From 03cac2b930aadda2047bd703f52b602f4e59f531 Mon Sep 17 00:00:00 2001
From: Paul Medynski <31868385+paulmedynski@users.noreply.github.com>
Date: Fri, 19 Jun 2026 13:02:11 -0300
Subject: [PATCH] Sign the Azure extension assembly and tests
Expose Azure internals to the test assembly signed with the test key in Package
mode (kept unsigned in Project mode and when signing is disabled), align the
signing comment with the assembly-signing terminology, and wire the Azure
package CI stage/job and test job for signed internal builds.
---
eng/pipelines/dotnet-sqlclient-ci-core.yml | 1 +
.../jobs/pack-azure-package-ci-job.yml | 60 +++++++++++--------
.../jobs/test-azure-package-ci-job.yml | 35 +++++++++--
.../stages/build-azure-package-ci-stage.yml | 11 ++++
.../Azure/src/Azure.csproj | 14 ++++-
.../Azure/test/Azure.Test.csproj | 7 +++
6 files changed, 96 insertions(+), 32 deletions(-)
diff --git a/eng/pipelines/dotnet-sqlclient-ci-core.yml b/eng/pipelines/dotnet-sqlclient-ci-core.yml
index 5361407e0d..94c04ed2f0 100644
--- a/eng/pipelines/dotnet-sqlclient-ci-core.yml
+++ b/eng/pipelines/dotnet-sqlclient-ci-core.yml
@@ -228,6 +228,7 @@ stages:
- build_sqlserver_package_stage
- build_sqlclient_package_stage
dotnetVerbosity: ${{ parameters.dotnetVerbosity }}
+ isInternalBuild: ${{ parameters.isInternalBuild }}
loggingArtifactsName: $(loggingArtifactsName)
loggingPackageVersion: $(loggingPackageVersion)
mdsArtifactsName: $(mdsArtifactsName)
diff --git a/eng/pipelines/jobs/pack-azure-package-ci-job.yml b/eng/pipelines/jobs/pack-azure-package-ci-job.yml
index 12567fec14..e1ddd7da76 100644
--- a/eng/pipelines/jobs/pack-azure-package-ci-job.yml
+++ b/eng/pipelines/jobs/pack-azure-package-ci-job.yml
@@ -89,6 +89,11 @@ parameters:
# Reference sibling packages as C# projects.
- Project
+ # True when building on the internal ADO.Net project.
+ - name: isInternalBuild
+ type: boolean
+ default: false
+
jobs:
- job: pack_azure_package_job
@@ -131,6 +136,23 @@ jobs:
- name: Configuration
value: ''
+ # Build properties passed to dotnet pack. Composed from a base set plus
+ # optional suffixes for Package-mode dependencies and assembly signing.
+ - name: baseBuildProperties
+ value: AzurePackageVersion=${{ parameters.azurePackageVersion }};AzureAssemblyFileVersion=${{ parameters.azureAssemblyFileVersion }}
+
+ # NOTE: We use compile-time ${{ if }} branches rather than concatenating
+ # separate variables (e.g. "$(base);$(optional);$(signing)") because
+ # when the optional variables are empty the semicolons remain, producing
+ # a trailing ";;" that MSBuild rejects with MSB1005.
+ - name: buildProperties
+ ${{ if and(eq(parameters.referenceType, 'Package'), eq(parameters.isInternalBuild, true)) }}:
+ value: $(baseBuildProperties);ReferenceType=Package;LoggingPackageVersion=${{ parameters.loggingPackageVersion }};AbstractionsPackageVersion=${{ parameters.abstractionsPackageVersion }};SigningKeyPath=$(driverKeyFile.secureFilePath)
+ ${{ elseif eq(parameters.referenceType, 'Package') }}:
+ value: $(baseBuildProperties);ReferenceType=Package;LoggingPackageVersion=${{ parameters.loggingPackageVersion }};AbstractionsPackageVersion=${{ parameters.abstractionsPackageVersion }}
+ ${{ else }}:
+ value: $(baseBuildProperties)
+
steps:
# Emit environment variables if debug is enabled.
@@ -157,32 +179,20 @@ jobs:
parameters:
debug: ${{ parameters.debug }}
+ # Download the assembly signing key for internal Package-mode builds.
+ - ${{ if and(eq(parameters.isInternalBuild, true), ne(parameters.referenceType, 'Project')) }}:
+ - template: /eng/pipelines/common/steps/download-assembly-signing-key.yml@self
+
# Create the NuGet packages.
- #
- # When referenceType is Package, we must pass ReferenceType and the
- # dependency versions so that Directory.Packages.props applies version
- # ranges to sibling package dependencies.
- - ${{ if eq(parameters.referenceType, 'Package') }}:
- - task: DotNetCoreCLI@2
- displayName: Create NuGet Package
- inputs:
- command: pack
- packagesToPack: $(project)
- configurationToPack: ${{ parameters.buildConfiguration }}
- packDirectory: $(dotnetPackagesDir)
- verbosityToPack: ${{ parameters.dotnetVerbosity }}
- buildProperties: AzurePackageVersion=${{ parameters.azurePackageVersion }};AzureAssemblyFileVersion=${{ parameters.azureAssemblyFileVersion }};ReferenceType=Package;LoggingPackageVersion=${{ parameters.loggingPackageVersion }};AbstractionsPackageVersion=${{ parameters.abstractionsPackageVersion }}
-
- - ${{ else }}:
- - task: DotNetCoreCLI@2
- displayName: Create NuGet Package
- inputs:
- command: pack
- packagesToPack: $(project)
- configurationToPack: ${{ parameters.buildConfiguration }}
- packDirectory: $(dotnetPackagesDir)
- verbosityToPack: ${{ parameters.dotnetVerbosity }}
- buildProperties: AzurePackageVersion=${{ parameters.azurePackageVersion }};AzureAssemblyFileVersion=${{ parameters.azureAssemblyFileVersion }}
+ - task: DotNetCoreCLI@2
+ displayName: Create NuGet Package
+ inputs:
+ command: pack
+ packagesToPack: $(project)
+ configurationToPack: ${{ parameters.buildConfiguration }}
+ packDirectory: $(dotnetPackagesDir)
+ verbosityToPack: ${{ parameters.dotnetVerbosity }}
+ buildProperties: $(buildProperties)
# Publish the NuGet packages as a named pipeline artifact.
- task: PublishPipelineArtifact@1
diff --git a/eng/pipelines/jobs/test-azure-package-ci-job.yml b/eng/pipelines/jobs/test-azure-package-ci-job.yml
index eb9e36152a..3570d72114 100644
--- a/eng/pipelines/jobs/test-azure-package-ci-job.yml
+++ b/eng/pipelines/jobs/test-azure-package-ci-job.yml
@@ -69,6 +69,12 @@ parameters:
- detailed
- diagnostic
+ # True when building on the internal ADO.Net project. When set, assemblies
+ # are signed with the driver key and tests are signed with the test key.
+ - name: isInternalBuild
+ type: boolean
+ default: false
+
# The suffix to append to the job name.
- name: jobNameSuffix
type: string
@@ -169,7 +175,7 @@ jobs:
value: src/Microsoft.Data.SqlClient.Extensions/Azure/test/Azure.Test.csproj
# dotnet CLI arguments for build/test/pack commands.
- - name: buildArguments
+ - name: dotnetBuildOpts
value: >-
-p:Configuration=${{ parameters.buildConfiguration }}
--verbosity ${{ parameters.dotnetVerbosity }}
@@ -179,6 +185,16 @@ jobs:
-p:SqlClientPackageVersion=${{ parameters.mdsPackageVersion }}
-p:SqlServerPackageVersion=${{ parameters.sqlServerPackageVersion }}
+ # Signing arguments — only set for internal Package-mode builds.
+ - ${{ if and(eq(parameters.isInternalBuild, true), ne(parameters.referenceType, 'Project')) }}:
+ - name: signingArguments
+ value: >-
+ -p:SigningKeyPath=$(driverKeyFile.secureFilePath)
+ -p:TestSigningKeyPath=$(testKeyFile.secureFilePath)
+ - ${{ else }}:
+ - name: signingArguments
+ value: ''
+
# Explicitly unset the $PLATFORM environment variable that is set by the
# 'ADO Build properties' Library in the ADO SqlClientDrivers public
# project. This is defined with a non-standard Platform of 'AnyCPU', and
@@ -206,6 +222,13 @@ jobs:
- pwsh: 'Get-ChildItem Env: | Sort-Object Name'
displayName: '[Debug] Print Environment Variables'
+ # Download the assembly signing keys for internal Package-mode builds.
+ - ${{ if and(eq(parameters.isInternalBuild, true), ne(parameters.referenceType, 'Project')) }}:
+ - template: /eng/pipelines/common/steps/download-assembly-signing-key.yml@self
+ - template: /eng/pipelines/common/steps/download-assembly-signing-key.yml@self
+ parameters:
+ isTest: true
+
# We have a few extra steps for Package reference builds.
- ${{ if eq(parameters.referenceType, 'Package') }}:
@@ -289,7 +312,7 @@ jobs:
inputs:
command: build
projects: $(project)
- arguments: $(buildArguments)
+ arguments: $(dotnetBuildOpts) $(signingArguments)
# List the DLLs in the output directory for debugging purposes.
- ${{ if eq(parameters.debug, true) }}:
@@ -324,7 +347,7 @@ jobs:
command: test
projects: $(project)
arguments: >-
- $(buildArguments)
+ $(dotnetBuildOpts)
--no-build
-f ${{ runtime }}
--filter "category != failing & category != flaky & category != interactive"
@@ -342,7 +365,7 @@ jobs:
command: test
projects: $(project)
arguments: >-
- $(buildArguments)
+ $(dotnetBuildOpts)
--no-build
-f ${{ runtime }}
--filter "category = flaky"
@@ -362,7 +385,7 @@ jobs:
command: test
projects: $(project)
arguments: >-
- $(buildArguments)
+ $(dotnetBuildOpts)
--no-build
-f ${{ runtime }}
--filter "category != failing & category != flaky & category != interactive"
@@ -380,7 +403,7 @@ jobs:
command: test
projects: $(project)
arguments: >-
- $(buildArguments)
+ $(dotnetBuildOpts)
--no-build
-f ${{ runtime }}
--filter "category = flaky"
diff --git a/eng/pipelines/stages/build-azure-package-ci-stage.yml b/eng/pipelines/stages/build-azure-package-ci-stage.yml
index b3cf9073d5..396314125c 100644
--- a/eng/pipelines/stages/build-azure-package-ci-stage.yml
+++ b/eng/pipelines/stages/build-azure-package-ci-stage.yml
@@ -152,6 +152,11 @@ parameters:
# Reference sibling packages as C# projects.
- Project
+ # True when building on the internal ADO.Net project.
+ - name: isInternalBuild
+ type: boolean
+ default: false
+
stages:
- stage: build_azure_package_stage
@@ -180,6 +185,7 @@ stages:
debug: ${{ parameters.debug }}
displayNamePrefix: Linux
dotnetVerbosity: ${{ parameters.dotnetVerbosity }}
+ isInternalBuild: ${{ parameters.isInternalBuild }}
jobNameSuffix: linux
loggingArtifactsName: ${{ parameters.loggingArtifactsName }}
loggingPackageVersion: ${{ parameters.loggingPackageVersion }}
@@ -202,6 +208,7 @@ stages:
debug: ${{ parameters.debug }}
displayNamePrefix: Linux Integration
dotnetVerbosity: ${{ parameters.dotnetVerbosity }}
+ isInternalBuild: ${{ parameters.isInternalBuild }}
jobNameSuffix: linux_integration
loggingArtifactsName: ${{ parameters.loggingArtifactsName }}
loggingPackageVersion: ${{ parameters.loggingPackageVersion }}
@@ -233,6 +240,7 @@ stages:
debug: ${{ parameters.debug }}
displayNamePrefix: Win
dotnetVerbosity: ${{ parameters.dotnetVerbosity }}
+ isInternalBuild: ${{ parameters.isInternalBuild }}
jobNameSuffix: windows
loggingArtifactsName: ${{ parameters.loggingArtifactsName }}
loggingPackageVersion: ${{ parameters.loggingPackageVersion }}
@@ -255,6 +263,7 @@ stages:
debug: ${{ parameters.debug }}
displayNamePrefix: Win Integration
dotnetVerbosity: ${{ parameters.dotnetVerbosity }}
+ isInternalBuild: ${{ parameters.isInternalBuild }}
jobNameSuffix: windows_integration
loggingArtifactsName: ${{ parameters.loggingArtifactsName }}
loggingPackageVersion: ${{ parameters.loggingPackageVersion }}
@@ -295,6 +304,7 @@ stages:
debug: ${{ parameters.debug }}
displayNamePrefix: macOS
dotnetVerbosity: ${{ parameters.dotnetVerbosity }}
+ isInternalBuild: ${{ parameters.isInternalBuild }}
jobNameSuffix: macos
loggingArtifactsName: ${{ parameters.loggingArtifactsName }}
loggingPackageVersion: ${{ parameters.loggingPackageVersion }}
@@ -331,6 +341,7 @@ stages:
- test_azure_package_job_windows_integration
- test_azure_package_job_macos
dotnetVerbosity: ${{ parameters.dotnetVerbosity }}
+ isInternalBuild: ${{ parameters.isInternalBuild }}
loggingArtifactsName: ${{ parameters.loggingArtifactsName }}
loggingPackageVersion: ${{ parameters.loggingPackageVersion }}
referenceType: ${{ parameters.referenceType }}
diff --git a/src/Microsoft.Data.SqlClient.Extensions/Azure/src/Azure.csproj b/src/Microsoft.Data.SqlClient.Extensions/Azure/src/Azure.csproj
index b9a3b82c27..498ed5b856 100644
--- a/src/Microsoft.Data.SqlClient.Extensions/Azure/src/Azure.csproj
+++ b/src/Microsoft.Data.SqlClient.Extensions/Azure/src/Azure.csproj
@@ -32,12 +32,24 @@
$(AzurePackageVersion)
-
+
+
+
+
+
+
+
+
$(RepoRoot)artifacts/
diff --git a/src/Microsoft.Data.SqlClient.Extensions/Azure/test/Azure.Test.csproj b/src/Microsoft.Data.SqlClient.Extensions/Azure/test/Azure.Test.csproj
index 1c020c2ae4..818a223f21 100644
--- a/src/Microsoft.Data.SqlClient.Extensions/Azure/test/Azure.Test.csproj
+++ b/src/Microsoft.Data.SqlClient.Extensions/Azure/test/Azure.Test.csproj
@@ -8,6 +8,13 @@
true
+
+
+
+ true
+ $(TestSigningKeyPath)
+
+
net8.0;net9.0;net10.0