Add check to not private builds to public channels

eng/publishing/v3/publish.yml

@@ -97,7 +97,7 @@ stages:
           /p:PublishingInfraVersion=3
           /p:BARBuildId=${{ parameters.BARBuildId }}
           /p:TargetChannels='${{ parameters.PromoteToChannelIds }}'
-          /p:IsInternalBuild=${{ contains(variables['AzDOBranch'], 'internal/') }}
+          /p:IsInternalBuild=$(IsInternalBuild)
           /p:NugetPath=$(NuGetExeToolPath)
           /p:MaestroApiEndpoint='$(MaestroApiEndPoint)'
           /p:BuildAssetRegistryToken='$(AuthenticateMaestro.MaestroToken)'

eng/publishing/v3/validate-and-locate-build.ps1

@@ -60,6 +60,11 @@ try {
     $buildNumberName = $buildNumberName.Substring(0, 255)
   }
 
+  $isInternalBuild = $false
+  if ([string]::IsNullOrEmpty($buildInfo.gitHubRepository) -and $buildInfo.azureDevOpsBranch.Contains("internal/release")) {
+    $isInternalBuild = $true
+  }
+
   # Set tags on publishing for visibility
   Write-Host "##vso[build.updatebuildnumber]$buildNumberName"
   Write-Host "##vso[build.addbuildtag]Channel(s) - $channelNames"
@@ -71,6 +76,7 @@ try {
   Write-Host "##vso[task.setvariable variable=AzDOBuildId]$($buildInfo.azureDevOpsBuildId)"
   Write-Host "##vso[task.setvariable variable=AzDOAccount]$($buildInfo.azureDevOpsAccount)"
   Write-Host "##vso[task.setvariable variable=AzDOBranch]$($buildInfo.azureDevOpsBranch)"
+  Write-Host "##vso[task.setvariable variable=IsInternalBuild]$isInternalBuild"
 }
 catch {
   Write-Host $_

src/Microsoft.DotNet.Build.Tasks.Feed.Tests/PublishArtifactsInManifestTests.cs

@@ -95,7 +95,7 @@ public async Task PushNugetPackageTestsAsync(int pushAttemptsBeforeSuccess, bool
             // Functionality is the same as this is in the base class, create a v2 object to test. 
             var task = new PublishArtifactsInManifestV3
             {
-                InternalBuild = true,
+                IsInternalBuild = true,
                 BuildEngine = buildEngine,
                 NugetPath = fakeNugetExeName,
                 MaxRetryCount = 5, // In case the default changes, lock to 5 so the test data works

src/Microsoft.DotNet.Build.Tasks.Feed/src/PublishArtifactsInManifest.cs

@@ -122,7 +122,7 @@ public class PublishArtifactsInManifest : MSBuildTaskBase
         /// Whether this build is internal or not. If true, extra checks are done to avoid accidental
         /// publishing of assets to public feeds or storage accounts.
         /// </summary>
-        public bool InternalBuild { get; set; }
+        public bool IsInternalBuild { get; set; }
 
         public bool PublishInstallersAndChecksums { get; set; } = false;
 
@@ -347,7 +347,7 @@ internal PublishArtifactsInManifestBase ConstructPublishingV3Task(BuildModel bui
                 MaestroApiEndpoint = this.MaestroApiEndpoint,
                 BuildAssetRegistryToken = this.BuildAssetRegistryToken,
                 NugetPath = this.NugetPath,
-                InternalBuild = this.InternalBuild,
+                IsInternalBuild = this.IsInternalBuild,
                 SkipSafetyChecks = this.SkipSafetyChecks,
                 AkaMSClientId = this.AkaMSClientId,
                 AkaMSClientCertificate = !string.IsNullOrEmpty(AkaMSClientCertificate) ?

src/Microsoft.DotNet.Build.Tasks.Feed/src/PublishArtifactsInManifestBase.cs

@@ -118,7 +118,7 @@ public abstract class PublishArtifactsInManifestBase : Microsoft.Build.Utilities
         /// Whether this build is internal or not. If true, extra checks are done to avoid accidental
         /// publishing of assets to public feeds or storage accounts.
         /// </summary>
-        public bool InternalBuild { get; set; } = false;
+        public bool IsInternalBuild { get; set; } = false;
 
         /// <summary>
         /// If true, safety checks only print messages and do not error
@@ -349,17 +349,20 @@ protected async Task PersistPendingAssetLocationAsync(IMaestroApi client)
         }
 
         /// <summary>
-        /// Protect against accidental publishing of internal assets to non-internal feeds.
+        /// Run a check to verify that we're not publishing an internal build to non-internal feeds.
         /// </summary>
-        protected void CheckForInternalBuildsOnPublicFeeds(TargetFeedConfig feedConfig)
+        protected void CheckForInternalBuildsOnPublicFeeds()
         {
             // If separated out for clarity.
-            if (!SkipSafetyChecks)
+            if (!SkipSafetyChecks && IsInternalBuild)
             {
-                if (InternalBuild && !feedConfig.Internal)
+                foreach (TargetFeedConfig feedConfig in FeedConfigs.Values.SelectMany(x => x))
                 {
-                    Log.LogError($"Use of non-internal feed '{feedConfig.TargetURL}' is invalid for an internal build. This can be overridden with '{nameof(SkipSafetyChecks)}= true'");
-                }
+                    if (feedConfig.Internal == false)
+                    {
+                        Log.LogError($"Internal builds shouldn't be published to public feed '{feedConfig.TargetURL}'. This behavior can be overridden with '{nameof(SkipSafetyChecks)}= true'");
+                    }
+                }             
             }
         }
 

src/Microsoft.DotNet.Build.Tasks.Feed/src/PublishArtifactsInManifestV3.cs

@@ -182,6 +182,7 @@ public override async Task<bool> ExecuteAsync()
                 }
 
                 CheckForStableAssetsInNonIsolatedFeeds();
+                CheckForInternalBuildsOnPublicFeeds();
 
                 if (Log.HasLoggedErrors)
                 {