From 573a1b06c9901f9c718ec3fe24dbf5e2c16dde7d Mon Sep 17 00:00:00 2001
From: James Truher
Date: Tue, 12 Jan 2021 14:43:08 -0800
Subject: [PATCH] Add a lot of comments to the yaml
---
 .ci/releaseBuild.yml | 53 +++++++++++++++++++++++++++++++++++---------
 1 file changed, 43 insertions(+), 10 deletions(-)
diff --git a/.ci/releaseBuild.yml b/.ci/releaseBuild.yml
index be5414079..3441b87a5 100644
--- a/.ci/releaseBuild.yml
+++ b/.ci/releaseBuild.yml
@@ -1,4 +1,7 @@
+# The name of the build that will be seen in mscodehub
 name: PSSA-Release-$(Build.BuildId)
+# how is the build triggered
+# since this is a release build, no trigger as it's a manual release
 trigger: none
 
 pr:
@@ -7,18 +10,26 @@ pr:
     - master
     - release*
 
+# variables to set in the build environment
 variables:
   DOTNET_CLI_TELEMETRY_OPTOUT: 1
   POWERSHELL_TELEMETRY_OPTOUT: 1
 
+# since this build relies on templates, we need access to those
+# This needs a service connection in the build to work
+# the *name* of the service connection must be the same as the endpoint
 resources:
   repositories:
   - repository: ComplianceRepo
     type: github
     endpoint: ComplianceGHRepo
     name: PowerShell/compliance
+    # this can be any branch of your choosing
     ref: master
 
+# the stages in this build. There are 2
+# the assumption for script analyzer is that test is done as part of
+# CI so we needn't do it here
 stages:
 - stage: Build
   displayName: Build
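Review bot: `ref: master` on the ComplianceRepo resource, now annotated with `# this can be any branch of your choosing`, leaves the signing and compliance templates (`EsrpSign.yml@ComplianceRepo`, `assembly-module-compliance.yml@ComplianceRepo` in later hunks) tracking a mutable branch, so a push to that branch changes what this release build signs and how without any change to this file. For a release pipeline the reference should be pinned to a tag, e.g. `ref: refs/tags/<pinned-tag>`, and the comment should describe the ref as a trust boundary rather than a free choice: `# pin to a tag: whatever this ref resolves to defines the signing and compliance steps of a release build`. Whether a commit SHA is accepted for a github repository resource is not shown by the patch and should be checked against the Azure Pipelines documentation before choosing between tag and SHA.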
@@ -27,16 +38,21 @@ stages:
   jobs:
   - job: Build_Job
     displayName: Build Microsoft.PowerShell.ScriptAnalyzer
+    # note the variable reference to ESRP.
+    # this must be created in Project -> Pipelines -> Library -> VariableGroups
+    # where it describes the link to the SigningServer
     variables:
     - group: ESRP
     steps:
     - checkout: self
 
+    # the steps for building the module go here
     - pwsh: |
         Set-Location "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA"
         try { ./build.ps1 -Configuration Release -All } catch { throw $_ }
       displayName: Execute build
 
+    # these are setting vso variables which will be persisted between stages
     - pwsh: |
         $signSrcPath = "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA/out"
         # Set signing src path variable
@@ -73,8 +89,15 @@ stages:
 
       displayName: Setup variables for signing
 
+    # checkout the Compliance repository so it can be used to do the actual signing
     - checkout: ComplianceRepo
 
+    # in script analyzer, we must sign with 2 different certs
+    # the normal cert for MS created items and the 3rd party cert
+    # this the MS authored step
+    # Because this needs 2 certs, we do it in 2 steps.
+    # the first step signs the binaries and puts them in a staging directory which
+    # will then be used for the second step.
     - template: EsrpSign.yml@ComplianceRepo
       parameters:
         # the folder which contains the binaries to sign
@@ -92,6 +115,11 @@ stages:
           **\*.ps1xml
           **\Microsoft*.dll
 
+    # this is the second step of the signing.
+    # note that the buildOutputPath (where we get the files to sign)
+    # is the same as the signOutputPath in the previous step
+    # at the end of this step we will have all the files signed that should be
+    # signOutPath is the location which contains the files we will use to make the module
     - template: EsrpSign.yml@ComplianceRepo
       parameters:
         # the folder which contains the binaries to sign
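Review bot: The added comment `# these are setting vso variables which will be persisted between stages` over-promises: a variable set with `##vso[task.setvariable]` (the call itself lies outside this hunk, only the first assignment is shown) is visible to later steps of the same job, and reaches another stage only when it is set with `isOutput=true` and read through `stageDependencies`. Within this patch the values are consumed in the same job (`$(signOutPath)` in the publish step of a later hunk), while the Compliance stage reads the published `build` artifact instead, so `# set pipeline variables (signSrcPath, signOutPath, ...) for the later steps of this job` describes what actually happens. Confirm against the setvariable lines before rewording, since the hunk does not show them.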
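Review bot: The added comment `# this the MS authored step` is missing a word and, placed above the first `- template: EsrpSign.yml@ComplianceRepo`, is the only line that says which of the two signing steps this is; `# step 1 of 2: sign the Microsoft-authored files with the Microsoft cert` states it directly. A matching one-line label on the second template step in the next hunk (`# step 2 of 2: sign the third-party (Newtonsoft) binaries`) would let a reader pair each step with its `pattern` without reading ahead. The rest of the comment block explains the two-certificate split well and can stay.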
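Review bot: The new comment block uses two near-identical names, `signOutputPath` (`# is the same as the signOutputPath in the previous step`) and `signOutPath` (`# signOutPath is the location which contains ...`); the patch elsewhere uses `$(signOutPath)` as a pipeline variable (publish step in a later hunk), and the template's parameter names are outside the hunk. If these are two different identifiers, a template parameter fed from a pipeline variable, the comment should say so, e.g. `# the template's signOutputPath parameter is fed from the pipeline variable $(signOutPath)`; if one of them is a typo, use a single spelling so the comment can be grepped against the parameters below it.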
@@ -104,20 +132,26 @@ stages:
         # the file pattern to use - only sign newtonsoft
         pattern: 'Newtonsoft*.dll'
 
+    # now create the nupkg which we will use to publish the module
+    # to the powershell gallery (not part of this yaml)
     - pwsh: |
         Set-Location "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA"
         ./build -BuildNupkg -signed
       displayName: Create nupkg for publishing
 
+    # finally publish the parts of the build which will be used in the next stages
+    # if it's not published, the subsequent stages will not be able to access it.
+    # This is the build directory (it contains all of the dll/pdb files)
     - publish: "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA"
       artifact: build
       displayName: publish build directory
 
-    # export the nupkg only
+    # export the nupkg only which will be used in the release pipeline
     - publish: "$(signOutPath)/PSScriptAnalyzer.$(moduleVersion).nupkg"
       artifact: nupkg
       displayName: Publish module nupkg
 
+# Now on to the compliance stage
 - stage: compliance
   displayName: Compliance
   dependsOn: Build
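Review bot: The comment `# This is the build directory (it contains all of the dll/pdb files)` understates what the `publish` step exports: the path is `$(Build.SourcesDirectory)/OSS_Microsoft_PSSA`, the whole checked-out source tree plus whatever the build and signing steps wrote under it (`out` appears in an earlier hunk), not a build-output directory. Because the Compliance stage in a later hunk reads its assemblies from this `build` artifact, the comment should say what is really being shipped downstream, e.g. `# publish the entire source tree (sources plus build and signing output) as the 'build' artifact; the compliance stage reads its assemblies from here`. If only the assemblies are needed downstream, a narrower path would also keep unrelated files out of the artifact.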
@@ -131,24 +165,23 @@ stages:
     - download: current
       artifact: build
 
-    - pwsh: |
-        Get-ChildItem -Path "$(Pipeline.Workspace)\build" -Recurse
-        Get-Location
-        Get-ChildItem -Recurse -File -Name
-      displayName: Capture downloaded artifacts
-
+    # use the templates in the compliance repo
+    # since script analyzer has modules, we're using the assembly-module-compliance template
+    # if you don't have assemblies, you should use script-module-compliance template
     - template: assembly-module-compliance.yml@ComplianceRepo
       parameters:
-        # component-governance
+        # component-governance - the path to sources
         sourceScanPath: '$(Build.SourcesDirectory)/OSS_Microsoft_PSSA'
-        # binskim
+        # binskim - this isn't recursive, so you need the path to the assemblies
         AnalyzeTarget: '$(Pipeline.Workspace)\build\bin\PSV7Release\netcoreapp3.1\*.dll'
-        # credscan
+        # credscan - scan the repo for credentials
+        # you can suppress some files with this.
         suppressionsFile: '$(Build.SourcesDirectory)/OSS_Microsoft_PSSA/tools/ReleaseBuild/CredScan.Suppressions.json'
         # TermCheck
         optionsRulesDBPath: ''
         optionsFTPath: ''
         # tsa-upload
+        # the compliance scanning must be uploaded, which you need to request
         codeBaseName: 'PSSA_202004'
         # selections
         APIScan: false # set to false when not using Windows APIs.
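Review bot: `# you can suppress some files with this.` above `suppressionsFile` describes the mechanism but not the risk: every entry in `CredScan.Suppressions.json` silences a finding for the release scan, so the comment should tell the reader that edits to that file deserve the same review as a code change, e.g. `# suppressions silence credscan findings for the release; review any change to this file as carefully as the code it covers`. The tsa-upload comment `# the compliance scanning must be uploaded, which you need to request` leaves unclear what is requested and where; if `codeBaseName` is the identifier issued by that request, say so on that line. The binskim comment's claim that `AnalyzeTarget` is not recursive cannot be verified from this patch and should be confirmed against the template or softened. Dropping the `Capture downloaded artifacts` listing step is fine as it only printed the workspace.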