From b011cf7785d4d89ff1aabbffa4b9ca7ff10a10ba Mon Sep 17 00:00:00 2001
From: Ben Hillis
Date: Thu, 14 May 2026 23:34:19 -0700
Subject: [PATCH] Pipelines: exclude in-repo .ps1 scripts from CodeSign post-analysis (#40541)

The Guardian CodeSign tool was scanning all .ps1 files in the source tree and failing the release build on diagnostic / dev / test helper scripts that aren't shipped (the OneBranch codesign targetGlob already restricts signing to .dll/.exe/.sys/.msi/.msix/.appx/.nupkg). Set ob_sdl_codeSignValidation_excludes to skip **\*.ps1 at the pipeline level for the release, nightly, and PR OneBranch pipelines, and combine with the existing testbin\** exclude in build-job.yml.

Co-authored-by: Ben Hillis
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .pipelines/build-job.yml | 3 +--
 .pipelines/wsl-build-nightly-onebranch.yml | 1 +
 .pipelines/wsl-build-pr-onebranch.yml | 1 +
 .pipelines/wsl-build-release-onebranch.yml | 1 +
 4 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/.pipelines/build-job.yml b/.pipelines/build-job.yml
index 0655db7a2..e98f84780 100644
--- a/.pipelines/build-job.yml
+++ b/.pipelines/build-job.yml
@@ -70,8 +70,7 @@ jobs:
 ob_artifactBaseName: 'drop_wsl'
 ob_artifactSuffix: '${{ parameters.artifactSuffix }}'
 packageStagingDir: '$(Build.SourcesDirectory)\packageStagingDir'
- ${{ if parameters.includeTestArtifacts }}:
- ob_sdl_codeSignValidation_excludes: -|**testbin\**
+ ob_sdl_codeSignValidation_excludes: -|**\*.ps1;-|**\testbin\**
 ${{ if parameters.includeCodeQL }}:
 Codeql.PublishDatabaseLog: true
 Codeql.SourceRoot: src
diff --git a/.pipelines/wsl-build-nightly-onebranch.yml b/.pipelines/wsl-build-nightly-onebranch.yml
index 1434dd233..3d490f2dd 100644
--- a/.pipelines/wsl-build-nightly-onebranch.yml
+++ b/.pipelines/wsl-build-nightly-onebranch.yml
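Review bot: The new `ob_sdl_codeSignValidation_excludes` line in build-job.yml silently drops the `${{ if parameters.includeTestArtifacts }}:` guard, so the `testbin` exclusion now applies to every build rather than only those that package test artifacts, and the description mentions combining the patterns but not removing the condition. If `testbin` only exists when test artifacts are built this is harmless, but the widening should be stated; a comment above the line such as `# .ps1 files are never signed (codesign targetGlob) and none ship; testbin holds unsigned test binaries` would record why both exclusions are safe to apply unconditionally. The testbin pattern also changes from `**testbin\**` to `**\testbin\**`, which presumably stops matching directories whose name merely ends in `testbin`; that looks like a correction but is a behaviour change worth noting in the description. Excluding `**\*.ps1` repo-wide also means a PowerShell script that does land in the drop would no longer be flagged as unsigned, so narrowing the glob to the directories that hold the helper scripts would keep the check meaningful if one is ever packaged.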
@@ -11,6 +11,7 @@ schedules:
 variables:
 WindowsContainerImage: "onebranch.azurecr.io/windows/ltsc2022/vse2022:latest"
 WindowsHostVersion: '1ESWindows2022'
+ ob_sdl_codeSignValidation_excludes: -|**\*.ps1
 
 resources:
 repositories:
diff --git a/.pipelines/wsl-build-pr-onebranch.yml b/.pipelines/wsl-build-pr-onebranch.yml
index 92a8a4cbd..1eeea2473 100644
--- a/.pipelines/wsl-build-pr-onebranch.yml
+++ b/.pipelines/wsl-build-pr-onebranch.yml
@@ -7,6 +7,7 @@ trigger:
 variables:
 WindowsContainerImage: "onebranch.azurecr.io/windows/ltsc2022/vse2022:latest"
 WindowsHostVersion: '1ESWindows2022'
+ ob_sdl_codeSignValidation_excludes: -|**\*.ps1
 
 resources:
 repositories:
diff --git a/.pipelines/wsl-build-release-onebranch.yml b/.pipelines/wsl-build-release-onebranch.yml
index 65baa55f2..896877679 100644
--- a/.pipelines/wsl-build-release-onebranch.yml
+++ b/.pipelines/wsl-build-release-onebranch.yml
@@ -21,6 +21,7 @@ trigger:
 variables:
 WindowsContainerImage: "onebranch.azurecr.io/windows/ltsc2022/vse2022:latest"
 WindowsHostVersion: '1ESWindows2022'
+ ob_sdl_codeSignValidation_excludes: -|**\*.ps1
 
 resources:
 repositories:
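Review bot: The pipeline-level `ob_sdl_codeSignValidation_excludes: -|**\*.ps1` added under `variables:` in wsl-build-nightly-onebranch.yml, and identically in wsl-build-pr-onebranch.yml and wsl-build-release-onebranch.yml, carries no comment explaining how it relates to the fuller value build-job.yml now sets at job scope. I take it the job-level variable wins for that job and the pipeline-level copy covers any other job in the pipeline, but a reader of these files alone cannot tell; a comment such as `# Skip in-repo .ps1 helper scripts in CodeSign post-analysis; build-job.yml extends this for the build job — keep in sync` above each of the three lines would make that explicit. With the same literal now in four places, any later change to the exclusion has to be replicated by hand, so if the three pipelines share a common variables template that would be the better home for it.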