Build + Release pipelines v1 (test)

andystaples · andystaples · commit 3c718ae6b40e · 2026-05-20T16:44:08.000-06:00
diff --git a/eng/ci/official-build.yml b/eng/ci/official-build.yml
@@ -0,0 +1,55 @@
+variables:
+  - template: ci/variables/cfs.yml@eng
+
+trigger:
+  batch: true
+  branches:
+    include:
+      - main
+
+# CI only, does not trigger on PRs.
+pr: none
+
+schedules:
+  # Build nightly to catch any new CVEs and report SDL often.
+  # We are also required to generate CodeQL reports weekly, so this
+  # helps us meet that.
+  - cron: "0 5 * * *"
+    displayName: Nightly Build
+    branches:
+      include:
+        - main
+    always: true
+
+resources:
+  repositories:
+    - repository: 1es
+      type: git
+      name: 1ESPipelineTemplates/1ESPipelineTemplates
+      ref: refs/tags/release
+    - repository: eng
+      type: git
+      name: engineering
+      ref: refs/tags/release
+
+extends:
+  template: v1/1ES.Official.PipelineTemplate.yml@1es
+  parameters:
+    pool:
+      name: 1es-pool-azfunc
+      image: 1es-ubuntu-22.04
+      os: linux
+      ${{ if eq( variables['Build.Reason'], 'Schedule' ) }}:
+        demands:
+          - Priority -equals Low
+    sdl:
+      sourceAnalysisPool:
+        name: 1es-pool-azfunc
+        image: 1es-windows-2022
+        os: windows
+
+    stages:
+      - stage: BuildAndSign
+        dependsOn: []
+        jobs:
+          - template: /eng/templates/build.yml@self
diff --git a/eng/ci/release.yml b/eng/ci/release.yml
@@ -0,0 +1,94 @@
+pr: none
+trigger: none
+
+resources:
+  repositories:
+    - repository: 1ESPipelineTemplates
+      type: git
+      name: 1ESPipelineTemplates/1ESPipelineTemplates
+      ref: refs/tags/release
+  pipelines:
+    - pipeline: DurableTaskPythonBuildPipeline
+      source: durabletask-python.official
+      branch: main
+
+extends:
+  template: v1/1ES.Official.PipelineTemplate.yml@1ESPipelineTemplates
+  parameters:
+    pool:
+      name: 1es-pool-azfunc
+      image: 1es-ubuntu-22.04
+      os: linux
+
+    stages:
+      - stage: release
+        jobs:
+          - job: durabletask
+            displayName: "Release durabletask"
+            templateContext:
+              type: releaseJob
+              isProduction: true
+              inputs:
+                - input: pipelineArtifact
+                  pipeline: DurableTaskPythonBuildPipeline
+                  artifactName: drop
+                  targetPath: $(System.DefaultWorkingDirectory)/drop
+
+            steps:
+              - task: SFP.release-tasks.custom-build-release-task.EsrpRelease@9
+                displayName: "ESRP Release durabletask"
+                inputs:
+                  connectedservicename: "dtfx-internal-esrp-prod"
+                  usemanagedidentity: true
+                  keyvaultname: "durable-esrp-akv"
+                  signcertname: "dts-esrp-cert"
+                  clientid: "0b3ed1a4-0727-4a50-b82a-02c2bd9dec89"
+                  intent: "PackageDistribution"
+                  # DRY-RUN: set to "NPM" while bringing up the pipeline so ESRP
+                  # signs and processes the artifact but does NOT push to PyPI
+                  # (mismatched destination router). Switch back to "PyPi" for
+                  # real releases. See https://aka.ms/python/publish.
+                  contenttype: "NPM"
+                  contentsource: "Folder"
+                  folderlocation: "$(System.DefaultWorkingDirectory)/drop/buildoutputs/durabletask"
+                  waitforreleasecompletion: true
+                  owners: "wangbill@microsoft.com"
+                  approvers: "kaibocai@microsoft.com"
+                  serviceendpointurl: "https://api.esrp.microsoft.com"
+                  mainpublisher: "durabletask-java"
+                  domaintenantid: "33e01921-4d64-4f8c-a055-5bdaffd5e33d"
+
+          - job: durabletask_azuremanaged
+            displayName: "Release durabletask-azuremanaged"
+            templateContext:
+              type: releaseJob
+              isProduction: true
+              inputs:
+                - input: pipelineArtifact
+                  pipeline: DurableTaskPythonBuildPipeline
+                  artifactName: drop
+                  targetPath: $(System.DefaultWorkingDirectory)/drop
+
+            steps:
+              - task: SFP.release-tasks.custom-build-release-task.EsrpRelease@9
+                displayName: "ESRP Release durabletask-azuremanaged"
+                inputs:
+                  connectedservicename: "dtfx-internal-esrp-prod"
+                  usemanagedidentity: true
+                  keyvaultname: "durable-esrp-akv"
+                  signcertname: "dts-esrp-cert"
+                  clientid: "0b3ed1a4-0727-4a50-b82a-02c2bd9dec89"
+                  intent: "PackageDistribution"
+                  # DRY-RUN: set to "NPM" while bringing up the pipeline so ESRP
+                  # signs and processes the artifact but does NOT push to PyPI
+                  # (mismatched destination router). Switch back to "PyPi" for
+                  # real releases. See https://aka.ms/python/publish.
+                  contenttype: "NPM"
+                  contentsource: "Folder"
+                  folderlocation: "$(System.DefaultWorkingDirectory)/drop/buildoutputs/durabletask-azuremanaged"
+                  waitforreleasecompletion: true
+                  owners: "wangbill@microsoft.com"
+                  approvers: "kaibocai@microsoft.com"
+                  serviceendpointurl: "https://api.esrp.microsoft.com"
+                  mainpublisher: "durabletask-java"
+                  domaintenantid: "33e01921-4d64-4f8c-a055-5bdaffd5e33d"
diff --git a/eng/templates/build.yml b/eng/templates/build.yml
@@ -0,0 +1,50 @@
+jobs:
+  - job:
+    templateContext:
+      outputs:
+        - output: pipelineArtifact
+          path: $(Build.ArtifactStagingDirectory)
+          artifact: drop
+          sbomBuildDropPath: "$(System.DefaultWorkingDirectory)"
+          sbomPackageName: "Durable Task Python SBOM"
+
+    steps:
+      - checkout: self
+
+      - task: UsePythonVersion@0
+        displayName: "Use Python 3.12"
+        inputs:
+          versionSpec: "3.12"
+          addToPath: true
+
+      # Install build + lint tooling
+      - script: |
+          python -m pip install --upgrade pip
+          python -m pip install build flake8
+        displayName: "Install build tooling"
+
+      # Lint core SDK
+      - script: flake8 .
+        displayName: "flake8: durabletask"
+        workingDirectory: durabletask
+
+      # Lint azuremanaged provider
+      - script: flake8 .
+        displayName: "flake8: durabletask-azuremanaged"
+        workingDirectory: durabletask-azuremanaged
+
+      # Build sdist + wheel for durabletask (core SDK)
+      - script: |
+          python -m build --sdist --wheel --outdir $(Build.ArtifactStagingDirectory)/buildoutputs/durabletask .
+        displayName: "Build durabletask (sdist + wheel)"
+
+      # Build sdist + wheel for durabletask-azuremanaged
+      - script: |
+          python -m build --sdist --wheel --outdir $(Build.ArtifactStagingDirectory)/buildoutputs/durabletask-azuremanaged ./durabletask-azuremanaged
+        displayName: "Build durabletask-azuremanaged (sdist + wheel)"
+
+      # List staged outputs for visibility in logs
+      - script: |
+          ls -la $(Build.ArtifactStagingDirectory)/buildoutputs/durabletask
+          ls -la $(Build.ArtifactStagingDirectory)/buildoutputs/durabletask-azuremanaged
+        displayName: "List build outputs"
