Speed up the publish pipeline

[vmoroz]

Description

Type of Change

• New feature (non-breaking change which adds functionality)
• Automation (AI changes or Github Actions to reduce effort of manual tasks)

Why

The publish pipeline took ~2h 13m. This PR restructures it to run faster and sign all binaries correctly.

Key motivations:

• Pipeline was bottlenecked by a sequential RnwPublishPrep gate job, test project compilation, full git clones, and redundant PREfast analysis
• Several DLLs in NuGet packages (react-native-win32.dll, Microsoft.ReactNative.Projection.dll) were never code-signed
• ESRP signing config (auth credentials, inline operations) was duplicated across call sites
• Artifacts were ~21 GB larger than necessary (static libs, duplicate PDBs, test DLLs)
• PDB symbols were published for every build, not just releases

What

Pipeline restructure:

• Replace RnwPublishPrep gate job with lightweight SetVersionVars job (~5m vs ~18m)
• Parallelize RnwNpmPack (no longer depends on prep job)
• Add Linting job as parallel quality gate

Build optimization:

• Create .slnf solution filters excluding test projects from publish builds
• Disable PREfast via featureFlags.autoEnablePREfastWithNewRuleset: false
• Enable /MP multi-threaded compilation via CIBuildOptimizations.props
• Skip NuGet restore in CI builds (nuget-restore-task.js)
• Remove Universal Debug builds (never packed into NuGet)
• Narrow artifact globs to only nuspec-required files (~21 GB savings)
• Shallow checkout (fetchDepth: 1) for all jobs

Code signing:

• Sign react-native-win32.dll in Desktop build jobs (was never signed)
• Sign Microsoft.ReactNative.Projection.dll in Universal build jobs (was never signed)
• Create reusable esrp-codesign-binaries.yml and esrp-codesign-nuget.yml templates
• Remove all dead signing code from prep-and-pack-single.yml and prep-and-pack-nuget.yml
• Make signing unconditional (remove EnableCodesign variable and -stable branch checks)

Release pipeline:

• Move PDB symbol publishing from publish.yml to release.yml (only published for actual releases)
• Extract PDBs from signed NuGet packages, publish with IndexSources: false (SourceLink already embedded)

Cleanup:

• Remove explicit Component Governance calls from build jobs (auto-injected by 1ES PT)
• Remove FailCGOnAlert variable (only used by removed Component Governance calls)
• Remove performBeachballCheck parameter
• Upgrade ESRP tasks: EsrpCodeSigning@5 → @6, EsrpRelease@10 → @11
• Fix broken GitHub docs URL in branch-lifecycle-policy.md

Screenshots

N/A — pipeline changes only.

Testing

• 10+ pipeline test runs on user/vmorozov/1es-pt-migration-publish branch
• Best result: 57m 26s (Run 10) — down from 2h 13m baseline (57% reduction)
• Verified PDB symbol publishing from release.yml (10 PDBs in 34s)
• Pending: CSV audit verification for newly signed binaries

Changelog

Should this change be included in the release notes: no

Internal pipeline optimization — no user-facing changes.

Microsoft Reviewers: Open in CodeFlow

[acoates-ms]

Enable /MP multi-threaded compilation via CIBuildOptimizations.props:
Does this need: #15747 ?

[vmoroz]

Enable /MP multi-threaded compilation via CIBuildOptimizations.props: Does this need: #15747 ?

No, I did not observe any such issues. Are they specific to test projects or projects based on RNW?

[vineethkuttan]

Enable /MP multi-threaded compilation via CIBuildOptimizations.props: Does this need: #15747 ?

No, I did not observe any such issues. Are they specific to test projects or projects based on RNW?

Projects based on RNW