microsoft · bwateratmsft · Jan 28, 2026 · Jan 28, 2026 · Jan 28, 2026 · Jan 28, 2026
@@ -0,0 +1,92 @@
+name: Release Pipeline Templates
+
+on:
+  workflow_dispatch:
+    inputs:
+      branch:
+        description: "Branch to update (e.g., azext-pt/v1)"
+        required: true
+        default: "azext-pt/v1"
+
+jobs:
+  create-pr:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      - uses: actions/github-script@v7
+        with:
+          script: |
+            const branch = '${{ inputs.branch }}';
+
+            // Validate branch format
+            if (!/^azext-pt\/v\d+$/.test(branch)) {
+              core.setFailed(`Branch must match pattern azext-pt/vN (e.g., azext-pt/v1)`);
+              return;
+            }
+
+            // Get main branch SHA
+            const { data: mainRef } = await github.rest.git.getRef({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              ref: 'heads/main'
+            });
+            const mainSha = mainRef.object.sha;
+
+            // Check if release branch exists
+            let branchExists = true;
+            let branchSha = null;
+            try {
+              const { data: branchRef } = await github.rest.git.getRef({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                ref: `heads/${branch}`
+              });
+              branchSha = branchRef.object.sha;
+            } catch (e) {
+              if (e.status === 404) {
+                branchExists = false;
+              } else {
+                throw e;
+              }
+            }
+
+            // Create branch if it doesn't exist
+            if (!branchExists) {
+              await github.rest.git.createRef({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                ref: `refs/heads/${branch}`,
+                sha: mainSha
+              });
+              core.summary.addHeading('✅ Branch Created', 2);
+              core.summary.addRaw(`**Branch:** \`${branch}\`\n\n`);
+              core.summary.addRaw(`**Commit:** \`${mainSha}\`\n`);
+              await core.summary.write();
+              return;
+            }
+
+            // Check if already up to date
+            if (mainSha === branchSha) {
+              core.notice(`Branch ${branch} is already up to date with main`);
+              core.summary.addHeading('ℹ️ No Changes', 2);
+              core.summary.addRaw(`Branch \`${branch}\` is already at the same commit as \`main\`.\n`);
+              await core.summary.write();
+              return;
+            }
+
+            // Create PR
+            const { data: pr } = await github.rest.pulls.create({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              head: 'main',
+              base: branch,
+              title: `Release pipeline templates to ${branch}`,
+              body: `Updates \`${branch}\` to match \`main\`.\n\n**Current ${branch}:** \`${branchSha}\`\n**New (from main):** \`${mainSha}\`\n\nTriggered by @${{ github.actor }} via workflow dispatch.`
+            });
+
+            core.summary.addHeading('✅ PR Created', 2);
+            core.summary.addRaw(`**PR:** ${pr.html_url}\n\n`);
+            core.summary.addRaw(`**Target Branch:** \`${branch}\`\n`);
+            await core.summary.write();
@@ -0,0 +1,87 @@
+parameters:
+  # Set to true for official builds, false for PRs and other unofficial builds
+  - name: isOfficialBuild
+    type: boolean
+    default: true
+
+  # The jobs to run. Use to parallelize building in subdirectories
+  - name: jobs
+    type: object
+    default:
+      - name: Root
+        working_directory: .
+
+  # The pool to use for the SDL stage
+  - name: sdlPool
+    type: object
+    default:
+      name: VSEngSS-MicroBuild2022-1ES
+      image: server2022-microbuildVS2022-1es
+      os: windows
+
+  # The pool to use for the build stage
+  - name: buildPool
+    type: object
+    default:
+      name: AzurePipelines-EO
+      image: 1ESPT-Ubuntu22.04
+      os: linux
+
+  # Set to 'real' or 'test' to enable MicroBuild signing
+  - name: signType
+    type: string
+    values:
+      - real
+      - test
+      - none
+    default: real
+
+  # Supply to disable MicroBuild signing steps and use these instead
+  - name: alternativeSigningSteps
+    type: stepList
+    default: []
+
+  # Additional steps to run during setup (e.g. npm authenticate etc.)
+  - name: additionalSetupSteps
+    type: stepList
+    default: []
+
+  # Set to the ARM service connection name to enable tests with Azure federated credentials
+  - name: testARMServiceConnection
+    type: string
+    default: ""
+
+resources:
+  repositories:
+    - repository: MicroBuildTemplate
+      type: git
+      name: 1ESPipelineTemplates/MicroBuildTemplate
+      ref: refs/heads/release
+
+extends:
+  ${{ if eq(parameters.isOfficialBuild, true) }}:
+    template: azure-pipelines/MicroBuild.1ES.Official.yml@MicroBuildTemplate
+  ${{ else }}:
+    template: azure-pipelines/MicroBuild.1ES.Unofficial.yml@MicroBuildTemplate
+
+  parameters:
+    sdl:
+      ${{ if eq(parameters.isOfficialBuild, true) }}:
+        tsa:
+          enabled: true
+      componentgovernance:
+        directoryExclusionPatterns: "**/.vscode-test"
+      codeql:
+        excludePathPatterns: "**/.vscode-test, **/dist"
+
+    pool: ${{ parameters.sdlPool }}
+
+    stages:
+      - template: ./stages/1es-stages.yml
+        parameters:
+          jobs: ${{ parameters.jobs }}
+          buildPool: ${{ parameters.buildPool }}
+          signType: ${{ parameters.signType }}
+          alternativeSigningSteps: ${{ parameters.alternativeSigningSteps }}
+          additionalSetupSteps: ${{ parameters.additionalSetupSteps }}
+          testARMServiceConnection: ${{ parameters.testARMServiceConnection }}
@@ -0,0 +1,115 @@
+parameters:
+  # The name of the package to publish.
+  # This is regex matched against .vsix files found in the build artifact.
+  - name: packageToPublish
+    type: string
+
+  # The intended package version to publish.
+  # This is used to verify the version in package.json matches the version to publish to avoid publishing the wrong package/version
+  - name: publishVersion
+    type: string
+
+  # When true, skips the deployment job that actually publishes the package
+  - name: dryRun
+    type: boolean
+    default: false
+
+  # In the build artifacts, the name of the artifact containing the package to publish
+  - name: artifactName
+    type: string
+    default: Build Root
+
+  # The service connection that VSCE will use to publish the extension
+  - name: releaseServiceConnection
+    type: string
+
+  # Set to the AzDO environment used for enforcing approval before the release runs
+  - name: releaseApprovalEnvironment
+    type: string
+    default: ""
+
+  # The pool to use for releases
+  - name: releasePool
+    type: object
+    default:
+      name: VSEngSS-MicroBuild2022-1ES
+      image: server2022-microbuildVS2022-1es
+      os: windows
+
+resources:
+  repositories:
+    - repository: MicroBuildTemplate
+      type: git
+      name: 1ESPipelineTemplates/MicroBuildTemplate
+      ref: refs/heads/release
+
+extends:
+  template: azure-pipelines/MicroBuild.1ES.Official.Publish.yml@MicroBuildTemplate
+  parameters:
+    pool: ${{ parameters.releasePool }}
+    stages:
+      - stage: ReleaseStage
+        displayName: Release extension
+        jobs:
+          - job: Publish
+            displayName: Publish extension
+            # TODO: not working, `jobs.job` doesn't support `environment`, only `jobs.deployment` does
+            # ${{ if ne(parameters.releaseApprovalEnvironment, '') }}:
+            #   environment: ${{ parameters.releaseApprovalEnvironment }}
+            templateContext:
+              type: releaseJob
+              isProduction: true
+              inputs:
+                - input: pipelineArtifact
+                  pipeline: build
+                  targetPath: "$(System.DefaultWorkingDirectory)"
+                  artifactName: "${{ parameters.artifactName }}"
+            steps:
+              - checkout: none
+
+              - task: NodeTool@0
+                displayName: "\U0001F449 Using Node.js"
+                inputs:
+                  versionSpec: 22.x
+
+              - template: azdo-pipelines/templates/find-vsixs.yml@azExtTemplates
+                parameters:
+                  vsixName: ${{ parameters.packageToPublish }}
+                  publishVersion: ${{ parameters.publishVersion }}
+
+              - template: azdo-pipelines/templates/set-release-build-number.yml@azExtTemplates
+                parameters:
+                  packageToPublish: ${{ parameters.packageToPublish }}
+                  publishVersion: ${{ parameters.publishVersion }}
+                  dryRun: ${{ parameters.dryRun }}
+
+              # Publish the package to VS Marketplace
+              - ${{ if eq(parameters.dryRun, false) }}:
+                  - task: AzureCLI@2
+                    displayName: "\U0001F449 Publish VSIXs to Marketplace"
+                    inputs:
+                      azureSubscription: ${{ parameters.releaseServiceConnection }}
+                      scriptType: pscore
+                      scriptLocation: inlineScript
+                      inlineScript: |
+                        $vsixList = @('$(vsixListJson)' | ConvertFrom-Json)
+
+                        # Publish each of the found VSIXs, automatically adding the enabled API proposals argument as well
+                        foreach ($vsix in $vsixList) {
+                            Set-Location $vsix.directory
+
+                            $commandLine = "npx @vscode/vsce@latest publish --azure-credential --packagePath $($vsix.vsixName) --manifestPath $($vsix.manifestName) --signaturePath $($vsix.signatureName)"
+                            if ($vsix.proposedApis -ne $null -and $vsix.proposedApis.Count -gt 0) {
+                                $commandLine += " --allow-proposed-apis $($vsix.proposedApis -join ' ')"
+                            }
+
+                            Write-Output "Publishing VSIX: $($vsix.vsixName) with command:"
+                            Write-Output "    $($commandLine)"
+
+                            # Execute the publish command line
+                            # Invoke-Expression $commandLine # TODO: temporarily disabled for testing
+                            # if ($LASTEXITCODE -ne 0) {
+                            #     Write-Error "Failed to publish VSIX: $($vsix.vsixName)"
+                            #     exit 1
+                            # }
+                        }