From c9af9015bd25392eb42e75a255b8df41a089cbd1 Mon Sep 17 00:00:00 2001
From: David Alcantar
Date: Fri, 28 Aug 2020 12:56:32 -0700
Subject: [PATCH] Update release/2.2 Pipeline Structure (#537)

Bring in updates for build pipeline to use templates
---
Pipelines/core-pipeline.yml | 366 ++++++++++++++
Pipelines/pr-validation.yml | 115 -----
Pipelines/release.yml | 468 ------------------
Pipelines/sdl.yml | 92 ----
.../dotnet-publish-linux-mac-job.yml | 88 ++++
.../dotnet-publish-win-netcore-job.yml | 99 ++++
Pipelines/templates/dotnet-test-job.yml | 44 ++
.../templates/nbgv-set-version-steps.yml | 10 +
Pipelines/templates/nuget-build-job.yml | 82 +++
Pipelines/templates/sdl-job.yml | 27 +
10 files changed, 716 insertions(+), 675 deletions(-)
create mode 100644 Pipelines/core-pipeline.yml
delete mode 100644 Pipelines/pr-validation.yml
delete mode 100644 Pipelines/release.yml
delete mode 100644 Pipelines/sdl.yml
create mode 100644 Pipelines/templates/dotnet-publish-linux-mac-job.yml
create mode 100644 Pipelines/templates/dotnet-publish-win-netcore-job.yml
create mode 100644 Pipelines/templates/dotnet-test-job.yml
create mode 100644 Pipelines/templates/nbgv-set-version-steps.yml
create mode 100644 Pipelines/templates/nuget-build-job.yml
create mode 100644 Pipelines/templates/sdl-job.yml
diff --git a/Pipelines/core-pipeline.yml b/Pipelines/core-pipeline.yml
new file mode 100644
index 000000000..5307243b3
--- /dev/null
+++ b/Pipelines/core-pipeline.yml
@@ -0,0 +1,366 @@ +# Azure Pipelines +# https://aka.ms/yaml + +name: ASA_$(SourceBranchName)_$(Date:yyyyMMdd)$(Rev:.r) +trigger: + batch: true + branches: + include: + - release/v2.* + exclude: + - release/v2.0 + paths: + include: + - Cli + - Lib + - Pipelines + - analyses.json +pr: + branches: + include: + - main + - release/* + paths: + include: + - Benchmarks + - Cli + - Lib + - Pipelines + - Tests + - analyses.json + +stages: +- stage: Test + jobs: + - template: templates/dotnet-test-job.yml + parameters: + dotnetVersion: 3.1.x + projectPath: 'Tests/Tests.csproj' + +- stage: SDL + dependsOn: Test + jobs: + - template: templates/sdl-job.yml + parameters: + serviceTreeID: 'ac84de32-6898-4dad-ace3-78e8098175dc' + +- stage: Build + dependsOn: Test + jobs: + - template: templates/dotnet-publish-linux-mac-job.yml + parameters: + dotnetVersion: '3.1.x' + projectPath: 'Cli/Cli.csproj' + projectName: 'ASA' + preBuild: + - template: templates/nbgv-set-version-steps.yml + - template: templates/dotnet-publish-win-netcore-job.yml + parameters: + dotnetVersion: '3.1.x' + projectPath: 'Cli/Cli.csproj' + projectName: 'ASA' + preBuild: + - template: templates/nbgv-set-version-steps.yml + - template: templates/nuget-build-job.yml + parameters: + jobName: 'pack_lib' + dotnetVersion: '3.1.x' + projectPath: 'Lib/Lib.csproj' + projectName: 'ASA_Lib' + - template: templates/nuget-build-job.yml + parameters: + jobName: 'pack_cli' + dotnetVersion: '3.1.x' + projectPath: 'Cli/Cli.csproj' + projectName: 'ASA_CLI' + +- stage: Release + dependsOn: + - SDL + - Build + condition: and(succeeded(), in(variables['Build.Reason'], 'IndividualCI', 'BatchedCI')) + jobs: + - job: sign_hash_release + displayName: Code Sign, Generate Hashes, Publish Public Releases + pool: + vmImage: 'windows-latest' + steps: + - task: UseDotNet@2 + inputs: + packageType: 'sdk' + version: '3.1.x' + - script: 'dotnet tool install -g nbgv' + displayName: 'Install GitVersioning' + - task: PowerShell@2 + displayName: Set 
Release Version + inputs: + targetType: 'inline' + script: | + $version = (nbgv get-version -v AssemblyInformationalVersion).split('+')[0] + Write-Host "##vso[task.setvariable variable=ReleaseVersion;]$version" + - task: DownloadBuildArtifacts@0 + displayName: Download Unsigned Archives + inputs: + buildType: 'current' + downloadType: 'specific' + itemPattern: 'Unsigned_Binaries/*.zip' + downloadPath: '$(Build.BinariesDirectory)' + - task: ExtractFiles@1 + displayName: Extract Artifacts for Signing + inputs: + archiveFilePatterns: '$(Build.BinariesDirectory)\*.zip' + destinationFolder: '$(Build.BinariesDirectory)' + cleanDestinationFolder: false + - task: AntiMalware@3 + displayName: Anti-Malware Scan + inputs: + InputType: 'Basic' + ScanType: 'CustomScan' + FileDirPath: '$(Build.BinariesDirectory)' + EnableServices: true + SupportLogOnError: true + TreatSignatureUpdateFailureAs: 'Warning' + SignatureFreshness: 'UpToDate' + TreatStaleSignatureAs: 'Warning' + - task: UseDotNet@2 + inputs: + packageType: 'sdk' + version: '2.1.804' + - task: EsrpCodeSigning@1 + displayName: Code Sign Linux + inputs: + ConnectedServiceName: 'CodeSignforATSAN' + FolderPath: '$(Build.BinariesDirectory)/linux/ASA_linux_$(ReleaseVersion)' + Pattern: 'Asa.dll, AsaLib.dll, Asa.Views.dll' + signConfigType: 'inlineSignParams' + inlineOperation: | + [ + { + "KeyCode" : "CP-230012", + "OperationCode" : "SigntoolSign", + "Parameters" : { + "OpusName" : "Microsoft", + "OpusInfo" : "http://www.microsoft.com", + "FileDigest" : "/fd \"SHA256\"", + "PageHash" : "/NPH", + "TimeStamp" : "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" + }, + "ToolName" : "sign", + "ToolVersion" : "1.0" + }, + { + "KeyCode" : "CP-230012", + "OperationCode" : "SigntoolVerify", + "Parameters" : {}, + "ToolName" : "sign", + "ToolVersion" : "1.0" + } + ] + SessionTimeout: '60' + MaxConcurrency: '50' + MaxRetryAttempts: '5' + - task: EsrpCodeSigning@1 + displayName: Code Sign MacOS + inputs: + 
ConnectedServiceName: 'CodeSignforATSAN' + FolderPath: '$(Build.BinariesDirectory)/macos/ASA_macos_$(ReleaseVersion)' + Pattern: 'Asa.dll, AsaLib.dll, Asa.Views.dll' + signConfigType: 'inlineSignParams' + inlineOperation: | + [ + { + "KeyCode" : "CP-230012", + "OperationCode" : "SigntoolSign", + "Parameters" : { + "OpusName" : "Microsoft", + "OpusInfo" : "http://www.microsoft.com", + "FileDigest" : "/fd \"SHA256\"", + "PageHash" : "/NPH", + "TimeStamp" : "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" + }, + "ToolName" : "sign", + "ToolVersion" : "1.0" + }, + { + "KeyCode" : "CP-230012", + "OperationCode" : "SigntoolVerify", + "Parameters" : {}, + "ToolName" : "sign", + "ToolVersion" : "1.0" + } + ] + SessionTimeout: '60' + MaxConcurrency: '50' + MaxRetryAttempts: '5' + - task: EsrpCodeSigning@1 + displayName: Code Sign Windows + inputs: + ConnectedServiceName: 'CodeSignforATSAN' + FolderPath: '$(Build.BinariesDirectory)/win/ASA_win_$(ReleaseVersion)' + Pattern: 'Asa.exe, Asa.dll, AsaLib.dll, Asa.Views.dll' + signConfigType: 'inlineSignParams' + inlineOperation: | + [ + { + "KeyCode" : "CP-230012", + "OperationCode" : "SigntoolSign", + "Parameters" : { + "OpusName" : "Microsoft", + "OpusInfo" : "http://www.microsoft.com", + "FileDigest" : "/fd \"SHA256\"", + "PageHash" : "/NPH", + "TimeStamp" : "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" + }, + "ToolName" : "sign", + "ToolVersion" : "1.0" + }, + { + "KeyCode" : "CP-230012", + "OperationCode" : "SigntoolVerify", + "Parameters" : {}, + "ToolName" : "sign", + "ToolVersion" : "1.0" + } + ] + SessionTimeout: '60' + MaxConcurrency: '50' + MaxRetryAttempts: '5' + - task: EsrpCodeSigning@1 + displayName: Code Sign .NET Core App + inputs: + ConnectedServiceName: 'CodeSignforATSAN' + FolderPath: '$(Build.BinariesDirectory)/netcoreapp/ASA_netcoreapp_$(ReleaseVersion)' + Pattern: 'Asa.exe, Asa.dll, AsaLib.dll, Asa.Views.dll' + signConfigType: 'inlineSignParams' + 
inlineOperation: | + [ + { + "KeyCode" : "CP-230012", + "OperationCode" : "SigntoolSign", + "Parameters" : { + "OpusName" : "Microsoft", + "OpusInfo" : "http://www.microsoft.com", + "FileDigest" : "/fd \"SHA256\"", + "PageHash" : "/NPH", + "TimeStamp" : "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" + }, + "ToolName" : "sign", + "ToolVersion" : "1.0" + }, + { + "KeyCode" : "CP-230012", + "OperationCode" : "SigntoolVerify", + "Parameters" : {}, + "ToolName" : "sign", + "ToolVersion" : "1.0" + } + ] + SessionTimeout: '60' + MaxConcurrency: '50' + MaxRetryAttempts: '5' + - task: EsrpCodeSigning@1 + displayName: Code Sign Nuget Packages + inputs: + ConnectedServiceName: 'CodeSignforATSAN' + FolderPath: '$(Build.BinariesDirectory)' + Pattern: '*.nupkg, *.snupkg' + signConfigType: 'inlineSignParams' + inlineOperation: | + [ + { + "KeyCode" : "CP-401405", + "OperationCode" : "NuGetSign", + "Parameters" : {}, + "ToolName" : "sign", + "ToolVersion" : "1.0" + }, + { + "KeyCode" : "CP-401405", + "OperationCode" : "NuGetVerify", + "Parameters" : {}, + "ToolName" : "sign", + "ToolVersion" : "1.0" + } + ] + SessionTimeout: '60' + MaxConcurrency: '50' + MaxRetryAttempts: '5' + - powershell: 'Get-ChildItem -Path ''$(Build.BinariesDirectory)'' -Recurse CodeSign* | foreach { Remove-Item -Path $_.FullName }' + displayName: 'Delete Code Sign Summaries' + - task: ArchiveFiles@2 + displayName: Archive Artifact - Linux + inputs: + rootFolderOrFile: '$(Build.BinariesDirectory)/linux/ASA_linux_$(ReleaseVersion)' + includeRootFolder: true + archiveType: 'zip' + archiveFile: '$(Build.StagingDirectory)/ASA_linux_$(ReleaseVersion).zip' + replaceExistingArchive: true + - task: ArchiveFiles@2 + displayName: Archive Artifact - MacOS + inputs: + rootFolderOrFile: '$(Build.BinariesDirectory)/macos/ASA_macos_$(ReleaseVersion)' + includeRootFolder: true + archiveType: 'zip' + archiveFile: '$(Build.StagingDirectory)/ASA_macos_$(ReleaseVersion).zip' + 
replaceExistingArchive: true + - task: ArchiveFiles@2 + displayName: Archive Artifact - Windows + inputs: + rootFolderOrFile: '$(Build.BinariesDirectory)/win/ASA_win_$(ReleaseVersion)' + includeRootFolder: true + archiveType: 'zip' + archiveFile: '$(Build.StagingDirectory)/ASA_win_$(ReleaseVersion).zip' + replaceExistingArchive: true + - task: ArchiveFiles@2 + displayName: Archive Artifact - .NET Core App + inputs: + rootFolderOrFile: '$(Build.BinariesDirectory)/netcoreapp/ASA_netcoreapp_$(ReleaseVersion)' + includeRootFolder: true + archiveType: 'zip' + archiveFile: '$(Build.StagingDirectory)/ASA_netcoreapp_$(ReleaseVersion).zip' + replaceExistingArchive: true + - task: PowerShell@2 + displayName: Generate Hashes + inputs: + targetType: 'inline' + script: | + Get-ChildItem $(Build.StagingDirectory) | Foreach-Object { + $name = $_.Name + $tmp = (Get-FileHash "$(Build.StagingDirectory)\$name").Hash + Add-Content $(Build.StagingDirectory)\HASHES.txt "$tmp`t$name" + } + - task: PowerShell@2 + displayName: Move NuGet Packages + inputs: + targetType: 'inline' + script: | + mv $env:BUILD_BINARIESDIRECTORY/*.nupkg $env:BUILD_STAGINGDIRECTORY/ + mv $env:BUILD_BINARIESDIRECTORY/*.snupkg $env:BUILD_STAGINGDIRECTORY/ + - task: PublishPipelineArtifact@1 + displayName: Publish Signed Artifacts to Pipeline + inputs: + targetPath: '$(Build.StagingDirectory)' + artifact: 'Signed_Binaries' + - task: GitHubRelease@1 + displayName: Release to GitHub + inputs: + gitHubConnection: 'Gabe-Asa' + repositoryName: 'microsoft/AttackSurfaceAnalyzer' + action: 'create' + target: '$(Build.SourceVersion)' + tagSource: 'userSpecifiedTag' + tag: 'v$(ReleaseVersion)' + title: 'v$(ReleaseVersion)' + assets: | + $(Build.StagingDirectory)/*.zip + $(Build.StagingDirectory)/HASHES.txt + changeLogCompareToRelease: 'lastNonDraftRelease' + changeLogType: 'commitBased' + - task: NuGetCommand@2 + displayName: Push NuGet Packages + inputs: + command: 'push' + packagesToPush: 
'$(Build.StagingDirectory)/*.nupkg' + nuGetFeedType: 'external' + publishFeedCredentials: 'CST-E Nuget CI' + verbosityPush: 'Normal' \ No newline at end of file diff --git a/Pipelines/pr-validation.yml b/Pipelines/pr-validation.yml deleted file mode 100644 index 8926b7049..000000000 --- a/Pipelines/pr-validation.yml +++ /dev/null 
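Review bot: The Release stage's only guard is `in(variables['Build.Reason'], 'IndividualCI', 'BatchedCI')`, and that condition now sits in the same YAML file that the `pr:` trigger builds (with `Pipelines` among its included paths), whereas the deleted release.yml had `pr: none`. Since this stage uses the `CodeSignforATSAN`, `Gabe-Asa` and `CST-E Nuget CI` connections, I would also pin the branch in the condition, e.g. `condition: and(succeeded(), in(variables['Build.Reason'], 'IndividualCI', 'BatchedCI'), startsWith(variables['Build.SourceBranch'], 'refs/heads/release/v2.'))`, with a comment above it saying why the stage must never run for pull requests. Whether those service connections carry their own branch-control or approval checks is not visible from this file; if they do not, that is worth configuring, because a condition inside the pipeline definition is not a control on its own. Separately, `dotnet tool install -g nbgv` in the signing job takes whatever version is current at run time; `dotnet tool install -g nbgv --version <pinned-version>` would keep the job that signs and publishes reproducible.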
@@ -1,115 +0,0 @@ -name: ASA PR Validation - -trigger: none -pr: - autoCancel: true - branches: - include: - - master - - release/* - exclude: - - azure_pipelines - paths: - include: - - Cli - - Lib - - Tests - - Benchmarks - - Pipelines - - analyses.json - -variables: - solution: '**/*.sln' - buildPlatform: 'Any CPU' - buildConfiguration: 'Debug' - -stages: -- stage: Test - jobs: - - job: Windows - pool: - vmImage: 'windows-latest' - steps: - - script: 'dotnet tool install -g nbgv' - displayName: 'Install GitVersioning' - - task: UseDotNet@2 - inputs: - packageType: 'sdk' - version: '3.1.x' - - - task: DotNetCoreCLI@2 - displayName: 'Build Tests' - inputs: - projects: 'Tests/Tests.csproj' - arguments: '--configuration $(BuildConfiguration) --output $(build.binariesdirectory)\Tests' - - - task: VSTest@2 - displayName: 'Run Tests' - inputs: - testAssemblyVer2: AsaTests.dll - searchFolder: '$(build.binariesdirectory)\Tests' - -- stage: Build - jobs: - - job: All - pool: - vmImage: 'windows-latest' - steps: - - task: UseDotNet@2 - inputs: - packageType: 'sdk' - version: '3.1.x' - - - task: DotNetCoreCLI@2 - displayName: 'Publish ASA Windows' - inputs: - command: publish - projects: 'Cli/Cli.csproj' - arguments: '--configuration $(BuildConfiguration) --output $(build.artifactstagingdirectory)/windows -r win-x86' - zipAfterPublish: true - - - task: DotNetCoreCLI@2 - displayName: 'Publish ASA Linux' - inputs: - command: publish - projects: 'Cli/Cli.csproj' - arguments: '--configuration $(BuildConfiguration) --output $(build.artifactstagingdirectory)/linux -r linux-x64' - zipAfterPublish: true - - - task: DotNetCoreCLI@2 - displayName: 'Publish ASA macOS' - inputs: - command: publish - projects: 'Cli/Cli.csproj' - arguments: '--configuration $(BuildConfiguration) --output $(build.artifactstagingdirectory)/macos -r osx-x64' - zipAfterPublish: true - - - task: DotNetCoreCLI@2 - displayName: Pack Nupkg (Lib) - inputs: - command: 'custom' - custom: 'pack' - arguments: 'Lib -c 
$(BuildConfiguration) -o $(build.artifactstagingdirectory)/nuget_lib' - - - task: DotNetCoreCLI@2 - displayName: Pack Nupkg (Cli) - inputs: - command: 'custom' - custom: 'pack' - arguments: 'Cli -c $(BuildConfiguration) -o $(build.artifactstagingdirectory)/nuget_cli' - - - task: AntiMalware@3 - inputs: - InputType: 'Basic' - ScanType: 'CustomScan' - FileDirPath: '$(Build.StagingDirectory)' - EnableServices: true - SupportLogOnError: false - TreatSignatureUpdateFailureAs: 'Warning' - SignatureFreshness: 'UpToDate' - TreatStaleSignatureAs: 'Warning' - - - task: PublishBuildArtifacts@1 - displayName: 'Publish Artifact' - inputs: - PathtoPublish: '$(build.artifactstagingdirectory)' \ No newline at end of file diff --git a/Pipelines/release.yml b/Pipelines/release.yml deleted file mode 100644 index a8d2aa4b9..000000000 --- a/Pipelines/release.yml +++ /dev/null 
@@ -1,468 +0,0 @@ -name: ASA Release - -pr: none -trigger: - batch: true - paths: - include: - - Cli - - Lib - - Pipelines - - analyses.json - branches: - include: - - release/v2.* - exclude: - - release/v2.0 - -variables: - solution: '**/*.sln' - buildPlatform: 'Any CPU' - buildConfiguration: 'Release' - -stages: -- stage: Test - jobs: - - job: Windows - pool: - vmImage: 'windows-latest' - - steps: - - script: 'dotnet tool install -g nbgv' - displayName: 'Install GitVersioning' - - - task: UseDotNet@2 - inputs: - packageType: 'sdk' - version: '3.1.x' - - - task: DotNetCoreCLI@2 - displayName: 'Build Tests' - inputs: - projects: 'Tests/Tests.csproj' - arguments: '--configuration $(BuildConfiguration) --output $(build.binariesdirectory)\Tests' - - - task: VSTest@2 - displayName: 'Run Tests' - inputs: - testAssemblyVer2: AsaTests.dll - searchFolder: '$(build.binariesdirectory)\Tests' - -- stage: Build - jobs: - - job: Windows - pool: - vmImage: 'windows-latest' - - steps: - - task: ComponentGovernanceComponentDetection@0 - inputs: - scanType: 'Register' - verbosity: 'Normal' - alertWarningLevel: 'High' - - task: UseDotNet@2 - inputs: - packageType: 'sdk' - version: '3.1.x' - - - script: 'dotnet tool install -g nbgv' - displayName: 'Install GitVersioning' - - - task: DotNetCoreCLI@2 - displayName: 'Publish ASA Windows' - inputs: - command: publish - projects: 'Cli/Cli.csproj' - arguments: '--configuration $(BuildConfiguration) --output $(build.binariesdirectory)\windows\ -r win-x64' - zipAfterPublish: false - - - task: AntiMalware@3 - inputs: - InputType: 'Basic' - ScanType: 'CustomScan' - FileDirPath: '$(Build.binariesdirectory)' - EnableServices: true - SupportLogOnError: false - TreatSignatureUpdateFailureAs: 'Warning' - SignatureFreshness: 'UpToDate' - TreatStaleSignatureAs: 'Warning' - - - task: PublishBuildArtifacts@1 - displayName: 'Publish Interim Build Artifacts' - inputs: - PathtoPublish: '$(build.binariesdirectory)\windows' - ArtifactName: 'WindowsBuild' - 
- # Signing task requires .NET Core 2.X - - task: UseDotNet@2 - inputs: - packageType: 'runtime' - version: '2.2.x' - - - task: EsrpCodeSigning@1 - inputs: - ConnectedServiceName: 'CodeSignforATSAN' - FolderPath: '$(build.binariesdirectory)/windows' - Pattern: 'Asa.exe, Asa.dll, AsaLib.dll' - signConfigType: 'inlineSignParams' - inlineOperation: | - [ - { - "keyCode": "CP-230012", - "operationSetCode": "SigntoolSign", - "parameters": [ - { - "parameterName": "OpusName", - "parameterValue": "Microsoft" - }, - { - "parameterName": "OpusInfo", - "parameterValue": "http://www.microsoft.com" - }, - { - "parameterName": "PageHash", - "parameterValue": "/NPH" - }, - { - "parameterName": "FileDigest", - "parameterValue": "/fd sha256" - }, - { - "parameterName": "TimeStamp", - "parameterValue": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" - } - ], - "toolName": "signtool.exe", - "toolVersion": "6.2.9304.0" - } - ] - SessionTimeout: '60' - MaxConcurrency: '50' - MaxRetryAttempts: '5' - - - task: PowerShell@2 - displayName: Compile CodeSign Summaries for Publication - inputs: - targetType: 'inline' - script: | - mkdir $(build.binariesdirectory)\CodeSign - Get-ChildItem -Path $(build.binariesdirectory) -Recurse -Filter CodeSign* | foreach { Copy-Item -Path $_.FullName -Destination $(build.binariesdirectory)\CodeSign\$_.Name } - - - task: PublishBuildArtifacts@1 - displayName: 'Publish CodeSign Summaries' - inputs: - PathtoPublish: '$(build.binariesdirectory)\CodeSign' - ArtifactName: 'CodeSign' - - - task: PowerShell@2 - displayName: Prepare Artifacts - inputs: - targetType: 'inline' - script: | - $longVersion = (nbgv get-version -v AssemblyInformationalVersion) - $version = $longVersion.split('+')[0] - $asaFolder = "$(build.binariesdirectory)\Asa-win-$version" - mkdir $asaFolder - - Move-Item -Path "$(build.binariesdirectory)\windows" -Destination $asaFolder - - 7z a "$(build.artifactstagingdirectory)\Asa-win-$version.zip" $asaFolder - - 
Get-ChildItem $(build.artifactstagingdirectory) | Foreach-Object{ - $name = $_.Name - $tmp = (Get-FileHash "$(build.artifactstagingdirectory)\$name").Hash - Add-Content $(build.binariesdirectory)\HASHES_WINDOWS.txt "$tmp`t$name" - } - - - task: PublishBuildArtifacts@1 - displayName: 'Publish HASHES.txt' - inputs: - PathtoPublish: '$(build.binariesdirectory)\HASHES_WINDOWS.txt' - ArtifactName: 'HASHES' - - - task: PublishBuildArtifacts@1 - displayName: 'Publish Artifact' - inputs: - PathtoPublish: '$(build.artifactstagingdirectory)' - ArtifactName: 'BINARIES' - - - task: GitHubRelease@1 - displayName: 'GitHub release update' - inputs: - gitHubConnection: 'Gabe-Asa' - action: edit - tag: 'v$(Build.BuildNumber)' - title: 'v$(Build.BuildNumber)' - assets: '$(build.artifactstagingdirectory)/*' - assetUploadMode: replace - isDraft: false - isPreRelease: false - changeLogCompareToRelease: lastNonDraftRelease - - - job: Linux - pool: - vmImage: 'ubuntu-latest' - steps: - - script: 'dotnet tool install -g nbgv' - displayName: 'Install GitVersioning' - - task: UseDotNet@2 - inputs: - packageType: 'sdk' - version: '3.1.x' - - task: DotNetCoreCLI@2 - displayName: 'Publish ASA Linux' - inputs: - command: publish - projects: 'Cli/Cli.csproj' - arguments: '--configuration $(BuildConfiguration) --output $(build.binariesdirectory)/linux -r linux-x64' - zipAfterPublish: false - - - task: CmdLine@2 - inputs: - script: | - VERSION="$(nbgv get-version -v AssemblyInformationalVersion | cut -d'+' -f 1)" - - mv $BIN_DIR/linux $BIN_DIR/Asa-linux-$VERSION - - tar -czvf $ART_DIR/Asa-linux-$VERSION.tar.gz $BIN_DIR/Asa-linux-$VERSION - - sha256sum $ART_DIR/Asa-linux-$VERSION.tar.gz | awk ' { n=split($2, a, "/"); $2 = a[n]; print; } ' OFS='\t' >> $BIN_DIR/HASHES_LINUX.txt - displayName: 'Prepare Artifacts' - env: - BIN_DIR: $(build.binariesdirectory) - ART_DIR: $(build.artifactstagingdirectory) - SRC_DIR: $(build.sourcesdirectory) - - - task: PublishBuildArtifacts@1 - displayName: 'Publish 
HASHES' - inputs: - PathtoPublish: '$(build.binariesdirectory)/HASHES_LINUX.txt' - ArtifactName: 'HASHES' - - - task: PublishBuildArtifacts@1 - displayName: 'Publish Build Artifacts' - inputs: - PathtoPublish: '$(build.artifactstagingdirectory)/' - ArtifactName: 'BINARIES' - - - task: GitHubRelease@1 - displayName: 'GitHub release update' - inputs: - gitHubConnection: 'Gabe-Asa' - action: edit - tag: 'v$(Build.BuildNumber)' - title: 'v$(Build.BuildNumber)' - assets: '$(build.artifactstagingdirectory)/*' - assetUploadMode: replace - isDraft: false - isPreRelease: false - changeLogCompareToRelease: lastNonDraftRelease - - - job: Mac - pool: - vmImage: 'macOS-latest' - steps: - - script: 'dotnet tool install -g nbgv' - displayName: 'Install GitVersioning' - - task: UseDotNet@2 - inputs: - packageType: 'sdk' - version: '3.1.x' - - - task: DotNetCoreCLI@2 - displayName: 'Publish ASA macOS' - inputs: - command: publish - projects: 'Cli/Cli.csproj' - arguments: '--configuration $(BuildConfiguration) --output $(build.binariesdirectory)/macos -r osx-x64' - zipAfterPublish: false - - - task: CmdLine@2 - inputs: - script: | - VERSION="$(nbgv get-version -v AssemblyInformationalVersion | cut -d'+' -f 1)" - - mv $BIN_DIR/macos $BIN_DIR/Asa-macos-$VERSION - - tar -czvf $ART_DIR/Asa-macos-$VERSION.tar.gz $BIN_DIR/Asa-macos-$VERSION - - sha256sum $ART_DIR/Asa-macos-$VERSION.tar.gz | awk ' { n=split($2, a, "/"); $2 = a[n]; print; } ' OFS='\t' >> $BIN_DIR/HASHES_MAC.txt - displayName: 'Prepare Artifacts' - env: - BIN_DIR: $(build.binariesdirectory) - ART_DIR: $(build.artifactstagingdirectory) - SRC_DIR: $(build.sourcesdirectory) - - - task: PublishBuildArtifacts@1 - displayName: 'Publish HASHES' - inputs: - PathtoPublish: '$(build.binariesdirectory)/HASHES_MAC.txt' - ArtifactName: 'HASHES' - - - task: PublishBuildArtifacts@1 - displayName: 'Publish Build Artifaces' - inputs: - PathtoPublish: '$(build.artifactstagingdirectory)/' - ArtifactName: 'BINARIES' - - - task: GitHubRelease@1 
- displayName: 'GitHub release update' - inputs: - gitHubConnection: 'Gabe-Asa' - action: edit - tag: 'v$(Build.BuildNumber)' - title: 'v$(Build.BuildNumber)' - assets: '$(build.artifactstagingdirectory)/*' - assetUploadMode: replace - isDraft: false - isPreRelease: false - changeLogCompareToRelease: lastNonDraftRelease - - - job: Nuget - pool: - vmImage: 'windows-latest' - steps: - - task: UseDotNet@2 - inputs: - packageType: 'sdk' - version: '3.1.x' - - - script: 'dotnet tool install -g nbgv' - displayName: 'Install GitVersioning' - - - task: DotNetCoreCLI@2 - displayName: Nupkg (Lib) - inputs: - command: 'custom' - custom: 'pack' - arguments: 'Lib -c $(BuildConfiguration) -o $(build.binariesdirectory)\nuget /p:PublicRelease=true' - - - task: DotNetCoreCLI@2 - displayName: Nupkg (Cli) - inputs: - command: 'custom' - custom: 'pack' - arguments: 'Cli -c $(BuildConfiguration) -o $(build.binariesdirectory)\nuget /p:PublicRelease=true' - - - task: AntiMalware@3 - inputs: - InputType: 'Basic' - ScanType: 'CustomScan' - FileDirPath: '$(Build.binariesdirectory)' - EnableServices: true - SupportLogOnError: false - TreatSignatureUpdateFailureAs: 'Warning' - SignatureFreshness: 'UpToDate' - TreatStaleSignatureAs: 'Warning' - - - task: PublishBuildArtifacts@1 - displayName: 'Publish Interim Build Artifacts' - inputs: - PathtoPublish: '$(build.binariesdirectory)\nuget' - ArtifactName: 'NugetBuilds' - - # Signing task requires .NET Core 2.X - - task: UseDotNet@2 - inputs: - packageType: 'runtime' - version: '2.2.x' - - - task: EsrpCodeSigning@1 - inputs: - ConnectedServiceName: 'CodeSignforATSAN' - FolderPath: '$(build.binariesdirectory)\nuget' - Pattern: '*.nupkg' - signConfigType: 'inlineSignParams' - inlineOperation: | - [ - { - "keyCode": "CP-401405", - "operationSetCode": "NuGetSign", - "parameters": [ ], - "toolName": "sign", - "toolVersion": "1.0" - }, - { - "keyCode": "CP-401405", - "operationSetCode": "NuGetVerify", - "parameters": [ ], - "toolName": "sign", - 
"toolVersion": "1.0" - } - ] - SessionTimeout: '60' - MaxConcurrency: '50' - MaxRetryAttempts: '5' - - - task: PowerShell@2 - displayName: Compile CodeSign Summaries for Publication - inputs: - targetType: 'inline' - script: | - mkdir $(build.binariesdirectory)\CodeSign - Get-ChildItem -Path $(build.binariesdirectory) -Recurse -Filter CodeSign* | foreach { Copy-Item -Path $_.FullName -Destination $(build.binariesdirectory)\CodeSign\$_.Name } - - - task: PublishBuildArtifacts@1 - displayName: 'Publish CodeSign Summaries' - inputs: - PathtoPublish: '$(build.binariesdirectory)\CodeSign' - ArtifactName: 'CodeSign_Nuget' - - - task: PowerShell@2 - displayName: Prepare Artifacts - inputs: - targetType: 'inline' - script: | - Move-Item -Path "$(build.binariesdirectory)\nuget\*.nupkg" -Destination "$(build.artifactstagingdirectory)" - Move-Item -Path "$(build.binariesdirectory)\nuget\*.snupkg" -Destination "$(build.artifactstagingdirectory)" - - - task: PublishBuildArtifacts@1 - displayName: 'Publish Artifact' - inputs: - PathtoPublish: '$(build.artifactstagingdirectory)' - ArtifactName: 'BINARIES' - - - task: NuGetCommand@2 - displayName: Deploy Nuget Release - enabled: true - inputs: - command: 'push' - packagesToPush: '$(build.artifactstagingdirectory)/*.nupkg' - nuGetFeedType: 'external' - publishFeedCredentials: 'CST-E Nuget CI' - verbosityPush: 'Normal' - -- stage: Hashes - jobs: - - job: CombineAndPublish - pool: - vmImage: 'windows-latest' - steps: - - task: DownloadBuildArtifacts@0 - displayName: 'Download HASH files' - inputs: - downloadType: specific - itemPattern: 'HASHES/*.txt' - downloadPath: '$(build.binariesdirectory)' - - - powershell: 'Get-Content $(build.binariesdirectory)\HASHES\HASHES_LINUX.txt, $(build.binariesdirectory)\HASHES\HASHES_MAC.txt, $(build.binariesdirectory)\HASHES\HASHES_WINDOWS.txt | Set-Content $(build.binariesdirectory)\HASHES.txt' - displayName: 'PowerShell Script' - - - task: PublishBuildArtifacts@1 - displayName: 'Publish HASHES' - 
inputs: - PathtoPublish: '$(build.binariesdirectory)/HASHES.txt' - ArtifactName: 'HASHES' - - - task: GitHubRelease@1 - displayName: 'GitHub release update' - inputs: - gitHubConnection: 'Gabe-Asa' - action: edit - tag: 'v$(Build.BuildNumber)' - title: 'v$(Build.BuildNumber)' - assets: '$(build.binariesdirectory)/HASHES.txt' - assetUploadMode: replace - isDraft: false - isPreRelease: false - changeLogCompareToRelease: lastNonDraftRelease \ No newline at end of file diff --git a/Pipelines/sdl.yml b/Pipelines/sdl.yml deleted file mode 100644 index 22f97d957..000000000 --- a/Pipelines/sdl.yml +++ /dev/null 
@@ -1,92 +0,0 @@ -name: ASA SDL - -trigger: none -pr: none - -schedules: -- cron: "0 6 * * *" - displayName: Daily 2am - branches: - include: - - master - - releases/* - -pool: - vmImage: 'windows-latest' - -variables: - solution: '**/*.sln' - buildPlatform: 'Any CPU' - buildConfiguration: 'Release' - -steps: -- task: UseDotNet@2 - displayName: Use DotNet 3.1 - inputs: - packageType: 'sdk' - version: '3.1.x' - -- script: 'dotnet tool install -g nbgv' - displayName: 'Install GitVersioning' - -- task: CredScan@2 - inputs: - toolMajorVersion: 'V2' - outputFormat: 'sarif' - -- task: SdtReport@1 - inputs: - VstsConsole: false - TsvFile: false - AllTools: false - APIScan: false - BinSkim: false - CodesignValidation: false - CredScan: true - FortifySCA: false - FxCop: false - ModernCop: false - MSRD: false - PoliCheck: false - RoslynAnalyzers: false - SDLNativeRules: false - Semmle: false - SemmleBreakOn: 'Error' - TSLint: false - ToolLogsNotFoundAction: 'Standard' - -- task: DotNetCoreCLI@2 - displayName: Build Asa - inputs: - command: 'build' - projects: '$(build.sourcesdirectory)\Cli\Cli.csproj' - -- task: ComponentGovernanceComponentDetection@0 - displayName: Component Detection - inputs: - scanType: 'Register' - verbosity: 'Verbose' - alertWarningLevel: 'High' - -- task: notice@0 - displayName: Notice Generator - inputs: - outputformat: 'text' - -- task: PublishPipelineArtifact@1 - displayName: Publish CredScan Result - inputs: - targetPath: '$(Pipeline.Workspace)\_sdt\logs\CredentialScanner\CredentialScanner-matches.sarif' - artifact: 'CredScan.sarif' - -- task: PublishPipelineArtifact@1 - displayName: Publish JS Semmle Result - inputs: - targetPath: '$(Pipeline.Workspace)\_sdt\logs\Semmle\javascript\microsoft.AttackSurfaceAnalyzer-javascript-1.sarif' - artifact: 'SemmleJS.sarif' - -- task: PublishPipelineArtifact@1 - displayName: Publish SDT Report - inputs: - targetPath: '$(Pipeline.Workspace)\_sdt\logs\SdtReport.html' - artifact: 'SdtReport.html' \ No newline at 
end of file diff --git a/Pipelines/templates/dotnet-publish-linux-mac-job.yml b/Pipelines/templates/dotnet-publish-linux-mac-job.yml new file mode 100644 index 000000000..bb007d588 --- /dev/null +++ b/Pipelines/templates/dotnet-publish-linux-mac-job.yml 
@@ -0,0 +1,88 @@ +parameters: +# Job Name +- name: jobName + type: string + default: 'publish_linux_mac' +# Optional Pre-Build Steps +- name: 'preBuild' + type: stepList + default: [] +# Version of Dotnet SDK to use +- name: dotnetVersion + type: string + default: '3.1.x' +# Version of NuGet Tool to use +- name: nugetVersion + type: string + default: '5.x' +# Path to .csproj or .sln +- name: projectPath + type: string + default: '' +# Build Configuration +- name: buildConfiguration + type: string + default: 'Release' +# Project Name +- name: projectName + type: string + default: '' +# Release Version +- name: releaseVersion + type: string + default: '' +# Pipeline Artifact Name +- name: artifactName + type: string + default: 'Unsigned_Binaries' + +jobs: +- job: ${{ parameters.jobName }} + displayName: Dotnet Publish Linux/Mac + pool: + vmImage: 'ubuntu-latest' + steps: + - task: UseDotNet@2 + displayName: Install Dotnet SDK + inputs: + packageType: 'sdk' + version: ${{ parameters.dotnetVersion }} + - task: NuGetToolInstaller@1 + displayName: Install Nuget Tool + inputs: + versionSpec: ${{ parameters.nugetVersion }} + - ${{ parameters.preBuild }} + - task: DotNetCoreCLI@2 + displayName: Restore + inputs: + command: 'restore' + projects: ${{ parameters.projectPath }} + verbosityRestore: 'Normal' + - task: DotNetCoreCLI@2 + displayName: Publish Linux x64 + inputs: + command: 'publish' + arguments: '${{ parameters.projectPath }} -c ${{ parameters.buildConfiguration }} -o bin/linux/${{ parameters.projectName }}_linux_$(ReleaseVersion) -r linux-x64' + publishWebProjects: false + zipAfterPublish: false + - task: DotNetCoreCLI@2 + displayName: Publish MacOS x64 + inputs: + command: 'publish' + arguments: '${{ parameters.projectPath }} -c ${{ parameters.buildConfiguration }} -o bin/macos/${{ parameters.projectName }}_macos_$(ReleaseVersion) -r osx-x64' + publishWebProjects: false + zipAfterPublish: false + - task: ArchiveFiles@2 + displayName: Archive Builds + inputs: + 
rootFolderOrFile: 'bin' + includeRootFolder: false + archiveType: 'zip' + archiveFile: 'Archives/${{ parameters.projectName }}_Nix.zip' + replaceExistingArchive: true + - task: PublishBuildArtifacts@1 + displayName: Pipeline Publish Archive + inputs: + PathtoPublish: 'Archives' + ArtifactName: '${{ parameters.artifactName }}' + publishLocation: 'Container' \ No newline at end of file diff --git a/Pipelines/templates/dotnet-publish-win-netcore-job.yml b/Pipelines/templates/dotnet-publish-win-netcore-job.yml new file mode 100644 index 000000000..e80fb1a23 --- /dev/null +++ b/Pipelines/templates/dotnet-publish-win-netcore-job.yml 
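Review bot: The `releaseVersion` parameter is declared but never read; the two publish steps build their output folders from the runtime variable `$(ReleaseVersion)`, which this template does not set itself. It presumably comes from the `preBuild` steps (core-pipeline.yml passes templates/nbgv-set-version-steps.yml, whose content is not shown here), so a caller that leaves `preBuild` at its default `[]` would publish into a folder named with the unexpanded macro, and the `FolderPath` values in the Release stage's signing steps would no longer match what was built. I would either drop the parameter or document the dependency above `preBuild`, e.g. `# Required in practice: must set the ReleaseVersion variable used in the publish output paths`. The same declaration and `$(ReleaseVersion)` usage appear in dotnet-publish-win-netcore-job.yml, whose hunk continues past the visible text.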
@@ -0,0 +1,99 @@
+parameters:
+# Job Name
+- name: jobName
+ type: string
+ default: 'publish_win'
+# Optional Pre-Build Steps
+- name: 'preBuild'
+ type: stepList
+ default: []
+# Version of Dotnet SDK to use
+- name: dotnetVersion
+ type: string
+ default: '3.1.x'
+# Version of NuGet Tool to use
+- name: nugetVersion
+ type: string
+ default: '5.x'
+# Path to .csproj or .sln
+- name: projectPath
+ type: string
+ default: ''
+# Build Configuration
+- name: buildConfiguration
+ type: string
+ default: 'Release'
+# Project Name
+- name: projectName
+ type: string
+ default: ''
+# Release Version
+- name: releaseVersion
+ type: string
+ default: ''
+# Pipeline Artifact Name
+- name: artifactName
+ type: string
+ default: 'Unsigned_Binaries'
+
+jobs:
+- job: ${{ parameters.jobName }}
+ displayName: Dotnet Publish Win/NetCoreApp
+ pool:
+ vmImage: 'windows-latest'
+ steps:
+ - task: UseDotNet@2
+ displayName: Install Dotnet SDK
+ inputs:
+ packageType: 'sdk'
+ version: ${{ parameters.dotnetVersion }}
+ - task: NuGetToolInstaller@1
+ displayName: Install Nuget Tool
+ inputs:
+ versionSpec: ${{ parameters.nugetVersion }}
+ - ${{ parameters.preBuild }}
+ - task: DotNetCoreCLI@2
+ displayName: Restore
+ inputs:
+ command: 'restore'
+ projects: ${{ parameters.projectPath }}
+ verbosityRestore: 'Normal'
+ - task: DotNetCoreCLI@2
+ displayName: Publish Win x64
+ inputs:
+ command: 'publish'
+ arguments: '${{ parameters.projectPath }} -c ${{ parameters.buildConfiguration }} -o bin/win/${{ parameters.projectName }}_win_$(ReleaseVersion) -r win-x64'
+ publishWebProjects: false
+ zipAfterPublish: false
+ - task: DotNetCoreCLI@2
+ displayName: Build .NET Core App
+ inputs:
+ command: 'build'
+ arguments: '${{ parameters.projectPath }} -c ${{ parameters.buildConfiguration }} -o bin/netcoreapp/${{ parameters.projectName }}_netcoreapp_$(ReleaseVersion)'
+ publishWebProjects: false
+ zipAfterPublish: false
+ - task: AntiMalware@3
+ displayName: Anti-Malware Scan
+ inputs:
+ InputType: 'Basic'
+ ScanType: 'CustomScan'
+ FileDirPath: 'bin'
+ EnableServices: true
+ SupportLogOnError: true
+ TreatSignatureUpdateFailureAs: 'Warning'
+ SignatureFreshness: 'UpToDate'
+ TreatStaleSignatureAs: 'Warning'
+ - task: ArchiveFiles@2
+ displayName: Archive Builds
+ inputs:
+ rootFolderOrFile: 'bin'
+ includeRootFolder: false
+ archiveType: 'zip'
+ archiveFile: 'Archives\${{ parameters.projectName }}_Win_NetCoreApp.zip'
+ replaceExistingArchive: true
+ - task: PublishBuildArtifacts@1
+ displayName: Pipeline Publish Archive
+ inputs:
+ PathtoPublish: 'Archives'
+ ArtifactName: '${{ parameters.artifactName }}'
+ publishLocation: 'Container'
\ No newline at end of file
diff --git a/Pipelines/templates/dotnet-test-job.yml b/Pipelines/templates/dotnet-test-job.yml
new file mode 100644
index 000000000..7c0e3d2bd
--- /dev/null
+++ b/Pipelines/templates/dotnet-test-job.yml
@@ -0,0 +1,44 @@
+parameters:
+# Job Name
+- name: jobName
+ type: string
+ default: 'dotnet_test'
+# Version of Dotnet SDK to use
+- name: dotnetVersion
+ type: string
+ default: '3.1.x'
+# Version of NuGet Tool to use
+- name: nugetVersion
+ type: string
+ default: '5.x'
+# List of paths to .csproj
+- name: projectPath
+ type: string
+ default: ''
+
+jobs:
+- job: ${{ parameters.jobName }}
+ displayName: Dotnet Test
+ pool:
+ vmImage: 'windows-latest'
+ steps:
+ - task: UseDotNet@2
+ displayName: Install Dotnet SDK
+ inputs:
+ packageType: 'sdk'
+ version: ${{ parameters.dotnetVersion }}
+ - task: NuGetToolInstaller@1
+ displayName: Install Nuget Tool
+ inputs:
+ versionSpec: ${{ parameters.nugetVersion }}
+ - task: DotNetCoreCLI@2
+ displayName: Dotnet Restore
+ inputs:
+ command: 'restore'
+ projects: ${{ parameters.projectPath }}
+ verbosityRestore: 'Normal'
+ - task: DotNetCoreCLI@2
+ displayName: Dotnet Test
+ inputs:
+ command: 'test'
+ projects: ${{ parameters.projectPath }}
\ No newline at end of file
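Review bot: In dotnet-publish-win-netcore-job.yml the Anti-Malware Scan step sets `TreatSignatureUpdateFailureAs: 'Warning'` and `TreatStaleSignatureAs: 'Warning'`, so a scan that ran with outdated definitions still lets the job archive and publish `bin`. The artifact name `Unsigned_Binaries` suggests these files go on to signing, so the stale case should stop the job: `TreatStaleSignatureAs: 'Error'`. `SignatureFreshness: 'UpToDate'` only has an effect on the outcome once a stale result fails the step. nuget-build-job.yml carries the same two settings for its `Packages` scan and needs the same change.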
diff --git a/Pipelines/templates/nbgv-set-version-steps.yml b/Pipelines/templates/nbgv-set-version-steps.yml
new file mode 100644
index 000000000..5ca7752d8
--- /dev/null
+++ b/Pipelines/templates/nbgv-set-version-steps.yml
@@ -0,0 +1,10 @@
+steps:
+- script: 'dotnet tool install -g nbgv'
+ displayName: 'Install GitVersioning'
+- task: PowerShell@2
+ displayName: Set Release Version
+ inputs:
+ targetType: 'inline'
+ script: |
+ $version = (nbgv get-version -v AssemblyInformationalVersion).split('+')[0]
+ Write-Host "##vso[task.setvariable variable=releaseVersion;]$version"
\ No newline at end of file
diff --git a/Pipelines/templates/nuget-build-job.yml b/Pipelines/templates/nuget-build-job.yml
new file mode 100644
index 000000000..1dda17bb6
--- /dev/null
+++ b/Pipelines/templates/nuget-build-job.yml
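Review bot: `dotnet tool install -g nbgv` in nbgv-set-version-steps.yml installs whatever nbgv version the feed serves at build time, and that tool's output becomes the `releaseVersion` variable the publish templates read as `$(ReleaseVersion)`. Pin it so release builds are reproducible and a bad or tampered tool release is not picked up silently: `- script: 'dotnet tool install -g nbgv --version <PINNED_NBGV_VERSION>'` (placeholder; use the version the repo already builds against). A local tool manifest restored with `dotnet tool restore` would give the same guarantee and keep the pin under code review.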
@@ -0,0 +1,82 @@
+parameters:
+# Job Name
+- name: jobName
+ type: string
+ default: 'nuget_pack'
+# Version of Dotnet SDK to use
+- name: dotnetVersion
+ type: string
+ default: '3.1.x'
+# Version of NuGet Tool to use
+- name: nugetVersion
+ type: string
+ default: '5.x'
+# Path to .csproj or .sln
+- name: projectPath
+ type: string
+ default: ''
+# Build Configuration
+- name: buildConfiguration
+ type: string
+ default: 'Release'
+# Project Name
+- name: projectName
+ type: string
+ default: ''
+# Pipeline Artifact Name
+- name: artifactName
+ type: string
+ default: 'Unsigned_Binaries'
+
+jobs:
+- job: ${{ parameters.jobName }}
+ displayName: NuGet Package
+ pool:
+ vmImage: 'windows-latest'
+ steps:
+ - task: UseDotNet@2
+ displayName: Install Dotnet SDK
+ inputs:
+ packageType: 'sdk'
+ version: ${{ parameters.dotnetVersion }}
+ - task: NuGetToolInstaller@1
+ displayName: Install Nuget Tool
+ inputs:
+ versionSpec: ${{ parameters.nugetVersion }}
+ - task: DotNetCoreCLI@2
+ displayName: Dotnet Restore
+ inputs:
+ command: 'restore'
+ projects: ${{ parameters.projectPath }}
+ verbosityRestore: 'Normal'
+ - task: DotNetCoreCLI@2
+ displayName: Pack Nupkg
+ inputs:
+ command: 'custom'
+ custom: 'pack'
+ arguments: '${{ parameters.projectPath }} -c ${{ parameters.buildConfiguration }} -o Packages'
+ - task: AntiMalware@3
+ displayName: Anti-Malware Scan
+ inputs:
+ InputType: 'Basic'
+ ScanType: 'CustomScan'
+ FileDirPath: 'Packages'
+ EnableServices: true
+ SupportLogOnError: true
+ TreatSignatureUpdateFailureAs: 'Warning'
+ SignatureFreshness: 'UpToDate'
+ TreatStaleSignatureAs: 'Warning'
+ - task: ArchiveFiles@2
+ displayName: Archive Packages
+ inputs:
+ rootFolderOrFile: 'Packages'
+ includeRootFolder: false
+ archiveType: 'zip'
+ archiveFile: 'Archives\${{ parameters.projectName }}_NuGet.zip'
+ replaceExistingArchive: true
+ - task: PublishBuildArtifacts@1
+ displayName: Pipeline Publish Archive
+ inputs:
+ PathtoPublish: 'Archives'
+ ArtifactName: '${{ parameters.artifactName }}'
+ publishLocation: 'Container'
\ No newline at end of file
diff --git a/Pipelines/templates/sdl-job.yml b/Pipelines/templates/sdl-job.yml
new file mode 100644
index 000000000..e565247f3
--- /dev/null
+++ b/Pipelines/templates/sdl-job.yml
@@ -0,0 +1,27 @@
+parameters:
+# Service Tree ID of application
+- name: serviceTreeID
+ type: string
+ default: ''
+
+jobs:
+- job: sdl_tools
+ displayName: SDL Tools
+ pool:
+ vmImage: 'windows-latest'
+ steps:
+ - task: CodeInspector@2
+ continueOnError: true
+ inputs:
+ ProductId: ${{ parameters.serviceTreeID }}
+ - task: CredScan@3
+ inputs:
+ verboseOutput: true
+ - task: notice@0
+ enabled: false
+ continueOnError: true
+ inputs:
+ outputformat: 'text'
+ - task: SdtReport@2
+ inputs:
+ GdnExportAllTools: true
\ No newline at end of file
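Review bot: Nothing in sdl-job.yml visibly turns a finding into a failed job: `CodeInspector@2` runs with `continueOnError: true`, and the `CredScan@3` and `SdtReport@2` inputs shown only ask for verbose output and an export of results. core-pipeline.yml makes the Release stage depend on SDL, so if these tasks report without failing (worth confirming against the task documentation), a detected credential would not hold back a release. Add a final step that breaks the build on the scan results; the same task family appears to provide a post-analysis task for this, if it is available in this organization. Also add a comment above `continueOnError: true` stating the intent, e.g. `# advisory only; CodeInspector does not gate Release`.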