dotnet · paulmedynski · Feb 12, 2026 · Feb 11, 2026 · Feb 11, 2026 · Feb 11, 2026
@@ -99,6 +99,10 @@ parameters:
     type: boolean
     default: false
 
+  # The SA password to set when configuring SQL Server.
+  - name: saPassword
+    type: string
+
 jobs:
 - job: ${{ format('{0}', coalesce(parameters.jobDisplayName, parameters.image, 'unknown_image')) }}
 
@@ -158,29 +162,11 @@ jobs:
         referenceType: ${{ parameters.referenceType }}
         mdsPackageVersion: ${{ parameters.mdsPackageVersion }}
 
-  # Pipelines running via forks of the repo won't have access to secrets brought in from Azure
-  # DevOps Library groups.  This includes the $(Password) used to configure local SQL Server
-  # instances.  In such a case, we must generate a random password and clobber $(Password).
-  #
-  # From this point forward in this job, any pipeline runtime expansion of $(Password) will use the
-  # random value.  This includes the SQL Server config templates (configure-sql-server-*.yml), and
-  # the expansion of connection strings via our configProperties parameter.
-  #
-  # Azure Pipelines provides the System.PullRequest.IsFork variable that is available at template
-  # expansion time.  See:
-  #
-  #  https://learn.microsoft.com/en-us/azure/devops/pipelines/build/variables?view=azure-devops&tabs=yaml#system-variables
-  #
-  - ${{ if eq(variables['System.PullRequest.IsFork'], 'true') }}:
-    - pwsh: |
-        $guid = [guid]::NewGuid().ToString()
-        Write-Host "##vso[task.setvariable variable=Password;isSecret=true]$guid"
-      displayName: Generate random SQL Server password for forked repo
-
   - ${{ if ne(parameters.configProperties, '{}') }}:
     - template: /eng/pipelines/common/templates/steps/update-config-file-step.yml@self # update config.json file
       parameters:
         debug: ${{ parameters.debug }}
+        saPassword: ${{ parameters.saPassword }}
         UseManagedSNIOnWindows: ${{ parameters.usemanagedSNI }}
         ${{ if parameters.configProperties.TCPConnectionString }}:
           TCPConnectionString: ${{ parameters.configProperties.TCPConnectionString }}
@@ -257,6 +243,7 @@ jobs:
         parameters:
           operatingSystem: ${{ parameters.operatingSystem }}
           netcoreVersionTestUtils: ${{ parameters.netcoreVersionTestUtils }}
+          saPassword: ${{ parameters.saPassword }}
           ${{ if parameters.configProperties.instanceName }}:
             instanceName: ${{ parameters.configProperties.instanceName }}
           ${{ if parameters.configProperties.user }}:

@@ -46,6 +46,8 @@ jobs:
 
   - template: /eng/pipelines/common/templates/steps/update-config-file-step.yml
     parameters:
+      # We use the Library $(Password) variable as the SA password in this pipeline.
+      saPassword: $(Password)
       TCPConnectionString: $(SQL_TCP_CONN_STRING)
       NPConnectionString: $(SQL_NP_CONN_STRING)
       SupportsIntegratedSecurity: false

@@ -3,13 +3,20 @@
 # The .NET Foundation licenses this file to you under the MIT license.          #
 # See the LICENSE file in the project root for more information.                #
 #################################################################################
+
+# This stage depends on the secrets_stage.
+
 parameters:
   - name: abstractionsArtifactsName
     type: string
 
   - name: abstractionsPackageVersion
     type: string
 
+  - name: additionalDependsOn
+    type: object
+    default: []
+
   - name: buildConfiguration
     type: string
     values:
@@ -20,10 +27,6 @@ parameters:
     type: boolean
     default: false
 
-  - name: dependsOn
-    type: object
-    default: []
-
   - name: mdsArtifactsName
     type: string
     default: MDS.Artifacts
@@ -56,7 +59,15 @@ stages:
 - ${{ each config in parameters.testConfigurations }}:
   - ${{ each image in config.value.images }}:
     - stage: ${{ image.key }}
-      dependsOn: ${{ parameters.dependsOn }}
+      dependsOn:
+        - secrets_stage
+        - ${{ parameters.additionalDependsOn }}
+
+      variables:
+        # Bring the SA password from the secrets_stage into scope here.
+        - name: saPassword
+          value: $[stageDependencies.secrets_stage.secrets_job.outputs['SaPassword.Value']]
+
       jobs:
       - ${{ each targetFramework in config.value.TargetFrameworks }}:
         - ${{ each platform in config.value.buildPlatforms }}:
@@ -87,6 +98,7 @@ stages:
                   configSqlFor: ${{ config.value.configSqlFor }}
                   operatingSystem: ${{ config.value.operatingSystem }}
                   isArm64: ${{ eq(config.value.isArm64, 'true') }}
+                  saPassword: $(saPassword)
                   ${{if ne(config.value.configProperties, '{}') }}:
                     ${{ each x86TF in config.value.configProperties.x86TestTargetFrameworks }}:
                       ${{ if eq(x86TF, targetFramework) }}:
@@ -123,6 +135,7 @@ stages:
                     configSqlFor: ${{ config.value.configSqlFor }}
                     operatingSystem: ${{ config.value.operatingSystem }}
                     isArm64: ${{ eq(config.value.isArm64, 'true') }}
+                    saPassword: $(saPassword)
                     ${{if and(eq(usemanagedSNI, false), ne(config.value.configProperties, '{}')) }}:
                       ${{ each x86TF in config.value.configProperties.x86TestTargetFrameworks }}:
                         ${{ if eq(x86TF, targetFramework) }}:

@@ -7,48 +7,51 @@
 # This step configures an existing SQL Server running on the local Linux host.  For example, our 1ES
 # Hosted Pool has images like ADO-UB20-SQL22 that come with SQL Server 2022 pre-installed and
 # running.
-#
-# The SA password is set to the value of the $(Password) variable defined in the ADO Library "ADO
-# Test Configuration properties", brought in by common/templates/libraries/ci-build-variables.yml.
+
+parameters:
+
+  # The SA password to set when configuring SQL Server.
+  - name: saPassword
+    type: string
 
 steps:
-# Linux only steps
-- bash: |
-    sudo systemctl stop mssql-server
-
-    # Password for the SA user (required)
-
-    MSSQL_SA_PW="$(Password)"
-
-    # Product ID of the version of SQL server you're installing
-    # Must be evaluation, developer, express, web, standard, enterprise, or your 25 digit product key
-    MSSQL_PID="enterprise"
-
-    echo Running mssql-conf setup...
-    sudo MSSQL_SA_PASSWORD="$MSSQL_SA_PW" \
-          MSSQL_PID="$MSSQL_PID" \
-          /opt/mssql/bin/mssql-conf -n setup accept-eula
-
-    # Connect to server and get the version:
-    counter=1
-    errstatus=1
-    while [ $counter -le 5 ] && [ $errstatus = 1 ]
-    do
-      echo Waiting for SQL Server to start...
-      sleep 3s
-      /opt/mssql-tools/bin/sqlcmd \
-        -S localhost \
-        -U SA \
-        -P $MSSQL_SA_PW\
-        -Q "SELECT @@VERSION" 2>/dev/null
-      errstatus=$?
-      ((counter++))
-    done
-
-    # Display error if connection failed:
-    if [ $errstatus = 1 ]
-    then
-      echo Cannot connect to SQL Server, installation aborted
-      exit $errstatus
-    fi
-  displayName: 'Configure SQL Server [Linux]'
+
+  # Configure SQL Server.
+  - bash: |
+      sudo systemctl stop mssql-server
+
+      # Password for the SA user (required)
+      MSSQL_SA_PW="${{ parameters.saPassword }}"
+
+      # Product ID of the version of SQL server you're installing
+      # Must be evaluation, developer, express, web, standard, enterprise, or your 25 digit product key
+      MSSQL_PID="enterprise"
+
+      echo Running mssql-conf setup...
+      sudo MSSQL_SA_PASSWORD="$MSSQL_SA_PW" \
+            MSSQL_PID="$MSSQL_PID" \
+            /opt/mssql/bin/mssql-conf -n setup accept-eula
+
+      # Connect to server and get the version:
+      counter=1
+      errstatus=1
+      while [ $counter -le 5 ] && [ $errstatus = 1 ]
+      do
+        echo Waiting for SQL Server to start...
+        sleep 3s
+        /opt/mssql-tools/bin/sqlcmd \
+          -S localhost \
+          -U SA \
+          -P "$MSSQL_SA_PW" \
+          -Q "SELECT @@VERSION" 2>/dev/null
+        errstatus=$?
+        ((counter++))
+      done
+
+      # Display error if connection failed:
+      if [ $errstatus = 1 ]
+      then
+        echo Cannot connect to SQL Server, installation aborted
+        exit $errstatus
+      fi
+    displayName: 'Configure SQL Server [Linux]'