From a7a0aa07ce646fbeefee35a107117c0af31223ec Mon Sep 17 00:00:00 2001 From: Gabe Stocco <98900+gfs@users.noreply.github.com> Date: Wed, 6 Nov 2024 10:23:37 -0800 Subject: [PATCH] Templatify core pipeline too --- Pipelines/asa-release.yml | 4 + Pipelines/core-pipeline.yml | 389 ++++-------------------------------- 2 files changed, 39 insertions(+), 354 deletions(-) diff --git a/Pipelines/asa-release.yml b/Pipelines/asa-release.yml index 7f7b8f13..9300baac 100644 --- a/Pipelines/asa-release.yml +++ b/Pipelines/asa-release.yml @@ -4,6 +4,10 @@ pr: none resources: repositories: + - repository: templates + type: git + name: SecurityEngineering/OSS-Tools-Pipeline-Templates + ref: refs/tags/v2.0.0 - repository: 1esPipelines type: git name: 1ESPipelineTemplates/1ESPipelineTemplates diff --git a/Pipelines/core-pipeline.yml b/Pipelines/core-pipeline.yml index 354c06b7..e84cbb3a 100644 --- a/Pipelines/core-pipeline.yml +++ b/Pipelines/core-pipeline.yml @@ -1,361 +1,42 @@ # Azure Pipelines # https://aka.ms/yaml -name: ASA_$(SourceBranchName)_$(Date:yyyyMMdd)$(Rev:.r) -trigger: - batch: true - branches: - include: - - release/v2.* - exclude: - - release/v2.0 - paths: - include: - - Cli - - Lib - - Pipelines - - analyses.json -pr: - branches: - include: - - main - - release/* - paths: - include: - - Benchmarks - - Cli - - Lib - - Pipelines - - Tests - - analyses.json +name: ASA_PR_$(SourceBranchName)_$(Date:yyyyMMdd)$(Rev:.r) +trigger: none +pr: none -stages: -- stage: Test - jobs: - - template: templates/dotnet-test-job.yml - parameters: - projectPath: 'Tests/Tests.csproj' +resources: + repositories: + - repository: templates + type: git + name: SecurityEngineering/OSS-Tools-Pipeline-Templates + ref: refs/tags/v2.0.0 + - repository: 1esPipelines + type: git + name: 1ESPipelineTemplates/1ESPipelineTemplates + ref: refs/tags/release -- stage: SDL - dependsOn: Test - jobs: - - template: templates/sdl-job.yml - parameters: - serviceTreeID: 'ac84de32-6898-4dad-ace3-78e8098175dc' +variables: + BuildConfiguration: 'Release' + DotnetVersion: '8.0.x' + DotnetTargetFramework: 'net8.0' -- stage: Build - dependsOn: Test - jobs: - - template: templates/dotnet-publish-linux-mac-job.yml - parameters: - projectPath: 'Cli/Cli.csproj' - projectName: 'ASA' - preBuild: - - template: templates/nbgv-set-version-steps.yml - - template: templates/dotnet-publish-win-netcore-job.yml - parameters: - projectPath: 'Cli/Cli.csproj' - projectName: 'ASA' - preBuild: - - template: templates/nbgv-set-version-steps.yml - - template: templates/nuget-build-job.yml - parameters: - jobName: 'pack_lib' - projectPath: 'Lib/Lib.csproj' - projectName: 'ASA_Lib' - - template: templates/nuget-build-job.yml - parameters: - jobName: 'pack_cli' - projectPath: 'Cli/Cli.csproj' - projectName: 'ASA_CLI' - -- stage: Release - dependsOn: - - SDL - - Build - condition: and(succeeded(), in(variables['Build.Reason'], 'IndividualCI', 'BatchedCI')) - jobs: - - job: sign_hash_release - displayName: Code Sign, Generate Hashes, Publish Public Releases +extends: + template: v1/1ES.Official.PipelineTemplate.yml@1esPipelines + parameters: pool: - vmImage: 'windows-latest' - steps: - - task: UseDotNet@2 - inputs: - packageType: 'sdk' - version: '5.x' - - script: 'dotnet tool update -g nbgv --configfile NuGet.Config.Public' - displayName: 'Update GitVersioning' - - task: PowerShell@2 - displayName: Set Release Version - inputs: - targetType: 'inline' - script: | - $version = (nbgv get-version -v AssemblyInformationalVersion).split('+')[0] - Write-Host "##vso[task.setvariable variable=ReleaseVersion;]$version" - - task: DownloadBuildArtifacts@0 - displayName: Download Unsigned Archives - inputs: - buildType: 'current' - downloadType: 'specific' - itemPattern: 'Unsigned_Binaries/*.zip' - downloadPath: '$(Build.BinariesDirectory)' - - task: ExtractFiles@1 - displayName: Extract Artifacts for Signing - inputs: - archiveFilePatterns: '$(Build.BinariesDirectory)\Unsigned_Binaries\*.zip' - destinationFolder: '$(Build.BinariesDirectory)' - cleanDestinationFolder: false - - task: AntiMalware@3 - displayName: Anti-Malware Scan - inputs: - InputType: 'Basic' - ScanType: 'CustomScan' - FileDirPath: '$(Build.BinariesDirectory)' - EnableServices: true - SupportLogOnError: true - TreatSignatureUpdateFailureAs: 'Warning' - SignatureFreshness: 'UpToDate' - TreatStaleSignatureAs: 'Warning' - - task: UseDotNet@2 - inputs: - packageType: 'sdk' - version: '2.1.804' - - task: EsrpCodeSigning@1 - displayName: Code Sign Linux - inputs: - ConnectedServiceName: 'CodeSignforATSAN' - FolderPath: '$(Build.BinariesDirectory)/linux/ASA_linux_$(ReleaseVersion)' - Pattern: 'Asa.dll, AsaLib.dll, Asa.Views.dll' - signConfigType: 'inlineSignParams' - inlineOperation: | - [ - { - "KeyCode" : "CP-230012", - "OperationCode" : "SigntoolSign", - "Parameters" : { - "OpusName" : "Microsoft", - "OpusInfo" : "http://www.microsoft.com", - "FileDigest" : "/fd \"SHA256\"", - "PageHash" : "/NPH", - "TimeStamp" : "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" - }, - "ToolName" : "sign", - "ToolVersion" : "1.0" - }, - { - "KeyCode" : "CP-230012", - "OperationCode" : "SigntoolVerify", - "Parameters" : {}, - "ToolName" : "sign", - "ToolVersion" : "1.0" - } - ] - SessionTimeout: '60' - MaxConcurrency: '50' - MaxRetryAttempts: '5' - - task: EsrpCodeSigning@1 - displayName: Code Sign MacOS - inputs: - ConnectedServiceName: 'CodeSignforATSAN' - FolderPath: '$(Build.BinariesDirectory)/macos/ASA_macos_$(ReleaseVersion)' - Pattern: 'Asa.dll, AsaLib.dll, Asa.Views.dll' - signConfigType: 'inlineSignParams' - inlineOperation: | - [ - { - "KeyCode" : "CP-230012", - "OperationCode" : "SigntoolSign", - "Parameters" : { - "OpusName" : "Microsoft", - "OpusInfo" : "http://www.microsoft.com", - "FileDigest" : "/fd \"SHA256\"", - "PageHash" : "/NPH", - "TimeStamp" : "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" - }, - "ToolName" : "sign", - "ToolVersion" : "1.0" - }, - { - "KeyCode" : "CP-230012", - "OperationCode" : "SigntoolVerify", - "Parameters" : {}, - "ToolName" : "sign", - "ToolVersion" : "1.0" - } - ] - SessionTimeout: '60' - MaxConcurrency: '50' - MaxRetryAttempts: '5' - - task: EsrpCodeSigning@1 - displayName: Code Sign Windows - inputs: - ConnectedServiceName: 'CodeSignforATSAN' - FolderPath: '$(Build.BinariesDirectory)/win/ASA_win_$(ReleaseVersion)' - Pattern: 'Asa.exe, Asa.dll, AsaLib.dll, Asa.Views.dll' - signConfigType: 'inlineSignParams' - inlineOperation: | - [ - { - "KeyCode" : "CP-230012", - "OperationCode" : "SigntoolSign", - "Parameters" : { - "OpusName" : "Microsoft", - "OpusInfo" : "http://www.microsoft.com", - "FileDigest" : "/fd \"SHA256\"", - "PageHash" : "/NPH", - "TimeStamp" : "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" - }, - "ToolName" : "sign", - "ToolVersion" : "1.0" - }, - { - "KeyCode" : "CP-230012", - "OperationCode" : "SigntoolVerify", - "Parameters" : {}, - "ToolName" : "sign", - "ToolVersion" : "1.0" - } - ] - SessionTimeout: '60' - MaxConcurrency: '50' - MaxRetryAttempts: '5' - - task: EsrpCodeSigning@1 - displayName: Code Sign .NET Core App - inputs: - ConnectedServiceName: 'CodeSignforATSAN' - FolderPath: '$(Build.BinariesDirectory)/netcoreapp/ASA_netcoreapp_$(ReleaseVersion)' - Pattern: 'Asa.exe, Asa.dll, AsaLib.dll, Asa.Views.dll' - signConfigType: 'inlineSignParams' - inlineOperation: | - [ - { - "KeyCode" : "CP-230012", - "OperationCode" : "SigntoolSign", - "Parameters" : { - "OpusName" : "Microsoft", - "OpusInfo" : "http://www.microsoft.com", - "FileDigest" : "/fd \"SHA256\"", - "PageHash" : "/NPH", - "TimeStamp" : "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" - }, - "ToolName" : "sign", - "ToolVersion" : "1.0" - }, - { - "KeyCode" : "CP-230012", - "OperationCode" : "SigntoolVerify", - "Parameters" : {}, - "ToolName" : "sign", - "ToolVersion" : "1.0" - } - ] - SessionTimeout: '60' - MaxConcurrency: '50' - MaxRetryAttempts: '5' - - task: EsrpCodeSigning@1 - displayName: Code Sign Nuget Packages - inputs: - ConnectedServiceName: 'CodeSignforATSAN' - FolderPath: '$(Build.BinariesDirectory)' - Pattern: '*.nupkg, *.snupkg' - signConfigType: 'inlineSignParams' - inlineOperation: | - [ - { - "KeyCode" : "CP-401405", - "OperationCode" : "NuGetSign", - "Parameters" : {}, - "ToolName" : "sign", - "ToolVersion" : "1.0" - }, - { - "KeyCode" : "CP-401405", - "OperationCode" : "NuGetVerify", - "Parameters" : {}, - "ToolName" : "sign", - "ToolVersion" : "1.0" - } - ] - SessionTimeout: '60' - MaxConcurrency: '50' - MaxRetryAttempts: '5' - - powershell: 'Get-ChildItem -Path ''$(Build.BinariesDirectory)'' -Recurse CodeSign* | foreach { Remove-Item -Path $_.FullName }' - displayName: 'Delete Code Sign Summaries' - - task: ArchiveFiles@2 - displayName: Archive Artifact - Linux - inputs: - rootFolderOrFile: '$(Build.BinariesDirectory)/linux/ASA_linux_$(ReleaseVersion)' - includeRootFolder: true - archiveType: 'zip' - archiveFile: '$(Build.StagingDirectory)/ASA_linux_$(ReleaseVersion).zip' - replaceExistingArchive: true - - task: ArchiveFiles@2 - displayName: Archive Artifact - MacOS - inputs: - rootFolderOrFile: '$(Build.BinariesDirectory)/macos/ASA_macos_$(ReleaseVersion)' - includeRootFolder: true - archiveType: 'zip' - archiveFile: '$(Build.StagingDirectory)/ASA_macos_$(ReleaseVersion).zip' - replaceExistingArchive: true - - task: ArchiveFiles@2 - displayName: Archive Artifact - Windows - inputs: - rootFolderOrFile: '$(Build.BinariesDirectory)/win/ASA_win_$(ReleaseVersion)' - includeRootFolder: true - archiveType: 'zip' - archiveFile: '$(Build.StagingDirectory)/ASA_win_$(ReleaseVersion).zip' - replaceExistingArchive: true - - task: ArchiveFiles@2 - displayName: Archive Artifact - .NET Core App - inputs: - rootFolderOrFile: '$(Build.BinariesDirectory)/netcoreapp/ASA_netcoreapp_$(ReleaseVersion)' - includeRootFolder: true - archiveType: 'zip' - archiveFile: '$(Build.StagingDirectory)/ASA_netcoreapp_$(ReleaseVersion).zip' - replaceExistingArchive: true - - task: PowerShell@2 - displayName: Generate Hashes - inputs: - targetType: 'inline' - script: | - Get-ChildItem $(Build.StagingDirectory) | Foreach-Object { - $name = $_.Name - $tmp = (Get-FileHash "$(Build.StagingDirectory)\$name").Hash - Add-Content $(Build.StagingDirectory)\HASHES.txt "$tmp`t$name" - } - - task: PowerShell@2 - displayName: Move NuGet Packages - inputs: - targetType: 'inline' - script: | - mv $env:BUILD_BINARIESDIRECTORY/*.nupkg $env:BUILD_STAGINGDIRECTORY/ - mv $env:BUILD_BINARIESDIRECTORY/*.snupkg $env:BUILD_STAGINGDIRECTORY/ - - task: PublishPipelineArtifact@1 - displayName: Publish Signed Artifacts to Pipeline - inputs: - targetPath: '$(Build.StagingDirectory)' - artifact: 'Signed_Binaries' - - task: GitHubRelease@1 - displayName: Release to GitHub - inputs: - gitHubConnection: 'Gabe-Asa' - repositoryName: 'microsoft/AttackSurfaceAnalyzer' - action: 'create' - target: '$(Build.SourceVersion)' - tagSource: 'userSpecifiedTag' - tag: 'v$(ReleaseVersion)' - title: 'v$(ReleaseVersion)' - assets: | - $(Build.StagingDirectory)/*.zip - $(Build.StagingDirectory)/HASHES.txt - changeLogCompareToRelease: 'lastNonDraftRelease' - changeLogType: 'commitBased' - - task: NuGetCommand@2 - displayName: Push NuGet Packages - inputs: - command: 'push' - packagesToPush: '$(Build.StagingDirectory)/*.nupkg' - nuGetFeedType: 'external' - publishFeedCredentials: 'CST-E Nuget CI' - verbosityPush: 'Normal' \ No newline at end of file + name: MSSecurity-1ES-Build-Agents-Pool + image: MSSecurity-1ES-Windows-2022 + os: windows + stages: + - stage: Test + dependsOn: [] + jobs: + - template: dotnet-test-job.yml@templates + parameters: + jobName: 'dotnet_test_windows' + dotnetVersions: ['6.0.x','7.0.x','8.0.x'] + poolName: MSSecurity-1ES-Build-Agents-Pool + poolImage: MSSecurity-1ES-Windows-2022 + poolOs: windows + projectPath: 'Tests/Tests.csproj' \ No newline at end of file