forked from dotnet/sign
-
Notifications
You must be signed in to change notification settings - Fork 0
/
.vsts-ci.yml
147 lines (142 loc) · 5.63 KB
/
.vsts-ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
variables:
- name: _TeamName
value: DotNetCore
- name: Build.Repository.Clean
value: true
- name: Codeql.Enabled
value: ${{ eq(variables['System.TeamProject'], 'internal') }}
- name: Codeql.TSAEnabled
value: ${{ eq(variables['System.TeamProject'], 'internal') }}
- ${{ if eq(variables['System.TeamProject'], 'internal') }}:
- group: DotNet-Sign-SDLValidation-Params
# CI and PR triggers
trigger:
batch: true
branches:
include:
- main
paths:
exclude:
- "*.md"
pr:
autoCancel: false
branches:
include:
- '*'
# Build
stages:
- stage: Build_Windows
displayName: Build Windows
jobs:
- ${{ if and(eq(variables['System.TeamProject'], 'internal'), notin(variables['Build.Reason'], 'PullRequest'), eq(variables['Build.SourceBranch'], 'refs/heads/main')) }}:
- template: /eng/common/templates/job/onelocbuild.yml
parameters:
LclSource: lclFilesfromPackage
LclPackageId: 'LCL-JUNO-PROD-SIGNCLI'
MirrorRepo: sign
- template: /eng/common/templates/jobs/jobs.yml
parameters:
enableMicrobuild: true
enablePublishBuildArtifacts: true
enablePublishBuildAssets: true
enablePublishUsingPipelines: true
enableTelemetry: true
jobs:
- job: Windows
pool: # See https://helix.dot.net/ for VM names.
${{ if eq(variables['System.TeamProject'], 'internal') }}:
name: NetCore1ESPool-Internal
demands: ImageOverride -equals windows.vs2022preview.amd64
${{ else }}:
name: NetCore-Public
demands: ImageOverride -equals windows.vs2022preview.amd64.open
variables:
# Only enable publishing in official builds.
- ${{ if and(eq(variables['System.TeamProject'], 'internal'), notin(variables['Build.Reason'], 'PullRequest')) }}:
# Publish-Build-Assets provides: MaestroAccessToken, BotAccount-dotnet-maestro-bot-PAT
- group: Publish-Build-Assets
- name: _SignType
value: real
- name: _OfficialBuildArgs
value: /p:DotNetPublishUsingPipelines=true
/p:DotNetSignType=$(_SignType)
/p:OfficialBuildId=$(BUILD.BUILDNUMBER)
/p:TeamName=$(_TeamName)
- ${{ else }}:
- name: _SignType
value: test
- name: _OfficialBuildArgs
value: ''
strategy:
matrix:
Release:
_BuildConfig: Release
steps:
- ${{ if eq(variables['System.TeamProject'], 'internal') }}:
- task: CodeQL3000Init@0
displayName: Initialize CodeQL
condition: and(succeeded(), eq(variables['Codeql.Enabled'], 'true'))
- script: eng\common\CIBuild.cmd
-configuration $(_BuildConfig)
-prepareMachine
$(_OfficialBuildArgs)
name: Build
displayName: Build and run tests
condition: succeeded()
- ${{ if eq(variables['System.TeamProject'], 'internal') }}:
- task: CodeQL3000Finalize@0
displayName: Finalize CodeQL
condition: and(succeeded(), eq(variables['Codeql.Enabled'], 'true'))
# Guardian requires npm.
- task: NodeTool@0
inputs:
versionSpec: '18.x'
# Validates compiler/linker settings and other security-related binary characteristics.
# https://github.com/Microsoft/binskim
# YAML reference: https://eng.ms/docs/security-compliance-identity-and-management-scim/security/azure-security/cloudai-security-fundamentals-engineering/security-integration/guardian-wiki/sdl-azdo-extension/binskim-build-task#v4
- task: BinSkim@4
displayName: Run BinSkim
inputs:
InputType: Basic
Function: analyze
TargetPattern: binskimPattern
AnalyzeTargetBinskim: $(Build.SourcesDirectory)\artifacts\bin\Sign.Cli\$(_BuildConfig)\net6.0\win10-x64\publish\*.dll
AnalyzeSymPath: 'SRV*https://symweb'
condition: succeededOrFailed()
- task: PublishTestResults@2
displayName: 'Publish Unit Test Results'
inputs:
testResultsFormat: xUnit
testResultsFiles: '$(Build.SourcesDirectory)/artifacts/TestResults/**/*.xml'
mergeTestResults: true
searchFolder: $(System.DefaultWorkingDirectory)
testRunTitle: sign unit tests - $(Agent.JobName)
condition: succeededOrFailed()
- task: ComponentGovernanceComponentDetection@0
displayName: Component Governance scan
inputs:
ignoreDirectories: '$(Build.SourcesDirectory)/.packages,$(Build.SourcesDirectory)/artifacts/obj/Sign.Cli'
- ${{ if eq(variables['System.TeamProject'], 'internal') }}:
- template: eng\common\templates\post-build\post-build.yml
parameters:
publishingInfraVersion: 3
enableSymbolValidation: true
enableSourceLinkValidation: true
validateDependsOn:
- Build_Windows
publishDependsOn:
- Validate
# This is to enable SDL runs part of Post-Build Validation Stage
SDLValidationParameters:
enable: true
params: ' -SourceToolsList @("policheck","credscan")
-TsaInstanceURL $(_TsaInstanceURL)
-TsaProjectName $(_TsaProjectName)
-TsaNotificationEmail $(_TsaNotificationEmail)
-TsaCodebaseAdmin $(_TsaCodebaseAdmin)
-TsaBugAreaPath $(_TsaBugAreaPath)
-TsaIterationPath $(_TsaIterationPath)
-TsaRepositoryName dotnet-sign
-TsaCodebaseName dotnet-sign
-TsaOnboard $True
-TsaPublish $True'