fix: test and fix windows VHD release process (#8605)

Author: timmy-wright

.gitignore

@@ -16,6 +16,9 @@ e2e/scenario-logs
 **/vhd-publishing-info.json
 out/
 build/
+coverage/
+test-results/
+.devcontainer/devcontainer-lock.json
 
 test/junit/
 test/e2e/kubernetes/junit.xml

.pipelines/templates/.build-and-test-windows-vhd-template.yaml

@@ -101,7 +101,7 @@ stages:
   - stage: e2e_${{ parameters.stageName }}
     displayName: E2E (${{ parameters.artifactName }})
     dependsOn: build_${{ parameters.stageName }}
-    condition: and(succeeded(), eq('${{ parameters.build }}', True), ne(variables.SKIP_E2E_TESTS, 'true'))
+    condition: and(succeeded(), eq('${{ parameters.build }}', True), ne(variables.SKIP_E2E_TESTS, 'true'), ne(dependencies.build_${{ parameters.stageName }}.outputs['build_${{ parameters.stageName }}.skipVhd.skipping_vhd_build'], 'true'))
     variables:
       VHD_BUILD_ID: $(Build.BuildId)
       TAGS_TO_RUN: imageName=${{ parameters.imageName }}

.pipelines/templates/.builder-release-template-windows.yaml

@@ -70,7 +70,24 @@ steps:
       overrideBranch: ${{ parameters.overrideBranch }}
       useOverrides: ${{ parameters.useOverrides }}
 
+  - bash: |
+      skip_vhd=$(jq -r ".WindowsBaseVersions.\"${WINDOWS_SKU}\".skip_vhd // false" <vhdbuilder/packer/windows/windows_settings.json)
+      if [ "${skip_vhd}" = "true" ]; then
+        echo "skip_vhd is set to true for ${WINDOWS_SKU}, skipping VHD build."
+        echo "##vso[task.logissue type=error]Not building VHD for ${WINDOWS_SKU} because skip_vhd is set to true in windows_settings.json"
+        echo "##vso[task.setvariable variable=skipping_vhd_build;isOutput=true]true"
+        echo "##vso[task.setvariable variable=skipping_vhd_build]true"
+        exit 0
+      fi
+      echo "##vso[task.setvariable variable=skipping_vhd_build;isOutput=true]false"
+      echo "##vso[task.setvariable variable=skipping_vhd_build]false"
+    name: skipVhd
+    displayName: Determine VHD Skip
+    env:
+      WINDOWS_SKU: ${{ parameters.windowsSku }}
+
   - task: DownloadPipelineArtifact@2
+    condition: and(succeeded(), ne(variables.skipping_vhd_build, 'true'))
     displayName: Download CSE package
     inputs:
       source: current
@@ -79,6 +96,8 @@ steps:
       targetPath: ${{ parameters.csePackageDir }}
 
   - task: AzureCLI@2
+    condition: and(succeeded(), ne(variables.skipping_vhd_build, 'true'))
+    name: buildVhd
     inputs:
       azureSubscription: $(VHD_ARM_SERVICE_CONNECTION)
       scriptType: bash
@@ -122,6 +141,7 @@ steps:
 
   # Note: use -a to grep MANAGED_SIG_ID (packer-output should be read as a binary file in Linux)
   - task: AzureCLI@2
+    condition: and(succeeded(), ne(variables.skipping_vhd_build, 'true'))
     inputs:
       azureSubscription: $(VHD_ARM_SERVICE_CONNECTION)
       scriptType: bash
@@ -179,14 +199,17 @@ steps:
       mv tmp.json ${AKS_WINDOWS_IMAGE_VERSION}-image-list.json
       cp release-notes.txt ${AKS_WINDOWS_IMAGE_VERSION}.txt
     displayName: Reformat image-bom.json and rename release-notes.txt
+    condition: and(succeeded(), ne(variables.skipping_vhd_build, 'true'))
 
   - task: PublishPipelineArtifact@0
+    condition: and(succeeded(), ne(variables.skipping_vhd_build, 'true'))
     inputs:
       artifactName: 'vhd-release-notes-${{ parameters.artifactName }}'
       targetPath: '$(AKS_WINDOWS_IMAGE_VERSION).txt'
 
   # We can upload image bom json for check-in pr and sig mode to validate whether it is expected.
   - task: PublishPipelineArtifact@0
+    condition: and(succeeded(), ne(variables.skipping_vhd_build, 'true'))
     inputs:
       artifactName: 'vhd-image-list-${{ parameters.artifactName }}'
       targetPath: '$(AKS_WINDOWS_IMAGE_VERSION)-image-list.json'
@@ -209,7 +232,7 @@ steps:
 
         make -f packer.mk convert-sig-to-classic-storage-account-blob
     displayName: Convert Shared Image Gallery To VHD Blob In Classic Storage Account
-    condition: and(succeeded(), eq(variables.DRY_RUN, 'False'), eq(variables.SIG_FOR_PRODUCTION, 'True'))
+    condition: and(succeeded(), ne(variables.skipping_vhd_build, 'true'), eq(variables.DRY_RUN, 'False'), eq(variables.SIG_FOR_PRODUCTION, 'True'))
     env:
       LOCATION: $(AZURE_BUILD_LOCATION)
       RESOURCE_GROUP_NAME: $(AZURE_RESOURCE_GROUP_NAME)
@@ -245,7 +268,7 @@ steps:
 
         ./vhdbuilder/packer/cleanup.sh
     displayName: Clean Up Packer Generated Resources
-    condition: always()
+    condition: and(always(), ne(variables.skipping_vhd_build, 'true'))
     env:
       MODE: $(MODE)
       DRY_RUN: $( DRY_RUN )
@@ -280,7 +303,7 @@ steps:
 
         make -f packer.mk generate-publishing-info
     displayName: Getting Shared Access Signature URI
-    condition: and(succeeded(), eq(variables.DRY_RUN, 'False'), eq(variables.SIG_FOR_PRODUCTION, 'True'))
+    condition: and(succeeded(), ne(variables.skipping_vhd_build, 'true'), eq(variables.DRY_RUN, 'False'), eq(variables.SIG_FOR_PRODUCTION, 'True'))
     env:
       SUBSCRIPTION_ID: $(AZURE_PROD_SUBSCRIPTION_ID)
       STORAGE_ACCT_BLOB_URL: $(STORAGE_ACCT_BLOB_URL)
@@ -300,4 +323,4 @@ steps:
     inputs:
       artifactName: 'publishing-info-${{ parameters.artifactName }}'
       targetPath: 'vhd-publishing-info.json'
-    condition: and(succeeded(), eq(variables.DRY_RUN, 'False'), eq(variables.SIG_FOR_PRODUCTION, 'True'))
+    condition: and(succeeded(), ne(variables.skipping_vhd_build, 'true'), eq(variables.DRY_RUN, 'False'), eq(variables.SIG_FOR_PRODUCTION, 'True'))

.pipelines/templates/.template-copy-file.yaml

@@ -12,22 +12,28 @@ steps:
   - bash: |
       set -euo pipefail
       # we check for existence of both src and destination file because if neither of those exist then the override will fail.
-      
+
       if [ ! -f "${destinationFile}" ]; then
+        echo "##vso[task.logissue type=error]Destination file does not exist, could not copy: ${destinationFile}"
         echo "destination file file does not exist, not copying as it must have been moved in a refactor: ${destinationFile}"
         exit 1
       fi
 
       if [ ! -f "${sourceFile}" ]; then
-        echo "src ${sourceFile} file does not exist, aborting: ${sourceFile}"
-        exit 1
+        echo "##vso[task.logissue type=error]Source file does not exist, could not copy: ${sourceFile}"
+        exit 0
       fi
-      
+
       echo "Found source to use for overrides: ${sourceFile}"
       echo "Found file to overwrite: ${destinationFile}"
 
+      echo "##vso[task.logissue type=warning]Overwriting file ${destinationFile} from ${sourceFile}"
+
       echo "Overwriting ${sourceFile} -> ${destinationFile}"
       cp -af "${sourceFile}" "${destinationFile}"
 
     condition: and(succeeded(), eq('${{ parameters.enabled }}', true))
     displayName: Overwrite file ${{ parameters.destinationFile }}
+    env:
+      destinationFile: ${{ parameters.destinationFile }}
+      sourceFile: ${{ parameters.sourceFile }}

schemas/windows_settings.cue

@@ -27,6 +27,8 @@
   base_image_version:    string
   windows_image_name:    string
   patches_to_apply:      #WindowsPatches
+  sig_source_gallery_name?:      string
+  skip_vhd?:                     bool
 }
 
 #WindowsComments: [...string]

vhdbuilder/packer/produce-packer-settings-functions.sh

@@ -258,14 +258,21 @@ function create_new_base_image() {
 
 	# Use imported sig image to create the build VM
 	WINDOWS_IMAGE_URL=""
-	windows_sigmode_source_subscription_id=$SUBSCRIPTION_ID
-	windows_sigmode_source_resource_group_name=$AZURE_RESOURCE_GROUP_NAME
-	windows_sigmode_source_gallery_name=$SIG_GALLERY_NAME
-	windows_sigmode_source_image_name=$IMPORTED_IMAGE_NAME
-	windows_sigmode_source_image_version="1.0.0"
+	windows_sigmode_source_id="/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${AZURE_RESOURCE_GROUP_NAME}/providers/Microsoft.Compute/galleries/${SIG_GALLERY_NAME}/images/${IMPORTED_IMAGE_NAME}/versions/1.0.0"
 }
 
 function prepare_windows_vhd() {
+	local skip_vhd
+	skip_vhd=$(jq -r ".WindowsBaseVersions.\"${WINDOWS_SKU}\".skip_vhd // false" <$CDIR/windows/windows_settings.json)
+	if [ "${skip_vhd}" = "true" ]; then
+		echo "skip_vhd is set to true for ${WINDOWS_SKU}, skipping VHD build."
+		echo "##vso[task.setvariable variable=skipping_vhd_build;isOutput=true]true"
+		echo "##vso[task.setvariable variable=skipping_vhd_build]true"
+		exit 0
+	fi
+	echo "##vso[task.setvariable variable=skipping_vhd_build;isOutput=true]false"
+	echo "##vso[task.setvariable variable=skipping_vhd_build]false"
+
 	echo "Set the base image sku and version from windows_settings.json"
 
 	WINDOWS_IMAGE_SKU=$(jq -r ".WindowsBaseVersions.\"${WINDOWS_SKU}\".base_image_sku" <$CDIR/windows/windows_settings.json)
@@ -309,12 +316,59 @@ function prepare_windows_vhd() {
 		exit 1
 	fi
 
-	# Create the sig image from the official images defined in windows-settings.json by default
-	windows_sigmode_source_subscription_id=""
-	windows_sigmode_source_resource_group_name=""
-	windows_sigmode_source_gallery_name=""
-	windows_sigmode_source_image_name=""
-	windows_sigmode_source_image_version=""
+	# By default, packer uses marketplace source (image_publisher/offer/sku/version).
+	# For VHD imports, we use shared_image_gallery.id (full ARM resource ID).
+	# For embargo builds, we use direct_shared_gallery_image_id to source from a 1P shared gallery.
+	windows_sigmode_source_id=""
+	windows_sigmode_direct_shared_gallery_image_id=""
+
+	local sig_source_gallery_name
+	if sig_source_gallery_name=$(jq -re ".WindowsBaseVersions.\"${WINDOWS_SKU}\".sig_source_gallery_name" <$CDIR/windows/windows_settings.json); then
+		if [ -n "${sig_source_gallery_name}" ] && [ "${sig_source_gallery_name}" != "null" ]; then
+			local sig_image_name="${WINDOWS_IMAGE_SKU}"
+			# Use AZURE_LOCATION for gallery queries — PACKER_BUILD_LOCATION may not be normalized yet for Windows
+			local gallery_location="${AZURE_LOCATION:-${PACKER_BUILD_LOCATION}}"
+
+			# List latest 3 available versions for this image in the shared gallery
+			echo "  Latest 3 available versions in gallery:"
+			az sig image-version list-shared \
+				--gallery-unique-name "${sig_source_gallery_name}" \
+				--gallery-image-definition "${sig_image_name}" \
+				--location "${gallery_location}" \
+				--shared-to tenant \
+				--query "[-3:].name" -o tsv | while read -r ver; do
+				echo "    - ${ver}"
+			done
+
+			# Resolve version dynamically if base_image_version is empty
+			if [ -z "${WINDOWS_IMAGE_VERSION}" ] || [ "${WINDOWS_IMAGE_VERSION}" = "null" ]; then
+				echo "base_image_version is empty, resolving latest from shared gallery ${sig_source_gallery_name}/${sig_image_name}..."
+				WINDOWS_IMAGE_VERSION=$(az sig image-version list-shared \
+					--gallery-unique-name "${sig_source_gallery_name}" \
+					--gallery-image-definition "${sig_image_name}" \
+					--location "${gallery_location}" \
+					--shared-to tenant \
+					--query "sort_by(@, &name)[-1].name" -o tsv)
+				if [ -z "${WINDOWS_IMAGE_VERSION}" ]; then
+					echo "ERROR: Failed to resolve latest image version from gallery ${sig_source_gallery_name}/${sig_image_name}"
+					exit 1
+				fi
+				echo "Resolved base_image_version: ${WINDOWS_IMAGE_VERSION}"
+			fi
+
+			windows_sigmode_direct_shared_gallery_image_id="/SharedGalleries/${sig_source_gallery_name}/Images/${sig_image_name}/Versions/${WINDOWS_IMAGE_VERSION}"
+			# Clear marketplace and raw VHD source fields — packer requires exactly one source type
+			WINDOWS_IMAGE_URL=""
+			WINDOWS_BASE_IMAGE_URL=""
+			WINDOWS_IMAGE_PUBLISHER=""
+			WINDOWS_IMAGE_OFFER=""
+			WINDOWS_IMAGE_SKU=""
+			WINDOWS_IMAGE_VERSION=""
+			echo "Using direct shared gallery source:"
+			echo "  ID: ${windows_sigmode_direct_shared_gallery_image_id}"
+
+		fi
+	fi
 
 	# default: build VHD images from a marketplace base image
 	export AZCOPY_AUTO_LOGIN_TYPE="AZCLI" # use AZCLI for AzCopy authentication
@@ -323,8 +377,8 @@ function prepare_windows_vhd() {
 	mkdir -p "${AZCOPY_LOG_LOCATION}"
 	mkdir -p "${AZCOPY_JOB_PLAN_LOCATION}"
 
-	echo "VALID IMAGE URL: ${WINDOWS_CONTAINERIMAGE_JSON_URL}"
 	if [ -n "${WINDOWS_CONTAINERIMAGE_JSON_URL}" ]; then
+		echo "VALID IMAGE URL: ${WINDOWS_CONTAINERIMAGE_JSON_URL}"
 		download_windows_json_artifact
 		extract_windows_image_urls
 	else
@@ -333,14 +387,14 @@ function prepare_windows_vhd() {
 	fi
 
 	# Check if base, nano, and servercore urls are set
-	if [ -z "${windows_nanoserver_image_url}" ] || [ -z "${windows_servercore_image_url}" ] || [ -z "${WINDOWS_BASE_IMAGE_URL}" ]; then
-		echo "Error: One of the Windows image URLs are not set."
+	if [ -n "${windows_nanoserver_image_url}" ] && [ -n "${windows_servercore_image_url}" ] && [ -n "${WINDOWS_BASE_IMAGE_URL}" ]; then
+		echo "All Windows image URLs are set."
 	else
-		# If all URLs are set, print them
-		echo "Using Windows base image URL: ${WINDOWS_BASE_IMAGE_URL}"
-		echo "Using Windows Nano Server image URL: ${windows_nanoserver_image_url}"
-		echo "Using Windows Server Core image URL: ${windows_servercore_image_url}"
+		echo "At least one of the Windows image URLs are not set:"
 	fi
+		echo "  Windows base image URL: ${WINDOWS_BASE_IMAGE_URL}"
+		echo "  Windows Nano Server image URL: ${windows_nanoserver_image_url}"
+		echo "  Windows Server Core image URL: ${windows_servercore_image_url}"
 
 	# build from a pre-supplied VHD blob a.k.a. external raw VHD
 	if [ -n "${WINDOWS_BASE_IMAGE_URL}" ]; then

vhdbuilder/packer/produce-packer-settings.sh

@@ -243,11 +243,8 @@ cat <<EOF > vhdbuilder/packer/settings.json
   "nano_image_url": "${windows_nanoserver_image_url}",
   "core_image_url": "${windows_servercore_image_url}",
   "windows_private_packages_url": "${windows_private_packages_url}",
-  "windows_sigmode_source_subscription_id": "${windows_sigmode_source_subscription_id}",
-  "windows_sigmode_source_resource_group_name": "${windows_sigmode_source_resource_group_name}",
-  "windows_sigmode_source_gallery_name": "${windows_sigmode_source_gallery_name}",
-  "windows_sigmode_source_image_name": "${windows_sigmode_source_image_name}",
-  "windows_sigmode_source_image_version": "${windows_sigmode_source_image_version}",
+  "windows_sigmode_source_id": "${windows_sigmode_source_id}",
+  "windows_sigmode_direct_shared_gallery_image_id": "${windows_sigmode_direct_shared_gallery_image_id}",
   "vnet_name": "${VNET_NAME}",
   "subnet_name": "${SUBNET_NAME}",
   "vnet_resource_group_name": "${VNET_RG_NAME}",

vhdbuilder/packer/windows/configure-windows-vhd.ps1

@@ -1012,13 +1012,27 @@ function Test-AzureExtensions
     Write-Log "Azure extensions are not found"
 }
 
+function Run-BcdEdit
+{
+    Write-Host "Running bcdedit /set hypervisorlaunchtype auto"
+    bcdedit /set hypervisorlaunchtype auto
+    if ($LASTEXITCODE)
+    {
+        throw "bcdedit /set hypervisorlaunchtype auto failed with exit code $LASTEXITCODE"
+    }
+}
+
 # Disable progress writers for this session to greatly speed up operations such as Invoke-WebRequest
 $ProgressPreference = 'SilentlyContinue'
 
 try
 {
     switch ($env:ProvisioningPhase)
     {
+        "0" {
+            Write-Log "Performing actions for provisioning phase 0"
+            Run-BcdEdit
+        }
         "1" {
             Write-Log "Performing actions for provisioning phase 1"
             Expand-OS-Partition

vhdbuilder/packer/windows/windows-vhd-builder-sig.json

@@ -38,11 +38,8 @@
             "image_version": "{{user `windows_image_version`}}",
             "image_url": "{{user `windows_image_url`}}",
             "shared_image_gallery": {
-              "subscription": "{{user `windows_sigmode_source_subscription_id`}}",
-              "resource_group": "{{user `windows_sigmode_source_resource_group_name`}}",
-              "gallery_name": "{{user `windows_sigmode_source_gallery_name`}}",
-              "image_name": "{{user `windows_sigmode_source_image_name`}}",
-              "image_version": "{{user `windows_sigmode_source_image_version`}}"
+              "id": "{{user `windows_sigmode_source_id`}}",
+              "direct_shared_gallery_image_id": "{{user `windows_sigmode_direct_shared_gallery_image_id`}}"
             },
             "shared_image_gallery_destination": {
                 "resource_group": "{{user `resource_group_name`}}",
@@ -100,6 +97,24 @@
         ],
         "destination": "c:/akse-cache/"
         },
+        {
+            "elevated_user": "packer",
+            "elevated_password": "{{.WinRMPassword}}",
+            "environment_vars": [
+                "ProvisioningPhase=0",
+                "WindowsSKU={{user `windows_sku`}}",
+                "CustomizedDiskSize={{user `os_disk_size_gb`}}",
+                "INSTALL_OPEN_SSH_SERVER={{ user `INSTALL_OPEN_SSH_SERVER` }}"
+            ],
+            "type": "powershell",
+            "scripts": [
+                "vhdbuilder/packer/windows/configure-windows-vhd.ps1"
+            ]
+        },
+        {
+            "restart_timeout": "10m",
+            "type": "windows-restart"
+        },
         {
             "elevated_user": "packer",
             "elevated_password": "{{.WinRMPassword}}",