Merge branch 'master' into user/sanjuyadav/vso_task_lib_runtime

Author: sanjuyadav24

docs/threat-model/AgentsTasks-ThreatModel.tm7

@@ -0,0 +1,12 @@
+# Threat Model
+
+A threat model provides a visual representation of how components in the stack interact. When the model is accurate, security and compliance teams can evaluate it effectively, identifying potential vulnerabilities and areas for optimization.
+
+Keeping the threat model up to date helps protect **both** customer data and Microsoft assets.
+
+- 📥 [Download the Threat Modeling Tool](https://aka.ms/threatmodelingtool)  
+- 📚 [Learn more about threat modeling](https://osgwiki.com/wiki/Task_-_Services_Security:_Complete_And_Upload_A_Threat_Model)
+
+> **Note:** Diagrams of various flows are exported and checked in as PNGs for easy reference.  
+> When updating the threat model, make sure to check in the latest PNG to:  
+> `azure-pipelines-agent/docs/threat-model/Export`

docs/threat-model/Export/Configure Agent - Threat Model.png

@@ -937,11 +937,18 @@ public async Task GetSourceAsync(
             executionContext.Debug($"sourceVersion : {sourceVersion}");
             executionContext.Debug($"fetchTags : {fetchTags}");
 
+            // Determine if we should use fetch by commit based on shallow vs full clone scenarios
+            bool shouldFetchByCommit = fetchByCommit && !string.IsNullOrEmpty(sourceVersion) &&
+                (fetchDepth > 0 || AgentKnobs.FetchByCommitForFullClone.GetValue(executionContext).AsBoolean());
+
+            executionContext.Debug($"shouldFetchByCommit : {shouldFetchByCommit}");
+
             if (IsPullRequest(sourceBranch))
             {
                 // Build a 'fetch-by-commit' refspec iff the server allows us to do so in the shallow fetch scenario
+                // or if it's a full clone and the FetchByCommitForFullClone knob is enabled
                 // Otherwise, fall back to fetch all branches and pull request ref
-                if (fetchDepth > 0 && fetchByCommit && !string.IsNullOrEmpty(sourceVersion))
+                if (shouldFetchByCommit)
                 {
                     refFetchedByCommit = $"{_remoteRefsPrefix}{sourceVersion}";
                     additionalFetchSpecs.Add($"+{sourceVersion}:{refFetchedByCommit}");
@@ -955,8 +962,9 @@ public async Task GetSourceAsync(
             else
             {
                 // Build a refspec iff the server allows us to fetch a specific commit in the shallow fetch scenario
+                // or if it's a full clone and the FetchByCommitForFullClone knob is enabled
                 // Otherwise, use the default fetch behavior (i.e. with no refspecs)
-                if (fetchDepth > 0 && fetchByCommit && !string.IsNullOrEmpty(sourceVersion))
+                if (shouldFetchByCommit)
                 {
                     refFetchedByCommit = $"{_remoteRefsPrefix}{sourceVersion}";
                     additionalFetchSpecs.Add($"+{sourceVersion}:{refFetchedByCommit}");

docs/threat-model/Export/Job Execution - Threat Model.png

@@ -200,6 +200,13 @@ public class AgentKnobs
             new EnvironmentKnobSource("AGENT_USE_NODE20_IN_UNSUPPORTED_SYSTEM"),
             new BuiltInDefaultKnobSource("false"));
 
+        public static readonly Knob FetchByCommitForFullClone = new Knob(
+            nameof(FetchByCommitForFullClone),
+            "If true, allow fetch by commit when doing a full clone (depth=0).",
+            new RuntimeKnobSource("VSTS.FetchByCommitForFullClone"),
+            new EnvironmentKnobSource("VSTS_FETCHBYCOMMITFORFULLCLONE"),
+            new BuiltInDefaultKnobSource("false"));
+
         // Agent logging
         public static readonly Knob AgentPerflog = new Knob(
             nameof(AgentPerflog),