ci: revert 1ES template compliance to unblock master

.devops/templates/compliance-job.yml

@@ -0,0 +1,50 @@
+# These steps have to run on a windows machine,
+# and therefore unfortunately can't be integrated in the regular steps
+
+jobs:
+  - job: compliance
+    displayName: Compliance checks
+    pool: uifabric-windows-2019-small
+    steps:
+      - task: UseDotNet@2
+        condition: succeededOrFailed()
+        displayName: 'Use .NET Core sdk 3.x'
+        inputs:
+          version: 3.x
+          steps:
+
+      - task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@3
+        condition: succeededOrFailed()
+        displayName: '🧭 Run Credential Scanner'
+        inputs:
+          debugMode: false
+
+      - task: securedevelopmentteam.vss-secure-development-tools.build-task-eslint.ESLint@1
+        condition: succeededOrFailed()
+        displayName: '🧭 Run ESLint'
+
+      - task: securedevelopmentteam.vss-secure-development-tools.build-task-publishsecurityanalysislogs.PublishSecurityAnalysisLogs@3
+        displayName: '🧭 Publish Guardian Artifacts - All Tools'
+        inputs:
+          ArtifactType: M365
+        condition: succeededOrFailed()
+
+      - task: AssetRetention@3
+        displayName: 🧭 Arrow Retention
+        inputs:
+          ArrowServiceConnection: 'Arrow_uifabric_uifabric_PROD'
+          AssetGroupName: '$(System.TeamProject)_$(Build.DefinitionName)'
+          AssetNumber: '$(Build.BuildId)'
+          IsShipped: false
+          DropsToRetain: 'CodeAnalysisLogs'
+        condition: and(succeeded(), eq(variables['Build.SourceBranch'], 'refs/heads/master'))
+
+      - task: securedevelopmentteam.vss-secure-development-tools.build-task-postanalysis.PostAnalysis@2
+        displayName: '🧭 Guardian Break'
+        inputs:
+          GdnBreakPolicyMinSev: Warning
+          GdnBreakAllTools: true
+          GdnBreakGdnToolESLint: true
+          GdnBreakGdnToolESLintSeverity: Warning
+          GdnBreakPolicy: M365
+        condition: succeededOrFailed()

azure-pipelines.hotfix.yml

@@ -11,78 +11,68 @@ parameters:
 
 variables:
   - template: .devops/templates/variables.yml
+  - group: InfoSec-SecurityResults
   - name: tags
     value: production,externalfacing
 
-resources:
-  repositories:
-    - repository: 1esPipelines
-      type: git
-      name: 1ESPipelineTemplates/1ESPipelineTemplates
-      ref: refs/tags/release
-
-extends:
-  template: v1/1ES.Official.PipelineTemplate.yml@1esPipelines
-  parameters:
-    pool:
-      name: Azure-Pipelines-1ESPT-ExDShared
-      image: windows-latest
-      os: windows # We need windows because compliance task only run on windows.
-    stages:
-      - stage: main
-        jobs:
-          - job: Release
-            dependsOn: Compliance
-            pool:
-              name: '1ES-Host-Ubuntu'
-              image: '1ES-PT-Ubuntu-20.04'
-              os: linux
-            workspace:
-              clean: all
-            templateContext:
-              outputs:
-                - output: pipelineArtifact
-                  targetPath: $(System.DefaultWorkingDirectory)
-                  artifactName: output
-            steps:
-              - template: .devops/templates/tools.yml@self
-
-              - script: |
-                  node -e "if('$(targetNpmVersion)' === '') throw new Error('targetNpmVersion is not specified');"
-                displayName: 'Checking for targetNpmVersion variable'
-
-              - script: |
-                  npm install semver
-                  node -e "let semver = require('semver');if(semver.valid('$(targetNpmVersion)') === null){ throw new Error('Invalid version specified'); }"
-                displayName: 'Check targetNpmVersion is valid semver'
-
-              - task: Bash@3
-                inputs:
-                  filePath: yarn-ci.sh
-                displayName: yarn
-
-              - script: |
-                  npm version $(targetNpmVersion)
-                workingDirectory: 'packages/react'
-                displayName: 'Manually set package version'
-
-              - script: |
-                  yarn buildto @fluentui/react --production
-                displayName: yarn build to FUIR (Create production build)
-
-              - script: yarn workspace @fluentui/react bundle --production
-                displayName: yarn bundle FUIR
-
-              - script: |
-                  npm pack
-                displayName: 'Create tarball'
-                workingDirectory: 'packages/react'
-
-              - ${{ if ne(parameters.isTestRun, true) }}:
-                  - script: |
-                      npm publish packages/react/react-$(targetNpmVersion).tgz --tag hf8 --//registry.npmjs.org/:_authToken=$(npmToken)
-                    displayName: Publish new version
-
-              - template: .devops/templates/cleanup.yml@self
-                parameters:
-                  checkForModifiedFiles: false
+jobs:
+  - template: .devops/templates/compliance-job.yml
+
+  - job: Release
+    dependsOn: Compliance
+    pool: '1ES-Host-Ubuntu'
+    workspace:
+      clean: all
+    steps:
+      - template: .devops/templates/tools.yml
+
+      - script: |
+          node -e "if('$(targetNpmVersion)' === '') throw new Error('targetNpmVersion is not specified');"
+        displayName: 'Checking for targetNpmVersion variable'
+
+      - script: |
+          npm install semver
+          node -e "let semver = require('semver');if(semver.valid('$(targetNpmVersion)') === null){ throw new Error('Invalid version specified'); }"
+        displayName: 'Check targetNpmVersion is valid semver'
+
+      - task: Bash@3
+        inputs:
+          filePath: yarn-ci.sh
+        displayName: yarn
+
+      - script: |
+          npm version $(targetNpmVersion)
+        workingDirectory: 'packages/react'
+        displayName: 'Manually set package version'
+
+      - script: |
+          yarn buildto @fluentui/react --production
+        displayName: yarn build to FUIR (Create production build)
+
+      - script: yarn workspace @fluentui/react bundle --production
+        displayName: yarn bundle FUIR
+
+      - script: |
+          npm pack
+        displayName: 'Create tarball'
+        workingDirectory: 'packages/react'
+
+      - ${{ if ne(parameters.isTestRun, true) }}:
+          - script: |
+              npm publish packages/react/react-$(targetNpmVersion).tgz --tag hf8 --//registry.npmjs.org/:_authToken=$(npmToken)
+            displayName: Publish new version
+
+      - task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0
+        displayName: 📒 Generate Manifest
+        inputs:
+          BuildDropPath: $(System.DefaultWorkingDirectory)
+
+      - task: PublishPipelineArtifact@1
+        displayName: 📒 Publish Manifest
+        inputs:
+          artifactName: SBom-$(System.JobAttempt)
+          targetPath: $(System.DefaultWorkingDirectory)/_manifest
+
+      - template: .devops/templates/cleanup.yml
+        parameters:
+          checkForModifiedFiles: false