Skip to content

Use ESRP to release server.json files #2359

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
hallipr wants to merge 3 commits into
base: main
Choose a base branch
from
+37 −1,066
Open

Use ESRP to release server.json files #2359

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
08830de
Use ESRP to release server.json files
hallipr Apr 7, 2026
2b4e79f
Remove unused server.json publishing powershell scripts
hallipr Apr 7, 2026
d236839
Change display on ESRP task and use v11
hallipr Apr 7, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
49 changes: 35 additions & 14 deletions .../templates/jobs/update-mcp-repository.yml → ...jobs/mcp-registry/release-server-json.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -53,18 +53,39 @@ jobs:
-BuildInfoPath '$(Pipeline.Workspace)/build_info/build_info.json'
-NuGetFeedIndexUrl '${{ parameters.NuGetFeedIndexUrl }}'

- task: AzureCLI@2
displayName: 'Build go tool and publish server.json'
- pwsh: |
$serverJsonPath = '$(Pipeline.Workspace)/build_info/${{ parameters.ServerName }}/server.json'
Write-Host "Contents of server.json before staging:"
Get-Content -Path $serverJsonPath | Write-Host

$stagingDirectory = '$(Build.ArtifactStagingDirectory)'
New-Item -ItemType Directory -Path $stagingDirectory -ErrorAction SilentlyContinue | Out-Null
Copy-Item -Path $serverJsonPath -Destination $stagingDirectory
Copy link
Copy Markdown
Contributor

@jongio jongio Apr 8, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[LOW] Staging server.json directly to $(Build.ArtifactStagingDirectory) root. The pypi release template isolates files into a dedicated subdirectory before handing to ESRP to prevent unintended files from being released. Low risk right now since this is the only copy operation, but a subdirectory would be safer as the job evolves.


Write-Host "Staged server.json to $stagingDirectory"
displayName: 'Stage server.json for release'

- task: 1ES.PublishPipelineArtifact@1
displayName: Publish Server.json artifact
inputs:
azureSubscription: 'Azure SDK Engineering System'
scriptType: 'pscore'
scriptLocation: 'scriptPath'
scriptPath: $(Build.SourcesDirectory)/eng/scripts/Deploy-ServerJson.ps1
arguments: >
-ServerJsonPath: '$(Pipeline.Workspace)/build_info/${{ parameters.ServerName }}/server.json'
-ServerName '${{ parameters.ServerName }}'
-BuildInfoPath '$(Pipeline.Workspace)/build_info/build_info.json'
-KeyVaultName 'azuresdkengkeyvault'
-KeyVaultKeyName 'mcp-registry'
env:
AZURE_TOKEN_CREDENTIALS: 'AzureCLICredential' # Have DefaultAzureCredential use the AzureCLI credential
path: $(Build.ArtifactStagingDirectory)
artifact: server.json_${{ parameters.ServerName }}

- task: ESRPRelease@11
Copy link
Copy Markdown
Contributor

@jongio jongio Apr 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[MEDIUM] This ESRP task runs in a regular job:, but every other ESRP release in this repo (release-npm.yml, release-pypi.yml) uses a deployment: job with templateContext: { type: releaseJob, isProduction: true } and environment: package-publish. In 1ES pipelines, ESRP service connections are typically only injected for releaseJob contexts. The CI failure on "Release Publish server.json to MCP Repository" is likely related.

Consider switching to deployment: type to match the npm/pypi pattern - this would involve adding templateContext, environment: package-publish, and wrapping steps under strategy: runOnce: deploy: steps:.

displayName: Publish server.json to MCP Repository
inputs:
ConnectedServiceName: 'Azure SDK PME Managed Identity'
ClientId: '5f81938c-2544-4f1f-9251-dd9de5b8a81b'
DomainTenantId: '975f013f-7f24-47e8-a7d3-abc4752bf346'
UseManagedIdentity: true
KeyVaultName: 'kv-azuresdk-codesign'
SignCertName: 'azure-sdk-esrp-release-certificate'
Intent: 'PackageDistribution'
ContentType: 'mcpregistry'
ContentSource: 'Folder'
FolderLocation: '$(Build.ArtifactStagingDirectory)'
Owners: ${{ coalesce(variables['Build.RequestedForEmail'], 'azuresdk@microsoft.com') }}
Approvers: ${{ coalesce(variables['Build.RequestedForEmail'], 'azuresdk@microsoft.com') }}
ServiceEndpointUrl: 'https://api.esrp.microsoft.com'
MainPublisher: 'ESRPRELPACMANTEST'
ProductState: latest
4 changes: 2 additions & 2 deletions eng/pipelines/templates/jobs/release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -90,8 +90,8 @@ jobs:
DeploymentEnvironment: 'public'
ServerName: ${{ parameters.ServerName }}
DependsOn: TagRepository

- template: /eng/pipelines/templates/jobs/update-mcp-repository.yml
- template: /eng/pipelines/templates/jobs/mcp-registry/release-server-json.yml
parameters:
ServerName: ${{ parameters.ServerName }}
PackageMCPB: ${{ parameters.PackageMCPB }}
Expand Down
142 changes: 0 additions & 142 deletions eng/scripts/Deploy-ServerJson.ps1
View file
Open in desktop

This file was deleted.

Loading
Loading