Revert "Unified CI/PR Pipeline (#15848)"

.ado/compliance.yml

@@ -0,0 +1,140 @@
+name: 0.0.$(Date:yyMM.d)$(Rev:rrr)
+
+parameters:
+- name: AgentPool
+  type: object
+  default:
+    Medium:
+      name: rnw-pool-4-microsoft
+      demands: ImageOverride -equals rnw-img-vs2022-node22
+    Large:
+      name: rnw-pool-8-microsoft
+      demands: ImageOverride -equals rnw-img-vs2022-node22
+- name: forceCodeQL
+  displayName: Force CodeQL to rebuild databases
+  type: boolean
+  default: false
+- name: complianceWarnOnly
+  displayName: Convert compliance errors to warnings
+  type: boolean
+  default: true # Let's get all results in this pipeline
+
+variables:
+  - template: variables/windows.yml
+  - group: RNW Secrets
+  - name: Codeql.Enabled
+    value: true
+  - ${{ if eq(parameters.forceCodeQL, true) }}:
+    - name: Codeql.Cadence
+      value: 0
+  - ${{ if eq(parameters.forceCodeQL, false) }}:
+    - name: Codeql.Cadence
+      value: 120 # In hours, default to only run every 5 days
+
+trigger: none
+pr: none
+
+jobs:
+  - job: RnwUniversalCompliance
+    displayName: RNW Universal Compliance
+    pool: ${{ parameters.AgentPool.Large }}
+    timeoutInMinutes: 360 # Compliance tasks recommend to 3x usual build timeout
+
+    steps:
+      - template: templates/checkout-shallow.yml
+
+      - template: templates/prepare-js-env.yml
+
+      - template: templates/set-version-vars.yml
+        parameters:
+          buildEnvironment: Continuous
+
+      - template: templates/publish-version-vars.yml
+
+      - template: templates/prepare-build-env.yml
+        parameters:
+          platform: x64
+          configuration: Release
+          buildEnvironment: Continuous
+
+      - template: templates/apply-published-version-vars.yml
+
+      # Pre-build compliance tasks
+
+      - template: templates/run-compliance-prebuild.yml
+        parameters:
+          complianceWarnOnly: ${{ parameters.complianceWarnOnly }}
+
+      - task: NuGetAuthenticate@1
+
+      # AgentES Task (https://aka.ms/UES)
+      # Installs and runs the "Agent ES" tool, which scans the source code for banned file types.
+      - powershell: |
+          & nuget.exe install AgentES -FallbackSource https://microsoft.pkgs.visualstudio.com/_packaging/Undocked.Shell.Services/nuget/v3/index.json
+          $AgentESPath = (Get-ChildItem -Path AgentES* -Filter AgentES.exe -Recurse | %{$_.FullName})
+          & $AgentESPath $env:BUILD_SOURCESDIRECTORY -e:$env:BUILD_SOURCESDIRECTORY\.ado\config\AgentES.Exemptions.json -b
+        displayName: "⚖️ AgentES - Scan of Repository for UES Policy Violations"
+        workingDirectory: $(Agent.BuildDirectory)
+        continueOnError: ${{ parameters.complianceWarnOnly }}
+
+      # Initialize CodeQL 3000 Task (https://aka.ms/codeql3000)
+      # Performs static code analysis.
+      - task: CodeQL3000Init@0
+        displayName: "🛡️ Initialize CodeQL"
+        continueOnError: ${{ parameters.complianceWarnOnly }}
+
+      # Build RNW
+
+      - template: templates/msbuild-sln.yml
+        parameters:
+          solutionDir: vnext
+          solutionName: Microsoft.ReactNative.NewArch.sln
+          buildPlatform: x64
+          buildConfiguration: Release
+
+      # Post-build compliance tasks
+
+      - template: templates/run-compliance-postbuild.yml
+        parameters:
+          complianceWarnOnly: ${{ parameters.complianceWarnOnly }}
+
+      # Attack Surface Analyzer (ASA) for SDL compliance
+      # This is integrated into the compliance pipeline but runs independently
+      # Note: ASA requires before/after snapshots, so we run a separate analysis
+      - task: PowerShell@2
+        displayName: '🛡️ Attack Surface Analyzer - Note'
+        inputs:
+          targetType: inline
+          script: |
+            Write-Host "=========================================="
+            Write-Host "Attack Surface Analyzer (ASA) Information"
+            Write-Host "=========================================="
+            Write-Host ""
+            Write-Host "ASA runs as a separate job in the PR pipeline (see stages.yml)."
+            Write-Host "It performs before/after snapshot analysis of the build process."
+            Write-Host ""
+            Write-Host "For manual ASA runs or to view results:"
+            Write-Host "1. Check PR pipeline artifacts for ASA_Results"
+            Write-Host "2. Review docs/attack-surface-analyzer.md for guidance"
+            Write-Host "3. Run ASA locally: dotnet tool install -g Microsoft.CST.AttackSurfaceAnalyzer.CLI"
+            Write-Host ""
+            Write-Host "✅ ASA integration is active in PR builds"
+
+      # Finalize CodeQL 3000 Task (https://aka.ms/codeql3000)
+      # Performs static code analysis.
+      - task: CodeQL3000Finalize@0
+        displayName: "🛡️ Finalize CodeQL"
+        inputs:
+          # Enable TSA for automatic bug filing from CodeQL
+          TSAEnabled: true
+          TSAOptions: |
+            {
+              "areaPath": "OS\\Windows Client and Services\\WinPD\\SPICE\\ReactNative",
+              "iterationPath": "OS\\Future",
+              "notificationAliases": ["$(TSANotificationAliases)"],
+              "codebaseAdmins": ["$(TSACodebaseAdmins)"],
+              "bugTags": ["SDL", "Security"],
+              "instanceUrl": "https://dev.azure.com/microsoft",
+              "projectName": "OS"
+            }
+        continueOnError: ${{ parameters.complianceWarnOnly }}

.ado/continuous.yml

@@ -0,0 +1,28 @@
+name: RNW CI $(Date:yyyyMMdd).$(Rev:r)
+
+trigger: none # will disable CI builds entirely
+pr: none
+
+variables:
+  - group: RNW Secrets
+  - group: platform-override-zero-permission-token
+
+parameters:
+  - name: AgentPool
+    type: object
+    default:
+      Small:
+        name: rnw-pool-2
+        demands: ImageOverride -equals rnw-img-vs2022-node22
+      Medium:
+        name: rnw-pool-4
+        demands: ImageOverride -equals rnw-img-vs2022-node22
+      Large:
+        name: rnw-pool-8
+        demands: ImageOverride -equals rnw-img-vs2022-node22
+
+stages:
+  - template: stages.yml
+    parameters:
+      buildEnvironment: Continuous
+      AgentPool: ${{ parameters.AgentPool }}

.ado/integrate-rn.yaml

@@ -33,7 +33,7 @@ jobs:
         displayName: yarn integrate-rn
         continueOnError: true
 
-      - pwsh: |
+      - powershell: |
           if (!(Test-Path "$(Agent.TempDirectory)\integration-report.md")) {
             dir "$(Agent.TempDirectory)"
             throw "No integration report generated"
@@ -43,7 +43,7 @@ jobs:
           }
         displayName: Test for changes
 
-      - pwsh: |
+      - powershell: |
           $reportWithHeader = "${{ parameters.commitTitle}}`n`n" + (Get-Content -Raw $(Agent.TempDirectory)\integration-report.md)
           # Trim to max GitHub PR length
           $trimmedReport = $reportWithHeader.substring(0, [math]::min(65536, $reportWithHeader.length))
@@ -55,12 +55,12 @@ jobs:
           git commit -F $(Agent.TempDirectory)\commit-message.md
         displayName: Commit changes
 
-      - pwsh: |
+      - powershell: |
           $commitHash = git log --format=%H -n 1
           Write-Output "##vso[task.setvariable variable=FirstCommit]$commitHash"
         displayName: Save base commit
 
-      - pwsh: |
+      - powershell: |
           $patchScope = node -e "
           const path = require('path');
           const {enumerateRepoPackages} = require('@react-native-windows/package-utils');
@@ -72,7 +72,7 @@ jobs:
           yarn change --scope @($patchScope.split(',')) --message "${{ parameters.commitTitle}}" --type patch
         displayName: Create patch changefiles
 
-      - pwsh: |
+      - powershell: |
           $prereleaseScope = node -e "
           const path = require('path');
           const {enumerateRepoPackages} = require('@react-native-windows/package-utils');
@@ -93,7 +93,7 @@ jobs:
       - script: git push origin integrate-${{ parameters.reactNativeVersion }}
         displayName: Push changes
 
-      - pwsh: |
+      - powershell: |
           $headers = @{'Accept'='application/vnd.github.v3+json'; 'Authorization'='Token $(githubAuthToken)'}
           $body = '{"head": "integrate-${{ parameters.reactNativeVersion }}", "base": "main", "title": "${{ parameters.commitTitle}}"}'
           Invoke-WebRequest -Method Post -Headers $headers -Body $body https://api.github.com/repos/microsoft/react-native-windows/pulls