.azure-pipelines: introduce esrp/sign.yml template

mjcheetham · mjcheetham · commit 6eaea92f6434 · 2026-05-14T14:13:11.000+01:00
Refactor the three EsrpCodeSigning@6 invocations in release.yml
(Payload binaries, FastFetch, installer) to use a shared
.azure-pipelines/esrp/sign.yml step template, modeled on the same
template in microsoft/git.

The template:

  * Forwards the per-call inputs (displayName, folderPath, pattern,
    inlineOperation) to EsrpCodeSigning@6.

  * Provides defaults for the ESRP connection parameters that point
    at the standard pipeline variables ($(esrpAppConnectionName),
    $(esrpClientId), etc.), so callers don't repeat them.

  * Runs an inline PowerShell@2 step right after each signing
    operation that removes the CodeSignSummary-&lt;guid&gt;.md report
    ESRP CLI drops into the signing folder. Without this, those
    .md files would otherwise end up packaged into SetupGVFS.exe
    (Payload), or uploaded as part of the FastFetch and Installer
    pipeline artifacts.

Net effect on release.yml is a small reduction in line count and,
more importantly, cleanup is no longer something a future caller
can forget to wire up.

Signed-off-by: Matthew John Cheetham &lt;mjcheetham@outlook.com&gt;
diff --git a/.azure-pipelines/esrp/sign.yml b/.azure-pipelines/esrp/sign.yml
@@ -0,0 +1,59 @@
+# Reusable step template for ESRP code signing via EsrpCodeSigning@6.
+#
+# Wraps a single signing operation with automatic cleanup of the
+# CodeSignSummary-<guid>.md report ESRP CLI drops into the signing
+# folder -- otherwise that file is packaged into the installer or
+# uploaded as part of the pipeline artifact.
+#
+parameters:
+  - name: displayName
+    type: string
+  - name: folderPath
+    type: string
+  - name: pattern
+    type: string
+  - name: inlineOperation
+    type: string
+  # ESRP connection parameters (defaults use pipeline variables)
+  - name: connectedServiceName
+    type: string
+    default: $(esrpAppConnectionName)
+  - name: appRegistrationClientId
+    type: string
+    default: $(esrpClientId)
+  - name: appRegistrationTenantId
+    type: string
+    default: $(esrpTenantId)
+  - name: authAkvName
+    type: string
+    default: $(esrpKeyVaultName)
+  - name: authSignCertName
+    type: string
+    default: $(esrpSignReqCertName)
+  - name: serviceEndpointUrl
+    type: string
+    default: $(esrpEndpointUrl)
+
+steps:
+  - task: EsrpCodeSigning@6
+    displayName: '${{ parameters.displayName }}'
+    inputs:
+      connectedServiceName: '${{ parameters.connectedServiceName }}'
+      useMSIAuthentication: true
+      appRegistrationClientId: '${{ parameters.appRegistrationClientId }}'
+      appRegistrationTenantId: '${{ parameters.appRegistrationTenantId }}'
+      authAkvName: '${{ parameters.authAkvName }}'
+      authSignCertName: '${{ parameters.authSignCertName }}'
+      serviceEndpointUrl: '${{ parameters.serviceEndpointUrl }}'
+      folderPath: '${{ parameters.folderPath }}'
+      pattern: '${{ parameters.pattern }}'
+      useMinimatch: true
+      signConfigType: inlineSignParams
+      inlineOperation: ${{ parameters.inlineOperation }}
+
+  - task: PowerShell@2
+    displayName: 'Clean up code signing artifacts (${{ parameters.displayName }})'
+    inputs:
+      targetType: inline
+      script: |
+        Remove-Item -Force "${{ parameters.folderPath }}\CodeSignSummary-*.md" -ErrorAction SilentlyContinue
diff --git a/.azure-pipelines/release.yml b/.azure-pipelines/release.yml
@@ -143,16 +143,9 @@ extends:
               # The installer hasn't been built yet, so it can be packaged from
               # signed binaries in a single Inno Setup pass.
               - ${{ if eq(parameters.esrp, true) }}:
-                - task: EsrpCodeSigning@6
-                  displayName: 'Sign VFS for Git binaries'
-                  inputs:
-                    connectedServiceName: $(esrpAppConnectionName)
-                    useMSIAuthentication: true
-                    appRegistrationClientId: $(esrpClientId)
-                    appRegistrationTenantId: $(esrpTenantId)
-                    authAkvName: $(esrpKeyVaultName)
-                    authSignCertName: $(esrpSignReqCertName)
-                    serviceEndpointUrl: $(esrpEndpointUrl)
+                - template: .azure-pipelines/esrp/sign.yml@self
+                  parameters:
+                    displayName: 'Sign VFS for Git binaries'
                     folderPath: $(OutDir)\GVFS.Payload\bin\$(BuildConfiguration)\win-x64
                     pattern: |
                       GitHooksLoader.exe
@@ -163,8 +156,6 @@ extends:
                       GVFS.ReadObjectHook.exe
                       GVFS.Service.exe
                       GVFS.VirtualFileSystemHook.exe
-                    useMinimatch: true
-                    signConfigType: inlineSignParams
                     inlineOperation: |
                       [
                         {
@@ -189,20 +180,11 @@ extends:
                         }
                       ]
 
-                - task: EsrpCodeSigning@6
-                  displayName: 'Sign FastFetch'
-                  inputs:
-                    connectedServiceName: $(esrpAppConnectionName)
-                    useMSIAuthentication: true
-                    appRegistrationClientId: $(esrpClientId)
-                    appRegistrationTenantId: $(esrpTenantId)
-                    authAkvName: $(esrpKeyVaultName)
-                    authSignCertName: $(esrpSignReqCertName)
-                    serviceEndpointUrl: $(esrpEndpointUrl)
+                - template: .azure-pipelines/esrp/sign.yml@self
+                  parameters:
+                    displayName: 'Sign FastFetch'
                     folderPath: $(OutDir)\FastFetch\bin\$(BuildConfiguration)\net10.0-windows10.0.17763.0\win-x64\publish
                     pattern: 'FastFetch.exe'
-                    useMinimatch: true
-                    signConfigType: inlineSignParams
                     inlineOperation: |
                       [
                         {
@@ -240,20 +222,11 @@ extends:
                 displayName: 'Build VFS for Git installer'
 
               - ${{ if eq(parameters.esrp, true) }}:
-                - task: EsrpCodeSigning@6
-                  displayName: 'Sign VFS for Git installer'
-                  inputs:
-                    connectedServiceName: $(esrpAppConnectionName)
-                    useMSIAuthentication: true
-                    appRegistrationClientId: $(esrpClientId)
-                    appRegistrationTenantId: $(esrpTenantId)
-                    authAkvName: $(esrpKeyVaultName)
-                    authSignCertName: $(esrpSignReqCertName)
-                    serviceEndpointUrl: $(esrpEndpointUrl)
+                - template: .azure-pipelines/esrp/sign.yml@self
+                  parameters:
+                    displayName: 'Sign VFS for Git installer'
                     folderPath: $(OutDir)\GVFS.Installers\bin\$(BuildConfiguration)\win-x64
                     pattern: 'SetupGVFS.*.exe'
-                    useMinimatch: true
-                    signConfigType: inlineSignParams
                     inlineOperation: |
                       [
                         {
