security: Use governed template for LTS build pipeline (#25931)

scottn12 · Copilot · web-flow · commit 131180e866b6 · 2025-11-26T16:49:48.000-05:00
## Description This PR updates the build pipeline on the LTS branch to use governed templates. ## Reviewer Guidance - The 1ES injected steps occur multiple times in the pipeline run. I think this may be because they are supposed to run after each published artifact, so this may be okay. ## Misc [AB#53960](https://dev.azure.com/fluidframework/235294da-091d-4c29-84fc-cdfc3d90890b/_workitems/edit/53960) --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
diff --git a/tools/pipelines/build-client.yml b/tools/pipelines/build-client.yml
@@ -115,4 +115,5 @@ extends:
     poolBuild: Large-eastus2
     cgSubDirectory: packages
     checkoutSubmodules: true
-    taskBundleAnalysis: true
+    taskBundleAnalysis: true
+    shouldShip: ${{ or(eq(variables['release'], 'release'), eq(variables['release'], 'prerelease')) }}
diff --git a/tools/pipelines/templates/build-npm-package.yml b/tools/pipelines/templates/build-npm-package.yml
@@ -99,37 +99,97 @@ parameters:
   type: string
   default: "^"
 
-trigger: none
-
-variables:
-  # We use 'chalk' to colorize output, which auto-detects color support in the
-  # running terminal.  The log output shown in Azure DevOps job runs only has
-  # basic ANSI color support though, so force that in the pipeline
-  - name: FORCE_COLOR
-    value: 1
-  - template: include-vars.yml
-    parameters:
-      publishOverride: '${{ parameters.publishOverride }}'
-      releaseBuildOverride: '${{ parameters.releaseBuildOverride }}'
-
-stages:
-  # Install / Build / Test Stage
-  - stage: build
-    displayName: Build Stage
-    jobs:
+# Indicates if this is a release build that should be shipped to arrow.
+- name: shouldShip
+  type: boolean
+  default: false
+
+resources:
+  repositories:
+  - repository: 1ESPipelineTemplates
+    type: git
+    name: 1ESPipelineTemplates/1ESPipelineTemplates
+    ref: refs/tags/release
+
+extends:
+  template: v1/1ES.Official.PipelineTemplate.yml@1ESPipelineTemplates
+  parameters:
+    pool:
+      name: Small-eastus2
+      os: linux
+    sdl:
+      ${{ if eq(variables['System.TeamProject'], 'internal') }}:
+        arrow:
+          # This is the service connection for the Arrow Service Connection in FluidFramework Azure DevOps organization
+          serviceConnection: ff-internal-arrow-sc
+          # This will make sure that the artifacts are published to the Arrow Service Connection if they are release or pre-release
+          isShipped: ${{ parameters.shouldShip }}
+      sourceAnalysisPool:
+        name: Azure-Pipelines-1ESPT-ExDShared
+        image: windows-2022
+        os: windows
+      # Tentative workaround for the occasional Credscan failures
+      credscan:
+        batchSize: 4
+    # Skip tagging if Github PR coming from a fork;  This skips Microsoft security checks that won't work on forks.
+    settings:
+      skipBuildTagsForGitHubPullRequests: true
+    customBuildTags:
+      - ES365AIMigrationTooling
+    stages:
+    # Install / Build / Test Stage
+    - stage: build
+      displayName: Build Stage
+      jobs:
       # Job - Build
       - job: build
         displayName: Build
         pool: ${{ parameters.poolBuild }}
         variables:
-          - group: ado-feeds
-          - group: storage-vars
-          # Coverage has quality issues in LTS, and root-causing + fixing is not a priority given changes to LTS at this point
-          # will be things like upgrading node or security fixes, not adding new features.
-          - name: testCoverage
-            value: false
-          - name: releaseBuildVar
-            value: $[variables.releaseBuild]
+        # We use 'chalk' to colorize output, which auto-detects color support in the
+        # running terminal.  The log output shown in Azure DevOps job runs only has
+        # basic ANSI color support though, so force that in the pipeline
+        - name: FORCE_COLOR
+          value: 1
+        - template: /tools/pipelines/templates/include-vars.yml@self
+          parameters:
+            publishOverride: '${{ parameters.publishOverride }}'
+            releaseBuildOverride: '${{ parameters.releaseBuildOverride }}'
+        - group: ado-feeds
+        - group: storage-vars
+        # Coverage has quality issues in LTS, and root-causing + fixing is not a priority given changes to LTS at this point
+        # will be things like upgrading node or security fixes, not adding new features.
+        - name: testCoverage
+          value: false
+        - name: releaseBuildVar
+          value: $[variables.releaseBuild]
+        templateContext:
+          outputs:
+          - ${{ if ne(parameters.taskPack, false) }}:
+            - output: pipelineArtifact
+              displayName: 'Publish Artifact - pack'
+              targetPath: '$(Build.ArtifactStagingDirectory)/pack'
+              artifactName: 'pack'
+              publishLocation: 'Container'
+          - ${{ if ne(parameters.taskPack, false) }}:
+            - output: pipelineArtifact
+              displayName: 'Publish Artifact - Test Files'
+              targetPath: '$(Build.ArtifactStagingDirectory)/test-files'
+              artifactName: 'test-files'
+              publishLocation: 'Container'
+          - ${{ if eq(parameters.taskBundleAnalysis, true) }}:
+            - output: pipelineArtifact
+              displayName: 'Publish Artifacts - bundle-analysis'
+              condition: and( succeeded(), ne(variables['Build.Reason'], 'PullRequest'), eq(${{ parameters.taskPublishBundleSizeArtifacts }}, true) )
+              targetPath: '${{ parameters.buildDirectory }}/artifacts/bundleAnalysis'
+              artifactName: 'bundleAnalysis'
+              publishLocation: 'Container'
+          - ${{ if ne(parameters.taskBuildDocs, false) }}:
+            - output: pipelineArtifact
+              displayName: 'Publish Artifact - _api-extractor-temp'
+              targetPath: '${{ parameters.buildDirectory }}/_api-extractor-temp'
+              artifactName: '_api-extractor-temp'
+              publishLocation: 'Container'
         steps:
         # Setup
         - checkout: self
@@ -227,7 +287,7 @@ stages:
             packageManagerInstallCommand: '${{ parameters.packageManagerInstallCommand }}'
 
         # Set version
-        - template: include-set-package-version.yml@self
+        - template: /tools/pipelines/templates/include-set-package-version.yml@self
           parameters:
             buildDirectory: ${{ parameters.buildDirectory }}
             buildNumberInPatch: ${{ parameters.buildNumberInPatch }}
@@ -252,7 +312,6 @@ stages:
               command: 'custom'
               workingDir: ${{ parameters.buildDirectory }}
               customCommand: 'run lint'
-
         # Test
         - ${{ if ne(parameters.taskTest, 'false') }}:
           # Run any additional tests first so their results can be copied to the ~/nyc dir and published below
@@ -328,20 +387,6 @@ stages:
               workingDirectory: '${{ parameters.buildDirectory }}'
               filePath: $(Build.SourcesDirectory)/scripts/pack-packages.sh
 
-          - task: PublishBuildArtifacts@1
-            displayName: Publish Artifact - pack
-            inputs:
-              PathtoPublish: '$(Build.ArtifactStagingDirectory)/pack'
-              ArtifactName: 'pack'
-              publishLocation: 'Container'
-
-          - task: PublishBuildArtifacts@1
-            displayName: Publish Artifact - Test Files
-            inputs:
-              PathtoPublish: '$(Build.ArtifactStagingDirectory)/test-files'
-              ArtifactName: 'test-files'
-              publishLocation: 'Container'
-
         # Collect/publish/run bundle analysis
         - ${{ if eq(parameters.taskBundleAnalysis, true) }}:
           - task: Npm@1
@@ -350,28 +395,9 @@ stages:
               command: 'custom'
               workingDir: ${{ parameters.buildDirectory }}
               customCommand: 'run bundle-analysis:collect'
-
-          - task: PublishBuildArtifacts@1
-            displayName: Publish Artifacts - bundle-analysis
-            condition:
-              and(
-                succeeded(),
-                ne(variables['Build.Reason'], 'PullRequest'),
-                eq(${{ parameters.taskPublishBundleSizeArtifacts }}, true)
-              )
-            inputs:
-              PathtoPublish: '${{ parameters.buildDirectory }}/artifacts/bundleAnalysis'
-              Artifactname: 'bundleAnalysis'
-              publishLocation: 'Container'
-
           - task: Npm@1
             displayName: run bundle size comparison
-            condition:
-              and(
-                succeeded(),
-                eq(variables['Build.Reason'], 'PullRequest'),
-                ne(variables['System.PullRequest.IsFork'], 'true')
-              )
+            condition: and( succeeded(), eq(variables['Build.Reason'], 'PullRequest'), ne(variables['System.PullRequest.IsFork'], 'true') )
             continueOnError: true
             env:
               ADO_API_TOKEN: $(System.AccessToken)
@@ -390,14 +416,6 @@ stages:
               command: 'custom'
               workingDir: ${{ parameters.buildDirectory }}
               customCommand: 'run ci:build:docs'
-
-          - task: PublishBuildArtifacts@1
-            displayName: Publish Artifact - _api-extractor-temp
-            inputs:
-              PathtoPublish: '${{ parameters.buildDirectory }}/_api-extractor-temp'
-              ArtifactName: '_api-extractor-temp'
-              publishLocation: 'Container'
-
         - task: Bash@3
           displayName: Check for extraneous modified files
           inputs:
@@ -410,29 +428,8 @@ stages:
                 exit -1;
               fi
 
-      # Job - Component detection
-      - ${{ if eq(variables.componentDetection, true) }}:
-        - job: CG
-          displayName: Component Detection
-          pool: ${{ parameters.poolCG }}
-          steps:
-          - checkout: self
-            clean: true
-            lfs: false
-            submodules: false
-
-          - ${{ parameters.preCG }}
-
-          - task: ComponentGovernanceComponentDetection@0
-            displayName: Component Detection
-            inputs:
-              sourceScanPath: ${{ parameters.buildDirectory }}/${{ parameters.cgSubDirectory }}
-              verbosity: Verbose
-              scanType: Register
-              alertWarningLevel: High
-
-  # Publish stage
-  - ${{ if eq(variables.publish, true) }}:
-    - template: include-publish-npm-package.yml
-      parameters:
-        tagName: ${{ parameters.tagName }}
+    # Publish stage
+    - ${{ if eq(variables.publish, true) }}:
+      - template: /tools/pipelines/templates/include-publish-npm-package.yml@self
+        parameters:
+          tagName: ${{ parameters.tagName }}
