[CI] Remove the need of a variable to state if we are building a PR. (#…

…15205)

Deciding if we build a PR or not used to be more complicated since we
had to make the diff between a CI build and a PR build. Now, since we
added diff pipelines we do not longer need to check any variable since
we can use a parameter.

This new fact makes the decision making simpler (although forces use to
add a new parameter in a few templates). The overall result is a simple
way to decide what can be used or not in the pipeline.

* Simplify logic.

* Add missing param.

* Fix the checkout for signing in the pr build.

* There is not need to sign in PR builds.

The signature is not needed for the tests and using -s in codesign means
that it is only valid in the machine that signed it.

tools/devops/automation/build-pipeline.yml

@@ -221,6 +221,7 @@ trigger:
 stages:
 - template: templates/main-stage.yml
   parameters:
+    isPR: false
     provisionatorChannel: ${{ parameters.provisionatorChannel }}
     pool: ${{ parameters.pool }}
     runTests: ${{ parameters.runTests }}
@@ -238,4 +239,6 @@ stages:
     macTestsConfigurations: ${{ parameters.macTestsConfigurations }}
     signingSetupSteps:
       - template: ./templates/sign-and-notarized/setup.yml
+        parameters:
+          isPR: false
 

tools/devops/automation/build-pull-request.yml

@@ -205,6 +205,7 @@ pr:
 stages:
 - template: templates/main-stage.yml
   parameters:
+    isPR: true
     provisionatorChannel: ${{ parameters.provisionatorChannel }}
     pool: ${{ parameters.pool }}
     runTests: ${{ parameters.runTests }}
@@ -220,3 +221,7 @@ stages:
     simTestsConfigurations: ${{ parameters.simTestsConfigurations }}
     deviceTestsConfigurations: ${{ parameters.deviceTestsConfigurations }}
     macTestsConfigurations: ${{ parameters.macTestsConfigurations }}
+    signingSetupSteps:
+      - template: ./templates/sign-and-notarized/setup.yml
+        parameters:
+          isPR: true

tools/devops/automation/templates/build/api-diff-build-and-detect.yml

@@ -21,10 +21,14 @@ parameters:
   type: string
   default: '' # default empty, meaning we are building in CI
 
+- name: isPR
+  type: boolean
+
 # build the source code (build.yml) and detect changes (the nested api-diff.yml)
 steps:
 - template: build.yml
   parameters:
+    isPR: ${{ parameters.isPR }}
     vsdropsPrefix: ${{ parameters.vsdropsPrefix }}
     keyringPass: ${{ parameters.keyringPass }}
     gitHubToken: ${{ parameters.gitHubToken }}

tools/devops/automation/templates/build/api-diff-stage.yml

@@ -21,6 +21,9 @@ parameters:
   type: string
   default: automatic
 
+- name: isPR
+  type: boolean
+
 jobs:
 - job: configure
   displayName: 'Configure build'
@@ -83,6 +86,7 @@ jobs:
   steps:
   - template: api-diff-build-and-detect.yml
     parameters:
+      isPR: ${{ parameters.isPR }}
       vsdropsPrefix: ${{ parameters.vsdropsPrefix }}
       keyringPass: ${{ parameters.keyringPass }}
       gitHubToken: ${{ parameters.gitHubToken }}

tools/devops/automation/templates/build/build-pkgs.yml

@@ -35,9 +35,13 @@ parameters:
   type: boolean
   default: false # only to be used when testing the CI and we do not need a signed pkg
 
+- name: isPR
+  type: boolean
+
 steps:
 - template: build.yml
   parameters:
+    isPR: ${{ parameters.isPR }}
     runDeviceTests: ${{ parameters.runDeviceTests }}
     vsdropsPrefix: ${{ parameters.vsdropsPrefix }}
     keyringPass: ${{ parameters.keyringPass }}

tools/devops/automation/templates/build/build-stage.yml

@@ -33,6 +33,9 @@ parameters:
   type: string
   default: automatic
 
+- name: isPR
+  type: boolean
+
 jobs:
 - job: configure
   displayName: 'Configure build'
@@ -120,6 +123,7 @@ jobs:
   steps:
   - template: build-pkgs.yml
     parameters:
+      isPR: ${{ parameters.isPR }}
       runTests: ${{ parameters.runTests }}
       runDeviceTests: ${{ parameters.runDeviceTests }}
       vsdropsPrefix: ${{ parameters.vsdropsPrefix }}

tools/devops/automation/templates/build/build.yml

@@ -19,6 +19,10 @@ parameters:
   type: boolean
   default: false
 
+- name: isPR
+  type: boolean
+  default: false
+
 - name: buildSteps 
   type: stepList 
   default: []
@@ -100,8 +104,6 @@ steps:
     # a branch in origin
 
     if ($buildReason -eq "PullRequest" -or (($buildReason -eq "Manual" -or $buildReason -eq "IndividualCI") -and ($buildSourceBranchName -eq "merge")) ) {
-      $configVars.Add("IsPR", "True")
-
       $configVars.Add("BuildPkgs", "True")
 
       # interesting case, we have build-pkg and skip-pkg... if that is the case, we build it, but we set a warning
@@ -145,8 +147,6 @@ steps:
 
     } else {
       # set the defaults, all the things! o/
-      $configVars.Add("IsPR", "False")
-
       # build pkg, nugets and sign them
       $configVars.Add("BuildPkgs", "True")
       $configVars.Add("BuildNugets", "True")
@@ -214,7 +214,10 @@ steps:
     ./configure $CONFIGURE_FLAGS
     echo $(cat $(Build.SourcesDirectory)/xamarin-macios/configure.inc)
   env:
-    IsPR: $(configuration.IsPR)
+    ${{ if eq(parameters.isPR, true) }}:
+      IsPR: 'True'
+    ${{ else }}:
+      IsPR: 'False'
     ${{ if eq(parameters.enableDotnet, true) }}:
       EnableDotNet: 'True'
   displayName: "Configure build"

tools/devops/automation/templates/main-stage.yml

@@ -52,6 +52,9 @@ parameters:
   type: boolean
   default: false # only to be used when testing the CI and we do not need a signed pkg
 
+- name: isPR
+  type: boolean
+
 - name: simTestsConfigurations
   type: object
 
@@ -107,6 +110,7 @@ stages:
   jobs:
     - template: ./build/build-stage.yml
       parameters:
+        isPR: ${{ parameters.isPR }}
         vsdropsPrefix: ${{ variables.vsdropsPrefix }}
         runTests: ${{ and(parameters.runTests, ne(variables['Build.Reason'], 'Schedule'))}}
         runDeviceTests: ${{ and(parameters.runDeviceTests, ne(variables['Build.Reason'], 'Schedule')) }}
@@ -124,6 +128,7 @@ stages:
   jobs:
     - template: ./sign-and-notarized/prepare-pkg-stage.yml
       parameters:
+        isPR: ${{ parameters.isPR }}
         signingSetupSteps: ${{ parameters.signingSetupSteps }}
         keyringPass: $(pass--lab--mac--builder--keychain)
         enableDotnet: ${{ parameters.enableDotnet }}
@@ -136,6 +141,7 @@ stages:
     jobs:
       - template: ./build/api-diff-stage.yml
         parameters:
+          isPR: ${{ parameters.isPR }}
           vsdropsPrefix: ${{ variables.vsdropsPrefix }}
           keyringPass: $(pass--lab--mac--builder--keychain)
           gitHubToken: ${{ variables['GitHub.Token'] }}
@@ -146,6 +152,8 @@ stages:
 # .NET Release Prep and VS Insertion Stages, only execute them when the build comes from an official branch and is not a schedule build from OneLoc
 - ${{ if and(ne(variables['Build.Reason'], 'Schedule'), or(eq(variables['Build.SourceBranch'], 'refs/heads/main'), startsWith(variables['Build.SourceBranch'], 'refs/heads/release/'), eq(variables['Build.SourceBranch'], 'refs/heads/net7.0'), eq(parameters.forceInsertion, true))) }}:
   - template: ./release/vs-insertion-prep.yml
+    parameters:
+      isPR: ${{ parameters.isPR }}
 
 # Test stages
 

tools/devops/automation/templates/release/vs-insertion-prep.yml

@@ -7,11 +7,14 @@ parameters:
   type: string
   default: prepare_packages
 
+- name: isPR
+  type: boolean
+
 stages:
 - stage: prepare_release
   displayName: Prepare Release
   dependsOn: ${{ parameters.dependsOn }}
-  condition: and(or(eq(dependencies.${{ parameters.dependsOn }}.result, 'Succeeded'), eq(dependencies.${{ parameters.dependsOn }}.result, 'SucceededWithIssues')), eq(variables.IsPRBuild, 'False'), eq(${{ parameters.enableDotnet }}, true))
+  condition: and(or(eq(dependencies.${{ parameters.dependsOn }}.result, 'Succeeded'), eq(dependencies.${{ parameters.dependsOn }}.result, 'SucceededWithIssues')), eq(${{ parameters.isPR }}, false), eq(${{ parameters.enableDotnet }}, true))
 
   jobs:
   # Check - "xamarin-macios (Prepare Release Sign NuGets)"
@@ -107,4 +110,4 @@ stages:
     pushToShippingFeed: true
     nupkgArtifactName: nuget-signed
     msiNupkgArtifactName: vs-msi-nugets
-    condition: eq(variables.IsPRBuild, 'False')
+    condition: eq(${{ parameters.isPR }}, false)

tools/devops/automation/templates/sign-and-notarized/dotnet-signing.yml

@@ -2,11 +2,16 @@
 parameters:
 
 - name: condition
-  default: and(succeeded(), eq(variables['IsPRBuild'], 'False'))
+  default: succeeded()
+
+- name: isPR
+  type: boolean
 
 steps:
 
 - template: setup.yml
+  parameters:
+    isPR: ${{ parameters.isPR }}
 
 - task: DownloadPipelineArtifact@2
   displayName: Download not notaraized build
@@ -16,36 +21,37 @@ steps:
     allowFailedBuilds: true
     path: $(Build.SourcesDirectory)/package
 
-- pwsh : |
-    # Get the list of files to sign
-    $msiFiles = Get-ChildItem -Path $(Build.SourcesDirectory)/package/ -Filter "*.msi"
+- ${{ if eq(parameters.isPR, false) }}:
+  - pwsh : |
+      # Get the list of files to sign
+      $msiFiles = Get-ChildItem -Path $(Build.SourcesDirectory)/package/ -Filter "*.msi"
 
-    # Add those files to an array
-    $SignFiles = @()
-    foreach($msi in $msiFiles) {
-        Write-Host "$($msi.FullName)"
-        $SignFiles += @{ "SrcPath"="$($msi.FullName)"}
-    }
+      # Add those files to an array
+      $SignFiles = @()
+      foreach($msi in $msiFiles) {
+          Write-Host "$($msi.FullName)"
+          $SignFiles += @{ "SrcPath"="$($msi.FullName)"}
+      }
 
-    Write-Host "$msiFiles"
+      Write-Host "$msiFiles"
 
-    # array of dicts
-    $SignFileRecord = @(
-      @{
-        "Certs" = "400";
-        "SignFileList" = $SignFiles;
-      }
-    )
+      # array of dicts
+      $SignFileRecord = @(
+        @{
+          "Certs" = "400";
+          "SignFileList" = $SignFiles;
+        }
+      )
 
-    $SignFileList = @{
-        "SignFileRecordList" = $SignFileRecord
-    }
+      $SignFileList = @{
+          "SignFileRecordList" = $SignFileRecord
+      }
 
-    # Write the json to a file
-    ConvertTo-Json -InputObject $SignFileList -Depth 5 | Out-File -FilePath $(Build.ArtifactStagingDirectory)/MsiFiles2Notarize.json -Force
-    dotnet $Env:MBSIGN_APPFOLDER/ddsignfiles.dll /filelist:$(Build.ArtifactStagingDirectory)/MsiFiles2Notarize.json
-  displayName: 'Sign .msi'
-  condition: ${{ parameters.condition }}
+      # Write the json to a file
+      ConvertTo-Json -InputObject $SignFileList -Depth 5 | Out-File -FilePath $(Build.ArtifactStagingDirectory)/MsiFiles2Notarize.json -Force
+      dotnet $Env:MBSIGN_APPFOLDER/ddsignfiles.dll /filelist:$(Build.ArtifactStagingDirectory)/MsiFiles2Notarize.json
+    displayName: 'Sign .msi'
+    condition: ${{ parameters.condition }}
 
 - pwsh: |
     mv $(Build.SourcesDirectory)/package/bundle.zip $(Build.ArtifactStagingDirectory)/not-signed-bundle.zip

tools/devops/automation/templates/sign-and-notarized/prepare-pkg-stage.yml

@@ -15,6 +15,9 @@ parameters:
   type: stepList
   default: []
 
+- name: isPR
+  type: boolean
+
 - name: packages
   type: object
   default: [
@@ -77,6 +80,7 @@ jobs:
     steps:
     - template: sign-and-notarized.yml
       parameters:
+        isPR: ${{ parameters.isPR }}
         signingSetupSteps: ${{ parameters.signingSetupSteps }}
         keyringPass: ${{ parameters.keyringPass }}
         skipESRP: ${{ parameters.skipESRP }}
@@ -96,6 +100,8 @@ jobs:
 
     steps:
     - template: dotnet-signing.yml
+      parameters:
+        isPR: ${{ parameters.isPR }}
 
 - job: funnel_job
   dependsOn:

tools/devops/automation/templates/sign-and-notarized/setup.yml

@@ -5,8 +5,11 @@ parameters:
   type: string
   default: 'Real'
 
+- name: isPR
+  type: boolean
+
 - name: condition
-  default: and(succeeded(), eq(variables['IsPRBuild'], 'False'))
+  default: succeeded()
 
 steps:
 
@@ -27,28 +30,30 @@ steps:
   clean: true
 
 # the ddsign plugin needs this version or it will crash and will make the sign step fail
-- task: UseDotNet@2
-  inputs:
-    packageType: sdk
-    version: 3.x
-  displayName: 'Install .NET Core SDK 3.x needed for ESRP'
-
-- task: MicroBuildSigningPlugin@3
-  displayName: 'Install Signing Plugin'
-  inputs:
-    signType: '${{ parameters.signatureType }}'
-    azureSubscription: $(MicrobuildConnector)
-    zipSources: false  # we do not use the feature and makes the installation to last 10/12 mins instead of < 1 min
-  env:
-    SYSTEM_ACCESSTOKEN: $(System.AccessToken)
-  condition: ${{ parameters.condition }}
-
-- task: ms-vseng.MicroBuildTasks.30666190-6959-11e5-9f96-f56098202fef.MicroBuildSigningPlugin@3
-  displayName: 'Install Notarizing Plugin'
-  inputs:
-    signType: 'Real'  # test is not present for mac..
-    azureSubscription: $(MicrobuildConnector)
-    zipSources: false  # we do not use the feature and makes the installation to last 10/12 mins instead of < 1 min
-  env:
+
+- ${{ if eq(parameters.isPR, false) }}:
+  - task: UseDotNet@2
+    inputs:
+      packageType: sdk
+      version: 3.x
+    displayName: 'Install .NET Core SDK 3.x needed for ESRP'
+
+  - task: MicroBuildSigningPlugin@3
+    displayName: 'Install Signing Plugin'
+    inputs:
+      signType: '${{ parameters.signatureType }}'
+      azureSubscription: $(MicrobuildConnector)
+      zipSources: false  # we do not use the feature and makes the installation to last 10/12 mins instead of < 1 min
+    env:
       SYSTEM_ACCESSTOKEN: $(System.AccessToken)
-  condition: ${{ parameters.condition }}
+    condition: ${{ parameters.condition }}
+
+  - task: ms-vseng.MicroBuildTasks.30666190-6959-11e5-9f96-f56098202fef.MicroBuildSigningPlugin@3
+    displayName: 'Install Notarizing Plugin'
+    inputs:
+      signType: 'Real'  # test is not present for mac..
+      azureSubscription: $(MicrobuildConnector)
+      zipSources: false  # we do not use the feature and makes the installation to last 10/12 mins instead of < 1 min
+    env:
+        SYSTEM_ACCESSTOKEN: $(System.AccessToken)
+    condition: ${{ parameters.condition }}