diff --git a/pipelines/Create ESRP service connection.yml b/pipelines/Create ESRP service connection.yml
deleted file mode 100644
index e1bf92475..000000000
--- a/pipelines/Create ESRP service connection.yml
+++ /dev/null
@@ -1,126 +0,0 @@ -# Copyright (c) Microsoft Corporation. All rights reserved. -# Licensed under the MIT License. - -# This pipeline was generated from the classic pipeline "Create ESRP service connection" on 2023-12-07 with https://aka.ms/1ESPTMigration (v1.1.0): https://dev.azure.com/accessibility-insights-private/Accessibility%20Insights%20(private)/_build?definitionId=133 -# -# The following items require attention: -# Variables were exported from the classic pipeline, confirm that `variables` values do not contain private information. If a variable contains private information, follow the guidance on handling secret variables: https://learn.microsoft.com/en-us/azure/devops/pipelines/process/set-secret-variables -# Agent Queue 'Azure Pipelines' was used with unrecognized Agent Specification, vmImage property must be specified to determine image - https://docs.microsoft.com/en-us/azure/devops/pipelines/agents/hosted?view=azure-devops&tabs=yaml#software -# No trigger found, defaulting to 'none'. Update the trigger as needed. -# No name found, setting the default value '$(Date:yyyyMMdd).$(Rev:r)'. This value determines how your pipeline runs are numbered. 
Update the name as needed: https://learn.microsoft.com/en-us/azure/devops/pipelines/process/run-number?view=azure-devops&tabs=yaml - -name: $(Date:yyyyMMdd).$(Rev:r) - -variables: - - name: Codeql.SkipTaskAutoInjection - value: true - - group: a11y-insights-esrp-signing-certificate - -resources: - repositories: - - repository: self - type: git - ref: refs/heads/main - - repository: 1esPipelines - type: git - name: 1ESPipelineTemplates/1ESPipelineTemplates - ref: refs/tags/release - -trigger: none - -extends: - template: v1/1ES.Official.PipelineTemplate.yml@1esPipelines - parameters: - pool: - os: windows - image: windows-2022-secure - name: $(a11yInsightsPool) - stages: - - stage: Stage - jobs: - - job: Job_1 - displayName: Create ESRP service connection - steps: - - checkout: self - clean: true - fetchTags: false - - task: CmdLine@2 - displayName: Show environment variables - inputs: - script: set - - task: PowerShell@2 - displayName: Create connection - inputs: - targetType: inline - script: |- - # This script grabs the latest ESRP client secret & cert - # from the PME KeyVault and creates a new service - # connection called 'a11y-insights-esrp-code-signing (staging)' with those values. - # This script does not actually rotate the certificates. - # You still need to JIT into the PME KV and create a new - # version of the certificate. Once you've done that, - # you can run this pipeline and test the newly created - # service connection. 
- - Write-Host "Finding path for new config file" - - $TempPath = $env:TEMP.ToString() + "\" - $randomId = [GUID]::NewGuid().ToString() - $resultFile = $TempPath + $randomId + ".json" - - $ConfigJson = @" - { - "administratorsGroup":null, - "authorization":{ - "scheme":"UsernamePassword", - "parameters":{ - "username":"", - "password":"", - "tenantid":"", - "RequestSignCertConnectedService":"" - } - }, - "createdBy":null, - "data":{ - - }, - "description":"ESRP service connection used for all signing requests", - "groupScopeId":null, - "name":"a11y-insights-esrp-code-signing (staging)", - "operationStatus":null, - "readersGroup":null, - "type":"PRSS", - "url":"https://api.esrp.microsoft.com/api/v2", - "isShared":false, - "owner":"library" - } - "@ - - try { - az devops configure --defaults organization=$(System.TeamFoundationCollectionUri) project="$(system.teamProject)" --use-git-aliases true - - Write-Host "Updating config object" - $ConfigObj = $ConfigJson | ConvertFrom-Json - - # Username comes from the AAD App ID in the microsoft tenant - $ConfigObj.authorization.parameters.username = "$(a11y-unified-esrp-client-app)" - $ConfigObj.authorization.parameters.password = "$(a11y-unified-esrp-client-secret)" - $ConfigObj.authorization.parameters.RequestSignCertConnectedService = "$(a11y-unified-esrp-cert)" - - Write-Host "Creating config file" - $JsonText = $ConfigObj | ConvertTo-Json - - $Utf8NoBomEncoding = New-Object System.Text.UTF8Encoding $False - [System.IO.File]::WriteAllLines($resultFile, $JsonText, $Utf8NoBomEncoding) - - Write-Host "Updating service connection" - az devops service-endpoint create --service-endpoint-configuration $resultFile --org "$(System.TeamFoundationCollectionUri)" --project "$(system.teamProject)" | Out-Null - } finally { - Write-Host "removing key file" - Remove-Item $resultFile - } - env: - AZURE_DEVOPS_EXT_PAT: $(a11y-unified-service-connection-pat) - a11y-unified-esrp-client-secret: $(a11y-unified-esrp-client-secret) - 
a11y-unified-esrp-cert: $(a11y-unified-esrp-cert) - a11y-unified-esrp-client-app: $(a11y-unified-esrp-client-app) diff --git a/pipelines/canary-release.yaml b/pipelines/canary-release.yaml index 74fe4e081..85ef3955b 100644 --- a/pipelines/canary-release.yaml +++ b/pipelines/canary-release.yaml @@ -19,7 +19,10 @@ variables: trigger: none pool: - vmImage: ubuntu-latest + name: $(a11yInsightsPool) + vmImage: $(linuxImage) + demands: + - ImageOverride -equals $(linuxImage) resources: pipelines: diff --git a/pipelines/generate-vs-marketplace-token.yaml b/pipelines/generate-vs-marketplace-token.yaml new file mode 100644 index 000000000..dd88ed29b --- /dev/null +++ b/pipelines/generate-vs-marketplace-token.yaml @@ -0,0 +1,17 @@ +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. + +steps: + - task: AzureCLI@2 + displayName: Get accessToken + name: getAccessToken + inputs: + azureSubscription: a11y-insights-action-prod + scriptType: pscore + scriptLocation: 'inlineScript' + ## The guid after --resource in the following command maps to the Azure DevOps Services + ## REST API (https://learn.microsoft.com/en-us/rest/api/azure/devops/tokens/) + inlineScript: | + $accessToken = az account get-access-token --resource 499b84ac-1321-427f-aa17-267ca6975798 --query "accessToken" --output tsv + write-host "##vso[task.setsecret]$accessToken" + write-host "##vso[task.setendpoint id=$(MARKETPLACE_RESOURCE_ID);field=authParameter;key=password]$accessToken" diff --git a/pipelines/package-vsix-file.yaml b/pipelines/package-vsix-file.yaml index bb6438537..e27a5455e 100644 --- a/pipelines/package-vsix-file.yaml +++ b/pipelines/package-vsix-file.yaml @@ -35,7 +35,7 @@ steps: runId: $(resources.pipeline.accessibility-insights-action-ci.runID) artifact: ado-extension-drop path: '$(System.DefaultWorkingDirectory)/ado-extension-drop' - + - template: generate-vs-marketplace-token.yaml - task: QueryAzureDevOpsExtensionVersion@4 name: QueryVersion inputs: 
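Review bot: The new `pool` block in canary-release.yaml takes both the pool name and the image from `$(a11yInsightsPool)` and `$(linuxImage)`, and neither variable is defined in the visible lines; the same block is repeated in prod-release.yaml and under `package_job` in release-template.yaml. These values decide which agents run the signing and publishing steps, so they should come from a variable group or template that cannot be overridden when a run is queued, recorded with a comment such as `# a11yInsightsPool / linuxImage are defined in <variable group name>; not settable at queue time`. `vmImage` normally selects a Microsoft-hosted image, so next to `name` and the `ImageOverride` demand it is probably redundant and could be dropped if the pool ignores it. Moving the block into one shared template would keep the three copies from drifting apart.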
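Review bot: The inline script in generate-vs-marketplace-token.yaml passes `$accessToken` to `task.setendpoint` without checking that `az account get-access-token` succeeded, so a failed or empty response would overwrite the endpoint password with an empty value and the error would only surface later in the Marketplace task. Add a guard before the two logging commands, for example `if ($LASTEXITCODE -ne 0 -or [string]::IsNullOrWhiteSpace($accessToken)) { throw 'Failed to acquire Azure DevOps access token' }`. Calling `task.setsecret` before `task.setendpoint` is the right order, and a one-line comment saying the token must be masked first would keep a later edit from swapping them. `$(MARKETPLACE_RESOURCE_ID)` is not defined in this file and the step has a fixed `name: getAccessToken`, so the header comment should say which variable the caller must supply and that the template should be included at most once per job, since step names have to be unique within a job.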
@@ -81,16 +81,21 @@ steps: outputPath: '$(Build.ArtifactStagingDirectory)/${{ parameters.environment }}.vsix' - task: UseDotNet@2 - displayName: 'Use .NET Core sdk 2.1.x' + displayName: 'Use .NET Core sdk 6.0.x' inputs: packageType: 'sdk' - version: '2.1.x' + version: '6.0.x' - - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1 + - task: EsrpCodeSigning@5 condition: and(succeeded(), eq('${{ parameters.shouldSign }}', 'true')) displayName: 'ESRP: Sign VSIX file ' inputs: - ConnectedServiceName: 'a11y-insights-esrp-code-signing' + ConnectedServiceName: 'a11y-insights-esrp-code-signing-mi' + AppRegistrationClientId: $(esrp-app-registration-client-id) + AppRegistrationTenantId: $(esrp-app-registration-tenant-id) + AuthAKVName: 'a11y-insights-esrp-certs' + AuthCertName: 'a11y-insights-action-esrp-auth-cert' + AuthSignCertName: 'a11y-insights-action-esrp-cert' FolderPath: '$(Build.ArtifactStagingDirectory)' Pattern: '${{ parameters.environment }}.vsix' signConfigType: inlineSignParams diff --git a/pipelines/prod-release.yaml b/pipelines/prod-release.yaml index 044dd02d8..0b1c75733 100644 --- a/pipelines/prod-release.yaml +++ b/pipelines/prod-release.yaml @@ -14,7 +14,10 @@ parameters: trigger: none pool: - vmImage: ubuntu-latest + name: $(a11yInsightsPool) + vmImage: $(linuxImage) + demands: + - ImageOverride -equals $(linuxImage) resources: pipelines: diff --git a/pipelines/publish-vsix-file.yaml b/pipelines/publish-vsix-file.yaml index 77701939a..fba2a04ba 100644 --- a/pipelines/publish-vsix-file.yaml +++ b/pipelines/publish-vsix-file.yaml @@ -20,6 +20,7 @@ steps: downloadType: 'single' artifactName: '${{ parameters.environment }}-vsix' downloadPath: '$(System.DefaultWorkingDirectory)' + - template: generate-vs-marketplace-token.yaml - task: PublishAzureDevOpsExtension@3 inputs: connectTo: 'VsTeam' diff --git a/pipelines/release-template.yaml b/pipelines/release-template.yaml index 159b804c7..a49a51ec6 100644 --- a/pipelines/release-template.yaml 
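Review bot: The signing step now references its task by the short name `EsrpCodeSigning@5`, where the removed line used the publisher-qualified form. Azure Pipelines resolves short names against every installed extension, so for a step that signs release artifacts it is safer to keep the fully qualified reference, provided version 5 is published under the same contribution. The new `AppRegistrationClientId` and `AppRegistrationTenantId` inputs read `$(esrp-app-registration-client-id)` and `$(esrp-app-registration-tenant-id)`, which are not defined anywhere in this hunk; a comment such as `# esrp-app-registration-* come from <variable group or Key Vault name>` above the task would tell the next maintainer where they live. Those two values are also left unquoted while the neighbouring inputs are single-quoted; quoting them (`'$(esrp-app-registration-client-id)'`) keeps the block consistent.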
+++ b/pipelines/release-template.yaml @@ -14,6 +14,11 @@ parameters: jobs: - job: package_job + pool: + name: $(a11yInsightsPool) + vmImage: $(linuxImage) + demands: + - ImageOverride -equals $(linuxImage) steps: - template: package-vsix-file.yaml parameters: