Fix/daily ci pool image (#2098)

* fix: add missing image property to daily-ci pipeline pool configuration

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: update spotbugs plugin to 6.5.4

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: update sonarqube plugin to 7.3.0.8198

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Update SpotBugs plugin version to 6.5.5

* fix: add pluginManagement repositories to settings.gradle

Adds gradlePluginPortal() and mavenCentral() as plugin repositories
to ensure plugins can be resolved in restricted network environments
like the Azure DevOps 1ESPT pipeline agents.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Downgrade SpotBugs plugin version to 6.5.4

* fix: make spotbugs/sonarqube plugins conditional for restricted CI environments

Moves spotbugs and sonarqube from the plugins block to buildscript
dependencies with conditional application. Pass -PskipCodeAnalysis
to skip loading these plugins in environments without external
Maven repository access (e.g., ADO 1ESPT pipeline agents).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Change build command from 'assemble' to 'build'

* fix: use system properties for skipCodeAnalysis flag

Project properties (-P) are not available in the buildscript block
during early Gradle evaluation. Switch to system properties (-D)
which are available everywhere via System.getProperty().

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: use Gradle@4 ADO task for daily-ci build

Replace shell script steps with the managed Gradle@4 task which
handles Java setup, dependency resolution, and JUnit test result
publishing natively within ADO infrastructure.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* revert: restore original plugins block in build.gradle

Reverts the conditional buildscript/skipCodeAnalysis changes now that
the daily-ci pipeline uses the managed Gradle@4 ADO task instead.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: match Go SDK daily-ci pool config (remove image property)

The Go SDK daily-ci pipeline works with the same pool without
specifying an image. Removing the image property to use the pool's
default image which has internet access. Also removes the
skipCodeAnalysis flag since build.gradle uses the standard plugins
block.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: enable 1ES internal module proxy for Java dependency resolution

Adds the java.internalModuleProxy feature flag (matching the Go SDK's
golang.internalModuleProxy pattern) to route dependency resolution
through the 1ES internal proxy, bypassing network isolation on the
Azure-Pipelines-1ESPT-ExDShared pool. Also restores image: ubuntu-latest
to match the working Go SDK pipeline configuration.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* test: strip spotbugs/sonarqube plugins in daily-ci to test core dep resolution

Adds a sed step to remove the spotbugs and sonarqube plugin declarations
from build.gradle before running Gradle on network-isolated 1ES agents.
This tests whether the java.internalModuleProxy feature flag enables
Maven Central access for core dependencies (okhttp, etc.).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: also strip spotbugs/sonarqube config blocks from build.gradle

The previous sed only removed plugin declarations but left the
spotbugsMain, spotbugsTest, and sonarqube configuration blocks
which reference the removed plugins.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* test: add networkIsolation overrideAllowRules for Maven/Gradle repos

Attempts to whitelist Maven Central, Gradle Plugin Portal, and Gradle
services endpoints through 1ES network isolation override rules.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Add network isolation policy to CI build pipeline

* fix: correct YAML indentation for settings.networkIsolationPolicy

Moves settings under parameters and removes the rejected
networkIsolation.overrideAllowRules parameter.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: route Gradle deps through CFS upstream Azure Artifacts feed

Generates an init.gradle script that redirects all Gradle repositories
(both dependencies and plugins) to the GraphDeveloperExperiences_Public
Azure Artifacts feed, which has Maven Central as a CFS upstream. This
complies with network isolation on 1ES agents by routing through the
approved Centralized Feed Service instead of public endpoints.

Also removes failed featureFlags and networkIsolationPolicy parameters
that are not supported for Java in 1ES Pipeline Templates.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: remove sed steps, let plugins resolve through CFS feed

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: add CFS upstream feed to build.gradle and settings.gradle

Adds the GraphDeveloperExperiences_Public Azure Artifacts feed (with
Maven Central upstream) to both repositories and publishing.repositories
in build.gradle, and to pluginManagement in settings.gradle. Removes
the init.gradle pipeline workaround in favor of direct configuration.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: add Gradle credentials step for CFS feed authentication

Writes GraphDeveloperExperiences_Public credentials to
~/.gradle/gradle.properties using System.AccessToken for
authentication against the Azure Artifacts CFS upstream feed.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: move CFS feed credentials to gradle.properties

Moves GraphDeveloperExperiences_Public credentials from pipeline
script step to gradle.properties. The token will be overridden
via ADO environment variables at pipeline runtime.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: pass CFS feed token via ADO pipeline variable

Overrides GraphDeveloperExperiences_PublicPassword at build time
using the ARTIFACTS_PAT pipeline variable passed via -P flag.
Configure ARTIFACTS_PAT as a secret variable in the ADO pipeline.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: remove underscore from Gradle repo name (identity constraint)

Gradle PasswordCredentials requires the repository name to contain
only letters and digits. Renames GraphDeveloperExperiences_Public
to GraphDeveloperExperiencesPublic across all config files.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: restore underscores in Azure Artifacts feed URLs

The Gradle repo name must be letters/digits only, but the actual
feed URLs must use the real feed name with underscores.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: restore sed step to strip spotbugs/sonarqube plugins

SpotBugs and SonarQube Gradle plugin marker artifacts are only
published to Gradle Plugin Portal, not Maven Central. The CFS
upstream feed proxies Maven Central but not the Plugin Portal,
so these plugins must be stripped before building.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: strip mavenCentral() and gradlePluginPortal() in pipeline

CFS blocks direct access to public repos with a hard socket error.
Gradle treats this as a failure rather than falling through to the
next repository. Remove public repo declarations so only the CFS
upstream feed is used for dependency resolution.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: enable SpotBugs via Gradle@4 built-in inputs

Uses the Gradle@4 task's native SpotBugs support which resolves
the plugin via Maven coordinates (available on CFS feed) rather
than the Gradle Plugin Portal marker artifact.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* revert: remove SpotBugs from Gradle@4 inputs

Gradle@4 resolves SpotBugs from plugins.gradle.org which is blocked
by CFS. SpotBugs remains available in local dev and GitHub Actions CI.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: ramsessanchez

.azure-pipelines/daily-ci-build.yml

@@ -21,6 +21,7 @@ extends:
   parameters:
     pool:
       name: Azure-Pipelines-1ESPT-ExDShared
+      image: ubuntu-latest
       os: linux
     sdl:
       sourceAnalysisPool:
@@ -42,17 +43,26 @@ extends:
               - checkout: self
                 submodules: recursive
 
-              - task: JavaToolInstaller@0
-                displayName: Set up Java
+              - script: |
+                  sed -i "/com.github.spotbugs/d" build.gradle
+                  sed -i "/org.sonarqube/d" build.gradle
+                  sed -i "/spotbugsMain/,/^}/d" build.gradle
+                  sed -i "/spotbugsTest/,/^}/d" build.gradle
+                  sed -i "/sonarqube {/,/^}/d" build.gradle
+                  sed -i "/mavenCentral()/d" build.gradle
+                  sed -i "/gradlePluginPortal()/d" settings.gradle
+                  sed -i "/mavenCentral()/d" settings.gradle
+                displayName: Strip plugins and public repos for network-isolated build
+
+              - task: Gradle@4
+                displayName: Build and Test SDK
                 inputs:
-                  versionSpec: '17'
+                  gradleWrapperFile: 'gradlew'
+                  workingDirectory: '$(Build.SourcesDirectory)'
+                  tasks: 'assemble test'
+                  options: '--no-daemon -PGraphDeveloperExperiencesPublicPassword=$(ARTIFACTS_PAT)'
+                  publishJUnitResults: true
+                  testResultsFiles: '**/TEST-*.xml'
+                  javaHomeOption: 'JDKVersion'
+                  jdkVersionOption: '1.17'
                   jdkArchitectureOption: 'x64'
-                  jdkSourceOption: 'PreInstalled'
-
-              - script: chmod +x gradlew && ./gradlew assemble
-                displayName: Build SDK
-                workingDirectory: $(Build.SourcesDirectory)
-
-              - script: ./gradlew test
-                displayName: Run unit tests
-                workingDirectory: $(Build.SourcesDirectory)

build.gradle

@@ -5,8 +5,8 @@ plugins {
     id 'maven-publish'
     id 'signing'
     id 'jacoco'
-    id 'com.github.spotbugs' version '6.2.5'
-    id "org.sonarqube" version "7.2.2.6593"
+    id 'com.github.spotbugs' version '6.5.4'
+    id "org.sonarqube" version "7.3.0.8198"
 
 }
 
@@ -69,6 +69,14 @@ sourceSets {
 repositories {
     // You can declare any Maven/Ivy/file repository here.
     mavenCentral()
+    maven {
+        url 'https://microsoftgraph.pkgs.visualstudio.com/0985d294-5762-4bc2-a565-161ef349ca3e/_packaging/GraphDeveloperExperiences_Public/maven/v1'
+        name 'GraphDeveloperExperiencesPublic'
+        credentials(PasswordCredentials)
+        authentication {
+            basic(BasicAuthentication)
+        }
+    }
 }
 
 apply from: "gradle/dependencies.gradle"
@@ -119,6 +127,14 @@ publishing {
             name = "ADO"
             url = layout.buildDirectory.dir("publishing-repository")
         }
+        maven {
+            url 'https://microsoftgraph.pkgs.visualstudio.com/0985d294-5762-4bc2-a565-161ef349ca3e/_packaging/GraphDeveloperExperiences_Public/maven/v1'
+            name 'GraphDeveloperExperiencesPublic'
+            credentials(PasswordCredentials)
+            authentication {
+                basic(BasicAuthentication)
+            }
+        }
     }
 }
 

gradle.properties

@@ -37,3 +37,7 @@ mavenArtifactSuffix =
 #enable mavenCentralPublishingEnabled to publish to maven central
 mavenCentralSnapshotArtifactSuffix = -SNAPSHOT
 mavenCentralPublishingEnabled=false
+
+# Azure Artifacts CFS feed credentials
+GraphDeveloperExperiencesPublicUsername=microsoftgraph
+GraphDeveloperExperiencesPublicPassword=PERSONAL_ACCESS_TOKEN

settings.gradle

@@ -1,3 +1,18 @@
+pluginManagement {
+    repositories {
+        gradlePluginPortal()
+        mavenCentral()
+        maven {
+            url 'https://microsoftgraph.pkgs.visualstudio.com/0985d294-5762-4bc2-a565-161ef349ca3e/_packaging/GraphDeveloperExperiences_Public/maven/v1'
+            name 'GraphDeveloperExperiencesPublic'
+            credentials(PasswordCredentials)
+            authentication {
+                basic(BasicAuthentication)
+            }
+        }
+    }
+}
+
 /*
  * This file was generated by the Gradle 'init' task.
  *