- Added MDS package version to AKV official build steps for Package mode.

paulmedynski · paulmedynski · commit 7d990490f295 · 2025-10-09T13:36:32.000-03:00
- Moved Roslyn analysis above build steps to avoid Roslyn clobbering artifacts.
- Removed obsolete code scanning.
diff --git a/eng/pipelines/akv-official-pipeline.yml b/eng/pipelines/akv-official-pipeline.yml
@@ -105,7 +105,8 @@ extends:
             roslyn:
                 enabled: ${{ parameters.runSdlTasks }}
                 break: true
-                # Requires RoslynAnalyzers task to be added after build task
+                # Requires RoslynAnalyzers task to be added somewhere in
+                # the build stage.
 
             publishLogs:
                 enabled: ${{ parameters.runSdlTasks }}
diff --git a/eng/pipelines/common/templates/jobs/build-signed-package-job.yml b/eng/pipelines/common/templates/jobs/build-signed-package-job.yml
@@ -49,12 +49,8 @@ jobs:
       configuration: $(Configuration)
       msbuildArguments: -t:BuildTools
 
-  # GOTCHA: This analysis step must run _before_ the build (below) step because
-  # it builds DLLs that would otherwise clobber the properly-versioned DLLs from
-  # the build step!
+  # Perform analysis before building, since this step will clobber build output
   - template: ../steps/code-analyze-step.yml@self
-    parameters:
-      analyzeType: all
   
   - template: ../steps/build-all-configurations-signed-dlls-step.yml@self
     parameters:
diff --git a/eng/pipelines/common/templates/steps/code-analyze-step.yml b/eng/pipelines/common/templates/steps/code-analyze-step.yml
@@ -3,40 +3,30 @@
 # The .NET Foundation licenses this file to you under the MIT license.          #
 # See the LICENSE file in the project root for more information.                #
 #################################################################################
-parameters:
-  - name: analyzeType
-    values:
-    - roslyn
-    - inspect
-    - all
 
+# This template defines a step to run Roslyn Analyzers on the MDS project build.
+# It uses the RoslynAnalyzers@3 task from the Secure Development Team's SDL
+# extension:
+#
+# https://eng.ms/docs/cloud-ai-platform/devdiv/one-engineering-system-1es/1es-mohanb/security-integration/guardian-wiki/sdl-azdo-extension/roslyn-analyzers-build-task
+#
+# GOTCHA: This step will clobber any existing build output.  It should be run
+# _before_ any build steps that perform versioning or signing.
+
+# @TODO: This can probably be made generic and pass in the command lines for msbuild
+#        BUT, they should be kept separate by now as we rebuild build.proj in parallel, we won't
+#        affect >1 project at a time.
+
+parameters:
   - name: sourceRoot
     type: string
     default: $(REPOROOT)
 
-  - name: packageRefMdsVersion
-    type: string
-    default: ''
-  
-  - name: product
-    default: MDS
-    values:
-    - MDS
-    - MSS
-
 steps:
-- ${{ if or(eq(parameters.analyzeType, 'roslyn'), eq(parameters.analyzeType, 'all')) }}:
-  - ${{ if eq(parameters.product, 'MDS') }}:
-    - task: securedevelopmentteam.vss-secure-development-tools.build-task-roslynanalyzers.RoslynAnalyzers@3
-      displayName: 'Guardian Dotnet Analyzers '
-      inputs:
-        msBuildVersion: 17.0
-        msBuildArchitecture: x64
-        setupCommandlinePicker: vs2022
-        msBuildCommandline: 'msbuild  ${{parameters.sourceRoot}}\build.proj -p:configuration=Release -p:GenerateNuget=false -p:BuildTools=false -p:SigningKeyPath=$(Agent.TempDirectory)\netfxKeypair.snk'
-
-- ${{ if or(eq(parameters.analyzeType, 'inspect'), eq(parameters.analyzeType, 'all')) }}:
-  - task: securedevelopmentteam.vss-secure-development-tools.build-task-codeinspector.CodeInspector@2
-    displayName: 'Run Code Inspector'
+  - task: securedevelopmentteam.vss-secure-development-tools.build-task-roslynanalyzers.RoslynAnalyzers@3
+    displayName: Roslyn Analyzers
     inputs:
-      LogLevel: Error
+      msBuildVersion: 17.0
+      msBuildArchitecture: x64
+      setupCommandlinePicker: vs2022
+      msBuildCommandline: 'msbuild  ${{parameters.sourceRoot}}\build.proj -p:configuration=Release -p:GenerateNuget=false -p:BuildTools=false -p:SigningKeyPath=$(Agent.TempDirectory)\netfxKeypair.snk'
diff --git a/eng/pipelines/jobs/build-akv-official-job.yml b/eng/pipelines/jobs/build-akv-official-job.yml
@@ -5,6 +5,9 @@
 #################################################################################
 
 parameters:
+    - name: akvAssemblyFileVersion
+      type: string
+
     - name: akvPackageVersion
       type: string
 
@@ -13,9 +16,6 @@ parameters:
       
     - name: apiScanPdbPath
       type: string
-    
-    - name: assemblyFileVersion
-      type: string
 
     - name: buildConfiguration
       type: string
@@ -86,11 +86,20 @@ jobs:
                 $jsonParams | ConvertFrom-Json | Format-List
             displayName: 'Output Job Parameters'
 
-          - template: ../steps/compound-build-akv-step.yml@self
+          # Perform analysis before building, since this step will clobber build
+          # output
+          - template: ../steps/roslyn-analyzers-akv-step.yml@self
             parameters:
-                assemblyFileVersion: '${{ parameters.assemblyFileVersion }}'
+                akvPackageVersion: '${{ parameters.akvPackageVersion }}'
                 buildConfiguration: '${{ parameters.buildConfiguration }}'
+                mdsPackageVersion: '${{ parameters.mdsPackageVersion }}'
+
+          - template: ../steps/compound-build-akv-step.yml@self
+            parameters:
+                akvAssemblyFileVersion: '${{ parameters.akvAssemblyFileVersion }}'
                 akvPackageVersion: '${{ parameters.akvPackageVersion }}'
+                buildConfiguration: '${{ parameters.buildConfiguration }}'
+                mdsPackageVersion: '${{ parameters.mdsPackageVersion }}'
                 
           - ${{ each targetFramework in parameters.targetFrameworks }}:  
               - template: ../steps/compound-extract-akv-apiscan-files-step.yml
@@ -101,11 +110,6 @@ jobs:
                     referenceType: Package
                     targetFramework: '${{ targetFramework }}'
 
-          - template: ../steps/roslyn-analyzers-akv-step.yml@self
-            parameters:
-                buildConfiguration: '${{ parameters.buildConfiguration }}'
-                akvPackageVersion: '${{ parameters.akvPackageVersion }}'
-
           - template: ../steps/compound-esrp-code-signing-step.yml@self
             parameters:
                 appRegistrationClientId: '${{ parameters.signingAppRegistrationClientId }}'
diff --git a/eng/pipelines/steps/compound-build-akv-step.yml b/eng/pipelines/steps/compound-build-akv-step.yml
@@ -10,15 +10,18 @@
 # @TODO: mdsPackageVersion should not be used for MDS package version
 
 parameters:
-    - name: akvPackageVersion
+    - name: akvAssemblyFileVersion
       type: string
 
-    - name: assemblyFileVersion
+    - name: akvPackageVersion
       type: string
 
     - name: buildConfiguration
       type: string
 
+    - name: mdsPackageVersion
+      type: string
+
 steps:
     - task: DownloadSecureFile@1
       displayName: 'Download Signing Key'
@@ -32,21 +35,16 @@ steps:
           packageType: 'sdk'
           version: '9.x'
 
-    - task: UseDotNet@2
-      displayName: 'Install .NET 8.x Runtime'
-      inputs:
-          packageType: 'runtime'
-          version: '8.x'
-
     - task: MSBuild@1
       displayName: 'Build.proj - BuildAkv'
       inputs:
           solution: '$(REPO_ROOT)/build.proj'
           configuration: '${{ parameters.buildConfiguration }}'
           msbuildArguments: >-
               -t:BuildAkv
-              -p:AssemblyFileVersion=${{ parameters.assemblyFileVersion }}
+              -p:AssemblyFileVersion=${{ parameters.akvAssemblyFileVersion }}
               -p:AkvPackageVersion=${{ parameters.akvPackageVersion }}
+              -p:MdsPackageVersion=${{ parameters.mdsPackageVersion }}
               -p:ReferenceType=Package
               -p:SigningKeyPath=$(Agent.TempDirectory)/netfxKeypair.snk
               
diff --git a/eng/pipelines/steps/roslyn-analyzers-akv-step.yml b/eng/pipelines/steps/roslyn-analyzers-akv-step.yml
@@ -4,6 +4,15 @@
 # See the LICENSE file in the project root for more information.                #
 #################################################################################
 
+# This template defines a step to run Roslyn Analyzers on the AKV project build.
+# It uses the RoslynAnalyzers@3 task from the Secure Development Team's SDL
+# extension:
+#
+# https://eng.ms/docs/cloud-ai-platform/devdiv/one-engineering-system-1es/1es-mohanb/security-integration/guardian-wiki/sdl-azdo-extension/roslyn-analyzers-build-task
+#
+# GOTCHA: This step will clobber any existing build output.  It should be run
+# _before_ any build steps that perform versioning or signing.
+
 # @TODO: This can probably be made generic and pass in the command lines for msbuild
 #        BUT, they should be kept separate by now as we rebuild build.proj in parallel, we won't
 #        affect >1 project at a time.
@@ -15,6 +24,9 @@ parameters:
     - name: buildConfiguration
       type: string
 
+    - name: mdsPackageVersion
+      type: string
+
 steps:
     - task: securedevelopmentteam.vss-secure-development-tools.build-task-roslynanalyzers.RoslynAnalyzers@3
       displayName: 'Roslyn Analyzers'
@@ -26,6 +38,7 @@ steps:
               -t:BuildAkv
               -p:Configuration=${{ parameters.buildConfiguration }}
               -p:AkvPackageVersion=${{ parameters.akvPackageVersion }}
+              -p:MdsPackageVersion=${{ parameters.mdsPackageVersion }}
               -p:ReferenceType=Package
           msBuildVersion: 17.0
           setupCommandLinePicker: vs2022
diff --git a/eng/pipelines/variables/akv-official-variables.yml b/eng/pipelines/variables/akv-official-variables.yml
@@ -35,7 +35,7 @@ variables:
       value: '-preview1'
 
     # Compound Variables ---------------------------------------------------
-    - name: assemblyFileVersion
+    - name: akvAssemblyFileVersion
       value: '${{ variables.versionMajor }}.${{ variables.versionMinor }}${{ variables.versionPatch }}.$(Build.BuildNumber)'
     - name: akvPackageVersion
       value: '${{ variables.versionMajor }}.${{ variables.versionMinor }}.${{ variables.versionPatch }}${{ variables.versionPreview }}'
diff --git a/tools/props/Versions.props b/tools/props/Versions.props
@@ -31,6 +31,10 @@
       specific to MDS, and then used in the MDS project.  As-is, these names are
       used by the build tooling and may be unintentionally included in other
       (non-MDS) projects.
+
+      For example, the AKV package uses the AssemblyVersion, FileVersion, and
+      Version as its own.  It currently isn't possible to build/package both
+      MDS and AKV at the same time.
     -->
 
     <!--
