dotnet · lbussell · Mar 13, 2026 · Mar 13, 2026
@@ -26,12 +26,23 @@ Service connections are now referenced per-job via
 
 ## 2026-03-04: Pre-build validation gated by `preBuildTestScriptPath` variable
 
+- Pull request: [#1997](https://github.com/dotnet/docker-tools/pull/1997)
+
 The `PreBuildValidation` job condition now checks the new `preBuildTestScriptPath` variable instead of `testScriptPath`.
 This allows repos to independently control whether pre-build validation runs, without affecting functional tests.
 
 The new variable defaults to `$(testScriptPath)`, so existing repos that have pre-build tests are not affected.
 Repos that do not have pre-build tests can set `preBuildTestScriptPath` to `""` to skip the job entirely.
 
+### Update (2026-03-11): Use `preBuildTestScriptPath` for test execution
+
+- Pull request: [#2011](https://github.com/dotnet/docker-tools/pull/2011)
+
+The `PreBuildValidation` job now uses `preBuildTestScriptPath` for test execution instead of `testScriptPath`.
+Previously, the job condition was gated on `preBuildTestScriptPath` but the test execution step still used `testScriptPath`,
+which meant PreBuildValidation could not be enabled independently when `testScriptPath` was empty.
+Repos that do not have pre-build tests can set `preBuildTestScriptPath` to `""` to skip the job entirely.
+
 ---
 
 ## 2026-02-19: Separate Registry Endpoints from Authentication

@@ -48,7 +48,9 @@ jobs:
       dockerClientOS: ${{ parameters.dockerClientOS }}
       usesRegistries:
         - ${{ parameters.publishConfig.BuildRegistry.server }}
-      ${{ if parameters.storageAccountServiceConnection }}:
+      # Check .name instead of the whole object - null parameters can become
+      # empty objects through template layers, making ${{ if }} truthy.
+      ${{ if parameters.storageAccountServiceConnection.name }}:
         serviceConnections:
         - name: ${{ parameters.storageAccountServiceConnection.name }}
   - template: /eng/docker-tools/templates/steps/set-image-info-path-var.yml@self

@@ -25,6 +25,13 @@ jobs:
       publishConfig: ${{ parameters.publishConfig }}
       versionsRepoRef: ${{ parameters.versionsRepoRef }}
       customInitSteps: ${{ parameters.customInitSteps }}
+  # When --trim-cached-images is active, ImageBuilder checks base image digests
+  # in the ACR mirror registry, which requires OIDC auth via this service connection.
+  - template: /eng/docker-tools/templates/steps/reference-service-connections.yml@self
+    parameters:
+      publishConfig: ${{ parameters.publishConfig }}
+      usesRegistries:
+        - ${{ parameters.publishConfig.BuildRegistry.server }}
   - ${{ parameters.customGenerateMatrixInitSteps }}
   - template: /eng/docker-tools/templates/steps/retain-build.yml@self
   - template: /eng/docker-tools/templates/steps/validate-branch.yml@self

@@ -43,19 +43,23 @@ parameters:
 
 steps:
 - ${{ if and(eq(variables['System.TeamProject'], parameters.internalProjectName), ne(variables['Build.Reason'], 'PullRequest')) }}:
+  # Guard on .name: null parameters passed through template layers can become
+  # empty objects that are truthy, so check the concrete property instead.
   - ${{ each serviceConnection in parameters.serviceConnections }}:
-    - task: AzureCLI@2
-      displayName: Reference ${{ serviceConnection.name }}
-      inputs:
-        azureSubscription: ${{ serviceConnection.name }}
-        ${{ if eq(parameters.dockerClientOS, 'windows') }}:
-          scriptType: ps
-        ${{ else }}:
-          scriptType: pscore
-        scriptLocation: inlineScript
-        inlineScript: Write-Host "Service connection referenced for OIDC"
+    - ${{ if serviceConnection.name }}:
+      - task: AzureCLI@2
+        displayName: Reference ${{ serviceConnection.name }}
+        inputs:
+          azureSubscription: ${{ serviceConnection.name }}
+          ${{ if eq(parameters.dockerClientOS, 'windows') }}:
+            scriptType: ps
+          ${{ else }}:
+            scriptType: pscore
+          scriptLocation: inlineScript
+          inlineScript: Write-Host "Service connection referenced for OIDC"
   - ${{ each auth in parameters.publishConfig.RegistryAuthentication }}:
-    - ${{ if containsValue(parameters.usesRegistries, auth.server) }}:
+    # Also guard on .name here for the same reason as the serviceConnections loop above.
+    - ${{ if and(containsValue(parameters.usesRegistries, auth.server), auth.serviceConnection.name) }}:
       - task: AzureCLI@2
         displayName: Reference ${{ auth.serviceConnection.name }}
         inputs:

@@ -25,6 +25,12 @@ steps:
 - script: |
     echo "##vso[task.setvariable variable=testRunner.container]testrunner-$(Build.BuildId)-$(System.JobId)"
 
+    if [ "${{ parameters.preBuildValidation }}" == "true" ]; then
+      echo "##vso[task.setvariable variable=effectiveTestScriptPath]$(preBuildTestScriptPath)"
+    else
+      echo "##vso[task.setvariable variable=effectiveTestScriptPath]$(testScriptPath)"
+    fi
+
     additionalTestArgs="$ADDITIONALTESTARGS"
     if [ "${{ parameters.preBuildValidation }}" == "true" ]; then
       additionalTestArgs="$additionalTestArgs -TestCategories pre-build"
@@ -74,7 +80,7 @@ steps:
     $(testRunner.options)
     $(testRunner.container)
     pwsh
-    -Command "$(testScriptPath)
+    -Command "$(effectiveTestScriptPath)
     -Paths $(imageBuilderPathsArrayInitStr)
     -OSVersions $(osVersionsArrayInitStr)
     -Architecture '$(architecture)'

@@ -1,5 +1,5 @@
 variables:
-  imageNames.imageBuilderName: mcr.microsoft.com/dotnet-buildtools/image-builder:2919324
+  imageNames.imageBuilderName: mcr.microsoft.com/dotnet-buildtools/image-builder:2923333
   imageNames.imageBuilder: $(imageNames.imageBuilderName)
   imageNames.imageBuilder.withrepo: imagebuilder-withrepo:$(Build.BuildId)-$(System.JobId)
   imageNames.testRunner: mcr.microsoft.com/dotnet-buildtools/prereqs:azurelinux3.0-docker-testrunner