dotnet · paulmedynski · Jan 26, 2026 · Jan 26, 2026 · Jan 26, 2026 · Jan 27, 2026
@@ -12,10 +12,19 @@
 name: "CodeQL Advanced"
 
 on:
+  # Scan on pushes to main only.
   push:
-    branches: [ "main", "feat/*", "dev/**/*" ]
+    branches:
+      - main
+
+  # Scan on PRs that target matching branches.
   pull_request:
-    branches: [ "main", "feat/*", "dev/**/*" ]
+    branches:
+      - main
+      - feat/**
+      - dev/**
+
+  # Scan weekly on Saturdays at 23:33 UTC
   schedule:
     - cron: '33 23 * * 6'
 

@@ -87,7 +87,6 @@
   <!-- MDS Dependencies -->
 
   <ItemGroup>
-    <PackageVersion Include="Azure.Identity" Version="1.17.0" />
     <PackageVersion Include="Microsoft.Data.SqlClient.SNI" Version="6.0.2" />
     <PackageVersion Include="Microsoft.Data.SqlClient.SNI.runtime" Version="6.0.2" />
     <PackageVersion Include="Microsoft.IdentityModel.JsonWebTokens" Version="8.14.0" />
@@ -116,7 +115,9 @@
   <!-- ===================================================================== -->
   <!-- Azure Dependencies -->
 
-  <!-- None -->
+  <ItemGroup>
+    <PackageVersion Include="Azure.Identity" Version="1.17.0" />
+  </ItemGroup>
 
   <!-- ===================================================================== -->
   <!-- AKV Dependencies -->

@@ -36,9 +36,11 @@ jobs:
   - script: SET
     displayName: 'Print Environment Variables'
 
-  - powershell: |
+  - pwsh: |
       Write-Host "##vso[task.setvariable variable=CDP_BUILD_TYPE_COPY;isOutput=true]$($env:CDP_BUILD_TYPE)"
+    # This variable is used far away in validate-signed-packages-job.yml.
     name: GetBuildType
+    displayName: Get Build Type
 
   # Install the .NET SDK.
   - template: /eng/pipelines/steps/install-dotnet.yml@self

@@ -4,14 +4,9 @@
 # See the LICENSE file in the project root for more information.                #
 #################################################################################
 parameters:
-  - name: downloadPackageStep
-    type: step
-    default:
-      script: echo <empty step>
 
-  - name: dependsOn
+  - name: artifactName
     type: string
-    default: empty
 
   - name: isPreview
     type: boolean
@@ -21,10 +16,9 @@ parameters:
     type: number
 
 jobs:
+
 - job: run_tests_package_reference
   displayName: 'Run tests with package reference'
-  ${{ if ne(parameters.dependsOn, 'empty')}}:
-    dependsOn: '${{parameters.dependsOn }}'
 
   # Some of our tests take longer than the default 60 minutes to run on some
   # OSes and configurations.
@@ -42,7 +36,10 @@ jobs:
   steps:
   - template: /eng/pipelines/common/templates/steps/pre-build-step.yml
 
-  - ${{parameters.downloadPackageStep }}
+  - download: current
+    artifact: ${{parameters.artifactName}}
+    patterns: '**/*.*nupkg'
+    displayName: 'Download NuGet Package'
 
   - template: /eng/pipelines/common/templates/steps/update-config-file-step.yml
     parameters:
@@ -52,7 +49,7 @@ jobs:
 
   - template: /eng/pipelines/common/templates/steps/prepare-test-db-step.yml
 
-# build & test
+  # build & test
   - template: /eng/pipelines/common/templates/steps/build-and-run-tests-netfx-step.yml
     parameters:
       ${{ if parameters.isPreview }}:

@@ -4,35 +4,17 @@
 # See the LICENSE file in the project root for more information.                #
 #################################################################################
 parameters:
-  - name: downloadPackageStep
-    type: step
-    default:
-      script: echo <empty step>
 
-  - name: packageFolderName
+  - name: artifactName
     type: string
-    default: drop_build_build_signed_package
-
-  - name: dependsOn
-    type: string
-    default: ''
-
-  - name: packageType
-    type: string
-    default: both
-    values:
-    - dll
-    - pdb
-    - both
 
   - name: isPreview
     type: boolean
 
 jobs:
 - job: validate_signed_package
   displayName: 'Verify signed package'
-  ${{ if ne(parameters.dependsOn, '')}}:
-    dependsOn: '${{parameters.dependsOn }}'
+
   pool:
     type: windows  # read more about custom job pool types at https://aka.ms/obpipelines/yaml/jobs
     isCustom: true
@@ -43,9 +25,11 @@ jobs:
   - template: /eng/pipelines/libraries/mds-validation-variables.yml@self
 
   - name: pathToDownloadedNuget # path to the downloaded nuget files
-    value: $(Pipeline.Workspace)\${{parameters.packageFolderName }}
+    value: $(Pipeline.Workspace)\${{parameters.artifactName }}
 
   - name: BuildType
+    # This variable is set in the build-signed-package-job.yml job. Any changes
+    # to the names of the stage, job, or variable must be reflected here.
     value: $[ stageDependencies.buildMDS.build_signed_package.outputs['GetBuildType.CDP_BUILD_TYPE_COPY'] ]
 
   - ${{ if parameters.isPreview }}:
@@ -69,7 +53,10 @@ jobs:
       nuget locals all -Clear
     displayName: 'Clear local cache'
 
-  - ${{parameters.downloadPackageStep }}
+  - download: current
+    artifact: ${{parameters.artifactName}}
+    patterns: '**/*.*nupkg'
+    displayName: 'Download NuGet Package'
 
   - powershell: |
       # Install nuget package
@@ -82,21 +69,12 @@ jobs:
     displayName: 'Extract Nuget in temp folder'
 
   - powershell: |
-      # Artifact is stored in the Nuget folder
-      $packageType = '${{parameters.packageType}}'
-
       Write-Host "--------------------------------------------------"
       Write-Host "This will verify the artifact signature" -ForegroundColor Green
       Write-Host "--------------------------------------------------"
 
-      if ($packageType -eq 'dll' -or $packageType -eq 'both')
-      {
-        nuget verify -All $(pathToDownloadedNuget)\*.nupkg
-      }
-      if ($packageType -eq 'pdb' -or $packageType -eq 'both')
-      {
-        nuget verify -All $(pathToDownloadedNuget)\*.snupkg
-      }
+      nuget verify -All $(pathToDownloadedNuget)\*.nupkg
+      nuget verify -All $(pathToDownloadedNuget)\*.snupkg
     displayName: 'Verify nuget signature'
 
   - powershell: |

@@ -32,7 +32,7 @@ steps:
       msBuildCommandline: >-
         msbuild
         ${{parameters.sourceRoot}}\build.proj
+        -t:BuildAllConfigurations
         -p:configuration=Release
         -p:GenerateNuget=false
         -p:BuildTools=false
-        -p:SigningKeyPath=$(Agent.TempDirectory)\netfxKeypair.snk
@@ -159,21 +159,12 @@ extends:
       jobs:
       - template: /eng/pipelines/common/templates/jobs/validate-signed-package-job.yml@self
         parameters:
-          packageFolderName: $(mdsArtifactName)
+          artifactName: $(mdsArtifactName)
           isPreview: ${{ parameters['isPreview'] }}
-          downloadPackageStep:
-            download: current
-            artifact: $(mdsArtifactName)
-            patterns: '**/*.*nupkg'
-            displayName: 'Download NuGet Package'
 
 # Disabling as of 10/15/2025 due to OneBranch apparently disallowing MSBuild tasks in validation stages.
 #      - template: /eng/pipelines/common/templates/jobs/run-tests-package-reference-job.yml@self
 #        parameters:
+#          artifactName: $(mdsArtifactName)
 #          isPreview: ${{ parameters['isPreview'] }}
 #          timeout: ${{ parameters.testJobTimeout }}
-#          downloadPackageStep:
-#            download: current
-#            artifact: $(mdsArtifactName)
-#            patterns: '**/*.nupkg'
-#            displayName: 'Download NuGet Package'
@@ -89,6 +89,9 @@ jobs:
                 $jsonParams | ConvertFrom-Json | Format-List
             displayName: 'Output Job Parameters'
 
+          # Install the .NET SDK.
+          - template: /eng/pipelines/steps/install-dotnet.yml@self
+
           # Perform analysis before building, since this step will clobber build
           # output.
           - template: /eng/pipelines/steps/roslyn-analyzers-akv-step.yml@self

@@ -273,10 +273,10 @@ jobs:
 
       # List the DLLs in the output directory for debugging purposes.
       - ${{ if eq(parameters.debug, true) }}:
-        - pwsh: >
+        - pwsh: >-
             Get-ChildItem
-              -Path "src/Microsoft.Data.SqlClient.Extensions/Azure/test/bin/${{ parameters.buildConfiguration }}"
-              -Recurse
+            -Path "src/Microsoft.Data.SqlClient.Extensions/Azure/test/bin/${{ parameters.buildConfiguration }}"
+            -Recurse
           displayName: '[Debug] List Output DLLs'
 
       # Run the tests for each .NET runtime.

@@ -30,7 +30,7 @@ pr:
   branches:
     include:
     # GitHub repo branch targets that will trigger PR validation builds.
-    - dev/**/*
+    - dev/*
     - feat/*
     - main
 

@@ -30,7 +30,7 @@ pr:
   branches:
     include:
     # GitHub repo branch targets that will trigger PR validation builds.
-    - dev/**/*
+    - dev/*
     - feat/*
     - main
 

@@ -31,9 +31,6 @@ steps:
         retryCount: 5
         secureFile: 'netfxKeypair.snk'
 
-  # Install the .NET SDK.
-  - template: /eng/pipelines/steps/install-dotnet.yml@self
-
   - task: MSBuild@1
     displayName: 'Build.proj - BuildAkv'
     inputs:
@@ -46,6 +43,6 @@ steps:
             -p:MdsPackageVersion=${{ parameters.mdsPackageVersion }}
             -p:ReferenceType=Package
             -p:SigningKeyPath=$(Agent.TempDirectory)/netfxKeypair.snk
-            
+
   - script: tree /a /f $(BUILD_OUTPUT)
     displayName: Output Build Output Tree
@@ -11,7 +11,7 @@ public abstract class SqlAuthenticationProviderException : Exception
     /// The string value used when the failure code is not known.
     /// </summary>
     private const string Unknown = "Unknown";
-    
+
     /// <include file='../doc/SqlAuthenticationProviderException.xml' path='docs/members[@name="SqlAuthenticationProviderException"]/ctor1/*'/>
     protected SqlAuthenticationProviderException(
         string message,
@@ -37,7 +37,7 @@ protected SqlAuthenticationProviderException(
         Method = method;
         FailureCode = failureCode;
         ShouldRetry = shouldRetry;
-        RetryPeriod = shouldRetry && retryPeriod > 0? retryPeriod : 0;
+        RetryPeriod = (shouldRetry && retryPeriod > 0) ? retryPeriod : 0;
     }
 
     /// <include file='../doc/SqlAuthenticationProviderException.xml' path='docs/members[@name="SqlAuthenticationProviderException"]/Method/*'/>

@@ -358,20 +358,36 @@ previousPw is byte[] previousPwBytes &&
             if (ex is MsalServiceException svcEx &&
                 svcEx.StatusCode == MsalRetryStatusCode)
             {
-                int retryPeriod = 0;
-
                 var retryAfter = svcEx.Headers.RetryAfter;
                 if (retryAfter is not null)
                 {
+                    // Prefer the Delta value over Date.
+                    double totalMilliseconds = 0;
+
                     if (retryAfter.Delta.HasValue)
                     {
-                        retryPeriod = retryAfter.Delta.Value.Milliseconds;
+                        totalMilliseconds = retryAfter.Delta.Value.TotalMilliseconds;
                     }
                     else if (retryAfter.Date.HasValue)
                     {
-                        retryPeriod = Convert.ToInt32(retryAfter.Date.Value.Offset.TotalMilliseconds);
+                        var now = DateTimeOffset.UtcNow;
+                        if (retryAfter.Date.Value > now)
+                        {
+                            totalMilliseconds = (retryAfter.Date.Value - now).TotalMilliseconds;
+                        }
                     }
 
+                    int retryPeriod =
+                        // Ignore nonsensical values.
+                        totalMilliseconds <= 0
+                        ? 0
+                        // Avoid overflow when converting to an int.
+                        : totalMilliseconds > int.MaxValue
+                            ? int.MaxValue
+                            // Convert from double to int safely.
+                            : Convert.ToInt32(totalMilliseconds);
+
+                    // Report the retryable error.
                     throw new Extensions.Azure.AuthenticationException(
                         parameters.AuthenticationMethod,
                         ex.ErrorCode,

@@ -95,6 +95,7 @@
   </ItemGroup>
 
   <ItemGroup>
+    <PackageReference Include="Azure.Core" />
     <PackageReference Include="Azure.Identity" />
     <PackageReference Include="Microsoft.Extensions.Caching.Memory" />
   </ItemGroup>

@@ -3,11 +3,16 @@
 // See the LICENSE file in the project root for more information.
 
 /// <summary>
-/// Adds the missing IsEmpty() method to string that doesn't waste time on null checks like
-/// String.IsNullOrEmpty() does, and has a nice shorter name.
+/// String extensions used by our tests.
 /// </summary>
 internal static class StringExtensions
 {
+    /// <summary>
+    /// Adds the IsEmpty() method to string that doesn't waste time on null checks
+    /// like String.IsNullOrEmpty() does, and has a nice short name.
+    /// </summary>
+    /// <param name="str">The string to check; must not be null.</param>
+    /// <returns>True if the string is empty, false otherwise.</returns>
     internal static bool IsEmpty(this string str)
     {
         return str.Length == 0;