PowerShell · adityapatwardhan · Apr 3, 2026 · Mar 24, 2026 · Copilot · Apr 2, 2026
diff --git a/.github/agents/SplitADOPipelines.agent.md b/.github/agents/SplitADOPipelines.agent.md
@@ -0,0 +1,164 @@
+---
+name: SplitADOPipelines
+description: This agent will implement and restructure the repository's existing ADO pipelines into Official and NonOfficial pipelines.
+tools: ['vscode', 'execute', 'read', 'agent', 'edit', 'search', 'todo']
+---
+
+This agent will implement and restructure the repository's existing ADO pipelines into Official and NonOfficial pipelines. 
+
+A repository will have under the ./pipelines directory a series of yaml files that define the ADO pipelines for the repository.
+
+First confirm if the pipelines are using a toggle switch for Official and NonOfficial. This will look something like this
+
+```yaml
+parameters:
+  - name: templateFile
+    value: ${{ iif ( parameters.OfficialBuild, 'v2/OneBranch.Official.CrossPlat.yml@onebranchTemplates', 'v2/OneBranch.NonOfficial.CrossPlat.yml@onebranchTemplates' ) }}
+```
+
+Followed by:
+
+```yaml
+extends:
+  template: ${{ variables.templateFile }}
+```
+
+This is an indicator that this work needs to be done. This toggle switch is no longer allowed and the templates need to be hard coded.
+
+## Refactoring Steps
+
+### Step 1: Extract Shared Templates
+
+For each pipeline file that uses the toggle switch pattern (e.g., `PowerShell-Packages.yml`):
+
+1. Create a `./pipelines/templates` directory if it doesn't exist
+2. Extract the **variables section** into `./pipelines/templates/PowerShell-Packages-Variables.yml`
+3. Extract the **stages section** into `./pipelines/templates/PowerShell-Packages-Stages.yml`
+
+**IMPORTANT**: Only extract the `variables:` and `stages:` sections. All other sections (parameters, resources, extends, etc.) remain in the pipeline files.
+
+### Step 2: Create Official Pipeline (In-Place Refactoring)
+
+The original toggle-based file becomes the Official pipeline:
+
+1. **Keep the file in its original location** (e.g., `./pipelines/PowerShell-Packages.yml` stays where it is)
+2. Remove the toggle switch parameter (`templateFile` parameter)
+3. Hard-code the Official template reference:
+   ```yaml
+   extends:
+     template: v2/OneBranch.Official.CrossPlat.yml@onebranchTemplates
+   ```
+4. Replace the `variables:` section with a template reference:
+   ```yaml
+   variables:
+     - template: templates/PowerShell-Packages-Variables.yml
+   ```
+5. Replace the `stages:` section with a template reference:
+   ```yaml
+   stages:
+     - template: templates/PowerShell-Packages-Stages.yml
+   ```
+
+### Step 3: Create NonOfficial Pipeline
+
+1. Create `./pipelines/NonOfficial` directory if it doesn't exist
+2. Create the NonOfficial pipeline file (e.g., `./pipelines/NonOfficial/PowerShell-Packages-NonOfficial.yml`)
+3. Copy the structure from the refactored Official pipeline
+4. Hard-code the NonOfficial template reference:
+   ```yaml
+   extends:
+     template: v2/OneBranch.NonOfficial.CrossPlat.yml@onebranchTemplates
+   ```
+5. Reference the same shared templates:
+   ```yaml
+   variables:
+     - template: ../templates/PowerShell-Packages-Variables.yml
+
+   stages:
+     - template: ../templates/PowerShell-Packages-Stages.yml
+   ```
+
+**Note**: The NonOfficial pipeline uses `../templates/` because it's one directory deeper than the Official pipeline.
+
+### Step 4: Link NonOfficial Pipelines to NonOfficial Dependencies
+
+After creating NonOfficial pipelines, ensure they consume artifacts from other **NonOfficial** pipelines, not Official ones.
+
+1. **Check the `resources:` section** in each NonOfficial pipeline for `pipelines:` dependencies
+2. **Identify Official pipeline references** that need to be changed to NonOfficial
+3. **Update the `source:` field** to point to the NonOfficial version
+
+**Example Problem:** NonOfficial pipeline pointing to Official dependency
+```yaml
+resources:
+  pipelines:
+    - pipeline: CoOrdinatedBuildPipeline
+      source: 'PowerShell-Coordinated Binaries-Official'  # ❌ Wrong - Official!
+```
+
+**Solution:** Update to NonOfficial dependency
+```yaml
+resources:
+  pipelines:
+    - pipeline: CoOrdinatedBuildPipeline
+      source: 'PowerShell-Coordinated Binaries-NonOfficial'  # ✅ Correct - NonOfficial!
+```
+
+**IMPORTANT**: The `source:` field must match the **exact ADO pipeline definition name** as it appears in Azure DevOps, not necessarily the file name.
+
+### Step 5: Configure Release Environment Parameters (NonAzure Only)
+
+**This step only applies if the pipeline uses `category: NonAzure` in the release configuration.**
+
+If you detect this pattern in the original pipeline:
+
+```yaml
+extends:
+  template: v2/OneBranch.Official.CrossPlat.yml@onebranchTemplates  # or NonOfficial
+  parameters:
+    release:
+      category: NonAzure
+```
+
+Then you must configure the `ob_release_environment` parameter when referencing the stages template.
+
+#### Official Pipeline Configuration
+
+In the Official pipeline (e.g., `./pipelines/PowerShell-Packages.yml`):
+
+```yaml
+stages:
+  - template: templates/PowerShell-Packages-Stages.yml
+    parameters:
+      ob_release_environment: Production
+```
+
+#### NonOfficial Pipeline Configuration
+
+In the NonOfficial pipeline (e.g., `./pipelines/NonOfficial/PowerShell-Packages-NonOfficial.yml`):
+
+```yaml
+stages:
+  - template: ../templates/PowerShell-Packages-Stages.yml
+    parameters:
+      ob_release_environment: Test
+```
+
+#### Update Stages Template to Accept Parameter
+
+The extracted stages template (e.g., `./pipelines/templates/PowerShell-Packages-Stages.yml`) must declare the parameter at the top:
+
+```yaml
+parameters:
+  - name: ob_release_environment
+    type: string
+
+stages:
+  # ... rest of stages configuration using ${{ parameters.ob_release_environment }}
+```
+
+**IMPORTANT**: 
+- Only configure this for pipelines with `category: NonAzure`
+- Official pipelines always use `ob_release_environment: Production`
+- NonOfficial pipelines always use `ob_release_environment: Test`
+- The stages template must accept this parameter and use it in the appropriate stage configurations
@@ -0,0 +1,97 @@
+trigger: none
+
+parameters:
+  - name: InternalSDKBlobURL
+    displayName: URL to the blob having internal .NET SDK
+    type: string
+    default: ' '
+  - name: ReleaseTagVar
+    displayName: Release Tag
+    type: string
+    default: 'fromBranch'
+  - name: SKIP_SIGNING
+    displayName: Debugging - Skip Signing
+    type: string
+    default: 'NO'
+  - name: RUN_TEST_AND_RELEASE
+    displayName: Debugging - Run Test and Release Artifacts Stage
+    type: boolean
+    default: true
+  - name: RUN_WINDOWS
+    displayName: Debugging - Enable Windows Stage
+    type: boolean
+    default: true
+  - name: ENABLE_MSBUILD_BINLOGS
+    displayName: Debugging - Enable MSBuild Binary Logs
+    type: boolean
+    default: false
+  - name: FORCE_CODEQL
+    displayName: Debugging - Enable CodeQL and set cadence to 1 hour
+    type: boolean
+    default: false
+
+name: bins-$(BUILD.SOURCEBRANCHNAME)-nonofficial-$(Build.BuildId)
+
+resources:
+  repositories:
+  - repository: ComplianceRepo
+    type: github
+    endpoint: ComplianceGHRepo
+    name: PowerShell/compliance
+    ref: master
+  - repository: onebranchTemplates
+    type: git
+    name: OneBranch.Pipelines/GovernedTemplates
+    ref: refs/heads/main
+
+variables:
+  - template: ../templates/variables/PowerShell-Coordinated_Packages-Variables.yml
+    parameters:
+      InternalSDKBlobURL: ${{ parameters.InternalSDKBlobURL }}
+      ReleaseTagVar: ${{ parameters.ReleaseTagVar }}
+      SKIP_SIGNING: ${{ parameters.SKIP_SIGNING }}
+      ENABLE_MSBUILD_BINLOGS: ${{ parameters.ENABLE_MSBUILD_BINLOGS }}
+      FORCE_CODEQL: ${{ parameters.FORCE_CODEQL }}
+
+extends:
+  template: v2/OneBranch.NonOfficial.CrossPlat.yml@onebranchTemplates
+  parameters:
+    customTags: 'ES365AIMigrationTooling'
+    featureFlags:
+      LinuxHostVersion:
+          Network: KS3
+      WindowsHostVersion:
+          Network: KS3
+      incrementalSDLBinaryAnalysis: true
+    globalSdl:
+      disableLegacyManifest: true
+      # disabled Armorty as we dont have any ARM templates to scan. It fails on some sample ARM templates.
+      armory:
+        enabled: false
+      sbom:
+        enabled: true
+      codeql:
+        compiled:
+          enabled: $(CODEQL_ENABLED)
+        tsaEnabled: true # This enables TSA bug filing only for CodeQL 3000
+      credscan:
+        enabled: true
+        scanFolder:  $(Build.SourcesDirectory)
+        suppressionsFile: $(Build.SourcesDirectory)\.config\suppress.json
+      cg:
+        enabled: true
+        ignoreDirectories: '.devcontainer,demos,docker,docs,src,test,tools/packaging'
+      binskim:
+        enabled: false
+        exactToolVersion: 4.4.2
+      # APIScan requires a non-Ready-To-Run build
+      apiscan:
+        enabled: false
+      tsaOptionsFile: .config\tsaoptions.json
+
+    stages:
+    - template: ../templates/stages/PowerShell-Coordinated_Packages-Stages.yml
+      parameters:
+        RUN_WINDOWS: ${{ parameters.RUN_WINDOWS }}
+        RUN_TEST_AND_RELEASE: ${{ parameters.RUN_TEST_AND_RELEASE }}
+        OfficialBuild: false
@@ -0,0 +1,97 @@
+trigger: none
+
+parameters: # parameters are shown up in ADO UI in a build queue time
+  - name: ForceAzureBlobDelete
+    displayName: Delete Azure Blob
+    type: string
+    values:
+    - true
+    - false
+    default: false
+  - name: 'debug'
+    displayName: 'Enable debug output'
+    type: boolean
+    default: false
+  - name: InternalSDKBlobURL
+    displayName: URL to the blob having internal .NET SDK
+    type: string
+    default: ' '
+  - name: ReleaseTagVar
+    displayName: Release Tag
+    type: string
+    default: 'fromBranch'
+  - name: SKIP_SIGNING
+    displayName: Skip Signing
+    type: string
+    default: 'NO'
+  - name: disableNetworkIsolation
+    type: boolean
+    default: false
+
+name: pkgs-$(BUILD.SOURCEBRANCHNAME)-nonofficial-$(Build.BuildId)
+
+variables:
+  - template: ../templates/variables/PowerShell-Packages-Variables.yml
+    parameters:
+      debug: ${{ parameters.debug }}
+      ForceAzureBlobDelete: ${{ parameters.ForceAzureBlobDelete }}
+      ReleaseTagVar: ${{ parameters.ReleaseTagVar }}
+      disableNetworkIsolation: ${{ parameters.disableNetworkIsolation }}
+
+resources:
+  pipelines:
+    - pipeline: CoOrdinatedBuildPipeline
+      source: 'PowerShell-Coordinated_Packages-NonOfficial'
+      trigger:
+        branches:
+          include:
+            - master
+            - releases/*
+
+  repositories:
+    - repository: onebranchTemplates
+      type: git
+      name: OneBranch.Pipelines/GovernedTemplates
+      ref: refs/heads/main
+
+extends:
+  template: v2/OneBranch.NonOfficial.CrossPlat.yml@onebranchTemplates
+  parameters:
+    cloudvault:
+      enabled: false
+    featureFlags:
+      WindowsHostVersion:
+        Version: 2022
+        Network: KS3
+      LinuxHostVersion:
+        Network: KS3
+      linuxEsrpSigning: true
+      incrementalSDLBinaryAnalysis: true
+      disableNetworkIsolation: ${{ variables.disableNetworkIsolation }}
+    globalSdl:
+      disableLegacyManifest: true
+      # disabled Armorty as we dont have any ARM templates to scan. It fails on some sample ARM templates.
+      armory:
+        enabled: false
+      sbom:
+        enabled: true
+      compiled:
+        enabled: false
+      credscan:
+        enabled: true
+        scanFolder:  $(Build.SourcesDirectory)
+        suppressionsFile: $(Build.SourcesDirectory)\.config\suppress.json
+      cg:
+        enabled: true
+        ignoreDirectories: '.devcontainer,demos,docker,docs,src,test,tools/packaging'
+      binskim:
+        enabled: false
+        exactToolVersion: 4.4.2
+      # APIScan requires a non-Ready-To-Run build
+      apiscan:
+        enabled: false
+      tsaOptionsFile: .config\tsaoptions.json
+    stages:
+    - template: ../templates/stages/PowerShell-Packages-Stages.yml
+      parameters:
+        OfficialBuild: false