Merge branch 'main' into bump_v8

Author: dkurepa

eng/docker-tools/DEV-GUIDE.md

@@ -143,6 +143,7 @@ Build Stage
               ▼
           Post_Build Stage
             ├── Merge image info files
+            ├── Create multi-arch manifests
             └── Consolidate SBOMs
                     │
                     ▼
@@ -191,13 +192,35 @@ Common patterns:
 - `"publish"` - Publish only (when re-running a failed publish from a previous build)
 - `"build,test,sign,publish"` - Full pipeline
 
-**Note:** The `Post_Build` stage is implicitly included whenever `build` is in the stages list. You don't need to specify it separately—it automatically runs after Build to merge image info files and consolidate SBOMs.
+**Note:** The `Post_Build` stage is implicitly included whenever `build` is in the stages list. You don't need to specify it separately—it automatically runs after Build to merge image info files, create and validate multi-arch manifests, and consolidate SBOMs.
 
 The stages variable is useful for:
 - Re-running just the publish stage after fixing a transient failure
 - Skipping tests during initial development
 - Running isolated stages for debugging
 
+### Decoupling build OS from the base image OS
+
+By default, a platform's `osVersion` represents the base image OS version, but also determines what
+build leg an image is built in. This can cause problems when build image and base image don't match
+up. For example, building a .NET app on Windows Server 2025 and copying the artifacts into a
+Windows Server 2019 base image won't work, because the build matrix generation will attempt to
+build the image on the Server 2019 build leg (which can't run Server 2025 images).
+
+To fix this, set the optional `buildOsVersion` field in order to override only the OS used in the
+build matrix generation. Here is an example of building a Windows Server 2019 image using Windows
+Server 2025:
+
+```jsonc
+{
+  // ...
+  "os": "windows",
+  "osVersion": "windowsservercore-ltsc2019",
+  "buildOsVersion": "windowsservercore-ltsc2025"
+  // ...
+}
+```
+
 ### Image Info Files: The Build's Memory
 
 Image info files (defined by [`ImageArtifactDetails`](https://github.com/dotnet/docker-tools/blob/main/src/ImageBuilder/Models/Image/ImageArtifactDetails.cs)) are the mechanism that tracks what was built:
@@ -458,7 +481,7 @@ If the Dockerfile is in the manifest but you don't see a build job for it, the b
 ```yaml
 windowsLtsc2025Amd64:
   src-windowsservercore-ltsc2025-helix-graph:
-    imageBuilderPaths: --path src/windowsservercore/ltsc2025/helix/amd64 --path src/windowsservercore/ltsc2025/helix/webassembly/amd64
+    imageBuilderPaths: --path src/windowsservercore/ltsc2025/helix/amd64 --path src/windowsservercore/ltsc2025/helix/webassembly-net8/amd64 --path src/windowsservercore/ltsc2025/helix/webassembly/amd64
     legName: windows-ltsc2025amd64src-windowsservercore-ltsc2025-helix-graph
     osType: windows
     architecture: amd64

eng/pipelines/steps/pip-authenticate.yml

@@ -10,7 +10,12 @@ steps:
     artifactFeeds: public/dotnet-public-pypi,public/helix-client-prod
     onlyAddExtraIndex: false
 - powershell: |
+    # common.yml seeds imageBuilderBuildArgs with the anonymous PIP_INDEX_URL so
+    # public pipelines can build. On internal builds, replace that default with
+    # the authenticated URL produced by PipAuthenticate above (it embeds a PAT),
+    # rather than appending a duplicate --build-arg.
     $options = "$(imageBuilderBuildArgs)"
-    $options += " --build-arg PIP_INDEX_URL=$env:PIP_INDEX_URL --build-arg NPM_TOKEN=$(System.AccessToken)"
+    $options = $options -replace '--build-arg PIP_INDEX_URL=\S+', "--build-arg PIP_INDEX_URL=$env:PIP_INDEX_URL"
+    $options += " --build-arg NPM_TOKEN=$(System.AccessToken)"
     echo "##vso[task.setvariable variable=imageBuilderBuildArgs]$options"
   displayName: Set PIP and NPM Build Args

eng/pipelines/variables/common.yml

@@ -24,7 +24,10 @@ variables:
 - name: publishReadme
   value: false
 - name: imageBuilderBuildArgs
-  value: ''
+  # Default build args. PIP_INDEX_URL defaults to the public PyPI (anonymous and
+  # unthrottled, unlike the Azure Artifacts mirror) and is overwritten with an
+  # authenticated mirror URL by pip-authenticate.yml in internal pipelines.
+  value: '--build-arg PIP_INDEX_URL=https://pypi.org/simple/ --build-arg HELIX_FEED=https://dnceng.pkgs.visualstudio.com/public/_packaging/helix-client-prod/pypi/simple'
 - name: publicGitRepoUri
   value: https://github.com/dotnet/dotnet-buildtools-prereqs-docker
 - name: publicSourceBranch

src/almalinux/10/helix/amd64/Dockerfile

@@ -2,6 +2,7 @@ FROM library/almalinux:10 AS venv
 
 ARG PIP_INDEX_URL
 ENV PIP_INDEX_URL=${PIP_INDEX_URL}
+ARG HELIX_FEED
 
 RUN dnf upgrade --refresh -y \
     && dnf install --setopt tsflags=nodocs -y \
@@ -13,7 +14,6 @@ RUN dnf upgrade --refresh -y \
 
 RUN python3 -m venv /venv \
     && . /venv/bin/activate \
-    && HELIX_FEED=https://dnceng.pkgs.visualstudio.com/public/_packaging/helix-client-prod/pypi/simple \
     && pip download --no-deps --index-url $HELIX_FEED --extra-index-url $PIP_INDEX_URL helix-scripts \
     && pip install --index-url $PIP_INDEX_URL ./helix_scripts-*-py3-none-any.whl \
     && rm ./helix_scripts-*-py3-none-any.whl

src/almalinux/8/helix/amd64/Dockerfile

@@ -2,6 +2,7 @@ FROM library/almalinux:8
 
 ARG PIP_INDEX_URL
 ENV PIP_INDEX_URL=${PIP_INDEX_URL}
+ARG HELIX_FEED
 
 RUN dnf upgrade --refresh -y \
     && dnf install --setopt tsflags=nodocs -y  \
@@ -38,7 +39,6 @@ ENV VIRTUAL_ENV=/home/helixbot/.vsts-env
 
 RUN python -m venv $VIRTUAL_ENV && \
     ${VIRTUAL_ENV}/bin/pip install --upgrade pip setuptools && \
-    HELIX_FEED=https://dnceng.pkgs.visualstudio.com/public/_packaging/helix-client-prod/pypi/simple && \
     ${VIRTUAL_ENV}/bin/pip download --no-deps --index-url $HELIX_FEED --extra-index-url $PIP_INDEX_URL helix-scripts && \
     ${VIRTUAL_ENV}/bin/pip install --index-url $PIP_INDEX_URL ./helix_scripts-*-py3-none-any.whl && \
     rm ./helix_scripts-*-py3-none-any.whl

src/almalinux/9/helix/amd64/Dockerfile

@@ -2,6 +2,7 @@ FROM library/almalinux:9 AS venv
 
 ARG PIP_INDEX_URL
 ENV PIP_INDEX_URL=${PIP_INDEX_URL}
+ARG HELIX_FEED
 
 RUN dnf upgrade --refresh -y \
     && dnf install --setopt tsflags=nodocs -y \
@@ -14,7 +15,6 @@ RUN dnf upgrade --refresh -y \
 RUN python3 -m venv /venv \
     && . /venv/bin/activate \
     && pip install --upgrade pip setuptools \
-    && HELIX_FEED=https://dnceng.pkgs.visualstudio.com/public/_packaging/helix-client-prod/pypi/simple \
     && pip download --no-deps --index-url $HELIX_FEED --extra-index-url $PIP_INDEX_URL helix-scripts \
     && pip install --index-url $PIP_INDEX_URL ./helix_scripts-*-py3-none-any.whl \
     && rm ./helix_scripts-*-py3-none-any.whl

src/alpine/3.23/helix/Dockerfile

@@ -2,6 +2,7 @@ FROM library/alpine:3.23 AS venv
 
 ARG PIP_INDEX_URL
 ENV PIP_INDEX_URL=${PIP_INDEX_URL}
+ARG HELIX_FEED
 
 RUN apk add --upgrade --no-cache \
         cargo \
@@ -14,7 +15,6 @@ RUN apk add --upgrade --no-cache \
 
 RUN python3 -m venv /venv && \
         source /venv/bin/activate && \
-        HELIX_FEED=https://dnceng.pkgs.visualstudio.com/public/_packaging/helix-client-prod/pypi/simple && \
         pip download --no-deps --index-url $HELIX_FEED --extra-index-url $PIP_INDEX_URL helix-scripts && \
         pip install --index-url $PIP_INDEX_URL ./helix_scripts-*-py3-none-any.whl && \
         rm ./helix_scripts-*-py3-none-any.whl

src/alpine/3.24/helix/Dockerfile

@@ -2,6 +2,7 @@ FROM library/alpine:3.24 AS venv
 
 ARG PIP_INDEX_URL
 ENV PIP_INDEX_URL=${PIP_INDEX_URL}
+ARG HELIX_FEED
 
 RUN apk add --upgrade --no-cache \
         cargo \
@@ -14,7 +15,6 @@ RUN apk add --upgrade --no-cache \
 
 RUN python3 -m venv /venv && \
         source /venv/bin/activate && \
-        HELIX_FEED=https://dnceng.pkgs.visualstudio.com/public/_packaging/helix-client-prod/pypi/simple && \
         pip download --no-deps --index-url $HELIX_FEED --extra-index-url $PIP_INDEX_URL helix-scripts && \
         pip install --index-url $PIP_INDEX_URL ./helix_scripts-*-py3-none-any.whl && \
         rm ./helix_scripts-*-py3-none-any.whl

src/alpine/edge/helix/Dockerfile

@@ -2,6 +2,7 @@ FROM library/alpine:edge AS venv
 
 ARG PIP_INDEX_URL
 ENV PIP_INDEX_URL=${PIP_INDEX_URL}
+ARG HELIX_FEED
 
 RUN apk add --upgrade --no-cache \
         cargo \
@@ -14,7 +15,6 @@ RUN apk add --upgrade --no-cache \
 
 RUN python3 -m venv /venv && \
         source /venv/bin/activate && \
-        HELIX_FEED=https://dnceng.pkgs.visualstudio.com/public/_packaging/helix-client-prod/pypi/simple && \
         pip download --no-deps --index-url $HELIX_FEED --extra-index-url $PIP_INDEX_URL helix-scripts && \
         pip install --index-url $PIP_INDEX_URL ./helix_scripts-*-py3-none-any.whl && \
         rm ./helix_scripts-*-py3-none-any.whl

src/azurelinux/3.0/helix/Dockerfile

@@ -2,6 +2,7 @@ FROM mcr.microsoft.com/azurelinux/base/core:3.0 as venv
 
 ARG PIP_INDEX_URL
 ENV PIP_INDEX_URL=${PIP_INDEX_URL}
+ARG HELIX_FEED
 
 RUN tdnf install --refresh -y \
     build-essential \
@@ -14,7 +15,6 @@ RUN tdnf install --refresh -y \
 
 RUN python3 -m venv /venv && \
         source /venv/bin/activate && \
-        HELIX_FEED=https://dnceng.pkgs.visualstudio.com/public/_packaging/helix-client-prod/pypi/simple && \
         pip download --no-deps --index-url $HELIX_FEED --extra-index-url $PIP_INDEX_URL helix-scripts && \
         pip install --index-url $PIP_INDEX_URL ./helix_scripts-*-py3-none-any.whl && \
         rm ./helix_scripts-*-py3-none-any.whl