Publishing to BAR/Maestro will no longer support tokens #9164

Closed
premun opened this issue Aug 2, 2024 · 0 comments · Fixed by #9182


premun commented Aug 2, 2024

Android framework version

Other

Affected platform version

CI/eng

Description

I noticed that you're still using `$(MaestroAccessToken)` when publishing internal builds in `-p:BuildAssetRegistryToken=$(MaestroAccessToken)`.

This token is getting deprecated in favour of using a secretless auth via a service connection.
You will need to change how you do this or your internal builds will soon break.
The change is not complicated and goes as follows:

If your pipeline has something like this:

```yaml
- task: DotNetCoreCLI@2
  displayName: generate and publish BAR manifest
  inputs:
    projects: $(System.DefaultWorkingDirectory)\build-tools\create-packs\Microsoft.Android.Sdk.proj
    arguments: >-
      -t:PushManifestToBuildAssetRegistry
      -p:BuildAssetRegistryToken=$(MaestroAccessToken)
      -p:OutputPath=$(Build.StagingDirectory)\nuget-signed\
      -c $(XA.Build.Configuration) -bl:$(System.DefaultWorkingDirectory)\bin\Build$(XA.Build.Configuration)\push-bar-manifest.binlog
  condition: and(succeeded(), eq('${{ parameters.pushXAPackagesToMaestro }}', 'true'))
```

it will need to change to something like this:

```yaml
- task: AzureCLI@2
  displayName: "Publish to the .NET Core build asset registry (BAR)"
  inputs:
    azureSubscription: "Darc: Maestro Production"
    scriptType: ps
    scriptLocation: inlineScript
    inlineScript: >
      dotnet build $(System.DefaultWorkingDirectory)\build-tools\create-packs\Microsoft.Android.Sdk.proj
      -t:PushManifestToBuildAssetRegistry
      -p:OutputPath=$(Build.StagingDirectory)\nuget-signed\
      -c $(XA.Build.Configuration) -bl:$(System.DefaultWorkingDirectory)\bin\Build$(XA.Build.Configuration)\push-bar-manifest.binlog
  condition: and(succeeded(), eq('${{ parameters.pushXAPackagesToMaestro }}', 'true'))
```

The differences between the snippets above are:

  • AzureCLI@2 task is used
  • The “Darc: Maestro Production” service connection is used.
    Your pipeline will need to be approved to use this connection (reach out to First Responders).
  • The $(MaestroAccessToken) secret is removed

Steps to Reproduce

A problem with internal builds of this repo

Did you find any workaround?

No response

Relevant log output

No response
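
A check for the migration described in this issue, added here as an example and not taken from the issue or from the dotnet/android repository: it scans pipeline YAML for steps that run `PushManifestToBuildAssetRegistry` and flags any that still pass the token or do not run under `AzureCLI@2` with a service connection. The function names are hypothetical, the two sample steps are constructed from the snippets above, and steps are split with a regular expression rather than a full YAML parser.

```python
import re

# Constructed sample inputs, shortened from the two snippets in the issue.
LEGACY = """
- task: DotNetCoreCLI@2
  displayName: generate and publish BAR manifest
  inputs:
    arguments: >-
      -t:PushManifestToBuildAssetRegistry
      -p:BuildAssetRegistryToken=$(MaestroAccessToken)
"""

MIGRATED = """
- task: AzureCLI@2
  displayName: "Publish to the .NET Core build asset registry (BAR)"
  inputs:
    azureSubscription: "Darc: Maestro Production"
    scriptType: ps
    scriptLocation: inlineScript
    inlineScript: >
      dotnet build Microsoft.Android.Sdk.proj
      -t:PushManifestToBuildAssetRegistry
"""

STEP_START = re.compile(r"^[ \t]*-[ \t]+task:[ \t]*(\S+)", re.M)

def split_steps(yaml_text):
    """Yield (task_name, step_text) for each '- task:' entry (hypothetical helper)."""
    starts = list(STEP_START.finditer(yaml_text))
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(yaml_text)
        yield m.group(1), yaml_text[m.start():end]

def audit_bar_publishing(yaml_text):
    """Return (task, finding) pairs for steps that push a manifest to BAR."""
    findings = []
    for task, body in split_steps(yaml_text):
        if "PushManifestToBuildAssetRegistry" not in body:
            continue  # not a BAR publishing step
        if "$(MaestroAccessToken)" in body or "BuildAssetRegistryToken=" in body:
            findings.append((task, "token still passed to the publish target"))
        if task != "AzureCLI@2":
            findings.append((task, "not running under AzureCLI@2"))
        elif not re.search(r"^[ \t]*azureSubscription:[ \t]*\S", body, re.M):
            findings.append((task, "AzureCLI@2 without a service connection"))
    return findings
```

A step that was moved to `AzureCLI@2` but still carries the `-p:BuildAssetRegistryToken=...` argument is reported as well, which catches a partial migration.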

@premun premun added the needs-triage Issues that need to be assigned. label Aug 2, 2024
@pjcollins pjcollins assigned pjcollins and unassigned jpobst Aug 2, 2024
@pjcollins pjcollins added Area: xamarin-android Build Issues building the xamarin-android repo *itself*. and removed needs-triage Issues that need to be assigned. labels Aug 2, 2024
@pjcollins pjcollins added this to the .NET 9 milestone Aug 2, 2024
pjcollins added a commit that referenced this issue Aug 8, 2024
Fixes: #9164

Migrates darc/maestro commands to use a passwordless auth flow, as token
based authentication is deprecated and will be removed in the future.
pjcollins added a commit that referenced this issue Aug 14, 2024
Fixes: #9164

Migrates darc/maestro commands to use a passwordless auth flow, as token
based authentication is deprecated and will be removed in the future.
pjcollins added a commit to xamarin/xamarin-macios that referenced this issue Aug 15, 2024
…#20914)

Context: dotnet/android#9164

We've seen the build promotion pipeline fail when trying to publish
stable package versions:

    error : Package 'Microsoft.iOS.Ref.net8.0_17.5' has stable version '17.5.8001' but is targeted at a non-isolated feed 'https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet8/nuget/v3/index.json'

This is because we were not declaring these packages as stable when
building the build asset registry manifest.

Fix this by passing the `$NUGET_PRERELEASE_IDENTIFIER` variable to the
build asset manifest creation task to determine if a build is stable.

When `$(IsStableBuild)` is set to true, packages will be pushed to an
isolated feed during publishing, such as:

      Package [email protected] (Shipping) should go to https://pkgs.dev.azure.com/dnceng/public/_packaging/darc-pub-dotnet-android-b8317b6f/nuget/v3/index.json (Isolated, Public)

Additionally migrates darc/maestro commands to use a passwordless auth flow,
as token-based authentication will be removed in the future.
pjcollins added a commit that referenced this issue Aug 16, 2024
…ts (#9195)

* [ci] Improve maestro artifact publishing (#8945)

Context: https://github.com/dotnet/arcade/blob/efc3da96e5ac110513e92ebd9ef87c73f44d8540/Documentation/DependencyFlowOnboardingWithoutArcade.md

The steps used to publish build asset information to maestro have been
updated.

With the new `PushToAzureDevOpsArtifacts` task the build pipeline should
now create all of the artifacts required for maestro artifact publishing.
The `add-build-to-channel` darc command will now trigger a
[Build Promotion Pipeline][0] that pushes build assets to the feed that
corresponds to the maestro channel that is being updated.  We should
no longer need to push assets to various NuGet feeds in a separate step.

[0]: https://dev.azure.com/devdiv/DevDiv/_build/results?buildId=9577012&view=logs&j=ba23343f-f710-5af9-782d-5bd26b102304&t=c7a8693b-2f9c-5ea8-c909-cde9405ac2e1&l=238

* [ci] Use long version for maestro publishing (#8964)

Commit bbac9fe ran into some issues when attempting to publish to maestro:

    error : Asset 'D:\a\_work\1\a\7dc04dfe-406a-4fa3-aea0-199acc2763fa\MergedManifest.xml' already exists with different contents at assets/manifests/xamarin-xamarin-android/34.99.0-dev/MergedManifest.xml

We should be able to fix this by using the long package version which
optionally includes pre-release labeling and commit distance info.

* [ci] Use drop service for SDK insertion artifacts  (#9116)

Context: xamarin/yaml-templates@8759ec9
Context: xamarin/sdk-insertions#149

Steps to upload release artifacts to custom blob storage have been
replaced with azure-artifacts-drop (aka.ms/drop).

A new version of nuget-msi-convert has been added that will create a set
of artifact drops for the following shipping artifacts:
  * nugets
  * vs-components
  * vs-packs

The nugets drop contains all shipping packages that should be pushed to
various feeds or NuGet.org.

The components and packs drops are used for VS insertions.

* [ci] Fix maestro publishing for stable packages (#9118)

We've seen the build promotion pipeline fail when trying to publish
stable package versions:

    error : Package 'Microsoft.iOS.Ref.net8.0_17.5' has stable version '17.5.8001' but is targeted at a non-isolated feed 'https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet8/nuget/v3/index.json'

This is because we were not declaring these packages as stable when
building the build asset registry manifest.

Fix this by passing the `$(IsStableBuild)` property to the build asset
manifest creation task. This property needs to be updated manually when
switching to stable package versioning (see commit 4ea5dbb).

When `$(IsStableBuild)` is set to true, packages will be pushed to an
isolated feed during publishing, such as:

      Package [email protected] (Shipping) should go to https://pkgs.dev.azure.com/dnceng/public/_packaging/darc-pub-dotnet-android-b8317b6f/nuget/v3/index.json (Isolated, Public)

* [ci] Use passwordless auth for darc/maestro (#9182)

Fixes: #9164

Migrates darc/maestro commands to use a passwordless auth flow, as token
based authentication is deprecated and will be removed in the future.

* Use net8.0 version of Microsoft.DotNet.SharedFramework.Sdk

* [ci] Simplify shipping drop metadata names (#9181)

Using the $(System.JobAttempt) variable in the drop metadata artifact
name is problematic. In some cases the drop artifacts created by the
nuget-msi-convert job will be used by a different job, and the job
attempt number will not necessarily match if any jobs are re-ran.
@github-actions github-actions bot locked and limited conversation to collaborators Sep 14, 2024