[DO NOT MERGE] Testing new delta build flow #17066
Draft
dmcilvaney wants to merge 10 commits into tomls/base/main from
Conversation
Force-pushed 557a52d to 453ebaa
…tection
Replace the bash 'git diff | grep /sources' step with structured azldev
commands for lock validation, change detection, and scoped rendering.
Pipeline step order:
1. Lock check -- 'azldev component update -a -q -O json', fail if any
component has changed == true. Lock-update JSON published as a
pipeline artifact for triage.
2. Changed-component detection -- 'azldev component changed
--include-unchanged' writes the full per-component JSON to disk,
published via ob_outputDirectory. The --include-unchanged flag
ensures the JSON contains every known component, which is needed
for the renderable-set filter in step 4.
3. Source/identity consistency tripwire -- hard-fail if any component
reports sourcesChange == true with a changeType not in the
allow-list {added, changed, deleted}. Prevents unauthenticated
rewrites of the rendered 'sources' file under an existing
component's identity. Data path is severed (subsequent steps
skip); PR check remains advisory until ADO task 19179 removes
job-level continueOnError.
4. Scoped render -- render set is the union of components flagged by
'azldev component changed' (inputs differ) and components whose
spec tree was touched directly in the PR (git diff under specs/,
mapped back to component names by compute_render_set.py). Deleted
and unknown components are excluded via a renderable-set filter
built from the full --include-unchanged JSON.
5. Prcheck API -- switches from --components <csv> to
--changed-components-file <path>, filtering to entries with
sourcesChange == true and changeType in {added, changed}
(allow-list, mirroring the consistency tripwire).
Also:
* Add --changed-components-file flag (mutually exclusive with
--components) and _load_components_from_file() to run_prcheck.py.
Uses an allow-list of changeType values for defense-in-depth.
* Add compute_render_set.py for render-set computation.
* Document AZLDEV_ALLOW_ROOT in ADO pipeline instructions (OneBranch
containers run as root, azldev refuses by default).
* Mark changedComponentsFile pipeline variable as isreadonly=true.
* Switch API_BASE_URL to $(ApiBaseDirectUrl) (bypasses AFD).
Force-pushed 5e35cd8 to c873a79
Force-pushed c873a79 to 76b54d6
📄❌ Rendered specs are out of date
FIX: run this and commit the result:
    azldev component render nano
Or download the fix patch and apply it:
    gh run download 25588424331 -R microsoft/azurelinux -n rendered-specs-patch
    git apply rendered-specs.patch
Files to add
These files are produced by
Add a 'Submit package build to Control Tower' step that calls the
/api/Scenario/package endpoint after the prcheck step succeeds. The
step is gated on PR triggers so unmerged code never kicks off a build.
Naming: the pipeline now does more than source upload, so rename to
reflect what it actually does (call Control Tower).
* sources-upload.yml -> control-tower-integration.yml
* sources-upload-stages.yml -> control-tower-integration-stages.yml
* Stage PRCheck -> Integration
* Job CallControlTowerAPI -> UploadAndBuild
Both API calls live in a single job. Two jobs would have doubled the
fixed-cost OneBranch SDL/binary-analysis injections, required a
cross-job artifact handoff for the changed-components JSON, and bought
us only marginal isolation -- upload finishes in minutes and the
package-build call only briefly polls to confirm acceptance.
The ADO pipeline definition's 'YAML file path' must be updated in the
portal from sources-upload.yml to control-tower-integration.yml when
this lands.
Package-build step details:
* condition: and(succeeded(), ne(Build.Reason, PullRequest))
* Reuses the changed-components JSON from earlier in the job, filters
to changeType in {added, changed}, submits with packageTarget=azl4,
isScratchBuild=true.
* run_package_build.py polls briefly (default 5 min) just to confirm
the job left Queued; full build progress is monitored in CT itself.
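The selection logic that the first commit message above describes in steps 3 to 5 (the sourcesChange/changeType consistency tripwire, the renderable-set filter built from the --include-unchanged JSON, and the changeType allow-list the prcheck upload applies) is the same logic this commit's package-build step reuses when it filters the changed-components JSON to {added, changed}. The block below is an added illustration of that flow written for this page; it is not compute_render_set.py, run_prcheck.py, run_package_build.py or any azldev code. The JSON shape (a list of objects carrying name, changeType and sourcesChange), the specs/<component>/... layout used to map touched paths back to components, and the fixture entries are all assumptions; the fixture only borrows the words, nano and cvsps names from the test commits further down.

```python
"""Render-set and submission-set selection over azldev-style component JSON.

Illustrative code, not the azurelinux pipeline scripts or azldev itself.
Assumed input shape: a JSON list of {"name", "changeType", "sourcesChange"}
objects as produced with --include-unchanged, so every known component is
present (that is what makes the renderable-set filter possible).
"""
import json
from pathlib import PurePosixPath

# changeType values under which a rewritten sources file is legitimate.
ALLOWED_SOURCE_CHANGE_TYPES = frozenset({"added", "changed", "deleted"})
# Subset that prcheck upload and package build actually submit.
SUBMITTABLE_CHANGE_TYPES = frozenset({"added", "changed"})

# Constructed fixture (not real azldev output): words has a spec-only edit,
# nano is untouched by azldev but its spec tree is edited in the PR, cvsps is
# deleted, foo is a new component with a real sources change.
CONSTRUCTED_JSON = json.dumps([
    {"name": "words", "changeType": "changed", "sourcesChange": False},
    {"name": "nano", "changeType": "unchanged", "sourcesChange": False},
    {"name": "cvsps", "changeType": "deleted", "sourcesChange": False},
    {"name": "foo", "changeType": "added", "sourcesChange": True},
])
# Same fixture plus an entry that claims a sources rewrite while reporting
# "unchanged": the case the tripwire must hard-fail on.
TAMPERED_JSON = json.dumps(json.loads(CONSTRUCTED_JSON) + [
    {"name": "evil", "changeType": "unchanged", "sourcesChange": True},
])
# Constructed stand-in for `git diff --name-only --diff-filter=d ... specs/`
# (deleted paths already excluded); one path belongs to no known component.
TOUCHED_SPEC_PATHS = [
    "specs/nano/nano.spec",
    "specs/nano/nano.signatures.json",
    "specs/unknown/unknown.spec",
    "toolkit/README.md",
]


def load_components(text):
    """Parse the component JSON; every entry needs a name and a changeType."""
    comps = json.loads(text)
    for c in comps:
        if "name" not in c or "changeType" not in c:
            raise ValueError(f"malformed component entry: {c!r}")
        c.setdefault("sourcesChange", False)
    return comps


def tripwire_violations(comps):
    """Names whose sources file changed under a changeType outside the allow-list."""
    return sorted(
        c["name"] for c in comps
        if c["sourcesChange"] and c["changeType"] not in ALLOWED_SOURCE_CHANGE_TYPES
    )


def renderable_set(comps):
    """Every known component except deleted ones (requires the full JSON)."""
    return {c["name"] for c in comps if c["changeType"] != "deleted"}


def component_from_spec_path(path):
    """Map specs/<component>/<file> back to <component>; None for other paths."""
    parts = PurePosixPath(path).parts
    if len(parts) >= 3 and parts[0] == "specs":
        return parts[1]
    return None


def compute_render_set(comps, touched_spec_paths):
    """Union of azldev-flagged components and PR-touched spec trees,
    restricted to renderable components (drops deleted and unknown names)."""
    flagged = {c["name"] for c in comps if c["changeType"] != "unchanged"}
    touched = {n for n in map(component_from_spec_path, touched_spec_paths) if n}
    return (flagged | touched) & renderable_set(comps)


def select_for_submission(comps):
    """Entries prcheck upload and the package-build call may submit."""
    return sorted(
        c["name"] for c in comps
        if c["sourcesChange"] and c["changeType"] in SUBMITTABLE_CHANGE_TYPES
    )


def pipeline_selection(component_json, touched_spec_paths):
    """Steps 3-5 in pipeline order; raises so later steps are never reached
    when the tripwire fires."""
    comps = load_components(component_json)
    bad = tripwire_violations(comps)
    if bad:
        raise RuntimeError(f"sourcesChange under unexpected changeType: {bad}")
    return {
        "render": sorted(compute_render_set(comps, touched_spec_paths)),
        "submit": select_for_submission(comps),
    }


if __name__ == "__main__":
    print(json.dumps(pipeline_selection(CONSTRUCTED_JSON, TOUCHED_SPEC_PATHS), indent=2))
```

Running the block on the constructed fixture renders words, nano and foo (cvsps and the unknown spec path are filtered out) and submits only foo, because words has no sources change; the tampered fixture stops at the tripwire before any render or submit set is computed.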
Testing-only commit so we can exercise the full PR-3 flow from a draft PR against the existing ADO build definition. Changes:
* Rename control-tower-integration.yml -> sources-upload.yml (+ stages template) so the existing ADO pipeline definition keeps firing without portal edits.
* Lift the PullRequest skip in run_prcheck.py so prcheck gets called from a draft PR run.
* Lift the PullRequest exclusion on the package-build step condition so scratch builds get submitted from a draft PR run.
(The earlier API_BASE_URL hardcode is no longer needed: PR-1 now wires $(ApiBaseDirectUrl) from the variable group, which already points at APIM directly.)
Adds a Summary tweak via spec-search-replace overlay so 'azldev component changed' reports words with changeType=changed. The spec Source: URL and lookaside sources file stay at their upstream values so Control Tower can actually fetch the tarball and rebuild. Sources file is unchanged from upstream, so sourcesChange=false and the prcheck upload path is skipped. The package-build path is the one being exercised here. Drop this commit before merging anywhere.
Pairs with the words benign-overlay fixture to exercise the second input to compute_render_set.py: a rendered-spec edit with no .comp.toml change. The file shows up in 'git diff --name-only specs/' and gets mapped to the 'nano' component; the union with azldev's component-changed output puts both 'words' and 'nano' in the render set, visible in the pipeline log. A pure file-addition (not modify/delete) is the only way to exercise the path without also tripping check_rendered_specs.py, which only flags modifications and deletions. Drop before merging anywhere.
Removes cvsps component + specs + lock. The specs-diff render set should NOT include cvsps because --diff-filter=d excludes deleted paths. azldev component changed should report changeType=deleted which is also excluded from the render set. Net: cvsps should not appear in the render set or trigger a render call. Drop this commit before merging anywhere.
Remove test fixture file -- no longer needed for pipeline validation.
Force-pushed c9303be to 6ea25dd
Merge Checklist
All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)
(*-static subpackages, etc.) have had their Release tag incremented.
(./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
(./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
*.signatures.json files
sudo make go-tidy-all and sudo make go-test-coverage pass
Summary
What does the PR accomplish, why was it needed?
Change Log
Does this affect the toolchain?
YES/NO
Associated issues
Links to CVEs
Test Methodology