-
Notifications
You must be signed in to change notification settings - Fork 4k
/
azure-pipelines-compliance.yml
128 lines (115 loc) · 4.53 KB
/
azure-pipelines-compliance.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
# Name: DotNet-Roslyn-Compliance
# URL: https://devdiv.visualstudio.com/DevDiv/_build?definitionId=16722
#
# Responsible for running compliance checks.
#
# NOTE: triggers for this build are defined in the Web UI instead of here in the YAML file so they
# apply to all branches.
queue:
name: VSEngSS-MicroBuild2022-1ES
demands: Cmd
timeoutInMinutes: 90
variables:
- group: DotNet-Roslyn-ApiScan
- name: BuildConfiguration
value: Release
- name: TeamName
value: DotNet-Roslyn
- name: SignType
value: test
- name: DOTNET_SKIP_FIRST_TIME_EXPERIENCE
value: true
- name: _DevDivDropAccessToken
value: $(System.AccessToken)
- name: Codeql.Enabled
value: false
- name: Codeql.SkipTaskAutoInjection
value: true
steps:
- template: eng/pipelines/checkout-windows-task.yml
- powershell: Write-Host "##vso[task.setvariable variable=SourceBranchName]$('$(Build.SourceBranch)'.Substring('refs/heads/'.Length))"
displayName: Setting SourceBranchName variable
- powershell: Write-Host "##vso[task.setvariable variable=VisualStudio.DropName]Products/$(System.TeamProject)/$(Build.Repository.Name)/$(SourceBranchName)/$(Build.BuildNumber)"
displayName: Setting VisualStudio.DropName variable
- task: PowerShell@2
displayName: Build
inputs:
filePath: eng/build.ps1
arguments: -ci
-prepareMachine
-restore
-build
-configuration $(BuildConfiguration)
-officialBuildId $(Build.BuildNumber)
-officialSkipTests true
-officialSkipApplyOptimizationData true
-officialSourceBranchName $(SourceBranchName)
-officialVisualStudioDropAccessToken $(_DevDivDropAccessToken)
/p:RepositoryName=$(Build.Repository.Name)
/p:VisualStudioDropName=$(VisualStudio.DropName)
- task: CopyFiles@2
# APIScan can take a long time, so here we copy (mostly) just the product binaries and related .pdbs
# in an effort to limit what it needs to work on.
displayName: Copy Roslyn assemblies for APIScan
inputs:
SourceFolder: '$(Build.SourcesDirectory)\artifacts\bin\Roslyn.VisualStudio.Setup\$(BuildConfiguration)\net472' # Limit to (mostly) product binaries
Contents: |
Microsoft.CodeAnalysis*.dll
Microsoft.CodeAnalysis*.pdb
Microsoft.VisualStudio.LanguageServices*.dll
Microsoft.VisualStudio.LanguageServices*.pdb
TargetFolder: '$(Agent.TempDirectory)\APIScanFiles'
continueOnError: true
- task: CopyFiles@2
displayName: Copy csc assemblies for APIScan
inputs:
SourceFolder: '$(Build.SourcesDirectory)\artifacts\bin\csc\$(BuildConfiguration)\net472'
Contents: |
csc.dll
csc.pdb
TargetFolder: '$(Agent.TempDirectory)\APIScanFiles'
continueOnError: true
- task: CopyFiles@2
displayName: Copy vbc assemblies for APIScan
inputs:
SourceFolder: '$(Build.SourcesDirectory)\artifacts\bin\vbc\$(BuildConfiguration)\net472'
Contents: |
vbc.dll
vbc.pdb
TargetFolder: '$(Agent.TempDirectory)\APIScanFiles'
continueOnError: true
- task: CopyFiles@2
displayName: Copy VBCSCompiler assemblies for APIScan
inputs:
SourceFolder: '$(Build.SourcesDirectory)\artifacts\bin\VBCSCompiler\$(BuildConfiguration)\net472'
Contents: |
VBCSCompiler.dll
VBCSCompiler.pdb
TargetFolder: '$(Agent.TempDirectory)\APIScanFiles'
continueOnError: true
- task: APIScan@2
# Scan for the use of undocumented APIs.
displayName: Run APIScan
inputs:
softwareFolder: '$(Agent.TempDirectory)\APIScanFiles' # Only examine the product binaries we previously copied.
softwareName: 'Dotnet-Roslyn'
softwareVersionNum: '17.0'
softwareBuildNum: '$(Build.BuildId)'
symbolsFolder: 'SRV*http://symweb'
env:
AzureServicesAuthConnectionString: runAs=App;AppId=$(MicroBuildApiScanClientId)
continueOnError: true
- task: TSAUpload@2
# Scan the output of previous steps and create bugs for any problems.
displayName: Upload results and create bugs
inputs:
GdnPublishTsaOnboard: true
GdnPublishTsaConfigFile: '$(Build.SourcesDirectory)\eng\TSAConfig.gdntsa' # All relevant settings are in this file.
continueOnError: true
- task: PublishSecurityAnalysisLogs@3
displayName: Publishing analysis artifacts
inputs:
ArtifactName: 'CodeAnalysisLogs'
ArtifactType: 'Container' # Associate the artifacts with the build.
AllTools: true # Look for logs from all tools.
ToolLogsNotFoundAction: 'Standard' # If a log is not found just output a message to that effect.