Merged PR 6250: FIX: Build Release Pipeline - Removed Symbols Publishing

#### AI description  (iteration 1)
#### PR Classification
This pull request fixes the release pipeline to ensure compliant and streamlined publishing of private symbols while migrating to 1ES for the Python driver.

#### PR Summary
The changes update the build pipeline to correctly set up and execute symbol publishing tasks fulfilling compliance requirements and build pipeline migration.
- In `OneBranchPipelines/steps/symbol-publishing-step.yml`, the PowerShell task setting the AccountName was updated, the symbol upload wait time reduced, and an additional Azure CLI task was added to publish symbols to the Microsoft Symbol Publishing Service.
- In `OneBranchPipelines/stages/build-windows-single-stage.yml`, a new Boolean parameter `publishSymbols` was introduced to conditionally trigger the symbol publishing step.
<!-- GitOpsUserAgent=GitOps.Apps.Server.pullrequestcopilot -->

Related work items: #37472, #38066

Author: bewithgaurav

OneBranchPipelines/build-release-package-pipeline.yml

@@ -41,11 +41,6 @@ parameters:
       - 'Debug'
     default: 'Release'
 
-  - name: publishSymbols
-    displayName: 'Publish Debug Symbols'
-    type: boolean
-    default: true
-
   - name: runSdlTasks
     displayName: 'Run SDL Security Tasks'
     type: boolean
@@ -150,10 +145,10 @@ extends:
       # ApiScan - Scans APIs for security vulnerabilities
       apiscan:
         enabled: ${{ parameters.runSdlTasks }}
-        softwareFolder: '${{ variables.apiScanDllPath }}'
+        softwareFolder: '$(apiScanDllPath)'
         softwareName: 'mssql-python'
-        softwareVersionNum: '${{ variables.packageVersion }}'
-        symbolsFolder: '${{ variables.apiScanPdbPath }}'
+        softwareVersionNum: '$(packageVersion)'
+        symbolsFolder: '$(apiScanPdbPath)'
 
       # Armory - Security scanning for binaries
       armory:

OneBranchPipelines/stages/build-windows-single-stage.yml

@@ -21,6 +21,9 @@ parameters:
   - name: buildConfiguration
     type: string
     default: 'Release'
+  - name: publishSymbols
+    type: boolean
+    default: true
 
 stages:
   - stage: ${{ parameters.stageName }}
@@ -41,6 +44,7 @@ stages:
           pythonVersion: ${{ parameters.pythonVersion }}
           shortPyVer: ${{ parameters.shortPyVer }}
           targetArch: ${{ parameters.architecture }}
+          SYSTEM_ACCESSTOKEN: $(System.AccessToken)  # Make System.AccessToken available to all steps in this job
 
         steps:
           - checkout: self
@@ -213,8 +217,5 @@ stages:
           #         esrpConnectedServiceName: '$(SigningEsrpConnectedServiceName)'
           #         signPath: '$(ob_outputDirectory)\wheels'
 
-          # Publish symbols (Windows only)
-          - ${{ if eq(parameters.oneBranchType, 'Official') }}:
-              - template: /OneBranchPipelines/steps/symbol-publishing-step.yml@self
-                parameters:
-                  SymbolsFolder: '$(ob_outputDirectory)\symbols'
+          # Note: Symbol publishing moved to release pipeline
+          # Symbols are published as artifacts here and consumed in release pipeline

OneBranchPipelines/steps/symbol-publishing-step.yml

@@ -6,23 +6,41 @@ parameters:
     default: '$(ob_outputDirectory)\symbols'
 
 steps:
-  - powershell: 'Write-Host "##vso[task.setvariable variable=ArtifactServices.Symbol.AccountName;]SqlClientDrivers"'
-    displayName: 'Update Symbol.AccountName with SqlClientDrivers'
+  # Set AccountName for SqlClientDrivers organization (separate PowerShell task like JDBC)
+  - task: PowerShell@2
+    displayName: 'Set Symbol.AccountName to SqlClientDrivers'
+    inputs:
+      targetType: inline
+      # NOTE: we're setting PAT in this step since Pat:$(System.AccessToken) doesn't work in PublishSymbols@2 task directly
+      # Tried using env: parameter on PublishSymbols@2 but it didn't work
+      # This is a workaround to set it via script, and setting as a secret variable
+      script: |
+        Write-Host "##vso[task.setvariable variable=ArtifactServices.Symbol.AccountName;]SqlClientDrivers"
+        Write-Host "##vso[task.setvariable variable=ArtifactServices.Symbol.Pat;issecret=true;]$env:SYSTEM_ACCESSTOKEN"
+        # Verify System.AccessToken is available
+        if (-not $env:SYSTEM_ACCESSTOKEN) {
+          Write-Error "SYSTEM_ACCESSTOKEN is not available. Ensure 'Allow scripts to access the OAuth token' is enabled in the pipeline settings."
+        } else {
+          Write-Host "SYSTEM_ACCESSTOKEN is available and will be used for symbol publishing."
+        }
+    env:
+      SYSTEM_ACCESSTOKEN: $(System.AccessToken)
 
   - task: PublishSymbols@2
-    displayName: 'Upload symbols to Azure DevOps Symbol Server'
+    displayName: 'Push Symbols to SqlClientDrivers ADO Organization'
     inputs:
       SymbolsFolder: '${{ parameters.SymbolsFolder }}'
       SearchPattern: '**/*.pdb'
       IndexSources: false
       SymbolServerType: TeamServices
-      SymbolsMaximumWaitTime: 60
-      SymbolExpirationInDays: 1825 # 5 years
+      SymbolsMaximumWaitTime: 10
       SymbolsProduct: mssql-python
       SymbolsVersion: $(Build.BuildId)
-      SymbolsArtifactName: $(System.TeamProject)-$(Build.SourceBranchName)-$(Build.DefinitionName)-$(Build.BuildId)
-      Pat: $(System.AccessToken)
 
+  # Publish to Microsoft Symbol Publishing Service (External)
+  # This requires additional variable group with SymbolServer, SymbolTokenUri variables
+  # Project name must be registered with Symbol team via IcM incident
+  # Reference: https://www.osgwiki.com/wiki/Symbols_Publishing_Pipeline_to_SymWeb_and_MSDL#Step_3:_Project_Setup
   - task: AzureCLI@2
     displayName: 'Publish symbols to Microsoft Symbol Publishing Service'
     condition: succeeded()
@@ -39,12 +57,12 @@ steps:
         $publishToInternalServer = $true 
         $publishToPublicServer = $false
 
-        echo "Publishing request name: $(requestName)"
+        echo "Publishing request name: $env:requestName"
         echo "Publish to internal server: $publishToInternalServer"
         echo "Publish to public server: $publishToPublicServer"      
 
-        $symbolServer = '$(SymbolServer)'
-        $tokenUri = '$(SymbolTokenUri)'
+        $symbolServer = $env:SymbolServer
+        $tokenUri = $env:SymbolTokenUri
         $projectName = "mssql-python"
 
         # Get the access token for the symbol publishing service
@@ -53,7 +71,7 @@ steps:
         echo ">  1.Symbol publishing token acquired."
 
         echo "Registering the request name ..."
-        $requestName = '$(requestName)'
+        $requestName = $env:requestName
         $requestNameRegistrationBody = "{'requestName': '$requestName'}"
         Invoke-RestMethod -Method POST -Uri "https://$symbolServer.trafficmanager.net/projects/$projectName/requests" -Headers @{ Authorization = "Bearer $symbolPublishingToken" } -ContentType "application/json" -Body $requestNameRegistrationBody
 

OneBranchPipelines/variables/symbol-variables.yml

@@ -1,7 +1,5 @@
 # Symbol Publishing Variables
 # These variables configure where debug symbols (.pdb files) are published
-# Note: Symbol server variables (SymbolsAzureSubscription, SymbolsPublishServer, etc.)
-#       should come from variable groups, not redefined here to avoid cyclical references
 variables:
   # Symbol paths for ApiScan
   # Must use Build.SourcesDirectory (not ob_outputDirectory) so files persist for globalSdl
@@ -12,3 +10,7 @@ variables:
   - name: apiScanPdbPath
     value: '$(Build.SourcesDirectory)/apiScan/pdbs'
 
+  # Symbol server variables come from 'Symbols Publishing' variable group:
+  # - SymbolServer: Symbol publishing server hostname
+  # - SymbolTokenUri: Token URI for symbol publishing service authentication
+