From 0d54b50969b7ede31709098e054eebc8f980752f Mon Sep 17 00:00:00 2001
From: Matt Mitchell <mmitche@microsoft.com>
Date: Tue, 31 Mar 2026 07:08:34 -0700
Subject: [PATCH 01/11] Move to v4 publishing. (#16639)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Co-authored-by: mmitche <8725170+mmitche@users.noreply.github.com>
(cherry picked from commit 4c3e42ccb3b43ee468c89a902c4c178a180ddc30)
---
 eng/Publishing.props                          |   1 +
 eng/build.yml                                 |   5 +-
 eng/common-variables.yml                      |   2 -
 eng/common/core-templates/jobs/jobs.yml       |   5 +
 .../core-templates/post-build/post-build.yml  | 105 ++++++++++++------
 eng/common/templates-official/job/job.yml     |  10 ++
 6 files changed, 93 insertions(+), 35 deletions(-)

diff --git a/eng/Publishing.props b/eng/Publishing.props
index fa47f5eb4b6..065b4af8b38 100644
--- a/eng/Publishing.props
+++ b/eng/Publishing.props
@@ -8,6 +8,7 @@
    <PropertyGroup>
      <!-- Do not auto-generate symbol packages. Arcade embeds all PDBs so it's just waste of space -->
      <AutoGenerateSymbolPackages>false</AutoGenerateSymbolPackages>
+     <PublishingVersion>4</PublishingVersion>
    </PropertyGroup>
 
 </Project>
diff --git a/eng/build.yml b/eng/build.yml
index 2c7cb0452de..4165b0ba787 100644
--- a/eng/build.yml
+++ b/eng/build.yml
@@ -22,11 +22,12 @@ stages:
         publish:
           artifacts: true
           logs: true
-          manifests: true
       enableMicrobuild: true
       microbuildUseESRP: ${{ parameters.microbuildUseESRP }}
+      enablePublishBuildAssets: true
       enableSourceIndex: true
       enableSourceBuild: true
+      publishingVersion: 4
       workspace:
         clean: all
       jobs:
@@ -62,7 +63,7 @@ stages:
 
 - template: /eng/common/templates-official/post-build/post-build.yml@self
   parameters:
-    publishingInfraVersion: 3
+    publishingInfraVersion: 4
     # signing validation will not run, even if the below value is 'true', if the 'PostBuildSign' variable is set to 'true'
     enableSigningValidation: false
     # Sourcelink validation isn't passing for Arcade due to some regressions. This should be
diff --git a/eng/common-variables.yml b/eng/common-variables.yml
index 4892a24959c..28da5202913 100644
--- a/eng/common-variables.yml
+++ b/eng/common-variables.yml
@@ -28,11 +28,9 @@ variables:
     - group: Publish-Build-Assets
     - group: DotNet-HelixApi-Access
     - group: SDL_Settings
-    # DotNetPublishUsingPipelines can be removed when Arcade itself consumes a new Arcade version.
     - name: _InternalBuildArgs
       value: /p:DotNetSignType=${{ parameters.signType }}
         /p:TeamName=$(_TeamName)
-        /p:DotNetPublishUsingPipelines=true
         /p:OfficialBuildId=$(BUILD.BUILDNUMBER)
     - name: PostBuildSign
       value: true
diff --git a/eng/common/core-templates/jobs/jobs.yml b/eng/common/core-templates/jobs/jobs.yml
index 01ada747665..cc8cce45278 100644
--- a/eng/common/core-templates/jobs/jobs.yml
+++ b/eng/common/core-templates/jobs/jobs.yml
@@ -43,6 +43,10 @@ parameters:
 
   artifacts: {}
   is1ESPipeline: ''
+
+  # Publishing version w/default.
+  publishingVersion: 3
+
   repositoryAlias: self
   officialBuildId: ''
 
@@ -102,6 +106,7 @@ jobs:
       parameters:
         is1ESPipeline: ${{ parameters.is1ESPipeline }}
         continueOnError: ${{ parameters.continueOnError }}
+        publishingVersion: ${{ parameters.publishingVersion }}
         dependsOn:
         - ${{ if ne(parameters.publishBuildAssetsDependsOn, '') }}:
           - ${{ each job in parameters.publishBuildAssetsDependsOn }}:
diff --git a/eng/common/core-templates/post-build/post-build.yml b/eng/common/core-templates/post-build/post-build.yml
index 2df4acb7685..905a6315e2d 100644
--- a/eng/common/core-templates/post-build/post-build.yml
+++ b/eng/common/core-templates/post-build/post-build.yml
@@ -9,6 +9,7 @@ parameters:
     default: 3
     values:
     - 3
+    - 4
 
   - name: BARBuildId
     displayName: BAR Build Id
@@ -140,16 +141,30 @@ stages:
             PromoteToChannelIds: ${{ parameters.PromoteToChannelIds }}
             is1ESPipeline: ${{ parameters.is1ESPipeline }}
 
-        - task: DownloadBuildArtifacts@0
-          displayName: Download Package Artifacts
-          inputs:
-            buildType: specific
-            buildVersionToDownload: specific
-            project: $(AzDOProjectName)
-            pipeline: $(AzDOPipelineId)
-            buildId: $(AzDOBuildId)
-            artifactName: PackageArtifacts
-            checkDownloadedFiles: true
+        - ${{ if ne(parameters.publishingInfraVersion, 4) }}:
+          - task: DownloadBuildArtifacts@0
+            displayName: Download Package Artifacts
+            inputs:
+              buildType: specific
+              buildVersionToDownload: specific
+              project: $(AzDOProjectName)
+              pipeline: $(AzDOPipelineId)
+              buildId: $(AzDOBuildId)
+              artifactName: PackageArtifacts
+              checkDownloadedFiles: true
+        - ${{ if eq(parameters.publishingInfraVersion, 4) }}:
+          - task: DownloadPipelineArtifact@2
+            displayName: Download Pipeline Artifacts (V4)
+            inputs:
+              itemPattern: '*/packages/**/*.nupkg'
+              targetPath: '$(Build.ArtifactStagingDirectory)/PipelineArtifactsDownload'
+          - task: CopyFiles@2
+            displayName: Flatten packages to PackageArtifacts
+            inputs:
+              SourceFolder: '$(Build.ArtifactStagingDirectory)/PipelineArtifactsDownload'
+              Contents: '**/*.nupkg'
+              TargetFolder: '$(Build.ArtifactStagingDirectory)/PackageArtifacts'
+              flattenFolders: true
 
         - task: PowerShell@2
           displayName: Validate
@@ -183,16 +198,30 @@ stages:
             PromoteToChannelIds: ${{ parameters.PromoteToChannelIds }}
             is1ESPipeline: ${{ parameters.is1ESPipeline }}
 
-        - task: DownloadBuildArtifacts@0
-          displayName: Download Package Artifacts
-          inputs:
-            buildType: specific
-            buildVersionToDownload: specific
-            project: $(AzDOProjectName)
-            pipeline: $(AzDOPipelineId)
-            buildId: $(AzDOBuildId)
-            artifactName: PackageArtifacts
-            checkDownloadedFiles: true
+        - ${{ if ne(parameters.publishingInfraVersion, 4) }}:
+          - task: DownloadBuildArtifacts@0
+            displayName: Download Package Artifacts
+            inputs:
+              buildType: specific
+              buildVersionToDownload: specific
+              project: $(AzDOProjectName)
+              pipeline: $(AzDOPipelineId)
+              buildId: $(AzDOBuildId)
+              artifactName: PackageArtifacts
+              checkDownloadedFiles: true
+        - ${{ if eq(parameters.publishingInfraVersion, 4) }}:
+          - task: DownloadPipelineArtifact@2
+            displayName: Download Pipeline Artifacts (V4)
+            inputs:
+              itemPattern: '*/packages/**/*.nupkg'
+              targetPath: '$(Build.ArtifactStagingDirectory)/PipelineArtifactsDownload'
+          - task: CopyFiles@2
+            displayName: Flatten packages to PackageArtifacts
+            inputs:
+              SourceFolder: '$(Build.ArtifactStagingDirectory)/PipelineArtifactsDownload'
+              Contents: '**/*.nupkg'
+              TargetFolder: '$(Build.ArtifactStagingDirectory)/PackageArtifacts'
+              flattenFolders: true
 
         # This is necessary whenever we want to publish/restore to an AzDO private feed
         # Since sdk-task.ps1 tries to restore packages we need to do this authentication here
@@ -244,16 +273,30 @@ stages:
             PromoteToChannelIds: ${{ parameters.PromoteToChannelIds }}
             is1ESPipeline: ${{ parameters.is1ESPipeline }}
 
-        - task: DownloadBuildArtifacts@0
-          displayName: Download Blob Artifacts
-          inputs:
-            buildType: specific
-            buildVersionToDownload: specific
-            project: $(AzDOProjectName)
-            pipeline: $(AzDOPipelineId)
-            buildId: $(AzDOBuildId)
-            artifactName: BlobArtifacts
-            checkDownloadedFiles: true
+        - ${{ if ne(parameters.publishingInfraVersion, 4) }}:
+          - task: DownloadBuildArtifacts@0
+            displayName: Download Blob Artifacts
+            inputs:
+              buildType: specific
+              buildVersionToDownload: specific
+              project: $(AzDOProjectName)
+              pipeline: $(AzDOPipelineId)
+              buildId: $(AzDOBuildId)
+              artifactName: BlobArtifacts
+              checkDownloadedFiles: true
+        - ${{ if eq(parameters.publishingInfraVersion, 4) }}:
+          - task: DownloadPipelineArtifact@2
+            displayName: Download Pipeline Artifacts (V4)
+            inputs:
+              itemPattern: '*/assets/**'
+              targetPath: '$(Build.ArtifactStagingDirectory)/PipelineArtifactsDownload'
+          - task: CopyFiles@2
+            displayName: Flatten assets to BlobArtifacts
+            inputs:
+              SourceFolder: '$(Build.ArtifactStagingDirectory)/PipelineArtifactsDownload'
+              Contents: '**/*'
+              TargetFolder: '$(Build.ArtifactStagingDirectory)/BlobArtifacts'
+              flattenFolders: true
 
         - task: PowerShell@2
           displayName: Validate
@@ -328,7 +371,7 @@ stages:
             scriptPath: $(System.DefaultWorkingDirectory)/eng/common/post-build/publish-using-darc.ps1
             arguments: >
               -BuildId $(BARBuildId)
-              -PublishingInfraVersion ${{ parameters.publishingInfraVersion }}
+              -PublishingInfraVersion 3
               -AzdoToken '$(System.AccessToken)'
               -WaitPublishingFinish true
               -RequireDefaultChannels ${{ parameters.requireDefaultChannels }}
diff --git a/eng/common/templates-official/job/job.yml b/eng/common/templates-official/job/job.yml
index 92a0664f564..1d4b7199e7c 100644
--- a/eng/common/templates-official/job/job.yml
+++ b/eng/common/templates-official/job/job.yml
@@ -68,6 +68,16 @@ jobs:
           targetPath: $(Build.ArtifactStagingDirectory)/sbom
           artifactName: $(ARTIFACT_NAME)
 
+      # V4 publishing: automatically publish staged artifacts as a pipeline artifact.
+      # The artifact name matches the SDK's FutureArtifactName ($(System.PhaseName)_Artifacts),
+      # which is encoded in the asset manifest for downstream publishing to discover.
+      - ${{ if eq(parameters.publishingVersion, 4) }}:
+        - output: pipelineArtifact
+          displayName: 'Publish V4 pipeline artifacts'
+          targetPath: '$(Build.ArtifactStagingDirectory)/artifacts'
+          artifactName: '$(System.PhaseName)_Artifacts'
+          continueOnError: true
+
       # add any outputs provided via root yaml
       - ${{ if ne(parameters.templateContext.outputs, '') }}:
         - ${{ each output in parameters.templateContext.outputs }}:

From 025f551ee667e010b1b0d2079df439388cc5d69a Mon Sep 17 00:00:00 2001
From: Matt Mitchell <mmitche@microsoft.com>
Date: Tue, 31 Mar 2026 13:15:01 -0700
Subject: [PATCH 02/11] Fix PostBuildLogs artifact name collision across jobs
 (#16651)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
(cherry picked from commit bb726e8edb2ac9eff8c3d247238c64dff8acc0ab)

# Conflicts:
#	eng/common/core-templates/job/publish-build-assets.yml
#	eng/common/core-templates/steps/publish-logs.yml
---
 .../core-templates/job/publish-build-assets.yml      | 12 +++++++-----
 eng/common/core-templates/steps/publish-logs.yml     |  9 +++++----
 2 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/eng/common/core-templates/job/publish-build-assets.yml b/eng/common/core-templates/job/publish-build-assets.yml
index 9afcb8ae159..8ed46971ae9 100644
--- a/eng/common/core-templates/job/publish-build-assets.yml
+++ b/eng/common/core-templates/job/publish-build-assets.yml
@@ -173,16 +173,17 @@ jobs:
             artifactName: AssetManifests
             displayName: 'Publish Merged Manifest'
             retryCountOnTaskFailure: 10 # for any logs being locked
-            sbomEnabled: false  # we don't need SBOM for logs
+            isProduction: false # just metadata for publishing
 
-    - template: /eng/common/core-templates/steps/publish-build-artifacts.yml
+    - template: /eng/common/core-templates/steps/publish-pipeline-artifacts.yml
       parameters:
         is1ESPipeline: ${{ parameters.is1ESPipeline }}
         args:
           displayName: Publish ReleaseConfigs Artifact
-          pathToPublish: '$(Build.StagingDirectory)/ReleaseConfigs'
-          publishLocation: Container
+          targetPath: '$(Build.StagingDirectory)/ReleaseConfigs'
           artifactName: ReleaseConfigs
+          retryCountOnTaskFailure: 10 # for any files being locked
+          isProduction: false # just metadata for publishing
 
     - ${{ if or(eq(parameters.publishAssetsImmediately, 'true'), eq(parameters.isAssetlessBuild, 'true')) }}:
       - template: /eng/common/core-templates/post-build/setup-maestro-vars.yml
@@ -218,4 +219,5 @@ jobs:
       - template: /eng/common/core-templates/steps/publish-logs.yml
         parameters:
           is1ESPipeline: ${{ parameters.is1ESPipeline }}
-          JobLabel: 'Publish_Artifacts_Logs'     
+          StageLabel: 'BuildAssetRegistry'
+          JobLabel: 'Publish_Artifacts_Logs'
diff --git a/eng/common/core-templates/steps/publish-logs.yml b/eng/common/core-templates/steps/publish-logs.yml
index a9ea99ba6aa..4eed0312b80 100644
--- a/eng/common/core-templates/steps/publish-logs.yml
+++ b/eng/common/core-templates/steps/publish-logs.yml
@@ -50,13 +50,14 @@ steps:
     TargetFolder: '$(Build.ArtifactStagingDirectory)/PostBuildLogs'
   condition: always()
 
-- template: /eng/common/core-templates/steps/publish-build-artifacts.yml
+- template: /eng/common/core-templates/steps/publish-pipeline-artifacts.yml
   parameters:
     is1ESPipeline: ${{ parameters.is1ESPipeline }}
     args:
       displayName: Publish Logs
-      pathToPublish: '$(Build.ArtifactStagingDirectory)/PostBuildLogs'
-      publishLocation: Container
-      artifactName: PostBuildLogs
+      targetPath: '$(Build.ArtifactStagingDirectory)/PostBuildLogs'
+      artifactName: PostBuildLogs_${{ parameters.StageLabel }}_${{ parameters.JobLabel }}_Attempt$(System.JobAttempt)
       continueOnError: true
       condition: always()
+      retryCountOnTaskFailure: 10 # for any files being locked
+      isProduction: false # logs are non-production artifacts

From 6df7201bed74f4c580a95026698d64fd6e75fe71 Mon Sep 17 00:00:00 2001
From: Matt Mitchell <mmitche@microsoft.com>
Date: Thu, 2 Apr 2026 09:25:19 -0700
Subject: [PATCH 03/11] Add enablePublishing parameter to opt out of V4
 artifact publishing (#16664)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: mmitche <8725170+mmitche@users.noreply.github.com>
(cherry picked from commit 54b2ce2daa9f50a54842da5de80a19a26e0f529b)
---
 eng/common/core-templates/job/job.yml     | 1 +
 eng/common/templates-official/job/job.yml | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/eng/common/core-templates/job/job.yml b/eng/common/core-templates/job/job.yml
index 5ce51840619..254f8ba91c0 100644
--- a/eng/common/core-templates/job/job.yml
+++ b/eng/common/core-templates/job/job.yml
@@ -24,6 +24,7 @@ parameters:
   enablePublishBuildArtifacts: false
   enablePublishBuildAssets: false
   enablePublishTestResults: false
+  enablePublishing: false
   enableBuildRetry: false
   mergeTestResults: false
   testRunTitle: ''
diff --git a/eng/common/templates-official/job/job.yml b/eng/common/templates-official/job/job.yml
index 1d4b7199e7c..4e6fc3c5ba7 100644
--- a/eng/common/templates-official/job/job.yml
+++ b/eng/common/templates-official/job/job.yml
@@ -71,7 +71,8 @@ jobs:
       # V4 publishing: automatically publish staged artifacts as a pipeline artifact.
       # The artifact name matches the SDK's FutureArtifactName ($(System.PhaseName)_Artifacts),
       # which is encoded in the asset manifest for downstream publishing to discover.
-      - ${{ if eq(parameters.publishingVersion, 4) }}:
+      # Jobs can opt in by setting enablePublishing: true.
+      - ${{ if and(eq(parameters.publishingVersion, 4), eq(parameters.enablePublishing, 'true')) }}:
         - output: pipelineArtifact
           displayName: 'Publish V4 pipeline artifacts'
           targetPath: '$(Build.ArtifactStagingDirectory)/artifacts'

From fdeb14ce02f27af79d7060ad9a9fb27d850f050c Mon Sep 17 00:00:00 2001
From: Juan Hoyos <19413848+hoyosjs@users.noreply.github.com>
Date: Thu, 2 Apr 2026 20:57:19 -0700
Subject: [PATCH 04/11] Unblock publish (#16676) Co-authored-by: mmitche
 <8725170+mmitche@users.noreply.github.com>

(cherry picked from commit 57e4e77230aeed59cca8144d5a6263ceff8296aa)
---
 eng/promote-build.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/eng/promote-build.yml b/eng/promote-build.yml
index d1faf9ac4b3..447a2d3eeaf 100644
--- a/eng/promote-build.yml
+++ b/eng/promote-build.yml
@@ -69,7 +69,7 @@ extends:
         os: windows
       ${{ else }}:
         name: NetCore1ESPool-Publishing-Internal
-        image: windows.vs2026.amd64
+        image: windows.vs2022.amd64
         os: windows
     sdl:
       policheck:
@@ -83,4 +83,4 @@ extends:
         PromoteToChannelIds: ${{ parameters.PromoteToChannelIds }}
         BARBuildId: ${{ parameters.BARBuildId }}
         symbolPublishingAdditionalParameters: ${{ parameters.SymbolPublishingAdditionalParameters }}
-        artifactsPublishingAdditionalParameters: ${{ parameters.ArtifactsPublishingAdditionalParameters }}
\ No newline at end of file
+        artifactsPublishingAdditionalParameters: ${{ parameters.ArtifactsPublishingAdditionalParameters }}

From 3ea990826080a837901257974f5f774f8722bba8 Mon Sep 17 00:00:00 2001
From: Matt Mitchell <mmitche@microsoft.com>
Date: Fri, 3 Apr 2026 06:54:33 -0700
Subject: [PATCH 05/11] Enable V4 publishing for Windows_NT official job
 (#16674)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: mmitche <8725170+mmitche@users.noreply.github.com>
(cherry picked from commit 1ad138412feb0429a24aece92c4238616b4bb6f8)
---
 eng/build.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/eng/build.yml b/eng/build.yml
index 4165b0ba787..631c0942d61 100644
--- a/eng/build.yml
+++ b/eng/build.yml
@@ -32,6 +32,7 @@ stages:
         clean: all
       jobs:
       - job: Windows_NT
+        enablePublishing: true
         timeoutInMinutes: 90
         strategy:
           matrix:

From e810efc033a8448dfaa992360feab2fe944a1098 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alexander=20K=C3=B6plinger?= <alex.koeplinger@outlook.com>
Date: Fri, 3 Apr 2026 18:08:16 +0200
Subject: [PATCH 06/11] Mark publishing artifacts as non-production and fix
 boolean property pass-through in 1ES publish template (#16672)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: akoeplinger <1376924+akoeplinger@users.noreply.github.com>
Co-authored-by: mmitche <8725170+mmitche@users.noreply.github.com>
(cherry picked from commit c4cbe74c23e2196d9fde7b6dd63fbad6f688b80f)

# Conflicts:
#	eng/common/core-templates/job/publish-build-assets.yml
#	eng/common/templates-official/steps/publish-pipeline-artifacts.yml
---
 eng/common/core-templates/job/publish-build-assets.yml        | 2 +-
 .../templates-official/steps/publish-pipeline-artifacts.yml   | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/eng/common/core-templates/job/publish-build-assets.yml b/eng/common/core-templates/job/publish-build-assets.yml
index 8ed46971ae9..06f2eed0323 100644
--- a/eng/common/core-templates/job/publish-build-assets.yml
+++ b/eng/common/core-templates/job/publish-build-assets.yml
@@ -172,7 +172,7 @@ jobs:
             targetPath: '$(Build.ArtifactStagingDirectory)/MergedManifest.xml'
             artifactName: AssetManifests
             displayName: 'Publish Merged Manifest'
-            retryCountOnTaskFailure: 10 # for any logs being locked
+            retryCountOnTaskFailure: 10 # for any files being locked
             isProduction: false # just metadata for publishing
 
     - template: /eng/common/core-templates/steps/publish-pipeline-artifacts.yml
diff --git a/eng/common/templates-official/steps/publish-pipeline-artifacts.yml b/eng/common/templates-official/steps/publish-pipeline-artifacts.yml
index 172f9f0fdc9..9e5981365e5 100644
--- a/eng/common/templates-official/steps/publish-pipeline-artifacts.yml
+++ b/eng/common/templates-official/steps/publish-pipeline-artifacts.yml
@@ -24,5 +24,7 @@ steps:
       artifactName: ${{ parameters.args.artifactName }}
     ${{ if parameters.args.properties }}:
       properties: ${{ parameters.args.properties }}
-    ${{ if parameters.args.sbomEnabled }}:
+    ${{ if ne(parameters.args.sbomEnabled, '') }}:
       sbomEnabled: ${{ parameters.args.sbomEnabled }}
+    ${{ if ne(parameters.args.isProduction, '') }}:
+      isProduction: ${{ parameters.args.isProduction }}

From 8d711fd2c84780f7a2b2ab24c14905bc9def674f Mon Sep 17 00:00:00 2001
From: Copilot <198982749+Copilot@users.noreply.github.com>
Date: Fri, 27 Mar 2026 10:55:49 +0000
Subject: [PATCH 07/11] Switch enablePublishBuildArtifacts to use pipeline
 artifacts (#16630)

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: mmitche <8725170+mmitche@users.noreply.github.com>
(cherry picked from commit ff190d85c40f4e9be5248d24df8869234d027af7)
---
 eng/common/templates-official/job/job.yml | 7 +++----
 eng/common/templates/job/job.yml          | 6 +++---
 2 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/eng/common/templates-official/job/job.yml b/eng/common/templates-official/job/job.yml
index 4e6fc3c5ba7..a692df9a583 100644
--- a/eng/common/templates-official/job/job.yml
+++ b/eng/common/templates-official/job/job.yml
@@ -44,11 +44,10 @@ jobs:
             sbomEnabled: false  # we don't need SBOM for logs
 
       - ${{ if eq(parameters.enablePublishBuildArtifacts, true) }}:
-        - output: buildArtifacts
+        - output: pipelineArtifact
           displayName: Publish Logs
-          PathtoPublish: '$(Build.ArtifactStagingDirectory)/artifacts/log/$(_BuildConfig)'
-          publishLocation: Container
-          ArtifactName: ${{ coalesce(parameters.enablePublishBuildArtifacts.artifactName, '$(Agent.Os)_$(Agent.JobName)_Attempt$(System.JobAttempt)' ) }}
+          targetPath: '$(Build.ArtifactStagingDirectory)/artifacts/log/$(_BuildConfig)'
+          artifactName: ${{ coalesce(parameters.enablePublishBuildArtifacts.artifactName, '$(Agent.Os)_$(Agent.JobName)_Attempt$(System.JobAttempt)' ) }}
           continueOnError: true
           condition: always()
           sbomEnabled: false  # we don't need SBOM for logs
diff --git a/eng/common/templates/job/job.yml b/eng/common/templates/job/job.yml
index 238fa0818f7..7f1b5d97d1a 100644
--- a/eng/common/templates/job/job.yml
+++ b/eng/common/templates/job/job.yml
@@ -61,16 +61,16 @@ jobs:
               sbomEnabled: false  # we don't need SBOM for logs
 
     - ${{ if ne(parameters.enablePublishBuildArtifacts, 'false') }}:
-      - template: /eng/common/core-templates/steps/publish-build-artifacts.yml
+      - template: /eng/common/core-templates/steps/publish-pipeline-artifacts.yml
         parameters:
           is1ESPipeline: false
           args:
             displayName: Publish Logs
-            pathToPublish: '$(Build.ArtifactStagingDirectory)/artifacts/log/$(_BuildConfig)'
-            publishLocation: Container
+            targetPath: '$(Build.ArtifactStagingDirectory)/artifacts/log/$(_BuildConfig)'
             artifactName: ${{ coalesce(parameters.enablePublishBuildArtifacts.artifactName, '$(Agent.Os)_$(Agent.JobName)_Attempt$(System.JobAttempt)' ) }}
             continueOnError: true
             condition: always()
+            sbomEnabled: false
 
     - ${{ if eq(parameters.enableBuildRetry, 'true') }}:
       - template: /eng/common/core-templates/steps/publish-pipeline-artifacts.yml

From a267973956abae6ec33a2540c49ab5cd299cc6d0 Mon Sep 17 00:00:00 2001
From: Matt Mitchell <mmitche@microsoft.com>
Date: Mon, 30 Mar 2026 09:24:27 -0700
Subject: [PATCH 08/11] Migrate from PublishBuildArtifacts to
 PublishPipelineArtifact (#16638)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
(cherry picked from commit b51669b172553e768a6fba4f3c17c1702b348b60)

# Conflicts:
#	eng/common/core-templates/steps/publish-logs.yml
---
 .../post-build/setup-maestro-vars.yml           |  2 +-
 eng/common/templates-official/job/job.yml       | 15 +++++++++++----
 eng/common/templates/job/job.yml                | 17 +++++++++++++----
 .../azure-pipelines-xcopy-msbuild.yml           |  7 +++----
 4 files changed, 28 insertions(+), 13 deletions(-)

diff --git a/eng/common/core-templates/post-build/setup-maestro-vars.yml b/eng/common/core-templates/post-build/setup-maestro-vars.yml
index a7abd58c4bb..b9ba3da9c87 100644
--- a/eng/common/core-templates/post-build/setup-maestro-vars.yml
+++ b/eng/common/core-templates/post-build/setup-maestro-vars.yml
@@ -8,7 +8,7 @@ steps:
     - 'Illegal entry point, is1ESPipeline is not defined. Repository yaml should not directly reference templates in core-templates folder.': error
 
   - ${{ if eq(coalesce(parameters.PromoteToChannelIds, 0), 0) }}:
-    - task: DownloadBuildArtifacts@0
+    - task: DownloadPipelineArtifact@0
       displayName: Download Release Configs
       inputs:
         buildType: current
diff --git a/eng/common/templates-official/job/job.yml b/eng/common/templates-official/job/job.yml
index a692df9a583..e84b8cb2d56 100644
--- a/eng/common/templates-official/job/job.yml
+++ b/eng/common/templates-official/job/job.yml
@@ -26,11 +26,18 @@ jobs:
       outputs:
       - ${{ if ne(parameters.artifacts.publish, '') }}:
         - ${{ if and(ne(parameters.artifacts.publish.artifacts, 'false'), ne(parameters.artifacts.publish.artifacts, '')) }}:
-          - output: buildArtifacts
+          - output: pipelineArtifact
             displayName: Publish pipeline artifacts
-            PathtoPublish: '$(Build.ArtifactStagingDirectory)/artifacts'
-            ArtifactName: ${{ coalesce(parameters.artifacts.publish.artifacts.name , 'Artifacts_$(Agent.Os)_$(_BuildConfig)') }}
-            condition: always()
+            targetPath: '$(Build.ArtifactStagingDirectory)/artifacts'
+            artifactName: ${{ coalesce(parameters.artifacts.publish.artifacts.name , 'Artifacts_$(Agent.Os)_$(_BuildConfig)') }}
+            condition: succeeded()
+            retryCountOnTaskFailure: 10 # for any logs being locked
+            continueOnError: true
+          - output: pipelineArtifact
+            displayName: Publish pipeline artifacts
+            targetPath: '$(Build.ArtifactStagingDirectory)/artifacts'
+            artifactName: ${{ coalesce(parameters.artifacts.publish.artifacts.name , 'Artifacts_$(Agent.Os)_$(_BuildConfig)') }}_Attempt$(System.JobAttempt)
+            condition: not(succeeded())
             retryCountOnTaskFailure: 10 # for any logs being locked
             continueOnError: true
         - ${{ if and(ne(parameters.artifacts.publish.logs, 'false'), ne(parameters.artifacts.publish.logs, '')) }}:
diff --git a/eng/common/templates/job/job.yml b/eng/common/templates/job/job.yml
index 7f1b5d97d1a..c096f906375 100644
--- a/eng/common/templates/job/job.yml
+++ b/eng/common/templates/job/job.yml
@@ -36,16 +36,25 @@ jobs:
     artifactPublishSteps:
     - ${{ if ne(parameters.artifacts.publish, '') }}:
       - ${{ if and(ne(parameters.artifacts.publish.artifacts, 'false'), ne(parameters.artifacts.publish.artifacts, '')) }}:
-        - template: /eng/common/core-templates/steps/publish-build-artifacts.yml
+        - template: /eng/common/core-templates/steps/publish-pipeline-artifacts.yml
           parameters:
             is1ESPipeline: false
             args:
               displayName: Publish pipeline artifacts
-              pathToPublish: '$(Build.ArtifactStagingDirectory)/artifacts'
-              publishLocation: Container
+              targetPath: '$(Build.ArtifactStagingDirectory)/artifacts'
               artifactName: ${{ coalesce(parameters.artifacts.publish.artifacts.name , 'Artifacts_$(Agent.Os)_$(_BuildConfig)') }}
               continueOnError: true
-              condition: always()
+              condition: succeeded()
+              retryCountOnTaskFailure: 10 # for any logs being locked
+        - template: /eng/common/core-templates/steps/publish-pipeline-artifacts.yml
+          parameters:
+            is1ESPipeline: false
+            args:
+              displayName: Publish pipeline artifacts
+              targetPath: '$(Build.ArtifactStagingDirectory)/artifacts'
+              artifactName: ${{ coalesce(parameters.artifacts.publish.artifacts.name , 'Artifacts_$(Agent.Os)_$(_BuildConfig)') }}_Attempt$(System.JobAttempt)
+              continueOnError: true
+              condition: not(succeeded())
               retryCountOnTaskFailure: 10 # for any logs being locked
       - ${{ if and(ne(parameters.artifacts.publish.logs, 'false'), ne(parameters.artifacts.publish.logs, '')) }}:
         - template: /eng/common/core-templates/steps/publish-pipeline-artifacts.yml
diff --git a/eng/xcopy-msbuild/azure-pipelines-xcopy-msbuild.yml b/eng/xcopy-msbuild/azure-pipelines-xcopy-msbuild.yml
index 1de479e6e9b..55b41095290 100644
--- a/eng/xcopy-msbuild/azure-pipelines-xcopy-msbuild.yml
+++ b/eng/xcopy-msbuild/azure-pipelines-xcopy-msbuild.yml
@@ -43,8 +43,7 @@ jobs:
         TargetFolder: '$(Build.ArtifactStagingDirectory)\publish'
         OverWrite: true
 
-    - task: PublishBuildArtifacts@1
+    - task: PublishPipelineArtifact@1
       inputs:
-        PathtoPublish: '$(Build.ArtifactStagingDirectory)\publish'
-        ArtifactName: 'package'
-        publishLocation: 'Container'
\ No newline at end of file
+        targetPath: '$(Build.ArtifactStagingDirectory)\publish'
+        artifactName: 'package'
\ No newline at end of file

From aaa16942a02fa73be61ad42c52a3321886c41672 Mon Sep 17 00:00:00 2001
From: Matt Mitchell <mmitche@microsoft.com>
Date: Tue, 31 Mar 2026 00:41:17 -0700
Subject: [PATCH 09/11] Fix ReleaseConfigs download path after pipeline
 artifacts migration (#16645)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
(cherry picked from commit ed8c55112211adad2f28724afdbd8db2f7758c1a)
---
 eng/common/core-templates/post-build/setup-maestro-vars.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/eng/common/core-templates/post-build/setup-maestro-vars.yml b/eng/common/core-templates/post-build/setup-maestro-vars.yml
index b9ba3da9c87..6dfa99ec5e3 100644
--- a/eng/common/core-templates/post-build/setup-maestro-vars.yml
+++ b/eng/common/core-templates/post-build/setup-maestro-vars.yml
@@ -8,12 +8,11 @@ steps:
     - 'Illegal entry point, is1ESPipeline is not defined. Repository yaml should not directly reference templates in core-templates folder.': error
 
   - ${{ if eq(coalesce(parameters.PromoteToChannelIds, 0), 0) }}:
-    - task: DownloadPipelineArtifact@0
+    - task: DownloadPipelineArtifact@2
       displayName: Download Release Configs
       inputs:
-        buildType: current
         artifactName: ReleaseConfigs
-        checkDownloadedFiles: true
+        targetPath: '$(Build.StagingDirectory)/ReleaseConfigs'
 
   - task: AzureCLI@2
     name: setReleaseVars

From bfe01369a7304a011f6913a1184316c2bb217d9d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alexander=20K=C3=B6plinger?= <alex.koeplinger@outlook.com>
Date: Tue, 31 Mar 2026 21:01:38 +0200
Subject: [PATCH 10/11] Set isProduction: false for logs in 1ES PT and remove
 SBOM/CG (#16649)

(cherry picked from commit 4a92f9d767e7cc6b86b8efe38bf691d227613f4d)

# Conflicts:
#	eng/common/core-templates/job/publish-build-assets.yml
#	eng/common/core-templates/job/renovate.yml
#	eng/common/core-templates/steps/generate-sbom.yml
#	eng/common/core-templates/steps/publish-logs.yml
#	eng/common/generate-sbom-prep.sh
#	eng/common/templates-official/steps/publish-pipeline-artifacts.yml
---
 eng/common/core-templates/job/job.yml         |  4 --
 .../steps/component-governance.yml            | 16 -----
 .../core-templates/steps/generate-sbom.yml    | 60 ++++---------------
 .../core-templates/steps/source-build.yml     |  2 +-
 eng/common/generate-sbom-prep.ps1             | 29 ---------
 eng/common/generate-sbom-prep.sh              | 39 ------------
 eng/common/template-guidance.md               |  2 -
 eng/common/templates-official/job/job.yml     | 39 ++++--------
 .../steps/component-governance.yml            |  7 ---
 eng/common/templates/job/job.yml              | 38 +++++-------
 .../templates/steps/component-governance.yml  |  7 ---
 11 files changed, 39 insertions(+), 204 deletions(-)
 delete mode 100644 eng/common/core-templates/steps/component-governance.yml
 delete mode 100644 eng/common/generate-sbom-prep.ps1
 delete mode 100755 eng/common/generate-sbom-prep.sh
 delete mode 100644 eng/common/templates-official/steps/component-governance.yml
 delete mode 100644 eng/common/templates/steps/component-governance.yml

diff --git a/eng/common/core-templates/job/job.yml b/eng/common/core-templates/job/job.yml
index 254f8ba91c0..eaed6d87e65 100644
--- a/eng/common/core-templates/job/job.yml
+++ b/eng/common/core-templates/job/job.yml
@@ -30,7 +30,6 @@ parameters:
   testRunTitle: ''
   testResultsFormat: ''
   name: ''
-  componentGovernanceSteps: []
   preSteps: []
   artifactPublishSteps: []
   runAsPublic: false
@@ -147,9 +146,6 @@ jobs:
   - ${{ each step in parameters.steps }}:
     - ${{ step }}
 
-  - ${{ each step in parameters.componentGovernanceSteps }}:
-    - ${{ step }}
-
   - ${{ if and(eq(parameters.runAsPublic, 'false'), ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest')) }}:
     - template: /eng/common/core-templates/steps/cleanup-microbuild.yml
       parameters:
diff --git a/eng/common/core-templates/steps/component-governance.yml b/eng/common/core-templates/steps/component-governance.yml
deleted file mode 100644
index cf0649aa956..00000000000
--- a/eng/common/core-templates/steps/component-governance.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-parameters:
-  disableComponentGovernance: false
-  componentGovernanceIgnoreDirectories: ''
-  is1ESPipeline: false
-  displayName: 'Component Detection'
-
-steps:
-- ${{ if eq(parameters.disableComponentGovernance, 'true') }}:
-  - script: echo "##vso[task.setvariable variable=skipComponentGovernanceDetection]true"
-    displayName: Set skipComponentGovernanceDetection variable
-- ${{ if ne(parameters.disableComponentGovernance, 'true') }}:
-  - task: ComponentGovernanceComponentDetection@0
-    continueOnError: true
-    displayName: ${{ parameters.displayName }}
-    inputs:
-      ignoreDirectories: ${{ parameters.componentGovernanceIgnoreDirectories }}
diff --git a/eng/common/core-templates/steps/generate-sbom.yml b/eng/common/core-templates/steps/generate-sbom.yml
index c05f6502797..aad0a8aeda3 100644
--- a/eng/common/core-templates/steps/generate-sbom.yml
+++ b/eng/common/core-templates/steps/generate-sbom.yml
@@ -1,54 +1,14 @@
-# BuildDropPath - The root folder of the drop directory for which the manifest file will be generated.
-# PackageName - The name of the package this SBOM represents.
-# PackageVersion - The version of the package this SBOM represents. 
-# ManifestDirPath - The path of the directory where the generated manifest files will be placed
-# IgnoreDirectories - Directories to ignore for SBOM generation. This will be passed through to the CG component detector.
-
 parameters:
-  PackageVersion: 10.0.0
-  BuildDropPath: '$(System.DefaultWorkingDirectory)/artifacts'
-  PackageName: '.NET'
-  ManifestDirPath: $(Build.ArtifactStagingDirectory)/sbom
-  IgnoreDirectories: ''
-  sbomContinueOnError: true
-  is1ESPipeline: false
-  # disable publishArtifacts if some other step is publishing the artifacts (like job.yml).
-  publishArtifacts: true
+  PackageVersion: unused
+  BuildDropPath: unused
+  PackageName: unused
+  ManifestDirPath: unused
+  IgnoreDirectories: unused
+  sbomContinueOnError: unused
+  is1ESPipeline: unused
+  publishArtifacts: unused
 
 steps:
-- task: PowerShell@2 
-  displayName: Prep for SBOM generation in (Non-linux)
-  condition: or(eq(variables['Agent.Os'], 'Windows_NT'), eq(variables['Agent.Os'], 'Darwin'))
-  inputs: 
-    filePath: ./eng/common/generate-sbom-prep.ps1
-    arguments: ${{parameters.manifestDirPath}}
-
-# Chmodding is a workaround for https://github.com/dotnet/arcade/issues/8461
 - script: |
-    chmod +x ./eng/common/generate-sbom-prep.sh
-    ./eng/common/generate-sbom-prep.sh ${{parameters.manifestDirPath}}
-  displayName: Prep for SBOM generation in (Linux)
-  condition: eq(variables['Agent.Os'], 'Linux')
-  continueOnError: ${{ parameters.sbomContinueOnError }}
-
-- task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0
-  displayName: 'Generate SBOM manifest'
-  continueOnError: ${{ parameters.sbomContinueOnError }}
-  inputs:
-      PackageName: ${{ parameters.packageName }}
-      BuildDropPath: ${{ parameters.buildDropPath }}
-      PackageVersion: ${{ parameters.packageVersion }}
-      ManifestDirPath: ${{ parameters.manifestDirPath }}/$(ARTIFACT_NAME)
-      ${{ if ne(parameters.IgnoreDirectories, '') }}:
-        AdditionalComponentDetectorArgs: '--IgnoreDirectories ${{ parameters.IgnoreDirectories }}'
-
-- ${{ if eq(parameters.publishArtifacts, 'true')}}:
-  - template: /eng/common/core-templates/steps/publish-pipeline-artifacts.yml
-    parameters:
-      is1ESPipeline: ${{ parameters.is1ESPipeline }}
-      args:
-        displayName: Publish SBOM manifest
-        continueOnError: ${{parameters.sbomContinueOnError}}
-        targetPath: '${{ parameters.manifestDirPath }}'
-        artifactName: $(ARTIFACT_NAME)
-
+    echo "##vso[task.logissue type=warning]Including generate-sbom.yml is deprecated, SBOM generation is handled 1ES PT now. Remove this include."
+  displayName: Issue generate-sbom.yml deprecation warning
diff --git a/eng/common/core-templates/steps/source-build.yml b/eng/common/core-templates/steps/source-build.yml
index b9c86c18ae4..09ae5cd73ae 100644
--- a/eng/common/core-templates/steps/source-build.yml
+++ b/eng/common/core-templates/steps/source-build.yml
@@ -62,4 +62,4 @@ steps:
       artifactName: BuildLogs_SourceBuild_${{ parameters.platform.name }}_Attempt$(System.JobAttempt)
       continueOnError: true
       condition: succeededOrFailed()
-      sbomEnabled: false  # we don't need SBOM for logs
+      isProduction: false # logs are non-production artifacts
diff --git a/eng/common/generate-sbom-prep.ps1 b/eng/common/generate-sbom-prep.ps1
deleted file mode 100644
index a0c7d792a76..00000000000
--- a/eng/common/generate-sbom-prep.ps1
+++ /dev/null
@@ -1,29 +0,0 @@
-Param(
-    [Parameter(Mandatory=$true)][string] $ManifestDirPath    # Manifest directory where sbom will be placed
-)
-
-. $PSScriptRoot\pipeline-logging-functions.ps1
-
-# Normally - we'd listen to the manifest path given, but 1ES templates will overwrite if this level gets uploaded directly
-# with their own overwriting ours. So we create it as a sub directory of the requested manifest path.
-$ArtifactName = "${env:SYSTEM_STAGENAME}_${env:AGENT_JOBNAME}_SBOM"
-$SafeArtifactName = $ArtifactName -replace '["/:<>\\|?@*"() ]', '_'
-$SbomGenerationDir = Join-Path $ManifestDirPath $SafeArtifactName
-
-Write-Host "Artifact name before : $ArtifactName"
-Write-Host "Artifact name after : $SafeArtifactName"
-
-Write-Host "Creating dir $ManifestDirPath"
-
-# create directory for sbom manifest to be placed
-if (!(Test-Path -path $SbomGenerationDir))
-{
-  New-Item -ItemType Directory -path $SbomGenerationDir
-  Write-Host "Successfully created directory $SbomGenerationDir"
-}
-else{
-  Write-PipelineTelemetryError -category 'Build'  "Unable to create sbom folder."
-}
-
-Write-Host "Updating artifact name"
-Write-Host "##vso[task.setvariable variable=ARTIFACT_NAME]$SafeArtifactName"
diff --git a/eng/common/generate-sbom-prep.sh b/eng/common/generate-sbom-prep.sh
deleted file mode 100755
index b8ecca72bbf..00000000000
--- a/eng/common/generate-sbom-prep.sh
+++ /dev/null
@@ -1,39 +0,0 @@
-#!/usr/bin/env bash
-
-source="${BASH_SOURCE[0]}"
-
-# resolve $SOURCE until the file is no longer a symlink
-while [[ -h $source ]]; do
-  scriptroot="$( cd -P "$( dirname "$source" )" && pwd )"
-  source="$(readlink "$source")"
-
-  # if $source was a relative symlink, we need to resolve it relative to the path where the
-  # symlink file was located
-  [[ $source != /* ]] && source="$scriptroot/$source"
-done
-scriptroot="$( cd -P "$( dirname "$source" )" && pwd )"
-. $scriptroot/pipeline-logging-functions.sh
-
-
-# replace all special characters with _, some builds use special characters like : in Agent.Jobname, that is not a permissible name while uploading artifacts.
-artifact_name=$SYSTEM_STAGENAME"_"$AGENT_JOBNAME"_SBOM"
-safe_artifact_name="${artifact_name//["/:<>\\|?@*$" ]/_}"
-manifest_dir=$1
-
-# Normally - we'd listen to the manifest path given, but 1ES templates will overwrite if this level gets uploaded directly
-# with their own overwriting ours. So we create it as a sub directory of the requested manifest path.
-sbom_generation_dir="$manifest_dir/$safe_artifact_name"
-
-if [ ! -d "$sbom_generation_dir" ] ; then
-  mkdir -p "$sbom_generation_dir"
-  echo "Sbom directory created." $sbom_generation_dir
-else
-  Write-PipelineTelemetryError -category 'Build'  "Unable to create sbom folder."
-fi
-
-echo "Artifact name before : "$artifact_name
-echo "Artifact name after : "$safe_artifact_name
-export ARTIFACT_NAME=$safe_artifact_name
-echo "##vso[task.setvariable variable=ARTIFACT_NAME]$safe_artifact_name"
-
-exit 0
diff --git a/eng/common/template-guidance.md b/eng/common/template-guidance.md
index 4bf4cf41bd7..e2b07a865f1 100644
--- a/eng/common/template-guidance.md
+++ b/eng/common/template-guidance.md
@@ -82,7 +82,6 @@ eng\common\
             publish-build-artifacts.yml      (logic)
             publish-pipeline-artifacts.yml   (logic)
             component-governance.yml         (shim)
-            generate-sbom.yml                (shim)
             publish-logs.yml                 (shim)
             retain-build.yml                 (shim)
             send-to-helix.yml                (shim)
@@ -107,7 +106,6 @@ eng\common\
             setup-maestro-vars.yml           (logic)
         steps\
             component-governance.yml         (logic)
-            generate-sbom.yml                (logic)
             publish-build-artifacts.yml      (redirect)
             publish-logs.yml                 (logic)
             publish-pipeline-artifacts.yml   (redirect)
diff --git a/eng/common/templates-official/job/job.yml b/eng/common/templates-official/job/job.yml
index e84b8cb2d56..d68e9fbc265 100644
--- a/eng/common/templates-official/job/job.yml
+++ b/eng/common/templates-official/job/job.yml
@@ -1,24 +1,15 @@
 parameters:
-# Sbom related params
-  enableSbom: true
   runAsPublic: false
-  PackageVersion: 9.0.0
-  BuildDropPath: '$(System.DefaultWorkingDirectory)/artifacts'
+# Sbom related params, unused now and can eventually be removed
+  enableSbom: unused
+  PackageVersion: unused
+  BuildDropPath: unused
 
 jobs:
 - template: /eng/common/core-templates/job/job.yml
   parameters:
     is1ESPipeline: true
 
-    componentGovernanceSteps:
-    - ${{ if and(eq(parameters.runAsPublic, 'false'), ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest'), eq(parameters.enableSbom, 'true')) }}:
-      - template: /eng/common/templates/steps/generate-sbom.yml
-        parameters:
-          PackageVersion: ${{ parameters.packageVersion }}
-          BuildDropPath: ${{ parameters.buildDropPath }}
-          ManifestDirPath: $(Build.ArtifactStagingDirectory)/sbom
-          publishArtifacts: false
-
     # publish artifacts
     # for 1ES managed templates, use the templateContext.output to handle multiple outputs.
     templateContext:
@@ -31,14 +22,14 @@ jobs:
             targetPath: '$(Build.ArtifactStagingDirectory)/artifacts'
             artifactName: ${{ coalesce(parameters.artifacts.publish.artifacts.name , 'Artifacts_$(Agent.Os)_$(_BuildConfig)') }}
             condition: succeeded()
-            retryCountOnTaskFailure: 10 # for any logs being locked
+            retryCountOnTaskFailure: 10 # for any files being locked
             continueOnError: true
           - output: pipelineArtifact
             displayName: Publish pipeline artifacts
             targetPath: '$(Build.ArtifactStagingDirectory)/artifacts'
             artifactName: ${{ coalesce(parameters.artifacts.publish.artifacts.name , 'Artifacts_$(Agent.Os)_$(_BuildConfig)') }}_Attempt$(System.JobAttempt)
             condition: not(succeeded())
-            retryCountOnTaskFailure: 10 # for any logs being locked
+            retryCountOnTaskFailure: 10 # for any files being locked
             continueOnError: true
         - ${{ if and(ne(parameters.artifacts.publish.logs, 'false'), ne(parameters.artifacts.publish.logs, '')) }}:
           - output: pipelineArtifact
@@ -47,8 +38,8 @@ jobs:
             displayName: 'Publish logs'
             continueOnError: true
             condition: always()
-            retryCountOnTaskFailure: 10 # for any logs being locked
-            sbomEnabled: false  # we don't need SBOM for logs
+            retryCountOnTaskFailure: 10 # for any files being locked
+            isProduction: false # logs are non-production artifacts
 
       - ${{ if eq(parameters.enablePublishBuildArtifacts, true) }}:
         - output: pipelineArtifact
@@ -57,7 +48,8 @@ jobs:
           artifactName: ${{ coalesce(parameters.enablePublishBuildArtifacts.artifactName, '$(Agent.Os)_$(Agent.JobName)_Attempt$(System.JobAttempt)' ) }}
           continueOnError: true
           condition: always()
-          sbomEnabled: false  # we don't need SBOM for logs
+          retryCountOnTaskFailure: 10 # for any files being locked
+          isProduction: false # logs are non-production artifacts
 
       - ${{ if eq(parameters.enableBuildRetry, 'true') }}:
         - output: pipelineArtifact
@@ -65,14 +57,8 @@ jobs:
           artifactName: 'BuildConfiguration'
           displayName: 'Publish build retry configuration'
           continueOnError: true
-          sbomEnabled: false  # we don't need SBOM for BuildConfiguration
-
-      - ${{ if and(eq(parameters.runAsPublic, 'false'), ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest'), eq(parameters.enableSbom, 'true')) }}:
-        - output: pipelineArtifact
-          displayName: Publish SBOM manifest
-          continueOnError: true
-          targetPath: $(Build.ArtifactStagingDirectory)/sbom
-          artifactName: $(ARTIFACT_NAME)
+          retryCountOnTaskFailure: 10 # for any files being locked
+          isProduction: false # BuildConfiguration is a non-production artifact
 
       # V4 publishing: automatically publish staged artifacts as a pipeline artifact.
       # The artifact name matches the SDK's FutureArtifactName ($(System.PhaseName)_Artifacts),
@@ -84,6 +70,7 @@ jobs:
           targetPath: '$(Build.ArtifactStagingDirectory)/artifacts'
           artifactName: '$(System.PhaseName)_Artifacts'
           continueOnError: true
+          retryCountOnTaskFailure: 10 # for any files being locked
 
       # add any outputs provided via root yaml
       - ${{ if ne(parameters.templateContext.outputs, '') }}:
diff --git a/eng/common/templates-official/steps/component-governance.yml b/eng/common/templates-official/steps/component-governance.yml
deleted file mode 100644
index 30bb3985ca2..00000000000
--- a/eng/common/templates-official/steps/component-governance.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-steps:
-- template: /eng/common/core-templates/steps/component-governance.yml
-  parameters:
-    is1ESPipeline: true
-
-    ${{ each parameter in parameters }}:
-      ${{ parameter.key }}: ${{ parameter.value }}
diff --git a/eng/common/templates/job/job.yml b/eng/common/templates/job/job.yml
index c096f906375..5e261f34db4 100644
--- a/eng/common/templates/job/job.yml
+++ b/eng/common/templates/job/job.yml
@@ -1,12 +1,12 @@
 parameters: 
   enablePublishBuildArtifacts: false
-  disableComponentGovernance: ''
-  componentGovernanceIgnoreDirectories: ''
-# Sbom related params
-  enableSbom: true
   runAsPublic: false
-  PackageVersion: 9.0.0
-  BuildDropPath: '$(System.DefaultWorkingDirectory)/artifacts'
+# CG related params, unused now and can eventually be removed
+  disableComponentGovernance: unused
+# Sbom related params, unused now and can eventually be removed
+  enableSbom: unused
+  PackageVersion: unused
+  BuildDropPath: unused
 
 jobs:
 - template: /eng/common/core-templates/job/job.yml
@@ -21,17 +21,10 @@ jobs:
     - ${{ each step in parameters.steps }}:
       - ${{ step }}
 
-    componentGovernanceSteps:
-    - template: /eng/common/templates/steps/component-governance.yml
-      parameters:
-        ${{ if eq(parameters.disableComponentGovernance, '') }}:
-          ${{ if and(ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest'), eq(parameters.runAsPublic, 'false'), or(startsWith(variables['Build.SourceBranch'], 'refs/heads/release/'), startsWith(variables['Build.SourceBranch'], 'refs/heads/dotnet/'), startsWith(variables['Build.SourceBranch'], 'refs/heads/microsoft/'), eq(variables['Build.SourceBranch'], 'refs/heads/main'))) }}:
-            disableComponentGovernance: false
-          ${{ else }}:
-            disableComponentGovernance: true
-        ${{ else }}:
-          disableComponentGovernance: ${{ parameters.disableComponentGovernance }}
-        componentGovernanceIgnoreDirectories: ${{ parameters.componentGovernanceIgnoreDirectories }}
+    # we don't run CG in public
+    - ${{ if eq(variables['System.TeamProject'], 'public') }}:
+      - script: echo "##vso[task.setvariable variable=skipComponentGovernanceDetection]true"
+        displayName: Set skipComponentGovernanceDetection variable
 
     artifactPublishSteps:
     - ${{ if ne(parameters.artifacts.publish, '') }}:
@@ -45,7 +38,7 @@ jobs:
               artifactName: ${{ coalesce(parameters.artifacts.publish.artifacts.name , 'Artifacts_$(Agent.Os)_$(_BuildConfig)') }}
               continueOnError: true
               condition: succeeded()
-              retryCountOnTaskFailure: 10 # for any logs being locked
+              retryCountOnTaskFailure: 10 # for any files being locked
         - template: /eng/common/core-templates/steps/publish-pipeline-artifacts.yml
           parameters:
             is1ESPipeline: false
@@ -55,7 +48,7 @@ jobs:
               artifactName: ${{ coalesce(parameters.artifacts.publish.artifacts.name , 'Artifacts_$(Agent.Os)_$(_BuildConfig)') }}_Attempt$(System.JobAttempt)
               continueOnError: true
               condition: not(succeeded())
-              retryCountOnTaskFailure: 10 # for any logs being locked
+              retryCountOnTaskFailure: 10 # for any files being locked
       - ${{ if and(ne(parameters.artifacts.publish.logs, 'false'), ne(parameters.artifacts.publish.logs, '')) }}:
         - template: /eng/common/core-templates/steps/publish-pipeline-artifacts.yml
           parameters:
@@ -66,8 +59,7 @@ jobs:
               displayName: 'Publish logs'
               continueOnError: true
               condition: always()
-              retryCountOnTaskFailure: 10 # for any logs being locked
-              sbomEnabled: false  # we don't need SBOM for logs
+              retryCountOnTaskFailure: 10 # for any files being locked
 
     - ${{ if ne(parameters.enablePublishBuildArtifacts, 'false') }}:
       - template: /eng/common/core-templates/steps/publish-pipeline-artifacts.yml
@@ -79,7 +71,7 @@ jobs:
             artifactName: ${{ coalesce(parameters.enablePublishBuildArtifacts.artifactName, '$(Agent.Os)_$(Agent.JobName)_Attempt$(System.JobAttempt)' ) }}
             continueOnError: true
             condition: always()
-            sbomEnabled: false
+            retryCountOnTaskFailure: 10 # for any files being locked
 
     - ${{ if eq(parameters.enableBuildRetry, 'true') }}:
       - template: /eng/common/core-templates/steps/publish-pipeline-artifacts.yml
@@ -90,4 +82,4 @@ jobs:
             artifactName: 'BuildConfiguration'
             displayName: 'Publish build retry configuration'
             continueOnError: true
-            sbomEnabled: false  # we don't need SBOM for BuildConfiguration
+            retryCountOnTaskFailure: 10 # for any files being locked
diff --git a/eng/common/templates/steps/component-governance.yml b/eng/common/templates/steps/component-governance.yml
deleted file mode 100644
index c12a5f8d21d..00000000000
--- a/eng/common/templates/steps/component-governance.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-steps:
-- template: /eng/common/core-templates/steps/component-governance.yml
-  parameters:
-    is1ESPipeline: false
-
-    ${{ each parameter in parameters }}:
-      ${{ parameter.key }}: ${{ parameter.value }}

From 23666dbdd73aa1fcce84c4bfe381210dd4a93b03 Mon Sep 17 00:00:00 2001
From: "Matt Mitchell (.NET)" <mmitche@microsoft.com>
Date: Wed, 8 Apr 2026 11:29:35 -0700
Subject: [PATCH 11/11] Revert promote-build backport for release/10.0

---
 eng/promote-build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/eng/promote-build.yml b/eng/promote-build.yml
index 447a2d3eeaf..76ff4a13733 100644
--- a/eng/promote-build.yml
+++ b/eng/promote-build.yml
@@ -69,7 +69,7 @@ extends:
         os: windows
       ${{ else }}:
         name: NetCore1ESPool-Publishing-Internal
-        image: windows.vs2022.amd64
+        image: windows.vs2026.amd64
         os: windows
     sdl:
       policheck: