Skip to content

Commit

Permalink
Update Arcade and .NET SDK (#785)
Browse files Browse the repository at this point in the history
Resolve #784.
  • Loading branch information
dtivel authored Nov 1, 2024
1 parent 029731c commit 8b9d88d
Show file tree
Hide file tree
Showing 27 changed files with 361 additions and 91 deletions.
15 changes: 7 additions & 8 deletions eng/common/post-build/publish-using-darc.ps1
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,6 @@ param(
[Parameter(Mandatory=$true)][int] $BuildId,
[Parameter(Mandatory=$true)][int] $PublishingInfraVersion,
[Parameter(Mandatory=$true)][string] $AzdoToken,
[Parameter(Mandatory=$true)][string] $MaestroToken,
[Parameter(Mandatory=$false)][string] $MaestroApiEndPoint = 'https://maestro.dot.net',
[Parameter(Mandatory=$true)][string] $WaitPublishingFinish,
[Parameter(Mandatory=$false)][string] $ArtifactsPublishingAdditionalParameters,
Expand Down Expand Up @@ -31,13 +30,13 @@ try {
}

& $darc add-build-to-channel `
--id $buildId `
--publishing-infra-version $PublishingInfraVersion `
--default-channels `
--source-branch main `
--azdev-pat $AzdoToken `
--bar-uri $MaestroApiEndPoint `
--password $MaestroToken `
--id $buildId `
--publishing-infra-version $PublishingInfraVersion `
--default-channels `
--source-branch main `
--azdev-pat "$AzdoToken" `
--bar-uri "$MaestroApiEndPoint" `
--ci `
@optionalParams

if ($LastExitCode -ne 0) {
Expand Down
4 changes: 2 additions & 2 deletions eng/common/sdl/NuGet.config
Original file line number Diff line number Diff line change
Expand Up @@ -5,11 +5,11 @@
</solution>
<packageSources>
<clear />
<add key="guardian" value="https://securitytools.pkgs.visualstudio.com/_packaging/Guardian/nuget/v3/index.json" />
<add key="guardian" value="https://pkgs.dev.azure.com/dnceng/_packaging/Guardian1ESPTUpstreamOrgFeed/nuget/v3/index.json" />
</packageSources>
<packageSourceMapping>
<packageSource key="guardian">
<package pattern="microsoft.guardian.cli" />
<package pattern="Microsoft.Guardian.Cli.win-x64" />
</packageSource>
</packageSourceMapping>
<disabledPackageSources>
Expand Down
4 changes: 1 addition & 3 deletions eng/common/sdl/execute-all-sdl-tools.ps1
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,6 @@ Param(
[string] $BranchName=$env:BUILD_SOURCEBRANCH, # Optional: name of branch or version of gdn settings; defaults to master
[string] $SourceDirectory=$env:BUILD_SOURCESDIRECTORY, # Required: the directory where source files are located
[string] $ArtifactsDirectory = (Join-Path $env:BUILD_ARTIFACTSTAGINGDIRECTORY ('artifacts')), # Required: the directory where build artifacts are located
[string] $AzureDevOpsAccessToken, # Required: access token for dnceng; should be provided via KeyVault

# Optional: list of SDL tools to run on source code. See 'configure-sdl-tool.ps1' for tools list
# format.
Expand Down Expand Up @@ -75,7 +74,7 @@ try {
}

Exec-BlockVerbosely {
& $(Join-Path $PSScriptRoot 'init-sdl.ps1') -GuardianCliLocation $guardianCliLocation -Repository $RepoName -BranchName $BranchName -WorkingDirectory $workingDirectory -AzureDevOpsAccessToken $AzureDevOpsAccessToken -GuardianLoggerLevel $GuardianLoggerLevel
& $(Join-Path $PSScriptRoot 'init-sdl.ps1') -GuardianCliLocation $guardianCliLocation -Repository $RepoName -BranchName $BranchName -WorkingDirectory $workingDirectory -GuardianLoggerLevel $GuardianLoggerLevel
}
$gdnFolder = Join-Path $workingDirectory '.gdn'

Expand Down Expand Up @@ -104,7 +103,6 @@ try {
-TargetDirectory $targetDirectory `
-GdnFolder $gdnFolder `
-ToolsList $tools `
-AzureDevOpsAccessToken $AzureDevOpsAccessToken `
-GuardianLoggerLevel $GuardianLoggerLevel `
-CrScanAdditionalRunConfigParams $CrScanAdditionalRunConfigParams `
-PoliCheckAdditionalRunConfigParams $PoliCheckAdditionalRunConfigParams `
Expand Down
8 changes: 0 additions & 8 deletions eng/common/sdl/init-sdl.ps1
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,6 @@ Param(
[string] $Repository,
[string] $BranchName='master',
[string] $WorkingDirectory,
[string] $AzureDevOpsAccessToken,
[string] $GuardianLoggerLevel='Standard'
)

Expand All @@ -21,14 +20,7 @@ $ci = $true
# Don't display the console progress UI - it's a huge perf hit
$ProgressPreference = 'SilentlyContinue'

# Construct basic auth from AzDO access token; construct URI to the repository's gdn folder stored in that repository; construct location of zip file
$encodedPat = [Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes(":$AzureDevOpsAccessToken"))
$escapedRepository = [Uri]::EscapeDataString("/$Repository/$BranchName/.gdn")
$uri = "https://dev.azure.com/dnceng/internal/_apis/git/repositories/sdl-tool-cfg/Items?path=$escapedRepository&versionDescriptor[versionOptions]=0&`$format=zip&api-version=5.0"
$zipFile = "$WorkingDirectory/gdn.zip"

Add-Type -AssemblyName System.IO.Compression.FileSystem
$gdnFolder = (Join-Path $WorkingDirectory '.gdn')

try {
# if the folder does not exist, we'll do a guardian init and push it to the remote repository
Expand Down
4 changes: 3 additions & 1 deletion eng/common/sdl/sdl.ps1
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,8 @@ function Install-Gdn {
[Parameter(Mandatory=$true)]
[string]$Path,

[string]$Source = "https://pkgs.dev.azure.com/dnceng/_packaging/Guardian1ESPTUpstreamOrgFeed/nuget/v3/index.json",

# If omitted, install the latest version of Guardian, otherwise install that specific version.
[string]$Version
)
Expand All @@ -19,7 +21,7 @@ function Install-Gdn {
$ci = $true
. $PSScriptRoot\..\tools.ps1

$argumentList = @("install", "Microsoft.Guardian.Cli", "-Source https://securitytools.pkgs.visualstudio.com/_packaging/Guardian/nuget/v3/index.json", "-OutputDirectory $Path", "-NonInteractive", "-NoCache")
$argumentList = @("install", "Microsoft.Guardian.Cli.win-x64", "-Source $Source", "-OutputDirectory $Path", "-NonInteractive", "-NoCache")

if ($Version) {
$argumentList += "-Version $Version"
Expand Down
23 changes: 14 additions & 9 deletions eng/common/templates-official/job/publish-build-assets.yml
Original file line number Diff line number Diff line change
Expand Up @@ -76,13 +76,16 @@ jobs:

- task: NuGetAuthenticate@1

- task: PowerShell@2
- task: AzureCLI@2
displayName: Publish Build Assets
inputs:
filePath: eng\common\sdk-task.ps1
arguments: -task PublishBuildAssets -restore -msbuildEngine dotnet
azureSubscription: "Darc: Maestro Production"
scriptType: ps
scriptLocation: scriptPath
scriptPath: $(Build.SourcesDirectory)/eng/common/sdk-task.ps1
arguments: >
-task PublishBuildAssets -restore -msbuildEngine dotnet
/p:ManifestsPath='$(Build.StagingDirectory)/Download/AssetManifests'
/p:BuildAssetRegistryToken=$(MaestroAccessToken)
/p:MaestroApiEndpoint=https://maestro-prod.westus2.cloudapp.azure.com
/p:PublishUsingPipelines=${{ parameters.publishUsingPipelines }}
/p:OfficialBuildId=$(Build.BuildNumber)
Expand Down Expand Up @@ -137,14 +140,16 @@ jobs:
BARBuildId: ${{ parameters.BARBuildId }}
PromoteToChannelIds: ${{ parameters.PromoteToChannelIds }}

- task: PowerShell@2
- task: AzureCLI@2
displayName: Publish Using Darc
inputs:
filePath: $(Build.SourcesDirectory)/eng/common/post-build/publish-using-darc.ps1
arguments: -BuildId $(BARBuildId)
azureSubscription: "Darc: Maestro Production"
scriptType: ps
scriptLocation: scriptPath
scriptPath: $(Build.SourcesDirectory)/eng/common/post-build/publish-using-darc.ps1
arguments: -BuildId $(BARBuildId)
-PublishingInfraVersion 3
-AzdoToken '$(publishing-dnceng-devdiv-code-r-build-re)'
-MaestroToken '$(MaestroApiAccessToken)'
-AzdoToken '$(System.AccessToken)'
-WaitPublishingFinish true
-ArtifactsPublishingAdditionalParameters '${{ parameters.artifactsPublishingAdditionalParameters }}'
-SymbolPublishingAdditionalParameters '${{ parameters.symbolPublishingAdditionalParameters }}'
Expand Down
8 changes: 8 additions & 0 deletions eng/common/templates-official/job/source-build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,12 @@ parameters:
# container and pool.
platform: {}

# If set to true and running on a non-public project,
# Internal blob storage locations will be enabled.
# This is not enabled by default because many repositories do not need internal sources
# and do not need to have the required service connections approved in the pipeline.
enableInternalSources: false

jobs:
- job: ${{ parameters.jobNamePrefix }}_${{ parameters.platform.name }}
displayName: Source-Build (${{ parameters.platform.name }})
Expand Down Expand Up @@ -62,6 +68,8 @@ jobs:
clean: all

steps:
- ${{ if eq(parameters.enableInternalSources, true) }}:
- template: /eng/common/templates-official/steps/enable-internal-runtimes.yml
- template: /eng/common/templates-official/steps/source-build.yml
parameters:
platform: ${{ parameters.platform }}
16 changes: 7 additions & 9 deletions eng/common/templates-official/job/source-index-stage1.yml
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ jobs:
value: ${{ parameters.sourceIndexPackageSource }}
- name: BinlogPath
value: ${{ parameters.binlogPath }}
- template: /eng/common/templates/variables/pool-providers.yml
- template: /eng/common/templates-official/variables/pool-providers.yml

${{ if ne(parameters.pool, '') }}:
pool: ${{ parameters.pool }}
Expand All @@ -34,7 +34,8 @@ jobs:
demands: ImageOverride -equals windows.vs2019.amd64.open
${{ if eq(variables['System.TeamProject'], 'internal') }}:
name: $(DncEngInternalBuildPool)
demands: ImageOverride -equals windows.vs2019.amd64
image: windows.vs2022.amd64
os: windows

steps:
- ${{ each preStep in parameters.preSteps }}:
Expand Down Expand Up @@ -70,16 +71,13 @@ jobs:
scriptType: 'ps'
scriptLocation: 'inlineScript'
inlineScript: |
echo "##vso[task.setvariable variable=ARM_CLIENT_ID]$env:servicePrincipalId"
echo "##vso[task.setvariable variable=ARM_ID_TOKEN]$env:idToken"
echo "##vso[task.setvariable variable=ARM_TENANT_ID]$env:tenantId"
echo "##vso[task.setvariable variable=ARM_CLIENT_ID;issecret=true]$env:servicePrincipalId"
echo "##vso[task.setvariable variable=ARM_ID_TOKEN;issecret=true]$env:idToken"
echo "##vso[task.setvariable variable=ARM_TENANT_ID;issecret=true]$env:tenantId"
- script: |
echo "Client ID: $(ARM_CLIENT_ID)"
echo "ID Token: $(ARM_ID_TOKEN)"
echo "Tenant ID: $(ARM_TENANT_ID)"
az login --service-principal -u $(ARM_CLIENT_ID) --tenant $(ARM_TENANT_ID) --allow-no-subscriptions --federated-token $(ARM_ID_TOKEN)
displayName: "Login to Azure"
- script: $(Agent.TempDirectory)/.source-index/tools/UploadIndexStage1 -i .source-index/stage1output -n $(Build.Repository.Name) -s netsourceindexstage1 -b stage1
displayName: Upload stage1 artifacts to source index
displayName: Upload stage1 artifacts to source index
8 changes: 8 additions & 0 deletions eng/common/templates-official/jobs/source-build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,12 @@ parameters:
# one job runs on 'defaultManagedPlatform'.
platforms: []

# If set to true and running on a non-public project,
# Internal nuget and blob storage locations will be enabled.
# This is not enabled by default because many repositories do not need internal sources
# and do not need to have the required service connections approved in the pipeline.
enableInternalSources: false

jobs:

- ${{ if ne(parameters.allCompletedJobId, '') }}:
Expand All @@ -38,9 +44,11 @@ jobs:
parameters:
jobNamePrefix: ${{ parameters.jobNamePrefix }}
platform: ${{ platform }}
enableInternalSources: ${{ parameters.enableInternalSources }}

- ${{ if eq(length(parameters.platforms), 0) }}:
- template: /eng/common/templates-official/job/source-build.yml
parameters:
jobNamePrefix: ${{ parameters.jobNamePrefix }}
platform: ${{ parameters.defaultManagedPlatform }}
enableInternalSources: ${{ parameters.enableInternalSources }}
10 changes: 6 additions & 4 deletions eng/common/templates-official/post-build/post-build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -272,14 +272,16 @@ stages:

- task: NuGetAuthenticate@1

- task: PowerShell@2
- task: AzureCLI@2
displayName: Publish Using Darc
inputs:
filePath: $(Build.SourcesDirectory)/eng/common/post-build/publish-using-darc.ps1
azureSubscription: "Darc: Maestro Production"
scriptType: ps
scriptLocation: scriptPath
scriptPath: $(Build.SourcesDirectory)/eng/common/post-build/publish-using-darc.ps1
arguments: -BuildId $(BARBuildId)
-PublishingInfraVersion ${{ parameters.publishingInfraVersion }}
-AzdoToken '$(publishing-dnceng-devdiv-code-r-build-re)'
-MaestroToken '$(MaestroApiAccessToken)'
-AzdoToken '$(System.AccessToken)'
-WaitPublishingFinish true
-ArtifactsPublishingAdditionalParameters '${{ parameters.artifactsPublishingAdditionalParameters }}'
-SymbolPublishingAdditionalParameters '${{ parameters.symbolPublishingAdditionalParameters }}'
28 changes: 28 additions & 0 deletions eng/common/templates-official/steps/enable-internal-runtimes.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
# Obtains internal runtime download credentials and populates the 'dotnetbuilds-internal-container-read-token-base64'
# variable with the base64-encoded SAS token, by default

parameters:
- name: federatedServiceConnection
type: string
default: 'dotnetbuilds-internal-read'
- name: outputVariableName
type: string
default: 'dotnetbuilds-internal-container-read-token-base64'
- name: expiryInHours
type: number
default: 1
- name: base64Encode
type: boolean
default: true

steps:
- ${{ if ne(variables['System.TeamProject'], 'public') }}:
- template: /eng/common/templates-official/steps/get-delegation-sas.yml
parameters:
federatedServiceConnection: ${{ parameters.federatedServiceConnection }}
outputVariableName: ${{ parameters.outputVariableName }}
expiryInHours: ${{ parameters.expiryInHours }}
base64Encode: ${{ parameters.base64Encode }}
storageAccount: dotnetbuilds
container: internal
permissions: rl
2 changes: 0 additions & 2 deletions eng/common/templates-official/steps/execute-sdl.yml
Original file line number Diff line number Diff line change
Expand Up @@ -9,8 +9,6 @@ parameters:

steps:
- task: NuGetAuthenticate@1
inputs:
nuGetServiceConnections: GuardianConnect

- task: NuGetToolInstaller@1
displayName: 'Install NuGet.exe'
Expand Down
52 changes: 52 additions & 0 deletions eng/common/templates-official/steps/get-delegation-sas.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
parameters:
- name: federatedServiceConnection
type: string
- name: outputVariableName
type: string
- name: expiryInHours
type: number
default: 1
- name: base64Encode
type: boolean
default: false
- name: storageAccount
type: string
- name: container
type: string
- name: permissions
type: string
default: 'rl'

steps:
- task: AzureCLI@2
displayName: 'Generate delegation SAS Token for ${{ parameters.storageAccount }}/${{ parameters.container }}'
inputs:
azureSubscription: ${{ parameters.federatedServiceConnection }}
scriptType: 'pscore'
scriptLocation: 'inlineScript'
inlineScript: |
# Calculate the expiration of the SAS token and convert to UTC
$expiry = (Get-Date).AddHours(${{ parameters.expiryInHours }}).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
# Temporarily work around a helix issue where SAS tokens with / in them will cause incorrect downloads
# of correlation payloads. https://github.com/dotnet/dnceng/issues/3484
$sas = ""
do {
$sas = az storage container generate-sas --account-name ${{ parameters.storageAccount }} --name ${{ parameters.container }} --permissions ${{ parameters.permissions }} --expiry $expiry --auth-mode login --as-user -o tsv
if ($LASTEXITCODE -ne 0) {
Write-Error "Failed to generate SAS token."
exit 1
}
} while($sas.IndexOf('/') -ne -1)
if ($LASTEXITCODE -ne 0) {
Write-Error "Failed to generate SAS token."
exit 1
}
if ('${{ parameters.base64Encode }}' -eq 'true') {
$sas = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($sas))
}
Write-Host "Setting '${{ parameters.outputVariableName }}' with the access token value"
Write-Host "##vso[task.setvariable variable=${{ parameters.outputVariableName }};issecret=true]$sas"
40 changes: 40 additions & 0 deletions eng/common/templates-official/steps/get-federated-access-token.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
parameters:
- name: federatedServiceConnection
type: string
- name: outputVariableName
type: string
- name: stepName
type: string
default: 'getFederatedAccessToken'
- name: condition
type: string
default: ''
# Resource to get a token for. Common values include:
# - '499b84ac-1321-427f-aa17-267ca6975798' for Azure DevOps
# - 'https://storage.azure.com/' for storage
# Defaults to Azure DevOps
- name: resource
type: string
default: '499b84ac-1321-427f-aa17-267ca6975798'
- name: isStepOutputVariable
type: boolean
default: false

steps:
- task: AzureCLI@2
displayName: 'Getting federated access token for feeds'
name: ${{ parameters.stepName }}
${{ if ne(parameters.condition, '') }}:
condition: ${{ parameters.condition }}
inputs:
azureSubscription: ${{ parameters.federatedServiceConnection }}
scriptType: 'pscore'
scriptLocation: 'inlineScript'
inlineScript: |
$accessToken = az account get-access-token --query accessToken --resource ${{ parameters.resource }} --output tsv
if ($LASTEXITCODE -ne 0) {
Write-Error "Failed to get access token for resource '${{ parameters.resource }}'"
exit 1
}
Write-Host "Setting '${{ parameters.outputVariableName }}' with the access token value"
Write-Host "##vso[task.setvariable variable=${{ parameters.outputVariableName }};issecret=true;isOutput=${{ parameters.isStepOutputVariable }}]$accessToken"
Loading

0 comments on commit 8b9d88d

Please sign in to comment.