
[Diagnostic – DO NOT MERGE] Bump Arcade to main to validate MicroBuild signing fix #307

Closed. rmarinho wants to merge 1 commit into main from rmarinho/update-arcade-microbuild-fix


rmarinho (Member) commented Jun 3, 2026
⚠️ Diagnostic / exploratory branch — not for merge

This PR is a vehicle to manually queue the official internal pipeline from a branch that has the MicroBuild signing plugin preview wired up, in order to validate whether dotnet/arcade#16185 actually fixes today's CI failure.

The clean fix for the repo is the backport dotnet/arcade#16821 (still open), which would land via normal dependency flow. This PR is not a replacement for that.

Background

All 8 Windows signing jobs in internal pipeline run 2990253 failed at the Install MicroBuild plugin (Windows) step with:

This module requires Az.Accounts version 5.5.0. An earlier version of Az.Accounts is imported
in the current PowerShell session.
…
The term 'Get-AzKeyVaultSecret' is not recognized as the name of a cmdlet…

Root cause: MicroBuildSigningPlugin@4 (version 5.4.0 — see the "Please use latest plugin version" warning) installs Az.KeyVault 6.5.0 which requires Az.Accounts 5.5.0, but the 1ES Windows image preloads an older Az.Accounts. The Az.KeyVault module fails to load, KeyVault cmdlets are unavailable, and the signing cert (sign-auth-ame-ssl-onecert) can't be fetched.

The same failure is hitting vscode-maui, aspnetcore-ci-official, and (per dotnet/sdk#54566) dotnetup CI on the same day.

dotnet/arcade#16185 (merged to main 2025-10-06) introduced an enablePreviewMicrobuild: true parameter that switches to MicroBuildSigningPluginPreview@4, which carries the updated Az module set. That change has not been backported to release/10.0 (PR #16821 is still open).

What this PR changes

| File | Change |
| --- | --- |
| eng/Version.Details.xml | Microsoft.DotNet.Arcade.Sdk 10.0.0-beta.26257.101 (dotnet/dotnet) → 11.0.0-beta.26302.1 (dotnet/arcade) |
| global.json | SDK 10.0.106 → 11.0.100-preview.5.26227.104, msbuild Arcade 10→11 beta, allowPrerelease: true (the new Arcade bootstrap uses dotnet package download, a .NET 11 SDK command) |
| eng/common/** | ~48 files regenerated by darc update-dependencies --id 316751 --name Microsoft.DotNet.Arcade.Sdk; ships the new install-microbuild-impl.yml + the enablePreviewMicrobuild parameter plumbing |
| eng/pipelines/devflow-official.yml | adds enablePreviewMicrobuild: true next to enableMicrobuild: true so the new template actually calls MicroBuildSigningPluginPreview@4 |
| NuGet.config | whitespace-only change from darc |

Validation path

This PR will not validate the fix via GitHub Actions PR validation — devflow-official.yml is pr: none, and the MicroBuild install step is gated on notin(Build.Reason, 'PullRequest'). The intended validation is:

  1. Maintainer manually queues the official internal pipeline dotnet-maui-labs-official from rmarinho/update-arcade-microbuild-fix.
  2. Observe whether Install MicroBuild plugin (Windows) succeeds (the failing step in build 2990253).

Expected outcome

  • Install MicroBuild plugin (Windows) succeeds → confirms enablePreviewMicrobuild is the right fix and we just need to wait for / nudge [release/10.0] Enable microbuild preview plugin (backport of #16185) arcade#16821.
  • ❌ Subsequent workload-install / build steps are expected to fail because MAUI workloads are not published for .NET 11 preview SDK. Those failures are out of scope for this diagnostic.

Why not just wait for dotnet/arcade#16821?

We can, and that's the right long-term path. This PR exists to give the team a concrete, validated answer to "will the preview plugin actually fix our pipeline?" before nudging or escalating that backport.

References

Co-authored-by: Copilot

DO NOT MERGE. This is an exploratory branch to validate that the new
MicroBuild signing plugin preview ('MicroBuildSigningPluginPreview@4',
introduced in dotnet/arcade#16185) resolves the Az.KeyVault 6.5.0 /
Az.Accounts 5.5.0 version conflict that is breaking all Windows signing
jobs in dnceng internal pipelines (e.g. build 2990253).

The clean fix is the backport dotnet/arcade#16821, which is still open.
This branch jumps to Arcade main as a way to get the new template
plumbing (enablePreviewMicrobuild + install-microbuild-impl.yml) in
place so the official internal pipeline can be queued manually and
confirm the MicroBuild install step succeeds.

Changes:
- eng/Version.Details.xml: Arcade SDK 10.0.0-beta.26257.101 (dotnet/dotnet)
  -> 11.0.0-beta.26302.1 (dotnet/arcade).
- global.json: SDK 10.0.106 -> 11.0.100-preview.5.26227.104,
  allowPrerelease true (required by Arcade main bootstrap which uses
  'dotnet package download', a .NET 11 SDK command).
- eng/common/**: regenerated by darc; includes new
  install-microbuild-impl.yml + refactored install-microbuild.yml.
- eng/pipelines/devflow-official.yml: enablePreviewMicrobuild: true so
  the new template actually calls MicroBuildSigningPluginPreview@4.
- NuGet.config: whitespace-only change from darc.

Expected outcome (manual official pipeline run from this branch):
- 'Install MicroBuild plugin (Windows)' should succeed (validates the fix).
- Subsequent workload install / build steps are likely to fail because
  MAUI workloads are not published for .NET 11 preview SDK. Those
  failures are out of scope for this diagnostic.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
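
The root cause described above (an older Az.Accounts already imported when Az.KeyVault asks for 5.5.0) can be caught before the signing step with a pre-flight check. This is an added example, not code from the PR, Arcade or MicroBuild; the function name Test-RequiredModuleConflict is hypothetical and the imported version 4.0.0 in the sample is a constructed placeholder.

```powershell
# Added example (not from the PR). Reports modules already imported in the
# session at a lower version than another module's manifest requires.
function Test-RequiredModuleConflict {
    [CmdletBinding()]
    param(
        # Objects with Name and Version, e.g. the output of Get-Module.
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Imported,
        # Objects with Name and Version, e.g. a module's RequiredModules.
        [Parameter(Mandatory)] [object[]] $Required
    )
    foreach ($req in $Required) {
        $have = $Imported |
            Where-Object { $_.Name -eq $req.Name } |
            Sort-Object { [version]$_.Version } -Descending |
            Select-Object -First 1
        # Nothing imported yet: Import-Module can still pick a matching version.
        if (-not $have) { continue }
        if ([version]$have.Version -lt [version]$req.Version) {
            [pscustomobject]@{
                Module   = $req.Name
                Imported = [version]$have.Version
                Required = [version]$req.Version
            }
        }
    }
}

# Constructed sample: the required version is the one quoted in the error
# above; the imported version 4.0.0 is a placeholder, the page gives none.
$imported = @([pscustomobject]@{ Name = 'Az.Accounts'; Version = '4.0.0' })
$required = @([pscustomobject]@{ Name = 'Az.Accounts'; Version = '5.5.0' })
$conflicts = @(Test-RequiredModuleConflict -Imported $imported -Required $required)
$conflicts | Format-Table -AutoSize

# On a real agent, run the same check on live data before importing Az.KeyVault.
$kv = Get-Module -ListAvailable -Name Az.KeyVault |
    Sort-Object Version -Descending | Select-Object -First 1
if ($kv -and $kv.RequiredModules) {
    $live = @(Test-RequiredModuleConflict -Imported @(Get-Module) -Required @($kv.RequiredModules))
    if ($live) { throw "Imported module older than Az.KeyVault requires: $($live.Module -join ', ')" }
}
```

Failing here gives a single explicit error naming the stale module, instead of the later 'Get-AzKeyVaultSecret is not recognized' message that hides the cause.
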

github-actions Bot (Contributor) commented Jun 3, 2026

Expert Code Review — PR #307

Methodology: 3 independent reviewers with adversarial consensus
Result: 2 findings posted as inline comments (1 🔴 critical, 1 🟡 moderate)

Findings Summary

All findings are posted inline on the relevant lines. No overflow.

| # | Severity | Consensus | File | Line | Finding |
| --- | --- | --- | --- | --- | --- |
| 1 | 🔴 Critical | 3/3 | global.json | 3 | SDK bump to .NET 11 preview breaks all CI/dev builds if accidentally merged |
| 2 | 🟡 Moderate | 2/3 | eng/pipelines/devflow-official.yml | 90 | enablePreviewMicrobuild: true is unconditional; confirm Arcade 10 backport exposes this param before adding to main permanently |

Discarded Findings

These were flagged by a single reviewer but did not achieve consensus after follow-up evaluation:

  • eng/Version.Details.xml URI changed from VMR to dotnet/arcade — expected for diagnostic; not a defect given PR is draft/DO NOT MERGE
  • eng/common/post-build/sourcelink-validation.ps1 deleted — consistent auto-generated Arcade 11 regeneration; templates updated in same PR
  • eng/common/cross/install-debs.py asyncio.gather behavioral change — intentional upstream Arcade change
  • eng/common/pipeline-logging-functions.ps1 telemetry prefix removed — upstream change (discarded below follow-up cap)

CI Status

Multiple CI jobs failing (expected per PR description — .NET 11 preview SDK has no MAUI workloads). CLA check passed. This is consistent with the stated diagnostic intent.

Test Coverage

N/A — this PR contains no application code changes. All modifications are build infrastructure (SDK version, pipeline config, auto-generated Arcade files).


Generated by Expert Code Review · 3 independent reviewers with adversarial consensus


github-actions Bot (Contributor) left a comment

Review Finding Evaluation

Evaluated three disputed findings against PR context (diagnostic draft, explicitly marked DO NOT MERGE).

Finding 1 (Arcade SDK source URI → dotnet/arcade) — ⚪ Not actionable. The change is intentional and fully documented in the PR description. Draft status and title prevent accidental merge. The production fix path is the release/10.0 backport (arcade#16821).

Finding 2 (sourcelink-validation.ps1 deleted) — ⚪ Not actionable. eng/common/ files are auto-generated as a consistent unit by darc update-dependencies. Arcade's own CI validates internal consistency of cross-references. No selective file restoration is possible or appropriate.

Finding 3 (return_exceptions=True removed in install-debs.py) — ⚪ Not actionable. This is an intentional upstream change in Arcade main. eng/common/ files are never locally modified — they are overwritten on every dependency update. The behavioral change is owned by the Arcade team.

Summary: All three findings describe real differences from the current main branch, but none represent bugs or actionable issues given that (a) this is a diagnostic draft PR not intended for merge, and (b) eng/common/ changes are upstream-owned and internally consistent.


Comment thread global.json
{
"sdk": {
"version": "10.0.106",
"version": "11.0.100-preview.5.26227.104",
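Review bot: the changed "version" line replaces the 10.0.106 release pin with a preview SDK (11.0.100-preview.5.26227.104), and global.json selects the SDK for every build in the repo, not only the signing pipeline under diagnosis. Keep this line confined to the diagnostic branch; per the description the release/10.0 backport (dotnet/arcade#16821) arrives through normal dependency flow, so the change that eventually reaches main should not carry this SDK bump.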


🔴 CRITICAL · 3/3 consensus

Accidental merge breaks all CI and contributor builds. The SDK is bumped from 10.0.106 to 11.0.100-preview.5.26227.104. MAUI workloads are not published for .NET 11 preview — if this PR is merged (even accidentally), every CI workflow and local dev build fails immediately.

The PR is correctly marked Draft and "DO NOT MERGE", but protective automation (e.g., a do-not-merge label that gates merging, or a branch protection rule) would add defense-in-depth beyond relying on human attention.

- template: /eng/common/templates-official/jobs/jobs.yml@self
parameters:
enableMicrobuild: true
enablePreviewMicrobuild: true
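Review bot: the added enablePreviewMicrobuild: true line carries no explanation of why the signing job is switched to the preview plugin or when the switch can be dropped. Add a YAML comment above it that names dotnet/arcade#16185 and the Az.KeyVault 6.5.0 / Az.Accounts 5.5.0 conflict, so a later reader of the pipeline knows the flag is a workaround and what to check before removing it.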


🟡 MODERATE · 2/3 consensus

enablePreviewMicrobuild: true is unconditional. This is correct for the diagnostic purpose (validating the MicroBuild fix on Arcade 11), but if the eventual fix on main comes via dotnet/arcade#16821 (Arcade 10 backport), confirm that the release/10.0 template also exposes this parameter before adding this line permanently. Otherwise, consider gating it behind a pipeline parameter (default false) so the stable signing path remains the default on main.

@rmarinho rmarinho closed this Jun 3, 2026