Move symbol publishing into a dedicated stage and refactor build artifacts #4175
paulmedynski merged 14 commits into main on Apr 20, 2026
Pull request overview
This PR refactors the OneBranch pipeline artifact layout and moves symbol publishing out of individual build jobs into a dedicated publish_symbols stage, aligning APIScan and symbol publishing to consume standardized JOB_OUTPUT subfolders.
Changes:
- Introduces a dedicated publish_symbols stage with per-package symbol publishing jobs, driven by a shared step/script.
- Renames PACK_INPUT/PACK_OUTPUT to JOB_INPUT/JOB_OUTPUT and reorganizes outputs into assemblies/, packages/, and symbols/.
- Updates build/release/validation templates to consume packages from packages/ and symbols from symbols/, removing the old SqlClient APIScan copy step.
Reviewed changes
Copilot reviewed 20 out of 20 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| eng/pipelines/onebranch/variables/onebranch-variables.yml | Switches symbol credentials variable group reference to Symbols Publishing. |
| eng/pipelines/onebranch/variables/common-variables.yml | Renames PACK_* vars to JOB_* and documents new JOB_OUTPUT subfolder conventions. |
| eng/pipelines/onebranch/steps/tests/README.md | Adds documentation for running Pester tests for symbol publishing script. |
| eng/pipelines/onebranch/steps/tests/Publish-Symbols.Tests.ps1 | Adds Pester tests validating Publish-Symbols behavior via mocks. |
| eng/pipelines/onebranch/steps/Publish-Symbols.ps1 | Extracts symbol publishing logic into a standalone script with structured error handling. |
| eng/pipelines/onebranch/steps/publish-symbols-step.yml | Refactors publish step to call the extracted script and adds symbolsFolder parameter. |
| eng/pipelines/onebranch/steps/pack-sqlclient-step.yml | Copies SqlClient NuGet outputs into $(JOB_OUTPUT)/packages. |
| eng/pipelines/onebranch/steps/pack-csproj-step.yml | Packs csproj-based packages into $(JOB_OUTPUT)/packages. |
| eng/pipelines/onebranch/steps/copy-apiscan-files-sqlclient-step.yml | Removes legacy APIScan file copy step (deleted). |
| eng/pipelines/onebranch/stages/release-stages.yml | Updates release stage to push packages from the packages/ subdirectory. |
| eng/pipelines/onebranch/stages/publish-symbols-stage.yml | Adds new stage template to publish symbols per package from downloaded build artifacts. |
| eng/pipelines/onebranch/stages/build-stages.yml | Removes in-job symbol publishing parameters and job wiring (moved to stage). |
| eng/pipelines/onebranch/sqlclient-official.yml | Wires in the new publish-symbols-stage.yml between build and release stages. |
| eng/pipelines/onebranch/sqlclient-non-official.yml | Wires in the new publish-symbols-stage.yml between build and release stages. |
| eng/pipelines/onebranch/jobs/validate-signed-package-job.yml | Updates validation job to locate packages under <artifact>/packages. |
| eng/pipelines/onebranch/jobs/publish-symbols-job.yml | Adds per-package symbols publishing job template (download artifact + publish step). |
| eng/pipelines/onebranch/jobs/publish-nuget-package-job.yml | Updates release job to treat packages as living under packages/ within artifacts. |
| eng/pipelines/onebranch/jobs/build-signed-sqlclient-package-job.yml | Updates APIScan folder vars and copies DLLs/PDBs into JOB_OUTPUT subfolders; removes symbol publishing. |
| eng/pipelines/onebranch/jobs/build-signed-csproj-package-job.yml | Updates APIScan folder vars and copies DLLs/PDBs into JOB_OUTPUT subfolders; removes symbol publishing. |
| .github/instructions/onebranch-pipeline-design.instructions.md | Updates OneBranch pipeline design docs for new symbols stage and artifact layout. |
…facts
- Extract symbol publishing from build jobs into a new publish_symbols stage (publish-symbols-stage.yml) with per-package jobs (publish-symbols-job.yml)
- Reorganize JOB_OUTPUT subdirectories: assemblies/ (APIScan), packages/ (NuGet), symbols/ (PDBs shared by APIScan and symbol publishing)
- Point APIScan at JOB_OUTPUT/assemblies and JOB_OUTPUT/symbols instead of separate apiScan/ tree; remove copy-apiscan-files-sqlclient-step.yml
- Rename PACK_OUTPUT -> JOB_OUTPUT, PACK_INPUT -> JOB_INPUT for clarity
- Extract inline PowerShell into Publish-Symbols.ps1 with structured error handling; add Pester tests
- Rename variable group symbols-variables-v2 -> Symbols Publishing
- Remove artifactPath variable from validate job in favor of packagesPath
- Append $(System.JobAttempt) to symbol artifact names for retry safety
- Guard publish_symbols stage against empty runs when no packages were built
0dccecb to bbf6303
…ols jobs
- Add canonical docs link and two-step process documentation to publish-symbols-step.yml and publish-symbols.ps1
- Rename task display names to Step 1/Step 2 for clarity
- Disable APIScan and BinSkim in publish-symbols-job.yml since symbols jobs only upload/publish PDBs with no assemblies to scan
Successful run using PPE for symbols publishing is here: https://sqlclientdrivers.visualstudio.com/ADO.Net/_build/results?buildId=148117&view=results
- Update SymbolsPublishServer/SymbolsPublishTokenUri to their actual suffixed names (Prod/PPE) in onebranch-variables.yml header comment
- Fix Publish-Symbols.ps1 -> publish-symbols.ps1 casing in onebranch-pipeline-design.instructions.md
mdaigle reviewed Apr 16, 2026
- Tighten searchPattern globs in publish-symbols-stage.yml to use exact
PDB filenames (e.g. '**/X.pdb' instead of '**/X*.pdb'), preventing
unrelated PDBs (such as native SNI PDBs) from being uploaded to the
symbol server.
- Fix CopyFiles pattern in build-signed-sqlclient-package-job.yml to
copy only Microsoft.Data.SqlClient.pdb, excluding SNI PDBs from the
symbols artifact.
- Fix ESRP DLL signing pattern in build-signed-sqlclient-package-job.yml
to sign only SqlClient and its resource DLLs, not native SNI DLLs
(which are signed in their own package).
- Include resource DLLs (satellite assemblies) in ESRP signing and
APIScan scanning for both the SqlClient and generic csproj build jobs
using brace expansion ({,.resources}.dll) and multi-line Contents.
- Add a diagnostic step in publish-symbols-step.yml that logs all PDB
files matching the search pattern before upload, converting the glob
to a regex for correct cross-platform matching.
- Add comments to all pattern/glob fields across pipeline files
documenting what each pattern matches, what it excludes, and why
resource DLLs are included or not.
…nds on both validation and symbols
Add UseMinimatch: true to all EsrpCodeSigning@6 and EsrpMalwareScanning@6
task inputs in esrp-dll-signing-step.yml and esrp-nuget-signing-step.yml.
Update callers to use minimatch glob patterns:
- DLL signing: multi-line patterns with **/ for recursive directory matching,
replacing shell-style brace expansion ({,.resources}).
- NuGet signing: [0-9]* anchors to the version segment to avoid matching
similarly-prefixed packages (e.g. Microsoft.Data.SqlClient.SNI), and ?(s)
extglob matches both .nupkg and .snupkg.
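
The effect of the pattern tightening described in the two commit messages above, as an added example (not code from this PR): a simplified glob-to-regex translation, in the spirit of the diagnostic step, compares loose and tightened patterns over a constructed artifact listing. The file names, versions, the loose NuGet pattern and the fully assembled tightened NuGet pattern are assumptions built from the commit text; the real minimatch library handles more syntax than this translation does.

```javascript
// Simplified glob-to-regex translation (NOT the minimatch library). It supports only
// "**/", "*", "?", "[...]" classes and the "?(a|b)" extglob, enough for these patterns.
const escapeLit = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

function globToRegExp(glob) {
  let re = "";
  for (let i = 0; i < glob.length; i++) {
    const close = (ch) => glob.indexOf(ch, i + 1);
    if (glob.startsWith("**/", i)) {
      re += "(?:[^/]+/)*"; // zero or more directory levels
      i += 2;
    } else if (glob.startsWith("?(", i) && close(")") !== -1) {
      const end = close(")");
      re += "(?:" + glob.slice(i + 2, end).split("|").map(escapeLit).join("|") + ")?";
      i = end; // extglob: zero or one of the listed alternatives
    } else if (glob[i] === "[" && close("]") !== -1) {
      const end = close("]");
      re += "[" + glob.slice(i + 1, end).replace(/^!/, "^") + "]"; // character class
      i = end;
    } else if (glob[i] === "*") {
      re += "[^/]*"; // any run of characters inside one path segment
    } else if (glob[i] === "?") {
      re += "[^/]"; // exactly one character inside a segment
    } else {
      re += escapeLit(glob[i]); // literal: "." must not mean "any character"
    }
  }
  return new RegExp("^" + re + "$"); // anchored, so the whole relative path must match
}

// Constructed artifact listing: file names and versions are assumptions.
const FILES = [
  "symbols/Microsoft.Data.SqlClient.pdb",
  "symbols/Microsoft.Data.SqlClient.SNI.pdb",
  "packages/Microsoft.Data.SqlClient.7.0.0.nupkg",
  "packages/Microsoft.Data.SqlClient.7.0.0.snupkg",
  "packages/Microsoft.Data.SqlClient.SNI.6.0.2.nupkg",
];

const select = (glob, files = FILES) => files.filter((f) => globToRegExp(glob).test(f));
// Files a loose pattern picks up that the tightened pattern leaves out.
function overMatched(loose, tight, files = FILES) {
  const wanted = new Set(select(tight, files));
  return select(loose, files).filter((f) => !wanted.has(f));
}

console.log(overMatched("**/Microsoft.Data.SqlClient*.pdb", "**/Microsoft.Data.SqlClient.pdb"));
console.log(overMatched("**/Microsoft.Data.SqlClient.*.nupkg",
                        "**/Microsoft.Data.SqlClient.[0-9]*.?(s)nupkg"));
```

Running the same comparison against a real artifact listing before enabling a signing or upload pattern shows which extra files the pattern would sweep in.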
mdaigle approved these changes Apr 17, 2026
cheenamalhotra approved these changes Apr 20, 2026
github-actions Bot added a commit that referenced this pull request Apr 20, 2026
To resolve, run: git cherry-pick eacf112
paulmedynski added a commit that referenced this pull request Apr 20, 2026
Summary
Adds a dedicated Publish Symbols stage to the OneBranch pipelines, extracts and refactors build artifact layout, and fixes several signing/pattern issues discovered during validation.
Changes
Symbols Publishing Stage
- publish_symbols stage (publish-symbols-stage.yml) with per-package jobs (publish-symbols-job.yml).
- publish-symbols.ps1 script with structured error handling and Pester tests.
- PublishSymbols@2, then publish to SymWeb/MSDL via REST API) in step template and script.
- $(System.JobAttempt) to symbol artifact names for retry safety.
Build Artifact Reorganization
- JOB_OUTPUT subdirectories: assemblies/ (APIScan), packages/ (NuGet), symbols/ (PDBs shared by APIScan and symbol publishing).
- JOB_OUTPUT/assemblies and JOB_OUTPUT/symbols; remove copy-apiscan-files-sqlclient-step.yml.
- PACK_OUTPUT → JOB_OUTPUT, PACK_INPUT → JOB_INPUT for clarity.
- artifactPath variable from validate job in favor of packagesPath.
File Pattern and Signing Fixes
- searchPattern globs in symbols stage to exact PDB filenames, preventing unrelated PDBs (e.g. native SNI) from being uploaded.
- CopyFiles and ESRP DLL signing patterns to exclude native SNI DLLs from SqlClient symbols and signing.
- UseMinimatch: true to all EsrpCodeSigning@6 and EsrpMalwareScanning@6 tasks; update patterns to minimatch globs.
Release Stage Updates
- release stage now depends on both mds_package_validation and publish_symbols.
- publish_symbols stage always emits when the flag is set.
Documentation and Cleanup
- symbols-variables-v2 → Symbols Publishing.
Follow-up
Testing
- publish-symbols.ps1 (success, transient failure, and terminal failure scenarios).
- dev/paul/symbols-publishing branch.