diff --git a/azure-pipelines-pr.yml b/azure-pipelines-pr.yml new file mode 100644 index 000000000..9c3ab173b --- /dev/null +++ b/azure-pipelines-pr.yml @@ -0,0 +1,121 @@ +# +# See https://docs.microsoft.com/azure/devops/pipelines/yaml-schema for details +# + + +variables: + - name: _TeamName + value: AspNetCore + - name: DOTNET_SKIP_FIRST_TIME_EXPERIENCE + value: true + - name: _PublishUsingPipelines + value: true + - name: _BuildConfig + value: Release + - template: /eng/common/templates/variables/pool-providers.yml + # Rely on task Arcade injects, not auto-injected build step. + - name: skipComponentGovernanceDetection + value: true + # Rely on explicit tasks, not auto-injected build steps. CodeQL3000 not enabled by default in any case. + - name: Codeql.SkipTaskAutoInjection + value: true + +pr: + autoCancel: false + branches: + include: + - '*' + +stages: +- stage: build + displayName: Build + jobs: + - template: /eng/common/templates/jobs/jobs.yml + parameters: + enableMicrobuild: true + enablePublishBuildArtifacts: true + enablePublishTestResults: true + enablePublishBuildAssets: true + enablePublishUsingPipelines: true + enableTelemetry: true + mergeTestResults: true + jobs: + - job: Windows + pool: + name: $(DncEngPublicBuildPool) + demands: ImageOverride -equals windows.vs2019.amd64.open + variables: + - name: _OfficialBuildArgs + value: '' + - name: _SignType + value: test + + steps: + - checkout: self + clean: true + - script: eng\common\cibuild.cmd -configuration $(_BuildConfig) -prepareMachine $(_OfficialBuildArgs) + displayName: Build and Publish + - task: PublishBuildArtifacts@1 + displayName: Upload TestResults + condition: always() + continueOnError: true + inputs: + pathtoPublish: artifacts/TestResults/$(_BuildConfig)/ + artifactName: $(Agent.Os)_$(Agent.JobName) TestResults + artifactType: Container + parallel: true + - task: PublishBuildArtifacts@1 + displayName: Upload package artifacts + condition: and(succeeded(), eq(variables['system.pullrequest.isfork'], false), eq(variables['_BuildConfig'], 'Release')) + inputs: + pathtoPublish: artifacts/packages/ + artifactName: artifacts + artifactType: Container + parallel: true + + - job: Ubuntu + pool: + vmImage: ubuntu-latest + variables: + - name: _SignType + value: none + steps: + - checkout: self + clean: true + - script: eng/common/cibuild.sh + --configuration $(_BuildConfig) + --prepareMachine + displayName: Build + - task: PublishBuildArtifacts@1 + displayName: Upload TestResults + condition: always() + continueOnError: true + inputs: + pathtoPublish: artifacts/TestResults/$(_BuildConfig)/ + artifactName: $(Agent.Os)_$(Agent.JobName) TestResults + artifactType: Container + parallel: true + + - job: macOS_latest + displayName: 'macOS latest' + pool: + vmImage: macOS-latest + variables: + - name: _SignType + value: none + steps: + - checkout: self + clean: true + - script: eng/common/cibuild.sh + --configuration $(_BuildConfig) + --prepareMachine + displayName: Build + - task: PublishBuildArtifacts@1 + displayName: Upload TestResults + condition: always() + continueOnError: true + inputs: + pathtoPublish: artifacts/TestResults/$(_BuildConfig)/ + artifactName: $(Agent.Os)_$(Agent.JobName) TestResults + artifactType: Container + parallel: true diff --git a/azure-pipelines.yml b/azure-pipelines.yml index dd1db5460..55521ba5c 100644 --- a/azure-pipelines.yml +++ b/azure-pipelines.yml @@ -1,7 +1,3 @@ -# -# See https://docs.microsoft.com/azure/devops/pipelines/yaml-schema for details -# - schedules: - cron: 0 9 * * 1 displayName: "Run CodeQL3000 weekly, Monday at 2:00 AM PDT" @@ -12,39 +8,33 @@ schedules: always: true parameters: - # Parameter below is ignored in public builds. - # - # Choose whether to run the CodeQL3000 tasks. - # Manual builds align w/ official builds unless this parameter is true. - - name: runCodeQL3000 - default: false - displayName: Run CodeQL3000 tasks - type: boolean - +- name: runCodeQL3000 + default: false + displayName: Run CodeQL3000 tasks + type: boolean variables: - - name: _TeamName - value: AspNetCore - - name: DOTNET_SKIP_FIRST_TIME_EXPERIENCE - value: true - - name: _PublishUsingPipelines - value: true - - name: _BuildConfig - value: Release - - name: runCodeQL3000 - value: ${{ and(ne(variables['System.TeamProject'], 'public'), or(eq(variables['Build.Reason'], 'Schedule'), and(eq(variables['Build.Reason'], 'Manual'), eq(parameters.runCodeQL3000, 'true')))) }} - - template: /eng/common/templates/variables/pool-providers.yml - # Rely on task Arcade injects, not auto-injected build step. - - name: skipComponentGovernanceDetection - value: true - # Rely on explicit tasks, not auto-injected build steps. CodeQL3000 not enabled by default in any case. - - name: Codeql.SkipTaskAutoInjection - value: true - - # used for post-build phases, internal builds only - - ${{ if and(ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest'), ne(variables.runCodeQL3000, 'true')) }}: - - group: YARP-SDLValidation-Params + # Needed for Arcade template +- name: _TeamName + value: AspNetCore + # Needed for Microbuild template +- name: TeamName + value: AspNetCore +- name: DOTNET_SKIP_FIRST_TIME_EXPERIENCE + value: true +- name: _PublishUsingPipelines + value: true +- name: _BuildConfig + value: Release +- name: runCodeQL3000 + value: ${{ and(ne(variables['System.TeamProject'], 'public'), or(eq(variables['Build.Reason'], 'Schedule'), and(eq(variables['Build.Reason'], 'Manual'), eq(parameters.runCodeQL3000, 'true')))) }} +- template: /eng/common/templates/variables/pool-providers.yml@self +- name: skipComponentGovernanceDetection + value: true +- name: Codeql.SkipTaskAutoInjection + value: true +- ${{ if and(ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest'), ne(variables.runCodeQL3000, 'true')) }}: + - group: YARP-SDLValidation-Params -# CI and PR triggers trigger: batch: true branches: @@ -58,171 +48,113 @@ pr: branches: include: - '*' + +resources: + repositories: + - repository: MicroBuildTemplate + type: git + name: 1ESPipelineTemplates/MicroBuildTemplate + ref: refs/tags/release -stages: -- stage: build - displayName: Build - jobs: - - template: /eng/common/templates/jobs/jobs.yml - parameters: - enableMicrobuild: ${{ ne(variables.runCodeQL3000, 'true') }} - enablePublishBuildArtifacts: true - enablePublishTestResults: ${{ ne(variables.runCodeQL3000, 'true') }} - enablePublishBuildAssets: ${{ ne(variables.runCodeQL3000, 'true') }} - enablePublishUsingPipelines: ${{ variables._PublishUsingPipelines }} - enableTelemetry: true - mergeTestResults: true +extends: + template: azure-pipelines/MicroBuild.1ES.Official.yml@MicroBuildTemplate + parameters: + sdl: + sourceAnalysisPool: + name: $(DncEngInternalBuildPool) + image: 1es-windows-2022-pt + os: windows + customBuildTags: + - ES365AIMigrationTooling + stages: + - stage: build + displayName: Build jobs: - - job: Windows - pool: - ${{ if eq(variables['System.TeamProject'], 'public') }}: - name: $(DncEngPublicBuildPool) - demands: ImageOverride -equals windows.vs2019.amd64.open - ${{ if ne(variables['System.TeamProject'], 'public') }}: - name: $(DncEngInternalBuildPool) - demands: ImageOverride -equals windows.vs2019.amd64 - ${{ if eq(variables.runCodeQL3000, 'true') }}: - # Component governance and SBOM creation are not needed here. Disable what Arcade would inject. - disableComponentGovernance: true - enableSbom: false - variables: - - ${{ if eq(variables.runCodeQL3000, 'true') }}: - - _OfficialBuildArgs: /p:Test=false /p:Sign=false /p:Pack=false /p:Publish=false /p:UseSharedCompilation=false - - _SignType: none - # Security analysis is included in normal runs. Disable its auto-injection. - - skipNugetSecurityAnalysis: true - # Do not let CodeQL3000 Extension gate scan frequency. - - Codeql.Cadence: 0 - # Enable CodeQL3000 unconditionally so it may be run on any branch. - - Codeql.Enabled: true - # Ignore test and infrastructure code. - - Codeql.SourceRoot: src - # CodeQL3000 needs this plumbed along as a variable to enable TSA. - - Codeql.TSAEnabled: ${{ eq(variables['Build.Reason'], 'Schedule') }} - # Default expects tsaoptions.json under SourceRoot. - - Codeql.TSAOptionsPath: '$(Build.SourcesDirectory)/.config/tsaoptions.json' - # Only enable publishing in official builds. - - ${{ if and(ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest'), ne(variables.runCodeQL3000, 'true')) }}: - # Publish-Build-Assets provides: MaestroAccessToken, BotAccount-dotnet-maestro-bot-PAT - - group: Publish-Build-Assets - - name: _OfficialBuildArgs - value: /p:DotNetSignType=$(_SignType) - /p:TeamName=$(_TeamName) - /p:DotNetPublishUsingPipelines=$(_PublishUsingPipelines) - /p:OfficialBuildId=$(BUILD.BUILDNUMBER) - - name: _SignType - value: real - # else - - ${{ if or(eq(variables['System.TeamProject'], 'public'), in(variables['Build.Reason'], 'PullRequest')) }}: - - name: _OfficialBuildArgs - value: '' - - name: _SignType - value: test - - steps: - - checkout: self - clean: true - - ${{ if eq(variables.runCodeQL3000, 'true') }}: - - task: CodeQL3000Init@0 - displayName: CodeQL Initialize - - script: "echo ##vso[build.addbuildtag]CodeQL3000" - displayName: 'Set CI CodeQL3000 tag' - condition: ne(variables.CODEQL_DIST,'') - - script: eng\common\cibuild.cmd -configuration $(_BuildConfig) -prepareMachine $(_OfficialBuildArgs) - displayName: Build and Publish - - ${{ if eq(variables.runCodeQL3000, 'true') }}: - - task: CodeQL3000Finalize@0 - displayName: CodeQL Finalize - - ${{ else }}: - - task: PublishBuildArtifacts@1 - displayName: Upload TestResults - condition: always() - continueOnError: true - inputs: - pathtoPublish: artifacts/TestResults/$(_BuildConfig)/ - artifactName: $(Agent.Os)_$(Agent.JobName) TestResults - artifactType: Container - parallel: true - - task: PublishBuildArtifacts@1 - displayName: Upload package artifacts - condition: and(succeeded(), eq(variables['system.pullrequest.isfork'], false), eq(variables['_BuildConfig'], 'Release')) - inputs: - pathtoPublish: artifacts/packages/ - artifactName: artifacts - artifactType: Container - parallel: true - - - ${{ if or(eq(variables['System.TeamProject'], 'public'), in(variables['Build.Reason'], 'PullRequest')) }}: - - job: Ubuntu - pool: - vmImage: ubuntu-latest - variables: - - name: _SignType - value: none - steps: - - checkout: self - clean: true - - script: eng/common/cibuild.sh - --configuration $(_BuildConfig) - --prepareMachine - displayName: Build - - task: PublishBuildArtifacts@1 - displayName: Upload TestResults - condition: always() - continueOnError: true - inputs: - pathtoPublish: artifacts/TestResults/$(_BuildConfig)/ - artifactName: $(Agent.Os)_$(Agent.JobName) TestResults - artifactType: Container - parallel: true - - - job: macOS_latest - displayName: 'macOS latest' - pool: - vmImage: macOS-latest - variables: - - name: _SignType - value: none - steps: - - checkout: self - clean: true - - script: eng/common/cibuild.sh - --configuration $(_BuildConfig) - --prepareMachine - displayName: Build - - task: PublishBuildArtifacts@1 - displayName: Upload TestResults - condition: always() - continueOnError: true - inputs: - pathtoPublish: artifacts/TestResults/$(_BuildConfig)/ - artifactName: $(Agent.Os)_$(Agent.JobName) TestResults - artifactType: Container - parallel: true - -- ${{ if and(ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest'), ne(variables.runCodeQL3000, 'true')) }}: - - template: eng\common\templates\post-build\post-build.yml - parameters: - publishingInfraVersion: 3 - # Symbol validation isn't being very reliable lately. This should be enabled back - # once this issue is resolved: https://github.com/dotnet/arcade/issues/2871 - enableSymbolValidation: false - # It's a private repo in github so this won't pass until we create an internal mirror - enableSourceLinkValidation: false - enableSigningValidation: false - enableNugetValidation: false - # This is to enable SDL runs part of Post-Build Validation Stage - SDLValidationParameters: - enable: true - continueOnError: false - params: ' -SourceToolsList @("policheck","credscan") - -TsaInstanceURL $(_TsaInstanceURL) - -TsaProjectName $(_TsaProjectName) - -TsaNotificationEmail $(_TsaNotificationEmail) - -TsaCodebaseAdmin $(_TsaCodebaseAdmin) - -TsaBugAreaPath $(_TsaBugAreaPath) - -TsaIterationPath $(_TsaIterationPath) - -TsaRepositoryName "ReverseProxy" - -TsaCodebaseName "ReverseProxy" - -TsaPublish $True - -PoliCheckAdditionalRunConfigParams @("UserExclusionPath < $(Build.SourcesDirectory)/eng/PoliCheckExclusions.xml")' + - template: /eng/common/templates-official/jobs/jobs.yml@self + parameters: + enableMicrobuild: ${{ ne(variables.runCodeQL3000, 'true') }} + enablePublishBuildArtifacts: true + enablePublishTestResults: ${{ ne(variables.runCodeQL3000, 'true') }} + enablePublishBuildAssets: ${{ ne(variables.runCodeQL3000, 'true') }} + enablePublishUsingPipelines: ${{ variables._PublishUsingPipelines }} + enableTelemetry: true + mergeTestResults: true + jobs: + - job: Windows + pool: + name: $(DncEngInternalBuildPool) + image: 1es-windows-2022-pt + os: windows + ${{ if eq(variables.runCodeQL3000, 'true') }}: + disableComponentGovernance: true + enableSbom: false + variables: + - ${{ if eq(variables.runCodeQL3000, 'true') }}: + - _OfficialBuildArgs: /p:Test=false /p:Sign=false /p:Pack=false /p:Publish=false /p:UseSharedCompilation=false + - _SignType: none + - skipNugetSecurityAnalysis: true + - Codeql.Cadence: 0 + - Codeql.Enabled: true + - Codeql.SourceRoot: src + - Codeql.TSAEnabled: ${{ eq(variables['Build.Reason'], 'Schedule') }} + - Codeql.TSAOptionsPath: '$(Build.SourcesDirectory)/.config/tsaoptions.json' + - ${{ if ne(variables.runCodeQL3000, 'true') }}: + - group: Publish-Build-Assets + - name: _OfficialBuildArgs + value: /p:DotNetSignType=$(_SignType) + /p:TeamName=$(_TeamName) + /p:DotNetPublishUsingPipelines=$(_PublishUsingPipelines) + /p:OfficialBuildId=$(BUILD.BUILDNUMBER) + - name: _SignType + value: real + steps: + - checkout: self + clean: true + - ${{ if eq(variables.runCodeQL3000, 'true') }}: + - task: CodeQL3000Init@0 + displayName: CodeQL Initialize + - script: "echo ##vso[build.addbuildtag]CodeQL3000" + displayName: 'Set CI CodeQL3000 tag' + condition: ne(variables.CODEQL_DIST,'') + - script: eng\common\cibuild.cmd -configuration $(_BuildConfig) -prepareMachine $(_OfficialBuildArgs) + displayName: Build and Publish + - ${{ if eq(variables.runCodeQL3000, 'true') }}: + - task: CodeQL3000Finalize@0 + displayName: CodeQL Finalize + - ${{ else }}: + - task: 1ES.PublishBuildArtifacts@1 + displayName: Upload TestResults + condition: always() + continueOnError: true + inputs: + PathtoPublish: artifacts/TestResults/$(_BuildConfig)/ + ArtifactName: $(Agent.Os)_$(Agent.JobName) TestResults + PublishLocation: Container + - task: 1ES.PublishBuildArtifacts@1 + displayName: Upload package artifacts + condition: and(succeeded(), eq(variables['system.pullrequest.isfork'], false), eq(variables['_BuildConfig'], 'Release')) + inputs: + PathtoPublish: artifacts/packages/ + ArtifactName: artifacts + PublishLocation: Container + - ${{ if ne(variables.runCodeQL3000, 'true') }}: + - template: /eng/common/templates-official/post-build/post-build.yml@self + parameters: + publishingInfraVersion: 3 + enableSymbolValidation: false + enableSourceLinkValidation: false + enableSigningValidation: false + enableNugetValidation: false + SDLValidationParameters: + enable: true + continueOnError: false + params: ' -SourceToolsList @("policheck","credscan") + -TsaInstanceURL $(_TsaInstanceURL) + -TsaProjectName $(_TsaProjectName) + -TsaNotificationEmail $(_TsaNotificationEmail) + -TsaCodebaseAdmin $(_TsaCodebaseAdmin) + -TsaBugAreaPath $(_TsaBugAreaPath) + -TsaIterationPath $(_TsaIterationPath) + -TsaRepositoryName "ReverseProxy" + -TsaCodebaseName "ReverseProxy" + -TsaPublish $True -PoliCheckAdditionalRunConfigParams @("UserExclusionPath < $(Build.SourcesDirectory)/eng/PoliCheckExclusions.xml")' \ No newline at end of file