From 50b3d6b23a49520af3f4525a250429cc2036fac2 Mon Sep 17 00:00:00 2001 From: Liviu Dima Date: Thu, 10 Oct 2024 13:59:25 +0300 Subject: [PATCH 1/6] Migrate release pipeline to governed template --- .azure-devops/nova-facade-release.yml | 111 +++++++++++++++----------- 1 file changed, 65 insertions(+), 46 deletions(-) diff --git a/.azure-devops/nova-facade-release.yml b/.azure-devops/nova-facade-release.yml index 6f573a0..ab8d0d5 100644 --- a/.azure-devops/nova-facade-release.yml +++ b/.azure-devops/nova-facade-release.yml @@ -1,6 +1,13 @@ -pr: none +resources: + repositories: + - repository: 1ESPipelineTemplates + type: git + name: 1ESPipelineTemplates/1ESPipelineTemplates + ref: refs/tags/release + trigger: - main +pr: none schedules: - cron: 0 0 * * Mon displayName: Nova-Facade weekly pipeline validation 
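Review bot: The `1ESPipelineTemplates` repository resource is consumed from the floating tag `refs/tags/release`, so any change to the governed template flows into this release pipeline without a review in this repository. That appears to be the reference the 1ES onboarding material prescribes, but nothing in the file says so, and a future maintainer may either pin it to a SHA or be surprised by template-driven behaviour changes. Add a one-line comment above `ref: refs/tags/release`, e.g. `# Floating tag as required by 1ES; template updates reach this pipeline without a PR here`, and treat the 1ES tag owner as part of this pipeline's trust boundary.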
@@ -14,52 +21,64 @@ variables: - name: tags value: production,externalfacing - name: serviceTreeID - value: 6F8CD842-E117-412F-BAE4-56A3B6166594 + value: ade7d667-42f5-485a-91a9-f1dc6482a9b0 - name: adoNpmFeedBaseUrl value: https://pkgs.dev.azure.com/domoreexp/_apis/packaging/feeds/npm-mirror -jobs: - - job: compliance - displayName: Compliance checks - pool: - name: 1ES-Teams-Windows-2022-DomoreexpGithub - steps: - - template: ./steps/service-tree.yml - parameters: - serviceTreeID: $(serviceTreeID) - - template: ./steps/compliance-steps.yml +extends: + template: v1/1ES.Official.PipelineTemplate.yml@1ESPipelineTemplates + stages: + - stage: Release_And_Compliance + jobs: + - job: compliance + displayName: Compliance checks + pool: + name: Azure-Pipelines-1ESPT-ExDShared + image: windows-2022 + os: windows + steps: + - template: ./steps/service-tree.yml@self + parameters: + serviceTreeID: $(serviceTreeID) + - template: ./steps/compliance-steps.yml@self - - job: Release - variables: - - group: oss-secrets - dependsOn: Compliance - pool: "1ES-Teams-Ubuntu-Latest-Compliant-NCUS" - steps: - - template: ./steps/service-tree.yml - parameters: - serviceTreeID: $(serviceTreeID) - - script: yarn - displayName: yarn - - script: | - yarn ci - displayName: build and test [test] - - script: | - git config user.email "gql-svc@microsoft.com" - git config user.name "Graphitation Service Account" - git remote set-url origin https://gql-svc:$(ossGithubPAT)@github.com/microsoft/nova-facade.git - displayName: Configure git for release - - script: yarn release -y -n $(ossNpmToken) --access public - displayName: Release - - task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0 - displayName: 📒 Generate Manifest - inputs: - BuildDropPath: $(System.DefaultWorkingDirectory) - - task: PublishPipelineArtifact@1 - displayName: 📒 Publish Manifest - inputs: - artifactName: SBom-$(System.JobAttempt) - targetPath: $(System.DefaultWorkingDirectory)/_manifest - 
- template: ./steps/pierce-ado-npm-mirror-cache.yml - parameters: - adoNpmFeedPat: $(adoNpmFeedPat) - adoNpmFeedBaseUrl: $(adoNpmFeedBaseUrl) + - job: Release + variables: + - group: oss-secrets + dependsOn: Compliance + pool: + name: Azure-Pipelines-1ESPT-ExDShared + image: ubuntu-latest + os: linux + templateContext: + type: releaseJob + isProduction: true + steps: + - template: ./steps/service-tree.yml@self + parameters: + serviceTreeID: $(serviceTreeID) + - script: yarn + displayName: yarn + - script: | + yarn ci + displayName: build and test [test] + - script: | + git config user.email "gql-svc@microsoft.com" + git config user.name "Graphitation Service Account" + git remote set-url origin https://gql-svc:$(ossGithubPAT)@github.com/microsoft/nova-facade.git + displayName: Configure git for release + - script: yarn release -y -n $(ossNpmToken) --access public + displayName: Release + - task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0 + displayName: 📒 Generate Manifest + inputs: + BuildDropPath: $(System.DefaultWorkingDirectory) + - task: PublishPipelineArtifact@1 + displayName: 📒 Publish Manifest + inputs: + artifactName: SBom-$(System.JobAttempt) + targetPath: $(System.DefaultWorkingDirectory)/_manifest + - template: ./steps/pierce-ado-npm-mirror-cache.yml@self + parameters: + adoNpmFeedPat: $(adoNpmFeedPat) + adoNpmFeedBaseUrl: $(adoNpmFeedBaseUrl) From d86a0af21c4a0e29535dbcb72f9ffb463b57da29 Mon Sep 17 00:00:00 2001 From: Liviu Dima Date: Thu, 10 Oct 2024 14:49:19 +0300 Subject: [PATCH 2/6] Update Release task to 1ES --- .azure-devops/nova-facade-release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.azure-devops/nova-facade-release.yml b/.azure-devops/nova-facade-release.yml index ab8d0d5..75e7659 100644 --- a/.azure-devops/nova-facade-release.yml +++ b/.azure-devops/nova-facade-release.yml 
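Review bot: The Release job's `Configure git for release` step expands `$(ossGithubPAT)` directly inside the script body and bakes it into the remote URL, so the token is written into the generated script file and persists in `.git/config` on the agent for the rest of the job; `yarn release -y -n $(ossNpmToken)` likewise expands the npm token into the script text. These lines are carried over from the old job rather than introduced here, but a `releaseJob` with `isProduction: true` is exactly where they should be tightened. Pass both secrets through `env:` so they exist only in the process environment, keep the remote URL credential-free, and let a credential helper read the token at push time so nothing secret is stored on disk; if the release tool reads its npm token from the environment (not visible from here), prefer that over the `-n` argument, which still lands in argv.
```yaml
- script: |
    git config user.email "gql-svc@microsoft.com"
    git config user.name "Graphitation Service Account"
    git remote set-url origin https://github.com/microsoft/nova-facade.git
    # Token is read from the environment at push time; nothing secret is written to .git/config.
    git config credential.helper '!f() { echo "username=gql-svc"; echo "password=${GH_PAT}"; }; f'
  displayName: Configure git for release
- script: yarn release -y -n "$NPM_TOKEN" --access public
  displayName: Release
  env:
    GH_PAT: $(ossGithubPAT)
    NPM_TOKEN: $(ossNpmToken)
# … unchanged: SBOM generation / publish, npm mirror cache pierce …
```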
@@ -73,7 +73,7 @@ extends: displayName: 📒 Generate Manifest inputs: BuildDropPath: $(System.DefaultWorkingDirectory) - - task: PublishPipelineArtifact@1 + - task: 1ES.PublishPipelineArtifact@1 displayName: 📒 Publish Manifest inputs: artifactName: SBom-$(System.JobAttempt) From b62c5fbffabd12032d44bda432c2c480bb884a5b Mon Sep 17 00:00:00 2001 From: Liviu Dima Date: Thu, 10 Oct 2024 15:59:24 +0300 Subject: [PATCH 3/6] Update to valid config. --- .azure-devops/nova-facade-release.yml | 123 ++++++++++++++------------ 1 file changed, 67 insertions(+), 56 deletions(-) diff --git a/.azure-devops/nova-facade-release.yml b/.azure-devops/nova-facade-release.yml index 75e7659..d25c9c2 100644 --- a/.azure-devops/nova-facade-release.yml +++ b/.azure-devops/nova-facade-release.yml @@ -5,9 +5,9 @@ resources: name: 1ESPipelineTemplates/1ESPipelineTemplates ref: refs/tags/release +pr: none trigger: - main -pr: none schedules: - cron: 0 0 * * Mon displayName: Nova-Facade weekly pipeline validation 
@@ -21,64 +21,75 @@ variables: - name: tags value: production,externalfacing - name: serviceTreeID - value: ade7d667-42f5-485a-91a9-f1dc6482a9b0 + value: 6F8CD842-E117-412F-BAE4-56A3B6166594 - name: adoNpmFeedBaseUrl value: https://pkgs.dev.azure.com/domoreexp/_apis/packaging/feeds/npm-mirror extends: - template: v1/1ES.Official.PipelineTemplate.yml@1ESPipelineTemplates - stages: - - stage: Release_And_Compliance - jobs: - - job: compliance - displayName: Compliance checks - pool: - name: Azure-Pipelines-1ESPT-ExDShared - image: windows-2022 - os: windows - steps: - - template: ./steps/service-tree.yml@self - parameters: - serviceTreeID: $(serviceTreeID) - - template: ./steps/compliance-steps.yml@self + template: v1/1ES.Unofficial.PipelineTemplate.yml@1ESPipelineTemplates - - job: Release + parameters: + sdl: + sourceAnalysisPool: + name: Azure-Pipelines-1ESPT-ExDShared + image: windows-2022 + os: windows + stages: + - stage: release variables: - - group: oss-secrets - dependsOn: Compliance - pool: - name: Azure-Pipelines-1ESPT-ExDShared - image: ubuntu-latest - os: linux - templateContext: - type: releaseJob - isProduction: true - steps: - - template: ./steps/service-tree.yml@self - parameters: - serviceTreeID: $(serviceTreeID) - - script: yarn - displayName: yarn - - script: | - yarn ci - displayName: build and test [test] - - script: | - git config user.email "gql-svc@microsoft.com" - git config user.name "Graphitation Service Account" - git remote set-url origin https://gql-svc:$(ossGithubPAT)@github.com/microsoft/nova-facade.git - displayName: Configure git for release - - script: yarn release -y -n $(ossNpmToken) --access public - displayName: Release - - task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0 - displayName: 📒 Generate Manifest - inputs: - BuildDropPath: $(System.DefaultWorkingDirectory) - - task: 1ES.PublishPipelineArtifact@1 - displayName: 📒 Publish Manifest - inputs: - artifactName: 
SBom-$(System.JobAttempt) - targetPath: $(System.DefaultWorkingDirectory)/_manifest - - template: ./steps/pierce-ado-npm-mirror-cache.yml@self - parameters: - adoNpmFeedPat: $(adoNpmFeedPat) - adoNpmFeedBaseUrl: $(adoNpmFeedBaseUrl) + # OPTIONAL: Set this varibale to 'true' to enable signing in a target stage. + # Remove if signing is not required. + Build.ESRP.CodeSign.Enabled: true + # OPTIONAL: To disable required tools not applicable in the pipeline set to false. + # Supported values: BinSkim, Roslyn, ESLint, PREFast. + Build.SDL..Enabled: false + Build.SDL..Enabled: true + jobs: + - job: compliance + displayName: Compliance checks + pool: + name: Azure-Pipelines-1ESPT-ExDShared + image: windows-2022 + os: windows + steps: + - template: .azure-devops/steps/service-tree.yml@self + parameters: + serviceTreeID: $(serviceTreeID) + + - job: Release + variables: + - group: oss-secrets + dependsOn: Compliance + pool: + name: Azure-Pipelines-1ESPT-ExDShared + image: ubuntu-latest + os: linux + steps: + - template: .azure-devops/steps/service-tree.yml@self + parameters: + serviceTreeID: $(serviceTreeID) + - script: yarn + displayName: yarn + - script: | + yarn ci + displayName: build and test [test] + - script: | + git config user.email "gql-svc@microsoft.com" + git config user.name "Graphitation Service Account" + git remote set-url origin https://gql-svc:$(ossGithubPAT)@github.com/microsoft/nova-facade.git + displayName: Configure git for release + - script: yarn release -y -n $(ossNpmToken) --access public + displayName: Release + - task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0 + displayName: 📒 Generate Manifest + inputs: + BuildDropPath: $(System.DefaultWorkingDirectory) + - task: 1ES.PublishPipelineArtifact@1 + displayName: 📒 Publish Manifest + inputs: + artifactName: SBom-$(System.JobAttempt) + targetPath: $(System.DefaultWorkingDirectory)/_manifest + - template: 
.azure-devops/steps/pierce-ado-npm-mirror-cache.yml@self + parameters: + adoNpmFeedPat: $(adoNpmFeedPat) + adoNpmFeedBaseUrl: $(adoNpmFeedBaseUrl) From bb438f8102e1d77467cf3fb54c02d51f21b72b65 Mon Sep 17 00:00:00 2001 From: Liviu Dima Date: Fri, 11 Oct 2024 10:58:02 +0300 Subject: [PATCH 4/6] Use official template --- .azure-devops/nova-facade-release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.azure-devops/nova-facade-release.yml b/.azure-devops/nova-facade-release.yml index d25c9c2..a48eff0 100644 --- a/.azure-devops/nova-facade-release.yml +++ b/.azure-devops/nova-facade-release.yml @@ -26,7 +26,7 @@ variables: value: https://pkgs.dev.azure.com/domoreexp/_apis/packaging/feeds/npm-mirror extends: - template: v1/1ES.Unofficial.PipelineTemplate.yml@1ESPipelineTemplates + template: v1/1ES.Official.PipelineTemplate.yml@1ESPipelineTemplates parameters: sdl: From d9c3a28b5192897a57ab28a8941a124c5aa5f41d Mon Sep 17 00:00:00 2001 From: Liviu Dima Date: Fri, 11 Oct 2024 11:49:59 +0300 Subject: [PATCH 5/6] Remove manifest generation as it is part of publish artifacts. --- .azure-devops/nova-facade-release.yml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/.azure-devops/nova-facade-release.yml b/.azure-devops/nova-facade-release.yml index a48eff0..2653b46 100644 --- a/.azure-devops/nova-facade-release.yml +++ b/.azure-devops/nova-facade-release.yml @@ -21,7 +21,7 @@ variables: - name: tags value: production,externalfacing - name: serviceTreeID - value: 6F8CD842-E117-412F-BAE4-56A3B6166594 + value: ade7d667-42f5-485a-91a9-f1dc6482a9b0 - name: adoNpmFeedBaseUrl value: https://pkgs.dev.azure.com/domoreexp/_apis/packaging/feeds/npm-mirror 
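Review bot: The two `Build.SDL..Enabled` entries in the `release` stage variables are the template's `Build.SDL.<Tool>.Enabled` placeholder with the tool segment left empty, so they form a duplicate YAML key with conflicting values (`false` then `true`) and configure no tool at all; the pipeline loader will either reject the duplicate or silently keep the last value. Either name the intended tools, e.g. `Build.SDL.ESLint.Enabled: true`, and drop the `false` line, or remove both lines together with their copied-in comment so the template defaults apply. Separately, `Build.ESRP.CodeSign.Enabled: true` is set although no signing step is visible in this job, and the Release job no longer declares the `templateContext: type: releaseJob` / `isProduction: true` the previous revision carried — worth confirming both are intentional for a job that publishes to public npm.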
@@ -80,10 +80,6 @@ extends: displayName: Configure git for release - script: yarn release -y -n $(ossNpmToken) --access public displayName: Release - - task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0 - displayName: 📒 Generate Manifest - inputs: - BuildDropPath: $(System.DefaultWorkingDirectory) - task: 1ES.PublishPipelineArtifact@1 displayName: 📒 Publish Manifest inputs: From 90d042abd25008130a96f9a4c18d13566b02290d Mon Sep 17 00:00:00 2001 From: Liviu Dima Date: Mon, 14 Oct 2024 12:27:19 +0300 Subject: [PATCH 6/6] Simplify pipeline and remove unneeded files. --- .azure-devops/nova-facade-release.yml | 17 +-------- .azure-devops/steps/compliance-steps.yml | 46 ------------------------ .azure-devops/steps/service-tree.yml | 12 ------- 3 files changed, 1 insertion(+), 74 deletions(-) delete mode 100644 .azure-devops/steps/compliance-steps.yml delete mode 100644 .azure-devops/steps/service-tree.yml diff --git a/.azure-devops/nova-facade-release.yml b/.azure-devops/nova-facade-release.yml index 2653b46..e3eae86 100644 --- a/.azure-devops/nova-facade-release.yml +++ b/.azure-devops/nova-facade-release.yml @@ -45,29 +45,14 @@ extends: Build.SDL..Enabled: false Build.SDL..Enabled: true jobs: - - job: compliance - displayName: Compliance checks - pool: - name: Azure-Pipelines-1ESPT-ExDShared - image: windows-2022 - os: windows - steps: - - template: .azure-devops/steps/service-tree.yml@self - parameters: - serviceTreeID: $(serviceTreeID) - - job: Release variables: - group: oss-secrets - dependsOn: Compliance pool: name: Azure-Pipelines-1ESPT-ExDShared image: ubuntu-latest os: linux steps: - - template: .azure-devops/steps/service-tree.yml@self - parameters: - serviceTreeID: $(serviceTreeID) - script: yarn displayName: yarn - script: | 
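Review bot: With `ManifestGeneratorTask` removed, nothing in the Release job creates the `_manifest` directory that the `1ES.PublishPipelineArtifact@1` step's `targetPath` (just past the end of this hunk, `$(System.DefaultWorkingDirectory)/_manifest`) still points at, so the publish step now targets a path that is never produced. If the intent is that the 1ES publish task generates the SBOM for whatever it publishes, the artifact should carry the actual release output — `targetPath: $(System.DefaultWorkingDirectory)` or the package build directory — and the `📒 Publish Manifest` display name and `SBom-` artifact name should be renamed to match. I am inferring the 1ES task's SBOM behaviour from the commit message rather than from anything visible in the hunk.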
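Review bot: Deleting the `compliance` job together with `dependsOn: Compliance` removes the only gate visible in this file between security scanning and the npm publish; the Release job now runs unconditionally on every `main` push and on the weekly schedule. If the 1ES Official template's SDL stage is meant to replace the CredScan, ESLint and PostAnalysis steps being deleted from `compliance-steps.yml` later in this patch, say so where a reader will look for it, e.g. `# Compliance scanning (CredScan, ESLint, Guardian break) is provided by the 1ES template's SDL stage` above `jobs:`, and confirm the template's break policy is at least as strict as the former `GdnBreakPolicyMinSev: Warning` / `GdnBreakAllTools: true`.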
@@ -88,4 +73,4 @@ extends: - template: .azure-devops/steps/pierce-ado-npm-mirror-cache.yml@self parameters: adoNpmFeedPat: $(adoNpmFeedPat) - adoNpmFeedBaseUrl: $(adoNpmFeedBaseUrl) + adoNpmFeedBaseUrl: $(adoNpmFeedBaseUrl) \ No newline at end of file diff --git a/.azure-devops/steps/compliance-steps.yml b/.azure-devops/steps/compliance-steps.yml deleted file mode 100644 index 5261317..0000000 --- a/.azure-devops/steps/compliance-steps.yml +++ /dev/null 
@@ -1,46 +0,0 @@ -# These steps have to run on a windows machine, -# and therefore unfortunately can't be integrated in the regular steps - -steps: - - task: UseDotNet@2 - condition: succeededOrFailed() - displayName: "Use .NET Core sdk 3.x" - inputs: - version: 3.x - steps: - - - task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@3 - condition: succeededOrFailed() - displayName: "🧭 Run Credential Scanner" - inputs: - debugMode: false - - - task: securedevelopmentteam.vss-secure-development-tools.build-task-eslint.ESLint@1 - condition: succeededOrFailed() - displayName: "🧭 Run ESLint" - - - task: securedevelopmentteam.vss-secure-development-tools.build-task-publishsecurityanalysislogs.PublishSecurityAnalysisLogs@3 - displayName: "🧭 Publish Guardian Artifacts - All Tools" - inputs: - ArtifactType: M365 - condition: succeededOrFailed() - - - task: AssetRetention@3 - displayName: 🧭 Arrow Retention - inputs: - ArrowServiceConnection: "Arrow_Domoreexpgithub_PROD" - AssetGroupName: "$(System.TeamProject)_$(Build.DefinitionName)" - AssetNumber: "$(Build.BuildId)" - IsShipped: false - DropsToRetain: "CodeAnalysisLogs" - condition: and(succeeded(), eq(variables['Build.SourceBranch'], 'refs/heads/main')) - - - task: securedevelopmentteam.vss-secure-development-tools.build-task-postanalysis.PostAnalysis@2 - displayName: "🧭 Guardian Break" - inputs: - GdnBreakPolicyMinSev: Warning - GdnBreakAllTools: true - GdnBreakGdnToolESLint: true - GdnBreakGdnToolESLintSeverity: Warning - GdnBreakPolicy: M365 - condition: succeededOrFailed() diff --git a/.azure-devops/steps/service-tree.yml b/.azure-devops/steps/service-tree.yml deleted file mode 100644 index fe96400..0000000 --- a/.azure-devops/steps/service-tree.yml +++ /dev/null 
@@ -1,12 +0,0 @@ -parameters: - - name: serviceTreeID - type: string - default: "PLEASE USE YOUR SERVICE TREE ID FOR THE REPO" - -steps: - - task: skvso.servicetree-build-tasks.servicetree-link-build-task.servicetree-link-build-task@1 - displayName: "ServiceTree Integration" - inputs: - ServiceTreeGateway: "ServiceTree Gateway" - Service: ${{ parameters.serviceTreeID }} - BuildOutputUsage: production