[ci] Support stable publishing and passwordless auth for darc/maestro (…

…#20914)

Context: dotnet/android#9164

We've seen the build promotion pipeline fail when trying to publish
stable package versions:

    error : Package 'Microsoft.iOS.Ref.net8.0_17.5' has stable version '17.5.8001' but is targeted at a non-isolated feed 'https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet8/nuget/v3/index.json'

This is because we were not declaring these packages as stable when
building the build asset registry manifest.

Fix this by passing the `$NUGET_PRERELEASE_IDENTIFIER` variable to the
build asset manifest creation task to determine if a build is stable.

When `$(IsStableBuild)` is set to true, packages will be pushed to an
isolated feed during publishing, such as:

      Package [email protected] (Shipping) should go to https://pkgs.dev.azure.com/dnceng/public/_packaging/darc-pub-dotnet-android-b8317b6f/nuget/v3/index.json (Isolated, Public)

Additionally migrates darc/maestro commands to use a passwordless auth flow,
as token-based authentication will be removed in the future.

dotnet/Makefile

@@ -135,6 +135,9 @@ $(foreach platform,$(DOTNET_PLATFORMS),$(eval $(call VersionsTemplate,$(platform
 
 version-props: $(foreach platform,$(DOTNET_PLATFORMS),targets/Microsoft.$(platform).Sdk.Versions.props)
 
+setup-publish-bar-manifest: version-props
+	echo \#\#vso[task.setvariable variable=PrereleaseIdentifier]$(NUGET_PRERELEASE_IDENTIFIER)
+
 define AutoImports
 Microsoft.$(1).Sdk/Sdk/AutoImport.props: targets/AutoImport.template.props Makefile
 	$(Q) rm -f $$@.tmp

dotnet/package/common.csproj

@@ -112,12 +112,14 @@
     </Content>
   </ItemGroup>
 
-  <!-- https://github.com/dotnet/arcade/blob/efc3da96e5ac110513e92ebd9ef87c73f44d8540/Documentation/DependencyFlowOnboardingWithoutArcade.md -->
+  <!-- https://github.com/dotnet/arcade/blob/00d6decc59f5030c2399a64fd3e4f6e8e11bacca/Documentation/DependencyFlowOnboardingWithoutArcade.md -->
   <Target Name="PushManifestToBuildAssetRegistry" >
     <PropertyGroup>
       <ArtifactsLogDir>$(BarManifestOutputPath)</ArtifactsLogDir>
       <AssetManifestFileName>Assets.xml</AssetManifestFileName>
       <AssetManifestPath>$(ArtifactsLogDir)AssetManifest\$(AssetManifestFileName)</AssetManifestPath>
+      <IsStableBuild Condition=" '$(PrereleaseIdentifier)' == '' ">true</IsStableBuild>
+      <IsStableBuild Condition=" '$(PrereleaseIdentifier)' != '' ">false</IsStableBuild>
     </PropertyGroup>
 
     <Error Condition="Exists($(AssetManifestPath))" Text="The manifest file '$(AssetManifestPath)' already exists." />
@@ -140,8 +142,9 @@
       <ManifestBuildData Include="AzureDevOpsBranch=$(BUILD_SOURCEBRANCH)" />
     </ItemGroup>
 
-    <PushToAzureDevOpsArtifacts
+    <PushToBuildStorage
         ItemsToPush="@(ItemsToPush)"
+        IsStableBuild="$(IsStableBuild)"
         ManifestBuildData="@(ManifestBuildData)"
         ManifestRepoUri="$(BUILD_REPOSITORY_NAME)"
         ManifestBranch="$(BUILD_SOURCEBRANCH)"

eng/Version.Details.xml

@@ -70,9 +70,9 @@
     </Dependency>
   </ProductDependencies>
   <ToolsetDependencies>
-    <Dependency Name="Microsoft.DotNet.Build.Tasks.Feed" Version="8.0.0-beta.24225.1">
+    <Dependency Name="Microsoft.DotNet.Build.Tasks.Feed" Version="9.0.0-beta.24408.2">
       <Uri>https://github.com/dotnet/arcade</Uri>
-      <Sha>67d23f4ba1813b315e7e33c71d18b63475f5c5f8</Sha>
+      <Sha>60ae233c3d77f11c5fdb53e570b64d503b13ba59</Sha>
     </Dependency>
     <Dependency Name="Microsoft.TemplateEngine.Tasks" Version="7.0.100-alpha.1.21601.1">
       <Uri>https://github.com/dotnet/templating</Uri>

eng/Versions.props

@@ -6,7 +6,7 @@
     <MicrosoftDotnetSdkInternalPackageVersion>8.0.109-servicing.24407.6</MicrosoftDotnetSdkInternalPackageVersion>
     <MicrosoftNETILLinkTasksPackageVersion>8.0.7</MicrosoftNETILLinkTasksPackageVersion>
     <MicrosoftNETILLinkPackageVersion>8.0.0-rtm.23524.7</MicrosoftNETILLinkPackageVersion>
-    <MicrosoftDotNetBuildTasksFeedPackageVersion>8.0.0-beta.24225.1</MicrosoftDotNetBuildTasksFeedPackageVersion>
+    <MicrosoftDotNetBuildTasksFeedPackageVersion>9.0.0-beta.24408.2</MicrosoftDotNetBuildTasksFeedPackageVersion>
     <MicrosoftDotNetSharedFrameworkSdkVersion>8.0.0-beta.24413.2</MicrosoftDotNetSharedFrameworkSdkVersion>
     <MicrosoftNETCoreAppRefPackageVersion>8.0.7</MicrosoftNETCoreAppRefPackageVersion>
     <MicrosoftNETWorkloadEmscriptenCurrentManifest80100TransportVersion>8.0.0-rtm.23511.3</MicrosoftNETWorkloadEmscriptenCurrentManifest80100TransportVersion>

tools/devops/automation/templates/release/vs-insertion-prep.yml

@@ -136,8 +136,6 @@ stages:
         value: $[ stageDependencies.configure_build.configure.outputs['configure_platforms.INCLUDE_DOTNET_MACOS'] ]
       - name: INCLUDE_DOTNET_TVOS
         value: $[ stageDependencies.configure_build.configure.outputs['configure_platforms.INCLUDE_DOTNET_TVOS'] ]
-      - ${{ if eq(parameters.isPR, false) }}:
-        - group: Publish-Build-Assets
       pool:
         name: AzurePipelines-EO
         demands:
@@ -148,6 +146,12 @@ stages:
           New-Item -Path "$(System.DefaultWorkingDirectory)/xamarin-macios/tools/devops/governance" -Name "CredScanSuppressions.json" -Value '{"tool":"Crendential Scanner", "supressions":[]}'
         displayName: Create credscan dummy ignore file
 
+      - task: UseDotNet@2
+        displayName: Install .NET 9.x
+        inputs:
+          version: 9.x
+          includePreviewVersions: true
+
       - task: DownloadPipelineArtifact@2
         inputs:
           artifactName: DropMetadata-shipping-nugets
@@ -168,47 +172,58 @@ stages:
           buildNumber: $(ReleaseDropPrefix)/nugets
           destinationPath: $(Build.StagingDirectory)\nuget-signed
 
-      - script: make -C $(Build.SourcesDirectory)/dotnet version-props
-        displayName: make version props
+      - script: make -C $(Build.SourcesDirectory)/dotnet setup-publish-bar-manifest
+        displayName: make setup-publish-bar-manifest
 
-      - powershell: |
-          $varMap = @{ "INCLUDE_DOTNET_IOS" = "iOS"; "INCLUDE_DOTNET_MACCATALYST" = "MacCatalyst"; "INCLUDE_DOTNET_MACOS" = "macOS"; "INCLUDE_DOTNET_TVOS" = "tvOS" }
+      - pwsh: |
+          gci env: | format-table -autosize -wrap
+          Get-ChildItem -Name -Recurse -Path $(Build.StagingDirectory)
+          $varMap = [ordered]@{ "INCLUDE_DOTNET_IOS" = "iOS"; "INCLUDE_DOTNET_MACCATALYST" = "MacCatalyst"; "INCLUDE_DOTNET_MACOS" = "macOS"; "INCLUDE_DOTNET_TVOS" = "tvOS" }
           foreach ($varName in $varMap.Keys) {
               if ([Environment]::GetEnvironmentVariable($varName)) {
+                  Write-Host "Variable '$varName' was set, setting MaestroProjectPlatformName to '$($varMap[$varName])'"
                   Write-Host "##vso[task.setvariable variable=MaestroProjectPlatformName]$($varMap[$varName])"
                   exit 0;
               }
           }
         displayName: Set maestro project variable
 
-      - task: DotNetCoreCLI@2
+      - task: AzureCLI@2
         displayName: generate and publish BAR manifest
         inputs:
-          projects: $(Build.SourcesDirectory)/dotnet/package/Microsoft.$(MaestroProjectPlatformName).Ref/package.csproj
-          arguments: >-
+          azureSubscription: "Darc: Maestro Production"
+          scriptType: pscore
+          scriptLocation: inlineScript
+          inlineScript: >-
+            dotnet build $(Build.SourcesDirectory)\dotnet\package\Microsoft.$(MaestroProjectPlatformName).Ref\package.csproj
             -t:PushManifestToBuildAssetRegistry
-            -p:BuildAssetRegistryToken=$(MaestroAccessToken)
-            -p:NupkgPath=$(Build.StagingDirectory)/nuget-signed
-            -bl:$(Build.ArtifactStagingDirectory)/maestro-binlogs/generate-bar-manifest.binlog
+            -p:NupkgPath=$(Build.StagingDirectory)\nuget-signed
+            -p:PrereleaseIdentifier=$(PrereleaseIdentifier)
+            -bl:$(Build.StagingDirectory)\maestro-binlogs\generate-bar-manifest.binlog
           workingDirectory: $(Build.SourcesDirectory)\..
         condition: and(succeeded(), eq('${{ parameters.pushNugetsToMaestro }}', 'true'))
 
-      - powershell: |
-          $versionEndpoint = 'https://maestro.dot.net/api/assets/darc-version?api-version=2019-01-16'
-          $darcVersion = $(Invoke-WebRequest -Uri $versionEndpoint -UseBasicParsing).Content
-          $arcadeServicesSource = 'https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-eng/nuget/v3/index.json'
-          & dotnet tool update microsoft.dotnet.darc --version "$darcVersion" --add-source "$arcadeServicesSource" --tool-path $(Agent.ToolsDirectory)\darc -v n
-          & $(Agent.ToolsDirectory)\darc\darc add-build-to-channel --default-channels --id $(BARBuildId) --publishing-infra-version 3 --password $(MaestroAccessToken) --azdev-pat $(publishing-dnceng-devdiv-code-r-build-re)
+      - task: AzureCLI@2
+        inputs:
+          azureSubscription: "Darc: Maestro Production"
+          scriptType: pscore
+          scriptLocation: inlineScript
+          inlineScript: |
+            $versionEndpoint = 'https://maestro.dot.net/api/assets/darc-version?api-version=2019-01-16'
+            $darcVersion = $(Invoke-WebRequest -Uri $versionEndpoint -UseBasicParsing).Content
+            $arcadeServicesSource = 'https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-eng/nuget/v3/index.json'
+            & dotnet tool update microsoft.dotnet.darc --version "$darcVersion" --add-source "$arcadeServicesSource" --tool-path $(Agent.ToolsDirectory)\darc -v n
+            & $(Agent.ToolsDirectory)\darc\darc add-build-to-channel --default-channels --id $(BARBuildId) --ci --publishing-infra-version 3 --azdev-pat $(System.AccessToken)
+          # We can't use the global.json located in the root of our repo, because makes it required to use the exact .NET version we're referencing in our eng/Versions.Details.xml file.
+          # So in order to not use it, we set the working directory to the parent directory of xamarin-macios.
+          workingDirectory: $(Build.SourcesDirectory)\..
         displayName: Add builds to default darc channel
-        # We can't use the global.json located in the root of our repo, because makes it required to use the exact .NET version we're referencing in our eng/Versions.Details.xml file.
-        # So in order to not use it, we set the working directory to the parent directory of xamarin-macios.
-        workingDirectory: $(Build.SourcesDirectory)\..
         condition: and(succeeded(), eq('${{ parameters.pushNugetsToMaestro }}', 'true'))
 
       - task: 1ES.PublishPipelineArtifact@1
         displayName: 'Publish Artifact: maestro-binlogs'
         inputs:
-          path: $(Build.ArtifactStagingDirectory)/maestro-binlogs
+          path: $(Build.StagingDirectory)\maestro-binlogs
           artifact: ${{ parameters.uploadPrefix }}maestro-binlogs-$(System.JobAttempt)
         condition: and(succeededOrFailed(), eq('${{ parameters.pushNugetsToMaestro }}', 'true'))
         continueOnError: true