Fix tagging and improve security (#15860)

Author: vmoroz

.ado/build-template.yml

@@ -112,9 +112,9 @@ extends:
           # 1. Detect whether this is a release build or a developer build
           - pwsh: |
               $param = '${{ parameters.isReleaseBuild }}'
-              $buildReason = '$(Build.Reason)'
-              $sourceMessage = '$(Build.SourceVersionMessage)'
-              $prSourceBranch = '$(System.PullRequest.SourceBranch)'
+              $buildReason = $env:BUILD_REASON
+              $sourceMessage = $env:SOURCE_MESSAGE
+              $prSourceBranch = $env:PR_SOURCE_BRANCH
 
               if ($param -eq 'true') {
                 $isRelease = $true
@@ -144,6 +144,10 @@ extends:
               Write-Host "##vso[task.setvariable variable=isReleaseBuild]$isRelease"
             name: detectScenario
             displayName: Detect build scenario
+            env:
+              BUILD_REASON: $(Build.Reason)
+              SOURCE_MESSAGE: $(Build.SourceVersionMessage)
+              PR_SOURCE_BRANCH: $(System.PullRequest.SourceBranch)
 
           # 2. Full checkout (needed for beachball bump on developer builds;
           #    harmless ~1 min overhead on release builds where bump is skipped)
@@ -178,14 +182,18 @@ extends:
             condition: and(succeeded(), eq(variables['detectScenario.isReleaseBuild'], 'False'))
 
           # 5. Beachball check (Developer PR only)
-          - script: npx beachball check --branch origin/$(BeachBallBranchName) --verbose --changehint "##vso[task.logissue type=error]Run 'yarn change' from root of repo to generate a change file."
+          - pwsh: npx beachball check --branch "origin/$env:BEACHBALL_BRANCH" --verbose --changehint "##vso[task.logissue type=error]Run 'yarn change' from root of repo to generate a change file."
             displayName: Check for change files
             condition: and(succeeded(), eq(variables['detectScenario.isReleaseBuild'], 'False'), eq(variables['Build.Reason'], 'PullRequest'))
+            env:
+              BEACHBALL_BRANCH: $(BeachBallBranchName)
 
           # 6. Bump versions via prepare-release (Developer builds only)
-          - script: npx prepare-release --bump-only --branch $(BeachBallBranchName) --no-color
+          - pwsh: npx prepare-release --bump-only --branch $env:BEACHBALL_BRANCH --no-color
             displayName: Bump versions (prepare-release --bump-only)
             condition: and(succeeded(), eq(variables['detectScenario.isReleaseBuild'], 'False'))
+            env:
+              BEACHBALL_BRANCH: $(BeachBallBranchName)
 
           # 7. Read version and set pipeline variables (always)
           - template: .ado/templates/set-version-vars.yml@self
@@ -470,13 +478,17 @@ extends:
 
           # Tag the source commit when a RELEASE build succeeds (CI only)
           - ${{ if eq(parameters.buildEnvironment, 'Continuous') }}:
-            - script: |
-                TAG_NAME="react-native-windows_v$(npmVersion)"
-                echo "Creating tag $TAG_NAME on $(Build.SourceVersion)"
-                git -c http.extraheader="AUTHORIZATION: bearer $(System.AccessToken)" tag "$TAG_NAME" "$(Build.SourceVersion)"
-                git -c http.extraheader="AUTHORIZATION: bearer $(System.AccessToken)" push origin "$TAG_NAME"
+            - pwsh: |
+                $tag = "react-native-windows_v$(npmVersion)"
+                Write-Host "Creating tag $tag on $(Build.SourceVersion)"
+                $authHeader = "AUTHORIZATION: bearer $env:SYSTEM_ACCESSTOKEN"
+                Write-Host "##vso[task.setsecret]$authHeader"
+                git -c http.extraheader="$authHeader" tag $tag "$(Build.SourceVersion)"
+                git -c http.extraheader="$authHeader" push origin $tag
               displayName: Tag release sources
               condition: and(succeeded(), startsWith(variables['Build.SourceVersionMessage'], 'RELEASE:'))
+              env:
+                SYSTEM_ACCESSTOKEN: $(System.AccessToken)
 
           templateContext:
             sdl:

.ado/prepare-release-bot.yml

@@ -70,10 +70,13 @@ jobs:
         - pwsh: Write-Host "##vso[task.setvariable variable=TargetBranch]${{ parameters.targetBranch }}"
           displayName: Set target branch from parameter
       - ${{ else }}:
-        - pwsh: Write-Host "##vso[task.setvariable variable=TargetBranch]$(Build.SourceBranchName)"
+        - pwsh: Write-Host "##vso[task.setvariable variable=TargetBranch]$env:SOURCE_BRANCH_NAME"
           displayName: Set target branch from source
+          env:
+            SOURCE_BRANCH_NAME: $(Build.SourceBranchName)
 
-      - script: npx prepare-release --branch $(TargetBranch) --no-color
+      - pwsh: npx prepare-release --branch $env:TARGET_BRANCH --no-color
         displayName: Prepare Release
         env:
           GH_TOKEN: $(GitHubOAuthToken)
+          TARGET_BRANCH: $(TargetBranch)

.ado/release.yml

@@ -55,27 +55,44 @@ extends:
         steps:
         - checkout: none
 
-        - script: |
-            echo == Build Variables ==
-            echo Build.Reason:               $(Build.Reason)
-            echo Build.SourceBranch:         $(Build.SourceBranch)
-            echo Build.SourceVersion:        $(Build.SourceVersion)
-            echo Build.SourceVersionMessage: $(Build.SourceVersionMessage)
-            echo Build.BuildNumber:          $(Build.BuildNumber)
-            echo Build.BuildId:              $(Build.BuildId)
-            echo Build.DefinitionName:       $(Build.DefinitionName)
-            echo Build.Repository.Name:      $(Build.Repository.Name)
-            echo System.TeamProject:         $(System.TeamProject)
-            echo.
-            echo == Pipeline Resource: Publish ==
-            echo Publish.runName:            $(resources.pipeline.Publish.runName)
-            echo Publish.runID:              $(resources.pipeline.Publish.runID)
-            echo Publish.sourceBranch:       $(resources.pipeline.Publish.sourceBranch)
-            echo Publish.sourceCommit:       $(resources.pipeline.Publish.sourceCommit)
-            echo Publish.pipelineID:         $(resources.pipeline.Publish.pipelineID)
-            echo Publish.requestedFor:       $(resources.pipeline.Publish.requestedFor)
-            echo Publish.requestedForID:     $(resources.pipeline.Publish.requestedForID)
+        - pwsh: |
+            Write-Host "== Build Variables =="
+            Write-Host "Build.Reason:               $env:BUILD_REASON"
+            Write-Host "Build.SourceBranch:         $env:BUILD_SOURCEBRANCH"
+            Write-Host "Build.SourceVersion:        $env:BUILD_SOURCEVERSION"
+            Write-Host "Build.SourceVersionMessage: $env:BUILD_SOURCEVERSIONMESSAGE"
+            Write-Host "Build.BuildNumber:          $env:BUILD_BUILDNUMBER"
+            Write-Host "Build.BuildId:              $env:BUILD_BUILDID"
+            Write-Host "Build.DefinitionName:       $env:BUILD_DEFINITIONNAME"
+            Write-Host "Build.Repository.Name:      $env:BUILD_REPOSITORY_NAME"
+            Write-Host "System.TeamProject:         $env:SYSTEM_TEAMPROJECT"
+            Write-Host ""
+            Write-Host "== Pipeline Resource: Publish =="
+            Write-Host "Publish.runName:            $env:PUBLISH_RUNNAME"
+            Write-Host "Publish.runID:              $env:PUBLISH_RUNID"
+            Write-Host "Publish.sourceBranch:       $env:PUBLISH_SOURCEBRANCH"
+            Write-Host "Publish.sourceCommit:       $env:PUBLISH_SOURCECOMMIT"
+            Write-Host "Publish.pipelineID:         $env:PUBLISH_PIPELINEID"
+            Write-Host "Publish.requestedFor:       $env:PUBLISH_REQUESTEDFOR"
+            Write-Host "Publish.requestedForID:     $env:PUBLISH_REQUESTEDFORID"
           displayName: Log all pipeline variables
+          env:
+            BUILD_REASON: $(Build.Reason)
+            BUILD_SOURCEBRANCH: $(Build.SourceBranch)
+            BUILD_SOURCEVERSION: $(Build.SourceVersion)
+            BUILD_SOURCEVERSIONMESSAGE: $(Build.SourceVersionMessage)
+            BUILD_BUILDNUMBER: $(Build.BuildNumber)
+            BUILD_BUILDID: $(Build.BuildId)
+            BUILD_DEFINITIONNAME: $(Build.DefinitionName)
+            BUILD_REPOSITORY_NAME: $(Build.Repository.Name)
+            SYSTEM_TEAMPROJECT: $(System.TeamProject)
+            PUBLISH_RUNNAME: $(resources.pipeline.Publish.runName)
+            PUBLISH_RUNID: $(resources.pipeline.Publish.runID)
+            PUBLISH_SOURCEBRANCH: $(resources.pipeline.Publish.sourceBranch)
+            PUBLISH_SOURCECOMMIT: $(resources.pipeline.Publish.sourceCommit)
+            PUBLISH_PIPELINEID: $(resources.pipeline.Publish.pipelineID)
+            PUBLISH_REQUESTEDFOR: $(resources.pipeline.Publish.requestedFor)
+            PUBLISH_REQUESTEDFORID: $(resources.pipeline.Publish.requestedForID)
 
         - pwsh: |
             $buildReason = $env:BUILD_REASON
@@ -255,11 +272,11 @@ extends:
         steps:
         - task: NuGetToolInstaller@1
           displayName: 'Use NuGet'
-        - task: CmdLine@2
+        - pwsh: nuget.exe SetApiKey $env:NUGET_API_KEY
           displayName: NuGet SetApiKey (nuget.org)
-          inputs:
-            script: nuget.exe SetApiKey $(nugetorg-apiKey-push)
-            workingDirectory: $(Pipeline.Workspace)/ReactWindows-final-nuget
+          workingDirectory: $(Pipeline.Workspace)/ReactWindows-final-nuget
+          env:
+            NUGET_API_KEY: $(nugetorg-apiKey-push)
         - script: dir /S "$(Pipeline.Workspace)\ReactWindows-final-nuget"
           displayName: Show directory contents
         - script: nuget.exe push .\Microsoft.ReactNative.*.nupkg -Source https://api.nuget.org/v3/index.json -SkipDuplicate -NoSymbol -NonInteractive -Verbosity Detailed

.ado/templates/compute-beachball-branch-name.yml

@@ -1,12 +1,16 @@
 steps:
   - pwsh: |
-      Write-Host "Setting BeachBallBranchName to $(System.PullRequest.TargetBranch)"
-      Write-Host "##vso[task.setvariable variable=BeachBallBranchName]$(System.PullRequest.TargetBranch)"
+      Write-Host "Setting BeachBallBranchName to $env:PR_TARGET_BRANCH"
+      Write-Host "##vso[task.setvariable variable=BeachBallBranchName]$env:PR_TARGET_BRANCH"
     displayName: Set BeachBallBranchName for Pull Request
     condition: ${{ eq(variables['Build.Reason'], 'PullRequest') }}
+    env:
+      PR_TARGET_BRANCH: $(System.PullRequest.TargetBranch)
 
   - pwsh: |
-      Write-Host "Setting BeachBallBranchName to $(Build.SourceBranchName)"
-      Write-Host "##vso[task.setvariable variable=BeachBallBranchName]$(Build.SourceBranchName)"
+      Write-Host "Setting BeachBallBranchName to $env:SOURCE_BRANCH_NAME"
+      Write-Host "##vso[task.setvariable variable=BeachBallBranchName]$env:SOURCE_BRANCH_NAME"
     displayName: Set BeachBallBranchName for CI
     condition: ${{ ne(variables['Build.Reason'], 'PullRequest') }}
+    env:
+      SOURCE_BRANCH_NAME: $(Build.SourceBranchName)

.ado/templates/verdaccio-start.yml

@@ -17,8 +17,10 @@ steps:
   - template: compute-beachball-branch-name.yml
 
   - ${{ if eq(parameters.beachballPublish, true) }}:
-    - script: npx beachball bump --branch origin/$(BeachBallBranchName) --no-push --yes --verbose --changehint "Run `yarn change` from root of repo to generate a change file."
+    - pwsh: npx beachball bump --branch "origin/$env:BEACHBALL_BRANCH" --no-push --yes --verbose --changehint "Run 'yarn change' from root of repo to generate a change file."
       displayName: Beachball bump versions
+      env:
+        BEACHBALL_BRANCH: $(BeachBallBranchName)
 
     - script: node .ado/scripts/npmPack.js --clean --no-color
       displayName: Pack all workspace packages

.ado/variables/shared.yml

@@ -1,10 +1,4 @@
 variables:
-  # Task auto-injection configuration
-  Codeql.SkipTaskAutoInjection: true
-  NugetSecurityAnalysisWarningLevel: 'warn'
-  runCodesignValidationInjection: false
-  skipComponentGovernanceDetection: true
-  
   # Enables `chalk` to show colored output to Azure Pipelines
   FORCE_COLOR: 3