Merged PR 7394: Sync development to main

mssql-rs Build Service (SqlClientDrivers) · saurabh500 · commit 203160e156e4 · 2026-04-28T12:53:36.000Z
Sync of development to main branch.

Before merging this PR, ensure that the CI has had a good run on the development branch.
diff --git a/.pipeline/templates/build-template-container.yml b/.pipeline/templates/build-template-container.yml
@@ -37,6 +37,10 @@ parameters:
   default: ''
 
 steps:
+- template: generate-sql-password-template.yml
+  parameters:
+    osType: Linux
+
 - task: DockerInstaller@0
   inputs:
     dockerVersion: '29.0.0'
diff --git a/.pipeline/templates/build-template.yml b/.pipeline/templates/build-template.yml
@@ -37,6 +37,10 @@ parameters:
   default: true
 
 steps:
+- template: generate-sql-password-template.yml
+  parameters:
+    osType: ${{ parameters.osType }}
+
 - script: cargo fetch
   displayName: Fetch Crates
 
diff --git a/.pipeline/templates/cargo-authenticate-template.yml b/.pipeline/templates/cargo-authenticate-template.yml
@@ -15,12 +15,15 @@ steps:
 - ${{ if eq(parameters.osType, 'Windows') }}:
   - pwsh: .pipeline/scripts/apply-ci-cargo-config.ps1
     displayName: Apply CI cargo configuration
+    condition: ne(variables['Build.Reason'], 'PullRequest')
 
 - ${{ if ne(parameters.osType, 'Windows') }}:
   - script: bash .pipeline/scripts/apply-ci-cargo-config.sh
     displayName: Apply CI cargo configuration
+    condition: ne(variables['Build.Reason'], 'PullRequest')
 
 - task: CargoAuthenticate@0
   inputs:
     configFile: '.cargo/config.toml'
   displayName: Authenticate cargo registries
+  condition: ne(variables['Build.Reason'], 'PullRequest')
diff --git a/.pipeline/templates/generate-sql-password-template.yml b/.pipeline/templates/generate-sql-password-template.yml
@@ -0,0 +1,69 @@
+# Generates a strong random SQL Server password and exposes it as the
+# job-scoped runtime variable SQL_PASSWORD (secret-masked in logs).
+#
+# Idempotent within a single job: a non-secret marker variable
+# SQL_PASSWORD_GENERATED is set on first run and inspected on subsequent
+# invocations, so including this template from multiple step-templates
+# in the same job will only generate the password once.
+#
+# Subsequent steps in the job consume the value via the standard
+# `$(SQL_PASSWORD)` macro syntax — no caller changes required.
+
+parameters:
+  - name: osType
+    type: string
+    default: Linux
+    values:
+      - Windows
+      - Linux
+      - MacOS
+
+steps:
+  - ${{ if eq(parameters.osType, 'Windows') }}:
+      - task: PowerShell@2
+        displayName: 'Generate SQL_PASSWORD (job-scoped)'
+        inputs:
+          targetType: 'inline'
+          script: |
+            $ErrorActionPreference = 'Stop'
+            if ($env:SQL_PASSWORD_GENERATED -eq '1') {
+              Write-Host 'SQL_PASSWORD already generated for this job; skipping'
+              exit 0
+            }
+            $bytes = New-Object byte[] 24
+            $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
+            try {
+              $rng.GetBytes($bytes)
+              $rand = ([Convert]::ToBase64String($bytes)) -replace '[+/=]',''
+              while ($rand.Length -lt 22) {
+                $rng.GetBytes($bytes)
+                $rand = $rand + (([Convert]::ToBase64String($bytes)) -replace '[+/=]','')
+              }
+            } finally {
+              $rng.Dispose()
+            }
+            $rand = $rand.Substring(0, 22)
+            # Prepend a known mix to guarantee SQL Server password-policy classes.
+            $pwd = 'Aa1!' + $rand
+            Write-Host "##vso[task.setvariable variable=SQL_PASSWORD;issecret=true]$pwd"
+            Write-Host "##vso[task.setvariable variable=SQL_PASSWORD_GENERATED]1"
+            Write-Host "Generated SQL_PASSWORD (length=$($pwd.Length))"
+
+  - ${{ if ne(parameters.osType, 'Windows') }}:
+      - bash: |
+          set -euo pipefail
+          if [ "${SQL_PASSWORD_GENERATED:-}" = "1" ]; then
+            echo "SQL_PASSWORD already generated for this job; skipping"
+            exit 0
+          fi
+          rand=$(openssl rand -base64 24 | tr -d '=+/' | head -c 22)
+          while [ "${#rand}" -lt 22 ]; do
+            rand="${rand}$(openssl rand -base64 24 | tr -d '=+/' | head -c 4)"
+          done
+          rand="${rand:0:22}"
+          # Prepend a known mix to guarantee SQL Server password-policy classes.
+          pwd="Aa1!${rand}"
+          echo "##vso[task.setvariable variable=SQL_PASSWORD;issecret=true]${pwd}"
+          echo "##vso[task.setvariable variable=SQL_PASSWORD_GENERATED]1"
+          echo "Generated SQL_PASSWORD (length=${#pwd})"
+        displayName: 'Generate SQL_PASSWORD (job-scoped)'
diff --git a/.pipeline/templates/sql-setup-template.yml b/.pipeline/templates/sql-setup-template.yml
@@ -8,6 +8,10 @@ parameters:
   - MacOS
 
 steps:
+- template: generate-sql-password-template.yml
+  parameters:
+    osType: ${{ parameters.buildTarget }}
+
 - ${{ if eq(parameters.buildTarget, 'Windows') }}:
   - task: PowerShell@2
     displayName: 'Generate Certificate for TLS encryption '
diff --git a/.pipeline/templates/test-longhaul-template.yml b/.pipeline/templates/test-longhaul-template.yml
@@ -13,6 +13,10 @@ parameters:
   default: 1000
 
 steps:
+- template: generate-sql-password-template.yml
+  parameters:
+    osType: Linux
+
 - task: DockerInstaller@0
   inputs:
     dockerVersion: '29.0.0'
diff --git a/.pipeline/templates/test-matrix-template-alpine.yml b/.pipeline/templates/test-matrix-template-alpine.yml
@@ -15,6 +15,9 @@ jobs:
       demands:
         - ${{ parameters.poolImageOverride }}
     steps:
+      - template: generate-sql-password-template.yml
+        parameters:
+          osType: Linux
       - task: DockerInstaller@0
         inputs:
           dockerVersion: '29.0.0'
diff --git a/.pipeline/templates/test-matrix-template-alpine_arm64.yml b/.pipeline/templates/test-matrix-template-alpine_arm64.yml
@@ -14,6 +14,9 @@ jobs:
       demands:
         - ${{ parameters.poolImageOverride }}
     steps:
+      - template: generate-sql-password-template.yml
+        parameters:
+          osType: Linux
       - task: DockerInstaller@0
         inputs:
           dockerVersion: '29.0.0'
diff --git a/.pipeline/templates/test-matrix-template-arm64.yml b/.pipeline/templates/test-matrix-template-arm64.yml
@@ -12,6 +12,9 @@ jobs:
       demands:
         - imageOverride -equals RUST-UBUNTU-ARM64
     steps:
+      - template: generate-sql-password-template.yml
+        parameters:
+          osType: Linux
       - task: DockerInstaller@0
         inputs:
           dockerVersion: '29.0.0'
diff --git a/.pipeline/templates/test-matrix-template.yml b/.pipeline/templates/test-matrix-template.yml
@@ -12,6 +12,9 @@ jobs:
       demands:
         - imageOverride -equals RUST-1ES-UBUSLIM
     steps:
+      - template: generate-sql-password-template.yml
+        parameters:
+          osType: Linux
       - task: DockerInstaller@0
         inputs:
           dockerVersion: '29.0.0'
diff --git a/.pipeline/templates/test-mssql-python-macos-template.yml b/.pipeline/templates/test-mssql-python-macos-template.yml
@@ -3,6 +3,11 @@
 # via Colima (no TLS certs) and runs pytest with TrustServerCertificate=yes.
 
 steps:
+# ── 0. Generate per-job SQL_PASSWORD ─────────────────────────────────────────
+- template: generate-sql-password-template.yml
+  parameters:
+    osType: MacOS
+
 # ── 1. Python & Cargo setup ──────────────────────────────────────────────────
 - task: UsePythonVersion@0
   inputs:
diff --git a/.pipeline/templates/test-mssql-python-template.yml b/.pipeline/templates/test-mssql-python-template.yml
@@ -3,6 +3,10 @@
 # Then builds wheel artifact with both bindings
 
 steps:
+- template: generate-sql-password-template.yml
+  parameters:
+    osType: Linux
+
 - task: DockerInstaller@0
   inputs:
     dockerVersion: '29.0.0'
