From 46bdc0b26773750d79f368c0205cad19528889a2 Mon Sep 17 00:00:00 2001 From: Ben Russell Date: Tue, 19 Aug 2025 12:57:25 -0500 Subject: [PATCH 1/4] * Add signing key path to roslyn analyzers * Make signing key path an argument to build and roslyn analyzers steps * Enable strong name signing on buddy (unofficial) builds * Add akv official job to solution file --- eng/pipelines/jobs/build-akv-official-job.yml | 2 ++ eng/pipelines/steps/compound-build-akv-step.yml | 13 ++++++++++++- eng/pipelines/steps/roslyn-analyzers-akv-step.yml | 13 ++++++++++--- src/Microsoft.Data.SqlClient.sln | 3 +++ ...ent.AlwaysEncrypted.AzureKeyVaultProvider.csproj | 6 +++--- 5 files changed, 30 insertions(+), 7 deletions(-) diff --git a/eng/pipelines/jobs/build-akv-official-job.yml b/eng/pipelines/jobs/build-akv-official-job.yml index a4374b773b..af8f546eff 100644 --- a/eng/pipelines/jobs/build-akv-official-job.yml +++ b/eng/pipelines/jobs/build-akv-official-job.yml @@ -91,6 +91,7 @@ jobs: assemblyFileVersion: '${{ parameters.assemblyFileVersion }}' buildConfiguration: '${{ parameters.buildConfiguration }}' mdsPackageVersion: '${{ parameters.mdsPackageVersion }}' + signingKeyPath: '$(Agent.TempDirectory)/netfxKeypair.snk' - ${{ each targetFramework in parameters.targetFrameworks }}: - template: ../steps/compound-extract-akv-apiscan-files-step.yml @@ -105,6 +106,7 @@ jobs: parameters: buildConfiguration: '${{ parameters.buildConfiguration }}' mdsPackageVersion: '${{ parameters.mdsPackageVersion }}' + signingKeyPath: '$(Agent.TempDirectory)/netfxKeypair.snk' - template: ../steps/compound-esrp-code-signing-step.yml@self parameters: diff --git a/eng/pipelines/steps/compound-build-akv-step.yml b/eng/pipelines/steps/compound-build-akv-step.yml index 906dcfaf72..b7191d7df6 100644 --- a/eng/pipelines/steps/compound-build-akv-step.yml +++ b/eng/pipelines/steps/compound-build-akv-step.yml 
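Review bot: The literal path `$(Agent.TempDirectory)/netfxKeypair.snk` is now written twice in this job (once for the build step, once for the Roslyn analyzers step) and has to agree with wherever the DownloadSecureFile task inside compound-build-akv-step.yml actually places the file, which this job file cannot see. Hoisting it once, e.g. `signingKeyPath: '$(Agent.TempDirectory)/netfxKeypair.snk'` under the job's `variables:` and passing `'$(signingKeyPath)'` to both templates, keeps the two in step; if the download task has a `name:`, its `$(<name>.secureFilePath)` output would be the authoritative value instead of a hand-written path. The second use also relies on the analyzer step running in the same job after the build step, since Agent.TempDirectory is scratch space that does not survive across jobs — worth a one-line comment next to that occurrence. The enclosing job definition starts outside this hunk.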
@@ -19,6 +19,9 @@ parameters: - name: mdsPackageVersion type: string + - name: signingKeyPath + type: string + steps: - task: DownloadSecureFile@1 displayName: 'Download Signing Key' @@ -38,6 +41,14 @@ steps: packageType: 'runtime' version: '8.x' + # @TODO: TEMPORARY DIAGNOSTICS + - task: CopyFiles@2 + displayName: 'DIAG: Copy SNK' + inputs: + contents: '*.snk' + sourceFolder: '$(Agent.TempDirectory)' + targetFolder: '$(ARTIFACT_PATH)/diag' + - task: MSBuild@1 displayName: 'Build.proj - BuildAkv' inputs: @@ -48,7 +59,7 @@ steps: -p:AssemblyFileVersion=${{ parameters.assemblyFileVersion }} -p:NugetPackageVersion=${{ parameters.mdsPackageVersion }} -p:ReferenceType=Package - -p:SigningKeyPath=$(Agent.TempDirectory)/netfxKeypair.snk + -p:SigningKeyPath=${{ parameters.signingKeyPath }} - script: tree /a /f $(BUILD_OUTPUT) displayName: Output Build Output Tree diff --git a/eng/pipelines/steps/roslyn-analyzers-akv-step.yml b/eng/pipelines/steps/roslyn-analyzers-akv-step.yml index 0e05177d5a..fabef2217e 100644 --- a/eng/pipelines/steps/roslyn-analyzers-akv-step.yml +++ b/eng/pipelines/steps/roslyn-analyzers-akv-step.yml 
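Review bot: The `DIAG: Copy SNK` step copies every `*.snk` under `$(Agent.TempDirectory)` — that is, the strong-name keypair the preceding `Download Signing Key` task fetched from the secure-file store — into `$(ARTIFACT_PATH)/diag`, presumably the tree the official job later publishes, so the private half of the signing key leaves the pipeline's secret store. Patch 2 of this series deletes the step, so I am not re-suggesting that; the remaining concern is any run that executed between the two commits: its artifact should be deleted and the owners should decide whether `netfxKeypair.snk` needs rotating (strong names are not a trust boundary in .NET, but downstream consumers may pin the public key token, so this is a judgment call rather than automatic). A cheap guard against a repeat is a step before publishing that fails the job if a key file is present, e.g. `- powershell: if (Get-ChildItem -Path '$(ARTIFACT_PATH)' -Recurse -Filter '*.snk') { throw 'signing key found in artifacts' }`. The DownloadSecureFile task's inputs and the rest of the steps list lie outside this hunk.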
@@ -4,9 +4,13 @@ # See the LICENSE file in the project root for more information. # ################################################################################# -# @TODO: This can probably be made generic and pass in the command lines for msbuild -# BUT, they should be kept separate by now as we rebuild build.proj in parallel, we won't -# affect >1 project at a time. +# NOTE: Because Roslyn analyzers run with the build process, this step must happen within our +# build in order to generate logs that Guardian/SDL can consume. HOWEVER - this step will rebuild +# the project and overwrite any previously build output! Therefore, the command line params in +# this step and the build step must be the same to avoid packaging invalid binaries! +# There is a way to avoid using this task and have analyzers run during the main build, but this +# task will ensure we are using the latest analyzers as per SDL. +# For more info, please see: https://eng.ms/docs/cloud-ai-platform/devdiv/one-engineering-system-1es/1es-mohanb/security-integration/guardian-wiki/sdl-azdo-extension/roslyn-analyzers-build-task parameters: - name: buildConfiguration @@ -15,6 +19,8 @@ parameters: - name: mdsPackageVersion type: string + - name: signingKeyPath + steps: - task: securedevelopmentteam.vss-secure-development-tools.build-task-roslynanalyzers.RoslynAnalyzers@3 displayName: 'Roslyn Analyzers' @@ -27,5 +33,6 @@ steps: -p:Configuration=${{ parameters.buildConfiguration }} -p:NugetPackageVersion=${{ parameters.mdsPackageVersion }} -p:ReferenceType=Package + -p:SigningKeyPath=${{ parameters.signingKeyPath }} msBuildVersion: 17.0 setupCommandLinePicker: vs2022 diff --git a/src/Microsoft.Data.SqlClient.sln b/src/Microsoft.Data.SqlClient.sln index e4d29d999c..c3a9eeb55b 100644 --- a/src/Microsoft.Data.SqlClient.sln +++ b/src/Microsoft.Data.SqlClient.sln 
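Review bot: The new `signingKeyPath` parameter is consumed by the analyzer rebuild further down, but nothing in this template downloads the key — it only works because compound-build-akv-step.yml's DownloadSecureFile task ran earlier in the same job and left the file in Agent.TempDirectory, an ordering dependency the template does not state. A comment beside the parameter would make it explicit: `# Must point at a key already downloaded earlier in this job (see compound-build-akv-step.yml); this template does not fetch it.` Patch 3 of the series adds the missing `type: string`, so that is not re-raised here.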
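Review bot: The NOTE added at the top of this file says the msbuild arguments here must match the build step exactly because this rebuild overwrites its output, yet the visible argument lists still differ: the job (build-akv-official-job.yml) passes `assemblyFileVersion` only to the build step, whose command line carries `-p:AssemblyFileVersion=...`, while this step's arguments end at `-p:SigningKeyPath=${{ parameters.signingKeyPath }}` with no file-version property. If the overwrite the note describes really happens, the packaged binaries would carry the analyzer rebuild's file version rather than the intended one; either thread `assemblyFileVersion` through this template and add `-p:AssemblyFileVersion=${{ parameters.assemblyFileVersion }}` to the list, or correct the note. I may be missing arguments above the hunk's first context line, so please verify against the full msbuildArguments block.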
@@ -287,6 +287,9 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "variables", "variables", "{ EndProjectSection EndProject Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "jobs", "jobs", "{09352F1D-878F-4F55-8AA2-6E47F1AD37D5}" + ProjectSection(SolutionItems) = preProject + ..\eng\pipelines\jobs\build-akv-official-job.yml = ..\eng\pipelines\jobs\build-akv-official-job.yml + EndProjectSection EndProject Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "steps", "steps", "{AD738BD4-6A02-4B88-8F93-FBBBA49A74C8}" ProjectSection(SolutionItems) = preProject diff --git a/src/Microsoft.Data.SqlClient/add-ons/AzureKeyVaultProvider/Microsoft.Data.SqlClient.AlwaysEncrypted.AzureKeyVaultProvider.csproj b/src/Microsoft.Data.SqlClient/add-ons/AzureKeyVaultProvider/Microsoft.Data.SqlClient.AlwaysEncrypted.AzureKeyVaultProvider.csproj index 51af5632e3..dcd2e49477 100644 --- a/src/Microsoft.Data.SqlClient/add-ons/AzureKeyVaultProvider/Microsoft.Data.SqlClient.AlwaysEncrypted.AzureKeyVaultProvider.csproj +++ b/src/Microsoft.Data.SqlClient/add-ons/AzureKeyVaultProvider/Microsoft.Data.SqlClient.AlwaysEncrypted.AzureKeyVaultProvider.csproj @@ -18,14 +18,14 @@ true true + - + true $(SigningKeyPath) - - $(SigningKeyPath) + $([System.IO.Path]::Combine('$(IntermediateOutputPath)','$(GeneratedSourceFileName)')) From ddb6548195adf8fb1a0a532edd514d02ff25c0e6 Mon Sep 17 00:00:00 2001 From: Ben Russell Date: Tue, 19 Aug 2025 13:15:50 -0500 Subject: [PATCH 2/4] Remove diagnostic step ... thought I removed that already :man_facepalming: --- eng/pipelines/steps/compound-build-akv-step.yml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/eng/pipelines/steps/compound-build-akv-step.yml b/eng/pipelines/steps/compound-build-akv-step.yml index b7191d7df6..fb6b0e2a06 100644 --- a/eng/pipelines/steps/compound-build-akv-step.yml +++ b/eng/pipelines/steps/compound-build-akv-step.yml 
@@ -41,14 +41,6 @@ steps: packageType: 'runtime' version: '8.x' - # @TODO: TEMPORARY DIAGNOSTICS - - task: CopyFiles@2 - displayName: 'DIAG: Copy SNK' - inputs: - contents: '*.snk' - sourceFolder: '$(Agent.TempDirectory)' - targetFolder: '$(ARTIFACT_PATH)/diag' - - task: MSBuild@1 displayName: 'Build.proj - BuildAkv' inputs: From d971533aac691a77aa0730913b9bd1049e9d5a09 Mon Sep 17 00:00:00 2001 From: Ben Russell Date: Tue, 19 Aug 2025 13:17:57 -0500 Subject: [PATCH 3/4] Add string type to roslyn analyzer step argument --- eng/pipelines/steps/roslyn-analyzers-akv-step.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/eng/pipelines/steps/roslyn-analyzers-akv-step.yml b/eng/pipelines/steps/roslyn-analyzers-akv-step.yml index fabef2217e..d65ec57ca4 100644 --- a/eng/pipelines/steps/roslyn-analyzers-akv-step.yml +++ b/eng/pipelines/steps/roslyn-analyzers-akv-step.yml @@ -20,6 +20,7 @@ parameters: type: string - name: signingKeyPath + type: string steps: - task: securedevelopmentteam.vss-secure-development-tools.build-task-roslynanalyzers.RoslynAnalyzers@3 From 4a6e6563f60ac3db4b45f317108929ecf21f9992 Mon Sep 17 00:00:00 2001 From: Ben Russell Date: Tue, 19 Aug 2025 14:43:48 -0500 Subject: [PATCH 4/4] vbump --- eng/pipelines/variables/akv-official-variables.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eng/pipelines/variables/akv-official-variables.yml b/eng/pipelines/variables/akv-official-variables.yml index 8e602cb8f9..30176ac98b 100644 --- a/eng/pipelines/variables/akv-official-variables.yml +++ b/eng/pipelines/variables/akv-official-variables.yml @@ -30,7 +30,7 @@ variables: - name: versionMinor value: '1' - name: versionPatch - value: '1' + value: '2' - name: versionPreview value: '-preview1'