From da174764c2fd6f1979c86528eb1c744756a1fb01 Mon Sep 17 00:00:00 2001 From: Millicent Achieng Date: Wed, 29 May 2024 19:01:44 +0300 Subject: [PATCH 1/2] Update build pipeline to be 1ES compliant --- .azure-pipelines/ci-build.yml | 388 +++++++++++++++------------------- 1 file changed, 169 insertions(+), 219 deletions(-) diff --git a/.azure-pipelines/ci-build.yml b/.azure-pipelines/ci-build.yml index c3952a8c..6553fd88 100644 --- a/.azure-pipelines/ci-build.yml +++ b/.azure-pipelines/ci-build.yml 
@@ -12,235 +12,185 @@ pr: include: - master -pool: - name: Azure Pipelines - vmImage: windows-latest - demands: - - msbuild - - vstest - variables: buildPlatform: 'Any CPU' buildConfiguration: 'Release' ProductBinPath: '$(Build.SourcesDirectory)\bin\$(BuildConfiguration)' - -stages: - -- stage: build - jobs: - - job: build - steps: - - - task: UseDotNet@2 - displayName: 'Use .NET 2' # needed for ESRP signing - inputs: - version: 2.x - - - task: UseDotNet@2 - displayName: 'Use .NET 8' - inputs: - version: 8.x - - - task: PoliCheck@2 - displayName: 'Run PoliCheck "/src"' - inputs: - inputType: CmdLine - cmdLineArgs: '/F:$(Build.SourcesDirectory)/src /T:9 /Sev:"1|2" /PE:2 /O:poli_result_src.xml' - - - task: PoliCheck@2 - displayName: 'Run PoliCheck "/test"' - inputs: - inputType: CmdLine - cmdLineArgs: '/F:$(Build.SourcesDirectory)/test /T:9 /Sev:"1|2" /PE:2 /O:poli_result_test.xml' - - - task: PoliCheck@2 - displayName: 'PoliCheck for /tool' - inputs: - inputType: CmdLine - cmdLineArgs: '/F:$(Build.SourcesDirectory)/tool /T:9 /Sev:"1|2" /PE:2 /O:poli_result_tool.xml' - - # Install the nuget tool. 
- - task: NuGetToolInstaller@0 - displayName: 'Use NuGet >=5.2.0' - inputs: - versionSpec: '>=5.2.0' - checkLatest: true - - # Build the Product project - - task: DotNetCoreCLI@2 - displayName: 'build' - inputs: - projects: '$(Build.SourcesDirectory)\Microsoft.OpenApi.OData.sln' - arguments: '--configuration $(BuildConfiguration) --no-incremental' - - # Run the Unit test - - task: DotNetCoreCLI@2 - displayName: 'test' - inputs: - command: test - projects: '$(Build.SourcesDirectory)\Microsoft.OpenApi.OData.sln' - arguments: '--configuration $(BuildConfiguration) --no-build' - - # CredScan - - task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@3 - displayName: 'Run CredScan - Src' - inputs: - toolMajorVersion: 'V2' - scanFolder: '$(Build.SourcesDirectory)\src' - debugMode: false - - - task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@3 - displayName: 'Run CredScan - Test' - inputs: - toolMajorVersion: 'V2' - scanFolder: '$(Build.SourcesDirectory)\test' - debugMode: false - - - task: AntiMalware@3 - displayName: 'Run MpCmdRun.exe - ProductBinPath' - inputs: - FileDirPath: '$(ProductBinPath)' - enabled: false - - - task: BinSkim@4 - displayName: 'Run BinSkim - Product Binaries' - inputs: - InputType: Basic - AnalyzeTargetGlob: '$(ProductBinPath)\**\Microsoft.OpenApi.OData.Reader.dll' - AnalyzeSymPath: '$(ProductBinPath)' - AnalyzeVerbose: true - AnalyzeHashes: true - AnalyzeEnvironment: true - - - task: PublishSecurityAnalysisLogs@3 - displayName: 'Publish Security Analysis Logs' - inputs: - ArtifactName: SecurityLogs - - - task: PostAnalysis@2 - displayName: 'Post Analysis' - inputs: - BinSkim: true - CredScan: true - PoliCheck: true - - - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1 - displayName: 'ESRP CodeSigning' - inputs: - ConnectedServiceName: 'microsoftgraph ESRP CodeSign DLL and NuGet (AKV)' - FolderPath: src - signConfigType: inlineSignParams - inlineOperation: | - [ - { - 
"keyCode": "CP-230012", - "operationSetCode": "SigntoolSign", - "parameters": [ - { - "parameterName": "OpusName", - "parameterValue": "Microsoft" - }, +resources: + repositories: + - repository: 1ESPipelineTemplates + type: git + name: 1ESPipelineTemplates/1ESPipelineTemplates + ref: refs/tags/release + +extends: + template: v1/1ES.Official.PipelineTemplate.yml@1ESPipelineTemplates + parameters: + pool: + name: Azure-Pipelines-1ESPT-ExDShared + image: windows-2022 + os: windows + demands: + - msbuild + - vstest + customBuildTags: + - ES365AIMigrationTooling + stages: + + - stage: build + jobs: + - job: build + templateContext: + outputs: + - output: pipelineArtifact + displayName: 'Publish Artifact: Nugets' + artifactName: Nugets + targetPath: '$(Build.ArtifactStagingDirectory)' + steps: + + - task: UseDotNet@2 + displayName: 'Use .NET 2' # needed for ESRP signing + inputs: + version: 2.x + + - task: UseDotNet@2 + displayName: 'Use .NET 8' + inputs: + version: 8.x + + # Install the nuget tool. 
+ - task: NuGetToolInstaller@0 + displayName: 'Use NuGet >=5.2.0' + inputs: + versionSpec: '>=5.2.0' + checkLatest: true + + # Build the Product project + - task: DotNetCoreCLI@2 + displayName: 'build' + inputs: + projects: '$(Build.SourcesDirectory)\Microsoft.OpenApi.OData.sln' + arguments: '--configuration $(BuildConfiguration) --no-incremental' + + # Run the Unit test + - task: DotNetCoreCLI@2 + displayName: 'test' + inputs: + command: test + projects: '$(Build.SourcesDirectory)\Microsoft.OpenApi.OData.sln' + arguments: '--configuration $(BuildConfiguration) --no-build' + + - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1 + displayName: 'ESRP CodeSigning' + inputs: + ConnectedServiceName: 'microsoftgraph ESRP CodeSign DLL and NuGet (AKV)' + FolderPath: src + signConfigType: inlineSignParams + inlineOperation: | + [ { - "parameterName": "OpusInfo", - "parameterValue": "http://www.microsoft.com" + "keyCode": "CP-230012", + "operationSetCode": "SigntoolSign", + "parameters": [ + { + "parameterName": "OpusName", + "parameterValue": "Microsoft" + }, + { + "parameterName": "OpusInfo", + "parameterValue": "http://www.microsoft.com" + }, + { + "parameterName": "FileDigest", + "parameterValue": "/fd \"SHA256\"" + }, + { + "parameterName": "PageHash", + "parameterValue": "/NPH" + }, + { + "parameterName": "TimeStamp", + "parameterValue": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" + } + ], + "toolName": "sign", + "toolVersion": "1.0" }, { - "parameterName": "FileDigest", - "parameterValue": "/fd \"SHA256\"" - }, + "keyCode": "CP-230012", + "operationSetCode": "SigntoolVerify", + "parameters": [ ], + "toolName": "sign", + "toolVersion": "1.0" + } + ] + SessionTimeout: 20 + + # Pack + - task: DotNetCoreCLI@2 + displayName: 'pack' + inputs: + command: pack + projects: src/Microsoft.OpenApi.OData.Reader/Microsoft.OpenAPI.OData.Reader.csproj + arguments: '-o $(Build.ArtifactStagingDirectory) --configuration $(BuildConfiguration) 
--no-build --include-symbols --include-source /p:SymbolPackageFormat=snupkg' + + - task: PowerShell@2 + displayName: 'Validate project version has been incremented' + condition: and(contains(variables['build.sourceBranch'], 'refs/heads/master'), succeeded()) + inputs: + targetType: 'filePath' + filePath: $(System.DefaultWorkingDirectory)\scripts\ValidateProjectVersionUpdated.ps1 + pwsh: true + + - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1 + displayName: 'ESRP CodeSigning Nuget Packages' + inputs: + ConnectedServiceName: 'microsoftgraph ESRP CodeSign DLL and NuGet (AKV)' + FolderPath: '$(Build.ArtifactStagingDirectory)' + Pattern: '*.nupkg' + signConfigType: inlineSignParams + inlineOperation: | + [ { - "parameterName": "PageHash", - "parameterValue": "/NPH" + "keyCode": "CP-401405", + "operationSetCode": "NuGetSign", + "parameters": [ ], + "toolName": "sign", + "toolVersion": "1.0" }, { - "parameterName": "TimeStamp", - "parameterValue": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" + "keyCode": "CP-401405", + "operationSetCode": "NuGetVerify", + "parameters": [ ], + "toolName": "sign", + "toolVersion": "1.0" } - ], - "toolName": "sign", - "toolVersion": "1.0" - }, - { - "keyCode": "CP-230012", - "operationSetCode": "SigntoolVerify", - "parameters": [ ], - "toolName": "sign", - "toolVersion": "1.0" - } - ] - SessionTimeout: 20 - - # Pack - - task: DotNetCoreCLI@2 - displayName: 'pack' - inputs: - command: pack - projects: src/Microsoft.OpenApi.OData.Reader/Microsoft.OpenAPI.OData.Reader.csproj - arguments: '-o $(Build.ArtifactStagingDirectory) --configuration $(BuildConfiguration) --no-build --include-symbols --include-source /p:SymbolPackageFormat=snupkg' - - - task: PowerShell@2 - displayName: 'Validate project version has been incremented' - condition: and(contains(variables['build.sourceBranch'], 'refs/heads/master'), succeeded()) - inputs: - targetType: 'filePath' - filePath: 
$(System.DefaultWorkingDirectory)\scripts\ValidateProjectVersionUpdated.ps1 - pwsh: true - - - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1 - displayName: 'ESRP CodeSigning Nuget Packages' - inputs: - ConnectedServiceName: 'microsoftgraph ESRP CodeSign DLL and NuGet (AKV)' - FolderPath: '$(Build.ArtifactStagingDirectory)' - Pattern: '*.nupkg' - signConfigType: inlineSignParams - inlineOperation: | - [ - { - "keyCode": "CP-401405", - "operationSetCode": "NuGetSign", - "parameters": [ ], - "toolName": "sign", - "toolVersion": "1.0" - }, - { - "keyCode": "CP-401405", - "operationSetCode": "NuGetVerify", - "parameters": [ ], - "toolName": "sign", - "toolVersion": "1.0" - } - ] - SessionTimeout: 20 - - - task: PublishPipelineArtifact@1 - displayName: 'Upload Artifact: Nugets' - inputs: - artifactName: Nugets - targetPath: $(Build.ArtifactStagingDirectory) - -- stage: deploy - condition: and(contains(variables['build.sourceBranch'], 'refs/heads/master'), succeeded()) - dependsOn: build - jobs: - - deployment: deploy - environment: nuget-org - strategy: - runOnce: - deploy: - pool: - vmImage: ubuntu-latest - steps: - - task: DownloadPipelineArtifact@2 - displayName: Download nupkg from artifacts - inputs: - artifact: Nugets - source: current - - task: NuGetCommand@2 - displayName: 'NuGet push' - inputs: - command: push - packagesToPush: '$(Pipeline.Workspace)/Nugets/Microsoft.OpenApi.OData.*.nupkg' - nuGetFeedType: external - publishFeedCredentials: 'OpenAPI Nuget Connection' + ] + SessionTimeout: 20 + + - stage: deploy + condition: and(contains(variables['build.sourceBranch'], 'refs/heads/master'), succeeded()) + dependsOn: build + jobs: + - deployment: deploy + environment: nuget-org + strategy: + runOnce: + deploy: + pool: + vmImage: ubuntu-latest + steps: + - task: DownloadPipelineArtifact@2 + displayName: Download nupkg from artifacts + inputs: + artifact: Nugets + source: current + - task: 1ES.PublishNuget@1 + displayName: 'NuGet push' + inputs: + 
useDotNetTask: true + packagesToPush: '$(Pipeline.Workspace)/Nugets/Microsoft.OpenApi.OData.*.nupkg' + nuGetFeedType: external + publishFeedCredentials: 'OpenAPI Nuget Connection' From cc905faa4cf69db173175d649524758430eb5098 Mon Sep 17 00:00:00 2001 From: Millicent Achieng Date: Thu, 30 May 2024 12:20:07 +0300 Subject: [PATCH 2/2] Additional updates to build pipeline definition --- .azure-pipelines/ci-build.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.azure-pipelines/ci-build.yml b/.azure-pipelines/ci-build.yml index 6553fd88..d0823cf6 100644 --- a/.azure-pipelines/ci-build.yml +++ b/.azure-pipelines/ci-build.yml @@ -29,7 +29,7 @@ extends: parameters: pool: name: Azure-Pipelines-1ESPT-ExDShared - image: windows-2022 + image: windows-latest os: windows demands: - msbuild @@ -50,9 +50,9 @@ extends: steps: - task: UseDotNet@2 - displayName: 'Use .NET 2' # needed for ESRP signing + displayName: 'Use .NET 6' # needed for ESRP signing inputs: - version: 2.x + version: 6.x - task: UseDotNet@2 displayName: 'Use .NET 8' @@ -81,7 +81,7 @@ extends: projects: '$(Build.SourcesDirectory)\Microsoft.OpenApi.OData.sln' arguments: '--configuration $(BuildConfiguration) --no-build' - - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1 + - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@3 displayName: 'ESRP CodeSigning' inputs: ConnectedServiceName: 'microsoftgraph ESRP CodeSign DLL and NuGet (AKV)' @@ -143,7 +143,7 @@ extends: filePath: $(System.DefaultWorkingDirectory)\scripts\ValidateProjectVersionUpdated.ps1 pwsh: true - - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1 + - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@3 displayName: 'ESRP CodeSigning Nuget Packages' inputs: ConnectedServiceName: 'microsoftgraph ESRP CodeSign DLL and NuGet (AKV)' 
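Review bot: The explicit SDL steps of the old build job — PoliCheck over src/test/tool, the two CredScan runs, BinSkim scoped to `$(ProductBinPath)\**\Microsoft.OpenApi.OData.Reader.dll`, and the PostAnalysis gate that broke the build on findings — are removed in this hunk, yet the new `extends:` block declares no `sdl:` parameters, so whether those scans still run, against which targets, and whether they block the build now depends entirely on the 1ES Official template defaults pulled from the floating `refs/tags/release`. I would make that explicit under `parameters:`, e.g. `sdl:` / `  binskim:` / `    analyzeTargetGlob: '$(ProductBinPath)\**\Microsoft.OpenApi.OData.Reader.dll'` (key names as I recall the 1ES template schema; confirm against the current template docs), and note in the PR description which former gates are now template-provided. Separately, the deploy stage keeps `vmImage: ubuntu-latest` while the build job moved to the 1ES-hosted pool (`name: Azure-Pipelines-1ESPT-ExDShared` with `image`/`os`); a Microsoft-hosted image inside a 1ES Official pipeline is, as far as I know, reported as non-compliant, so the deployment pool should probably use the same form with a Linux image and `os: linux`. `refs/tags/release` is the documented 1ES reference, but as a moving tag it means template changes land without any diff in this repo, which is worth a comment next to the `ref:` line.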
@@ -189,8 +189,8 @@ extends: - task: 1ES.PublishNuget@1 displayName: 'NuGet push' inputs: - useDotNetTask: true packagesToPush: '$(Pipeline.Workspace)/Nugets/Microsoft.OpenApi.OData.*.nupkg' nuGetFeedType: external publishFeedCredentials: 'OpenAPI Nuget Connection' + packageParentPath: '$(Pipeline.Workspace)'