
[ci] Add API Scan job #1178

Merged
merged 3 commits into from
Jan 10, 2024
86 changes: 74 additions & 12 deletions build-tools/automation/azure-pipelines.yaml
Expand Up @@ -16,6 +16,10 @@ pr:
- README.md
- Documentation/*

parameters:
- name: ApiScanSourceBranch
default: 'refs/heads/main'

# Global variables
variables:
RunningOnCI: true
Expand Down Expand Up @@ -57,19 +61,11 @@ jobs:

- template: templates\fail-on-issue.yaml

- task: ArchiveFiles@2
displayName: 'Archive build outputs'
inputs:
rootFolderOrFile: 'bin'
archiveType: 'zip'
archiveFile: '$(Build.ArtifactStagingDirectory)/bin-dotnet.zip'
replaceExistingArchive: true
condition: succeededOrFailed()

- task: PublishBuildArtifacts@1
displayName: 'Publish Artifact: debug'
- task: PublishPipelineArtifact@1
displayName: Publish build artifacts
inputs:
ArtifactName: debug
artifactName: artifacts
targetPath: bin
condition: succeededOrFailed()

- job: mac_dotnet_build
Expand All @@ -96,6 +92,72 @@ jobs:
- template: templates\fail-on-issue.yaml


- job: api_scan
displayName: API Scan
dependsOn: windows_dotnet_build
condition: and(eq(dependencies.windows_dotnet_build.result, 'Succeeded'), eq(variables['Build.SourceBranch'], '${{ parameters.ApiScanSourceBranch }}'))
pool:
name: Azure Pipelines
vmImage: windows-2022
timeoutInMinutes: 480
workspace:
clean: all
steps:
- task: DownloadPipelineArtifact@2
displayName: Download build artifacts
inputs:
artifactName: artifacts
downloadPath: $(Build.SourcesDirectory)

### Copy .dll, .exe, .pdb files for APIScan
- task: CopyFiles@2
displayName: Collect Files for APIScan
inputs:
Contents: |
$(Build.SourcesDirectory)\$(Build.Configuration)$(NetCoreTargetFrameworkPathSuffix)\**\?(*.dll|*.exe|*.pdb)
!$(Build.SourcesDirectory)\**\jnimarshalmethod-gen.*
!$(Build.SourcesDirectory)\**\Mono.CSharp.dll
!$(Build.SourcesDirectory)\**\SgmlReader.exe
!$(Build.SourcesDirectory)\**\win-*\java-interop.dll
TargetFolder: $(Build.StagingDirectory)\apiscan
OverWrite: true
flattenFolders: true

- task: APIScan@2
displayName: Run APIScan
inputs:
softwareFolder: $(Build.StagingDirectory)\apiscan
symbolsFolder: 'SRV*http://symweb;$(Build.StagingDirectory)\apiscan'
softwareName: $(ApiScanName)
softwareVersionNum: $(Build.SourceBranchName)-$(Build.SourceVersion)$(System.JobAttempt)
isLargeApp: true
toolVersion: Latest
env:
AzureServicesAuthConnectionString: runAs=App;AppId=$(ApiScanClientId);TenantId=$(ApiScanTenant);AppKey=$(ApiScanSecret)

- task: SdtReport@2
displayName: Guardian Export - Security Report
inputs:
GdnExportAllTools: false
GdnExportGdnToolApiScan: true
GdnExportOutputSuppressionFile: source.gdnsuppress

- task: PublishSecurityAnalysisLogs@3
displayName: Publish Guardian Artifacts
inputs:
ArtifactName: APIScan Logs
ArtifactType: Container
AllTools: false
APIScan: true
ToolLogsNotFoundAction: Warning

- task: PostAnalysis@2
displayName: Fail Build on Guardian Issues
inputs:
GdnBreakAllTools: false
GdnBreakGdnToolApiScan: true


- job: OneLocBuild
displayName: OneLocBuild
condition: and(eq(variables['System.TeamProject'], 'DevDiv'), eq(variables['Build.SourceBranch'], 'refs/heads/main'))
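Review bot: The branch gate on the new `api_scan` job is a queue-time parameter: its `condition` compares `Build.SourceBranch` with `${{ parameters.ApiScanSourceBranch }}`, and the parameter added in the first hunk declares only a `default`, with no `values:` list. This is the job that places `AppKey=$(ApiScanSecret)` into `AzureServicesAuthConnectionString`, so anyone allowed to queue a run can have it execute for a branch other than `refs/heads/main`, whereas the neighbouring `OneLocBuild` job hard-codes that branch. If the parameter exists only for testing the scan, I would say so above it, e.g. `# Testing only: api_scan receives $(ApiScanSecret); keep refs/heads/main for normal runs`, or constrain it with `values:`. The definition of `ApiScanSecret` is not in this diff, so it is worth confirming that it is stored as a secret variable. Separately, `eq(dependencies.windows_dotnet_build.result, 'Succeeded')` skips the scan when the build ends as `SucceededWithIssues`, which may leave a main build unscanned without any failure.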