Setup compliant build

Work in progress.
PowerShell · Aug 24, 2022 · a29f5c3 · a29f5c3
1 parent 3f95224
commit a29f5c3
Show file tree

Hide file tree

Showing 13 changed files with 263 additions and 259 deletions.
diff --git a/.vsts-ci/azure-pipelines-ci.yml b/.vsts-ci/azure-pipelines-ci.yml
@@ -8,47 +8,24 @@ variables:
   - name: DOTNET_CLI_TELEMETRY_OPTOUT
     value: 'true'
 
-trigger:
-  batch: true
-  branches:
-    include:
-      - master
-  paths:
-    exclude:
-      - /.dependabot/*
-      - /.poshchan/*
-      - /.github/**/*
-      - /.vscode/**/*
-      - /.vsts-ci/misc-analysis.yml
-      - /tools/**/*
-      - .editorconfig
-      - .gitattributes
-      - .gitignore
-      - /docs/**/*
-      - /CHANGELOG.md
-      - /CONTRIBUTING.md
-      - /README.md
-      - /LICENSE.txt
-      - /CODE_OF_CONDUCT.md
-
 jobs:
-- job: 'PS6_Win10'
-  displayName: PowerShell 6 | Windows 10
+- job: windows2022pwsh
+  displayName: Windows 2022 PowerShell 7
   pool:
-    vmImage: 'vs2017-win2016'
+    vmImage: windows-2022
   steps:
   - template: templates/ci-general.yml
 
-- job: 'PS6_macOS'
-  displayName: PowerShell 6 | macOS
+- job: macOS11
+  displayName: macOS 11
   pool:
-    vmImage: 'macOS-10.14'
+    vmImage: macOS-11
   steps:
   - template: templates/ci-general.yml
 
-- job: 'PS6_Ubuntu'
-  displayName: PowerShell 6 | Ubuntu
+- job: ubuntu2004
+  displayName: Ubuntu 20.04
   pool:
-    vmImage: 'ubuntu-16.04'
+    vmImage: ubuntu-20.04
   steps:
   - template: templates/ci-general.yml
diff --git a/.vsts-ci/azure-pipelines-release.yml b/.vsts-ci/azure-pipelines-release.yml
@@ -1,6 +1,3 @@
-# NOTE:
-# We stop signing GraphicalTools now since we aren't doing anymore work on it until MAUI
-
 name: PR-$(System.PullRequest.PullRequestNumber)-$(Date:yyyyMMdd)$(Rev:.rr)
 
 variables:
@@ -12,158 +9,68 @@ variables:
     value: 'true'
 
 trigger:
-  batch: true
   branches:
     include:
-      - master
-  paths:
-    exclude:
-      - /.dependabot/*
-      - /.poshchan/*
-      - /.github/**/*
-      - /.vscode/**/*
-      - /.vsts-ci/misc-analysis.yml
-      - /tools/**/*
-      - .editorconfig
-      - .gitattributes
-      - .gitignore
-      - /docs/**/*
-      - /CHANGELOG.md
-      - /CONTRIBUTING.md
-      - /README.md
-      - /LICENSE.txt
-      - /CODE_OF_CONDUCT.md
+      - release
 
 resources:
   repositories:
   - repository: ComplianceRepo
     type: github
-    endpoint: ComplianceGHRepo
+    endpoint: GitHub
     name: PowerShell/compliance
 
 stages:
 - stage: Build
-  displayName: Build
+  displayName: Build the release
   jobs:
-  - job: 'ReleaseBuild'
-    displayName: Release Build
+  - job: Build
     pool:
-      vmImage: 'windows-latest'
+      name: 1ES
+      demands: ImageOverride -equals PSMMS2019-Secure
     steps:
     - template: templates/ci-general.yml
-    - pwsh: |
-        Get-ChildItem -Recurse '$(Build.SourcesDirectory)'
-      displayName: Capture downloaded artifacts
-    - publish: '$(Build.SourcesDirectory)\src\Microsoft.PowerShell.ConsoleGuiTools\obj\project.assets.json'
-      artifact: ConsoleGuiToolsAssetsJson
-      displayName: Publish ConsoleGuiTools project.assets.json
 
-  - job: 'SignBuild'
-    displayName: Signing Build
-    dependsOn: 'ReleaseBuild'
+- stage: Sign
+  displayName: Sign the release
+  jobs:
+  - job: Sign
     pool:
-      name: 'Package ES Standard Build'
-      demands: DotNetFramework
+      name: 1ES
+      demands: ImageOverride -equals PSMMS2019-Secure
     variables:
     - group: ESRP
     steps:
-    - powershell: |
-        Get-ChildItem -Path env:
-      displayName: Capture environment
-      condition: succeededOrFailed()
-
-    - task: DownloadBuildArtifacts@0
-      displayName: 'Download Build Artifacts'
-      inputs:
-        downloadType: specific
-
-    - pwsh: |
-        Expand-Archive -Path "$env:BUILD_ARTIFACTSTAGINGDIRECTORY\GraphicalTools\Microsoft.PowerShell.ConsoleGuiTools-Windows_NT.zip" -DestinationPath "$env:BUILD_ARTIFACTSTAGINGDIRECTORY\Microsoft.PowerShell.ConsoleGuiTools"
-      displayName: 'Extract build zip'
-
-    - template: EsrpSign.yml@ComplianceRepo
-      parameters:
-        # the folder which contains the binaries to sign
-        buildOutputPath: $(Build.ArtifactStagingDirectory)\Microsoft.PowerShell.ConsoleGuiTools
-        # the location to put the signed output
-        signOutputPath: $(Build.ArtifactStagingDirectory)\Microsoft.PowerShell.ConsoleGuiTools-Signed
-        # the certificate ID to use
-        certificateId: "CP-230012"
-        # The file pattern to use
-        # If not using minimatch: comma separated, with * supported
-        # If using minimatch: newline separated, with !, **, and * supported.
-        # See link in the useMinimatch comments.
-        pattern: 'Microsoft.PowerShell.*.dll,Microsoft.PowerShell.*.psd1,Microsoft.PowerShell.*.psm1'
-        # decides if the task should use minimatch for the pattern matching.
-        # https://github.com/isaacs/minimatch#features
-        useMinimatch: false
-
-    - pwsh: |
-        $signed="$env:BUILD_ARTIFACTSTAGINGDIRECTORY\Microsoft.PowerShell.ConsoleGuiTools-Signed\*"
-        $notSigned="$env:BUILD_ARTIFACTSTAGINGDIRECTORY\Microsoft.PowerShell.ConsoleGuiTools"
-        Copy-Item $signed $notSigned -Recurse -Force -Verbose
-      displayName: 'Copy signed files to unsigned folder'
-
-    - template: EsrpSign.yml@ComplianceRepo
-      parameters:
-        # the folder which contains the binaries to sign
-        buildOutputPath: $(Build.ArtifactStagingDirectory)\Microsoft.PowerShell.ConsoleGuiTools
-        # the location to put the signed output
-        signOutputPath: $(Build.ArtifactStagingDirectory)\Microsoft.PowerShell.ConsoleGuiTools-Signed
-        # the certificate ID to use
-        certificateId: "CP-231522"
-        # The file pattern to use
-        # If not using minimatch: comma separated, with * supported
-        # If using minimatch: newline separated, with !, **, and * supported.
-        # See link in the useMinimatch comments.
-        pattern: 'NStack.dll,Terminal.Gui.dll'
-        # decides if the task should use minimatch for the pattern matching.
-        # https://github.com/isaacs/minimatch#features
-        useMinimatch: false
-
-    - pwsh: |
-        $signed="$(Build.ArtifactStagingDirectory)\Microsoft.PowerShell.ConsoleGuiTools-Signed\*"
-        $notSigned="$(Build.ArtifactStagingDirectory)\Microsoft.PowerShell.ConsoleGuiTools"
-        Copy-Item $signed $notSigned -Recurse -Force -Verbose
-      displayName: 'Copy signed files to unsigned folder'
+    - template: templates/release-general.yml
 
-    - publish: $(Build.ArtifactStagingDirectory)\Microsoft.PowerShell.ConsoleGuiTools
-      artifact: Microsoft.PowerShell.ConsoleGuiTools-Signed
-      displayName: 'Upload Artifacts'
-      condition: succeededOrFailed()
-
-- stage: compliance
-  displayName: Compliance
-  dependsOn: Build
+- stage: PublishGitHub
+  displayName: Publish the draft release
   jobs:
-  - job: Compliance_Job
+  - deployment: Publish
+    environment: GraphicalTools-GitHub
     pool:
-      name: Package ES Standard Build
-    steps:
-    - checkout: self
-    - checkout: ComplianceRepo
-    - download: current
-      artifact: Microsoft.PowerShell.ConsoleGuiTools-Signed
-    - download: current
-      artifact: ConsoleGuiToolsAssetsJson
-
-    - pwsh: |
-        Get-ChildItem -Recurse '$(Pipeline.Workspace)'
-      displayName: Capture downloaded artifacts
-
-    - template: assembly-module-compliance.yml@ComplianceRepo
-      parameters:
-        # binskim
-        AnalyzeTarget: '$(Pipeline.Workspace)\Microsoft.PowerShell.ConsoleGuiTools-Signed\*.dll'
-        AnalyzeSymPath: 'SRV*'
-        # component-governance
-        sourceScanPath: '$(Pipeline.Workspace)\ConsoleGuiToolsAssetsJson'
-        # credscan
-        suppressionsFile: ''
-        # TermCheck
-        optionsRulesDBPath: ''
-        optionsFTPath: ''
-        # tsa-upload
-        codeBaseName: 'PSGraphicalTools_20201123'
-        # selections
-        APIScan: false # set to false when not using Windows APIs.
+      name: 1ES
+      demands: ImageOverride -equals PSMMSUbuntu20.04-Secure
+    variables:
+    - group: Publish
+    strategy:
+      runOnce:
+        deploy:
+          steps:
+          - template: templates/publish-github.yml
+
+- stage: PublishMarkets
+  displayName: Publish to marketplace and gallery
+  jobs:
+  - deployment: Publish
+    environment: GraphicalTools-Gallery
+    pool:
+      name: 1ES
+      demands: ImageOverride -equals PSMMSUbuntu20.04-Secure
+    variables:
+    - group: Publish
+    strategy:
+      runOnce:
+        deploy:
+          steps:
+          - template: templates/publish-markets.yml
diff --git a/.vsts-ci/misc-analysis.yml b/.vsts-ci/misc-analysis.yml
@@ -1,30 +1,25 @@
 name: PR-$(System.PullRequest.PullRequestNumber)-$(Date:yyyyMMdd)$(Rev:.rr)
+
 trigger:
-  # Batch merge builds together while a merge build is running
-  batch: true
   branches:
     include:
     - master
 
 pr:
-  branches:
-    include:
-    - master
+- master
 
 resources:
   repositories:
   - repository: ComplianceRepo
     type: github
-    endpoint: ComplianceGHRepo
+    endpoint: GitHub
     name: PowerShell/compliance
 
 jobs:
-- job: Compliance_Job
+- job: Compliance
   pool:
     vmImage: windows-latest
   steps:
   - checkout: self
-    clean: true
   - checkout: ComplianceRepo
-    clean: true
   - template: ci-compliance.yml@ComplianceRepo
diff --git a/.vsts-ci/templates/ci-general.yml b/.vsts-ci/templates/ci-general.yml
@@ -1,25 +1,67 @@
 parameters:
-  pwsh: true
+- name: pwsh
+  type: boolean
+  default: true
 
 steps:
-  - pwsh: Write-Host "##vso[build.updatebuildnumber]$env:BUILD_SOURCEBRANCHNAME-$env:BUILD_SOURCEVERSION-$((get-date).ToString("yyyyMMddhhmmss"))"
-    displayName: Set Build Name for Non-PR
-    condition: ne(variables['Build.Reason'], 'PullRequest')
-  - task: PowerShell@2
-    inputs:
-      filePath: scripts/azurePipelinesBuild.ps1
-      pwsh: ${{ parameters.pwsh }}
-  - task: PublishTestResults@2
-    inputs:
-      testRunner: VSTest
-      testResultsFiles: '**/*.trx'
-    condition: succeededOrFailed()
-  - task: PublishTestResults@2
-    inputs:
-      testRunner: NUnit
-      testResultsFiles: '**/TestResults.xml'
-    condition: succeededOrFailed()
-  - task: PublishBuildArtifacts@1
-    inputs:
-      ArtifactName: GraphicalTools
-      PathtoPublish: '$(Build.ArtifactStagingDirectory)'
+- task: PowerShell@2
+  displayName: PowerShell version
+  inputs:
+    targetType: inline
+    script: $PSVersionTable
+    pwsh: ${{ parameters.pwsh }}
+
+- task: UseDotNet@2
+  displayName: Install .NET 6.0.x SDK
+  inputs:
+    packageType: sdk
+    version: 6.0.x
+    performMultiLevelLookup: true
+
+- task: PowerShell@2
+  displayName: Build and test
+  inputs:
+    filePath: tools/azurePipelinesBuild.ps1
+    pwsh: ${{ parameters.pwsh }}
+
+- task: PublishTestResults@2
+  displayName: Publish VSTest results
+  inputs:
+    testRunner: VSTest
+    testResultsFiles: '**/*.trx'
+  condition: succeededOrFailed()
+
+- task: PublishTestResults@2
+  displayName: Publish NUnit results
+  inputs:
+    testRunner: NUnit
+    testResultsFiles: '**/TestResults.xml'
+  condition: succeededOrFailed()
+
+# NOTE: We zip the artifacts because they're ~20 MB compressed, but ~300 MB raw,
+# and we have limited pipeline artifact storage space.
+- task: ArchiveFiles@2
+  displayName: Zip build output
+  inputs:
+    rootFolderOrFile: module
+    includeRootFolder: false
+    archiveType: zip
+    archiveFile: GraphicalTools-Build.zip
+    verbose: true
+
+- publish: GraphicalTools-Build.zip
+  artifact: GraphicalTools-Build-$(System.JobId)
+  displayName: Publish build output archive
+
+- task: ArchiveFiles@2
+  displayName: Zip sources with `project.assets.json`
+  inputs:
+    rootFolderOrFile: src
+    includeRootFolder: false
+    archiveType: zip
+    archiveFile: GraphicalTools-Sources.zip
+    verbose: true
+
+- publish: GraphicalTools-Sources.zip
+  artifact: GraphicalTools-Sources-$(System.JobId)
+  displayName: Publish sources archive