[DO NOT MERGE] Testing new delta build flow

.github/workflows/ado/templates/sources-upload-stages.yml

@@ -138,12 +138,34 @@ stages:
           - script: |
               set -euo pipefail
               json_file="$(Build.ArtifactStagingDirectory)/changed-components/changed-components.json"
-              .github/workflows/scripts/control-tower/compute_changed.sh \
+              # Publish the changed-components JSON for post-mortem triage on
+              # EVERY exit path, not just success -- if azldev hard-fails on a
+              # consistency tripwire the partial JSON is exactly what an
+              # operator needs to investigate.
+              publish_artifact() {
+                if [[ -s "$json_file" ]]; then
+                  mkdir -p "$(ob_outputDirectory)/changed-components"
+                  cp "$json_file" "$(ob_outputDirectory)/changed-components/" || true
+                fi
+              }
+              trap publish_artifact EXIT
+
+              echo "##[group]Computing changed components"
+              .github/workflows/scripts/components/compute_changed.sh \
                 --output-file "$json_file" \
-                --publish-dir "$(ob_outputDirectory)" \
                 --source-commit "$(sourceCommit)" \
                 --target-commit "$(targetCommit)"
+              echo "##[endgroup]"
+
+              echo "##[group]Upload set (sourcesChange == true, changeType in {added, changed})"
+              upload_count=$(jq -r '[.[] | select(.sourcesChange == true and (.changeType | IN("added", "changed")))] | length' "$json_file")
+              jq -r '.[] | select(.sourcesChange == true and (.changeType | IN("added", "changed"))) | .component' "$json_file" | sort
+              echo "Total: $upload_count component(s) to upload."
+              echo "##[endgroup]"
+
               echo "##vso[task.setvariable variable=changedComponentsFile;isreadonly=true]$json_file"
+            env:
+              AZLDEV_ALLOW_ROOT: "1"
             displayName: "Compute changed components"
 
           # Render the components that need re-rendering (azldev-flagged plus
@@ -202,7 +224,6 @@ stages:
                   --build-reason "$BUILD_REASON" \
                   --changed-components-file "$CHANGED_COMPONENTS_FILE" \
                   --package-target azl4 \
-                  --official-build \
                   --commit-sha "$SOURCE_COMMIT" \
                   --repo-uri "$UPSTREAM_REPO_URL"
             env:

.github/workflows/scripts/components/compute_changed.sh

@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+# Compute the set of changed components between source and target commits.
+#
+# Writes one JSON entry per component to <output-file>, with fields:
+#   - component:     name
+#   - changeType:    'added' | 'changed' | 'unchanged' | 'deleted'
+#   - sourcesChange: bool (rendered 'sources' file differs across commits)
+#
+# azldev hard-fails if any component has sourcesChange == true without a
+# corresponding identity change (added/changed/deleted) -- supply-chain
+# drift protection.
+#
+# Callers are responsible for log grouping and artifact publication. If the
+# host runs azldev as root (CI containers), set AZLDEV_ALLOW_ROOT=1 in the
+# environment.
+
+set -euo pipefail
+
+usage() { echo "Usage: $0 --output-file FILE --source-commit SHA --target-commit SHA" >&2; exit 1; }
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --output-file)    output_file="$2"; shift 2 ;;
+    --source-commit)  source_commit="$2"; shift 2 ;;
+    --target-commit)  target_commit="$2"; shift 2 ;;
+    *) usage ;;
+  esac
+done
+[[ -z "${output_file:-}" || -z "${source_commit:-}" || -z "${target_commit:-}" ]] && usage
+
+mkdir -p "$(dirname "$output_file")"
+
+azldev component changed --from "$target_commit" --to "$source_commit" -a --include-unchanged -O json > "$output_file"
+
+echo "Changed components (non-unchanged):"
+jq -r '.[] | select(.changeType != "unchanged") | "  \(.changeType)\t\(.component)"' "$output_file" | sort

.github/workflows/scripts/control-tower/render_and_verify.sh

@@ -36,7 +36,7 @@ git diff --no-renames --name-only "$target_commit" "$source_commit" -- "$specs_d
 # Render set is the union of:
 #   - components flagged by 'azldev component changed' (inputs differ)
 #   - components whose spec tree was touched directly in the PR
-changed=$(python3 .github/workflows/scripts/control-tower/compute_render_set.py \
+changed=$(python3 .github/workflows/scripts/components/compute_render_set.py \
   --changed-components-file "$changed_components_file" \
   --specs-diff-file "$specs_diff_file" \
   --specs-dir "$specs_dir")

.github/workflows/scripts/control-tower/run_package_build.py

@@ -157,12 +157,15 @@ def main() -> None:
 
     base_url = args.api_base_url.rstrip("/")
 
-    if args.build_reason == "PullRequest":
-        print(
-            "Skipping Control Tower call -- pull request triggers do not submit "
-            "package builds (unmerged code should not consume build capacity)."
-        )
-        return
+    # TESTING-ONLY: PR skip lifted so we can exercise the package-build
+    # submission from a draft PR. Scratch builds are safe to kick off from
+    # arbitrary refs. Drop this commit before merging anywhere.
+    # if args.build_reason == "PullRequest":
+    #     print(
+    #         "Skipping Control Tower call -- pull request triggers do not submit "
+    #         "package builds (unmerged code should not consume build capacity)."
+    #     )
+    #     return
 
     if not components:
         print("No components need a rebuild -- skipping package-build submission.")

.github/workflows/scripts/control-tower/run_prcheck.py

@@ -181,11 +181,13 @@ def main() -> None:
     print("Payload:")
     print(json.dumps(payload, indent=2))
 
-    if args.build_reason == "PullRequest":
-        print(
-            "Skipping Control Tower call - pull request triggers are not supported, yet."
-        )
-        return
+    # TESTING-ONLY: PR skip lifted so we can exercise the prcheck endpoint
+    # from a draft PR. Drop this commit before merging anywhere.
+    # if args.build_reason == "PullRequest":
+    #     print(
+    #         "Skipping Control Tower call - pull request triggers are not supported, yet."
+    #     )
+    #     return
 
     if not components:
         print(

base/comps/components.toml

@@ -6961,7 +6961,6 @@ includes = ["**/*.comp.toml", "component-check-disablement.toml", "component-min
 [components.wlr-protocols]
 [components.woff2]
 [components.woodstox-core]
-[components.words]
 [components.wqy-zenhei-fonts]
 [components.wsdd]
 [components.wsl-setup]

base/comps/words/words.comp.toml

@@ -0,0 +1,14 @@
+[components.words]
+
+# DO NOT MERGE -- pipeline test fixture for the package-build path of the
+# Control Tower integration. Adds a benign spec change that bumps the input
+# fingerprint, so 'azldev component changed' reports the component as
+# changeType=changed and Control Tower will be asked to rebuild it. The
+# Source: URL and lookaside sources file are left at their upstream values
+# so the rebuild can actually fetch the tarball.
+
+[[components.words.overlays]]
+type = "spec-search-replace"
+description = "DO NOT MERGE: tweak Summary to bump input fingerprint and trigger a package-build."
+regex = '^Summary:\s+Dictionary of English words for the /usr/share/dict directory$'
+replacement = "Summary: Dictionary of English words for the /usr/share/dict directory (Azure Linux test build)"

locks/words.lock

@@ -2,5 +2,5 @@
 version = 1
 import-commit = '24f3425a28d261a5b44fb4f9750af6dbfb24dcc2'
 upstream-commit = '24f3425a28d261a5b44fb4f9750af6dbfb24dcc2'
-input-fingerprint = 'sha256:1dc7a333d3f506025f1ef16de31e438b0e4429b2d734164d6c456addd5bc6805'
+input-fingerprint = 'sha256:dfeb78b1b52c39769949ea7e0daceefa9c0d2f87a43728193cad5238a9b4a77b'
 resolution-input-hash = 'sha256:466421704711c4fd3c71f0b2ed715a0e61d49e3e26f3a2637fee755795849c8e'