From d23d1045e3388627d4130f01cd0d3e53af161172 Mon Sep 17 00:00:00 2001
From: Eric Johnson <ericjohnson327@gmail.com>
Date: Wed, 25 Sep 2024 15:54:47 -0700
Subject: [PATCH] Enable APIScan (#450)

---
 build/azure-pipelines.yml |  59 ++++++++++++++++++++++++++------------
 build/surrogate.xml       | Bin 0 -> 6304 bytes
 2 files changed, 41 insertions(+), 18 deletions(-)
 create mode 100644 build/surrogate.xml

diff --git a/build/azure-pipelines.yml b/build/azure-pipelines.yml
index debeb36..a7b25cc 100644
--- a/build/azure-pipelines.yml
+++ b/build/azure-pipelines.yml
@@ -7,6 +7,10 @@ parameters:
   - name: SignOutput
     type: boolean
     default: False
+  - name: APIScanDisabled
+    displayName: "Disable API Scan"
+    type: boolean
+    default: false
   - name: Platforms
     type: object
     default:
@@ -25,6 +29,12 @@ variables:
   appxPackageDir: 'AppxPackages'
   testOutputArtifactDir: 'TestResults'
 
+# APIScan only runs in release mode in the release branch
+  ${{ if eq(variables['Build.SourceBranchName'], 'release') }}:
+    apiscanMode: release
+  ${{ else }}:
+    apiscanMode: prerelease
+
 resources:
   repositories:
   - repository: m365Pipelines
@@ -201,24 +211,6 @@ extends:
                       }
                     ]
 
-            # Commented out until our implementation is fixed
-            # - task: AzureKeyVault@1
-            #   inputs:
-            #     azureSubscription: 'DevHomeAzureServiceConnection'
-            #     KeyVaultName: 'DevHomeKeyVault'
-            #     SecretsFilter: 'ApiScanConnectionString'
-            #     RunAsPreJob: false
-
-            # - task: APIScan@2
-            #   inputs:
-            #     softwareFolder: '$(Build.StagingDirectory)'
-            #     softwareName: 'Dev Home GitHub Extension'
-            #     softwareVersionNum: '1.0'
-            #     softwareBuildNum: '$(Build.BuildId)'
-            #     symbolsFolder: 'SRV*http://symweb'
-            #   env:
-            #     AzureServicesAuthConnectionString: $(ApiScanConnectionString)
-
             - task: Windows Application Driver@0
               condition: and(always(), ne('${{ platform}}', 'arm64'))
               inputs:
@@ -261,6 +253,37 @@ extends:
                 SymbolServerType: TeamServices
                 SymbolsProduct: DevHomeGitHubExtension
 
+            # Only run APIScan for non-arm release to avoid duplicate results unless it is disabled.
+            # Copy surrogate file to binary directory to use relative paths which are not architecture dependent.
+            - task: CopyFiles@2
+              condition: and(ne('${{ platform }}', 'arm64'), eq('${{ configuration }}', 'release'), ne(${{ parameters.APIScanDisabled }}, true))
+              inputs:
+                 SourceFolder: '$(Build.SourcesDirectory)\build'
+                 Contents: 'surrogate.xml'
+                 TargetFolder: '$(Build.ArtifactStagingDirectory)\rawBinaries'
+
+            - task: APIScan@2
+              displayName: Run APIScan
+              condition: and(ne('${{ platform }}', 'arm64'), eq('${{ configuration }}', 'release'), ne(${{ parameters.APIScanDisabled }}, true))
+              inputs:
+                softwareFolder: '$(appxPackageDir)\${{ configuration }}'
+                softwareName: 'Dev Home GitHub Extension'
+                softwareVersionNum: '1.0'
+                softwareBuildNum: '$(Build.BuildId)'
+                isLargeApp: false
+                toolVersion: 'Latest'
+                # PAT required to get debug symbols on 1ES VM.
+                symbolsFolder: '$(Build.ArtifactStagingDirectory)\rawBinaries'
+                # Use surrogate.xml to map release binaries in the MSIX to debug binaries for APIScan.
+                # surrogate.xml can be created by using SurrogateGenerator.ps1 PowerShell script.
+                surrogateConfigurationFolder: '$(Build.ArtifactStagingDirectory)\rawBinaries'
+                modeType: '$(apiscanMode)'
+                preserveLogsFolder: true
+                azureSubscription: DevHomeAzureServiceConnection
+              env:
+                AzureServicesAuthConnectionString: RunAs=App;AppId=$(AppId);TenantId=$(TenantId);ServiceConnectionId=$(ServiceConnectionId);
+                SYSTEM_ACCESSTOKEN: $(System.AccessToken)
+
             templateContext:
               outputs:
               - output: pipelineArtifact
diff --git a/build/surrogate.xml b/build/surrogate.xml
new file mode 100644
index 0000000000000000000000000000000000000000..1e1ce315e9b70ec9b493faf68ce2dd00a62e73cf
GIT binary patch
literal 6304
zcmeHMT~ER=6g|%-{)dG}69(#wF%#lf)I<{_nE2oe0)ojH1O~#NSI^yOgh99Z5i>*6
zjBfon_xALjb{+3;9;%q42Okb5Xk&;GUeHH?BNVU;7iH!SYXUS`-ePTlPE<Qah-VaW
zz!p_hu#GKvIL0lmP-E)`Th=fp=8!!*d=7~-B3f)Q;Qb-*#iCg2vOdIsWhJK9D7pOI
zrx$%<bXdAaf6DZ$ga_Q<I<nIxYLDo}$hQ$O#B!6R;(5|m>sM?Q=Hqo}L6S#r8uWcI
z=Vz3t*R_jTQ?<$5Tf<+C;|ewCtNl+Re;Q<OMlAE53Q0Vek=-ZGfKR^r(Y%I4l^D^D
zQuWs5>8KUXx5pVyvz*Rb(ry;oSI6ODkynSaF0tK>BI}GSPjE?odc3<JQz4(mWbmA^
zC<+kXV*Xs}$!C%{Eg8>gY00|Dtj6O{D$%TGonsU2N$i;Nl*W&X9Xv99mnX$_opCv!
zSF&>4F&7V~MobDDCZm#e%c@=<bxG~7Z>3_=YFf9Nr1PfuQ~6(NI!ncM#-7hh6dy)w
z?ItVxXKY!0FYYZSYqU~?%F}mO(=}Y7sXQI^fA85Q5i9SNR@M498Ce6999b<}EzA0m
zx4l~8^mKlLk#kMkDm&$jqLi&?%<A0gJa0O`=T|5dxpv>y@7p?_tfsA|^QP&|{aTiF
WLiuDSKe}E0ex}ZzQj`5ZK?NV$WhG$%

literal 0
HcmV?d00001