Merge branch 'main' into darc-main-476ee6a5-de68-485b-811e-e4d207ff5a3e

Author: mthalman

.config/dotnet-tools.json

@@ -3,11 +3,11 @@
   "isRoot": true,
   "tools": {
     "microsoft.dnceng.secretmanager": {
-      "version": "1.1.0-beta.25609.1",
+      "version": "1.1.0-beta.26118.1",
       "commands": [
         "secret-manager"
       ],
       "rollForward": false
     }
   }
-}
+}

.gitattributes

@@ -0,0 +1 @@
+*.json linguist-language=JSONC

.github/instructions/csharp.instructions.md

@@ -0,0 +1,59 @@
+---
+applyTo: "**/*.cs"
+---
+
+# C#/.NET Guidelines
+
+## Coding style
+
+For all new C# code:
+
+- Use file-scoped namespaces.
+- Use collection expresions - write `[1, 2, 3]` and not `new List<int> { 1, 2, 3 }`.
+- Use `var` for local variable declarations.
+- Use switch expressions and pattern matching.
+- Use string interpolation (`$"Hello, {name}!"`) instead of `string.Format` or concatenation.
+- Use `"""triple-quoted strings"""` for multi-line string literals. These can be interpolated as well.
+- Use expression-bodied members for simple getters and setters.
+
+## Code Design Rules
+
+- Use immutable records instead of classes for DTOs.
+- Do not default to `public` accessibility for members and classes. Follow the least-exposure rule: `private` > `internal` > `protected` > `public`
+- Do not add unused methods/parameters for use cases that were not asked for.
+- Reuse existing methods or services as much as possible.
+- Use composition over inheritance.
+- Use LINQ instead of for loops when working with collections.
+
+## Error Handling & Edge Cases
+
+- Guard early; use `string.IsNullOrWhiteSpace`, `ArgumentNullException.ThrowIfNull`, or `ArgumentNullException.ThrowIfNullOrWhiteSpace`.
+- Avoid using null for control flow.
+- In methods that return collections, return empty collections instead of null.
+- The null-forgiving operator (`!`) is **always** a code smell.
+- Do not add excessive or unnecessary try/catch blocks within the same assembly.
+
+## Async Best Practices
+
+- All async methods must have names ending with `Async`.
+- Always await async methods - do not "fire and forget".
+- Always accept and pass along a `CancellationToken` in async code.
+- Don’t add `async/await` if you can simply return a Task directly.
+
+## Testing
+
+- Use Shouldly when writing new assertions.
+- Use clear assertions that verify the outcome expressed by the test name.
+- Tests should be able to run in any order or in parallel.
+- Use or add helper methods for constructing mocks and complex test data objects.
+- Avoid disk I/O if possible; use in-memory alternatives or mocks.
+- Do not add "Arrange-Act-Assert" comments.
+
+## Comments
+
+- Add XML documentation comments for new **public** or **internal** types and members.
+- Primary documentation belongs on interfaces, implementations should use `<inheritdoc/>` unless additional context is needed.
+- Comments that simply restate the member or parameter name do not provide value.
+- Comments should provide additional context or explain non-obvious behavior, especially for parameters.
+- Comments inside methods should explain "why," not "what".
+- Avoid redundant comments that restate the code - not all code needs comments.

.gitignore

@@ -26,6 +26,7 @@ msbuild.wrn
 
 # .NET and tools directories
 .dotnet/
+.nuget/
 .packages/
 .tools/
 

AGENTS.md

@@ -0,0 +1,127 @@
+# AGENTS.md
+
+This file provides guidance to coding agents when working with code in this repository.
+
+## Overview
+
+This repository contains tooling for building and publishing Docker images in various .NET repos.
+The primary tool is **ImageBuilder**, a .NET CLI application that orchestrates Docker image builds based on manifest metadata files.
+
+## Project Structure
+
+This repo contains several projects:
+
+- **`src/ImageBuilder/`** - The main ImageBuilder CLI tool (executable)
+- **`src/ImageBuilder.Models/`** - Shared model definitions for manifest files and image metadata
+- **`src/ImageBuilder.Tests/`** - Unit tests using xUnit, Moq, and Shouldly
+- **`eng/src/file-pusher/`** - Utility for pushing files to storage
+- **`eng/src/yaml-updater/`** - Utility for updating YAML files
+
+## Building and Testing
+
+- To build all projects, run `dotnet build`.
+- To run tests, run `dotnet test`.
+- If you run into permission issues during builds relating to copying `.dll` files, run `dotnet clean` and/or `build.sh -clean` and then build again.
+
+### Build ImageBuilder Container Image
+
+See [src/README.md](src/README.md) for instructions on building single-platform and multi-arch ImageBuilder container images locally.
+
+## ImageBuilder Architecture
+
+ImageBuilder is a command-based CLI tool that operates on manifest files.
+The manifest file (`manifest.json`) is the primary metadata source that defines which Docker images to build, their tags, platforms, and dependencies.
+
+### Key Components
+
+- **Commands** (`src/ImageBuilder/Commands/`) - Each command implements a specific operation (build, publish, generateBuildMatrix, etc.). Commands inherit from `Command<TOptions>` and use System.CommandLine for argument parsing.
+- **Models** (`src/ImageBuilder.Models/Manifest/`) - Defines the manifest schema and image metadata structures
+- **Services** - Abstracted services for Docker operations, Azure Container Registry interactions, Git operations, etc.
+
+### Running ImageBuilder Locally
+
+For quick validation during local development, use `dotnet run`:
+
+```bash
+dotnet run --project src/ImageBuilder -- --help
+```
+
+## `eng/docker-tools` Infrastructure
+
+The `eng/docker-tools/` directory contains shared PowerShell scripts and Azure Pipelines templates used across all .NET Docker repositories.
+This repository is the source of truth for these files - changes made here are automatically synchronized to consuming repositories.
+
+For comprehensive documentation on the docker-tools infrastructure, pipeline architecture, image building workflows, and troubleshooting, see [eng/docker-tools/DEV-GUIDE.md](eng/docker-tools/DEV-GUIDE.md).
+
+## ImageBuilder Build and Deployment Workflow
+
+ImageBuilder is published as a container image to the Microsoft Artifact Registry (MAR) at `mcr.microsoft.com/dotnet-buildtools/image-builder`.
+The ImageBuilder container image is defined in `src/manifest.json`.
+It is built from Dockerfiles `src/Dockerfile.linux` and `src/Dockerfile.windows`.
+
+ImageBuilder uses itself to build its own container image.
+This means changes to ImageBuilder code and pipeline templates must be coordinated carefully in a two-step process.
+The version of ImageBuilder used by pipelines is specified in `eng/docker-tools/templates/variables/docker-images.yml` (`imageNames.imageBuilder` variable).
+
+### Two-Step Change Process
+
+When making changes that affect both ImageBuilder code and pipeline behavior:
+
+1. **Step 1: Update ImageBuilder code**
+   - Make code changes to ImageBuilder source
+   - Test locally using `dotnet run --project src/ImageBuilder`
+   - Propose changes in a pull request and wait for it to be merged and for CI to run.
+   - A pull request will automatically be created that updates `docker-images.yml` with the new ImageBuilder tag.
+2. **Step 2: Update pipeline/manifest to use new ImageBuilder**
+   - Once the new ImageBuilder image is published, pipeline templates in `eng/docker-tools/` can reference new features/commands
+   - Consuming repositories will get the updated pipeline templates AND the new ImageBuilder image
+
+### Why This Matters
+
+- **Pipeline templates** in `eng/docker-tools/templates/` invoke ImageBuilder commands
+- These templates run using a specific version/tag of the ImageBuilder container image
+- If you add a new ImageBuilder command or change command behavior, pipelines can't use it until a new ImageBuilder image is published
+- This means code changes and pipeline template changes that depend on them must be done in separate steps
+
+### Bootstrap Option for Development
+
+To test ImageBuilder code changes and pipeline template changes together without waiting for the two-step process, use the `bootstrapImageBuilder` parameter in the unofficial pipeline (`eng/pipelines/dotnet-buildtools-image-builder-unofficial.yml`).
+
+When `bootstrapImageBuilder: true`:
+
+- ImageBuilder is built from source at the start of every pipeline job
+- The pipeline uses the freshly-built ImageBuilder instead of pulling from MCR
+- This allows validating ImageBuilder changes and pipeline template changes in a single pipeline run
+
+Once changes are validated together via the bootstrap process, then changes can be proposed via the normal two-step change process described above.
+
+## Key File Formats
+
+### manifest.json (Input)
+
+Manifest files define metadata about which Docker images ImageBuilder will build. The schema is defined by the `Manifest` model in `src/ImageBuilder.Models/Manifest/Manifest.cs`. For detailed documentation, see [documentation/manifest-file.md](documentation/manifest-file.md).
+
+### image-info.json (Output)
+
+Image info files are ImageBuilder's output that describe which images were built.
+The schema is defined by the `ImageArtifactDetails` model in `src/ImageBuilder.Models/Image/ImageArtifactDetails.cs`.
+These files contain:
+
+- Image digests for each built platform
+- Tags applied to each image
+- Dockerfile paths and commit information
+- Build timestamps
+
+Image info files are used by subsequent pipeline stages and are published to the versions repository to track what was built.
+See [eng/docker-tools/DEV-GUIDE.md](eng/docker-tools/DEV-GUIDE.md) for more details on how image info flows through pipelines.
+
+## Documentation Maintenance
+
+When making changes to ImageBuilder, pipeline templates, or infrastructure:
+
+- Update [eng/docker-tools/DEV-GUIDE.md](eng/docker-tools/DEV-GUIDE.md) if you change pipeline architecture, workflows, or add new capabilities
+- Update [src/README.md](src/README.md) if you change how ImageBuilder container images are built
+- Update [documentation/manifest-file.md](documentation/manifest-file.md) if you modify the manifest schema
+- Update this file (AGENTS.md) if you add projects, change fundamental workflows, or modify architecture that affects how developers work with the codebase
+
+Keep documentation synchronized with code changes so future developers have accurate guidance.

Directory.Build.props

@@ -5,6 +5,7 @@
   <PropertyGroup Label="Build Settings">
     <LangVersion>latest</LangVersion>
     <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
+    <Nullable>enable</Nullable>
   </PropertyGroup>
 
   <PropertyGroup Label="Packaging Settings">

documentation/images/request-signing-approval.png

@@ -0,0 +1,63 @@
+# Container Image Signing
+
+Container image signing uses ESRP via the MicroBuild signing plugin to sign Docker images with [Notary v2](https://notaryproject.dev/) signatures. When enabled, a Sign stage runs after images are built and before they are published.
+
+## How To Enable Image Signing
+
+### 1. Request Signing Approval
+
+Request signing approval for your image publishing pipeline in the Azure DevOps GUI:
+
+<img src="images/request-signing-approval.png" width="200">
+
+Follow the instructions in the approval request form.
+
+### 2. Enable Signing in Publish Configuration
+
+Signing is controlled by the `Signing` property of ImageBuilder's `PublishConfiguration`. It can be
+configured in two different ways:
+
+#### For .NET Repos
+
+Pass the `enableSigning: true` parameter to `publish-config-prod.yml` or `publish-config-nonprod.yml`:
+
+```yaml
+- template: /eng/docker-tools/templates/stages/dotnet/publish-config-prod.yml@self
+  parameters:
+    enableSigning: true
+    # ... other parameters ...
+```
+
+#### For Other Repos
+
+If your pipeline constructs its own `publishConfig` object, add the `Signing` section to the configuration.
+The `Signing` property maps to the [`SigningConfiguration`](../src/ImageBuilder/Configuration/SigningConfiguration.cs) model.
+
+```yaml
+publishConfig:
+  # ... existing publish configuration ...
+  Signing:
+    Enabled: true
+    # Get the appropriate ESRP signing keycode from the CSSC documentation:
+    #   https://aka.ms/cssc
+    # Then look up the corresponding MicroBuild keycode in MicroBuild's source code:
+    #   https://devdiv.visualstudio.com/Engineering/_git/Sign?version=GBmain&path=/src/CertificateMappings.xml
+    # These parameters refer to the MicroBuild signing keycode.
+    ImageSigningKeyCode: 1234
+    ReferrerSigningKeyCode: 5678
+    # Important distinction: "test" signing is not supported on Linux (MicroBuild limitation).
+    # For testing, use "real" signing with a testing certificate (from the CSSC documentation).
+    SignType: real
+    # Selects which set of root certificates to use when verifying signatures.
+    # The Notation trust store configurations and certificates are baked into the ImageBuilder image.
+    # Reference src/notation-trust/policies/ for available configurations.
+    TrustStoreName: supplychain
+```
+
+Additionally, the following variables must be available at pipeline run-time:
+
+- `TeamName` - Team name registered with MicroBuild for signing.
+- `MicroBuildFeedSource` - NuGet feed source for the MicroBuild signing plugin.
+- `MicroBuildPluginVersion` - Use `latest` unless testing a pre-release version of the signing plugin.
+
+See examples of these in [`variables/dotnet/common.yml`](../eng/docker-tools/templates/variables/dotnet/common.yml).

documentation/signing.md

@@ -5,7 +5,7 @@
   <PropertyGroup>
     <!-- Follow https://semver.org/spec/v2.0.0.html -->
     <MajorVersion>0</MajorVersion>
-    <MinorVersion>1</MinorVersion>
+    <MinorVersion>2</MinorVersion>
     <PatchVersion>0</PatchVersion>
     <VersionPrefix>$(MajorVersion).$(MinorVersion).$(PatchVersion)</VersionPrefix>
     <PreReleaseVersionLabel>beta</PreReleaseVersionLabel>

eng/Versions.props

@@ -0,0 +1,86 @@
+# Docker Tools / ImageBuilder Changelog
+
+All breaking changes and new features in `eng/docker-tools` will be documented in this file.
+
+---
+
+## 2026-03-04: Pre-build validation gated by `preBuildTestScriptPath` variable
+
+The `PreBuildValidation` job condition now checks the new `preBuildTestScriptPath` variable instead of `testScriptPath`.
+This allows repos to independently control whether pre-build validation runs, without affecting functional tests.
+
+The new variable defaults to `$(testScriptPath)`, so existing repos that have pre-build tests are not affected.
+Repos that do not have pre-build tests can set `preBuildTestScriptPath` to `""` to skip the job entirely.
+
+---
+
+## 2026-02-19: Separate Registry Endpoints from Authentication
+
+- Pull request: [#1945](https://github.com/dotnet/docker-tools/pull/1945)
+- Issue: [#1914](https://github.com/dotnet/docker-tools/issues/1914)
+
+Authentication details (`serviceConnection`, `resourceGroup`, `subscription`) have been moved from individual registry endpoints into a centralized `RegistryAuthentication` list.
+This fixes an issue where ACR authentication could fail when multiple service connections existed for the same registry.
+
+**Before:** Each registry endpoint embedded its own authentication:
+
+```yaml
+publishConfig:
+  BuildRegistry:
+    server: $(acr.server)
+    repoPrefix: "my-prefix/"
+    resourceGroup: $(resourceGroup)
+    subscription: $(subscription)
+    serviceConnection:
+      name: $(serviceConnectionName)
+      id: $(serviceConnection.id)
+      clientId: $(serviceConnection.clientId)
+      tenantId: $(tenant)
+  PublishRegistry:
+    server: $(acr.server)
+    repoPrefix: "publish/"
+    resourceGroup: $(resourceGroup)
+    subscription: $(subscription)
+    serviceConnection:
+      name: $(publishServiceConnectionName)
+      id: $(publishServiceConnection.id)
+      clientId: $(publishServiceConnection.clientId)
+      tenantId: $(tenant)
+```
+
+**After:** Registry endpoints only contain `server` and `repoPrefix`. Authentication is centralized:
+
+```yaml
+publishConfig:
+  BuildRegistry:
+    server: $(acr.server)
+    repoPrefix: "my-prefix/"
+  PublishRegistry:
+    server: $(acr.server)
+    repoPrefix: "publish/"
+  RegistryAuthentication:
+    - server: $(acr.server)
+      resourceGroup: $(resourceGroup)
+      subscription: $(subscription)
+      serviceConnection:
+        name: $(serviceConnectionName)
+        id: $(serviceConnection.id)
+        clientId: $(serviceConnection.clientId)
+        tenantId: $(tenant)
+```
+
+How to update:
+- Update any publishConfig parameters to match the new structure.
+    - Multiple registries can share authentication. If two registries use the same ACR server, only one entry is needed in `RegistryAuthentication`.
+    - The new structure should match [ImageBuilder's Configuration Model](https://github.com/dotnet/docker-tools/tree/a82572386854f15af441c50c6efa698a627e9f2b/src/ImageBuilder/Configuration).
+- Update service connection setup (if using `setup-service-connections.yml`):
+   - The template now supports looking up service connections from `publishConfig.RegistryAuthentication`
+   - Use the new `usesRegistries` parameter to specify which registries need auth setup:
+     ```yaml
+     - template: eng/docker-tools/templates/stages/setup-service-connections.yml
+       parameters:
+         publishConfig: ${{ variables.publishConfig }}
+         usesRegistries:
+           - $(buildRegistry.server)
+           - $(publishRegistry.server)
+     ```