microsoft · iclanton · Feb 25, 2026 · Feb 21, 2026 · Feb 21, 2026 · Feb 21, 2026
diff --git a/common/config/azure-pipelines/bump-decoupled-deps.yaml b/common/config/azure-pipelines/bump-decoupled-deps.yaml
@@ -0,0 +1,107 @@
+parameters:
+  - name: delayMinutes
+    displayName: 'Minutes to wait for packages to propagate before running'
+    type: number
+    default: 5
+
+variables:
+  - name: FORCE_COLOR
+    value: 1
+  - name: BranchName
+    value: 'automated/bump-decoupled-deps'
+  - name: CommitMessage
+    value: 'chore: bump decoupled local dependencies'
+
+resources:
+  pipelines:
+    - pipeline: npmPublish
+      source: 'rushstack NPM Publish'
+      trigger:
+        branches:
+          include:
+            - main
+    - pipeline: npmPublishRush
+      source: 'rushstack NPM Publish (rush)'
+      trigger:
+        branches:
+          include:
+            - main
+  repositories:
+    - repository: 1esPipelines
+      type: git
+      name: 1ESPipelineTemplates/1ESPipelineTemplates
+      ref: refs/tags/release
+
+extends:
+  template: v1/1ES.Official.PipelineTemplate.yml@1esPipelines
+  parameters:
+    pool:
+      name: Azure-Pipelines-1ESPT-ExDShared
+      os: windows
+    stages:
+      - stage:
+        jobs:
+          - job:
+            pool:
+              name: publish-rushstack
+              os: linux
+            steps:
+              - checkout: self
+                persistCredentials: true
+
+              - bash: |
+                  echo "Waiting ${{ parameters.delayMinutes }} minute(s) for packages to propagate to npm..."
+                  sleep $(( ${{ parameters.delayMinutes }} * 60 ))
+                displayName: 'Wait for packages to propagate'
+
+              - template: /common/config/azure-pipelines/templates/install-node.yaml@self
+
+              - script: 'git config --local user.email rushbot@users.noreply.github.com'
+                displayName: 'git config email'
+
+              - script: 'git config --local user.name Rushbot'
+                displayName: 'git config name'
+
+              - script: 'node common/scripts/install-run-rush.js install'
+                displayName: 'Rush Install'
+
+              - script: 'node common/scripts/install-run-rush.js build --to repo-toolbox --verbose'
+                displayName: 'Rush Build (repo-toolbox)'
+
+              - script: 'node repo-scripts/repo-toolbox/lib-commonjs/start.js bump-decoupled-local-dependencies'
+                displayName: 'Bump decoupled local dependencies'
+
+              - script: 'node common/scripts/install-run-rush.js update'
+                displayName: 'Rush Update'
+
+              - bash: |
+                  set -e
+
+                  if git diff --quiet; then
+                    echo "No changes detected. Skipping commit and PR."
+                    echo "##vso[task.setvariable variable=HasChanges]false"
+                    exit 0
+                  fi
+
+                  echo "##vso[task.setvariable variable=HasChanges]true"
+
+                  git checkout -B $(BranchName)
+                  git add --all
+                  git commit -m "$(CommitMessage)"
+                displayName: 'Commit dependency changes'
+
+              - bash: |
+                  set -e
+
+                  node common/scripts/install-run-rush.js change \
+                    --bulk \
+                    --bump-type none \
+                    --commit-message "chore: generate change files for decoupled dependency bump"
+                displayName: 'Generate change files'
+                condition: and(succeeded(), eq(variables.HasChanges, 'true'))
+
+              - template: /common/config/azure-pipelines/templates/push-and-create-github-pr.yaml@self
+                parameters:
+                  BranchName: $(BranchName)
+                  PrTitle: $(CommitMessage)
+                  PrDescription: 'Automated PR to bump decoupled local dependencies to the latest published versions.'
@@ -0,0 +1,86 @@
+parameters:
+  - name: BranchName
+    type: string
+  - name: PrTitle
+    type: string
+  - name: PrDescription
+    type: string
+    default: ''
+  - name: TargetBranch
+    type: string
+    default: 'main'
+  - name: HasChangesVariableName
+    type: string
+    default: 'HasChanges'
+
+steps:
+  - bash: |
+      set -e
+      git push origin ${{ parameters.BranchName }} --force
+    displayName: 'Push branch'
+    condition: and(succeeded(), eq(variables['${{ parameters.HasChangesVariableName }}'], 'true'))
+
+  - bash: |
+      set -e
+
+      # Derive owner/repo from the git remote
+      REPO_SLUG=$(git remote get-url origin | sed -E 's#.*github\.com[:/](.+/[^.]+)(\.git)?$#\1#')
+      echo "Repository: ${REPO_SLUG}"
+
+      # Extract the authorization header that AzDO configured via persistCredentials
+      AUTH_HEADER=$(git config --get-regexp 'http\..*\.extraheader' | head -1 | sed 's/^[^ ]* //')
+      if [ -z "$AUTH_HEADER" ]; then
+        echo "##[error]Could not extract authorization header from git config. Ensure persistCredentials is enabled on the checkout step."
+        exit 1
+      fi
+
+      PR_TITLE="${{ parameters.PrTitle }}"
+      PR_BODY="${{ parameters.PrDescription }}"
+      API_BASE="https://api.github.com/repos/${REPO_SLUG}"
+
+      # Helper to call the GitHub API and fail with a visible error
+      github_api() {
+        local RESPONSE HTTP_CODE
+        RESPONSE=$(curl -s -w "\n%{http_code}" "$@")
+        HTTP_CODE=$(echo "$RESPONSE" | tail -n1)
+        BODY=$(echo "$RESPONSE" | sed '$d')
+
+        if [[ "$HTTP_CODE" -ge 200 && "$HTTP_CODE" -lt 300 ]]; then
+          echo "$BODY"
+        else
+          echo "::error::GitHub API returned HTTP ${HTTP_CODE}:" >&2
+          echo "$BODY" >&2
+          return 1
+        fi
+      }
+
+      # Check if a PR already exists for this branch
+      OWNER=$(echo "${REPO_SLUG}" | cut -d/ -f1)
+      EXISTING_PR=$(github_api \
+        -H "$AUTH_HEADER" \
+        -H "Accept: application/vnd.github+json" \
+        "${API_BASE}/pulls?head=${OWNER}:${{ parameters.BranchName }}&state=open" \
+        | jq '.[0].number // empty')
+
+      if [ -n "$EXISTING_PR" ]; then
+        echo "Updating existing PR #${EXISTING_PR}"
+        github_api -X PATCH \
+          -H "$AUTH_HEADER" \
+          -H "Accept: application/vnd.github+json" \
+          "${API_BASE}/pulls/${EXISTING_PR}" \
+          -d "$(jq -n --arg body "$PR_BODY" '{body: $body}')"
+      else
+        echo "Creating new PR"
+        github_api -X POST \
+          -H "$AUTH_HEADER" \
+          -H "Accept: application/vnd.github+json" \
+          "${API_BASE}/pulls" \
+          -d "$(jq -n \
+            --arg title "$PR_TITLE" \
+            --arg body "$PR_BODY" \
+            --arg head "${{ parameters.BranchName }}" \
+            --arg base "${{ parameters.TargetBranch }}" \
+            '{title: $title, body: $body, head: $head, base: $base}')"
+      fi
+    displayName: 'Create or update GitHub PR'
+    condition: and(succeeded(), eq(variables['${{ parameters.HasChangesVariableName }}'], 'true'))