Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

AzureAuth GitHub release through ADO pipeline #393

Merged
merged 10 commits into from
Jul 8, 2024
Merged

AzureAuth GitHub release through ADO pipeline #393

Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
ea59cef
add ado release pipeline
Haard30 Jun 25, 2024
e0ea255
Switch to official template
Haard30 Jun 26, 2024
a172bf7
switch pipeline to prod
Haard30 Jun 26, 2024
d4f409d
revert back to nonprod template while we wait for permissions
Haard30 Jun 26, 2024
4654555
Remove draft release to test end to end flow once
Haard30 Jun 26, 2024
788c80c
add manual approval job before publishing the release
Haard30 Jun 26, 2024
cc51dfd
Switch back to draft temporarily
Haard30 Jun 26, 2024
4fea3b9
change approval to agentless pool
Haard30 Jun 26, 2024
bda786a
Remove esrp comment as it is no longer relevant
Haard30 Jun 27, 2024
6aa824c
Make pipeline variable names consistent
Haard30 Jul 2, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
318 changes: 273 additions & 45 deletions .github/workflows/release-azure-pipelines.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,6 @@
parameters:
- name: version
type: string
default: 0.8.6
- name: prerelease
displayName: Prerelease?
type: boolean
Expand Down Expand Up @@ -38,6 +37,7 @@ variables:
readonly: true

trigger: none

pr: none

resources:
Expand Down Expand Up @@ -66,16 +66,16 @@ extends:
- job: validate
displayName: Validate
steps:
- checkout: self
- task: UsePythonVersion@0
displayName: Use Python $(pythonVersion)
inputs:
versionSpec: $(pythonVersion)
- task: Bash@3
inputs:
targetType: inline
script: |
echo ${{ parameters.version }} | python ./bin/version.py
- checkout: self
- task: UsePythonVersion@0
displayName: Use Python $(pythonVersion)
inputs:
versionSpec: $(pythonVersion)
- task: Bash@3
inputs:
targetType: inline
script: |
echo ${{ parameters.version }} | python ./bin/version.py

- stage: build
displayName: Build
Expand All @@ -93,40 +93,268 @@ extends:
targetPath: dist/${{ config.runtime }}
artifactName: azureauth-${{ parameters.version }}-${{ config.runtime }}
steps:
- checkout: self
- task: UseDotNet@2
displayName: Use .NET Core sdk 6.x
inputs:
version: 6.x
- checkout: self
- task: UseDotNet@2
displayName: Use .NET Core sdk 6.x
inputs:
version: 6.x
- task: NuGetToolInstaller@0
displayName: Use NuGet 6.x
inputs:
versionSpec: 6.x
- task: DotNetCoreCLI@2
displayName: Install dependencies
inputs:
command: restore
feedsToUse: select
vstsFeed: $(VSTS_FEED_ID)
includeNuGetOrg: false
arguments: --runtime ${{ config.runtime }}
- task: DotNetCoreCLI@2
displayName: Test
inputs:
command: test
arguments: --configuration release --no-restore

- task: DotNetCoreCLI@2
displayName: Build artifacts
env:
ADO_TOKEN: $(System.AccessToken)
inputs:
command: publish
projects: src/AzureAuth/AzureAuth.csproj
arguments: -p:Version=${{ parameters.version }} --configuration release --self-contained true --runtime ${{ config.runtime }} --output dist/${{ config.runtime }}
publishWebProjects: false
zipAfterPublish: false
modifyOutputPath: true
mvanchaa marked this conversation as resolved.
Show resolved Hide resolved
mvanchaa marked this conversation as resolved.
Show resolved Hide resolved

- task: NuGetToolInstaller@0
displayName: Use NuGet 6.x
inputs:
versionSpec: 6.x
- stage: sign
displayName: Sign
dependsOn: build
jobs:
- ${{ each config in parameters.buildConfigs }}:
- job: sign_${{ replace(config.runtime,'-', '_') }}
displayName: Signing ${{ config.runtime }}
pool:
name: Azure-Pipelines-1ESPT-ExDShared
image: windows-latest
os: windows
templateContext:
inputs:
- input: pipelineArtifact
artifactName: azureauth-${{ parameters.version }}-${{ config.runtime }}
targetPath: $(Build.ArtifactStagingDirectory)/azureauth-${{ parameters.version }}-${{ config.runtime }}
outputs:
- output: pipelineArtifact
artifactName: azureauth-${{ parameters.version }}-${{ config.runtime }}-signed
targetPath: $(Build.ArtifactStagingDirectory)/azureauth-${{ parameters.version }}-${{ config.runtime }}-signed
steps:
- task: EsrpCodeSigning@5
displayName: Sign artifacts win10-x64
condition: eq('${{ config.runtime }}', 'win10-x64')
inputs:
ConnectedServiceName: $(ESRP_KV_SERVICE_CONNECTION)
AppRegistrationClientId: $(SIGNING_AAD_ID)
AppRegistrationTenantId: $(SIGNING_TENANT_ID)
AuthAKVName: $(AZURE_VAULT)
AuthCertName: $(AZURE_VAULT_ESRP_AAD_CERT_NAME)
AuthSignCertName: $(AZURE_VAULT_ESRP_REQ_CERT_NAME)
mijpeterson marked this conversation as resolved.
Show resolved Hide resolved
FolderPath: $(Build.ArtifactStagingDirectory)/azureauth-${{ parameters.version }}-${{ config.runtime }}/AzureAuth
Pattern: '*.dll,*.exe'
signConfigType: 'inlineSignParams'
inlineOperation: |
[
{
"KeyCode": "$(SIGNING_KEY_CODE_AUTHENTICODE)",
"OperationCode": "SigntoolSign",
"ToolName": "sign",
"ToolVersion": "1.0",
"Parameters": {
"OpusName": "Microsoft",
"OpusInfo": "https://www.microsoft.com",
"FileDigest": "/fd SHA256",
"PageHash": "/NPH",
"TimeStamp": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256"
}
},
{
"KeyCode": "$(SIGNING_KEY_CODE_AUTHENTICODE)",
"OperationCode": "SigntoolVerify",
"ToolName": "sign",
"ToolVersion": "1.0",
"Parameters": {}
}
]
SessionTimeout: '60'
MaxConcurrency: '50'
MaxRetryAttempts: '5'
PendingAnalysisWaitTimeoutMinutes: '5'
# We need to zip the artifacts for osx before sending to ESRP for signing.
- task: ArchiveFiles@2
displayName: Codesigning - zip artifacts to send to ESRP
condition: startsWith('${{ config.runtime }}', 'osx')
inputs:
rootFolderOrFile: $(Build.ArtifactStagingDirectory)/azureauth-${{ parameters.version }}-${{ config.runtime }}
includeRootFolder: false
archiveType: zip
archiveFile: $(Build.ArtifactStagingDirectory)/azureauth-${{ parameters.version }}-${{ config.runtime }}.zip
- task: EsrpCodeSigning@5
displayName: Sign artifacts osx
condition: startsWith('${{ config.runtime }}', 'osx')
inputs:
ConnectedServiceName: $(ESRP_KV_SERVICE_CONNECTION)
AppRegistrationClientId: $(SIGNING_AAD_ID)
AppRegistrationTenantId: $(SIGNING_TENANT_ID)
AuthAKVName: $(AZURE_VAULT)
AuthCertName: $(AZURE_VAULT_ESRP_AAD_CERT_NAME)
AuthSignCertName: $(AZURE_VAULT_ESRP_REQ_CERT_NAME)
FolderPath: $(Build.ArtifactStagingDirectory)
Pattern: 'azureauth-${{ parameters.version }}-${{ config.runtime }}.zip'
signConfigType: 'inlineSignParams'
inlineOperation: |
[
{
"KeyCode": "$(SIGNING_KEY_CODE_MAC)",
"OperationCode": "MacAppDeveloperSign",
"ToolName": "sign",
"ToolVersion": "1.0",
"Parameters": {}
},
{
"KeyCode": "$(SIGNING_KEY_CODE_MAC)",
"OperationCode": "SigntoolVerify",
"ToolName": "sign",
"ToolVersion": "1.0",
"Parameters": {}
}
]
SessionTimeout: '60'
MaxConcurrency: '50'
MaxRetryAttempts: '5'
PendingAnalysisWaitTimeoutMinutes: '5'
- task: ExtractFiles@1
displayName: Extract signed artifacts osx
condition: startsWith('${{ config.runtime }}', 'osx')
inputs:
archiveFilePatterns: $(Build.ArtifactStagingDirectory)/azureauth-${{ parameters.version }}-${{ config.runtime }}.zip
destinationFolder: $(Build.ArtifactStagingDirectory)/azureauth-${{ parameters.version }}-${{ config.runtime }}
cleanDestinationFolder: true
overwriteExistingFiles: true
# We rename the signed artifacts to avoid conflicts with the unsigned pipeline artifacts from the previous stage.
- task: PowerShell@2
displayName: Rename signed artifacts
mvanchaa marked this conversation as resolved.
Show resolved Hide resolved
inputs:
workingDirectory: $(Build.ArtifactStagingDirectory)
targetType: 'inline'
script: |
mv "azureauth-${{ parameters.version }}-${{ config.runtime }}" "azureauth-${{ parameters.version }}-${{ config.runtime }}-signed"
Haard30 marked this conversation as resolved.
Show resolved Hide resolved

- task: DotNetCoreCLI@2
displayName: Install dependencies
inputs:
command: restore
feedsToUse: select
vstsFeed: $(vstsFeedId)
includeNuGetOrg: false
arguments: --runtime ${{ config.runtime }}
# Currently we package artifacts into the most commonly accessible archive format for their respective platforms.
- stage: package
displayName: Package
dependsOn: sign
jobs:
- job: package
displayName: Package
pool:
name: Azure-Pipelines-1ESPT-ExDShared
image: ubuntu-latest
os: linux
templateContext:
inputs:
- ${{ each config in parameters.buildConfigs }}:
- input: pipelineArtifact
artifactName: azureauth-${{ parameters.version }}-${{ config.runtime }}-signed
targetPath: $(Build.ArtifactStagingDirectory)/azureauth-${{ parameters.version }}-${{ config.runtime }}-signed
outputs:
- ${{ each config in parameters.buildConfigs }}:
- output: pipelineArtifact
artifactName: azureauth-${{ parameters.version }}-${{ config.runtime }}.${{ config.archiveExt }}
targetPath: $(Build.SourcesDirectory)/azureauth-${{ parameters.version }}-${{ config.runtime }}.${{ config.archiveExt }}
mvanchaa marked this conversation as resolved.
Show resolved Hide resolved
steps:
- task: ArchiveFiles@2
displayName: Create win10-x64 archive
inputs:
rootFolderOrFile: $(Build.ArtifactStagingDirectory)/azureauth-${{ parameters.version }}-win10-x64-signed/AzureAuth
includeRootFolder: false
archiveType: zip
archiveFile: azureauth-${{ parameters.version }}-win10-x64.zip
- task: Bash@3
displayName: Prepare osx-x64 executables
inputs:
targetType: inline
workingDirectory: $(Build.ArtifactStagingDirectory)
script: |
cd azureauth-${{ parameters.version }}-osx-x64-signed/AzureAuth
chmod +x azureauth createdump *.dylib
- task: ArchiveFiles@2
displayName: Create osx-x64 archive
inputs:
rootFolderOrFile: $(Build.ArtifactStagingDirectory)/azureauth-${{ parameters.version }}-osx-x64-signed/AzureAuth
includeRootFolder: false
archiveType: tar
tarCompression: gz
archiveFile: azureauth-${{ parameters.version }}-osx-x64.tar.gz
- task: Bash@3
displayName: Prepare osx-arm64 executables
inputs:
workingDirectory: $(Build.ArtifactStagingDirectory)
targetType: inline
script: |
cd azureauth-${{ parameters.version }}-osx-arm64-signed/AzureAuth
chmod +x azureauth createdump *.dylib
- task: ArchiveFiles@2
displayName: Create osx-arm64 archive
inputs:
rootFolderOrFile: $(Build.ArtifactStagingDirectory)/azureauth-${{ parameters.version }}-osx-arm64-signed/AzureAuth
includeRootFolder: false
archiveType: tar
tarCompression: gz
archiveFile: azureauth-${{ parameters.version }}-osx-arm64.tar.gz

- task: DotNetCoreCLI@2
displayName: Test
inputs:
command: test
arguments: --configuration release --no-restore

- task: DotNetCoreCLI@2
displayName: Build artifacts
env:
ADO_TOKEN: $(System.AccessToken)
inputs:
command: publish
projects: src/AzureAuth/AzureAuth.csproj
arguments: -p:Version=${{ parameters.version }} --configuration release --self-contained true --runtime ${{ config.runtime }} --output dist/${{ config.runtime }}
publishWebProjects: false
zipAfterPublish: false
modifyOutputPath: true
- stage: release
displayName: Release
dependsOn: package
jobs:
- job: approval
displayName: Manual Approval
pool: server
timeoutInMinutes: 5760 # job times out in 4 days
steps:
Haard30 marked this conversation as resolved.
Show resolved Hide resolved
- task: ManualValidation@0
timeoutInMinutes: 4320 # task times out in 3 days
inputs:
notifyUsers: $(REVIEWER)
instructions: 'Review the AzureAuth GitHub Release.'
- job: release
displayName: Release
dependsOn: approval
pool:
name: Azure-Pipelines-1ESPT-ExDShared
image: ubuntu-latest
os: linux
templateContext:
inputs:
- ${{ each config in parameters.buildConfigs }}:
- input: pipelineArtifact
artifactName: azureauth-${{ parameters.version }}-${{ config.runtime }}.${{ config.archiveExt }}
targetPath: $(Build.ArtifactStagingDirectory)/azureauth-${{ parameters.version }}-${{ config.runtime }}.${{ config.archiveExt }}
steps:
- task: GitHubRelease@1
displayName: Create AzureAuth GitHub Release
inputs:
gitHubConnection: $(GITHUB_RELEASE_SERVICE_CONNECTION)
repositoryName: 'AzureAD/microsoft-authentication-cli'
action: 'create'
target: $(Build.SourceVersion)
tagSource: 'userSpecifiedTag'
tag: ${{ parameters.version }}
isPrerelease: ${{ parameters.prerelease }}
Haard30 marked this conversation as resolved.
Show resolved Hide resolved
isDraft: true
addChangeLog: false
releaseNotesSource: 'inline'
releaseNotesInline: "Release ${{ parameters.version }}. See [`CHANGELOG.md`](https://github.com/AzureAD/microsoft-authentication-cli/blob/${{ parameters.version }}/CHANGELOG.md) for updates."
assets: |
$(Build.ArtifactStagingDirectory)/azureauth-${{ parameters.version }}-win10-x64.zip/azureauth-${{ parameters.version }}-win10-x64.zip
$(Build.ArtifactStagingDirectory)/azureauth-${{ parameters.version }}-osx-x64.tar.gz/azureauth-${{ parameters.version }}-osx-x64.tar.gz
$(Build.ArtifactStagingDirectory)/azureauth-${{ parameters.version }}-osx-arm64.tar.gz/azureauth-${{ parameters.version }}-osx-arm64.tar.gz
Loading