microsoft
diff --git a/‎.ado/publish.yml‎
Lines changed: 79 additions & 110 deletions b/‎.ado/publish.yml‎
Lines changed: 79 additions & 110 deletions
@@ -1,10 +1,6 @@
 name: 0.0.$(Date:yyMM.d)$(Rev:rrr)
 
 parameters:
-- name: performBeachballCheck
-  displayName: Perform Beachball Check (Disable when promoting)
-  type: boolean
-  default: true
 - name: AgentPool
   type: object
   default:
@@ -49,23 +45,10 @@ parameters:
     - Name: Arm64ReleaseFabric
       BuildConfiguration: Release
       BuildPlatform: ARM64
-    - Name: X64DebugFabric
-      BuildConfiguration: Debug
-      BuildPlatform: x64
-    - Name: X86DebugFabric
-      BuildConfiguration: Debug
-      BuildPlatform: x86
-    - Name: Arm64DebugFabric
-      BuildConfiguration: Debug
-      BuildPlatform: ARM64
 
 variables:
   - template: variables/windows.yml
   - group: RNW Secrets
-  - name: FailCGOnAlert
-    value: false
-  - name: EnableCodesign
-    value: true
 
 trigger: none
 pr: none
@@ -80,54 +63,50 @@ extends:
   template: v1/1ES.Official.PipelineTemplate.yml@1ESPipelineTemplates
   parameters:
     pool: ${{ parameters.AgentPool.Medium }}
-    customBuildTags:
-    - ES365AIMigrationTooling
+    featureFlags:
+      autoEnablePREfastWithNewRuleset: false # PREfast produces 0 actionable findings; auto-enable injects /analyze into every C++ TU, generating ~2656 SARIF files that Guardian uploads for ~19 min per native build
     sdl:
       credscan:
           suppressionsFile: $(Build.SourcesDirectory)\.ado\config\CredScanSuppressions.json
       spotBugs:
           enabled: false # We don't have any java, but random packages in node_modules do
+      prefast:
+          enabled: false
     stages:
     - stage: RNWPublish
       jobs:
-        - job: RnwPublishPrep
-          displayName: React-Native-Windows Publish Prep
+        # Set version variables
+        - job: SetVersionVars
+          displayName: Set Version Variables
           pool: ${{ parameters.AgentPool.Medium }}
-          timeoutInMinutes: 120
-          cancelTimeoutInMinutes: 5
+          timeoutInMinutes: 15
           steps:
-          - template: .ado/templates/checkout-full.yml@self
+          - template: .ado/templates/checkout-shallow.yml@self
+
+          - template: .ado/templates/set-version-vars.yml@self
             parameters:
-              persistCredentials: false
+              buildEnvironment: Continuous
 
-          - powershell: gci env:/BUILD_*
-            displayName: Show build information
+          # We new npmPack.js in Release pipeline to detect already published NPM packages and avoid publishing them again
+          - script: copy ".ado\scripts\npmPack.js" "$(Build.StagingDirectory)\versionEnvVars\npmPack.js"
+            displayName: Include npmPack.js in VersionEnvVars artifact
 
-          - template: .ado/templates/prepare-js-env.yml@self
+          templateContext:
+            outputs:
+              - output: pipelineArtifact
+                displayName: 'Publish version variables'
+                targetPath: $(Build.StagingDirectory)/versionEnvVars
+                artifactName: VersionEnvVars
 
-          - template: .ado/templates/run-compliance-prebuild.yml@self
-
-          - script: if not exist %USERPROFILE%\AppData\Roaming\npm (mkdir %USERPROFILE%\AppData\Roaming\npm)
-            displayName: Fix missing npm config
-
-          - pwsh: |
-              npx beachball check --verbose 2>&1 | Tee-Object -Variable beachballOutput
-              $beachballErrors = $beachballOutput | Where-Object { $_ -match "ERROR: *"}
-              $beachballErrors | ForEach { Write-Host "##vso[task.logissue type=error]$_" }
-              if ( $beachballErrors.Count -gt 0)  { throw "Beachball check found $($beachballErrors.Count) errors." }
-            displayName: Beachball Check
-            condition: ${{ parameters.performBeachballCheck }}
-
-        - job: RnwNpmPublish
-          displayName: React-Native-Windows Npm Pack
-          dependsOn: RnwPublishPrep
-          pool:
-            name: Azure-Pipelines-1ESPT-ExDShared
-            image: windows-latest
-            os: windows
-          timeoutInMinutes: 120
+        # Create NPM packages
+        - job: RnwNpmPack
+          displayName: Create NPM packages
+          pool: ${{ parameters.AgentPool.Medium }}
+          timeoutInMinutes: 60
           cancelTimeoutInMinutes: 5
           steps:
+          - template: .ado/templates/checkout-shallow.yml@self
+
           - template: .ado/templates/prepare-js-env.yml@self
             parameters:
               agentImage: HostedImage
@@ -138,45 +117,30 @@ extends:
           - script: dir /s "$(Pipeline.Workspace)\published-packages"
             displayName: Show created npm packages
 
-          - template: .ado/templates/set-version-vars.yml@self
-            parameters:
-              buildEnvironment: Continuous
-
-          - script: echo NpmDistTag is $(NpmDistTag)
-            displayName: Show NPM dist tag
-
-          - script: copy ".ado\scripts\npmPack.js" "$(Build.StagingDirectory)\versionEnvVars\npmPack.js"
-            displayName: Include npmPack.js in VersionEnvVars artifact
-
-          - task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0
-            displayName: 📒 Generate Manifest Npm
-            inputs:
-              BuildDropPath: $(System.DefaultWorkingDirectory)
-
           templateContext:
             outputs:
               - output: pipelineArtifact
                 displayName: 'Publish npm pack artifacts'
                 condition: succeededOrFailed()
                 targetPath: $(Pipeline.Workspace)/published-packages
                 artifactName: NpmPackedTarballs
-              - output: pipelineArtifact
-                displayName: "📒 Publish Manifest Npm"
-                artifactName: SBom-$(System.JobAttempt)
-                targetPath: $(System.DefaultWorkingDirectory)/_manifest
-                sbomEnabled: false # This output is in fact an SBOM itself
-              - output: pipelineArtifact
-                displayName: 'Publish version variables'
-                targetPath: $(Build.StagingDirectory)/versionEnvVars
-                artifactName: VersionEnvVars
 
+        # Run linting
+        - template: .ado/jobs/linting.yml@self
+          parameters:
+            buildEnvironment: Continuous
+            AgentPool: ${{ parameters.AgentPool }}
+
+        # Create and sign Destop DLLs
         - ${{ each matrix in parameters.desktopBuildMatrix }}:
           - job: RnwNativeBuildDesktop${{ matrix.Name }}
             displayName: Build Desktop ${{ matrix.Name }}
-            dependsOn: RnwNpmPublish
+            dependsOn: SetVersionVars
             pool: ${{ parameters.AgentPool.Large }}
             timeoutInMinutes: 360 # CodeQL requires 3x usual build timeout
             steps:
+            - template: .ado/templates/checkout-shallow.yml@self
+
             - template: .ado/templates/prepare-js-env.yml@self
 
             - template: .ado/templates/prepare-build-env.yml@self
@@ -190,10 +154,11 @@ extends:
             - template: .ado/templates/msbuild-sln.yml@self
               parameters:
                 solutionDir: vnext
-                solutionName: ReactWindows-Desktop.sln
+                solutionName: ReactWindows-Desktop.Publish.slnf
                 buildPlatform: ${{ matrix.BuildPlatform }}
                 buildConfiguration: ${{ matrix.BuildConfiguration }}
                 oneESMode: true ## Files are only copied to staging, not published
+                msbuildArguments: /p:ForceImportAfterCppTargets=$(Build.SourcesDirectory)\vnext\PropertySheets\CIBuildOptimizations.props
 
             - template: .ado/templates/publish-build-artifacts.yml@self
               parameters:
@@ -202,14 +167,20 @@ extends:
                 buildPlatform: ${{ matrix.BuildPlatform }}
                 buildConfiguration: ${{ matrix.BuildConfiguration }}
                 contents: |
-                  React.Windows.Desktop\**
-                  React.Windows.Desktop.DLL\**
-                  React.Windows.Desktop.Test.DLL\**
+                  React.Windows.Desktop\Microsoft.ReactNative.winmd
+                  React.Windows.Desktop.DLL\react-native-win32.*
 
-            - template: .ado/templates/component-governance.yml@self
+            - template: .ado/templates/esrp-codesign-binaries.yml@self
+              parameters:
+                displayName: 'CodeSign Desktop Binaries'
+                folderPath: $(Build.StagingDirectory)/NuGet/Desktop/${{ matrix.BuildPlatform }}/${{ matrix.BuildConfiguration }}
+                pattern: |
+                  **/react-native-win32.dll
 
             templateContext:
               sdl:
+                prefast:
+                  enabled: false
                 binskim:
                   analyzeTargetGlob: '$(Build.SourcesDirectory)\vnext\target\${{ matrix.BuildPlatform }}\${{ matrix.BuildConfiguration }}\React.Windows.Desktop.DLL\react-native-win32.dll'
               outputs:
@@ -228,13 +199,16 @@ extends:
                 artifactName: Desktop.${{matrix.buildPlatform}}.${{matrix.buildConfiguration}}
                 targetPath: $(Build.StagingDirectory)/NuGet/Desktop/${{matrix.buildPlatform}}/${{matrix.buildConfiguration}}
 
+        # Create and sign Universal DLLs
         - ${{ each matrix in parameters.universalBuildMatrix }}:
           - job: RnwNativeBuildUniversal${{ matrix.Name }}
             displayName: Build Universal ${{ matrix.Name }}
-            dependsOn: RnwNpmPublish
+            dependsOn: SetVersionVars
             pool: ${{ parameters.AgentPool.Large }}
             timeoutInMinutes: 360 # CodeQL requires 3x usual build timeout
             steps:
+            - template: .ado/templates/checkout-shallow.yml@self
+
             - template: .ado/templates/prepare-js-env.yml@self
 
             - template: .ado/templates/prepare-build-env.yml@self
@@ -248,10 +222,11 @@ extends:
             - template: .ado/templates/msbuild-sln.yml@self
               parameters:
                 solutionDir: vnext
-                solutionName: Microsoft.ReactNative.NewArch.sln
+                solutionName: Microsoft.ReactNative.NewArch.Publish.slnf
                 buildPlatform: ${{ matrix.BuildPlatform }}
                 buildConfiguration: ${{ matrix.BuildConfiguration }}
                 oneESMode: true ## Files are only copied to staging, not published
+                msbuildArguments: /p:ForceImportAfterCppTargets=$(Build.SourcesDirectory)\vnext\PropertySheets\CIBuildOptimizations.props
 
             - task: PowerShell@2
               displayName: Make AnyCPU Reference Assemblies
@@ -266,13 +241,22 @@ extends:
                 buildPlatform: ${{ matrix.BuildPlatform }}
                 buildConfiguration: ${{ matrix.BuildConfiguration }}
                 contents: |
-                  Microsoft.ReactNative\**
-                  Microsoft.ReactNative.CsWinRT\**
+                  Microsoft.ReactNative\Microsoft.ReactNative.*
+                  Microsoft.ReactNative.CsWinRT\Microsoft.ReactNative.Projection.*
 
-            - template: .ado/templates/component-governance.yml@self
+            - template: .ado/templates/esrp-codesign-binaries.yml@self
+              parameters:
+                displayName: 'CodeSign Microsoft.ReactNative Binaries'
+                folderPath: $(Build.StagingDirectory)/NuGet/ReactWindows/${{ matrix.BuildPlatform }}/${{ matrix.BuildConfiguration }}
+                pattern: |
+                  **/Microsoft.ReactNative.dll
+                  **/Microsoft.ReactNative.winmd
+                  **/Microsoft.ReactNative.Projection.dll
 
             templateContext:
               sdl:
+                prefast:
+                  enabled: false
                 binskim:
                   analyzeTargetGlob: '$(Build.SourcesDirectory)\vnext\target\${{ matrix.BuildPlatform }}\${{ matrix.BuildConfiguration }}\Microsoft.ReactNative\Microsoft.ReactNative.dll'
               outputs:
@@ -291,16 +275,18 @@ extends:
                 artifactName: ReactWindows.${{ matrix.BuildPlatform }}.${{ matrix.BuildConfiguration }}
                 targetPath: $(Build.StagingDirectory)/NuGet/ReactWindows/${{ matrix.BuildPlatform }}/${{ matrix.BuildConfiguration }}
 
+        # Create Nuget packages
         - job: RNWNuget
+          displayName: Pack NuGet
           dependsOn:
-            - RnwNpmPublish
+            - RnwNpmPack
+            - Linting
             - ${{ each matrix in parameters.desktopBuildMatrix }}:
               - RnwNativeBuildDesktop${{ matrix.Name }}
             - ${{ each matrix in parameters.universalBuildMatrix }}:
               - RnwNativeBuildUniversal${{ matrix.Name }}
-          displayName: Sign Binaries and Publish NuGet
           pool: ${{ parameters.AgentPool.Medium }}
-          timeoutInMinutes: 120 # Protect against the long CodeSign task
+          timeoutInMinutes: 60 # Protect against the long CodeSign task
 
           steps:
           - template: .ado/templates/checkout-shallow.yml@self
@@ -309,7 +295,7 @@ extends:
 
           - template: .ado/templates/apply-published-version-vars.yml@self
 
-          # The commit tag in the nuspec requires that we use at least nuget 5.8 (because things break with nuget versions before and Vs 16.8 or later)
+          # The commit tag in the nuspec requires that we use at least nuget 5.8 (because things break with nuget versions before and VS 16.8 or later)
           - task: NuGetToolInstaller@1
             inputs:
               versionSpec: ">=5.8.0"
@@ -321,8 +307,6 @@ extends:
               npmVersion: $(npmVersion)
               packMicrosoftReactNative: true
               packMicrosoftReactNativeCxx: true
-              ${{ if or(eq(variables['EnableCodesign'], 'true'), endsWith(variables['Build.SourceBranchName'], '-stable')) }}: # Sign if EnableCodeSign or on *-stable release builds
-                signMicrosoft: true
               slices:
                 - platform: x64
                   configuration: Release
@@ -337,8 +321,6 @@ extends:
               publishCommitId: $(publishCommitId)
               npmVersion: $(npmVersion)
               packDesktop: true
-              ${{ if or(eq(variables['EnableCodesign'], 'true'), endsWith(variables['Build.SourceBranchName'], '-stable')) }}: # Sign if EnableCodeSign or on *-stable release builds
-                signMicrosoft: true
               slices:
                 - platform: x64
                   configuration: Release
@@ -353,24 +335,11 @@ extends:
                 - platform: ARM64EC
                   configuration: Debug
 
-          # Symbol Publishing for Work Item 59264834 - MSRC Compliance
-          # continueOnError: Duplicate symbols are expected when the pipeline
-          # is re-run for the same version. The symbols already exist on the
-          # server, so it is safe to continue.
-          - task: PublishSymbols@2
-            displayName: 'Publish Symbols to Microsoft Symbol Server'
-            continueOnError: true
-            inputs:
-              UseNetCoreClientTool: true
-              ConnectedServiceName: Office-React-Native-Windows-Bot
-              SymbolsFolder: '$(System.DefaultWorkingDirectory)\NugetRoot'
-              SearchPattern: '**/*.pdb'
-              SymbolServerType: 'TeamServices'
-              SymbolsProduct: 'ReactNativeWindows'
-              SymbolsVersion: '$(Build.BuildNumber)'
-              SymbolsArtifactName: 'ReactNativeWindows-Symbols-$(Build.BuildId)'
-              DetailedLog: true
-              TreatNotIndexedAsWarning: false
+          - template: .ado/templates/esrp-codesign-nuget.yml@self
+            parameters:
+              displayName: 'CodeSign all NuGet packages'
+              folderPath: $(System.DefaultWorkingDirectory)/NugetRootFinal
+              pattern: '**/*.nupkg'
 
           templateContext:
             sdl: