Docker Tools / ImageBuilder Changelog

All breaking changes and new features in eng/docker-tools will be documented in this file.


2026-03-25: Manifest list creation moved to Post_Build

Manifest lists are now created during Post_Build instead of during Publish. They are copied to the publish registry via ACR import along with the platform images, rather than being recreated from scratch during publish.


2026-03-18: CG build template supports skipping .NET SDK installation

cg-build-projects.yml now accepts skipDotNetInstall (boolean, default false) and initSteps (stepList, default []) parameters. Setting skipDotNetInstall: true skips the built-in SDK installation. Setting initSteps will execute those custom steps at the beginning of the job.


2026-03-12: Service connection OIDC changes

setup-service-connections.yml has been removed. Azure DevOps no longer issues OIDC tokens for service connections referenced in a separate stage. Service connections are now referenced per-job via reference-service-connections.yml.

How to update:

  • Remove any serviceConnections parameters passed to 1es-official.yml or 1es-unofficial.yml - they are no longer accepted.
  • Remove any calls to setup-service-connections.yml from stage templates.
  • Non-registry service connections (e.g., kusto, marStatus) should be passed via additionalServiceConnections to the job templates that need them.

2026-03-04: Pre-build validation gated by preBuildTestScriptPath variable

The PreBuildValidation job condition now checks the new preBuildTestScriptPath variable instead of testScriptPath. This allows repos to independently control whether pre-build validation runs, without affecting functional tests.

The new variable defaults to $(testScriptPath), so existing repos that have pre-build tests are not affected. Repos that do not have pre-build tests can set preBuildTestScriptPath to "" to skip the job entirely.

Update (2026-03-11): Use preBuildTestScriptPath for test execution

The PreBuildValidation job now uses preBuildTestScriptPath for test execution instead of testScriptPath. Previously, the job condition was gated on preBuildTestScriptPath but the test execution step still used testScriptPath, which meant PreBuildValidation could not be enabled independently when testScriptPath was empty. Repos that do not have pre-build tests can set preBuildTestScriptPath to "" to skip the job entirely.


2026-02-19: Separate Registry Endpoints from Authentication

Authentication details (serviceConnection, resourceGroup, subscription) have been moved from individual registry endpoints into a centralized RegistryAuthentication list. This fixes an issue where ACR authentication could fail when multiple service connections existed for the same registry.

Before: Each registry endpoint embedded its own authentication:

publishConfig:
  BuildRegistry:
    server: $(acr.server)
    repoPrefix: "my-prefix/"
    resourceGroup: $(resourceGroup)
    subscription: $(subscription)
    serviceConnection:
      name: $(serviceConnectionName)
      id: $(serviceConnection.id)
      clientId: $(serviceConnection.clientId)
      tenantId: $(tenant)
  PublishRegistry:
    server: $(acr.server)
    repoPrefix: "publish/"
    resourceGroup: $(resourceGroup)
    subscription: $(subscription)
    serviceConnection:
      name: $(publishServiceConnectionName)
      id: $(publishServiceConnection.id)
      clientId: $(publishServiceConnection.clientId)
      tenantId: $(tenant)

After: Registry endpoints only contain server and repoPrefix. Authentication is centralized:

publishConfig:
  BuildRegistry:
    server: $(acr.server)
    repoPrefix: "my-prefix/"
  PublishRegistry:
    server: $(acr.server)
    repoPrefix: "publish/"
  RegistryAuthentication:
    - server: $(acr.server)
      resourceGroup: $(resourceGroup)
      subscription: $(subscription)
      serviceConnection:
        name: $(serviceConnectionName)
        id: $(serviceConnection.id)
        clientId: $(serviceConnection.clientId)
        tenantId: $(tenant)

How to update:

  • Update any publishConfig parameters to match the new structure.
    • Multiple registries can share authentication. If two registries use the same ACR server, only one entry is needed in RegistryAuthentication.
    • The new structure should match ImageBuilder's Configuration Model.
  • Update service connection setup (if using setup-service-connections.yml):
    • The template now supports looking up service connections from publishConfig.RegistryAuthentication
    • Use the new usesRegistries parameter to specify which registries need auth setup:
      - template: eng/docker-tools/templates/stages/setup-service-connections.yml
        parameters:
          publishConfig: ${{ variables.publishConfig }}
          usesRegistries:
            - $(buildRegistry.server)
            - $(publishRegistry.server)
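
The 2026-02-19 migration as an added example (not code from eng/docker-tools): a Python sketch that rewrites a publishConfig, already parsed into a dict and still in the old shape, into the new one. The name `migrate_publish_config` and the sample values are assumptions; because only one RegistryAuthentication entry is needed per server, it keeps the first authentication block seen and reports servers whose endpoints carried differing ones so they can be reviewed by hand.

```python
import copy

# Keys that moved from each registry endpoint into RegistryAuthentication.
AUTH_KEYS = ("resourceGroup", "subscription", "serviceConnection")

def migrate_publish_config(old):
    """Convert the old publishConfig shape to the new one.
    Returns (new_config, conflicts): conflicts lists servers whose endpoints
    carried differing auth blocks; the first block seen is kept.
    """
    new = {}
    auth_by_server = {}   # server -> auth entry, in first-seen order
    conflicts = []
    for name, value in old.items():
        # Only entries that look like registry endpoints are rewritten.
        if not (isinstance(value, dict) and "server" in value):
            new[name] = copy.deepcopy(value)
            continue
        endpoint = {k: copy.deepcopy(v) for k, v in value.items() if k not in AUTH_KEYS}
        new[name] = endpoint
        auth = {k: copy.deepcopy(value[k]) for k in AUTH_KEYS if k in value}
        if not auth:
            continue
        server = value["server"]
        entry = {"server": server, **auth}
        kept = auth_by_server.setdefault(server, entry)
        # Same server, different credentials: needs a manual decision.
        if kept != entry and server not in conflicts:
            conflicts.append(server)
    new["RegistryAuthentication"] = list(auth_by_server.values())
    return new, conflicts

# Constructed sample mirroring the "Before" block; values are placeholders.
SAMPLE_OLD = {
    "BuildRegistry": {
        "server": "$(acr.server)", "repoPrefix": "my-prefix/",
        "resourceGroup": "$(resourceGroup)", "subscription": "$(subscription)",
        "serviceConnection": {"name": "$(serviceConnectionName)"},
    },
    "PublishRegistry": {
        "server": "$(acr.server)", "repoPrefix": "publish/",
        "resourceGroup": "$(resourceGroup)", "subscription": "$(subscription)",
        "serviceConnection": {"name": "$(publishServiceConnectionName)"},
    },
}

if __name__ == "__main__":
    migrated, conflicts = migrate_publish_config(SAMPLE_OLD)
    print(migrated, "\nreview authentication for:", conflicts)
```

With the sample above, both endpoints point at the same server but name different service connections, so the server is returned in `conflicts` and the single kept entry is the build one.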