Add symbol verification to OneBranch pipelines #4073
paulmedynski wants to merge 4 commits into main
| isCustom: true | ||
| name: ADO-1ES-Pool | ||
| vmImage: 'ADO-MMS22-SQL19' | ||
| vmImage: ADO-Win25 |
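Review bot: the `vmImage: ADO-Win25` line is the only statement of which image this job runs on, and it carries no comment saying what the job needs from that image. Add a short comment above it naming the tools the job expects to find there, so a later image change can be checked against that requirement.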
I created a new bare-bones 1ES image for tasks like this that don't require the large MMS base images.
@paulmedynski - Confirm that this new image is actually being used. I'm seeing the pipeline claim it will use this image, but then the jobs actually use ADO-MMS22-SQL19 which is suspiciously the first image in the pool...
| - artifactName: $(loggingArtifactsName) | ||
| displayName: Logging Package | ||
|
|
||
| # ==================================================================== |
Validation has moved to its own dedicated stage.
Pull request overview
Adds a OneBranch validation stage to verify signed packages and (when enabled) validate that PDBs are available on configured symbol servers using symchk.exe, integrating this stage into both official and non-official pipeline definitions.
Changes:
- Introduces a new `validation` stage template that runs signed-package validation and optional symbol-server verification.
- Adds a `validate-symbols` job template + PowerShell script to download packages and run `symchk` against public/internal symbol servers.
- Refactors pipeline stage composition to insert validation between build and release.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| src/Microsoft.Data.SqlClient.slnx | Adds the new validation stage/job files to the solution listing and updates stage template paths. |
| eng/pipelines/onebranch/stages/validation-stage.yml | New stage template wiring signed-package validation + symbol verification across built packages. |
| eng/pipelines/onebranch/stages/build-stages.yml | Removes the old standalone MDS validation stage from build stages. |
| eng/pipelines/onebranch/stages/release-stage.yml | Documentation/comment updates (but still contains stage dependencies). |
| eng/pipelines/onebranch/sqlclient-official.yml | Inserts the new validation stage template before the release stage. |
| eng/pipelines/onebranch/sqlclient-non-official.yml | Inserts the new validation stage template before the release stage. |
| eng/pipelines/onebranch/jobs/validate-symbols-job.yml | New job to download artifacts and invoke symbol verification per package/server. |
| eng/pipelines/onebranch/jobs/validate-symbols.ps1 | New script that extracts the nupkg and runs symchk against symbol servers. |
| eng/pipelines/onebranch/jobs/validate-signed-package-job.yml | Updates displayName formatting and switches the validation job vmImage. |
Comments suppressed due to low confidence (1)
eng/pipelines/onebranch/stages/build-stages.yml:211
- build-stages.yml removes the dedicated `mds_package_validation` stage, but the release stage template still lists `mds_package_validation` in `dependsOn` when releasing SqlClient/Azure. This will cause `release_*` to fail with an unknown stage dependency. Update `eng/pipelines/onebranch/stages/release-stage.yml` to depend on the new validation stage (or reintroduce an equivalent stage name) instead of `mds_package_validation`.
- artifactName: $(sqlClientArtifactsName)
  displayName: SqlClient Package
- artifactName: $(abstractionsArtifactsName)
  displayName: Abstractions Package
- artifactName: $(loggingArtifactsName)
  displayName: Logging Package
| echo "1 Succeeded; The request has published successfully" | ||
| echo "2 Failed; The request has failed to publish" | ||
| echo "3 Cancelled; The request was cancelled" | ||
| # Poll until symbol publishing completes on all requested servers. |
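Review bot: the comment on the last line says the step polls until publishing completes on all requested servers, but it does not say what bounds the wait or how the Failed (2) and Cancelled (3) states echoed just above are handled. State in the comment which states end the poll and what the maximum wait is, so a request that never completes cannot hold the job open.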
Pull request overview
Copilot reviewed 11 out of 11 changed files in this pull request and generated 1 comment.
Comments suppressed due to low confidence (1)
eng/pipelines/onebranch/stages/release-stage.yml:17
`release-stage.yml` still lists `mds_package_validation` in `dependsOn` for `releaseSqlClient`/`releaseAzure`, but this PR removes that stage from `build-stages.yml` and introduces the new `validation` stage (from `validation-stage.yml`). This will cause the release stage to fail template expansion / stage dependency resolution. Update the release stage’s `dependsOn` to reference the new `validation` stage (and remove the old `mds_package_validation` dependency).
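The dependency problem flagged in the review comment above can be caught before a pipeline run. The following is an added example, not code from this PR or the project: it takes a stage list as it would look after template expansion (constructed here; only `mds_package_validation` and `validation` are names from the page, the other stage names are placeholders) and reports `dependsOn` entries that name no stage, plus release stages that cannot reach the validation stage.

```python
from collections import deque

# Constructed sample of expanded stage lists. Only `mds_package_validation` and
# `validation` come from the PR page; the other stage names are placeholders.
BEFORE_FIX = [
    {"stage": "build_packages"},
    {"stage": "validation", "dependsOn": ["build_packages"]},
    {"stage": "release_packages",
     "dependsOn": ["build_packages", "mds_package_validation"]},
]
AFTER_FIX = [
    {"stage": "build_packages"},
    {"stage": "validation", "dependsOn": "build_packages"},
    {"stage": "release_packages", "dependsOn": ["validation"]},
]

def dependencies(stages):
    """Map each stage to its dependencies: a missing dependsOn means the
    previous stage, an empty list means none, a string is a single name."""
    deps, previous = {}, None
    for s in stages:
        if "dependsOn" not in s:
            wanted = [previous] if previous else []
        elif isinstance(s["dependsOn"], str):
            wanted = [s["dependsOn"]]
        else:
            wanted = list(s["dependsOn"] or [])
        deps[s["stage"]] = wanted
        previous = s["stage"]
    return deps

def dangling(stages):
    """Return sorted (stage, missing dependency) pairs."""
    deps = dependencies(stages)
    return sorted((n, d) for n, ds in deps.items() for d in ds if d not in deps)

def ungated(stages, gate="validation", prefix="release"):
    """Return `prefix*` stages that cannot reach `gate` through dependsOn."""
    deps, failed = dependencies(stages), []
    for name in (n for n in deps if n.startswith(prefix)):
        seen, queue = set(), deque([name])
        while queue:
            for d in deps.get(queue.popleft(), []):
                if d not in seen:
                    seen.add(d)
                    queue.append(d)
        if gate not in seen:
            failed.append(name)
    return failed
```

A release stage that lists only a removed stage name shows up in both results: once as a dangling reference and once as a release that is no longer gated by validation.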
Codecov Report
✅ All modified and coverable lines are covered by tests.
Additional details and impacted files
@@ Coverage Diff @@
## main #4073 +/- ##
==========================================
- Coverage 73.23% 65.67% -7.57%
==========================================
Files 280 275 -5
Lines 43000 65825 +22825
==========================================
+ Hits 31491 43230 +11739
- Misses 11509 22595 +11086
|
| - All source code is in `src/Microsoft.Data.SqlClient/src/`. Do NOT add code to legacy `netfx/src/` or `netcore/src/` directories. | ||
| - Only `ref/` folders in `netcore/ref/` and `netfx/ref/` remain active for defining the public API surface. | ||
| - Check for platform-specific differences using file suffixes (`.netfx.cs`, `.netcore.cs`, `.windows.cs`, `.unix.cs`) and conditional compilation (`#if NETFRAMEWORK`, `#if NET`, `#if _WINDOWS`, `#if _UNIX`). | ||
| - Lines of code, comments, and other text should be a maximum of 100 characters (see `policy/coding-style.md`). |
Copilot has some built-in settings that specify 80 chars max, and it stores it locally (i.e. somewhere in my user directory). It claims that this will ensure that it generates text with our desired line length.
| [Parameter(Mandatory)] | ||
| [string]$SymbolServerName, | ||
|
|
||
| # Maximum number of attempts when symbols are not yet available. The first |
@paulmedynski Move these docs above like the rest.
|
|
||
| # Maximum number of attempts when symbols are not yet available. The first | ||
| # attempt runs immediately; subsequent attempts wait RetryIntervalSeconds | ||
| # between them. Defaults to 10 (~5 minutes total with default interval). |
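Review bot: the comment on the retry-count parameter bakes in a derived figure, "~5 minutes total with default interval", which depends on the RetryIntervalSeconds default and will go stale when either value is tuned. Since the first attempt runs immediately, the total wait is (attempts - 1) × RetryIntervalSeconds; state that relation in the comment instead of the computed minutes.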
We will tune these retries once we see how long it actually takes for symbols to become available.
mdaigle left a comment
Did you evaluate the dotnet-symbol tool? It's OS agnostic and we can install it via our tool file.
| jobs: | ||
| - job: validate_signed_package | ||
| displayName: 'Verify signed package' | ||
| displayName: Verify signed package |
It feels like every pipeline PR is switching these quote types back and forth or removing/adding. I think we should default to no quotes (fewer characters) unless necessary for correctness. Can we add something to the copilot instructions to capture this?
Description
We can use the Windows-only `symchk.exe` tool to confirm that symbols have been published to the expected servers for each DLL that we produce. This PR adds a validation job to perform this symbol checking for each package's DLL.
Testing
Manual runs of the Non-Official pipeline will confirm the new behaviour.