-
Notifications
You must be signed in to change notification settings - Fork 69
/
azure-pipelines.yml
110 lines (103 loc) · 3.64 KB
/
azure-pipelines.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
# Overridden in the UI
trigger: none
pr: none
parameters:
- name: runCompliance
displayName: 'Run post-build compliance tasks (such as API Scan)'
type: boolean
default: false
- name: buildAgent
displayName: 'The build agent to use'
type: object
default:
name: Maui-1ESPT
image: 1ESPT-Windows2022
os: windows
variables:
- template: /scripts/azure-pipelines-variables.yml@self
resources:
repositories:
- repository: internal-templates
type: github
name: xamarin/yaml-templates
endpoint: xamarin
ref: refs/heads/main
- repository: 1ESPipelineTemplates
type: git
name: 1ESPipelineTemplates/1ESPipelineTemplates
ref: refs/tags/release
extends:
template: v1/1ES.Official.PipelineTemplate.yml@1ESPipelineTemplates
parameters:
pool: ${{ parameters.buildAgent }}
customBuildTags:
- ES365AIMigrationTooling
stages:
- stage: build
displayName: Build
jobs:
- job: build
displayName: Build
templateContext:
sdl:
apiscan:
enabled: true
binskim:
enabled: true
break: false
codeInspector:
enabled: true
credscan:
enabled: true
policheck:
enabled: true
spotBugs:
enabled: false
outputParentDirectory: 'output'
outputs:
- output: pipelineArtifact
displayName: 'Upload NuGets'
artifactName: 'nuget'
targetPath: 'output/nugets'
steps:
- template: /scripts/azure-pipelines-steps-prepare.yml@self
- pwsh: dotnet cake --target=pack
displayName: Pack NuGets
env:
JavaSdkDirectory: $(JAVA_HOME)
- stage: signing
displayName: Sign NuGets
dependsOn: build
jobs:
- template: sign-artifacts/jobs/v2.yml@internal-templates
parameters:
usePipelineArtifactTasks: true
use1ESTemplate: true
${{ if or( eq(variables['Build.SourceBranch'], 'refs/heads/main'), startsWith(variables['Build.SourceBranch'], 'refs/heads/release/') ) }}:
signType: 'Real'
${{ else }}:
signType: 'Test'
- ${{ if or( eq(variables['Build.Reason'], 'Schedule'), parameters.runCompliance ) }}:
- template: security/apiscan/v0.yml@internal-templates
parameters:
windowsPoolName: ${{ parameters.buildAgent.name }}
windowsImageOverride: ${{ parameters.buildAgent.image }}
timeoutInMinutes: 480
stageDependsOn:
- build
scanArtifacts:
- nuget
apiScanSoftwareName: SkiaSharp
apiScanSoftwareVersionNum: $(MAJOR_VERSION)
apiScanAuthConnectionString: 'runAs=App;AppId=$(ApiScanClientId)'
preScanSteps:
- pwsh: |
$nupkgs = (Get-ChildItem "$(Build.ArtifactStagingDirectory)\binaries-to-scan\*\*.*nupkg")
foreach ($nupkg in $nupkgs) {
$filename = $nupkg.Name.TrimEnd('.nupkg')
$dest = "$(Build.ArtifactStagingDirectory)\binaries-to-scan\nuget_symbols-extracted\$filename"
Write-Host "Extracting '$nupkg' to '$dest'..."
Expand-Archive $nupkg $dest
Remove-Item $nupkg
}
displayName: Extract all the .nupkg files