From 705bcb0b7697bfdf459bd924ea811fcb60ef8222 Mon Sep 17 00:00:00 2001 From: dotnet-docker-bot <60522487+dotnet-docker-bot@users.noreply.github.com> Date: Fri, 13 Mar 2026 10:02:13 -0700 Subject: [PATCH] Update common Docker engineering infrastructure with latest --- eng/docker-tools/CHANGELOG.md | 11 ++++++++ .../templates/jobs/build-images.yml | 4 ++- .../templates/jobs/generate-matrix.yml | 7 +++++ .../steps/reference-service-connections.yml | 26 +++++++++++-------- .../steps/test-images-linux-client.yml | 8 +++++- .../templates/variables/docker-images.yml | 2 +- 6 files changed, 44 insertions(+), 14 deletions(-) diff --git a/eng/docker-tools/CHANGELOG.md b/eng/docker-tools/CHANGELOG.md index 1d8cf40040..480b25ac65 100644 --- a/eng/docker-tools/CHANGELOG.md +++ b/eng/docker-tools/CHANGELOG.md @@ -26,12 +26,23 @@ Service connections are now referenced per-job via ## 2026-03-04: Pre-build validation gated by `preBuildTestScriptPath` variable +- Pull request: [#1997](https://github.com/dotnet/docker-tools/pull/1997) + The `PreBuildValidation` job condition now checks the new `preBuildTestScriptPath` variable instead of `testScriptPath`. This allows repos to independently control whether pre-build validation runs, without affecting functional tests. The new variable defaults to `$(testScriptPath)`, so existing repos that have pre-build tests are not affected. Repos that do not have pre-build tests can set `preBuildTestScriptPath` to `""` to skip the job entirely. +### Update (2026-03-11): Use `preBuildTestScriptPath` for test execution + +- Pull request: [#2011](https://github.com/dotnet/docker-tools/pull/2011) + +The `PreBuildValidation` job now uses `preBuildTestScriptPath` for test execution instead of `testScriptPath`. +Previously, the job condition was gated on `preBuildTestScriptPath` but the test execution step still used `testScriptPath`, +which meant PreBuildValidation could not be enabled independently when `testScriptPath` was empty. +Repos that do not have pre-build tests can set `preBuildTestScriptPath` to `""` to skip the job entirely. + --- ## 2026-02-19: Separate Registry Endpoints from Authentication diff --git a/eng/docker-tools/templates/jobs/build-images.yml b/eng/docker-tools/templates/jobs/build-images.yml index 75264104ac..7327b6d697 100644 --- a/eng/docker-tools/templates/jobs/build-images.yml +++ b/eng/docker-tools/templates/jobs/build-images.yml @@ -48,7 +48,9 @@ jobs: dockerClientOS: ${{ parameters.dockerClientOS }} usesRegistries: - ${{ parameters.publishConfig.BuildRegistry.server }} - ${{ if parameters.storageAccountServiceConnection }}: + # Check .name instead of the whole object - null parameters can become + # empty objects through template layers, making ${{ if }} truthy. + ${{ if parameters.storageAccountServiceConnection.name }}: serviceConnections: - name: ${{ parameters.storageAccountServiceConnection.name }} - template: /eng/docker-tools/templates/steps/set-image-info-path-var.yml@self diff --git a/eng/docker-tools/templates/jobs/generate-matrix.yml b/eng/docker-tools/templates/jobs/generate-matrix.yml index 8d22b39163..fe668c65e5 100644 --- a/eng/docker-tools/templates/jobs/generate-matrix.yml +++ b/eng/docker-tools/templates/jobs/generate-matrix.yml @@ -25,6 +25,13 @@ jobs: publishConfig: ${{ parameters.publishConfig }} versionsRepoRef: ${{ parameters.versionsRepoRef }} customInitSteps: ${{ parameters.customInitSteps }} + # When --trim-cached-images is active, ImageBuilder checks base image digests + # in the ACR mirror registry, which requires OIDC auth via this service connection. + - template: /eng/docker-tools/templates/steps/reference-service-connections.yml@self + parameters: + publishConfig: ${{ parameters.publishConfig }} + usesRegistries: + - ${{ parameters.publishConfig.BuildRegistry.server }} - ${{ parameters.customGenerateMatrixInitSteps }} - template: /eng/docker-tools/templates/steps/retain-build.yml@self - template: /eng/docker-tools/templates/steps/validate-branch.yml@self diff --git a/eng/docker-tools/templates/steps/reference-service-connections.yml b/eng/docker-tools/templates/steps/reference-service-connections.yml index 30f59e4403..ab6ec98052 100644 --- a/eng/docker-tools/templates/steps/reference-service-connections.yml +++ b/eng/docker-tools/templates/steps/reference-service-connections.yml @@ -43,19 +43,23 @@ parameters: steps: - ${{ if and(eq(variables['System.TeamProject'], parameters.internalProjectName), ne(variables['Build.Reason'], 'PullRequest')) }}: + # Guard on .name: null parameters passed through template layers can become + # empty objects that are truthy, so check the concrete property instead. - ${{ each serviceConnection in parameters.serviceConnections }}: - - task: AzureCLI@2 - displayName: Reference ${{ serviceConnection.name }} - inputs: - azureSubscription: ${{ serviceConnection.name }} - ${{ if eq(parameters.dockerClientOS, 'windows') }}: - scriptType: ps - ${{ else }}: - scriptType: pscore - scriptLocation: inlineScript - inlineScript: Write-Host "Service connection referenced for OIDC" + - ${{ if serviceConnection.name }}: + - task: AzureCLI@2 + displayName: Reference ${{ serviceConnection.name }} + inputs: + azureSubscription: ${{ serviceConnection.name }} + ${{ if eq(parameters.dockerClientOS, 'windows') }}: + scriptType: ps + ${{ else }}: + scriptType: pscore + scriptLocation: inlineScript + inlineScript: Write-Host "Service connection referenced for OIDC" - ${{ each auth in parameters.publishConfig.RegistryAuthentication }}: - - ${{ if containsValue(parameters.usesRegistries, auth.server) }}: + # Also guard on .name here for the same reason as the serviceConnections loop above. + - ${{ if and(containsValue(parameters.usesRegistries, auth.server), auth.serviceConnection.name) }}: - task: AzureCLI@2 displayName: Reference ${{ auth.serviceConnection.name }} inputs: diff --git a/eng/docker-tools/templates/steps/test-images-linux-client.yml b/eng/docker-tools/templates/steps/test-images-linux-client.yml index 8f0e8426bd..1806dbb7f0 100644 --- a/eng/docker-tools/templates/steps/test-images-linux-client.yml +++ b/eng/docker-tools/templates/steps/test-images-linux-client.yml @@ -25,6 +25,12 @@ steps: - script: | echo "##vso[task.setvariable variable=testRunner.container]testrunner-$(Build.BuildId)-$(System.JobId)" + if [ "${{ parameters.preBuildValidation }}" == "true" ]; then + echo "##vso[task.setvariable variable=effectiveTestScriptPath]$(preBuildTestScriptPath)" + else + echo "##vso[task.setvariable variable=effectiveTestScriptPath]$(testScriptPath)" + fi + additionalTestArgs="$ADDITIONALTESTARGS" if [ "${{ parameters.preBuildValidation }}" == "true" ]; then additionalTestArgs="$additionalTestArgs -TestCategories pre-build" @@ -74,7 +80,7 @@ steps: $(testRunner.options) $(testRunner.container) pwsh - -Command "$(testScriptPath) + -Command "$(effectiveTestScriptPath) -Paths $(imageBuilderPathsArrayInitStr) -OSVersions $(osVersionsArrayInitStr) -Architecture '$(architecture)' diff --git a/eng/docker-tools/templates/variables/docker-images.yml b/eng/docker-tools/templates/variables/docker-images.yml index 293657be58..73aa405116 100644 --- a/eng/docker-tools/templates/variables/docker-images.yml +++ b/eng/docker-tools/templates/variables/docker-images.yml @@ -1,5 +1,5 @@ variables: - imageNames.imageBuilderName: mcr.microsoft.com/dotnet-buildtools/image-builder:2919324 + imageNames.imageBuilderName: mcr.microsoft.com/dotnet-buildtools/image-builder:2923333 imageNames.imageBuilder: $(imageNames.imageBuilderName) imageNames.imageBuilder.withrepo: imagebuilder-withrepo:$(Build.BuildId)-$(System.JobId) imageNames.testRunner: mcr.microsoft.com/dotnet-buildtools/prereqs:azurelinux3.0-docker-testrunner