[release/5.0] Fix SDL error reporting

Documentation/Policy/PowershellBestPractices.md

@@ -101,7 +101,7 @@ if ($LASTEXITCODE -ne 0) {
 }
 ```
 
-*There is a known issue when using `$LASTEXITCODE` in release builds where PowerShell will report that the variable has not been set. As a workaround, simply set `$LASTEXITCODE = 0` at the top of your script.*
+*There is a known issue when using `$LASTEXITCODE` in release builds where PowerShell will report that the variable has not been set. As a workaround, simply set `$global:LASTEXITCODE = 0` at the top of your script.*
 
 ## Set StrictMode and ErrorActionPreference at the top of every file
 

eng/common/sdl/execute-all-sdl-tools.ps1

@@ -32,7 +32,7 @@ try {
   $ErrorActionPreference = 'Stop'
   Set-StrictMode -Version 2.0
   $disableConfigureToolsetImport = $true
-  $LASTEXITCODE = 0
+  $global:LASTEXITCODE = 0
 
   # `tools.ps1` checks $ci to perform some actions. Since the SDL
   # scripts don't necessarily execute in the same agent that run the
@@ -82,13 +82,22 @@ try {
 
   if ($ArtifactToolsList -and $ArtifactToolsList.Count -gt 0) {
     & $(Join-Path $PSScriptRoot 'run-sdl.ps1') -GuardianCliLocation $guardianCliLocation -WorkingDirectory $workingDirectory -TargetDirectory $ArtifactsDirectory -GdnFolder $gdnFolder -ToolsList $ArtifactToolsList -AzureDevOpsAccessToken $AzureDevOpsAccessToken -UpdateBaseline $UpdateBaseline -GuardianLoggerLevel $GuardianLoggerLevel -CrScanAdditionalRunConfigParams $CrScanAdditionalRunConfigParams -PoliCheckAdditionalRunConfigParams $PoliCheckAdditionalRunConfigParams
+    if ($LASTEXITCODE -ne 0) {
+      ExitWithExitCode $LASTEXITCODE
+    }
   }
   if ($SourceToolsList -and $SourceToolsList.Count -gt 0) {
     & $(Join-Path $PSScriptRoot 'run-sdl.ps1') -GuardianCliLocation $guardianCliLocation -WorkingDirectory $workingDirectory -TargetDirectory $SourceDirectory -GdnFolder $gdnFolder -ToolsList $SourceToolsList -AzureDevOpsAccessToken $AzureDevOpsAccessToken -UpdateBaseline $UpdateBaseline -GuardianLoggerLevel $GuardianLoggerLevel -CrScanAdditionalRunConfigParams $CrScanAdditionalRunConfigParams -PoliCheckAdditionalRunConfigParams $PoliCheckAdditionalRunConfigParams
+    if ($LASTEXITCODE -ne 0) {
+      ExitWithExitCode $LASTEXITCODE
+    }
   }
 
   if ($UpdateBaseline) {
     & (Join-Path $PSScriptRoot 'push-gdn.ps1') -Repository $RepoName -BranchName $BranchName -GdnFolder $GdnFolder -AzureDevOpsAccessToken $AzureDevOpsAccessToken -PushReason 'Update baseline'
+    if ($LASTEXITCODE -ne 0) {
+      ExitWithExitCode $LASTEXITCODE
+    }
   }
 
   if ($TsaPublish) {

eng/common/sdl/init-sdl.ps1

@@ -10,7 +10,7 @@ Param(
 $ErrorActionPreference = 'Stop'
 Set-StrictMode -Version 2.0
 $disableConfigureToolsetImport = $true
-$LASTEXITCODE = 0
+$global:LASTEXITCODE = 0
 
 # `tools.ps1` checks $ci to perform some actions. Since the SDL
 # scripts don't necessarily execute in the same agent that run the

eng/common/sdl/push-gdn.ps1

@@ -9,7 +9,7 @@ Param(
 $ErrorActionPreference = 'Stop'
 Set-StrictMode -Version 2.0
 $disableConfigureToolsetImport = $true
-$LASTEXITCODE = 0
+$global:LASTEXITCODE = 0
 
 try {
   # `tools.ps1` checks $ci to perform some actions. Since the SDL
@@ -46,19 +46,26 @@ try {
     Write-PipelineTelemetryError -Force -Category 'Sdl' -Message "Git add failed with exit code $LASTEXITCODE."
     ExitWithExitCode $LASTEXITCODE
   }
-  Write-Host "git -c user.email=`"[email protected]`" -c user.name=`"Dotnet Bot`" commit -m `"$PushReason for $Repository/$BranchName`""
-  git -c user.email="[email protected]" -c user.name="Dotnet Bot" commit -m "$PushReason for $Repository/$BranchName"
+  # check if there are any staged changes (0 = no changes, 1 = changes)
+  # if we don't do this and there's nothing to commit `git commit` will return
+  # exit code 1 and we will fail
+  Write-Host "git diff --cached --exit-code"
+  git diff --cached --exit-code
+  Write-Host "git diff exit code: $LASTEXITCODE"
   if ($LASTEXITCODE -ne 0) {
-    Write-PipelineTelemetryError -Force -Category 'Sdl' -Message "Git commit failed with exit code $LASTEXITCODE."
-    ExitWithExitCode $LASTEXITCODE
+    Write-Host "git -c user.email=`"[email protected]`" -c user.name=`"Dotnet Bot`" commit -m `"$PushReason for $Repository/$BranchName`""
+    git -c user.email="[email protected]" -c user.name="Dotnet Bot" commit -m "$PushReason for $Repository/$BranchName"
+    if ($LASTEXITCODE -ne 0) {
+      Write-PipelineTelemetryError -Force -Category 'Sdl' -Message "Git commit failed with exit code $LASTEXITCODE."
+      ExitWithExitCode $LASTEXITCODE
+    }
+    Write-Host 'git push'
+    git push
+    if ($LASTEXITCODE -ne 0) {
+      Write-PipelineTelemetryError -Force -Category 'Sdl' -Message "Git push failed with exit code $LASTEXITCODE."
+      ExitWithExitCode $LASTEXITCODE
+    }
   }
-  Write-Host 'git push'
-  git push
-  if ($LASTEXITCODE -ne 0) {
-    Write-PipelineTelemetryError -Force -Category 'Sdl' -Message "Git push failed with exit code $LASTEXITCODE."
-    ExitWithExitCode $LASTEXITCODE
-  }
-
   # Return to the original directory
   Pop-Location
 }

eng/common/sdl/run-sdl.ps1

@@ -13,7 +13,7 @@ Param(
 $ErrorActionPreference = 'Stop'
 Set-StrictMode -Version 2.0
 $disableConfigureToolsetImport = $true
-$LASTEXITCODE = 0
+$global:LASTEXITCODE = 0
 
 try {
   # `tools.ps1` checks $ci to perform some actions. Since the SDL