Skip to content

Encryption Pipelines: Adds SDK-surface parity build to catch TypeLoad gaps#5798

Merged
microsoft-github-policy-service[bot] merged 5 commits intomasterfrom
users/ntripician/encryption-pipeline-sdkref
Apr 24, 2026
Merged

Encryption Pipelines: Adds SDK-surface parity build to catch TypeLoad gaps#5798
microsoft-github-policy-service[bot] merged 5 commits intomasterfrom
users/ntripician/encryption-pipeline-sdkref

Conversation

@NaluTripician
Copy link
Copy Markdown
Contributor

@NaluTripician NaluTripician commented Apr 21, 2026
edited
Loading

Problem

The Encryption and Encryption.Custom official release pipelines previously built each project only against the pinned Microsoft.Azure.Cosmos NuGet declared in the project file. That does not detect abstract members added to Container on master that lack an unconditional override in EncryptionContainer — the exact class of defect fixed by #5783 (SemanticRerankAsync TypeLoadException).

The customer-facing symptom from #5783:

System.TypeLoadException: Method SemanticRerankAsync in type Microsoft.Azure.Cosmos.Encryption.Custom.EncryptionContainer does not have an implementation.

Why a naive SDKREF build is not enough

The override was gated #if PREVIEW && SDKPROJECTREF. Any build that defines both symbols — which is what the existing PR-validation build (build-preview.yml) does, and what an obvious "build with SdkProjectRef=true" addition would also do — compiles the override back in and the missing-implementation condition never manifests:

Build mode PREVIEW SDKPROJECTREF Override present? Catches the bug?
Current default (NuGet ref, pinned 3.41.0-preview.0) — (no abstract either)
-p:IsPreview=true -p:SdkProjectRef=true ❌ (masks the defect)
New parity build (DefineSdkProjectRefSymbol=false)

The bug only manifests when PREVIEW is on and SDKPROJECTREF is off, linked against an SDK that contains the new abstract member. That is the exact surface of the shipped Encryption.Custom NuGet.

Change

  1. Decouple the SDKPROJECTREF preprocessor define from the SdkProjectRef MSBuild property via a new DefineSdkProjectRefSymbol knob in both:

    • Microsoft.Azure.Cosmos.Encryption.Custom/src/Microsoft.Azure.Cosmos.Encryption.Custom.csproj
    • Microsoft.Azure.Cosmos.Encryption/src/Microsoft.Azure.Cosmos.Encryption.csproj

    Default behaviour is unchanged: SdkProjectRef=true still sets SDKPROJECTREF. Pipelines can now opt out with -p:DefineSdkProjectRefSymbol=false.

  2. Add two build steps to each encryption official release-gate template (templates/static-tools-encryption.yml, templates/static-tools-encryption-custom.yml):

    • SDKREF build-p:IsPreview=true -p:SdkProjectRef=true. Verifies the full project-reference path still compiles against master SDK source.
    • NuGet-surface parity build-p:IsPreview=true -p:SdkProjectRef=true -p:DefineSdkProjectRefSymbol=false. Links against master SDK source with the exact preprocessor surface of the shipped NuGet. Any newly-added abstract member on Container under #if PREVIEW without an unconditional override in EncryptionContainer now fails this step with CS0534.

Proof the pipeline catches #5783

I reverted #5783 in a worktree (virtualabstract on Container.SemanticRerankAsync) and ran the new parity build for Encryption.Custom:

error CS0534: 'EncryptionContainer' does not implement inherited abstract
member 'Container.SemanticRerankAsync(string, IEnumerable<string>,
IDictionary<string, object>, CancellationToken)'
Build FAILED.

That is exactly the runtime TypeLoadException surface from the customer report, caught at compile time.

All six build permutations (default / SDKREF / parity × Encryption / Encryption.Custom) pass at the fixed state:

Project Default (NuGet) SDKREF NuGet-surface parity
Microsoft.Azure.Cosmos.Encryption
Microsoft.Azure.Cosmos.Encryption.Custom

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update

Closing issues

Related to #5783.

@azure-pipelines
Copy link
Copy Markdown

azure-pipelines Bot commented Apr 21, 2026

Azure Pipelines:
Successfully started running 1 pipeline(s).

@NaluTripician
Encryption Pipelines: Adds SDK-surface parity build to catch TypeLoad…
ed8ee9d 
… gaps

The Encryption and Encryption.Custom official release pipelines previously

built each project only against the pinned Microsoft.Azure.Cosmos NuGet.

That does not detect abstract members added to Container on master that lack

an unconditional override in EncryptionContainer - the exact class of defect

fixed by PR #5783 (SemanticRerankAsync TypeLoadException).

The override for the fixed method was gated '#if PREVIEW && SDKPROJECTREF',

so a build that defines both symbols (the existing PR validation pattern)

also masks the defect: the override is compiled back in and the missing-

implementation condition never manifests. The bug only surfaces when the

Encryption.Custom NuGet is built with PREVIEW on and SDKPROJECTREF off and

is then loaded against an SDK that contains the new abstract member.

This change:

1. Decouples the SDKPROJECTREF preprocessor define from the SdkProjectRef

   MSBuild property via a new DefineSdkProjectRefSymbol knob. Default

   behavior is unchanged: SdkProjectRef=true still sets SDKPROJECTREF.

2. Adds two build steps to each encryption official release-gate template:

   - SDKREF build: '-p:IsPreview=true -p:SdkProjectRef=true' - verifies the

     full project-reference path still compiles against master SDK source.

   - NuGet-surface parity build: '-p:IsPreview=true -p:SdkProjectRef=true

     -p:DefineSdkProjectRefSymbol=false' - links against master SDK source

     with the exact preprocessor surface of the shipped NuGet (PREVIEW on,

     SDKPROJECTREF off). Any newly-added abstract member on Container that

     lacks an unconditional override in EncryptionContainer now fails this

     step with CS0534.

Verified locally by reverting PR #5783 in a worktree: the parity build for

Encryption.Custom fails with CS0534 on SemanticRerankAsync, exactly catching

the bug. All six build permutations (default + SDKREF + parity for both

Encryption and Encryption.Custom) pass at the fixed state.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@NaluTripician NaluTripician force-pushed the users/ntripician/encryption-pipeline-sdkref branch from 5d167db to ed8ee9d Compare April 21, 2026 23:11
@azure-pipelines
Copy link
Copy Markdown

azure-pipelines Bot commented Apr 21, 2026

Azure Pipelines:
Successfully started running 1 pipeline(s).

@NaluTripician NaluTripician changed the title Encryption Pipelines: Adds SDKREF build alongside default NuGet build Encryption Pipelines: Adds SDK-surface parity build to catch TypeLoad gaps Apr 21, 2026
kushagraThapar
kushagraThapar reviewed Apr 22, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@kushagraThapar kushagraThapar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shall we add a new job that handles this for the CI pipeline for every PR? Otherwise, we will still miss this when developing, right?

@NaluTripician
Copy link
Copy Markdown
Contributor Author

NaluTripician commented Apr 22, 2026

Shall we add a new job that handles this for the CI pipeline for every PR? Otherwise, we will still miss this when developing, right?

@kushagraThapar this should now trigger with every PR once merged

kushagraThapar
kushagraThapar reviewed Apr 22, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@kushagraThapar kushagraThapar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shall we add a new job that handles this for the CI pipeline for every PR? Otherwise, we will still miss this when developing, right?

Comment thread templates/static-tools-encryption.yml
@NaluTripician
Encryption Pipelines: Adds NuGet-surface parity build to PR CI
7287c8e 
Adds the same NuGet-surface parity build (IsPreview=true, SdkProjectRef=true,
DefineSdkProjectRefSymbol=false) to templates/build-preview.yml, which is
invoked on every PR via azure-pipelines.yml. The existing release-gate copy
in templates/static-tools-encryption{,-custom}.yml is kept as a
belt-and-suspenders check, but only ran at release time because those
templates are consumed exclusively by azure-pipelines-encryption-{custom-,}official.yml
which use trigger: none / pr: none.

This ensures new abstract members on Container under #if PREVIEW that lack
an unconditional override in EncryptionContainer fail at PR-time with CS0534
instead of at customer runtime as TypeLoadException.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@azure-pipelines
Copy link
Copy Markdown

azure-pipelines Bot commented Apr 22, 2026

Azure Pipelines:
Successfully started running 1 pipeline(s).

@azure-pipelines
Copy link
Copy Markdown

azure-pipelines Bot commented Apr 23, 2026

Azure Pipelines:
Successfully started running 1 pipeline(s).

@NaluTripician NaluTripician requested a review from kirillg as a code owner April 23, 2026 20:44
@azure-pipelines
Copy link
Copy Markdown

azure-pipelines Bot commented Apr 23, 2026

Azure Pipelines:
Successfully started running 1 pipeline(s).

@NaluTripician NaluTripician force-pushed the users/ntripician/encryption-pipeline-sdkref branch from 09ea3e4 to 84832a5 Compare April 23, 2026 21:32
@azure-pipelines
Copy link
Copy Markdown

azure-pipelines Bot commented Apr 23, 2026

Azure Pipelines:
Successfully started running 1 pipeline(s).

@azure-pipelines
Copy link
Copy Markdown

azure-pipelines Bot commented Apr 23, 2026

Azure Pipelines:
Successfully started running 1 pipeline(s).

@azure-pipelines
Copy link
Copy Markdown

azure-pipelines Bot commented Apr 24, 2026

Azure Pipelines:
Successfully started running 1 pipeline(s).

kundadebdatta
kundadebdatta approved these changes Apr 24, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@kundadebdatta kundadebdatta left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

@NaluTripician NaluTripician added the auto-merge Enables automation to merge PRs label Apr 24, 2026
@microsoft-github-policy-service microsoft-github-policy-service Bot enabled auto-merge (squash) April 24, 2026 21:48
@microsoft-github-policy-service microsoft-github-policy-service Bot merged commit ee8836e into master Apr 24, 2026
32 checks passed
@microsoft-github-policy-service microsoft-github-policy-service Bot deleted the users/ntripician/encryption-pipeline-sdkref branch April 24, 2026 22:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kushagraThapar kushagraThapar kushagraThapar approved these changes

@kundadebdatta kundadebdatta kundadebdatta approved these changes

@ananth7592 ananth7592 ananth7592 approved these changes

@kirankumarkolli kirankumarkolli Awaiting requested review from kirankumarkolli kirankumarkolli is a code owner

@FabianMeiswinkel FabianMeiswinkel Awaiting requested review from FabianMeiswinkel FabianMeiswinkel is a code owner

@sboshra sboshra Awaiting requested review from sboshra sboshra is a code owner

@Pilchie Pilchie Awaiting requested review from Pilchie Pilchie is a code owner

@kirillg kirillg Awaiting requested review from kirillg

Assignees

No one assigned

Labels

auto-merge Enables automation to merge PRs

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@NaluTripician @kushagraThapar @kundadebdatta @ananth7592