From a7e4f8c4b229f881d1ddc5696b70dd5a75603cfc Mon Sep 17 00:00:00 2001
From: dotnet-docker-bot <60522487+dotnet-docker-bot@users.noreply.github.com>
Date: Thu, 21 May 2026 08:34:42 -0700
Subject: [PATCH] Update common Docker engineering infrastructure with latest

---
 eng/docker-tools/DEV-GUIDE.md                          | 2 ++
 eng/docker-tools/templates/stages/publish.yml          | 6 +++++-
 eng/docker-tools/templates/variables/docker-images.yml | 2 +-
 3 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/eng/docker-tools/DEV-GUIDE.md b/eng/docker-tools/DEV-GUIDE.md
index f834566d86..28ddc471bc 100644
--- a/eng/docker-tools/DEV-GUIDE.md
+++ b/eng/docker-tools/DEV-GUIDE.md
@@ -427,6 +427,8 @@ When you queue a new run, you can override these as runtime parameters:
 
 This avoids the multi-hour rebuild cycle when you just need to retry a failed operation.
 
+When signing is enabled, use `"publish"` by itself only if the images from `sourceBuildPipelineRunId` were already signed and the current run is not building new images. Use `"sign,publish"` when the current run still needs to sign them before publishing.
+
 ---
 
 ## Troubleshooting
diff --git a/eng/docker-tools/templates/stages/publish.yml b/eng/docker-tools/templates/stages/publish.yml
index 7195aaa828..2c17283eca 100644
--- a/eng/docker-tools/templates/stages/publish.yml
+++ b/eng/docker-tools/templates/stages/publish.yml
@@ -47,7 +47,7 @@ stages:
   # Run when all of the following are true:
   # 1. The pipeline has not been canceled.
   # 2. The stages variable includes 'publish'.
-  # 3. Either signing is not enabled, or the Sign stage succeeded.
+  # 3. Either signing is not enabled, this run is reusing previously signed images, or the Sign stage succeeded.
   # 4. Either the stages variable does not include 'build', or Post_Build succeeded.
   # 5. Either the stages variable does not include 'test', or Test succeeded/was skipped.
   condition: "
@@ -56,6 +56,10 @@ stages:
       contains(variables['stages'], 'publish'),
       or(
         ne(lower('${{ parameters.publishConfig.Signing.Enabled }}'), 'true'),
+        and(
+          not(contains(variables['stages'], 'build')),
+          not(contains(variables['stages'], 'sign'))
+        ),
         in(dependencies.Sign.result, 'Succeeded', 'SucceededWithIssues')
       ),
       or(
diff --git a/eng/docker-tools/templates/variables/docker-images.yml b/eng/docker-tools/templates/variables/docker-images.yml
index eb0663cf45..8f7679aa66 100644
--- a/eng/docker-tools/templates/variables/docker-images.yml
+++ b/eng/docker-tools/templates/variables/docker-images.yml
@@ -1,5 +1,5 @@
 variables:
-  imageNames.imageBuilderName: mcr.microsoft.com/dotnet-buildtools/image-builder:2972986
+  imageNames.imageBuilderName: mcr.microsoft.com/dotnet-buildtools/image-builder:2980918
   imageNames.imageBuilder: $(imageNames.imageBuilderName)
   imageNames.imageBuilder.withrepo: imagebuilder-withrepo:$(Build.BuildId)-$(System.JobId)
   imageNames.testRunner: mcr.microsoft.com/dotnet-buildtools/prereqs:azurelinux3.0-docker-testrunner