diff --git a/Pipelines/core-pipeline.yml b/Pipelines/core-pipeline.yml
index d3d78a64..4d7d03b2 100644
--- a/Pipelines/core-pipeline.yml
+++ b/Pipelines/core-pipeline.yml
@@ -2,322 +2,67 @@ # https://aka.ms/yaml name: OSSGadget_$(SourceBranchName)_$(Date:yyyyMMdd)$(Rev:.r) -trigger: - batch: true - branches: - include: - - main - paths: - include: - - Pipelines - - src -pr: none +# trigger: +# batch: true +# branches: +# include: +# - main +# paths: +# include: +# - Pipelines +# - src +# pr: none -stages: -- stage: Test - jobs: - - template: templates/dotnet-test-job.yml - parameters: - projectPath: 'src/oss-tests/oss-tests.csproj' +trigger: none +pr: none -- stage: Build - dependsOn: Test - jobs: - - template: templates/dotnet-build-publish-all-platforms-job.yml - parameters: - solutionPath: 'src/OSSGadget.sln' - csprojPath: 'src/**/!(CryptoGatherer)/*.csproj' - projectName: 'OSSGadget' - preBuild: - - template: templates/nbgv-set-version-steps.yml +resources: + repositories: + - repository: templates + type: git + name: SecurityEngineering/OSS-Tools-Pipeline-Templates + ref: refs/tags/v2.0.0 + - repository: 1esPipelines + type: git + name: 1ESPipelineTemplates/1ESPipelineTemplates + ref: refs/tags/release -- stage: SDL - dependsOn: Build - jobs: - - template: templates/sdl-job.yml - parameters: - serviceTreeID: 'e6121b8f-ffd8-40b1-981d-a5ea5c121baa' +variables: + BuildConfiguration: 'Release' + dotnetVersion: '8.0.x' -- stage: Release - dependsOn: - - SDL - condition: and(succeeded(), in(variables['Build.Reason'], 'IndividualCI', 'BatchedCI')) - jobs: - - job: sign_hash_release - displayName: Code Sign, Generate Hashes, Publish Public Releases +extends: + template: v1/1ES.Official.PipelineTemplate.yml@1esPipelines + parameters: pool: - name: CSPA - demands: ImageOverride -equals ubuntu-22.04-image-base - steps: - - task: UseDotNet@2 - inputs: - packageType: 'sdk' - - script: 'dotnet tool update -g nbgv' - displayName: 'Install GitVersioning' - - task: PowerShell@2 - displayName: Set Release Version - inputs: - targetType: 'inline' - script: | - $version = (nbgv get-version -v AssemblyInformationalVersion).split('+')[0] - 
Write-Host "##vso[task.setvariable variable=ReleaseVersion;]$version" - - task: DownloadBuildArtifacts@0 - displayName: Download Unsigned Binary Archives - inputs: - buildType: 'current' - downloadType: 'specific' - itemPattern: 'Unsigned_Binaries/*.tar.gz' - downloadPath: '$(Build.BinariesDirectory)' - - task: ExtractFiles@1 - displayName: Extract Binaries for Signing - inputs: - archiveFilePatterns: '$(Build.BinariesDirectory)/Unsigned_Binaries/*.tar.gz' - destinationFolder: '$(Build.BinariesDirectory)' - cleanDestinationFolder: false - - task: UseDotNet@2 - inputs: - packageType: 'sdk' - version: '2.1.804' - - task: EsrpCodeSigning@1 - displayName: Code Sign Linux - inputs: - ConnectedServiceName: 'OSSGadget_CodeSign' - FolderPath: '$(Build.BinariesDirectory)/linux/OSSGadget_linux_$(ReleaseVersion)' - Pattern: 'oss-characteristic.dll, oss-defog.dll, oss-detect-backdoor.dll, oss-detect-cryptography.dll, oss-diff.dll, oss-download.dll, oss-find-domain-squats.dll, oss-find-source.dll, oss-find-squats.dll, oss-health.dll, oss-metadata.dll, oss-risk-calculator.dll, Shared.dll' - signConfigType: 'inlineSignParams' - inlineOperation: | - [ - { - "KeyCode" : "CP-230012", - "OperationCode" : "SigntoolSign", - "Parameters" : { - "OpusName" : "Microsoft", - "OpusInfo" : "http://www.microsoft.com", - "FileDigest" : "/fd \"SHA256\"", - "PageHash" : "/NPH", - "TimeStamp" : "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" - }, - "ToolName" : "sign", - "ToolVersion" : "1.0" - }, - { - "KeyCode" : "CP-230012", - "OperationCode" : "SigntoolVerify", - "Parameters" : {}, - "ToolName" : "sign", - "ToolVersion" : "1.0" - } - ] - SessionTimeout: '60' - MaxConcurrency: '50' - MaxRetryAttempts: '5' - - task: EsrpCodeSigning@1 - displayName: Code Sign MacOS - inputs: - ConnectedServiceName: 'OSSGadget_CodeSign' - FolderPath: '$(Build.BinariesDirectory)/macos/OSSGadget_macos_$(ReleaseVersion)' - Pattern: 'oss-characteristic.dll, oss-defog.dll, 
oss-detect-backdoor.dll, oss-detect-cryptography.dll, oss-diff.dll, oss-download.dll, oss-find-domain-squats.dll, oss-find-source.dll, oss-find-squats.dll, oss-health.dll, oss-metadata.dll, oss-risk-calculator.dll, Shared.dll' - signConfigType: 'inlineSignParams' - inlineOperation: | - [ - { - "KeyCode" : "CP-230012", - "OperationCode" : "SigntoolSign", - "Parameters" : { - "OpusName" : "Microsoft", - "OpusInfo" : "http://www.microsoft.com", - "FileDigest" : "/fd \"SHA256\"", - "PageHash" : "/NPH", - "TimeStamp" : "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" - }, - "ToolName" : "sign", - "ToolVersion" : "1.0" - }, - { - "KeyCode" : "CP-230012", - "OperationCode" : "SigntoolVerify", - "Parameters" : {}, - "ToolName" : "sign", - "ToolVersion" : "1.0" - } - ] - SessionTimeout: '60' - MaxConcurrency: '50' - MaxRetryAttempts: '5' - - task: EsrpCodeSigning@1 - displayName: Code Sign Windows - inputs: - ConnectedServiceName: 'OSSGadget_CodeSign' - FolderPath: '$(Build.BinariesDirectory)/win/OSSGadget_win_$(ReleaseVersion)' - Pattern: 'oss-characteristic.dll, oss-defog.dll, oss-detect-backdoor.dll, oss-detect-cryptography.dll, oss-diff.dll, oss-download.dll, oss-find-domain-squats.dll, oss-find-source.dll, oss-find-squats.dll, oss-health.dll, oss-metadata.dll, oss-risk-calculator.dll, Shared.dll' - signConfigType: 'inlineSignParams' - inlineOperation: | - [ - { - "KeyCode" : "CP-230012", - "OperationCode" : "SigntoolSign", - "Parameters" : { - "OpusName" : "Microsoft", - "OpusInfo" : "http://www.microsoft.com", - "FileDigest" : "/fd \"SHA256\"", - "PageHash" : "/NPH", - "TimeStamp" : "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" - }, - "ToolName" : "sign", - "ToolVersion" : "1.0" - }, - { - "KeyCode" : "CP-230012", - "OperationCode" : "SigntoolVerify", - "Parameters" : {}, - "ToolName" : "sign", - "ToolVersion" : "1.0" - } - ] - SessionTimeout: '60' - MaxConcurrency: '50' - MaxRetryAttempts: '5' - - task: 
EsrpCodeSigning@1 - displayName: Code Sign .NET Core App - inputs: - ConnectedServiceName: 'OSSGadget_CodeSign' - FolderPath: '$(Build.BinariesDirectory)/netcoreapp/OSSGadget_netcoreapp_$(ReleaseVersion)' - Pattern: 'oss-characteristic.dll, oss-defog.dll, oss-detect-backdoor.dll, oss-detect-cryptography.dll, oss-diff.dll, oss-download.dll, oss-find-domain-squats.dll, oss-find-source.dll, oss-find-squats.dll, oss-health.dll, oss-metadata.dll, oss-risk-calculator.dll, Shared.dll' - signConfigType: 'inlineSignParams' - inlineOperation: | - [ - { - "KeyCode" : "CP-230012", - "OperationCode" : "SigntoolSign", - "Parameters" : { - "OpusName" : "Microsoft", - "OpusInfo" : "http://www.microsoft.com", - "FileDigest" : "/fd \"SHA256\"", - "PageHash" : "/NPH", - "TimeStamp" : "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" - }, - "ToolName" : "sign", - "ToolVersion" : "1.0" - }, - { - "KeyCode" : "CP-230012", - "OperationCode" : "SigntoolVerify", - "Parameters" : {}, - "ToolName" : "sign", - "ToolVersion" : "1.0" - } - ] - SessionTimeout: '60' - MaxConcurrency: '50' - MaxRetryAttempts: '5' - - powershell: 'Get-ChildItem -Path ''$(Build.BinariesDirectory)'' -Recurse CodeSign* | foreach { Remove-Item -Path $_.FullName }' - displayName: 'Delete Code Sign Summaries' - - task: ArchiveFiles@2 - displayName: Archive Artifact - Linux - inputs: - rootFolderOrFile: '$(Build.BinariesDirectory)/linux/OSSGadget_linux_$(ReleaseVersion)' - includeRootFolder: true - archiveType: 'tar' - archiveFile: '$(Build.StagingDirectory)/OSSGadget_linux_$(ReleaseVersion).tar.gz' - replaceExistingArchive: true - - task: ArchiveFiles@2 - displayName: Archive Artifact - MacOS - inputs: - rootFolderOrFile: '$(Build.BinariesDirectory)/macos/OSSGadget_macos_$(ReleaseVersion)' - includeRootFolder: true - archiveType: 'tar' - archiveFile: '$(Build.StagingDirectory)/OSSGadget_macos_$(ReleaseVersion).tar.gz' - replaceExistingArchive: true - - task: ArchiveFiles@2 - displayName: 
Archive Artifact - Windows - inputs: - rootFolderOrFile: '$(Build.BinariesDirectory)/win/OSSGadget_win_$(ReleaseVersion)' - includeRootFolder: true - archiveType: 'zip' - archiveFile: '$(Build.StagingDirectory)/OSSGadget_win_$(ReleaseVersion).zip' - replaceExistingArchive: true - - task: ArchiveFiles@2 - displayName: Archive Artifact - .NET Core App - inputs: - rootFolderOrFile: '$(Build.BinariesDirectory)/netcoreapp/OSSGadget_netcoreapp_$(ReleaseVersion)' - includeRootFolder: true - archiveType: 'zip' - archiveFile: '$(Build.StagingDirectory)/OSSGadget_netcoreapp_$(ReleaseVersion).zip' - replaceExistingArchive: true - - task: PowerShell@2 - displayName: Generate Hashes - inputs: - targetType: 'inline' - script: | - Get-ChildItem $(Build.StagingDirectory) | Foreach-Object { - $name = $_.Name - $tmp = (Get-FileHash "$(Build.StagingDirectory)/$name").Hash - Add-Content $(Build.StagingDirectory)/HASHES.txt "$tmp`t$name" - } - - task: PublishPipelineArtifact@1 - displayName: Publish Signed Artifacts to Pipeline - inputs: - targetPath: '$(Build.StagingDirectory)' - artifact: 'Signed_Binaries' - - task: GitHubRelease@1 - displayName: Release to GitHub - inputs: - gitHubConnection: 'OSSGadget_gfs' - repositoryName: 'microsoft/OSSGadget' - action: 'create' - target: '$(Build.SourceVersion)' - tagSource: 'userSpecifiedTag' - tag: 'v$(ReleaseVersion)' - title: 'OSS Gadget v$(ReleaseVersion)' - assets: | - $(Build.StagingDirectory)/*.tar.gz - $(Build.StagingDirectory)/*.zip - $(Build.StagingDirectory)/HASHES.txt - changeLogCompareToRelease: 'lastNonDraftRelease' - changeLogType: 'commitBased' - -- stage: Publish_Shared_Nuget - dependsOn: - - SDL - condition: and(succeeded(), in(variables['Build.Reason'], 'IndividualCI', 'BatchedCI')) - jobs: - - template: templates/check-changes.yml - parameters: - jobName: 'check_changes_shared' - tagName: 'code_changed' - pathArgument: 'Pipelines/*.yml,src/*' - - template: templates/nuget-build-job.yml - parameters: - jobName: 'pack_shared' 
- projectPath: 'src/Shared/Shared.Lib.csproj' - projectName: 'Shared' - dependsOnArg: 'check_changes_shared' - conditionedOnTag: 'code_changed' - publishToNuget: true + name: MSSecurity-1ES-Build-Agents-Pool + image: MSSecurity-1ES-Windows-2022 + os: windows + stages: + - stage: Test + jobs: + - template: dotnet-test-job.yml@templates + parameters: + jobName: 'dotnet_test_windows' + dotnetVersions: ['6.0.x','7.0.x','8.0.x'] + poolName: MSSecurity-1ES-Build-Agents-Pool + poolImage: MSSecurity-1ES-Windows-2022 + poolOs: windows + projectPath: 'src/oss-tests/oss-tests.csproj' -- stage: Publish_OSS_Find_Squats_Nuget - dependsOn: - - SDL - condition: and(succeeded(), in(variables['Build.Reason'], 'IndividualCI', 'BatchedCI')) - jobs: - - template: templates/check-changes.yml - parameters: - jobName: 'check_changes_oss_find_squats' - tagName: 'code_changed' - pathArgument: 'Pipelines/*,src/*' - - template: templates/nuget-build-job.yml - parameters: - jobName: 'pack_oss_find_squats' - projectPath: 'src/oss-find-squats/oss-find-squats.csproj' - projectName: 'oss-find-squats' - dependsOnArg: 'check_changes_oss_find_squats' - conditionedOnTag: 'code_changed' - publishToNuget: true - - template: templates/nuget-build-job.yml - parameters: - jobName: 'pack_oss_find_squats_lib' - projectPath: 'src/oss-find-squats-lib/oss-find-squats-lib.csproj' - projectName: 'oss-find-squats-lib' - dependsOnArg: 'check_changes_oss_find_squats' - conditionedOnTag: 'code_changed' - publishToNuget: true \ No newline at end of file + - stage: Build + jobs: + - template: dotnet-build-job.yml@templates + parameters: + buildTool: 'dotnet' + buildConfiguration: 'Release' + dotnetVersion: '8.0.x' + targetFramework: 'net8.0' + projectPath: 'src/OSSGadget.sln' + projectName: 'OSSGadget' + poolName: MSSecurity-1ES-Build-Agents-Pool + poolImage: MSSecurity-1ES-Windows-2022 + poolOs: windows + artifactName: 'OSSGadget-archive' + preBuild: + - template: nbgv-set-version-steps.yml@templates \ No newline at 
end of file diff --git a/Pipelines/templates/check-changes.yml b/Pipelines/templates/check-changes.yml deleted file mode 100644 index 039dbf5f..00000000 --- a/Pipelines/templates/check-changes.yml +++ /dev/null @@ -1,43 +0,0 @@ -parameters: -# Job Name -- name: jobName - type: string - default: 'check_changes' -# tag name -- name: tagName - type: string - default: 'code_changed' -# Comma Separated paths Name -- name: pathArgument - type: string - default: '/' - -jobs: -- job: ${{ parameters.jobName }} - displayName: Checking for changed paths - steps: - - pwsh: | - $pathArgument = "${{ parameters.pathArgument }}" - $inputPaths = $pathArgument.Split(',') - - $changedPaths = git diff HEAD HEAD~ --name-only - foreach ($changedPath in $changedPaths) - { - if ($done) - { - break; - } - foreach ($inputPath in $inputPaths) - { - if ($changedPath -like "${inputPath}") - { - Write-Host "##vso[task.setvariable variable=${{ parameters.tagName }};isOutput=true]true" - Write-Host "${changedPath} is like ${inputPath}." - return - } - } - } - - Write-Host "##vso[task.setvariable variable=${{ parameters.tagName }};isOutput=true]false" - Write-Host "Found no matching paths." - name: check_script diff --git a/Pipelines/templates/dotnet-build-publish-all-platforms-job.yml b/Pipelines/templates/dotnet-build-publish-all-platforms-job.yml deleted file mode 100644 index 005318a8..00000000 --- a/Pipelines/templates/dotnet-build-publish-all-platforms-job.yml +++ /dev/null 
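Review bot: The two `resources.repositories` entries in `Pipelines/core-pipeline.yml` resolve the external templates by tag (`refs/tags/v2.0.0` and `refs/tags/release`), and a tag can be re-pointed, so the content that `extends:` and the `@templates` jobs run is controlled by whoever can write tags in those repositories rather than by this file; `release` in particular reads like a moving tag. The same hunk removes the in-repo SDL stage, the ESRP sign/verify steps and the `HASHES.txt` generation, so nothing visible here shows where scanning, signing or integrity hashes for `OSSGadget-archive` now happen. A comment above `resources:` would make that trust boundary explicit, for example `# Templates are resolved by tag at run time; SDL scanning and signing are expected to come from these templates or a separate release pipeline. Confirm tag protection on both repos.` Separately, `BuildConfiguration` and `dotnetVersion` are declared under `variables:` while the Build parameters repeat the literals `'Release'` and `'8.0.x'`; reference the variables or drop them so the values cannot drift apart.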
@@ -1,111 +0,0 @@ -parameters: -# Job Name -- name: jobName - type: string - default: 'publish_all_platforms' -# Optional Pre-Build Steps -- name: 'preBuild' - type: stepList - default: [] -# Version of Dotnet SDK to use -- name: dotnetVersion - type: string - default: '8.0.x' -# Version of Dotnet to publish -- name: dotnetPublishVersion - type: string - default: 'net8.0' -# Include preview versions of Dotnet SDK -- name: includePreviewVersions - type: boolean - default: false -# Version of NuGet Tool to use -- name: nugetVersion - type: string - default: '5.x' -# Path to .sln -- name: solutionPath - type: string - default: '' - # Path to recursively search for csproj files -- name: csprojPath - type: string - default: '' -# Build Configuration -- name: buildConfiguration - type: string - default: 'Release' -# Project Name -- name: projectName - type: string - default: '' -# Release Version -- name: releaseVersion - type: string - default: '' -# Pipeline Artifact Name -- name: artifactName - type: string - default: 'Unsigned_Binaries' - -jobs: -- job: ${{ parameters.jobName }} - displayName: Build and Publish All Platforms - pool: - vmImage: 'ubuntu-latest' - steps: - - task: UseDotNet@2 - displayName: Install Dotnet SDK - inputs: - packageType: 'sdk' - version: ${{ parameters.dotnetVersion }} - includePreviewVersions: ${{ parameters.includePreviewVersions }} - - ${{ parameters.preBuild }} - - task: DotNetCoreCLI@2 - displayName: Restore - inputs: - command: 'restore' - projects: ${{ parameters.solutionPath }} - verbosityRestore: 'Normal' - - task: DotNetCoreCLI@2 - displayName: Publish Linux x64 - inputs: - command: 'publish' - arguments: '${{ parameters.solutionPath }} -c ${{ parameters.buildConfiguration }} -o bin/linux/${{ parameters.projectName }}_linux_$(ReleaseVersion) --sc -r linux-x64 -f ${{ parameters.dotnetPublishVersion }}' - publishWebProjects: false - zipAfterPublish: false - - task: DotNetCoreCLI@2 - displayName: Publish MacOS x64 - inputs: - 
command: 'publish' - arguments: '${{ parameters.solutionPath }} -c ${{ parameters.buildConfiguration }} -o bin/macos/${{ parameters.projectName }}_macos_$(ReleaseVersion) --sc -r osx-x64 -f ${{ parameters.dotnetPublishVersion }}' - publishWebProjects: false - zipAfterPublish: false - - task: DotNetCoreCLI@2 - displayName: Publish Win x64 - inputs: - command: 'publish' - arguments: '${{ parameters.solutionPath }} -c ${{ parameters.buildConfiguration }} -o bin/win/${{ parameters.projectName }}_win_$(ReleaseVersion) --sc -r win-x64 -f ${{ parameters.dotnetPublishVersion }}' - publishWebProjects: false - zipAfterPublish: false - - task: DotNetCoreCLI@2 - displayName: Build .NET Core App - inputs: - command: 'publish' - arguments: '${{ parameters.solutionPath }} -c ${{ parameters.buildConfiguration }} -o bin/netcoreapp/${{ parameters.projectName }}_netcoreapp_$(ReleaseVersion) -f ${{ parameters.dotnetPublishVersion }}' - publishWebProjects: false - zipAfterPublish: false - - task: ArchiveFiles@2 - displayName: Archive Builds - inputs: - rootFolderOrFile: 'bin' - includeRootFolder: false - archiveType: 'tar' - archiveFile: 'Archives/${{ parameters.projectName }}_Unsigned.tar.gz' - replaceExistingArchive: true - - task: PublishBuildArtifacts@1 - displayName: Pipeline Publish Archive - inputs: - PathtoPublish: 'Archives' - ArtifactName: '${{ parameters.artifactName }}' - publishLocation: 'Container' diff --git a/Pipelines/templates/dotnet-test-job.yml b/Pipelines/templates/dotnet-test-job.yml deleted file mode 100644 index 077fe3e6..00000000 --- a/Pipelines/templates/dotnet-test-job.yml +++ /dev/null 
@@ -1,48 +0,0 @@ -parameters: -# Job Name -- name: jobName - type: string - default: 'dotnet_test' -# Version of Dotnet SDK to use -- name: dotnetVersions - type: object - default: ['6.0.x','8.0.x'] -# Should Dotnet SDK install preview versions? -- name: includePreviewVersions - type: boolean - default: false -# List of paths to .csproj -- name: projectPath - type: string - default: '' -# Additional 'dotnet test' arguments -- name: arguments - type: string - default: '' - -jobs: -- job: ${{ parameters.jobName }} - displayName: Dotnet Test - pool: - name: CSPA - demands: ImageOverride -equals win2022-image-base - steps: - # Install dotnet versions - - ${{ each version in parameters.dotnetVersions }}: - - task: UseDotNet@2 - displayName: Install Dotnet SDK - inputs: - packageType: 'sdk' - version: ${{ version }} - - task: DotNetCoreCLI@2 - displayName: Dotnet Restore - inputs: - command: 'restore' - projects: ${{ parameters.projectPath }} - verbosityRestore: 'Normal' - - task: DotNetCoreCLI@2 - displayName: Dotnet Test - inputs: - command: 'test' - projects: ${{ parameters.projectPath }} - arguments: ${{ parameters.arguments }} \ No newline at end of file diff --git a/Pipelines/templates/nbgv-set-version-steps.yml b/Pipelines/templates/nbgv-set-version-steps.yml deleted file mode 100644 index ca3a54eb..00000000 --- a/Pipelines/templates/nbgv-set-version-steps.yml +++ /dev/null @@ -1,10 +0,0 @@ -steps: -- script: 'dotnet tool update -g nbgv' - displayName: 'Install GitVersioning' -- task: PowerShell@2 - displayName: Set Release Version - inputs: - targetType: 'inline' - script: | - $version = (nbgv get-version -v AssemblyInformationalVersion).split('+')[0] - Write-Host "##vso[task.setvariable variable=releaseVersion;]$version" \ No newline at end of file diff --git a/Pipelines/templates/nuget-build-job.yml b/Pipelines/templates/nuget-build-job.yml deleted file mode 100644 index c8a1cd67..00000000 --- a/Pipelines/templates/nuget-build-job.yml +++ /dev/null 
@@ -1,148 +0,0 @@ -parameters: -# Job Name -- name: jobName - type: string - default: 'nuget_pack' -# Version of Dotnet SDK to use -- name: dotnetVersion - type: string - default: '8.0.x' -# Should Dotnet SDK install preview versions? -- name: includePreviewVersions - type: boolean - default: true -# Version of NuGet Tool to use -- name: nugetVersion - type: string - default: '5.x' -# Path to .csproj or .sln -- name: projectPath - type: string - default: '' -# Build Configuration -- name: buildConfiguration - type: string - default: 'Release' -# Project Name -- name: projectName - type: string - default: '' -# Pipeline Artifact Name -- name: artifactName - type: string - default: 'Unsigned_Binaries' -# Should the resulting built nugets be signed and published to Nuget.org -- name: publishToNuget - type: boolean - default: false -# The Job name for the pipeline that checked paths -- name: dependsOnArg - type: string - default: [] -# The tag set by the checking job -- name: conditionedOnTag - type: string - default: 'code_changed' -# Should the resulting nugets be marked as a public release (disable prerelease versioning) -- name: publicRelease - type: boolean - default: true - -jobs: -- job: ${{ parameters.jobName }} - dependsOn: ${{ parameters.dependsOnArg }} - condition: eq(dependencies.${{ parameters.dependsOnArg }}.outputs['check_script.${{ parameters.conditionedOnTag }}'], 'true') - displayName: NuGet Package ${{ parameters.projectName }} - pool: - name: CSPA - demands: ImageOverride -equals win2022-image-base - steps: - - task: UseDotNet@2 - displayName: Install Dotnet SDK - inputs: - packageType: 'sdk' - version: ${{ parameters.dotnetVersion }} - performMultiLevelLookup: true - includePreviewVersions: ${{ parameters.includePreviewVersions }} - - task: NuGetToolInstaller@1 - displayName: Install Nuget Tool - inputs: - versionSpec: ${{ parameters.nugetVersion }} - - task: DotNetCoreCLI@2 - displayName: Dotnet Restore - inputs: - command: 'restore' - projects: 
${{ parameters.projectPath }} - verbosityRestore: 'Normal' - - task: DotNetCoreCLI@2 - displayName: Pack Nupkg - inputs: - command: 'custom' - custom: 'pack' - arguments: '${{ parameters.projectPath }} -c ${{ parameters.buildConfiguration }} -o Packages /p:PublicRelease=${{ parameters.publicRelease }}' - - task: AntiMalware@3 - displayName: Anti-Malware Scan - inputs: - InputType: 'Basic' - ScanType: 'CustomScan' - FileDirPath: 'Packages' - EnableServices: true - SupportLogOnError: true - TreatSignatureUpdateFailureAs: 'Warning' - SignatureFreshness: 'UpToDate' - TreatStaleSignatureAs: 'Warning' - - task: UseDotNet@2 - inputs: - packageType: 'sdk' - version: '2.1.804' - - task: EsrpCodeSigning@1 - displayName: Code Sign Nuget Packages - condition: and(succeeded(), eq('${{ parameters.publishToNuget }}', 'true')) - inputs: - ConnectedServiceName: 'CodeSignforATSAN' - FolderPath: 'Packages' - Pattern: '*.nupkg, *.snupkg' - signConfigType: 'inlineSignParams' - inlineOperation: | - [ - { - "KeyCode" : "CP-401405", - "OperationCode" : "NuGetSign", - "Parameters" : {}, - "ToolName" : "sign", - "ToolVersion" : "1.0" - }, - { - "KeyCode" : "CP-401405", - "OperationCode" : "NuGetVerify", - "Parameters" : {}, - "ToolName" : "sign", - "ToolVersion" : "1.0" - } - ] - SessionTimeout: '60' - MaxConcurrency: '50' - MaxRetryAttempts: '5' - - task: ArchiveFiles@2 - displayName: Archive Packages - inputs: - rootFolderOrFile: 'Packages' - includeRootFolder: false - archiveType: 'zip' - archiveFile: 'Archives/${{ parameters.projectName }}_NuGet.zip' - replaceExistingArchive: true - - task: PublishBuildArtifacts@1 - displayName: Pipeline Publish Archive - inputs: - PathtoPublish: 'Archives' - ArtifactName: '${{ parameters.artifactName }}' - publishLocation: 'Container' - - task: NuGetCommand@2 - displayName: Push NuGet Packages - condition: and(succeeded(), eq('${{ parameters.publishToNuget }}', 'true')) - inputs: - command: 'push' - packagesToPush: 'Packages/*.nupkg' - nuGetFeedType: 
'external' - publishFeedCredentials: 'CST-E Nuget CI' - verbosityPush: 'Normal' \ No newline at end of file diff --git a/Pipelines/templates/sdl-job.yml b/Pipelines/templates/sdl-job.yml deleted file mode 100644 index 88410b27..00000000 --- a/Pipelines/templates/sdl-job.yml +++ /dev/null 
@@ -1,70 +0,0 @@ -parameters: -# Service Tree ID of application -- name: serviceTreeID - type: string - default: '' - -jobs: -- job: sdl_tools - displayName: SDL Tools - pool: - name: CSPA - demands: ImageOverride -equals win2022-image-base - steps: - - task: DownloadBuildArtifacts@0 - displayName: Download Unsigned Binary Archives - inputs: - buildType: 'current' - downloadType: 'specific' - itemPattern: 'Unsigned_Binaries/*.tar.gz' - downloadPath: '$(Build.BinariesDirectory)' - - task: ExtractFiles@1 - displayName: Extract Unsigned Binaries - inputs: - archiveFilePatterns: '$(Build.BinariesDirectory)/Unsigned_Binaries/*.tar.gz' - destinationFolder: '$(Build.BinariesDirectory)' - cleanDestinationFolder: false - - task: AntiMalware@3 - displayName: Anti-Malware Scan - inputs: - InputType: 'Basic' - ScanType: 'CustomScan' - FileDirPath: '$(Build.BinariesDirectory)' - EnableServices: true - SupportLogOnError: true - TreatSignatureUpdateFailureAs: 'Warning' - SignatureFreshness: 'UpToDate' - TreatStaleSignatureAs: 'Warning' - - task: BinSkim@3 - inputs: - InputType: 'Basic' - Function: 'analyze' - AnalyzeTarget: '$(Build.BinariesDirectory)/oss-*;$(Build.BinariesDirectory)/Shared.dll' - - task: PoliCheck@1 - continueOnError: true - inputs: - inputType: 'Basic' - targetType: 'F' - targetArgument: '$(Build.SourcesDirectory)' - result: 'PoliCheck.xml' - - task: CodeInspector@2 - continueOnError: true - inputs: - ProductId: ${{ parameters.serviceTreeID }} - - task: CredScan@3 - inputs: - verboseOutput: true - - task: notice@0 - enabled: false - continueOnError: true - inputs: - outputformat: 'text' - - task: SdtReport@2 - inputs: - GdnExportAllTools: true - - task: PublishSecurityAnalysisLogs@2 - inputs: - ArtifactName: 'CodeAnalysisLogs' - ArtifactType: 'Container' - AllTools: true - ToolLogsNotFoundAction: 'Standard' \ No newline at end of file