Streamline signing variables in Windows release build (#294)

zooba · web-flow · commit b2179610037b · 2025-10-17T11:15:52.000+01:00
Always passes the signing certificate as a template parameter and never as a variable.
Also cleans up the other queue time variables we have and updates the list in the main file.
diff --git a/windows-release/azure-pipelines.yml b/windows-release/azure-pipelines.yml
@@ -140,8 +140,14 @@ variables:
     SigningDescription: ${{ parameters.SigningDescription }}
   PublishARM64: ${{ parameters.DoARM64 }}
 # QUEUE TIME VARIABLES
-#  PyDotOrgUsername: ''
-#  PyDotOrgServer: ''
+#  OverrideNugetVersion: ''
+#  PyManagerIndexFilename: ''
+#  SkipNugetPublish: ''
+#  SkipPipTests: ''
+#  SkipPythonOrgPublish: ''
+#  SkipSBOM: ''
+#  SkipTests: ''
+#  SkipTkTests: ''
 
 trigger: none
 pr: none
@@ -193,61 +199,67 @@ stages:
       parameters:
         BuildToPackage: ${{ parameters.BuildToPackage }}
         DoFreethreaded: ${{ parameters.DoFreethreaded }}
+        SigningCertificate: ${{ iif(eq(parameters.SigningCertificate, 'Unsigned'), '', parameters.SigningCertificate) }}
     - template: stage-layout-symbols.yml
       parameters:
         BuildToPackage: ${{ parameters.BuildToPackage }}
         DoFreethreaded: ${{ parameters.DoFreethreaded }}
+        SigningCertificate: ${{ iif(eq(parameters.SigningCertificate, 'Unsigned'), '', parameters.SigningCertificate) }}
     - ${{ if eq(parameters.DoEmbed, 'true') }}:
       - template: stage-layout-embed.yml
         parameters:
           BuildToPackage: ${{ parameters.BuildToPackage }}
+          SigningCertificate: ${{ iif(eq(parameters.SigningCertificate, 'Unsigned'), '', parameters.SigningCertificate) }}
     - ${{ if eq(parameters.DoNuget, 'true') }}:
       - template: stage-layout-nuget.yml
         parameters:
           BuildToPackage: ${{ parameters.BuildToPackage }}
           DoFreethreaded: ${{ parameters.DoFreethreaded }}
+          SigningCertificate: ${{ iif(eq(parameters.SigningCertificate, 'Unsigned'), '', parameters.SigningCertificate) }}
     - ${{ if eq(parameters.DoMSIX, 'true') }}:
       - template: stage-layout-msix.yml
         parameters:
           BuildToPackage: ${{ parameters.BuildToPackage }}
+          SigningCertificate: ${{ iif(eq(parameters.SigningCertificate, 'Unsigned'), '', parameters.SigningCertificate) }}
     - ${{ if eq(parameters.DoPyManager, 'true') }}:
       - template: stage-layout-pymanager.yml
         parameters:
           BuildToPackage: ${{ parameters.BuildToPackage }}
           DoFreethreaded: ${{ parameters.DoFreethreaded }}
           DoEmbed: ${{ parameters.DoEmbed }}
+          SigningCertificate: ${{ iif(eq(parameters.SigningCertificate, 'Unsigned'), '', parameters.SigningCertificate) }}
 
   - stage: Pack
     dependsOn: Layout
     displayName: Pack
     jobs:
     #- ${{ if eq(parameters.DoEmbed, 'true') }}:
     #  - template: stage-pack-embed.yml
+    #    parameters:
+    #      SigningCertificate: ${{ iif(eq(parameters.SigningCertificate, 'Unsigned'), '', parameters.SigningCertificate) }}
     - ${{ if eq(parameters.DoMSI, 'true') }}:
       - template: stage-msi.yml
         parameters:
           BuildToPackage: ${{ parameters.BuildToPackage }}
           DoARM64: ${{ parameters.DoARM64}}
           DoFreethreaded: ${{ parameters.DoFreethreaded }}
-          ${{ if and(parameters.SigningCertificate, ne(parameters.SigningCertificate, 'Unsigned')) }}:
-            SigningCertificate: ${{ parameters.SigningCertificate }}
+          SigningCertificate: ${{ iif(eq(parameters.SigningCertificate, 'Unsigned'), '', parameters.SigningCertificate) }}
     - ${{ if eq(parameters.DoMSIX, 'true') }}:
       - template: stage-pack-msix.yml
         parameters:
-          ${{ if and(parameters.SigningCertificate, ne(parameters.SigningCertificate, 'Unsigned')) }}:
-            SigningCertificate: ${{ parameters.SigningCertificate }}
+          SigningCertificate: ${{ iif(eq(parameters.SigningCertificate, 'Unsigned'), '', parameters.SigningCertificate) }}
     - ${{ if eq(parameters.DoNuget, 'true') }}:
       - template: stage-pack-nuget.yml
         parameters:
           ${{ if eq(parameters.SignNuget, 'true') }}:
-            ${{ if and(parameters.SigningCertificate, ne(parameters.SigningCertificate, 'Unsigned')) }}:
-              SigningCertificate: ${{ parameters.SigningCertificate }}
+            SigningCertificate: ${{ iif(eq(parameters.SigningCertificate, 'Unsigned'), '', parameters.SigningCertificate) }}
           DoFreethreaded: ${{ parameters.DoFreethreaded }}
     - ${{ if eq(parameters.DoPyManager, 'true') }}:
       - template: stage-pack-pymanager.yml
         parameters:
           DoFreethreaded: ${{ parameters.DoFreethreaded }}
           DoEmbed: ${{ parameters.DoEmbed }}
+          SigningCertificate: ${{ iif(eq(parameters.SigningCertificate, 'Unsigned'), '', parameters.SigningCertificate) }}
 
   - stage: Test
     dependsOn: Pack
diff --git a/windows-release/stage-layout-embed.yml b/windows-release/stage-layout-embed.yml
@@ -1,5 +1,6 @@
 parameters:
   BuildToPackage: current
+  SigningCertificate: ''
 
 jobs:
 - job: Make_Embed_Layout
diff --git a/windows-release/stage-layout-full.yml b/windows-release/stage-layout-full.yml
@@ -1,6 +1,7 @@
 parameters:
   BuildToPackage: current
   DoFreethreaded: false
+  SigningCertificate: ''
 
 jobs:
 - job: Make_Layouts
@@ -131,10 +132,10 @@ jobs:
     displayName: 'Update TCL_LIBRARY'
     condition: and(succeeded(), variables['TclLibrary'])
 
-  - powershell: |
-      copy "$(Pipeline.Workspace)\bin_$(Name)\Activate.ps1" Lib\venv\scripts\common\Activate.ps1 -Force
-    displayName: 'Copy signed files into sources'
-    condition: and(succeeded(), variables['SigningCertificate'])
+  - ${{ if parameters.SigningCertificate }}:
+    - powershell: |
+        copy "$(Pipeline.Workspace)\bin_$(Name)\Activate.ps1" Lib\venv\scripts\common\Activate.ps1 -Force
+      displayName: 'Copy signed files into sources'
 
   - template: ./layout-command.yml
     parameters:
diff --git a/windows-release/stage-layout-msix.yml b/windows-release/stage-layout-msix.yml
@@ -1,5 +1,6 @@
 parameters:
   BuildToPackage: current
+  SigningCertificate: ''
 
 jobs:
 - job: Make_MSIX_Layout
@@ -69,25 +70,24 @@ jobs:
     displayName: 'Update TCL_LIBRARY'
     condition: and(succeeded(), variables['TclLibrary'])
 
-  - task: DownloadPipelineArtifact@2
-    displayName: 'Download artifact: cert'
-    condition: and(succeeded(), variables['SigningCertificate'])
-    inputs:
-      ${{ if eq(parameters.BuildToPackage, 'current') }}:
-        buildType: current
-      ${{ else }}:
-        buildType: specific
-        buildVersionToDownload: specific
-        project: $(resources.pipeline.build_to_package.projectId)
-        pipeline: $(resources.pipeline.build_to_package.pipelineId)
-        runId: $(resources.pipeline.build_to_package.runID)
-      artifact: cert
-      targetPath: $(Pipeline.Workspace)\cert
-
-  - powershell: |
-      copy "$(Pipeline.Workspace)\bin_$(Name)\Activate.ps1" Lib\venv\scripts\common\Activate.ps1 -Force
-    displayName: 'Copy signed files into sources'
-    condition: and(succeeded(), variables['SigningCertificate'])
+  - ${{ if parameters.SigningCertificate }}:
+    - task: DownloadPipelineArtifact@2
+      displayName: 'Download artifact: cert'
+      inputs:
+        ${{ if eq(parameters.BuildToPackage, 'current') }}:
+          buildType: current
+        ${{ else }}:
+          buildType: specific
+          buildVersionToDownload: specific
+          project: $(resources.pipeline.build_to_package.projectId)
+          pipeline: $(resources.pipeline.build_to_package.pipelineId)
+          runId: $(resources.pipeline.build_to_package.runID)
+        artifact: cert
+        targetPath: $(Pipeline.Workspace)\cert
+
+    - powershell: |
+        copy "$(Pipeline.Workspace)\bin_$(Name)\Activate.ps1" Lib\venv\scripts\common\Activate.ps1 -Force
+      displayName: 'Copy signed files into sources'
 
   - template: ./layout-command.yml
     parameters:
@@ -100,14 +100,14 @@ jobs:
     env:
       TCL_LIBRARY: $(TclLibrary)
 
-  # The dotnet sign tool shouldn't need this, but we do because of the sccd file
-  - powershell: |
-      $info = (gc "$(Pipeline.Workspace)\cert\certinfo.json" | ConvertFrom-JSON)
-      Write-Host "Side-loadable APPX must be signed with '$($info.Subject)'"
-      Write-Host "##vso[task.setvariable variable=APPX_DATA_PUBLISHER]$($info.Subject)"
-      Write-Host "##vso[task.setvariable variable=APPX_DATA_SHA256]$($info.SHA256)"
-    displayName: 'Override signing parameters'
-    condition: and(succeeded(), variables['SigningCertificate'])
+  - ${{ if parameters.SigningCertificate }}:
+    # The dotnet sign tool shouldn't need this, but we do because of the sccd file
+    - powershell: |
+        $info = (gc "$(Pipeline.Workspace)\cert\certinfo.json" | ConvertFrom-JSON)
+        Write-Host "Side-loadable APPX must be signed with '$($info.Subject)'"
+        Write-Host "##vso[task.setvariable variable=APPX_DATA_PUBLISHER]$($info.Subject)"
+        Write-Host "##vso[task.setvariable variable=APPX_DATA_SHA256]$($info.SHA256)"
+      displayName: 'Override signing parameters'
 
   - powershell: |
       Remove-Item "$(Build.ArtifactStagingDirectory)\appx" -Recurse -Force -EA 0
diff --git a/windows-release/stage-layout-nuget.yml b/windows-release/stage-layout-nuget.yml
@@ -1,6 +1,7 @@
 parameters:
   BuildToPackage: current
   DoFreethreaded: false
+  SigningCertificate: ''
 
 jobs:
 - job: Make_Nuget_Layout
@@ -64,10 +65,10 @@ jobs:
       artifact: bin_$(Name)
       targetPath: $(Pipeline.Workspace)\bin_$(Name)
 
-  - powershell: |
-      copy $(Pipeline.Workspace)\bin_$(Name)\Activate.ps1 Lib\venv\scripts\common\Activate.ps1 -Force
-    displayName: 'Copy signed files into sources'
-    condition: and(succeeded(), variables['SigningCertificate'])
+  - ${{ if parameters.SigningCertificate }}:
+    - powershell: |
+        copy $(Pipeline.Workspace)\bin_$(Name)\Activate.ps1 Lib\venv\scripts\common\Activate.ps1 -Force
+      displayName: 'Copy signed files into sources'
 
   - template: ./layout-command.yml
     parameters:
diff --git a/windows-release/stage-layout-pymanager.yml b/windows-release/stage-layout-pymanager.yml
@@ -3,6 +3,7 @@ parameters:
   DoFreethreaded: false
   DoEmbed: false
   LayoutScriptBranch: main
+  SigningCertificate: ''
 
 jobs:
 - job: Make_PyManager_Layouts
@@ -175,11 +176,11 @@ jobs:
     displayName: 'Update TCL_LIBRARY'
     condition: and(succeeded(), variables['TclLibrary'])
 
-  - powershell: |
-      copy "$(Pipeline.Workspace)\bin_$(Name)\Activate.ps1" Lib\venv\scripts\common\Activate.ps1 -Force
-    displayName: 'Copy signed files into sources'
-    workingDirectory: $(Build.SourcesDirectory)\cpython
-    condition: and(succeeded(), variables['SigningCertificate'])
+  - ${{ if parameters.SigningCertificate }}:
+    - powershell: |
+        copy "$(Pipeline.Workspace)\bin_$(Name)\Activate.ps1" Lib\venv\scripts\common\Activate.ps1 -Force
+      displayName: 'Copy signed files into sources'
+      workingDirectory: $(Build.SourcesDirectory)\cpython
 
   - template: ./layout-command.yml
     parameters:
diff --git a/windows-release/stage-layout-symbols.yml b/windows-release/stage-layout-symbols.yml
@@ -15,6 +15,7 @@ parameters:
   - win32_td
   - amd64_td
   - arm64_td
+  SigningCertificate: ''
 
 
 jobs:
diff --git a/windows-release/stage-pack-msix.yml b/windows-release/stage-pack-msix.yml
@@ -25,7 +25,7 @@ jobs:
         Name: amd64
         Artifact: appxstore
         Suffix: -store
-        Upload: true
+        CreateMsixUpload: true
       arm64:
         Name: arm64
         Artifact: appx
@@ -35,7 +35,7 @@ jobs:
         Name: arm64
         Artifact: appxstore
         Suffix: -store
-        Upload: true
+        CreateMsixUpload: true
 
   steps:
   - template: ./checkout.yml
@@ -70,26 +70,21 @@ jobs:
   - powershell: |
       7z a -tzip "$(Build.ArtifactStagingDirectory)\msixupload\$(Filename).msixupload" *
     displayName: 'Build msixupload'
-    condition: and(succeeded(), eq(variables['Upload'], 'true'))
+    condition: and(succeeded(), eq(variables['CreateMsixUpload'], 'true'))
     workingDirectory: $(Build.ArtifactStagingDirectory)\msix
 
   - task: PublishBuildArtifacts@1
     displayName: 'Publish Artifact: MSIX'
-    condition: and(succeeded(), or(ne(variables['ShouldSign'], 'true'), not(variables['SigningCertificate'])))
     inputs:
       PathtoPublish: '$(Build.ArtifactStagingDirectory)\msix'
-      ArtifactName: msix
-
-  - task: PublishBuildArtifacts@1
-    displayName: 'Publish Artifact: MSIX'
-    condition: and(succeeded(), eq(variables['ShouldSign'], 'true'), variables['SigningCertificate'])
-    inputs:
-      PathtoPublish: '$(Build.ArtifactStagingDirectory)\msix'
-      ArtifactName: unsigned_msix
+      ${{ if parameters.SigningCertificate }}:
+        ArtifactName: unsigned_msix
+      ${{ else }}:
+        ArtifactName: msix
 
   - task: PublishBuildArtifacts@1
     displayName: 'Publish Artifact: MSIXUpload'
-    condition: and(succeeded(), eq(variables['Upload'], 'true'))
+    condition: and(succeeded(), eq(variables['CreateMsixUpload'], 'true'))
     inputs:
       PathtoPublish: '$(Build.ArtifactStagingDirectory)\msixupload'
       ArtifactName: msixupload
diff --git a/windows-release/stage-pack-pymanager.yml b/windows-release/stage-pack-pymanager.yml
@@ -1,6 +1,7 @@
 parameters:
   DoFreethreaded: false
   DoEmbed: false
+  SigningCertificate: ''
 
   Artifacts:
   - name: win32
diff --git a/windows-release/stage-test-embed.yml b/windows-release/stage-test-embed.yml
@@ -1,7 +1,6 @@
 jobs:
 - job: Test_Embed
   displayName: Test Embed
-  condition: and(succeeded(), eq(variables['DoEmbed'], 'true'))
 
   pool:
     vmImage: windows-2022
diff --git a/windows-release/stage-test-nuget.yml b/windows-release/stage-test-nuget.yml
@@ -1,7 +1,6 @@
 jobs:
 - job: Test_Nuget
   displayName: Test Nuget
-  condition: and(succeeded(), eq(variables['DoNuget'], 'true'))
 
   pool:
     vmImage: windows-2022
