[release/v7.4.15] Download PMC Packages through TemplateContext #27330
Merged
jshigetomi merged 2 commits into PowerShell:release/v7.4.15 from Apr 22, 2026
Co-authored-by: Justin Chung <chungjustin@microsoft.com>
SeeminglyScience
approved these changes
Apr 22, 2026
Pull request overview
Backport to release/v7.4.15 that updates the PMC (packages.microsoft.com) publish flow to avoid legacy artifact download tasks that are now disallowed in the Ev2 environment, by switching artifact retrieval to templateContext.inputs and enabling a NonOfficial dry-run path.
Changes:
- Refactors PMC publish and EV2 prep templates to download pipeline artifacts via `templateContext.inputs` (replacing explicit download steps/tasks).
- Parameterizes the PMC publish stage (environment selection, stage prefix, and an option to skip the Ev2 push for validations).
- Updates the NonOfficial release pipeline to run a publish-stage dry run (`skipEv2Push: true`) to validate the new artifact download behavior.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| .pipelines/templates/release-publish-pmc.yml | Adds parameters and switches artifact download to templateContext.inputs, with optional Ev2 push skipping. |
| .pipelines/templates/release-prep-for-ev2.yml | Moves PSPackagesOfficial artifact downloads to templateContext.inputs and updates copy logic accordingly; adds TSA SDL config var. |
| .pipelines/PowerShell-Release-Official-Azure.yml | Adjusts TSA options file path for the OneBranch globalSdl configuration. |
| .pipelines/NonOfficial/PowerShell-Release-Azure-NonOfficial.yml | Adjusts TSA options file path and adds a publish-stage dry-run invocation of the PMC publish template. |
| - name: ob_sdl_credscan_suppressionsFile | ||
| value: $(Build.SourcesDirectory)/PowerShell/.config/suppress.json | ||
| - name: ob_sdl_tsa_configFile | ||
| value: $(Build.SourcesDirectory)/PowerShell/.config/tsaoptions.json |
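
Review bot: the `ob_sdl_credscan_suppressionsFile` value in these lines uses forward slashes (`$(Build.SourcesDirectory)/PowerShell/.config/suppress.json`), while the Merge Conflicts section of the description says the backport kept the release branch's backslash form for that variable in `.pipelines/templates/release-prep-for-ev2.yml`. If these lines come from that file, the path or the description should be corrected so the two agree. The newly added `ob_sdl_tsa_configFile` points at `.config/tsaoptions.json`; please confirm that file exists at that location on release/v7.4.15, since nothing in the visible lines shows it.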
Backport of #27326 to release/v7.4.15
Triggered by @jshigetomi on behalf of @jshigetomi
Original CL Label: CL-BuildPackaging
/cc @PowerShell/powershell-maintainers
Impact
REQUIRED: Choose either Tooling Impact or Customer Impact (or both). At least one checkbox must be selected.
Tooling Impact
Required tooling change. Modifies the Azure DevOps release pipeline templates that publish PowerShell packages to PMC (packages.microsoft.com) via Ev2. Without this change, the v7.4.15 release pipeline cannot publish packages because the Ev2 environment has disallowed the previously-used DownloadPipelineArtifact task in the publish stage. The PR migrates artifact download to `templateContext.inputs`, parameterizes the publish stage (releaseEnvironment / approvalServiceEnvironment / stagePrefix / skipEv2Push), and adds a NonOfficial dry-run path that validates the new artifact download approach without performing the actual Ev2 push.
Customer Impact
Regression
REQUIRED: Check exactly one box.
This is not a regression.
Testing
Verified by:
- release/v7.4.15 (one trivial conflict resolved — see Merge Conflicts section).
- `templateContext.inputs` artifact entries, both SDL variables (`ob_sdl_credscan_suppressionsFile`, `ob_sdl_tsa_configFile`), removal of legacy `- download: PSPackagesOfficial` steps, and correct pwsh copy logic using `$(Pipeline.Workspace)` directly.
- `templateContext.inputs` artifact download with `skipEv2Push: true`).

Functional verification of PMC publishing will happen during the actual v7.4.15 release using the publish stage with production parameters.
Risk
REQUIRED: Check exactly one box.
High risk because this modifies the release publishing pipeline (Ev2 push to PMC) on the live release branch. However, not taking this change blocks the v7.4.15 PMC release entirely — the Ev2 pipeline has disallowed the previous DownloadArtifacts task, so the existing pipeline cannot run. The change has been validated in master and is the explicit reason the original PR was authored ("PR was made to unblock 7.4.15 and 7.6.1 PMC releases"). Note: original PR currently has `Backport-7.4.x-Consider` (not Approved) — proceeding at user request given the unblock-release justification stated in the PR body.
Merge Conflicts
Single conflict in `.pipelines/templates/release-prep-for-ev2.yml` at the `ob_sdl_credscan_suppressionsFile` variable. The PR changed this path from backslashes to forward slashes AND added a new `ob_sdl_tsa_configFile` variable. Resolution: kept the release branch's existing backslash path for `ob_sdl_credscan_suppressionsFile` (no functional change to that var on this branch) and added the new `ob_sdl_tsa_configFile` variable as introduced by the PR. All other hunks (`templateContext.inputs` block, removed `- download: PSPackagesOfficial` steps, updated pwsh copy logic) applied cleanly.
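
The Testing section above describes checking a template for `templateContext.inputs` artifact entries and for the removal of legacy download steps. The following is an added example of automating that check, not code from this PR or the PowerShell repository. The sample templates, the `drop_example` artifact name, the `publish` job name and the `input: pipelineArtifact` entry shape are constructed assumptions.

```python
import re

# Legacy download forms named in the PR description: the step and the task.
LEGACY = re.compile(r"^\s*-\s*(download:\s*\S+|task:\s*Download\w*Artifacts?@\d+)")
ARTIFACT = re.compile(r"^\s*(?:-\s*)?artifactName:\s*(\S+)")

def find_legacy_downloads(text):
    return [(no, m.group(1)) for no, line in enumerate(text.splitlines(), 1)
            if (m := LEGACY.match(line))]

def declared_inputs(text):
    """Return artifactName values listed under templateContext -> inputs."""
    names, ctx, inp = [], None, None  # indents of the open blocks, else None
    for line in text.splitlines():
        key = line.strip()
        if not key or key.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if ctx is not None and indent <= ctx:
            ctx = inp = None  # left the templateContext block
        if inp is not None and indent <= inp and not key.startswith("-"):
            inp = None  # sibling key of inputs, e.g. outputs:
        if key == "templateContext:":
            ctx = indent
        elif ctx is not None and key == "inputs:":
            inp = indent
        elif inp is not None and (m := ARTIFACT.match(line)):
            names.append(m.group(1))
    return names

def audit(text):
    legacy, inputs = find_legacy_downloads(text), declared_inputs(text)
    return {"legacy": legacy, "inputs": inputs, "ok": not legacy and bool(inputs)}

# Constructed samples; the artifact name and job name are placeholders.
BEFORE = """steps:
- download: PSPackagesOfficial
- task: DownloadPipelineArtifact@2
"""
AFTER = """jobs:
- job: publish
  templateContext:
    inputs:
    - input: pipelineArtifact
      artifactName: drop_example
  steps:
  - pwsh: Copy-Item $(Pipeline.Workspace)/drop_example/* out
"""

if __name__ == "__main__":
    print(audit(BEFORE), audit(AFTER), sep="\n")
```

The scan is line-based, so it only recognises block-style YAML; a template that uses flow syntax or template expressions to build its steps needs a real YAML parse.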