azure-pipelines: Only enable signing on builds that aren't PRs and on specific branches

azure-pipelines/1esstages.yml

@@ -19,7 +19,8 @@ stages:
             templateContext:
               mb: # Enable the MicroBuild Signing toolset
                 signing:
-                  enabled: true
+                  # Enable the signing toolset when the build is not a PR and the branch is main or starts with rel/
+                  enabled: $[and(ne(variables['Build.Reason'], 'PullRequest'), or(eq(variables['Build.SourceBranchName'], 'main'), startsWith(variables['Build.SourceBranchName'], 'rel/')))]
                   signType: real # options are 'real' & 'test'
                   zipSources: false
               outputs:

azure-pipelines/templates/sign.yml

@@ -11,6 +11,8 @@ steps:
           Write-Output "SignExtension.signproj file not found. Skipping signing."
       }
     displayName: "\U0001F449 Check for SignExtension.signproj File"
+    # Run this step when the build is not a PR and the branch is main or starts with rel/
+    condition: and(ne(variables['Build.Reason'], 'PullRequest'), or(eq(variables['Build.SourceBranchName'], 'main'), startsWith(variables['Build.SourceBranchName'], 'rel/')))
 
   # put the extension name and version from the package.json into variables to use later. Variables can be used in later steps as $(package.name) and $(package.version)
   - pwsh: |