Prevent scanning/signing of unrelated packages

[samsharma2700]

Description

(Part 2 of 2) Continuation of the package isolation work from Part 1. The CI/PR validation pipelines (ci-build-nugets-job.yml) have the same issue: they download dependency packages from previous stages into a directory, then build new NuGet packages into the same directory. The packagePath variable controls where built packages are published as pipeline artifacts, so any downloaded packages in the same location get re-uploaded as artifacts unnecessarily.

Solution

Apply the same packages/ vs output/ separation to the CI/PR pipelines:

• packagePath (in ci-build-variables.yml) now points to output/ : this is where dotnet pack / nuget pack outputs go and what gets published as pipeline artifacts
• Download steps in ci-build-nugets-job.yml are hardcoded to $(Build.SourcesDirectory)/packages instead of using
  $(packagePath), so downloaded dependencies stay in the NuGet local feed directory and don't contaminate the artifact upload

Notes

This PR (Part 2) covers the CI/PR validation pipelines that build packages for testing during pull requests and continuous integration. No MSBuild or .gitignore changes needed, those were handled in Part 1.

[Copilot]

Pull request overview

Separates downloaded dependency packages from newly-built NuGet outputs in CI/PR pipelines to avoid re-uploading unrelated packages as artifacts.

Changes:

• Updates packagePath to use output/ as the build/artifact output directory.
• Redirects pipeline artifact downloads to packages/ (local feed) instead of $(packagePath).

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File	Description
eng/pipelines/libraries/ci-build-variables.yml	Moves packagePath from packages/ to output/ and documents why.
eng/pipelines/common/templates/jobs/ci-build-nugets-job.yml	Downloads dependent package artifacts into packages/ to avoid contaminating build outputs/artifacts.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 65.05%. Comparing base (326a242) to head (f2ec391).
⚠️ Report is 3 commits behind head on main.

❗ There is a different number of reports uploaded between BASE (326a242) and HEAD (f2ec391). Click for more details.

HEAD has 1 upload less than BASE

Flag	BASE (326a242)	HEAD (f2ec391)
CI-SqlClient	1	0

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4007      +/-   ##
==========================================
- Coverage   72.65%   65.05%   -7.61%     
==========================================
  Files         287      282       -5     
  Lines       43134    66043   +22909     
==========================================
+ Hits        31337    42961   +11624     
- Misses      11797    23082   +11285     

Flag	Coverage Δ
CI-SqlClient	?
PR-SqlClient-Project	65.05% <ø> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[mdaigle]

Looks good. You should be able to temporarily open a PR against the ADO repo to do a test run of the ci pipeline against these changes.

[samsharma2700]

build link : https://sqlclientdrivers.visualstudio.com/ADO.Net/_build/results?buildId=142484&view=results

[mdaigle]

I also noticed that we're scanning and signing extra nupkg and snupkg files
https://sqlclientdrivers.visualstudio.com/ADO.Net/_build/results?buildId=142484&view=logs&j=99937505-de76-5f62-5ae4-e56b4d0a7b45&t=7aec6b7e-df9b-5a54-d0d3-669ba026a6ae
https://sqlclientdrivers.visualstudio.com/ADO.Net/_build/results?buildId=142484&view=logs&j=99937505-de76-5f62-5ae4-e56b4d0a7b45&t=6fe5b30d-602c-552d-93af-7cda3526bf78

[Copilot]

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated no new comments.