-
Notifications
You must be signed in to change notification settings - Fork 93
/
.vsts-ci.yml
158 lines (151 loc) · 6.07 KB
/
.vsts-ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
# Pipeline: https://dnceng.visualstudio.com/internal/_build?definitionId=1190
variables:
- name: _TeamName
value: DotNetCore
- name: Build.Repository.Clean
value: true
- name: Codeql.Enabled
value: true
- name: Codeql.TSAEnabled
value: true
- group: DotNet-Sign-SDLValidation-Params
- template: /eng/common/templates-official/variables/pool-providers.yml
trigger:
batch: true
branches:
include:
- main
paths:
exclude:
- "*.md"
pr:
autoCancel: false
branches:
include:
- '*'
resources:
repositories:
- repository: 1esPipelines
type: git
name: 1ESPipelineTemplates/1ESPipelineTemplates
ref: refs/tags/release
extends:
template: v1/1ES.Official.PipelineTemplate.yml@1esPipelines
parameters:
sdl:
sourceAnalysisPool:
name: $(DncEngInternalBuildPool)
image: 1es-windows-2022
os: windows
customBuildTags:
- ES365AIMigrationTooling
stages:
- stage: Build_Windows
displayName: Build Windows
jobs:
- ${{ if and(eq(variables['System.TeamProject'], 'internal'), notin(variables['Build.Reason'], 'PullRequest'), eq(variables['Build.SourceBranch'], 'refs/heads/main')) }}:
- template: /eng/common/templates-official/job/onelocbuild.yml@self
parameters:
LclSource: lclFilesfromPackage
LclPackageId: 'LCL-JUNO-PROD-SIGNCLI'
MirrorRepo: sign
- template: /eng/common/templates-official/jobs/jobs.yml@self
parameters:
enableMicrobuild: true
enablePublishBuildArtifacts: true
enablePublishBuildAssets: true
enablePublishUsingPipelines: true
enableTelemetry: true
jobs:
- job: Windows
pool: # See https://helix.dot.net/ for VM names.
name: NetCore1ESPool-Internal
demands: ImageOverride -equals windows.vs2022preview.amd64
variables:
# Only enable publishing in official builds.
- ${{ if and(eq(variables['System.TeamProject'], 'internal'), notin(variables['Build.Reason'], 'PullRequest')) }}:
# Publish-Build-Assets provides: MaestroAccessToken, BotAccount-dotnet-maestro-bot-PAT
- group: Publish-Build-Assets
- name: _SignType
value: real
- name: _OfficialBuildArgs
value: /p:DotNetPublishUsingPipelines=true
/p:DotNetSignType=$(_SignType)
/p:OfficialBuildId=$(BUILD.BUILDNUMBER)
/p:TeamName=$(_TeamName)
- ${{ else }}:
- name: _SignType
value: test
- name: _OfficialBuildArgs
value: ''
strategy:
matrix:
Release:
_BuildConfig: Release
steps:
- task: CodeQL3000Init@0
displayName: Initialize CodeQL
condition: and(succeeded(), eq(variables['Codeql.Enabled'], 'true'))
- script: eng\common\CIBuild.cmd
-configuration $(_BuildConfig)
-prepareMachine
$(_OfficialBuildArgs)
name: Build
displayName: Build and run tests
condition: succeeded()
- task: CodeQL3000Finalize@0
displayName: Finalize CodeQL
condition: and(succeeded(), eq(variables['Codeql.Enabled'], 'true'))
# Guardian requires npm.
- task: NodeTool@0
inputs:
versionSpec: '18.x'
# Validates compiler/linker settings and other security-related binary characteristics.
# https://github.com/Microsoft/binskim
# YAML reference: https://eng.ms/docs/security-compliance-identity-and-management-scim/security/azure-security/cloudai-security-fundamentals-engineering/security-integration/guardian-wiki/sdl-azdo-extension/binskim-build-task#v4
- task: BinSkim@4
displayName: Run BinSkim
inputs:
InputType: Basic
Function: analyze
TargetPattern: binskimPattern
AnalyzeTargetBinskim: $(Build.SourcesDirectory)\artifacts\bin\Sign.Cli\$(_BuildConfig)\net8.0\win-x64\publish\*.dll
AnalyzeSymPath: 'SRV*https://symweb'
condition: succeededOrFailed()
- task: PublishTestResults@2
displayName: 'Publish Unit Test Results'
inputs:
testResultsFormat: xUnit
testResultsFiles: '$(Build.SourcesDirectory)/artifacts/TestResults/**/*.xml'
mergeTestResults: true
searchFolder: $(System.DefaultWorkingDirectory)
testRunTitle: sign unit tests - $(Agent.JobName)
condition: succeededOrFailed()
- task: ComponentGovernanceComponentDetection@0
displayName: Component Governance scan
inputs:
ignoreDirectories: '$(Build.SourcesDirectory)/.packages,$(Build.SourcesDirectory)/artifacts/obj/Sign.Cli'
- template: /eng/common/templates-official/post-build/post-build.yml@self
parameters:
publishingInfraVersion: 3
enableSymbolValidation: true
enableSourceLinkValidation: true
validateDependsOn:
- Build_Windows
publishDependsOn:
- Validate
# This is to enable SDL runs part of Post-Build Validation Stage
SDLValidationParameters:
enable: true
params: ' -SourceToolsList @("policheck","credscan")
-TsaInstanceURL $(_TsaInstanceURL)
-TsaProjectName $(_TsaProjectName)
-TsaNotificationEmail $(_TsaNotificationEmail)
-TsaCodebaseAdmin $(_TsaCodebaseAdmin)
-TsaBugAreaPath $(_TsaBugAreaPath)
-TsaIterationPath $(_TsaIterationPath)
-TsaRepositoryName dotnet-sign
-TsaCodebaseName dotnet-sign
-TsaOnboard $True
-TsaPublish $True
-PoliCheckAdditionalRunConfigParams @("UserExclusionPath < $(Build.SourcesDirectory)/eng/PoliCheckExclusions.xml")'