Update common Docker engineering infrastructure with latest

Author: dotnet-docker-bot

eng/docker-tools/CHANGELOG.md

@@ -4,6 +4,35 @@ All breaking changes and new features in `eng/docker-tools` will be documented i
 
 ---
 
+## 2026-04-02: Extra Docker build options can be passed through ImageBuilder
+
+- Pull request: [#2063](https://github.com/dotnet/docker-tools/pull/2063)
+
+ImageBuilder's `build` command now accepts repeated `--build-option` arguments and forwards them directly to
+`docker build`. This allows repos to pass options such as `--ulimit nofile=65536:65536` or `--network host`
+through `imageBuilderBuildArgs`, in addition to standard Dockerfile `--build-arg` values.
+
+**How to use:**
+
+```yaml
+customBuildInitSteps:
+- powershell: |
+    $args = '--build-option "--ulimit nofile=65536:65536"'
+    echo "##vso[task.setvariable variable=imageBuilderBuildArgs]$args"
+```
+
+Repeat `--build-option` for multiple Docker arguments, and quote values that contain spaces.
+
+---
+
+## 2026-03-25: Manifest list creation moved to Post_Build
+
+- Issue: [#2002](https://github.com/dotnet/docker-tools/issues/2002)
+
+Manifest lists are now created during `Post_Build` instead of during `Publish`. They are copied to the publish registry via ACR import along with the platform images, rather than being recreated from scratch during publish.
+
+---
+
 ## 2026-03-18: CG build template supports skipping .NET SDK installation
 
 - Issue: [#2029](https://github.com/dotnet/docker-tools/issues/2029)

eng/docker-tools/DEV-GUIDE.md

@@ -370,7 +370,7 @@ To force a rebuild regardless of cache state, set the `noCache` parameter to `tr
 
 ### Pattern: Adding Build Arguments
 
-Pass additional arguments to Docker builds via ImageBuilder:
+Pass Dockerfile `ARG` values via ImageBuilder:
 
 ```yaml
 customBuildInitSteps:
@@ -379,6 +379,15 @@ customBuildInitSteps:
     echo "##vso[task.setvariable variable=imageBuilderBuildArgs]$args"
 ```
 
+To pass raw options directly to `docker build`, use `--build-option`. Quote values that contain spaces:
+
+```yaml
+customBuildInitSteps:
+- powershell: |
+    $args = '--build-option "--ulimit nofile=65536:65536"'
+    echo "##vso[task.setvariable variable=imageBuilderBuildArgs]$args"
+```
+
 ### Pattern: Re-running Stages with `stages` and `sourceBuildPipelineRunId`
 
 A powerful pattern is combining the `stages` variable with the `sourceBuildPipelineRunId` pipeline parameter to run specific stages using artifacts from a previous build. This is useful for:

eng/docker-tools/skill-helpers/AzureDevOps.ps1

@@ -0,0 +1,74 @@
+#!/usr/bin/env pwsh
+# Lightweight wrapper for authenticated Azure DevOps REST API calls.
+# Uses `az account get-access-token` for bearer token auth.
+#
+# Usage:
+#   . ./AzureDevOps.ps1
+#   $response = Invoke-AzDORestMethod -Organization myorg -Project myproject `
+#       -Endpoint "pipelines/42/runs" -Method POST -Body @{ resources = @{} }
+
+$ErrorActionPreference = "Stop"
+
+function Get-AzDOAccessToken {
+    <#
+    .SYNOPSIS
+        Returns a bearer token for Azure DevOps.
+    #>
+
+    # Well-known Entra ID application ID for Azure DevOps
+    $tokenJson = az account get-access-token --resource "499b84ac-1321-427f-aa17-267ca6975798" 2>&1
+    if ($LASTEXITCODE -ne 0) {
+        throw "Failed to get access token. Run 'az login' first. Output: $tokenJson"
+    }
+
+    $parsed = $tokenJson | ConvertFrom-Json
+    return $parsed.accessToken
+}
+
+function Invoke-AzDORestMethod {
+    <#
+    .SYNOPSIS
+        Calls an Azure DevOps REST API endpoint with automatic authentication.
+    .PARAMETER Organization
+        Azure DevOps organization name (not the full URL).
+    .PARAMETER Project
+        Azure DevOps project name.
+    .PARAMETER Endpoint
+        API path after _apis/ (e.g. "pipelines/42/runs", "build/builds").
+    .PARAMETER Method
+        HTTP method. Defaults to GET.
+    .PARAMETER Body
+        Request body as a hashtable. Automatically converted to JSON.
+    .PARAMETER ApiVersion
+        API version. Defaults to 7.1.
+    #>
+    [CmdletBinding()]
+    param(
+        [Parameter(Mandatory)][string] $Organization,
+        [Parameter(Mandatory)][string] $Project,
+        [Parameter(Mandatory)][string] $Endpoint,
+        [string] $Method = "GET",
+        [hashtable] $Body,
+        [string] $ApiVersion = "7.1"
+    )
+
+    $token = Get-AzDOAccessToken
+    $headers = @{
+        Authorization  = "Bearer $token"
+        "Content-Type" = "application/json"
+    }
+
+    $uri = "https://dev.azure.com/$Organization/$Project/_apis/$($Endpoint)?api-version=$ApiVersion"
+
+    $params = @{
+        Uri     = $uri
+        Headers = $headers
+        Method  = $Method
+    }
+
+    if ($Body) {
+        $params.Body = $Body | ConvertTo-Json -Depth 10
+    }
+
+    return Invoke-RestMethod @params
+}

eng/docker-tools/skill-helpers/Get-BuildLog.ps1

@@ -0,0 +1,21 @@
+#!/usr/bin/env pwsh
+# Retrieves a build log by log ID.
+# Usage:
+#   ./Get-BuildLog.ps1 -Organization dnceng -Project internal -BuildId 12345 -LogId 47
+
+[CmdletBinding()]
+param(
+    [Parameter(Mandatory)][string] $Organization,
+    [Parameter(Mandatory)][string] $Project,
+    [Parameter(Mandatory)][int]    $BuildId,
+    [Parameter(Mandatory)][int]    $LogId
+)
+
+$ErrorActionPreference = "Stop"
+
+. "$PSScriptRoot/AzureDevOps.ps1"
+
+Invoke-AzDORestMethod `
+    -Organization $Organization `
+    -Project $Project `
+    -Endpoint "build/builds/$BuildId/logs/$LogId"

eng/docker-tools/skill-helpers/Show-BuildTimeline.ps1

@@ -0,0 +1,77 @@
+#!/usr/bin/env pwsh
+# Prints the build timeline as an indented tree with result indicators.
+# Usage:
+#   ./Show-BuildTimeline.ps1 -Organization dnceng -Project internal -BuildId 12345
+#   ./Show-BuildTimeline.ps1 -Organization dnceng -Project internal -BuildId 12345 -ShowAllTasks
+
+[CmdletBinding()]
+param(
+    [Parameter(Mandatory)][string] $Organization,
+    [Parameter(Mandatory)][string] $Project,
+    [Parameter(Mandatory)][int]    $BuildId,
+    [switch] $ShowAllTasks
+)
+
+$ErrorActionPreference = "Stop"
+
+. "$PSScriptRoot/AzureDevOps.ps1"
+
+$build = Invoke-AzDORestMethod `
+    -Organization $Organization `
+    -Project $Project `
+    -Endpoint "build/builds/$BuildId"
+
+Write-Host "# Build $BuildId - $($build.definition.name)"
+Write-Host ""
+Write-Host "- Status:  $($build.status) $(if ($build.result) { "($($build.result))" })"
+Write-Host "- Branch:  $($build.sourceBranch)"
+Write-Host "- Queued:  $($build.queueTime)"
+Write-Host "- URL:     $($build._links.web.href)"
+Write-Host ""
+
+$timeline = Invoke-AzDORestMethod `
+    -Organization $Organization `
+    -Project $Project `
+    -Endpoint "build/builds/$BuildId/timeline"
+
+$records = $timeline.records
+
+# Build a lookup of children grouped by parentId
+$childrenOf = @{}
+foreach ($record in $records) {
+    $parentId = $record.parentId
+    if (-not $parentId) { $parentId = "" }
+    if (-not $childrenOf.ContainsKey($parentId)) {
+        $childrenOf[$parentId] = [System.Collections.Generic.List[object]]::new()
+    }
+    $childrenOf[$parentId].Add($record)
+}
+
+# Sort children by order within each group
+foreach ($key in @($childrenOf.Keys)) {
+    $childrenOf[$key] = $childrenOf[$key] | Sort-Object { $_.order }
+}
+
+function Write-TimelineNode([string] $nodeId, [int] $depth) {
+    $children = $childrenOf[$nodeId]
+    if (-not $children) { return }
+
+    foreach ($child in $children) {
+        $isTask = $child.type -eq "Task"
+        $isFailing = $child.result -in @("failed", "canceled", "abandoned") -or $child.state -eq "inProgress"
+        if ($isTask -and -not $ShowAllTasks -and -not $isFailing) { continue }
+
+        $indent = "  " * $depth
+        $status = if ($child.result) { $child.result } else { $child.state }
+
+        $logId = $child.log.id
+        $logLabel = if ($logId) { " #$logId" } else { "" }
+        Write-Host "${indent}- $($child.type)$logLabel | $($child.name) | $status"
+        Write-TimelineNode $child.id ($depth + 1)
+    }
+}
+
+Write-Host "## Build Timeline"
+Write-Host ""
+Write-TimelineNode "" 0
+Write-Host ""

eng/docker-tools/templates/jobs/post-build.yml

@@ -20,6 +20,12 @@ jobs:
       dockerClientOS: linux
       customInitSteps: ${{ parameters.customInitSteps }}
       publishConfig: ${{ parameters.publishConfig }}
+  - ${{ if parameters.publishConfig }}:
+    - template: /eng/docker-tools/templates/steps/reference-service-connections.yml@self
+      parameters:
+        publishConfig: ${{ parameters.publishConfig }}
+        usesRegistries:
+          - ${{ parameters.publishConfig.BuildRegistry.server }}
   - template: /eng/docker-tools/templates/steps/download-build-artifact.yml@self
     parameters:
       targetPath: $(Build.ArtifactStagingDirectory)
@@ -75,6 +81,21 @@ jobs:
         $(manifestVariables)
     name: MergeImageInfoFiles
     displayName: Merge Image Info Files
+  - ${{ if parameters.publishConfig }}:
+    - template: /eng/docker-tools/templates/steps/run-imagebuilder.yml@self
+      parameters:
+        displayName: Create Manifest Lists
+        internalProjectName: ${{ parameters.internalProjectName }}
+        condition: and(succeeded(), ne(variables['MergeImageInfoFiles.noImageInfos'], 'true'), ne(variables['Build.Reason'], 'PullRequest'))
+        args: >-
+          createManifestList
+          '$(imageInfosContainerDir)$(imageInfosOutputSubDir)/image-info.json'
+          --repo-prefix '${{ parameters.publishConfig.BuildRegistry.repoPrefix }}'
+          --os-type '*'
+          --architecture '*'
+          --manifest '$(manifest)'
+          --registry-override '${{ parameters.publishConfig.BuildRegistry.server }}'
+          $(manifestVariables)
   - template: /eng/docker-tools/templates/steps/publish-artifact.yml@self
     parameters:
       condition: and(succeeded(), ne(variables['MergeImageInfoFiles.noImageInfos'], 'true'))

eng/docker-tools/templates/jobs/publish.yml

@@ -118,21 +118,6 @@ jobs:
         $(imageBuilder.pathArgs)
         $(imageBuilder.commonCmdArgs)
 
-  - template: /eng/docker-tools/templates/steps/run-imagebuilder.yml@self
-    parameters:
-      displayName: Publish Manifest
-      internalProjectName: ${{ parameters.internalProjectName }}
-      dockerClientOS: ${{ parameters.dockerClientOS }}
-      args: >-
-        publishManifest
-        '$(imageInfoContainerDir)/image-info.json'
-        --repo-prefix '${{ parameters.publishConfig.PublishRegistry.repoPrefix }}'
-        --os-type '*'
-        --architecture '*'
-        $(dryRunArg)
-        $(imageBuilder.pathArgs)
-        $(imageBuilder.commonCmdArgs)
-
   - template: /eng/docker-tools/templates/steps/publish-artifact.yml@self
     parameters:
       path: $(imageInfoHostDir)
@@ -256,6 +241,9 @@ jobs:
   #
   # https://github.com/dotnet/docker-tools/issues/1698 tracks making this command no longer depend
   # on individual step displayNames.
+  #
+  # Skipped for PR builds because manifest lists are not created in PR builds (see post-build.yml).
+  # Without manifest lists present in image-info.json, the postPublishNotification fails with a NRE.
   - script: >
       $(runImageBuilderCmd) postPublishNotification
       '$(publishNotificationRepoName)'
@@ -270,7 +258,6 @@ jobs:
       '$(gitHubNotificationsRepoInfo.repo)'
       --repo-prefix '${{ parameters.publishConfig.PublishRegistry.repoPrefix }}'
       --task "🟪 Copy Images"
-      --task "🟪 Publish Manifest"
       --task "🟪 Wait for Image Ingestion"
       --task "🟪 Publish Readmes"
       --task "🟪 Wait for MCR Doc Ingestion"
@@ -282,7 +269,7 @@ jobs:
       $(dryRunArg)
       $(imageBuilder.commonCmdArgs)
     displayName: Post Publish Notification
-    condition: and(always(), eq(variables['publishNotificationsEnabled'], 'true'))
+    condition: and(always(), eq(variables['publishNotificationsEnabled'], 'true'), ne(variables['Build.Reason'], 'PullRequest'))
 
   - powershell: |
       # Default to current build number if parameter was not overridden

eng/docker-tools/templates/variables/docker-images.yml

@@ -1,5 +1,5 @@
 variables:
-  imageNames.imageBuilderName: mcr.microsoft.com/dotnet-buildtools/image-builder:2928776
+  imageNames.imageBuilderName: mcr.microsoft.com/dotnet-buildtools/image-builder:2941471
   imageNames.imageBuilder: $(imageNames.imageBuilderName)
   imageNames.imageBuilder.withrepo: imagebuilder-withrepo:$(Build.BuildId)-$(System.JobId)
   imageNames.testRunner: mcr.microsoft.com/dotnet-buildtools/prereqs:azurelinux3.0-docker-testrunner