Skip to content

Add manual validation when NuGet publishing is enabled #9461

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Apr 27, 2025
+16 −114
Merged

Add manual validation when NuGet publishing is enabled #9461

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
a5b002c
Remove ESRP from build yaml
benjaminpetit Apr 25, 2025
24da2ea
Add manual approval step for nuget publishing
benjaminpetit Apr 25, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
130 changes: 16 additions & 114 deletions .azure/pipelines/templates/build.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -53,21 +53,28 @@ parameters:

jobs:

# Approval needed for publishing to nuget.org
- ${{ if and(eq(parameters.codesign, true), eq(parameters.publish_nuget, true)) }}:
- job: PreDeploymentApprovalJob
displayName: Pre-Deployment Approval
condition: succeeded()
timeoutInMinutes: 2880
pool: server
steps:
- task: ManualValidation@1
inputs:
notifyUsers: ${{ variables.notifyUsers }}
approvers: ${{ variables.approvers }}

# Build, sign dlls, build nuget pkgs, then sign them
- job: Build
displayName: Build and create NuGet packages
dependsOn: PreDeploymentApprovalJob
variables:
${{ if eq(parameters.codesign, true) }}:
${{ if eq(variables['System.TeamProject'], 'internal') }}:
esrp_signing: false
microbuild_signing: true
publishVstsFeed: 'public/orleans-nightly'
${{ else }}:
esrp_signing: true
microbuild_signing: false
publishVstsFeed: 'orleans-public/orleans-nightly'
microbuild_signing: true
publishVstsFeed: 'public/orleans-nightly'
${{ else }}:
esrp_signing: false
microbuild_signing: false
${{ if ne(variables['System.TeamProject'], 'GitHub - PR Builds') }}:
templateContext:
Expand Down Expand Up @@ -131,78 +138,6 @@ jobs:
- ${{ if eq(variables.runCodeQL3000, 'true') }}:
- task: CodeQL3000Finalize@0
displayName: CodeQL Finalize
# DLL code signing
- ${{ if eq(variables.esrp_signing, true) }}:
- task: UseDotNet@2
displayName: 'Codesign: Use .NET Core'
inputs:
packageType: runtime
version: $(codesign_runtime)
- task: CopyFiles@2
displayName: 'Codesign: Copy Files for signing'
inputs:
SourceFolder: '$(build.sourcesdirectory)'
Contents: |
src/**/bin/${{parameters.build_configuration}}/**/Orleans*.dll
src/**/bin/${{parameters.build_configuration}}/**/Microsoft.Orleans.*.dll
!src/BootstrapBuild/**
TargetFolder: '$(build.artifactstagingdirectory)\codesign'
CleanTargetFolder: true
- task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
displayName: 'Codesign: ESRP CodeSigning'
inputs:
ConnectedServiceName: 'CodeSign Service (NuGet)'
FolderPath: '$(build.artifactstagingdirectory)\codesign'
Pattern: '*'
signConfigType: inlineSignParams
inlineOperation: |
[
{
"keyCode": "CP-230012",
"operationSetCode": "SigntoolSign",
"parameters": [
{
"parameterName": "OpusName",
"parameterValue": "Microsoft"
},
{
"parameterName": "OpusInfo",
"parameterValue": "http://www.microsoft.com"
},
{
"parameterName": "FileDigest",
"parameterValue": "/fd \"SHA256\""
},
{
"parameterName": "PageHash",
"parameterValue": "/NPH"
},
{
"parameterName": "TimeStamp",
"parameterValue": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256"
}
],
"toolName": "sign",
"toolVersion": "1.0"
},
{
"keyCode": "CP-230012",
"operationSetCode": "SigntoolVerify",
"parameters": [ ],
"toolName": "sign",
"toolVersion": "1.0"
}
]
SessionTimeout: 180
VerboseLogin: true
- task: CopyFiles@2
displayName: 'Codesign: Copy Signed Files Back'
inputs:
SourceFolder: '$(build.artifactstagingdirectory)\codesign'
Contents: '**\*'
TargetFolder: '$(build.sourcesdirectory)'
OverWrite: true
# End DLL code signing
- task: CmdLine@2
displayName: Pack
inputs:
Expand All @@ -212,39 +147,6 @@ jobs:
${{ if eq(parameters.include_suffix, true) }}:
VersionSuffix: ${{parameters.version_suffix}}
OfficialBuild: $(official_build)
# NuGet code signing
- ${{ if eq(variables.esrp_signing, true) }}:
- task: UseDotNet@2
displayName: 'Codesign: Use .NET Core'
inputs:
packageType: runtime
version: $(codesign_runtime)
- task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
displayName: 'Codesign: ESRP CodeSigning (nuget)'
inputs:
ConnectedServiceName: 'CodeSign Service (NuGet)'
FolderPath: '$(build.sourcesdirectory)/Artifacts/${{parameters.build_configuration}}'
Pattern: '*.nupkg'
signConfigType: inlineSignParams
inlineOperation: |
[
{
"keyCode": "CP-401405",
"operationSetCode": "NuGetSign",
"parameters": [],
"toolName": "sign",
"toolVersion": "1.0"
},
{
"keyCode": "CP-401405",
"operationSetCode": "NuGetVerify",
"parameters": [ ],
"toolName": "sign",
"toolVersion": "1.0"
}
]
SessionTimeout: 180
VerboseLogin: true
# Signing
- ${{ if eq(variables.microbuild_signing, true) }}:
- task: NuGetCommand@2
Expand Down
Loading