[main] Update common Docker engineering infrastructure with latest

eng/common/templates/1es-official.yml

@@ -38,23 +38,25 @@ resources:
     ref: refs/tags/release
 
 extends:
-  template: v1/1ES.Official.PipelineTemplate.yml@1ESPipelineTemplates
+  template: /eng/common/templates/task-prefix-decorator.yml@self
   parameters:
-    pool: ${{ parameters.pool }}
-    sdl:
-      binskim:
-        enabled: true
-      componentgovernance:
-        ignoreDirectories: $(Build.SourcesDirectory)/versions
-        whatIf: ${{ parameters.cgDryRun }}
-        showAlertLink: true
-      policheck:
-        enabled: true
-      sourceRepositoriesToScan:
-        exclude:
-        - repository: InternalVersionsRepo
-        - repository: PublicVersionsRepo
-      sourceAnalysisPool: ${{ parameters.sourceAnalysisPool }}
-      tsa:
-        enabled: true
+    baseTemplate: v1/1ES.Official.PipelineTemplate.yml@1ESPipelineTemplates
+    templateParameters:
+      pool: ${{ parameters.pool }}
+      sdl:
+        binskim:
+          enabled: true
+        componentgovernance:
+          ignoreDirectories: $(Build.SourcesDirectory)/versions
+          whatIf: ${{ parameters.cgDryRun }}
+          showAlertLink: true
+        policheck:
+          enabled: true
+        sourceRepositoriesToScan:
+          exclude:
+          - repository: InternalVersionsRepo
+          - repository: PublicVersionsRepo
+        sourceAnalysisPool: ${{ parameters.sourceAnalysisPool }}
+        tsa:
+          enabled: true
     stages: ${{ parameters.stages }}

eng/common/templates/1es-unofficial.yml

@@ -41,26 +41,30 @@ resources:
     ref: refs/tags/release
 
 extends:
-  template: v1/1ES.Unofficial.PipelineTemplate.yml@1ESPipelineTemplates
+  template: /eng/common/templates/task-prefix-decorator.yml@self
   parameters:
-    pool: ${{ parameters.pool }}
-    sdl:
-      binskim:
-        enabled: true
-      componentgovernance:
-        ignoreDirectories: $(Build.SourcesDirectory)/versions
-        whatIf: true
-        showAlertLink: true
-      enableAllTools: ${{ not(parameters.disableSDL) }}
-      policheck:
-        enabled: true
-      sbom:
-        enabled: true
-      sourceRepositoriesToScan:
-        exclude:
-        - repository: InternalVersionsRepo
-        - repository: PublicVersionsRepo
-      sourceAnalysisPool: ${{ parameters.sourceAnalysisPool }}
-      tsa:
-        enabled: true
+    # Use a unique task prefix for unofficial pipelines
+    taskPrefix: "🟦"
+    baseTemplate: v1/1ES.Unofficial.PipelineTemplate.yml@1ESPipelineTemplates
+    templateParameters:
+      pool: ${{ parameters.pool }}
+      sdl:
+        binskim:
+          enabled: true
+        componentgovernance:
+          ignoreDirectories: $(Build.SourcesDirectory)/versions
+          whatIf: true
+          showAlertLink: true
+        enableAllTools: ${{ not(parameters.disableSDL) }}
+        policheck:
+          enabled: true
+        sbom:
+          enabled: true
+        sourceRepositoriesToScan:
+          exclude:
+          - repository: InternalVersionsRepo
+          - repository: PublicVersionsRepo
+        sourceAnalysisPool: ${{ parameters.sourceAnalysisPool }}
+        tsa:
+          enabled: true
     stages: ${{ parameters.stages }}

eng/common/templates/jobs/publish.yml

@@ -183,6 +183,15 @@ jobs:
       $(imageBuilder.commonCmdArgs)
     condition: and(succeeded(), eq(variables['publishImageInfo'], 'true'))
     displayName: Publish Image Info
+  # Task displayNames names are hardcoded to reference the task prefix used by 1ES official
+  # pipelines in eng/common/templates/1es-official.yml.
+  #
+  # These will fail if they are dependend on by an unofficial pipeline since they use a unique task
+  # prefix compared to official pipelines (see eng/common/templates/1es-unofficial.yml). This is
+  # acceptable because unofficial pipelines should not publish images.
+  #
+  # https://github.com/dotnet/docker-tools/issues/1698 tracks making this command no longer depend
+  # on individual step displayNames.
   - script: >
       $(runImageBuilderCmd) postPublishNotification
       '$(publishNotificationRepoName)'
@@ -196,16 +205,16 @@ jobs:
       '$(gitHubNotificationsRepoInfo.org)'
       '$(gitHubNotificationsRepoInfo.repo)'
       --repo-prefix '$(publishRepoPrefix)'
-      --task "Copy Images (Authenticated)"
-      --task "Publish Manifest (Authenticated)"
-      --task "Wait for Image Ingestion (Authenticated)"
-      --task "Publish Readmes"
-      --task "Wait for MCR Doc Ingestion (Authenticated)"
-      --task "Publish Image Info"
-      --task "Ingest Kusto Image Info (Authenticated)"
-      --task "Generate EOL Annotation Data (Authenticated)"
-      --task "Annotate EOL Images (Authenticated)"
-      --task "Wait for Annotation Ingestion (Authenticated)"
+      --task "🟪 Copy Images (Authenticated)"
+      --task "🟪 Publish Manifest (Authenticated)"
+      --task "🟪 Wait for Image Ingestion (Authenticated)"
+      --task "🟪 Publish Readmes"
+      --task "🟪 Wait for MCR Doc Ingestion (Authenticated)"
+      --task "🟪 Publish Image Info"
+      --task "🟪 Ingest Kusto Image Info (Authenticated)"
+      --task "🟪 Generate EOL Annotation Data (Authenticated)"
+      --task "🟪 Annotate EOL Images (Authenticated)"
+      --task "🟪 Wait for Annotation Ingestion (Authenticated)"
       $(dryRunArg)
       $(imageBuilder.commonCmdArgs)
     displayName: Post Publish Notification

eng/common/templates/task-prefix-decorator.yml

@@ -0,0 +1,63 @@
+# This Azure Pipelines template is adds a prefix to the display name of each
+# task passed through the `stages` parameter. When used in conjunction with
+# an "extends" template which injects a lot of tasks into the pipeline, the
+# added prefix helps to identify which tasks were passed through this template
+# and which tasks were injected by the `baseTemplate`.
+#
+# This template assumes that `baseTemplate` uses the `stages` parameter. If it
+# doesn't, this template likely won't work as expected.
+
+parameters:
+# The pipeline will behave as if it were originally extended from this template,
+# except with updated task display names.
+- name: baseTemplate
+  type: string
+  default: ""
+
+# These parameters are passed directly to `baseTemplate`
+- name: templateParameters
+  type: object
+  default: null
+
+# These stages will be modified and passed to the `baseTemplate` as the
+# `stages` parameter. The
+- name: stages
+  type: stageList
+  default: []
+
+# This prefix will be added to the display name of each task.
+- name: taskPrefix
+  type: string
+  default: "🟪"
+
+
+extends:
+  template: ${{ parameters.baseTemplate }}
+  parameters:
+    ${{ insert }}: ${{ parameters.templateParameters }}
+    stages:
+    - ${{ each stage in parameters.stages }}:
+      - stage: ${{ stage.stage }}
+        ${{ each property in stage }}:
+          ${{ if notIn(property.key, 'stage', 'jobs') }}:
+            ${{ property.key }} : ${{ property.value }}
+        jobs:
+        - ${{ each job in stage.jobs }}:
+          - job: ${{ job.job }}
+            ${{ each property in job }}:
+              ${{ if notIn(property.key, 'job', 'steps') }}:
+                ${{ property.key }} : ${{ property.value }}
+            steps:
+            - ${{ each step in job.steps }}:
+              # Special case for Azure Pipelines checkout task:
+              # https://learn.microsoft.com/azure/devops/extend/develop/pipeline-decorator-context?view=azure-devops#task-names-and-guids
+              # The checkout task does not have a name - it is special and built directly into the agent.
+              # Avoid modifying the checkout task, or else it will show up in the UI as a task with no name.
+              - ${{ if contains(step.task, '6d15af64-176c-496d-b583-fd2ae21d4df4') }}:
+                - ${{ step }}
+              - ${{ else }}:
+                - task: ${{ step.task }}
+                  ${{ each property in step }}:
+                    ${{ if notIn(property.key, 'task', 'displayName') }}:
+                      ${{ property.key }} : ${{ property.value }}
+                  displayName: ${{ parameters.taskPrefix }} ${{ step.displayName }}

eng/common/templates/variables/docker-images.yml

@@ -1,5 +1,5 @@
 variables:
-  imageNames.imageBuilderName: mcr.microsoft.com/dotnet-buildtools/image-builder:2703271
+  imageNames.imageBuilderName: mcr.microsoft.com/dotnet-buildtools/image-builder:2708614
   imageNames.imageBuilder: $(imageNames.imageBuilderName)
   imageNames.imageBuilder.withrepo: imagebuilder-withrepo:$(Build.BuildId)-$(System.JobId)
   imageNames.testRunner: mcr.microsoft.com/dotnet-buildtools/prereqs:azurelinux3.0-docker-testrunner