From 7e98da45dcc9bf6ada8024c634739c194f77a3f4 Mon Sep 17 00:00:00 2001 From: Maggie Kimani Date: Thu, 30 Mar 2023 16:41:43 +0300 Subject: [PATCH 1/3] Update build tasks --- .azure-pipelines/ci-build.yml | 47 +++++++++++++++++++---------------- 1 file changed, 26 insertions(+), 21 deletions(-) diff --git a/.azure-pipelines/ci-build.yml b/.azure-pipelines/ci-build.yml index 244797588..66e90d0fd 100644 --- a/.azure-pipelines/ci-build.yml +++ b/.azure-pipelines/ci-build.yml @@ -21,7 +21,7 @@ pool: variables: buildPlatform: 'Any CPU' buildConfiguration: 'Release' - ProductBinPath: '$(Build.SourcesDirectory)\src\Microsoft.OpenApi\bin\$(BuildConfiguration)' + ProductBinPath: '$(Build.SourcesDirectory)\src\Microsoft.OpenApi\bin\$(BuildConfiguration)' stages: @@ -31,22 +31,22 @@ stages: - job: build steps: - task: UseDotNet@2 - displayName: 'Use .NET 2' # needed for ESRP signing + displayName: 'Use .NET 6' # needed for ESRP signing inputs: - version: 2.x + version: 6.x - task: UseDotNet@2 displayName: 'Use .NET 7' inputs: version: 7.x - - task: PoliCheck@1 + - task: PoliCheck@2 displayName: 'Run PoliCheck "/src"' inputs: inputType: CmdLine cmdLineArgs: '/F:$(Build.SourcesDirectory)/src /T:9 /Sev:"1|2" /PE:2 /O:poli_result_src.xml' - - task: PoliCheck@1 + - task: PoliCheck@2 displayName: 'Run PoliCheck "/test"' inputs: inputType: CmdLine 
@@ -75,14 +75,14 @@ stages: arguments: '--configuration $(BuildConfiguration) --no-build' # CredScan - - task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@2 + - task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@3 displayName: 'Run CredScan - Src' inputs: toolMajorVersion: 'V2' scanFolder: '$(Build.SourcesDirectory)\src' debugMode: false - - task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@2 + - task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@3 displayName: 'Run CredScan - Test' inputs: toolMajorVersion: 'V2' @@ -95,7 +95,7 @@ stages: FileDirPath: '$(ProductBinPath)' enabled: false - - task: BinSkim@3 + - task: BinSkim@4 displayName: 'Run BinSkim - Product Binaries' inputs: InputType: Basic @@ -105,24 +105,28 @@ stages: AnalyzeHashes: true AnalyzeEnvironment: true - - task: PublishSecurityAnalysisLogs@2 + - task: PublishSecurityAnalysisLogs@3 displayName: 'Publish Security Analysis Logs' inputs: ArtifactName: SecurityLogs - - task: PostAnalysis@1 + - task: PostAnalysis@2 displayName: 'Post Analysis' inputs: BinSkim: true CredScan: true PoliCheck: true - - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1 + - task: EsrpCodeSigning@2 displayName: 'ESRP CodeSigning' inputs: ConnectedServiceName: 'microsoftgraph ESRP CodeSign DLL and NuGet (AKV)' FolderPath: src signConfigType: inlineSignParams + UseMinimatch: true + Pattern: | + **\*.exe + **\*.dll inlineOperation: | [ { 
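Review bot: The new `Pattern` on the DLL-signing step (`**\*.exe` and `**\*.dll` under `FolderPath: src`, with `UseMinimatch: true`) selects every executable and library below `src`. That would be expected to include third-party dependency assemblies copied into the `bin` folders and intermediate copies under `obj`. Submitting those for signing puts the organisation's signature on code this pipeline did not build. Scope the pattern to the product assemblies, for example `**\bin\**\Microsoft.OpenApi*.dll` and `**\bin\**\Microsoft.OpenApi*.exe` (constructed globs; confirm against the actual build output). The step's `inlineOperation` continues outside this hunk, so the signing parameters themselves are not reviewed here.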
@@ -162,26 +166,27 @@ stages: } ] SessionTimeout: 20 - + # Pack - pwsh: dotnet pack $(Build.SourcesDirectory)/src/Microsoft.OpenApi/Microsoft.OpenApi.csproj -o $(Build.ArtifactStagingDirectory) --configuration $(BuildConfiguration) --no-build --include-symbols --include-source /p:SymbolPackageFormat=snupkg displayName: 'pack OpenAPI' - + # Pack - pwsh: dotnet pack $(Build.SourcesDirectory)/src/Microsoft.OpenApi.Readers/Microsoft.OpenApi.Readers.csproj -o $(Build.ArtifactStagingDirectory) --configuration $(BuildConfiguration) --no-build --include-symbols --include-source /p:SymbolPackageFormat=snupkg displayName: 'pack Readers' # Pack - pwsh: dotnet pack $(Build.SourcesDirectory)/src/Microsoft.OpenApi.Hidi/Microsoft.OpenApi.Hidi.csproj -o $(Build.ArtifactStagingDirectory) --configuration $(BuildConfiguration) --no-build --include-symbols --include-source /p:SymbolPackageFormat=snupkg - displayName: 'pack Hidi' - - - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1 + displayName: 'pack Hidi' + + - task: EsrpCodeSigning@2 displayName: 'ESRP CodeSigning Nuget Packages' inputs: ConnectedServiceName: 'microsoftgraph ESRP CodeSign DLL and NuGet (AKV)' FolderPath: '$(Build.ArtifactStagingDirectory)' Pattern: '*.nupkg' signConfigType: inlineSignParams + UseMinimatch: true inlineOperation: | [ { @@ -209,7 +214,7 @@ stages: $xml = [Xml] (Get-Content .\src\Microsoft.OpenApi.Hidi\Microsoft.OpenApi.Hidi.csproj) $version = $xml.Project.PropertyGroup.Version echo $version - echo "##vso[task.setvariable variable=hidiversion]$version" + echo "##vso[task.setvariable variable=hidiversion]$version" # publish hidi as an .exe - task: DotNetCoreCLI@2 
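Review bot: `EsrpCodeSigning@2` is referenced by its bare name in this NuGet-signing step and in the DLL-signing step earlier in the patch, while the CredScan steps in the same file keep the fully qualified `publisher.extension.task` form. For the two steps that use the signing service connection, a fully qualified reference states which installed extension supplies the task. It also avoids a name-resolution failure if another extension ever contributes a task of the same name. The removed lines used the prefix `SFP.build-tasks.custom-build-task-1.`; check whether version 2 is published under the same contribution before reusing it. The step's `inlineOperation` body lies outside the hunk.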
@@ -219,7 +224,7 @@ stages: arguments: -c Release --runtime win-x64 /p:PublishSingleFile=true /p:PackAsTool=false --self-contained --output $(Build.ArtifactStagingDirectory)/Microsoft.OpenApi.Hidi-v$(hidiversion) projects: 'src/Microsoft.OpenApi.Hidi/Microsoft.OpenApi.Hidi.csproj' publishWebProjects: False - zipAfterPublish: false + zipAfterPublish: false - task: CopyFiles@2 displayName: Prepare staging folder for upload @@ -236,7 +241,7 @@ stages: - task: PublishBuildArtifacts@1 displayName: 'Publish Artifact: Hidi' - inputs: + inputs: ArtifactName: Microsoft.OpenApi.Hidi-v$(hidiversion) PathtoPublish: '$(Build.ArtifactStagingDirectory)/Microsoft.OpenApi.Hidi-v$(hidiversion)' @@ -295,8 +300,8 @@ stages: { "label" : "enhancement", "V2-Enhancement", "displayName" : "Enhancements", "state" : "closed" }, { "label" : "bug", "bug-fix", "displayName" : "Bugs", "state" : "closed" }, { "label" : "documentation", "doc", "displayName" : "Documentation", "state" : "closed"}, - { "label" : "dependencies", "displayName" : "Package Updates", "state" : "closed" }]' - + { "label" : "dependencies", "displayName" : "Package Updates", "state" : "closed" }]' + - deployment: deploy_lib dependsOn: [] environment: nuget-org From d8b89d9da501bcc7e0af2186bcb4445785ba1e5f Mon Sep 17 00:00:00 2001 From: Maggie Kimani Date: Thu, 30 Mar 2023 16:47:23 +0300 Subject: [PATCH 2/3] Fix indentation --- .azure-pipelines/ci-build.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.azure-pipelines/ci-build.yml b/.azure-pipelines/ci-build.yml index 66e90d0fd..2be356791 100644 --- a/.azure-pipelines/ci-build.yml +++ b/.azure-pipelines/ci-build.yml @@ -124,9 +124,9 @@ stages: FolderPath: src signConfigType: inlineSignParams UseMinimatch: true - Pattern: | - **\*.exe - **\*.dll + Pattern: | + **\*.exe + **\*.dll inlineOperation: | [ { From 163b7bb6d08641baa6cef566f56611251e228032 Mon Sep 17 00:00:00 2001 
From: Maggie Kimani Date: Fri, 31 Mar 2023 15:28:56 +0300 Subject: [PATCH 3/3] Fix binskim target argument --- .azure-pipelines/ci-build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.azure-pipelines/ci-build.yml b/.azure-pipelines/ci-build.yml
index 2be356791..8b23b8d10 100644
--- a/.azure-pipelines/ci-build.yml
+++ b/.azure-pipelines/ci-build.yml
@@ -99,7 +99,7 @@ stages:
 displayName: 'Run BinSkim - Product Binaries'
 inputs:
 InputType: Basic
- AnalyzeTarget: '$(ProductBinPath)\**\Microsoft.OpenApi.dll'
+ AnalyzeTargetGlob: '$(ProductBinPath)\**\Microsoft.OpenApi.dll'
 AnalyzeSymPath: '$(ProductBinPath)'
 AnalyzeVerbose: true
 AnalyzeHashes: true
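Review bot: `AnalyzeTargetGlob` still names only `Microsoft.OpenApi.dll` under `$(ProductBinPath)`, which patch 1 shows is the `src\Microsoft.OpenApi\bin` folder, yet the same pipeline also packs and signs the Readers and Hidi projects. As written, those assemblies appear to ship without BinSkim's binary hardening checks. Consider widening the target, e.g. `AnalyzeTargetGlob: '$(Build.SourcesDirectory)\src\**\bin\$(BuildConfiguration)\**\Microsoft.OpenApi*.dll'`, with `AnalyzeSymPath` adjusted to match; verify the glob syntax against the BinSkim@4 task documentation. The task's input list continues beyond this hunk.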