dotnet · cheenamalhotra · Jan 24, 2026 · Jan 29, 2026 · Feb 9, 2026 · Feb 9, 2026
@@ -0,0 +1,137 @@
+#################################################################################
+# Licensed to the .NET Foundation under one or more agreements.                 #
+# The .NET Foundation licenses this file to you under the MIT license.          #
+# See the LICENSE file in the project root for more information.                #
+#################################################################################
+
+name: $(Year:YY)$(DayOfYear)$(Rev:.r)
+
+parameters:
+    - name:  buildConfiguration
+      displayName: 'Build configuration'
+      type: 'string'
+      values:
+          - 'Release'
+          - 'Debug'
+      default: 'Release'
+
+    - name: publishSymbols
+      displayName: 'Publish symbols'
+      type: 'boolean'
+      default: false
+
+    - name: runSdlTasks
+      displayName: 'Run SDL Tasks'
+      type: 'boolean'
+      default: true
+
+variables:
+    - template: /eng/pipelines/variables/common-variables.yml@self
+    - template: /eng/pipelines/variables/onebranch-variables.yml@self
+    - template: /eng/pipelines/variables/esrp-signing-variables.yml@self
+    - template: /eng/pipelines/variables/akv-official-variables.yml@self
+
+resources:
+    repositories:
+        - repository: templates
+          type: 'git'
+          name: 'OneBranch.Pipelines/GovernedTemplates'
+          ref: 'refs/heads/main'
+
+extends:
+    template: 'v2/OneBranch.NonOfficial.CrossPlat.yml@templates'
+
+    parameters:
+        featureFlags:
+            WindowsHostVersion:
+                Version: '2022'
+
+        globalSdl:
+            # See https://aka.ms/obpipelines/sdl
+
+            apiscan:
+                enabled: ${{ parameters.runSdlTasks }}
+                softwareFolder: '${{ variables.apiScanDllPath }}'
+                softwareName: 'Microsoft.Data.SqlClient' # Note: This name is registered with ApiScan
+                softwareVersionNum: '${{ variables.assemblyFileVersion }}'
+                symbolsFolder: '${{ variables.apiScanPdbPath }}'
+
+            armory:
+                enabled: ${{ parameters.runSdlTasks }}
+                break: true
+
+            asyncSdl:
+                # If this should be enabled, move supported tools under this item,
+                # see https://aka.ms/obpipelines/asyncsdl
+                enabled: false
+
+            binskim:
+                enabled: ${{ parameters.runSdlTasks }}
+                break: true
+
+            codeinspector:
+                enabled: ${{ parameters.runSdlTasks }}
+                logLevel: Error
+
+            codeql:
+                enabled: ${{ parameters.runSdlTasks }}
+                sourceRoot: '$(REPO_ROOT)/src/Microsoft.Data.SqlClient/add-ons/AzureKeyVaultProvider'
+                # Note, this can only be done if project doesn't depend on other projects. In
+                #    package reference mode, this is true, but if we ever enable project reference
+                #    builds, this will have to be removed.
+
+            credscan:
+                enabled: ${{ parameters.runSdlTasks }}
+                suppressionsFile: '$(REPO_ROOT)/.config/CredScanSuppressions.json'
+
+            eslint:
+                enabled: false
+
+            policheck:
+                enabled: ${{ parameters.runSdlTasks }}
+                break: true
+                exclusionFile: '$(REPO_ROOT)/.config/PolicheckExclusions.xml'
+
+            roslyn:
+                enabled: ${{ parameters.runSdlTasks }}
+                break: true
+                # Requires RoslynAnalyzers task to be added after build task
+
+            publishLogs:
+                enabled: ${{ parameters.runSdlTasks }}
+
+            sbom:
+                enabled: ${{ parameters.runSdlTasks }}
+                packageName: 'Microsoft.Data.SqlClient.AlwaysEncrypted.AzureKeyVaultProvider'
+                packageVersion: ${{ variables.nugetPackageVersion }}
+
+            tsa:
+                # OneBranch publishes all sdl results to TSA. If TSA is disabled all SDL tools will
+                # be forced into 'break' build mode.
+                enabled: true
+                configFile: '$(REPO_ROOT)/.config/tsaoptions.json'
+
+        stages:
+            - stage: BuildAkv
+              displayName: 'Build AKV'
+              jobs:
+                  - template: /eng/pipelines/jobs/build-akv-official-job.yml@self
+                    parameters:
+                        apiScanDllPath: '${{ variables.apiScanDllPath }}'
+                        apiScanPdbPath: '${{ variables.apiScanPdbPath }}'
+                        assemblyFileVersion: '${{ variables.assemblyFileVersion }}'
+                        buildConfiguration: '${{ parameters.buildConfiguration }}'
+                        nugetPackageVersion: '${{ variables.nugetPackageVersion }}'
+                        mdsPackageVersion: '${{ variables.mdsPackageVersion }}'
+                        publishSymbols: '${{ parameters.publishSymbols }}'
+                        signingAppRegistrationClientId: '$(SigningAppRegistrationClientId)'
+                        signingAppRegistrationTenantId: '$(SigningAppRegistrationTenantId)'
+                        signingAuthAkvName: '$(SigningAuthAkvName)'
+                        signingAuthSignCertName: '$(SigningAuthSignCertName)'
+                        signingEsrpClientId: '$(SigningEsrpClientId)'
+                        signingEsrpConnectedServiceName: '$(SigningEsrpConnectedServiceName)'
+                        symbolsAzureSubscription: '$(SymbolsAzureSubscription)'
+                        symbolsPublishProjectName: '$(SymbolsPublishProjectName)'
+                        symbolsPublishServer: '$(SymbolsPublishServer)'
+                        symbolsPublishTokenUri: '$(SymbolsPublishTokenUri)'
+                        symbolsUploadAccount: '$(SymbolsUploadAccount)'
@@ -9,14 +9,6 @@ name: $(Year:YY)$(DayOfYear)$(Rev:.r)
 # @TODO: Add triggers and schedules
 
 parameters:
-    - name: oneBranchType
-      displayName: 'OneBranch template'
-      type: 'string'
-      values:
-          - 'Official'
-          - 'NonOfficial'
-      default: 'Official'
-
     - name: buildConfiguration
       displayName: 'Build configuration'
       type: 'string'
@@ -49,8 +41,8 @@ resources:
           ref: 'refs/heads/main'
 
 extends:
-    template: /v2/OneBranch.${{ parameters.oneBranchType }}.CrossPlat.yml@templates
-
+    template: 'v2/OneBranch.Official.CrossPlat.yml@templates'
+    
     parameters:
         featureFlags:
             WindowsHostVersion:
@@ -118,7 +110,7 @@ extends:
             tsa:
                 # OneBranch publishes all sdl results to TSA. If TSA is disabled all SDL tools will
                 # be forced into 'break' build mode.
-                enabled: ${{ eq(parameters.oneBranchType, 'Official') }}
+                enabled: true
                 configFile: '$(REPO_ROOT)/.config/tsaoptions.json'
 
         stages:

@@ -0,0 +1,151 @@
+#################################################################################
+# Licensed to the .NET Foundation under one or more agreements.                 #
+# The .NET Foundation licenses this file to you under the MIT license.          #
+# See the LICENSE file in the project root for more information.                #
+#################################################################################
+
+name: $(Year:YY)$(DayOfYear)$(Rev:.r)
+trigger:
+  branches:
+    include:
+    - internal/main
+  paths:
+    include:
+    - .azuredevops
+    - .config
+    - doc
+    - eng/pipelines
+    - src
+    - tools
+    - azurepipelines-coverage.yml
+    - build.proj
+    - NuGet.config
+
+parameters: # parameters are shown up in ADO UI in a build queue time
+- name: 'debug'
+  displayName: 'Enable debug output'
+  type: boolean
+  default: false
+
+- name: publishSymbols
+  displayName: 'Publish symbols'
+  type: boolean
+  default: false
+
+- name: CurrentNetFxVersion
+  displayName: 'Lowest supported .NET Framework version (MDS validation)'
+  type: string
+  default: 'net462'
+
+- name: isPreview
+  displayName: 'Is this a preview build?'
+  type: boolean
+  default: false
+
+# The timeout, in minutes, for each test job.
+- name: testJobTimeout
+  displayName: 'Test job timeout (in minutes)'
+  type: number
+  default: 60
+
+variables:
+  - template: /eng/pipelines/libraries/variables.yml@self
+  - name: packageFolderName
+    value: drop_buildMDS_build_signed_package
+  - name: PublishSymbols
+    value: ${{ parameters['publishSymbols'] }}
+  - name: CurrentNetFxVersion
+    value: ${{ parameters['CurrentNetFxVersion'] }}
+
+resources:
+  repositories: 
+    - repository: templates
+      type: git
+      name: OneBranch.Pipelines/GovernedTemplates
+      ref: refs/heads/main
+
+extends:
+  template: v2/OneBranch.NonOfficial.CrossPlat.yml@templates # https://aka.ms/obpipelines/templates
+  parameters:
+    featureFlags:
+      # Suggested by MerlinBot (https://sqlclientdrivers.visualstudio.com/ADO.Net/_git/dotnet-sqlclient/pullrequest/4882)
+      EnableCDPxPAT: false
+      WindowsHostVersion: 1ESWindows2022
+    globalSdl: # https://aka.ms/obpipelines/sdl
+      tsa:
+        # The OneBranch template will set 'break' to false for the other SDL
+        # tools when TSA is enabled.  This allows TSA to gather the results
+        # and publish them for downstream analysis.
+        enabled: true
+      apiscan:
+        enabled: true
+        softwareFolder: $(softwareFolder)
+        symbolsFolder: $(symbolsFolder)
+        softwarename: Microsoft.Data.SqlClient
+        versionNumber: $(AssemblyFileVersion)
+      codeql:
+        compiled:
+        enabled: ${{ not(parameters['isPreview']) }}
+      sbom:
+        enabled: ${{ not(parameters['isPreview']) }}
+        packageName: Microsoft.Data.SqlClient
+        packageVersion: $(NugetPackageVersion)
+      policheck:
+        enabled: ${{ not(parameters['isPreview']) }}
+        break: true # always break the build on policheck issues. You can disable it by setting to 'false'
+        exclusionsFile: $(REPOROOT)\.config\PolicheckExclusions.xml
+      asyncSdl:
+        enabled: false        
+        credscan:
+          enabled: ${{ not(parameters['isPreview']) }}
+          suppressionsFile: $(REPOROOT)/.config/CredScanSuppressions.json
+        binskim:
+          enabled: ${{ not(parameters['isPreview']) }}
+        armory:
+          enabled: ${{ not(parameters['isPreview']) }}
+          break: true
+        eslint: # TypeScript and JavaScript
+          enabled: false
+        roslyn:
+          enabled: ${{ not(parameters['isPreview']) }}
+          break: true
+        publishLogs:
+          enabled: ${{ not(parameters['isPreview']) }}
+        tsaOptionsPath: $(REPOROOT)\.config\tsaoptions.json
+        disableLegacyManifest: true
+    stages:
+    - stage: buildMDS
+      displayName: 'Build MDS'
+      jobs:
+      - template: eng/pipelines/common/templates/jobs/build-signed-package-job.yml@self
+        parameters:
+          symbolsFolder: $(symbolsFolder)
+          softwareFolder: $(softwareFolder)
+          publishSymbols: ${{ parameters['publishSymbols'] }}
+          isPreview: ${{ parameters['isPreview'] }}
+
+    - stage: mds_package_validation
+      displayName: 'MDS Package Validation'
+      dependsOn: buildMDS
+      jobs:
+      - template: eng/pipelines/common/templates/jobs/validate-signed-package-job.yml@self
+        parameters:
+          packageFolderName: $(packageFolderName)
+          isPreview: ${{ parameters['isPreview'] }}
+          downloadPackageStep:
+            download: current
+            artifact: $(packageFolderName)
+            patterns: '**/*.*nupkg'
+            displayName: 'Download NuGet Package'
+
+# Disabling as of 10/15/2025 due to OneBranch apparently disallowing MSBuild tasks in validation stages.
+#      - template: eng/pipelines/common/templates/jobs/run-tests-package-reference-job.yml@self
+#        parameters:
+#          packageFolderName: $(packageFolderName)
+#          isPreview: ${{ parameters['isPreview'] }}
+#          timeout: ${{ parameters.testJobTimeout }}
+#          downloadPackageStep:
+#            download: current
+#            artifact: $(packageFolderName)
+#            patterns: '**/*.nupkg'
+#            displayName: 'Download NuGet Package'
@@ -54,13 +54,6 @@ parameters: # parameters are shown up in ADO UI in a build queue time
   type: string
   default: 'net462'
 
-- name: oneBranchType
-  displayName: 'Select OneBranch template'
-  default: Official
-  values:
-  - NonOfficial
-  - Official
-
 - name: isPreview
   displayName: 'Is this a preview build?'
   type: boolean
@@ -89,7 +82,7 @@ resources:
       ref: refs/heads/main
 
 extends:
-  template: /v2/OneBranch.${{parameters.oneBranchType }}.CrossPlat.yml@templates # https://aka.ms/obpipelines/templates
+  template: v2/OneBranch.Official.CrossPlat.yml@templates # https://aka.ms/obpipelines/templates
   parameters:
     featureFlags:
       # Suggested by MerlinBot (https://sqlclientdrivers.visualstudio.com/ADO.Net/_git/dotnet-sqlclient/pullrequest/4882)
@@ -103,11 +96,6 @@ extends:
         enabled: true
       apiscan:
         enabled: true
-        # For non-official builds, the OneBranch template seems to set APIScan's
-        # 'break' to true even when TSA is enabled.  We don't want APIScan to
-        # break non-official builds, so we explicitly set 'break' to false here.
-        ${{ if ne(parameters.oneBranchType, 'Official') }}:
-          break: false
         softwareFolder: $(softwareFolder)
         symbolsFolder: $(symbolsFolder)
         softwarename: Microsoft.Data.SqlClient