Add Manual OneBranch Release Stage & Publish Support (Internal/Public)

[cheenamalhotra]

Description

Adds a manual, parameter‑gated release stage to the signing pipeline enabling:

• Internal or public NuGet publish (publishDestination)
• Dry run preview (dryRun)
• Optional symbol publishing (MDS only)
• Human approval checklist (destination, preview, dry run, symbols, version, product)

Next Steps:

• Run Dryrun and Approval workflow to validate changes ensuring configuration is up-to-date.
• Make an attempt to publish MDS packages to internal feed.
• Validate workflows for all 3 packages: MDS, MSS, AKV

Investigate:

• Can symbols be published using the same "compound-publish-symbols-step" for AKV and MSS packages?

[Copilot]

Pull Request Overview

This PR adds a manual release stage to the OneBranch signing pipeline, enabling controlled NuGet package publishing with approval gates. The implementation supports both internal and public publishing destinations, includes dry-run capability for testing, and integrates symbol publishing for the MDS product.

Key Changes:

• Adds manual release parameters (destination, dry run, product) to the signing pipeline
• Implements approval workflow with human validation before package publication
• Creates templated release infrastructure supporting multiple products (MDS, MSS, AKV)

Reviewed Changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
eng/pipelines/dotnet-sqlclient-signing-pipeline.yml	Adds release parameters and invokes new release-stage template
eng/pipelines/common/templates/stages/release-stage.yml	Defines manual release stage with approval and publish jobs
eng/pipelines/common/templates/jobs/approval-job.yml	Implements manual validation job with release checklist
eng/pipelines/common/templates/jobs/publish-packages-job.yml	Orchestrates package download and conditional publishing to internal/public feeds
eng/pipelines/common/templates/steps/publish-internal-feed-step.yml	Handles internal feed publishing with dry-run support
eng/pipelines/common/templates/steps/publish-public-nuget-step.yml	Handles NuGet.org publishing with dry-run support
eng/pipelines/common/templates/steps/list-packages-step.yml	Lists packages for verification before publishing
eng/pipelines/common/templates/steps/publish-symbols-step.yml	Updates symbol publishing to use boolean type and add AKV product support

[Copilot]

Pull Request Overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 10 comments.

[Copilot]

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated 8 comments.

[Copilot]

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated 11 comments.

[Copilot]

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated 9 comments.

[Copilot]

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated 5 comments.

[Copilot]

The parameter type for publishSymbols has been changed from 'string' to 'boolean', which is the correct type for a boolean flag. However, the condition on line 79 should be updated to use the boolean comparison syntax. Change 'eq(parameters.publishSymbols, true)' instead of comparing to the string 'true'.

[Copilot]

Same issue as line 83 - the variable targetDownloadPath should be referenced using runtime syntax $(targetDownloadPath) instead of template syntax ${{ variables.targetDownloadPath }}.

[Copilot]

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated 5 comments.

[Copilot]

$namePattern is derived from packagesGlob, but the actual file enumeration always uses -Filter "*.nupkg", so the provided glob/pattern is effectively ignored. Either use $namePattern (and possibly handle .snupkg if intended) or remove the unused parsing to avoid misleading configuration.

[Copilot]

targetDownloadPath is defined as a job variable, but it’s referenced via template expression ${{ variables.targetDownloadPath }}. Template expressions are evaluated before runtime variables exist, so these paths will be empty/incorrect. Use runtime variable syntax ($(targetDownloadPath)) consistently for targetPath, echo output, and packagesGlob.

[Copilot]

The step conditions use eq(parameters.publishSymbols, true) without ${{ }} expansion. parameters.* isn’t available in runtime conditions, so these steps will be skipped even when the template parameter is true. Either remove the runtime condition (since the surrounding ${{ if ... }} already gates inclusion) or expand the boolean at compile time inside the condition.

[Copilot]

The push block has duplicated/nested foreach ($package in $packages) loops and $anyPushFailed is declared inside the wrong scope; as written it looks like braces are unbalanced and the script will either fail to parse or never execute the intended push loop. Refactor to a single loop, initialize $anyPushFailed once before iterating, and remove the redundant inner loop/log line.

[Copilot]

This pipeline exposes product values MSS/AKV, but the build/validation stages are only instantiated when product == 'MDS' while the Release stage template is always included. If a user queues a manual run with product set to MSS/AKV and runRelease=true, the release job will attempt to download a non-existent artifact and fail. Consider restricting product values until builds exist, or conditionally include the release stage per product as well.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 0.00%. Comparing base (3ffbba7) to head (d337d8f).
⚠️ Report is 4 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #3761       +/-   ##
==========================================
- Coverage   74.53%       0   -74.54%     
==========================================
  Files         266       0      -266     
  Lines       42915       0    -42915     
==========================================
- Hits        31987       0    -31987     
+ Misses      10928       0    -10928     

Flag	Coverage Δ
addons	?
netcore	?
netfx	?

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[mdaigle]

I feel like this should be locked down. In what situation would we want to allow non-admins to approve?

[mdaigle]

Some of this is a little weird. It prints Pushing packages to feed... for each package, then loops through again and pushes each the package.

We can remove this first loop.

[mdaigle]

Why can't we use the Nuget task pointed at an internal feed?

[mdaigle]

I didn't realize this file even existed. Not for this pr, but we should definitely switch to dotnet pack when we can.