8 changes: 5 additions & 3 deletions .azure-pipelines/1ES.Build.yml
@@ -92,8 +92,8 @@ extends:
# (mxc-binaries-<triplet>) so Package_MXC_NPM_SDK can consume it.
- template: .azure-pipelines/templates/Mac.Build.Job.yml@self

- stage: Package_MXC_NPM_SDK
displayName: 'Package Npm Sdk'
- stage: Package_MXC
displayName: 'Package MXC'
dependsOn: Build_Binaries
jobs:
- template: .azure-pipelines/templates/Package.NpmSdk.Job.yml@self
@@ -112,6 +112,8 @@ extends:

ESRPInfo: ${{ parameters.ESRPInfo }}

- template: .azure-pipelines/templates/Mxc.Binary.Packaging.Job.yml@self

- stage: SDK_Unit_Tests
displayName: 'SDK Unit Tests'
dependsOn: []
@@ -122,7 +124,7 @@ extends:

- stage: SDK_Integration_Tests
displayName: 'SDK Integration Tests'
dependsOn: Package_MXC_NPM_SDK
dependsOn: Package_MXC
jobs:
- template: .azure-pipelines/templates/SDK.Integration.Test.Job.yml@self
parameters:
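Review bot: The comment at the top of the first hunk still says the Mac artifact is published "so Package_MXC_NPM_SDK can consume it", but the stage of that name is renamed to `Package_MXC` a few lines below, so the comment now refers to a stage that no longer exists. I would reword it to `# (mxc-binaries-<triplet>) so Package_MXC can consume it.`. Separately, `SDK_Integration_Tests` now depends on the whole `Package_MXC` stage, so it also waits for the new release-binaries job and is blocked if that job fails. If that coupling is not intended, the zip job would fit better in a stage of its own. The `extends:` block starts and ends outside these hunks.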
9 changes: 9 additions & 0 deletions .azure-pipelines/templates/Mac.Build.Job.yml
@@ -89,6 +89,15 @@ jobs:
contents: mxc-exec-mac
targetFolder: $(outputDirectory)/$(targetTriple)

# Copy the .dSYM bundle into a sibling `symbols/` subdir, mirroring the
# Windows/Linux pattern (see Rust.Build.Job.yml for the BinSkim rationale).
- task: CopyFiles@2
displayName: Copy dSYM bundle
inputs:
sourceFolder: $(targetTripleDir)
contents: 'mxc-exec-mac.dSYM/**'
targetFolder: $(outputDirectory)/$(targetTriple)/symbols

- task: 1ES.PublishPipelineArtifact@1
displayName: Publish
inputs:
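Review bot: As far as I know `CopyFiles@2` succeeds when its `contents` pattern matches nothing, so if the build ever stops emitting `mxc-exec-mac.dSYM` the `Copy dSYM bundle` step stays green and the release ships without macOS symbols. A short check after the copy would make that visible, for example `- script: test -d "$(outputDirectory)/$(targetTriple)/symbols/mxc-exec-mac.dSYM"` with `displayName: Verify dSYM bundle was copied`. The same applies to the `Copy symbol files` step added in Rust.Build.Job.yml, whose `*.pdb` / `*.dwp` patterns can also match nothing without failing. The job's step list starts and ends outside this hunk.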
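--- /dev/null
+++ b/.azure-pipelines/templates/Mxc.Binary.Packaging.Job.yml
@@ -0,0 +1,61 @@
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License.
+#
+# Bundles the per-arch build artifacts into a single mxc-release-binaries.zip
+# (x64/ + arm64/ folders containing executables and symbol files) for upload
+# to the GitHub Release page, until we publish to a symbol server. Runs in
+# parallel with the npm SDK packaging job.
+
+parameters:
+- name: targets
+type: object
+default:
+- artifact: wxc-binaries-x86_64-pc-windows-msvc
+sdkArch: x64
+- artifact: wxc-binaries-aarch64-pc-windows-msvc
+sdkArch: arm64
+- artifact: lxc-binaries-x86_64-unknown-linux-gnu
+sdkArch: x64
+- artifact: lxc-binaries-aarch64-unknown-linux-gnu
+sdkArch: arm64
+- artifact: mxc-binaries-aarch64-apple-darwin
+sdkArch: arm64
+
+jobs:
+- job: package_mxc_release_binaries
+displayName: Package Mxc Release Binaries
+pool:
+name: Azure-Pipelines-1ESPT-ExDShared
+image: ubuntu-latest
+os: linux
+variables:
+stagingDirectory: $(Build.SourcesDirectory)/release-binaries-staging
+outputDirectory: $(Build.SourcesDirectory)/out
+artifactName: mxc-release-binaries
+
+steps:
+- checkout: none
+
+# Download all per-arch artifacts into a flat <arch>/ layout matching the
+# one that ships in the npm package.
+- ${{ each target in parameters.targets }}:
+- task: DownloadPipelineArtifact@2
+displayName: Download ${{ target.artifact }}
+inputs:
+artifact: ${{ target.artifact }}
+path: $(stagingDirectory)/${{ target.sdkArch }}
+
+- task: ArchiveFiles@2
+displayName: Archive mxc-release-binaries.zip
+inputs:
+rootFolderOrFile: '$(stagingDirectory)'
+includeRootFolder: false
+archiveType: zip
+archiveFile: '$(outputDirectory)/release-binaries/mxc-release-binaries.zip'
+replaceExistingArchive: true
+
+- task: 1ES.PublishPipelineArtifact@1
+displayName: Publish mxc-release-binaries artifact
+inputs:
+path: '$(outputDirectory)/release-binaries'
+artifactName: $(artifactName)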
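Review bot: The archive that the header comment says will be uploaded to the GitHub Release page leaves this job with no recorded digest or signature, so anyone who downloads `mxc-release-binaries.zip` later has nothing to verify it against. The npm packaging job appears to receive `ESRPInfo` in 1ES.Build.yml, while this template declares only `targets`. I would at least write a SHA-256 file next to the zip before the publish step, as sketched below, and publish that value with the release; whether the zip should also be signed is a question for the release owners. Note also that the Windows and Linux x64 artifacts are downloaded into the same `x64/` folder, so any file name the two share (including under `symbols/`) would be overwritten silently.

```yaml
    # … unchanged: download steps and the ArchiveFiles@2 task …

    # Record a digest so the uploaded zip can be verified later.
    - script: |
        set -euo pipefail
        cd '$(outputDirectory)/release-binaries'
        sha256sum mxc-release-binaries.zip > mxc-release-binaries.zip.sha256
      displayName: Write SHA-256 for mxc-release-binaries.zip

    # … unchanged: 1ES.PublishPipelineArtifact@1 step …
```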
20 changes: 16 additions & 4 deletions .azure-pipelines/templates/Package.NpmSdk.Job.yml
@@ -2,16 +2,24 @@
# Licensed under the MIT License.

parameters:
- name: Targets
- name: targets
type: object
default: [] # list of { artifact, path, sdkArch }
default:
- artifact: wxc-binaries-x86_64-pc-windows-msvc
sdkArch: x64
- artifact: wxc-binaries-aarch64-pc-windows-msvc
sdkArch: arm64
- artifact: lxc-binaries-x86_64-unknown-linux-gnu
sdkArch: x64
- artifact: lxc-binaries-aarch64-unknown-linux-gnu
sdkArch: arm64
- name: ESRPInfo
type: object
default: {}

jobs:
- job: package_mxc_npm_sdk
displayName: Package Mxc Npm Sdk
- job: package_npm_sdk
displayName: Package Npm Sdk
pool:
name: Azure-Pipelines-1ESPT-ExDShared
image: ubuntu-latest
@@ -42,6 +50,10 @@ jobs:
- script: chmod +x $(sdkDirectory)/bin/*/lxc-exec
displayName: Restore execute permission on lxc-exec

# Drop symbol files from the npm package β€” symbols ship separately.
- script: rm -rf $(sdkDirectory)/bin/*/symbols
displayName: Strip symbols/ from npm package

- script: |
set -euo pipefail
find $(sdkDirectory)/bin -name mxc-exec-mac -exec chmod +x {} +
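Review bot: The new default for `targets` lists the four Windows and Linux artifacts but not `mxc-binaries-aarch64-apple-darwin`, although this job still runs `find $(sdkDirectory)/bin -name mxc-exec-mac -exec chmod +x {} +` and the default in Mxc.Binary.Packaging.Job.yml does include that artifact. If the caller relies on the default (the call site is only partly visible on this page), the npm package would be built without the macOS binary and that `find` would match nothing without failing. Either add `- artifact: mxc-binaries-aarch64-apple-darwin` with `sdkArch: arm64` to this default, or say in a comment why macOS is left out. Keeping the list in one place and passing it to both templates would stop the two defaults from drifting apart.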
15 changes: 15 additions & 0 deletions .azure-pipelines/templates/Rust.Build.Job.yml
@@ -175,6 +175,21 @@ jobs:
contents: wslcsdk.dll
targetFolder: $(outputDirectory)/$(targetTriple)

# Copy symbol files into a sibling `symbols/` subdir, NOT alongside the
# binaries. Workaround for BinSkim BA2007: when the pdb is co-located,
# BinSkim reads its S_COMPILE3 records and flags `-wd4146` in the
# statically-linked MS CRT obj files (libucrt.lib internals). We still
# want +crt-static so consumers don't need a vcruntime DLL β€” separating
# the pdb hides those records from BinSkim without changing the binary.
- task: CopyFiles@2
displayName: Copy symbol files
inputs:
sourceFolder: $(targetTripleDir)
contents: |
*.pdb
*.dwp
targetFolder: $(outputDirectory)/$(targetTriple)/symbols

- task: 1ES.PublishPipelineArtifact@1
displayName: Publish
inputs:
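Review bot: Moving the pdb out of BinSkim's reach silences BA2007, but it presumably also keeps BinSkim from evaluating every other check that needs the compiler records in the pdb, and the new comment does not mention that. I would extend the comment with the trade-off, for example `# NOTE: without the pdb, BinSkim cannot run its other PDB-based checks on these binaries either; revisit once BA2007 can be suppressed on its own.`, and confirm in the BinSkim output which rules are now reported as not evaluated. A targeted suppression of the one finding would keep the rest of the scan meaningful. The job's step list starts and ends outside this hunk.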
35 changes: 31 additions & 4 deletions .cargo/config.toml
@@ -1,8 +1,35 @@

# Use static CRT for Windows targets so vcruntime DLLs don't need to be
# pre-installed on the machine.
# Hardening flags for Windows targets. Most flags apply to both arches;
# /CETCOMPAT is x86/x64 only (Intel Control-flow Enforcement Technology;
# ARM64 uses Pointer Authentication / BTI instead).
#
# Shared flags:
# - control-flow-guard (rustc) + /guard:cf (linker) β€” Control Flow Guard
# - target-feature=+crt-static β€” static CRT so vcruntime DLLs aren't needed at runtime
# - /DYNAMICBASE β€” ASLR
# - /LTCG β€” link-time codegen (pairs best with profile-level lto = "thin"|"fat")
# - -D warnings β€” make warnings fatal at compile time

[target.x86_64-pc-windows-msvc]
rustflags = ["-C", "target-feature=+crt-static"]
rustflags = [
"-C",
"control-flow-guard",
"-C",
"target-feature=+crt-static",
"-C",
"link-args=/guard:cf /DYNAMICBASE /CETCOMPAT /LTCG",
"-D",
"warnings",
]

[target.aarch64-pc-windows-msvc]
rustflags = ["-C", "target-feature=+crt-static"]
rustflags = [
"-C",
"control-flow-guard",
"-C",
"target-feature=+crt-static",
"-C",
"link-args=/guard:cf /DYNAMICBASE /LTCG",
"-D",
"warnings",
]
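Review bot: These hardening flags are set only through `target.<triple>.rustflags`, and cargo ignores that table entirely when `RUSTFLAGS` (or `CARGO_ENCODED_RUSTFLAGS`) is set in the environment, so a pipeline step that exports `RUSTFLAGS` would build without CFG, `/CETCOMPAT` and the static CRT and nothing would fail. I would add a line to the header comment such as `# NOTE: RUSTFLAGS in the environment replaces these flags; do not set it in CI.` and rely on the binary scan to confirm the mitigations on the produced files. The comment could also say that `control-flow-guard` instruments only code compiled with it; as I read the rustc documentation the precompiled standard library is not, so coverage is partial. `/LTCG` is a linker optimisation switch rather than a hardening flag, so listing it under "Hardening flags" may mislead.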
10 changes: 10 additions & 0 deletions src/Cargo.toml
@@ -20,6 +20,16 @@ members = [
]
resolver = "3"

# Full debug info so we can analyse customer crash dumps in WinDbg until we
# publish to a symbol server. `strip = "debuginfo"` removes embedded debug
# sections from the binary itself (mainly relevant on Linux β€” Windows pdbs
# are already split by `split-debuginfo = "packed"`). Full debug info still
# ships via the side-by-side .pdb / .dwp files.
[profile.release]
debug = "full"
split-debuginfo = "packed"
strip = "debuginfo"

[workspace.package]
edition = "2021"
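Review bot: `strip = "debuginfo"` combined with `split-debuginfo = "packed"` may leave the Linux `.dwp` files unusable for the crash-dump analysis the comment describes. With split DWARF, the skeleton units and address tables a debugger uses to tie a `.dwp` to its binary live in the binary's own debug sections, which this setting removes. I have not verified this against the toolchain in use, so before relying on it, load a core from a release build in gdb or lldb with only the shipped binary and `.dwp` and check that frames resolve to source lines. If they do not, dropping `strip` for the Linux targets or keeping an unstripped copy next to the `.dwp` would address it, and the comment should record the outcome of that check.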
