From 6a757a1d353232c7db78ad1410a44774c39d8165 Mon Sep 17 00:00:00 2001 From: Andy Jordan <2226434+andyleejordan@users.noreply.github.com> Date: Thu, 5 Mar 2026 13:42:59 -0800 Subject: [PATCH 01/12] Switch CFS to msazure feed The crux of our problems was the cross-org feed permissions. --- .cargo/config.toml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/.cargo/config.toml b/.cargo/config.toml index 511ebe358..39c82a34b 100644 --- a/.cargo/config.toml +++ b/.cargo/config.toml @@ -3,7 +3,10 @@ registry-auth = true [registries] -POWERSHELL = { index = "sparse+https://pkgs.dev.azure.com/powershell/PowerShell/_packaging/powershell/Cargo/index/" } +DSCCargoMirror = { index = "sparse+https://pkgs.dev.azure.com/msazure/One/_packaging/DSCCargoMirror/Cargo/index/" } + +[source.crates-io] +replace-with = "DSCCargoMirror" [registry] global-credential-providers = ["cargo:token"] @@ -36,10 +39,6 @@ rustflags = [ "-Dwarnings" ] -# The following is only needed for release builds -[source.crates-io] -replace-with = "POWERSHELL" - # Enable running `cargo xtask ` [alias] xtask = "run --package xtask --" From fb709ff2f1ccd48a67148eb152ac6d0a81175a0d Mon Sep 17 00:00:00 2001 From: Andy Jordan <2226434+andyleejordan@users.noreply.github.com> Date: Thu, 5 Mar 2026 14:45:27 -0800 Subject: [PATCH 02/12] Update from ms-prod-1.88 to ms-prod-1.93 The version ms-stable stopped being supported in 2024 so we've been on an old toolchain. --- .pipelines/DSC-Official.yml | 6 +++--- .pipelines/DSC-Windows.yml | 2 +- helpers.build.psm1 | 2 +- packaging.ps1 | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.pipelines/DSC-Official.yml b/.pipelines/DSC-Official.yml index 2978e359f..8aaaccd25 100644 --- a/.pipelines/DSC-Official.yml +++ b/.pipelines/DSC-Official.yml @@ -313,7 +313,7 @@ extends: steps: - task: RustInstaller@1 inputs: - rustVersion: ms-stable + rustVersion: ms-prod-1.93 toolchainFeed: $(Rust.SDK) additionalTargets: x86_64-unknown-linux-musl displayName: Install Rust @@ -352,7 +352,7 @@ extends: steps: - task: RustInstaller@1 inputs: - rustVersion: ms-stable + rustVersion: ms-prod-1.93 toolchainFeed: $(Rust.SDK) additionalTargets: aarch64-unknown-linux-musl displayName: Install Rust @@ -420,7 +420,7 @@ extends: steps: - task: RustInstaller@1 inputs: - rustVersion: ms-stable + rustVersion: ms-prod-1.93 toolchainFeed: $(Rust.SDK) additionalTargets: $(buildName) displayName: Install Rust diff --git a/.pipelines/DSC-Windows.yml b/.pipelines/DSC-Windows.yml index 1ede90d8f..7ff7743bb 100644 --- a/.pipelines/DSC-Windows.yml +++ b/.pipelines/DSC-Windows.yml @@ -32,7 +32,7 @@ steps: ob_restore_phase: true - task: RustInstaller@1 inputs: - rustVersion: ms-stable + rustVersion: ms-prod-1.93 toolchainFeed: ${{ parameters.RustSDK }} additionalTargets: ${{ parameters.buildName }} displayName: Install Rust diff --git a/helpers.build.psm1 b/helpers.build.psm1 index 9c9dac003..a99a9e89f 100644 --- a/helpers.build.psm1 +++ b/helpers.build.psm1 @@ -370,7 +370,7 @@ function Get-RustUp { if ($null -ne (Get-Command msrustup -CommandType Application -ErrorAction Ignore)) { Write-Verbose -Verbose "Using msrustup" $rustup = 'msrustup' - $channel = 'ms-stable' + $channel = 'ms-prod-1.93' if ($architecture -eq 'current') { $env:MSRUSTUP_TOOLCHAIN = "$architecture" } diff --git a/packaging.ps1 b/packaging.ps1 index 1932c0428..8c7fb97e1 100755 --- a/packaging.ps1 +++ b/packaging.ps1 @@ -163,7 +163,7 @@ $channel = 'stable' if ($null -ne (Get-Command msrustup -CommandType Application -ErrorAction Ignore)) { Write-Verbose -Verbose "Using msrustup" $rustup = 'msrustup' - $channel = 'ms-stable' + $channel = 'ms-prod-1.93' if ($architecture -eq 'current') { $env:MSRUSTUP_TOOLCHAIN = "$architecture" } From b9546a79af353ba3293796b8ce5496e8cba5cacf Mon Sep 17 00:00:00 2001 From: Andy Jordan <2226434+andyleejordan@users.noreply.github.com> Date: Thu, 5 Mar 2026 14:55:40 -0800 Subject: [PATCH 03/12] Switch OneBranch to msazure CFS feed Which removes the need to do complicated authentication. --- .pipelines/DSC-Official.yml | 58 +++++++------------------------------ .pipelines/DSC-Windows.yml | 23 +++------------ 2 files changed, 14 insertions(+), 67 deletions(-) diff --git a/.pipelines/DSC-Official.yml b/.pipelines/DSC-Official.yml index 8aaaccd25..6d773914e 100644 --- a/.pipelines/DSC-Official.yml +++ b/.pipelines/DSC-Official.yml @@ -99,17 +99,6 @@ extends: Write-Host "##$vstsCommandString" name: Package displayName: Set Package Version - - task: AzureCLI@2 - displayName: Get Az Token - inputs: - azureSubscription: PowerShell-CICD-Feed-Access - scriptType: pscore - scriptLocation: inlineScript - inlineScript: | - $token = az account get-access-token --query accessToken --resource 499b84ac-1321-427f-aa17-267ca6975798 -o tsv - $vstsCommandString = "vso[task.setvariable variable=AzToken;isoutput=true]$token" - Write-Host "Setting token" - Write-Host "##$vstsCommandString" - job: BuildWin_x64 dependsOn: SetPackageVersion @@ -117,7 +106,6 @@ extends: ob_sdl_tsa_configFile: '$(System.DefaultWorkingDirectory)\.config\tsaoptions.json' ob_outputDirectory: '$(Build.ArtifactStagingDirectory)' signSrcPath: '$(System.DefaultWorkingDirectory)\out' - AzToken: $[ dependencies.SetPackageVersion.outputs['AzToken'] ] ob_sdl_sbom_enabled: true ob_signing_setup_enabled: true ob_sdl_codeql_compiled_enabled: true @@ -129,7 +117,6 @@ extends: buildName: x86_64-pc-windows-msvc signSrcPath: '$(signSrcPath)' PackageRoot: '$(PackageRoot)' - aztoken: '$(AzToken)' rustSDK: '$(Rust.SDK)' - job: BuildWin_arm64 @@ -138,7 +125,6 @@ extends: ob_sdl_tsa_configFile: '$(System.DefaultWorkingDirectory)\.config\tsaoptions.json' ob_outputDirectory: '$(Build.ArtifactStagingDirectory)' signSrcPath: '$(System.DefaultWorkingDirectory)\out' - AzToken: $[ dependencies.SetPackageVersion.outputs['AzToken'] ] ob_sdl_sbom_enabled: true ob_signing_setup_enabled: true ob_sdl_codeql_compiled_enabled: true @@ -150,7 +136,6 @@ extends: buildName: aarch64-pc-windows-msvc signSrcPath: '$(signSrcPath)' PackageRoot: '$(PackageRoot)' - aztoken: '$(AzToken)' rustSDK: '$(Rust.SDK)' - job: CreateMsixBundle @@ -167,7 +152,6 @@ extends: ob_sdl_sbom_enabled: false ob_signing_setup_enabled: false ob_sdl_codeql_compiled_enabled: false - ob_restore_phase: true pool: type: windows steps: @@ -302,7 +286,6 @@ extends: variables: LinuxContainerImage: 'onebranch.azurecr.io/linux/ubuntu-2204:latest' PackageVersion: $[ dependencies.SetPackageVersion.outputs['Package.Version'] ] - AzToken: $[ dependencies.SetPackageVersion.outputs['AzToken'] ] ob_outputDirectory: '$(Build.ArtifactStagingDirectory)' ob_linuxSymbolsPublishing_enabled: true ob_linuxSymbolsPublishing_symbolsFolder: '$(System.DefaultWorkingDirectory)/DSC/bin' @@ -317,14 +300,13 @@ extends: toolchainFeed: $(Rust.SDK) additionalTargets: x86_64-unknown-linux-musl displayName: Install Rust - env: - ob_restore_phase: true + - task: CargoAuthenticate@0 + inputs: + configFile: '.cargo/config.toml' + displayName: Authenticate with Azure Artifacts - pwsh: | apt update apt -y install musl-tools rpm dpkg build-essential protobuf-compiler - $header = "Bearer $(AzToken)" - $env:CARGO_REGISTRIES_POWERSHELL_TOKEN = $header - $env:CARGO_REGISTRIES_POWERSHELL_CREDENTIAL_PROVIDER = 'cargo:token' ./build.ps1 -Release -Architecture x86_64-unknown-linux-musl ./packaging.ps1 -PackageType tgz -Architecture x86_64-unknown-linux-musl -Release ./packaging.ps1 -PackageType rpm -Architecture x86_64-unknown-linux-musl -Release @@ -340,7 +322,6 @@ extends: variables: LinuxContainerImage: 'onebranch.azurecr.io/linux/ubuntu-2204-arm64:latest' PackageVersion: $[ dependencies.SetPackageVersion.outputs['Package.Version'] ] - AzToken: $[ dependencies.SetPackageVersion.outputs['AzToken'] ] ob_outputDirectory: '$(Build.ArtifactStagingDirectory)' ob_linuxSymbolsPublishing_enabled: true ob_linuxSymbolsPublishing_symbolsFolder: '$(System.DefaultWorkingDirectory)/DSC/bin' @@ -356,16 +337,10 @@ extends: toolchainFeed: $(Rust.SDK) additionalTargets: aarch64-unknown-linux-musl displayName: Install Rust - env: - ob_restore_phase: true - - task: AzureCLI@2 - displayName: Azure CLI + - task: CargoAuthenticate@0 inputs: - azureSubscription: PowerShell-CICD-Feed-Access - scriptType: pscore - scriptLocation: inlineScript - inlineScript: | - az account show + configFile: '.cargo/config.toml' + displayName: Authenticate with Azure Artifacts - pwsh: | $env:CC_aarch64_unknown_linux_musl='clang' $env:AR_aarch64_unknown_linux_musl='llvm-ar' @@ -386,9 +361,6 @@ extends: if ((openssl version -d) -match 'OPENSSLDIR: "(?.*?)"') { $env:OPENSSL_LIB_DIR = $matches['dir'] } - $header = "Bearer $(AzToken)" - $env:CARGO_REGISTRIES_POWERSHELL_TOKEN = $header - $env:CARGO_REGISTRIES_POWERSHELL_CREDENTIAL_PROVIDER = 'cargo:token' ./build.ps1 -Release -Architecture aarch64-unknown-linux-musl ./packaging.ps1 -PackageType tgz -Architecture aarch64-unknown-linux-musl -Release ./packaging.ps1 -PackageType rpm -Architecture aarch64-unknown-linux-musl -Release @@ -403,7 +375,6 @@ extends: dependsOn: SetPackageVersion variables: PackageVersion: $[ dependencies.SetPackageVersion.outputs['Package.Version'] ] - AzToken: $[ dependencies.SetPackageVersion.outputs['AzToken'] ] ob_outputDirectory: '$(Build.ArtifactStagingDirectory)' displayName: BuildMac pool: @@ -424,20 +395,11 @@ extends: toolchainFeed: $(Rust.SDK) additionalTargets: $(buildName) displayName: Install Rust - env: - ob_restore_phase: true - - task: AzureCLI@2 - displayName: Azure CLI + - task: CargoAuthenticate@0 inputs: - azureSubscription: PowerShell-CICD-Feed-Access - scriptType: pscore - scriptLocation: inlineScript - inlineScript: | - az account show + configFile: '.cargo/config.toml' + displayName: Authenticate with Azure Artifacts - pwsh: | - $header = "Bearer $(AzToken)" - $env:CARGO_REGISTRIES_POWERSHELL_TOKEN = $header - $env:CARGO_REGISTRIES_POWERSHELL_CREDENTIAL_PROVIDER = 'cargo:token' Write-Verbose -Verbose "Building for $(buildName)" ./build.ps1 -Release -Architecture $(buildName) ./packaging.ps1 -PackageType tgz -Architecture $(buildName) -Release diff --git a/.pipelines/DSC-Windows.yml b/.pipelines/DSC-Windows.yml index 7ff7743bb..c662a814f 100644 --- a/.pipelines/DSC-Windows.yml +++ b/.pipelines/DSC-Windows.yml @@ -8,40 +8,31 @@ parameters: - name: BuildConfiguration type: string default: Release - - name: aztoken - type: string - name: RustSDK type: string steps: - checkout: self - env: - ob_restore_phase: true - task: CodeQL3000Init@0 # Add CodeQL Init task right before your 'Build' step. inputs: Enabled: true AnalyzeInPipeline: true Language: rust - env: - ob_restore_phase: true - pwsh: | $tmpdir = "$(Agent.TempDirectory)" Write-Host "##vso[task.setvariable variable=CARGO_TARGET_DIR;]$tmpdir" displayName: 🛠️ Workaround for the LoadLibrary ACCESS_VIOLATION OneBranch issue - env: - ob_restore_phase: true - task: RustInstaller@1 inputs: rustVersion: ms-prod-1.93 toolchainFeed: ${{ parameters.RustSDK }} additionalTargets: ${{ parameters.buildName }} displayName: Install Rust - env: - ob_restore_phase: true +- task: CargoAuthenticate@0 + inputs: + configFile: '.cargo/config.toml' + displayName: Authenticate with Azure Artifacts - pwsh: | - $header = "Bearer ${{ parameters.aztoken }}" - $env:CARGO_REGISTRIES_POWERSHELL_TOKEN = $header - $env:CARGO_REGISTRIES_POWERSHELL_CREDENTIAL_PROVIDER = 'cargo:token' Set-Location "$(Build.SourcesDirectory)/DSC" $LLVMBIN = "$($env:PROGRAMFILES)\Microsoft Visual Studio\2022\Enterprise\VC\Tools\Llvm\bin" if (!(Test-Path $LLVMBIN)) { @@ -52,13 +43,9 @@ steps: Write-Verbose -Verbose "Building for ${{ parameters.buildName }}" ./build.ps1 -Release -Architecture ${{ parameters.buildName }} -SkipLinkCheck -Verbose displayName: 'Build ${{ parameters.buildName }}' - env: - ob_restore_phase: true condition: succeeded() - task: CodeQL3000Finalize@0 # Add CodeQL Finalize task right after your 'Build' step. condition: always() - env: - ob_restore_phase: true - pwsh: | $null = New-Item -ItemType Directory -Path "${{ parameters.PackageRoot }}" -ErrorAction Ignore $null = New-Item -ItemType Directory -Path "${{ parameters.PackageRoot }}/out" -ErrorAction Ignore @@ -72,8 +59,6 @@ steps: write-host 'Binaries in ${{ parameters.signSrcPath }}' dir -r "${{ parameters.signSrcPath }}" displayName: Copy built binaries - env: - ob_restore_phase: true condition: succeeded() - task: onebranch.pipeline.signing@1 displayName: Sign 1st party files From d2924066ce7da1d950f09786e0dfbd7260cc7a7a Mon Sep 17 00:00:00 2001 From: Andy Jordan <2226434+andyleejordan@users.noreply.github.com> Date: Thu, 5 Mar 2026 18:00:49 -0800 Subject: [PATCH 04/12] Remove `-UseCFSAuth` in favor of auto-auth via task (or user setup) --- .github/instructions/instructions.md | 1 - .pipelines/DSC-Windows.yml | 2 +- build.ps1 | 5 ++--- helpers.build.psm1 | 25 +------------------------ packaging.ps1 | 20 +------------------- 5 files changed, 5 insertions(+), 48 deletions(-) diff --git a/.github/instructions/instructions.md b/.github/instructions/instructions.md index 9e263e1dc..3c0d951b2 100644 --- a/.github/instructions/instructions.md +++ b/.github/instructions/instructions.md @@ -416,7 +416,6 @@ The build script automatically installs these. If issues persist: | `-UseCFS` | Switch | Use Component Framework Service | | `-UpdateLockFile` | Switch | Update Cargo.lock file | | `-Audit` | Switch | Run cargo audit for security vulnerabilities | -| `-UseCFSAuth` | Switch | Use CFS authentication | | `-Clean` | Switch | Clean build artifacts before building | | `-CacheRustBuild` | Switch | Cache Rust build artifacts | | `-RustDocs` | Switch | Generate Rust documentation | diff --git a/.pipelines/DSC-Windows.yml b/.pipelines/DSC-Windows.yml index c662a814f..dc4ed60ce 100644 --- a/.pipelines/DSC-Windows.yml +++ b/.pipelines/DSC-Windows.yml @@ -30,7 +30,7 @@ steps: displayName: Install Rust - task: CargoAuthenticate@0 inputs: - configFile: '.cargo/config.toml' + configFile: '$(Build.SourcesDirectory)/DSC/.cargo/config.toml' displayName: Authenticate with Azure Artifacts - pwsh: | Set-Location "$(Build.SourcesDirectory)/DSC" diff --git a/build.ps1 b/build.ps1 index 7479946cb..0f07ca224 100755 --- a/build.ps1 +++ b/build.ps1 @@ -94,7 +94,6 @@ param( [switch]$UseCFS, [switch]$UpdateLockFile, [switch]$Audit, - [switch]$UseCFSAuth, [switch]$Clean, [switch]$CacheRustBuild, [switch]$RustDocs, @@ -113,7 +112,7 @@ begin { Import-Module ./helpers.build.psm1 -Force -Verbose:$false $usingADO = ($null -ne $env:TF_BUILD) - if ($usingADO -or $UseCFSAuth) { + if ($usingADO) { $UseCFS = $true } # Import the build data @@ -183,7 +182,7 @@ process { Write-BuildProgress @progressParams -Status 'Configuring Rust environment' [hashtable]$priorRustEnvironment = Set-RustEnvironment -CacheRustBuild:$CacheRustBuild @VerboseParam Write-BuildProgress @progressParams -Status 'Configuring Cargo environment' - Set-CargoEnvironment -UseCFS:$UseCFS -UseCFSAuth:$UseCFSAuth @VerboseParam + Set-CargoEnvironment -UseCFS:$UseCFS @VerboseParam # Install or update rust if (!$usingADO) { diff --git a/helpers.build.psm1 b/helpers.build.psm1 index a99a9e89f..4e9ce7fba 100644 --- a/helpers.build.psm1 +++ b/helpers.build.psm1 @@ -805,8 +805,7 @@ function Set-CargoEnvironment { #> [cmdletbinding()] param( - [switch]$UseCFS, - [switch]$UseCFSAuth + [switch]$UseCFS ) process { @@ -814,28 +813,6 @@ function Set-CargoEnvironment { Write-Host "Using CFS for cargo source replacement" ${env:CARGO_SOURCE_crates-io_REPLACE_WITH} = $null $env:CARGO_REGISTRIES_CRATESIO_INDEX = $null - - if ($UseCFSAuth) { - if ($null -eq (Get-Command 'az' -ErrorAction Ignore)) { - throw "Azure CLI not found" - } - - if ($null -ne (Get-Command az -ErrorAction Ignore)) { - Write-Host "Getting token" - $accessToken = az account get-access-token --query accessToken --resource 499b84ac-1321-427f-aa17-267ca6975798 -o tsv - if ($LASTEXITCODE -ne 0) { - Write-Warning "Failed to get access token, use 'az login' first, or use '-useCratesIO' to use crates.io. Proceeding with anonymous access." - } else { - $header = "Bearer $accessToken" - $env:CARGO_REGISTRIES_POWERSHELL_TOKEN = $header - $env:CARGO_REGISTRIES_POWERSHELL_CREDENTIAL_PROVIDER = 'cargo:token' - $env:CARGO_REGISTRIES_POWERSHELL_INDEX = "sparse+https://pkgs.dev.azure.com/powershell/PowerShell/_packaging/powershell~force-auth/Cargo/index/" - } - } - else { - Write-Warning "Azure CLI not found, proceeding with anonymous access." - } - } } else { # this will override the config.toml Write-Host "Setting CARGO_SOURCE_crates-io_REPLACE_WITH to 'crates-io'" diff --git a/packaging.ps1 b/packaging.ps1 index 8c7fb97e1..ef912eb4e 100755 --- a/packaging.ps1 +++ b/packaging.ps1 @@ -18,7 +18,6 @@ param( [switch]$UseCFS, [switch]$UpdateLockFile, [switch]$Audit, - [switch]$UseCFSAuth, [switch]$Clean, [switch]$Verbose ) @@ -30,7 +29,7 @@ trap { $env:RUSTC_LOG=$null $usingADO = ($null -ne $env:TF_BUILD) -if ($usingADO -or $UseCFSAuth) { +if ($usingADO) { $UseCFS = $true } @@ -178,23 +177,6 @@ if ($null -ne $packageType) { Write-Host "Using CFS for cargo source replacement" ${env:CARGO_SOURCE_crates-io_REPLACE_WITH} = $null $env:CARGO_REGISTRIES_CRATESIO_INDEX = $null - - if ($UseCFSAuth) { - if ($null -eq (Get-Command 'az' -ErrorAction Ignore)) { - throw "Azure CLI not found" - } - - Write-Host "Getting token" - $accessToken = az account get-access-token --query accessToken --resource 499b84ac-1321-427f-aa17-267ca6975798 -o tsv - if ($LASTEXITCODE -ne 0) { - Write-Warning "Failed to get access token, use 'az login' first, or use '-useCratesIO' to use crates.io. Proceeding with anonymous access." - } else { - $header = "Bearer $accessToken" - $env:CARGO_REGISTRIES_POWERSHELL_TOKEN = $header - $env:CARGO_REGISTRIES_POWERSHELL_CREDENTIAL_PROVIDER = 'cargo:token' - $env:CARGO_REGISTRIES_POWERSHELL_INDEX = "sparse+https://pkgs.dev.azure.com/powershell/PowerShell/_packaging/powershell~force-auth/Cargo/index/" - } - } } else { # this will override the config.toml Write-Host "Setting CARGO_SOURCE_crates-io_REPLACE_WITH to 'crates-io'" From af6d3e0b96290d7bc342a803c16cfeff7009add5 Mon Sep 17 00:00:00 2001 From: Andy Jordan <2226434+andyleejordan@users.noreply.github.com> Date: Thu, 5 Mar 2026 20:39:54 -0800 Subject: [PATCH 05/12] Fix RPM package --- packaging/rpm/dsc.spec | 1 + 1 file changed, 1 insertion(+) diff --git a/packaging/rpm/dsc.spec b/packaging/rpm/dsc.spec index 424283519..76267d725 100644 --- a/packaging/rpm/dsc.spec +++ b/packaging/rpm/dsc.spec @@ -33,6 +33,7 @@ ln -s /opt/dsc/dsc-bicep-ext $RPM_BUILD_ROOT/usr/bin/dsc-bicep-ext %files /opt/dsc/* /usr/bin/dsc +/usr/bin/dsc-bicep-ext %changelog * Wed Oct 22 2025 Microsoft Corporation From 8135ff6baf0e6783c7cc62420a55c521b8b06a1b Mon Sep 17 00:00:00 2001 From: Andy Jordan <2226434+andyleejordan@users.noreply.github.com> Date: Thu, 5 Mar 2026 21:41:23 -0800 Subject: [PATCH 06/12] Clean up pwsh tasks --- .pipelines/DSC-Windows.yml | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/.pipelines/DSC-Windows.yml b/.pipelines/DSC-Windows.yml index dc4ed60ce..ae966da35 100644 --- a/.pipelines/DSC-Windows.yml +++ b/.pipelines/DSC-Windows.yml @@ -33,7 +33,6 @@ steps: configFile: '$(Build.SourcesDirectory)/DSC/.cargo/config.toml' displayName: Authenticate with Azure Artifacts - pwsh: | - Set-Location "$(Build.SourcesDirectory)/DSC" $LLVMBIN = "$($env:PROGRAMFILES)\Microsoft Visual Studio\2022\Enterprise\VC\Tools\Llvm\bin" if (!(Test-Path $LLVMBIN)) { throw "LLVM path '$LLVMBIN' does not exist" @@ -42,8 +41,8 @@ steps: write-verbose -verbose (gcm clang.exe | out-string) Write-Verbose -Verbose "Building for ${{ parameters.buildName }}" ./build.ps1 -Release -Architecture ${{ parameters.buildName }} -SkipLinkCheck -Verbose + workingDirectory: $(Build.SourcesDirectory)/DSC displayName: 'Build ${{ parameters.buildName }}' - condition: succeeded() - task: CodeQL3000Finalize@0 # Add CodeQL Finalize task right after your 'Build' step. condition: always() - pwsh: | @@ -59,7 +58,6 @@ steps: write-host 'Binaries in ${{ parameters.signSrcPath }}' dir -r "${{ parameters.signSrcPath }}" displayName: Copy built binaries - condition: succeeded() - task: onebranch.pipeline.signing@1 displayName: Sign 1st party files inputs: @@ -79,14 +77,12 @@ steps: TargetFolder: $(Build.SourcesDirectory)/DSC/bin/${{ parameters.buildName }}/${{ parameters.BuildConfiguration }} OverWrite: true - pwsh: | - Set-Location "$(Build.SourcesDirectory)/DSC" ./packaging.ps1 -PackageType zip -Architecture ${{ parameters.buildName }} -Release Copy-Item ./bin/*.zip "$(Build.ArtifactStagingDirectory)" -Verbose + workingDirectory: $(Build.SourcesDirectory)/DSC displayName: 'Zip ${{ parameters.buildName }}' - condition: succeeded() - pwsh: | - Set-Location "$(Build.SourcesDirectory)/DSC" ./build.ps1 -PackageType msix -Architecture ${{ parameters.buildName }} -Release -UseX64MakeAppx Copy-Item ./bin/msix/*.msix "$(Build.ArtifactStagingDirectory)" -Verbose + workingDirectory: $(Build.SourcesDirectory)/DSC displayName: 'Create msix for ${{ parameters.buildName }}' - condition: succeeded() From 3f4b8869f5381d2ce5b06111e734c2840bfae0c8 Mon Sep 17 00:00:00 2001 From: Andy Jordan <2226434+andyleejordan@users.noreply.github.com> Date: Thu, 5 Mar 2026 21:46:38 -0800 Subject: [PATCH 07/12] Fix path issues by removing redunant checkout step The OneBranch template automatically checks out the repo, doing it again is what messed up CodeQL and signing. --- .pipelines/DSC-Official.yml | 20 +++++--------------- .pipelines/DSC-Windows.yml | 17 +++-------------- 2 files changed, 8 insertions(+), 29 deletions(-) diff --git a/.pipelines/DSC-Official.yml b/.pipelines/DSC-Official.yml index 6d773914e..8e78b4b95 100644 --- a/.pipelines/DSC-Official.yml +++ b/.pipelines/DSC-Official.yml @@ -65,7 +65,6 @@ extends: forStages: [Build] credscan: enabled: true - scanFolder: $(System.DefaultWorkingDirectory) binskim: enabled: true apiscan: @@ -83,17 +82,13 @@ extends: type: windows vmImage: windows-latest variables: - repoRoot: '$(System.DefaultWorkingDirectory)\DSC' - ob_sdl_tsa_configFile: '$(System.DefaultWorkingDirectory)\.config\tsaoptions.json' ob_outputDirectory: '$(Build.ArtifactStagingDirectory)' ob_sdl_sbom_enabled: false ob_signing_setup_enabled: false ob_sdl_codeql_compiled_enabled: false steps: - - checkout: self - pwsh: | - Write-Verbose -Verbose (Get-ChildItem '$(repoRoot)' | Out-String) - $packageVersion = $(repoRoot)/packaging.ps1 -GetPackageVersion + $packageVersion = ./packaging.ps1 -GetPackageVersion $vstsCommandString = "vso[task.setvariable variable=Version;isoutput=true]$packageVersion" Write-Host ("sending " + $vstsCommandString) Write-Host "##$vstsCommandString" @@ -103,7 +98,6 @@ extends: - job: BuildWin_x64 dependsOn: SetPackageVersion variables: - ob_sdl_tsa_configFile: '$(System.DefaultWorkingDirectory)\.config\tsaoptions.json' ob_outputDirectory: '$(Build.ArtifactStagingDirectory)' signSrcPath: '$(System.DefaultWorkingDirectory)\out' ob_sdl_sbom_enabled: true @@ -122,7 +116,6 @@ extends: - job: BuildWin_arm64 dependsOn: SetPackageVersion variables: - ob_sdl_tsa_configFile: '$(System.DefaultWorkingDirectory)\.config\tsaoptions.json' ob_outputDirectory: '$(Build.ArtifactStagingDirectory)' signSrcPath: '$(System.DefaultWorkingDirectory)\out' ob_sdl_sbom_enabled: true @@ -144,9 +137,8 @@ extends: - BuildWin_arm64 variables: ob_outputDirectory: '$(Build.ArtifactStagingDirectory)' - ob_sdl_tsa_configFile: '$(System.DefaultWorkingDirectory)\.config\tsaoptions.json' ob_symbolsPublishing_enabled: true - ob_symbolsPublishing_symbolsFolder: '$(System.DefaultWorkingDirectory)\DSC\bin' + ob_symbolsPublishing_symbolsFolder: '$(Build.SourcesDirectory)\bin' ob_symbolsPublishing_searchPattern: '**/*.pdb' ob_symbolsPublishing_indexSources: true ob_sdl_sbom_enabled: false @@ -155,7 +147,6 @@ extends: pool: type: windows steps: - - checkout: self - download: current artifact: drop_BuildAndSign_BuildWin_x64 patterns: '*.msix' @@ -163,12 +154,11 @@ extends: artifact: drop_BuildAndSign_BuildWin_arm64 patterns: '*.msix' - pwsh: | - Set-Location "$(System.DefaultWorkingDirectory)\DSC" $null = New-Item -ItemType Directory -Path "./bin/msix" -Force -ErrorAction Ignore Copy-Item "$(Pipeline.Workspace)/drop_BuildAndSign_BuildWin_x64/*.msix" ./bin/msix -Verbose Copy-Item "$(Pipeline.Workspace)/drop_BuildAndSign_BuildWin_arm64/*.msix" ./bin/msix -Verbose ./build.ps1 -PackageType msixbundle - Copy-Item "$(System.DefaultWorkingDirectory)/DSC/bin/*.msixbundle" "$(ob_outputDirectory)" + Copy-Item "./bin/*.msixbundle" "$(ob_outputDirectory)" displayName: 'Create msixbundle' condition: succeeded() @@ -288,7 +278,7 @@ extends: PackageVersion: $[ dependencies.SetPackageVersion.outputs['Package.Version'] ] ob_outputDirectory: '$(Build.ArtifactStagingDirectory)' ob_linuxSymbolsPublishing_enabled: true - ob_linuxSymbolsPublishing_symbolsFolder: '$(System.DefaultWorkingDirectory)/DSC/bin' + ob_linuxSymbolsPublishing_symbolsFolder: '$(Build.SourcesDirectory)/bin' ob_linuxSymbolsPublishing_searchPattern: '**/*.dbg' displayName: Linux-x64-musl pool: @@ -324,7 +314,7 @@ extends: PackageVersion: $[ dependencies.SetPackageVersion.outputs['Package.Version'] ] ob_outputDirectory: '$(Build.ArtifactStagingDirectory)' ob_linuxSymbolsPublishing_enabled: true - ob_linuxSymbolsPublishing_symbolsFolder: '$(System.DefaultWorkingDirectory)/DSC/bin' + ob_linuxSymbolsPublishing_symbolsFolder: '$(Build.SourcesDirectory)/bin' ob_linuxSymbolsPublishing_searchPattern: '**/*.dbg' displayName: Linux-ARM64-musl pool: diff --git a/.pipelines/DSC-Windows.yml b/.pipelines/DSC-Windows.yml index ae966da35..812165e76 100644 --- a/.pipelines/DSC-Windows.yml +++ b/.pipelines/DSC-Windows.yml @@ -12,12 +12,6 @@ parameters: type: string steps: -- checkout: self -- task: CodeQL3000Init@0 # Add CodeQL Init task right before your 'Build' step. - inputs: - Enabled: true - AnalyzeInPipeline: true - Language: rust - pwsh: | $tmpdir = "$(Agent.TempDirectory)" Write-Host "##vso[task.setvariable variable=CARGO_TARGET_DIR;]$tmpdir" @@ -30,7 +24,7 @@ steps: displayName: Install Rust - task: CargoAuthenticate@0 inputs: - configFile: '$(Build.SourcesDirectory)/DSC/.cargo/config.toml' + configFile: '.cargo/config.toml' displayName: Authenticate with Azure Artifacts - pwsh: | $LLVMBIN = "$($env:PROGRAMFILES)\Microsoft Visual Studio\2022\Enterprise\VC\Tools\Llvm\bin" @@ -41,10 +35,7 @@ steps: write-verbose -verbose (gcm clang.exe | out-string) Write-Verbose -Verbose "Building for ${{ parameters.buildName }}" ./build.ps1 -Release -Architecture ${{ parameters.buildName }} -SkipLinkCheck -Verbose - workingDirectory: $(Build.SourcesDirectory)/DSC displayName: 'Build ${{ parameters.buildName }}' -- task: CodeQL3000Finalize@0 # Add CodeQL Finalize task right after your 'Build' step. - condition: always() - pwsh: | $null = New-Item -ItemType Directory -Path "${{ parameters.PackageRoot }}" -ErrorAction Ignore $null = New-Item -ItemType Directory -Path "${{ parameters.PackageRoot }}/out" -ErrorAction Ignore @@ -54,7 +45,7 @@ steps: # copy only the exes from the TMP folder since it contains intermediately built files we don't want to sign write-host 'Binaries in ${env:CARGO_TARGET_DIR}' Copy-Item -Path "$env:CARGO_TARGET_DIR/${{ parameters.buildName }}/${{ parameters.BuildConfiguration }}/*.exe" -Destination "${{ parameters.signSrcPath }}" -Verbose - Copy-Item -Path "$(Build.SourcesDirectory)/DSC/bin/${{ parameters.buildName }}/${{ parameters.BuildConfiguration }}/*" -Recurse -Destination "${{ parameters.signSrcPath }}" -Verbose -Force + Copy-Item -Path "./bin/${{ parameters.buildName }}/${{ parameters.BuildConfiguration }}/*" -Recurse -Destination "${{ parameters.signSrcPath }}" -Verbose -Force write-host 'Binaries in ${{ parameters.signSrcPath }}' dir -r "${{ parameters.signSrcPath }}" displayName: Copy built binaries @@ -74,15 +65,13 @@ steps: inputs: SourceFolder: "${{ parameters.signSrcPath }}" Contents: '**' - TargetFolder: $(Build.SourcesDirectory)/DSC/bin/${{ parameters.buildName }}/${{ parameters.BuildConfiguration }} + TargetFolder: ./bin/${{ parameters.buildName }}/${{ parameters.BuildConfiguration }} OverWrite: true - pwsh: | ./packaging.ps1 -PackageType zip -Architecture ${{ parameters.buildName }} -Release Copy-Item ./bin/*.zip "$(Build.ArtifactStagingDirectory)" -Verbose - workingDirectory: $(Build.SourcesDirectory)/DSC displayName: 'Zip ${{ parameters.buildName }}' - pwsh: | ./build.ps1 -PackageType msix -Architecture ${{ parameters.buildName }} -Release -UseX64MakeAppx Copy-Item ./bin/msix/*.msix "$(Build.ArtifactStagingDirectory)" -Verbose - workingDirectory: $(Build.SourcesDirectory)/DSC displayName: 'Create msix for ${{ parameters.buildName }}' From 92b2a615e281a12c8268d8b0e8f9706efb6b84b8 Mon Sep 17 00:00:00 2001 From: Andy Jordan <2226434+andyleejordan@users.noreply.github.com> Date: Fri, 6 Mar 2026 00:01:19 -0800 Subject: [PATCH 08/12] Pass `-UseX64MakeAppx` to fix MSIX build --- build.ps1 | 9 +++++---- helpers.build.psm1 | 16 ++++++++++++---- 2 files changed, 17 insertions(+), 8 deletions(-) diff --git a/build.ps1 b/build.ps1 index 0f07ca224..918d90236 100755 --- a/build.ps1 +++ b/build.ps1 @@ -299,10 +299,11 @@ process { if (-not [string]::IsNullOrEmpty($PackageType)) { $progressParams.Activity = "Packaging" $packageParams = @{ - BuildData = $BuildData - PackageType = $PackageType - Architecture = $Architecture - Release = $Release + BuildData = $BuildData + PackageType = $PackageType + Architecture = $Architecture + Release = $Release + UseX64MakeAppx = $UseX64MakeAppx } Write-BuildProgress @progressParams Build-DscPackage @packageParams @VerboseParam diff --git a/helpers.build.psm1 b/helpers.build.psm1 index 4e9ce7fba..c86775385 100644 --- a/helpers.build.psm1 +++ b/helpers.build.psm1 @@ -1209,7 +1209,12 @@ function Update-PathEnvironment { } } -function Find-MakeAppx() { +function Find-MakeAppx { + [CmdletBinding()] + param( + [switch]$UseX64MakeAppx + ) + $makeappx = Get-Command makeappx -CommandType Application -ErrorAction Ignore if ($null -eq $makeappx) { # try to find @@ -1786,7 +1791,8 @@ function Build-DscMsixPackage { 'x86_64-unknown-linux-musl' )] $Architecture = 'current', - [switch]$Release + [switch]$Release, + [switch]$UseX64MakeAppx ) begin { @@ -1803,7 +1809,7 @@ function Build-DscMsixPackage { $productVersion = Get-DscCliVersion $isPrivate = $packageType -eq 'msix-private' $isPreview = $productVersion -like '*-*' - $makeappx = Find-MakeAppx + $makeappx = Find-MakeAppx -UseX64MakeAppx:$UseX64MakeAppx $makepri = Get-Item (Join-Path $makeappx.Directory "makepri.exe") -ErrorAction Stop } @@ -2144,7 +2150,8 @@ function Build-DscPackage { 'x86_64-unknown-linux-musl' )] $Architecture = 'current', - [switch]$Release + [switch]$Release, + [switch]$UseX64MakeAppx ) begin { @@ -2159,6 +2166,7 @@ function Build-DscPackage { ArtifactDirectory = $artifactDirectory Architecture = $Architecture Release = $Release + UseX64MakeAppx = $UseX64MakeAppx } } From 31877f1eb540f02cb8fcba7ebf113c8385ebc5a1 Mon Sep 17 00:00:00 2001 From: Andy Jordan <2226434+andyleejordan@users.noreply.github.com> Date: Fri, 6 Mar 2026 08:49:37 -0800 Subject: [PATCH 09/12] Fix symbol publishing It never worked on Linux in the first place, so disable that. On Windows it needs to be where we built, not where we're packaging the MSIX (and so have lost our sources and symbols). --- .pipelines/DSC-Official.yml | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/.pipelines/DSC-Official.yml b/.pipelines/DSC-Official.yml index 8e78b4b95..44da5e15d 100644 --- a/.pipelines/DSC-Official.yml +++ b/.pipelines/DSC-Official.yml @@ -103,6 +103,8 @@ extends: ob_sdl_sbom_enabled: true ob_signing_setup_enabled: true ob_sdl_codeql_compiled_enabled: true + ob_symbolsPublishing_enabled: true + ob_symbolsPublishing_indexSources: true pool: type: windows steps: @@ -121,6 +123,8 @@ extends: ob_sdl_sbom_enabled: true ob_signing_setup_enabled: true ob_sdl_codeql_compiled_enabled: true + ob_symbolsPublishing_enabled: true + ob_symbolsPublishing_indexSources: true pool: type: windows steps: @@ -137,10 +141,6 @@ extends: - BuildWin_arm64 variables: ob_outputDirectory: '$(Build.ArtifactStagingDirectory)' - ob_symbolsPublishing_enabled: true - ob_symbolsPublishing_symbolsFolder: '$(Build.SourcesDirectory)\bin' - ob_symbolsPublishing_searchPattern: '**/*.pdb' - ob_symbolsPublishing_indexSources: true ob_sdl_sbom_enabled: false ob_signing_setup_enabled: false ob_sdl_codeql_compiled_enabled: false @@ -277,9 +277,6 @@ extends: LinuxContainerImage: 'onebranch.azurecr.io/linux/ubuntu-2204:latest' PackageVersion: $[ dependencies.SetPackageVersion.outputs['Package.Version'] ] ob_outputDirectory: '$(Build.ArtifactStagingDirectory)' - ob_linuxSymbolsPublishing_enabled: true - ob_linuxSymbolsPublishing_symbolsFolder: '$(Build.SourcesDirectory)/bin' - ob_linuxSymbolsPublishing_searchPattern: '**/*.dbg' displayName: Linux-x64-musl pool: type: linux @@ -313,9 +310,6 @@ extends: LinuxContainerImage: 'onebranch.azurecr.io/linux/ubuntu-2204-arm64:latest' PackageVersion: $[ dependencies.SetPackageVersion.outputs['Package.Version'] ] ob_outputDirectory: '$(Build.ArtifactStagingDirectory)' - ob_linuxSymbolsPublishing_enabled: true - ob_linuxSymbolsPublishing_symbolsFolder: '$(Build.SourcesDirectory)/bin' - ob_linuxSymbolsPublishing_searchPattern: '**/*.dbg' displayName: Linux-ARM64-musl pool: type: linux From a8238ff3c23b11f0d4e1905ccb52fc254f32d15a Mon Sep 17 00:00:00 2001 From: Andy Jordan <2226434+andyleejordan@users.noreply.github.com> Date: Fri, 6 Mar 2026 10:12:47 -0800 Subject: [PATCH 10/12] Fix msixbundle path We were assuming this was bin root (like in the old package script). --- .pipelines/DSC-Official.yml | 2 +- helpers.build.psm1 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.pipelines/DSC-Official.yml b/.pipelines/DSC-Official.yml index 44da5e15d..af5506be1 100644 --- a/.pipelines/DSC-Official.yml +++ b/.pipelines/DSC-Official.yml @@ -157,7 +157,7 @@ extends: $null = New-Item -ItemType Directory -Path "./bin/msix" -Force -ErrorAction Ignore Copy-Item "$(Pipeline.Workspace)/drop_BuildAndSign_BuildWin_x64/*.msix" ./bin/msix -Verbose Copy-Item "$(Pipeline.Workspace)/drop_BuildAndSign_BuildWin_arm64/*.msix" ./bin/msix -Verbose - ./build.ps1 -PackageType msixbundle + ./build.ps1 -Release -PackageType msixbundle Copy-Item "./bin/*.msixbundle" "$(ob_outputDirectory)" displayName: 'Create msixbundle' condition: succeeded() diff --git a/helpers.build.psm1 b/helpers.build.psm1 index c86775385..b577a284c 100644 --- a/helpers.build.psm1 +++ b/helpers.build.psm1 @@ -1819,7 +1819,7 @@ function Build-DscMsixPackage { $msixArguments = @( 'bundle' '/d', $artifactDirectory.MsixBundle - '/p', "$($artifactDirectory.Bin)\$packageName.msixbundle" + '/p', "$($artifactDirectory.BinRoot)\$packageName.msixbundle" ) & $makeappx @msixArguments return From 01846cd9f88aeda8019c41f38c73c93ea10cc0f0 Mon Sep 17 00:00:00 2001 From: Andy Jordan <2226434+andyleejordan@users.noreply.github.com> Date: Mon, 9 Mar 2026 13:55:27 -0700 Subject: [PATCH 11/12] Update CFS feed for PSGallery packages And update PSDesiredStateConfiguration to 2.0.8. This feed is already dedicated to mirroring the PSGallery. Importantly, it does not have NuGet.org as an upstream since doing so can cause package name conflicts. While it is cross-org, we are not depending on automated write-access and it is purposely publicly-readable. --- helpers.build.psm1 | 6 +++--- packaging.ps1 | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/helpers.build.psm1 b/helpers.build.psm1 index b577a284c..1f9bc4ee8 100644 --- a/helpers.build.psm1 +++ b/helpers.build.psm1 @@ -745,7 +745,7 @@ function Install-PowerShellTestPrerequisite { $repository = 'CFS' if ($null -eq (Get-PSResourceRepository -Name CFS -ErrorAction Ignore)) { "Registering CFS repository" - Register-PSResourceRepository -uri 'https://pkgs.dev.azure.com/powershell/PowerShell/_packaging/powershell/nuget/v2' -Name CFS -Trusted + Register-PSResourceRepository -Uri "https://pkgs.dev.azure.com/powershell/PowerShell/_packaging/PowerShellGalleryMirror/nuget/v3/index.json" -Name CFS -Trusted } } } @@ -753,10 +753,10 @@ function Install-PowerShellTestPrerequisite { process { if ($IsWindows) { # PSDesiredStateConfiguration module is needed for Microsoft.Windows/WindowsPowerShell adapter - $FullyQualifiedName = @{ModuleName="PSDesiredStateConfiguration";ModuleVersion="2.0.7"} + $FullyQualifiedName = @{ModuleName="PSDesiredStateConfiguration";ModuleVersion="2.0.8"} if (-not(Get-Module -ListAvailable -FullyQualifiedName $FullyQualifiedName)) { - Install-PSResource -Name PSDesiredStateConfiguration -Version 2.0.7 -Repository $repository -TrustRepository + Install-PSResource -Name PSDesiredStateConfiguration -Version 2.0.8 -Repository $repository -TrustRepository } } diff --git a/packaging.ps1 b/packaging.ps1 index ef912eb4e..54bcca3d1 100755 --- a/packaging.ps1 +++ b/packaging.ps1 @@ -548,16 +548,16 @@ if ($Test) { $repository = 'CFS' if ($null -eq (Get-PSResourceRepository -Name CFS -ErrorAction Ignore)) { "Registering CFS repository" - Register-PSResourceRepository -uri 'https://pkgs.dev.azure.com/powershell/PowerShell/_packaging/powershell/nuget/v2' -Name CFS -Trusted + Register-PSResourceRepository -Uri "https://pkgs.dev.azure.com/powershell/PowerShell/_packaging/PowerShellGalleryMirror/nuget/v3/index.json" -Name CFS -Trusted } } if ($IsWindows) { # PSDesiredStateConfiguration module is needed for Microsoft.Windows/WindowsPowerShell adapter - $FullyQualifiedName = @{ModuleName="PSDesiredStateConfiguration";ModuleVersion="2.0.7"} + $FullyQualifiedName = @{ModuleName="PSDesiredStateConfiguration";ModuleVersion="2.0.8"} if (-not(Get-Module -ListAvailable -FullyQualifiedName $FullyQualifiedName)) { - Install-PSResource -Name PSDesiredStateConfiguration -Version 2.0.7 -Repository $repository -TrustRepository + Install-PSResource -Name PSDesiredStateConfiguration -Version 2.0.8 -Repository $repository -TrustRepository } } From 68958c2d9c6dc29270c2f9a3b3997b45026abade Mon Sep 17 00:00:00 2001 From: Andy Jordan <2226434+andyleejordan@users.noreply.github.com> Date: Mon, 9 Mar 2026 16:28:49 -0700 Subject: [PATCH 12/12] Document `-UseX64MakeAppx` workaround --- helpers.build.psm1 | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/helpers.build.psm1 b/helpers.build.psm1 index 1f9bc4ee8..d890df612 100644 --- a/helpers.build.psm1 +++ b/helpers.build.psm1 @@ -1212,6 +1212,10 @@ function Update-PathEnvironment { function Find-MakeAppx { [CmdletBinding()] param( + # When packaging in OneBranch, the MSIX is created on an x64 image for + # the arm64 package, and our tooling expects to use the architecture + # passed, so we have to override it here. It may be possible to + # workaround this in another way, but deferring further investigation. [switch]$UseX64MakeAppx ) @@ -2166,14 +2170,13 @@ function Build-DscPackage { ArtifactDirectory = $artifactDirectory Architecture = $Architecture Release = $Release - UseX64MakeAppx = $UseX64MakeAppx } } process { Write-Verbose "Packaging DSC..." if ($packageType -match 'msix') { - Build-DscMsixPackage @buildParams -PackageType $packageType + Build-DscMsixPackage @buildParams -PackageType $packageType -UseX64MakeAppx:$UseX64MakeAppx } elseif ($packageType -eq 'tgz') { Build-DscTgzPackage @buildParams } elseif ($packageType -eq 'zip') {