Make Nuget package pipeline 1ES compliant

tools/ci_build/github/azure-pipelines/publish-nuget.yml

@@ -8,35 +8,48 @@ resources:
         - main
         - rel-*
     branch: main
-
+  repositories:
+  - repository: 1esPipelines
+    type: git
+    name: 1ESPipelineTemplates/1ESPipelineTemplates
+    ref: refs/tags/release
 parameters:
-  - name: isReleaseBuild
-    type: boolean
-    default: false
+- name: isReleaseBuild
+  type: boolean
+  default: false
 
 variables:
-  - name: ArtifactFeed
-    ${{ if eq(parameters.isReleaseBuild, false) }}:
-      value: ort-cuda-11-nightly
-    ${{ else }}:
-      value: onnxruntime-cuda-11
-
-stages:
-  - template: templates/publish-nuget-steps.yml
-    parameters:
-      stage_name: 'Publish_NuGet_Package_And_Report'
-      include_cpu_ep: true
-      download_artifacts_steps:
+- name: ArtifactFeed
+  ${{ if eq(parameters.isReleaseBuild, false) }}:
+    value: ort-cuda-11-nightly
+  ${{ else }}:
+    value: onnxruntime-cuda-11
+extends:
+  # The pipeline extends the 1ES PT which will inject different SDL and compliance tasks.
+  # For non-production pipelines, use "Unofficial" as defined below.
+  # For productions pipelines, use "Official".
+  template: v1/1ES.Official.PipelineTemplate.yml@1esPipelines
+  parameters:
+    sdl:
+      sourceAnalysisPool:
+        name: onnxruntime-Win-CPU-2022
+        os: windows
+    stages:
+    - template: templates/publish-nuget-steps.yml
+      parameters:
+        stage_name: 'Publish_NuGet_Package_And_Report'
+        include_cpu_ep: true
+        download_artifacts_steps:
         - download: build
           displayName: 'Download Pipeline Artifact - Signed NuGet Package'
           artifact: 'drop-signed-nuget-dml'
         - script: move "$(Pipeline.Workspace)\build\drop-signed-nuget-dml\*" $(Build.BinariesDirectory)\nuget-artifact\final-package
 
-  # Publish CUDA 11 Nuget/Java pkgs to ADO feed
-  - template: stages/nuget-cuda-publishing-stage.yml
-    parameters:
-      artifact_feed: $(ArtifactFeed)
+    # Publish CUDA 11 Nuget/Java pkgs to ADO feed
+    - template: stages/nuget-cuda-publishing-stage.yml
+      parameters:
+        artifact_feed: $(ArtifactFeed)
 
-  - template: stages/java-cuda-publishing-stage.yml
-    parameters:
-      artifact_feed: $(ArtifactFeed)
+    - template: stages/java-cuda-publishing-stage.yml
+      parameters:
+        artifact_feed: $(ArtifactFeed)

tools/ci_build/github/azure-pipelines/stages/java-cuda-publishing-stage.yml

@@ -11,7 +11,8 @@ stages:
     condition: ${{ or(eq(parameters.artifact_feed, 'onnxruntime-cuda-11'), eq(parameters.artifact_feed, 'onnxruntime-cuda-12')) }}
     workspace:
       clean: all
-    pool: 'onnxruntime-Win-CPU-2022'
+    pool:
+      name: 'onnxruntime-Win-CPU-2022'
     variables:
     - name: SYSTEM_ACCESSTOKEN
       value: $(System.AccessToken)

tools/ci_build/github/azure-pipelines/stages/nuget-cuda-publishing-stage.yml

@@ -1,71 +1,71 @@
 parameters:
-  - name: artifact_feed
-    type: string
-    default: 'onnxruntime-cuda-12'
+- name: artifact_feed
+  type: string
+  default: 'onnxruntime-cuda-12'
 
 stages:
-  - stage: NuGet_Publishing_GPU
-    jobs:
-      - job: NuGet_Publishing_GPU
-        workspace:
-          clean: all
-        variables:
-        - name: GDN_CODESIGN_TARGETDIRECTORY
-          value: '$(Build.BinariesDirectory)/nuget-artifact/final-package'
-        pool: 'onnxruntime-Win-CPU-2022'
-        steps:
-          - checkout: none
+- stage: NuGet_Publishing_GPU
+  jobs:
+  - job: NuGet_Publishing_GPU
+    workspace:
+      clean: all
+    variables:
+    - name: GDN_CODESIGN_TARGETDIRECTORY
+      value: '$(Build.BinariesDirectory)/nuget-artifact/final-package'
+    pool: 'onnxruntime-Win-CPU-2022'
+    steps:
+    - checkout: none
 
-          - task: NuGetToolInstaller@1
-            inputs:
-              versionSpec: 6.8.x
+    - task: NuGetToolInstaller@1
+      inputs:
+        versionSpec: 6.8.x
 
-          - script: mkdir "$(Build.BinariesDirectory)\nuget-artifact\final-package"
-
-          - download: build
-            displayName: 'Download Pipeline Artifact - Signed NuGet Package'
-            artifact: 'drop-signed-nuget-GPU'
-
-          - script: move "$(Pipeline.Workspace)\build\drop-signed-nuget-GPU\*" "$(Build.BinariesDirectory)\nuget-artifact\final-package"
-
-          - powershell: |
-              New-Item -Path $(Agent.TempDirectory) -Name "binfiles" -ItemType "directory"
-              $base_path_name = Join-Path -Path $(Agent.TempDirectory) -ChildPath "binfiles"
-              Get-ChildItem $Env:BUILD_BINARIESDIRECTORY\nuget-artifact\final-package -Filter *.nupkg |
-                  Foreach-Object {
-                   $dir_name = Join-Path -Path $base_path_name -ChildPath $_.Basename
-                   $cmd = "7z.exe x $($_.FullName) -y -o$dir_name"
-                   Write-Output $cmd
-                   Invoke-Expression -Command $cmd
-                  }
-              dir $(Agent.TempDirectory)
-              tree $(Agent.TempDirectory)
-            workingDirectory: '$(Agent.TempDirectory)'
+    - script: mkdir "$(Build.BinariesDirectory)\nuget-artifact\final-package"
 
-          - task: CodeSign@1
-            displayName: 'Run Codesign Validation'
+    - download: build
+      displayName: 'Download Pipeline Artifact - Signed NuGet Package'
+      artifact: 'drop-signed-nuget-GPU'
 
-          - task: PublishSecurityAnalysisLogs@3
-            displayName: 'Publish Security Analysis Logs'
-            continueOnError: true
+    - script: move "$(Pipeline.Workspace)\build\drop-signed-nuget-GPU\*" "$(Build.BinariesDirectory)\nuget-artifact\final-package"
 
-          - task: PostAnalysis@2
-            inputs:
-              GdnBreakAllTools: true
-              GdnBreakPolicy: M365
-              GdnBreakPolicyMinSev: Error
+    - powershell: |
+        New-Item -Path $(Agent.TempDirectory) -Name "binfiles" -ItemType "directory"
+        $base_path_name = Join-Path -Path $(Agent.TempDirectory) -ChildPath "binfiles"
+        Get-ChildItem $Env:BUILD_BINARIESDIRECTORY\nuget-artifact\final-package -Filter *.nupkg |
+            Foreach-Object {
+             $dir_name = Join-Path -Path $base_path_name -ChildPath $_.Basename
+             $cmd = "7z.exe x $($_.FullName) -y -o$dir_name"
+             Write-Output $cmd
+             Invoke-Expression -Command $cmd
+            }
+        dir $(Agent.TempDirectory)
+        tree $(Agent.TempDirectory)
+      workingDirectory: '$(Agent.TempDirectory)'
 
-          - template: ../nuget/templates/get-nuget-package-version-as-variable.yml
-            parameters:
-              packageFolder: '$(Build.BinariesDirectory)/nuget-artifact/final-package'
-          #This task must be run on a Windows machine
-          - task: NuGetCommand@2
-            displayName: 'NuGet push ${{ parameters.artifact_feed }}'
-            inputs:
-              command: push
-              packagesToPush: '$(Build.BinariesDirectory)/nuget-artifact/final-package/*.nupkg'
-              publishVstsFeed: 'PublicPackages/${{ parameters.artifact_feed }}'
-              allowPackageConflicts: true
+    - task: CodeSign@1
+      displayName: 'Run Codesign Validation'
+
+    - task: PublishSecurityAnalysisLogs@3
+      displayName: 'Publish Security Analysis Logs'
+      continueOnError: true
+
+    - task: PostAnalysis@2
+      inputs:
+        GdnBreakAllTools: true
+        GdnBreakPolicy: M365
+        GdnBreakPolicyMinSev: Error
+
+    - template: ../nuget/templates/get-nuget-package-version-as-variable.yml
+      parameters:
+        packageFolder: '$(Build.BinariesDirectory)/nuget-artifact/final-package'
+    #This task must be run on a Windows machine
+    - task: 1ES.PublishNuget@1
+      displayName: 'NuGet push ${{ parameters.artifact_feed }}'
+      inputs:
+        packagesToPush: '$(Build.BinariesDirectory)/nuget-artifact/final-package/*.nupkg'
+        packageParentPath: '$(Build.BinariesDirectory)'
+        publishVstsFeed: 'PublicPackages/${{ parameters.artifact_feed }}'
+        allowPackageConflicts: true
 
 
 

tools/ci_build/github/azure-pipelines/stages/py-cuda-publishing-stage.yml

@@ -7,13 +7,15 @@ stages:
 - stage: Python_Publishing_GPU
   jobs:
   - job: Python_Publishing_GPU
-    pool: 'onnxruntime-Ubuntu2204-AMD-CPU'
+    pool:
+      name: 'onnxruntime-Ubuntu2204-AMD-CPU'
+      os: linux
     steps:
     - checkout: none
     - download: build
       displayName: 'Download Pipeline Artifact'
       artifact: 'whl'
-      
+
     - task: UsePythonVersion@0
       inputs:
         versionSpec: '3.13'

tools/ci_build/github/azure-pipelines/templates/publish-nuget-steps.yml

@@ -17,7 +17,8 @@ stages:
     variables:
     - name: GDN_CODESIGN_TARGETDIRECTORY
       value: '$(Agent.TempDirectory)\binfiles'
-    pool: 'onnxruntime-Win-CPU-2022'
+    pool:
+      name: 'onnxruntime-Win-CPU-2022'
 
     steps:
     # https://learn.microsoft.com/en-us/azure/devops/pipelines/yaml-schema/resources-pipelines-pipeline?view=azure-pipelines#pipeline-resource-metadata-as-predefined-variables
@@ -53,25 +54,25 @@ stages:
         displayName: 'Post binary sizes to the dashboard database using command line'
         inputs:
           script: |
-              echo changing directory to artifact download path
-              cd $(Build.BinariesDirectory)/nuget-artifact/final-package
-              echo processing nupkg
-              SETLOCAL EnableDelayedExpansion
-              FOR /R %%i IN (*.nupkg) do (
-              set filename=%%~ni
-              IF NOT "!filename:~25,7!"=="Managed" (
-                echo processing %%~ni.nupkg
-                copy %%~ni.nupkg %%~ni.zip
-                echo copied to zip
-                echo listing lib files in the zip
-                REM use a single .csv file to put the data
-                echo os,arch,build_config,size > $(Build.BinariesDirectory)\binary_size_data.txt
-                7z.exe l -slt %%~ni.zip runtimes\linux-arm64\native\libonnxruntime.so | findstr /R /C:"^Size = [0-9]*" | for /F "tokens=3" %%a  in ('more') do if not "%%a" == "" echo linux,aarch64,default,%%a >> $(Build.BinariesDirectory)\binary_size_data.txt
-                7z.exe l -slt %%~ni.zip runtimes\osx-x64\native\libonnxruntime.dylib | findstr /R /C:"^Size = [0-9]*" | for /F "tokens=3" %%a  in ('more') do if not "%%a" == "" echo osx,x64,default,%%a >> $(Build.BinariesDirectory)\binary_size_data.txt
-                7z.exe l -slt %%~ni.zip runtimes\win-x64\native\onnxruntime.dll | findstr /R /C:"^Size = [0-9]*" | for /F "tokens=3" %%a  in ('more') do if not "%%a" == "" echo win,x64,default,%%a >> $(Build.BinariesDirectory)\binary_size_data.txt
-                7z.exe l -slt %%~ni.zip runtimes\win-x86\native\onnxruntime.dll | findstr /R /C:"^Size = [0-9]*" | for /F "tokens=3" %%a  in ('more') do if not "%%a" == "" echo win,x86,default,%%a >> $(Build.BinariesDirectory)\binary_size_data.txt
-                )
+            echo changing directory to artifact download path
+            cd $(Build.BinariesDirectory)/nuget-artifact/final-package
+            echo processing nupkg
+            SETLOCAL EnableDelayedExpansion
+            FOR /R %%i IN (*.nupkg) do (
+            set filename=%%~ni
+            IF NOT "!filename:~25,7!"=="Managed" (
+              echo processing %%~ni.nupkg
+              copy %%~ni.nupkg %%~ni.zip
+              echo copied to zip
+              echo listing lib files in the zip
+              REM use a single .csv file to put the data
+              echo os,arch,build_config,size > $(Build.BinariesDirectory)\binary_size_data.txt
+              7z.exe l -slt %%~ni.zip runtimes\linux-arm64\native\libonnxruntime.so | findstr /R /C:"^Size = [0-9]*" | for /F "tokens=3" %%a  in ('more') do if not "%%a" == "" echo linux,aarch64,default,%%a >> $(Build.BinariesDirectory)\binary_size_data.txt
+              7z.exe l -slt %%~ni.zip runtimes\osx-x64\native\libonnxruntime.dylib | findstr /R /C:"^Size = [0-9]*" | for /F "tokens=3" %%a  in ('more') do if not "%%a" == "" echo osx,x64,default,%%a >> $(Build.BinariesDirectory)\binary_size_data.txt
+              7z.exe l -slt %%~ni.zip runtimes\win-x64\native\onnxruntime.dll | findstr /R /C:"^Size = [0-9]*" | for /F "tokens=3" %%a  in ('more') do if not "%%a" == "" echo win,x64,default,%%a >> $(Build.BinariesDirectory)\binary_size_data.txt
+              7z.exe l -slt %%~ni.zip runtimes\win-x86\native\onnxruntime.dll | findstr /R /C:"^Size = [0-9]*" | for /F "tokens=3" %%a  in ('more') do if not "%%a" == "" echo win,x86,default,%%a >> $(Build.BinariesDirectory)\binary_size_data.txt
               )
+            )
 
       - task: AzureCLI@2
         displayName: 'Azure CLI'
@@ -123,14 +124,14 @@ stages:
         GdnBreakPolicyMinSev: Error
 
     #TODO: allow choosing different feeds
-    - task: NuGetCommand@2
+    - task: 1ES.PublishNuget@1
       displayName: 'Copy Signed Native NuGet Package to ORT-NIGHTLY'
       inputs:
-        command: 'push'
         packagesToPush: '$(Build.BinariesDirectory)/nuget-artifact/final-package/*.nupkg'
+        packageParentPath: '$(Build.BinariesDirectory)'
         publishVstsFeed: '2692857e-05ef-43b4-ba9c-ccf1c22c437c/7982ae20-ed19-4a35-a362-a96ac99897b7'
         allowPackageConflicts: true
 
     - template: component-governance-component-detection-steps.yml
-      parameters :
-        condition : 'succeeded'
+      parameters:
+        condition: 'succeeded'