Symbols Publishing Follow-up #4214
Merged
paulmedynski merged 3 commits into main on Apr 21, 2026
- Change pool type from windows to linux in publish-symbols-job.yml
- Add LinuxContainerImage variable to onebranch-variables.yml
- Add .artifactignore step to suppress empty artifact publishing
- Improve comments in publish-symbols-step.yml
PublishSymbols@2 runs on the OneBranch host agent (outside the build container) due to 1ES PT credential isolation. The previous runtime ##vso[task.setvariable] ran inside the container and was not visible to the host-level task. On Linux the host defaults to the Microsoft org, causing a VssUnauthorizedException (VS30063). Move ArtifactServices.Symbol.AccountName to a job-level variable so it is visible to both container and host steps.
Pull request overview
This PR updates the OneBranch symbols publishing stage to run on Linux agents and adjusts symbol-upload configuration to work correctly under 1ES Pipeline Template host/container credential isolation.
Changes:
- Switch `publish-symbols-job.yml` to a Linux pool and add a workaround to avoid publishing meaningful job artifacts.
- Move `ArtifactServices.Symbol.AccountName` configuration to job scope (instead of setting it at runtime inside the container).
- Add a Linux container image variable and update symbol-publish step comments accordingly.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| eng/pipelines/onebranch/variables/onebranch-variables.yml | Adds LinuxContainerImage and clarifies container image variables. |
| eng/pipelines/onebranch/steps/publish-symbols-step.yml | Removes runtime variable-setting step; documents why job-level scope is required. |
| eng/pipelines/onebranch/jobs/publish-symbols-job.yml | Switches symbols publishing job to Linux; sets org-routing variable at job scope; adds .artifactignore generation to produce empty auto-published artifacts. |
The official pipeline's publishSymbols stage was hardcoded to the Production symbol server regardless of the releaseToProduction flag. This meant there was no way to do a full dry-run release targeting both NuGet Test and symbol server PPE. Now the releaseToProduction parameter drives both destinations:
- true → NuGet Production + Production symbol server
- false → NuGet Test + PPE symbol server

The publishSymbols flag still independently controls whether symbols are published at all. The non-official pipeline is unchanged (always PPE).
paulmedynski commented Apr 20, 2026
mdaigle approved these changes Apr 20, 2026
priyankatiwari08 approved these changes Apr 21, 2026
Summary
Switches the OneBranch publish symbols jobs from Windows to Linux agents, fixes a cross-org authentication issue discovered during validation, and routes official symbols to PPE when `releaseToProduction` is false.
Follow-up to #4175.
Changes
Linux Pool for Symbols Jobs
- `pool.type` from `windows` to `linux` in `publish-symbols-job.yml`.
- `LinuxContainerImage` variable to `onebranch-variables.yml`.
- `.artifactignore` step to suppress empty artifact auto-publishing on Linux.

Fix cross-org symbol upload authentication (VS30063)
- `ArtifactServices.Symbol.AccountName` from a runtime `##vso[task.setvariable]` step (which ran inside the build container) to a job-level variable.
- `PublishSymbols@2` runs on the host agent (outside the build container) due to 1ES Pipeline Template credential isolation. The host defaults to the `microsoft` org, so `$(System.AccessToken)` (scoped to `SqlClientDrivers`) could not authenticate against `https://microsoft.artifacts.visualstudio.com`. Setting the variable at job scope makes it visible to both container and host steps, routing the upload to `https://SqlClientDrivers.artifacts.visualstudio.com`.
- `SqlClientDrivers` org context.

Route official symbols to PPE when releaseToProduction is false
- `publishSymbols` stage was hardcoded to the Production symbol server regardless of the `releaseToProduction` flag. This meant there was no way to do a full dry-run release targeting both NuGet Test and symbol server PPE.
- `releaseToProduction` drives both destinations:
  - `true` → NuGet Production + Production symbol server
  - `false` → NuGet Test + PPE symbol server
- `publishSymbols` flag still independently controls whether symbols are published at all.

Testing
- `VssUnauthorizedException (VS30063)` on Linux → root cause identified → fix applied → re-run expected to succeed.
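
The scoping change described under "Fix cross-org symbol upload authentication", sketched as a before/after pair of jobs. This is an added illustration, not the PR's diff or the repository's pipeline files: the job names, the `script` step, the `SqlClientDrivers` account-name value (inferred from the upload URL quoted above) and the `SymbolsFolder`/`SearchPattern` values are assumptions.

```yaml
# Added illustration; not the contents of publish-symbols-job.yml.
jobs:
# Before: the account name is set by a logging command at runtime.
# Per the PR description, this step runs inside the build container,
# while PublishSymbols@2 runs on the host agent and never sees the value,
# so the upload goes to the host's default org and fails with VS30063.
- job: publish_symbols_runtime_variable        # hypothetical job name
  pool:
    type: linux
  steps:
  - script: echo "##vso[task.setvariable variable=ArtifactServices.Symbol.AccountName]SqlClientDrivers"
    displayName: Set symbol account (container scope only)
  - task: PublishSymbols@2
    inputs:
      SymbolServerType: TeamServices
      SymbolsFolder: $(Build.SourcesDirectory)/symbols   # placeholder path
      SearchPattern: '**/*.pdb'                          # placeholder pattern

# After: the account name is a job-level variable, resolved before any
# step starts, so container steps and the host-level task read the same
# value and the token's org matches the upload destination.
- job: publish_symbols_job_variable             # hypothetical job name
  pool:
    type: linux
  variables:
    ArtifactServices.Symbol.AccountName: SqlClientDrivers   # assumed value
  steps:
  - task: PublishSymbols@2
    inputs:
      SymbolServerType: TeamServices
      SymbolsFolder: $(Build.SourcesDirectory)/symbols   # placeholder path
      SearchPattern: '**/*.pdb'                          # placeholder pattern
```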