From 66021fd9f8c64ca1087fab0553f4990514d64809 Mon Sep 17 00:00:00 2001
From: "Patrick Nelson (VS)" <panelson@microsoft.com>
Date: Wed, 24 Jun 2026 10:29:03 -0700
Subject: [PATCH] Change to use 1ES nuget publish

---
 build/yaml/stages/release.yaml | 80 +++++++++++++++++++---------------
 1 file changed, 46 insertions(+), 34 deletions(-)

diff --git a/build/yaml/stages/release.yaml b/build/yaml/stages/release.yaml
index 9dced5f5..2f71de64 100644
--- a/build/yaml/stages/release.yaml
+++ b/build/yaml/stages/release.yaml
@@ -28,6 +28,23 @@ stages:
   - deployment: Publish
     displayName: Publish NuGets to internal InstrumentationEngine Feed
     environment: CLRIE-Release-Internal-NuGet-Feed
+    pool:
+      name: VSEngSS-Microbuild2022-1ES
+      os: windows
+    templateContext:
+      outputs:
+      - output: nuget
+        displayName: Push to DevDiv InstrumentationEngine feed
+        nuGetFeedType: internal
+        publishVstsFeed: 59c1dfae-dea5-4ea5-ac83-c9abcb4ac339
+        # 1ES requires every packagesToPush entry to live under packageParentPath, which must be
+        # an existing folder (no wildcards). $(ArtifactsDirectory) == $(Pipeline.Workspace), the
+        # root all pipeline-resource artifacts download into.
+        packageParentPath: $(ArtifactsDirectory)
+        packagesToPush: $(ArtifactsDirectory)\$(WindowsInstrumentationEngineNuGetArtifactPathPattern);$(ArtifactsDirectory)\$(LinuxInstrumentationEngineNuGetArtifactPathPattern)
+        allowPackageConflicts: true
+        publishPackageMetadata: true
+        verbosityPush: Detailed
     strategy:
       runOnce:
         deploy:
@@ -48,38 +65,33 @@ stages:
 
           - task: NuGetAuthenticate@1
             displayName: NuGet Authenticate
-
-          - task: NuGetCommand@2
-            displayName: Push to DevDiv InstrumentationEngine feed
-            inputs:
-              command: push
-              nuGetFeedType: internal
-              publishVstsFeed: 59c1dfae-dea5-4ea5-ac83-c9abcb4ac339
-              packagesToPush: $(ArtifactsDirectory)\$(WindowsInstrumentationEngineNuGetArtifactPathPattern);$(ArtifactsDirectory)\$(LinuxInstrumentationEngineNuGetArtifactPathPattern)
-              allowPackageConflicts: true
-              publishPackageMetadata: true
-              verbosityPush: Detailed
-
-          # Classic equivalent: "Promote package to Release View" (deprecated marketplace task,
-          # gated on PromoteToRelease). Implemented here against the Azure Artifacts packaging
-          # REST API; only runs when PromoteToRelease is set to 'True'.
-          - task: PowerShell@2
-            displayName: Promote package to Release View
-            condition: and(succeeded(), eq(variables['PromoteToRelease'], 'True'))
-            env:
-              SYSTEM_ACCESSTOKEN: $(System.AccessToken)
-            inputs:
-              targetType: inline
-              script: |
-                $feedId = '59c1dfae-dea5-4ea5-ac83-c9abcb4ac339'
-                $headers = @{ Authorization = "Bearer $env:SYSTEM_ACCESSTOKEN" }
-                $root = Join-Path $env:ArtifactsDirectory 'ClrInstrumentationEngine-Signed-Yaml'
-                Get-ChildItem -Path $root -Recurse -Filter *.nupkg | ForEach-Object {
-                  if ($_.Name -match '^(?<id>.+?)\.(?<ver>\d+\..*)\.nupkg$') {
-                    $id = $Matches.id; $ver = $Matches.ver
-                    $uri = "https://pkgs.dev.azure.com/DevDiv/_apis/packaging/feeds/$feedId/nuget/packages/$id/versions/$ver?api-version=7.1-preview.1"
-                    $body = @{ views = @{ op = 'add'; path = '/views/-'; value = 'Release' } } | ConvertTo-Json -Depth 5
-                    Write-Host "Promoting $id $ver to Release view"
-                    Invoke-RestMethod -Uri $uri -Method Patch -Headers $headers -Body $body -ContentType 'application/json'
+          # The 'nuget' output declared in templateContext.outputs pushes the packages here,
+          # immediately after these deploy steps complete.
+        on:
+          # The 'on success' hook runs after the deploy phase (including the NuGet push above)
+          # has succeeded, so the promote step always runs after the packages are published.
+          success:
+            steps:
+            # Classic equivalent: "Promote package to Release View" (deprecated marketplace task,
+            # gated on PromoteToRelease). Implemented here against the Azure Artifacts packaging
+            # REST API; only runs when PromoteToRelease is set to 'True'.
+            - task: PowerShell@2
+              displayName: Promote package to Release View
+              condition: and(succeeded(), eq(variables['PromoteToRelease'], 'True'))
+              env:
+                SYSTEM_ACCESSTOKEN: $(System.AccessToken)
+              inputs:
+                targetType: inline
+                script: |
+                  $feedId = '59c1dfae-dea5-4ea5-ac83-c9abcb4ac339'
+                  $headers = @{ Authorization = "Bearer $env:SYSTEM_ACCESSTOKEN" }
+                  $root = Join-Path $env:ArtifactsDirectory 'ClrInstrumentationEngine-Signed-Yaml'
+                  Get-ChildItem -Path $root -Recurse -Filter *.nupkg | ForEach-Object {
+                    if ($_.Name -match '^(?<id>.+?)\.(?<ver>\d+\..*)\.nupkg$') {
+                      $id = $Matches.id; $ver = $Matches.ver
+                      $uri = "https://pkgs.dev.azure.com/DevDiv/_apis/packaging/feeds/$feedId/nuget/packages/$id/versions/$ver?api-version=7.1-preview.1"
+                      $body = @{ views = @{ op = 'add'; path = '/views/-'; value = 'Release' } } | ConvertTo-Json -Depth 5
+                      Write-Host "Promoting $id $ver to Release view"
+                      Invoke-RestMethod -Uri $uri -Method Patch -Headers $headers -Body $body -ContentType 'application/json'
+                    }
                   }
-                }