dev (ESRP fix already present in our branch) and disabled reportBuildStatus on the old/redundant pipelines (2708, 769, 3067) so only the PR pipeline reports status.
```yaml
enabled: false
interpretedLanguages: python
tsaEnabled: true
featureFlags:
```
There was an SFI item we had to handle earlier this year that requests 1ES approved build agents through the WindowsHostVersion: '1ESWindows2022' feature flag:
- https://identitydivision.visualstudio.com/IDDP/_git/MSAL.NET-OneBranch?path=/.pipelines/OneBranch.Official.yml&version=GBmain&line=70&lineEnd=71&lineStartColumn=1&lineEndColumn=1&lineStyle=plain&_a=contents
- https://identitydivision.visualstudio.com/IDDP/_git/MSAL.NET-OneBranch/pullrequest/22988
Without it we might get a new SFI item, though I'm not sure because it might've been because MSAL .NET was explicitly using custom build agents in some stages.
What is the recommended version for Linux?
I looked into the docs and I don't think this is a hard requirement. It also locks you into a specific image version. I'd like to merge as-is and see if it produces a warning like the Windows version did. It may only be required for Windows agents since that's where the SFI item originated.
Summary
Wraps existing CI and release pipelines with OneBranch pipeline templates for compliance (SDL, TSA, CodeQL).
Changes
- v2/OneBranch.NonOfficial.CrossPlat.yml template. Added globalSdl config for CredScan, PoliCheck, CodeQL (Python). Converted Benchmark stage to OneBranch pool syntax.
- v2/OneBranch.Official.CrossPlat.yml template. Added ManualValidation approval gate. Includes ESRP client ID fix. Converted deployment job to regular job (OneBranch compatibility).
- globalSdl). Converted pools to OneBranch syntax (type: linux, isCustom: true, ubuntu-22.04). Added ob_outputDirectory variable to all jobs.
ADO Pipeline Changes
- reportBuildStatus on redundant pipelines (2708, 769, 3067) so only MSAL.Python-PR-OneBranch-Official (3064) reports PR status.
- MSAL-Python-SDL-CI (769) - classic pipeline running CredScan, PoliCheck, Component Detection, and SBOM. All of these are now handled by OneBranch globalSdl and auto-injected tasks.
Validation
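The pool, output-directory and globalSdl conventions the PR describes, pulled together in one CI pipeline as an added illustration; this is not the repository's own azure-pipelines.yml. The key names (type: linux, isCustom, ob_outputDirectory, tsa, interpretedLanguages, tsaEnabled, the .config/tsaoptions.json path) come from the PR text and the quoted review snippet; the repository alias `templates`, the job name `build_python`, the `out` directory, the Python version and the nesting of `interpretedLanguages`/`tsaEnabled` under `codeql` are assumptions.

```yaml
# Added example of the OneBranch conventions adopted in this PR; not the repo's file.
# Assumed: repository alias "templates", job name "build_python", output dir "out",
# Python 3.12, and the nesting of interpretedLanguages/tsaEnabled under codeql.
trigger:
  branches:
    include: [dev]

resources:
  repositories:
    - repository: templates                      # alias is an assumption
      type: git
      name: OneBranch.Pipelines/GovernedTemplates
      ref: refs/heads/main

extends:
  # NonOfficial for PR/CI; the release pipeline extends
  # v2/OneBranch.Official.CrossPlat.yml instead.
  template: v2/OneBranch.NonOfficial.CrossPlat.yml@templates
  parameters:
    # Replaces the bespoke PreBuildCheck/SDL stage: the governed template injects
    # CredScan, PoliCheck and CodeQL and uploads results to TSA using tsaoptions.json.
    globalSdl:
      tsa:
        enabled: true
        configFile: $(Build.SourcesDirectory)/.config/tsaoptions.json
      codeql:
        compiled:
          enabled: false                         # pure-Python repo, no compiled-language scan
        interpretedLanguages: python
        tsaEnabled: true

    stages:
      - stage: build
        jobs:
          - job: build_python
            pool:
              type: linux                        # OneBranch pool type, not a bare vmImage
              isCustom: true                     # MS-hosted agent instead of a LinuxContainerImage container
              name: Azure Pipelines
              vmImage: ubuntu-22.04              # pinned, as in the PR, for reproducibility
            variables:
              # Only files copied here are published, automatically, at job end;
              # the template rejects explicit PublishPipelineArtifact tasks.
              ob_outputDirectory: $(Build.SourcesDirectory)/out
            steps:
              - task: UsePythonVersion@0
                inputs:
                  versionSpec: '3.12'
              - script: |
                  python -m pip install --upgrade pip build
                  python -m build --outdir "$(ob_outputDirectory)/dist"
                displayName: Build wheel and sdist into ob_outputDirectory
```

Two properties worth checking after a migration like this: the SDL tools now run from the governed template rather than from a stage in the repository, so a change to the repo's own YAML can no longer drop CredScan, PoliCheck or CodeQL, and their findings land in TSA; and because publishing is driven by ob_outputDirectory, the published artifact contains exactly what the build step copied there, which is a simpler thing to audit than a set of hand-written PublishPipelineArtifact tasks.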