diff --git a/.ado/governance.yml b/.ado/governance.yml
new file mode 100644
index 00000000..e2f9816c
--- /dev/null
+++ b/.ado/governance.yml
@@ -0,0 +1,53 @@
+name: pyqir-governance
+
+trigger:
+- main
+
+pr:
+- main
+
+schedules:
+- cron: "0 9 * * Sat"
+ displayName: 'Build for CodeQL'
+ branches:
+ include:
+ - main
+ always: true
+
+variables:
+ CARGO_TERM_COLOR: always
+ RUST_TOOLCHAIN_VERSION: "1.77"
+
+jobs:
+- job: "pyqir_governance"
+ pool:
+ vmImage: 'ubuntu-latest'
+ timeoutInMinutes: 240
+ steps:
+ - task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
+ displayName: 'Component detection'
+
+ - task: RustInstaller@1
+ inputs:
+ rustVersion: ms-$(RUST_TOOLCHAIN_VERSION)
+ cratesIoFeedOverride: $(cratesIoFeedOverride)
+ toolchainFeed: $(toolchainFeed)
+ displayName: Install Rust toolchain
+
+ - task: UsePythonVersion@0
+ inputs:
+ versionSpec: '3.11'
+
+ - script: |
+ sudo apt-get install -y ninja-build
+ displayName: Build VSCode Extension
+
+ - task: CodeQL3000Init@0
+ displayName: CodeQL Initialize
+
+ - script: |
+ ./build.ps1 -t default
+ displayName: Build
+
+ - task: CodeQL3000Finalize@0
+ displayName: CodeQL Finalize
diff --git a/.ado/release.yml b/.ado/release.yml
new file mode 100644
index 00000000..c9c18d43
--- /dev/null
+++ b/.ado/release.yml
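Review bot: The RustInstaller step's `cratesIoFeedOverride: $(cratesIoFeedOverride)` and `toolchainFeed: $(toolchainFeed)` read variables this pipeline never declares, so they must be coming from a variable group or a queue-time input; because they decide where the Rust toolchain and crates are fetched from, that source should be explicit in the file. Azure Pipelines leaves an undefined macro unexpanded, so if the variables are missing the task receives the literal string `$(cratesIoFeedOverride)` rather than an empty value — declare them under `variables:` with a comment on where the real values come from, or at least add `# supplied by the pipeline's variable group` above the two inputs. Separately, `displayName: Build VSCode Extension` labels a step that only runs `sudo apt-get install -y ninja-build`; rename it to `displayName: Install ninja-build` and consider an `apt-get update` first so a stale package index does not fail the job.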
@@ -0,0 +1,150 @@
+name: pyqir-publish-$(BuildId)
+
+trigger: none
+pr: none
+
+variables:
+ CARGO_TERM_COLOR: always
+ RUST_TOOLCHAIN_VERSION: "1.77"
+
+jobs:
+- job: "Build"
+ strategy:
+ matrix:
+ linux_x64:
+ imageName: 'ubuntu-20.04'
+ arch: x86_64
+ mac_x64:
+ imageName: 'macOS-latest'
+ arch: x86_64
+ mac_aarch64:
+ imageName: 'macOS-14'
+ arch: aarch64
+ windows:
+ imageName: 'windows-latest'
+ arch: x86_64
+ pool:
+ vmImage: $(imageName)
+ variables:
+ arch: $(arch)
+ timeoutInMinutes: 90
+
+ steps:
+ # common init steps
+ - task: RustInstaller@1
+ inputs:
+ rustVersion: ms-$(RUST_TOOLCHAIN_VERSION)
+ cratesIoFeedOverride: $(cratesIoFeedOverride)
+ toolchainFeed: $(toolchainFeed)
+ displayName: Install Rust toolchain
+
+ - script: |
+ rustc --version
+ rustc --print target-list
+ displayName: View rust target info
+
+ - task: UsePythonVersion@0
+ inputs:
+ versionSpec: '3.11'
+
+# build
+
+ - script: |
+ ./build.ps1 -t default
+ displayName: Build
+
+# publish the python artifacts
+
+ - script: |
+ dir target\wheels\*
+ displayName: List Py Packages on Win
+ condition: eq(variables['Agent.OS'], 'Windows_NT')
+
+ - script: |
+ ls target/wheels/*
+ displayName: List Py Packages on non-Win
+ condition: ne(variables['Agent.OS'], 'Windows_NT')
+
+ - publish: $(System.DefaultWorkingDirectory)/target/wheels
+ artifact: Wheels.Mac.${{ variables['arch'] }}
+ displayName: Upload Python Artifacts Mac
+ condition: eq(variables['Agent.OS'], 'Darwin')
+
+ - publish: $(System.DefaultWorkingDirectory)/target/wheels
+ artifact: Wheels.Win.${{ variables['arch'] }}
+ displayName: Upload Python Artifacts Win
+ condition: eq(variables['Agent.OS'], 'Windows_NT')
+
+ - publish: $(System.DefaultWorkingDirectory)/target/wheels
+ artifact: Wheels.Linux.${{ variables['arch'] }}
+ displayName: Upload Python Artifacts Linux
+ condition: eq(variables['Agent.OS'], 'Linux')
+
+- job: "Merge"
+ pool:
+ vmImage: 'ubuntu-latest'
+
+ steps:
+ - download: current
+ artifact: Wheels.Win.x86_64
+ displayName: Download x86_64 Python Artifacts Win
+
+ - download: current
+ artifact: Wheels.Mac.x86_64
+ displayName: Download Python Artifacts Mac
+
+ - download: current
+ artifact: Wheels.Mac.aarch64
+ displayName: Download Python Artifacts Mac
+
+ - download: current
+ artifact: Wheels.Linux.x86_64
+ displayName: Download x86_64 Python Artifacts Linux
+
+ - script: |
+ mkdir -p target/wheels
+ mv ../Wheels.Linux.x86_64/*.whl target/wheels
+ mv ../Wheels.Win.x86_64/*.whl target/wheels
+ mv ../Wheels.Mac.x86_64/*.whl target/wheels
+ mv ../Wheels.Mac.aarch64/*.whl target/wheels
+ ls target/wheels/*
+ displayName: Move Py Artifacts to Publishing Dir
+
+ - publish: $(System.DefaultWorkingDirectory)/target/wheels
+ artifact: wheels
+ displayName: Upload Python Artifacts
+
+
+- job: "Approval"
+ dependsOn:
+ - Build
+ - Merge
+
+ pool: server
+ timeoutInMinutes: 1440 # job times out in 1 day
+ steps:
+ - task: ManualValidation@0
+ timeoutInMinutes: 1440 # task times out in 1 day
+ inputs:
+ notifyUsers: ''
+ instructions: 'Please verify artifacts and approve the release'
+ onTimeout: 'reject'
+
+
+- job: "Publish_Python_Packages"
+ dependsOn: Approval
+ pool:
+ vmImage: 'ubuntu-latest'
+
+ steps:
+ - download: current
+ artifact: wheels
+ displayName: Download Python Artifacts
+
+ - script: |
+ mkdir -p target/wheels
+ mv ../wheels/*.whl target/wheels
+ ls target/wheels/*
+ displayName: Move Py Artifacts to Publishing Dir
+
+# Add ESRP steps here
diff --git a/.github/workflows/devskim.yml b/.github/workflows/devskim.yml
new file mode 100644
index 00000000..52776076
--- /dev/null
+++ b/.github/workflows/devskim.yml
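Review bot: The `Merge` job declares no `dependsOn`, so it is not ordered after `Build` and its four `download: current` steps can be scheduled before the `Wheels.*` artifacts exist (jobs without dependsOn run in parallel by default, if I read the scheduling rules right); add `dependsOn: Build` under `- job: "Merge"` — the `Approval` job already depends on both, so nothing else changes. Since the manual approval asks a human to "verify artifacts", it would also help the approver if the Merge step printed `sha256sum target/wheels/*.whl` alongside the `ls`, giving something concrete to compare before the still-to-be-added ESRP publishing steps run. Separately, `imageName: 'ubuntu-20.04'` in the matrix targets an image Microsoft-hosted agents have been retiring; if the Linux wheel needs that glibc baseline, say so in a comment, otherwise use the same `ubuntu-latest` the other jobs already use.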
@@ -0,0 +1,33 @@
+name: DevSkim
+
+on:
+ pull_request:
+ branches: [ main ]
+ merge_group:
+ workflow_dispatch:
+ schedule:
+ # set schedule to run at 2AM PT on Saturdays
+ - cron: '0 9 * * Sat'
+
+jobs:
+ lint:
+ name: DevSkim
+ runs-on: ubuntu-latest
+ permissions:
+ # required for all workflows
+ security-events: write
+
+ # only required for workflows in private repositories
+ actions: read
+ contents: read
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Run DevSkim scanner
+ uses: microsoft/DevSkim-Action@v1
+
+ - name: Upload DevSkim scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: devskim-results.sarif
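Review bot: All three actions are referenced by mutable tags (`actions/checkout@v3`, `microsoft/DevSkim-Action@v1`, `github/codeql-action/upload-sarif@v2`), so whoever can move those tags controls what runs with `security-events: write` in this workflow; for a security-scanning workflow pin each `uses:` to a full-length commit SHA and keep the tag as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v3`. `github/codeql-action` v2 has also been superseded upstream by v3, so the pin should move forward at the same time rather than freezing a deprecated line. Minor: the comment says `2AM PT` but `0 9 * * Sat` is 09:00 UTC, which is 2AM only during Pacific daylight time (1AM PST); `# 09:00 UTC on Saturdays` would be accurate year-round.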