Open
93 commits
dbcff80
added sign and bdba drafts to the windows ci pipeline
przepeck Sep 22, 2025
16451bc
updating signing files
przepeck Sep 23, 2025
806d161
excluded from sdl check new .bat files
przepeck Sep 24, 2025
ce76f48
refactoring to create separate pipe for SDL
przepeck Sep 24, 2025
e55f2ef
fixed stage structure
przepeck Sep 24, 2025
3d49841
moved git pulls to use user credentials
przepeck Sep 25, 2025
7d671bd
changed links to testing fork and valid raw content
przepeck Sep 25, 2025
619bb22
fit to new credentials
przepeck Sep 25, 2025
876c2d1
changed curl to cloning repo to use credentials
przepeck Sep 25, 2025
d2f39a2
added cleanup, using local signfile
przepeck Sep 25, 2025
ba7123e
minor fixes, adding python option to siginig script
przepeck Sep 26, 2025
a2c3ab0
corrected paths
przepeck Sep 26, 2025
6d4b189
added debug steps
przepeck Sep 26, 2025
1f1b5c9
corrected parameters
przepeck Sep 26, 2025
7d954d7
commented build stage to speed up testing and debugging
przepeck Sep 26, 2025
d298fd2
testing correct credentials
przepeck Sep 26, 2025
7349653
corrected path to bdba scans
przepeck Sep 26, 2025
62e754f
corrected path to bdba scans
przepeck Sep 26, 2025
af61db8
corrected path to bdba scans v2
przepeck Sep 26, 2025
8385fc4
corrected path to bdba scans v3
przepeck Sep 26, 2025
7079755
changes in filenames and cleaning temporal files
przepeck Sep 26, 2025
fe55f01
changes in filenames and cleaning temporal files v2
przepeck Sep 26, 2025
19ceae2
changes in filenames and cleaning temporal files v3
przepeck Sep 26, 2025
0a91e06
minor changes in errors and added signtool to PATH
przepeck Sep 26, 2025
7e5e2ba
corrected path for signing script
przepeck Sep 26, 2025
df30d1f
corrected path for signing script v2
przepeck Sep 26, 2025
8af3f83
fixed error raising after sdl actions
przepeck Sep 26, 2025
740f060
changed incorrect file in macro
przepeck Sep 26, 2025
5b5e779
removed redundant exit condition
przepeck Sep 26, 2025
543a682
removed redundant exit conditions v2
przepeck Sep 26, 2025
aefc7ab
enabling build step
przepeck Sep 26, 2025
5ba84a9
corrected path to log
przepeck Sep 26, 2025
2db4779
changed location
przepeck Sep 29, 2025
a46a54f
commented stages for debug reasons
przepeck Sep 29, 2025
8f33e3f
checking if OVMS_PASS is correct
przepeck Sep 29, 2025
e6dc3d7
enbale using special chars in password
przepeck Sep 29, 2025
41387af
enbale using special chars in password v2
przepeck Sep 29, 2025
d21bf9f
enbale using special chars in password v3
przepeck Sep 29, 2025
ff904e1
enbale using special chars in password v4
przepeck Sep 29, 2025
cc7b574
enable using special chars in password v5 - debug
przepeck Sep 29, 2025
2860237
enable using special chars in password v6
przepeck Sep 29, 2025
f6a7412
enable using special chars in password v7
przepeck Sep 29, 2025
f164b87
enable using special chars in password v8
przepeck Sep 29, 2025
cc13d86
enable using special chars in password v9
przepeck Sep 29, 2025
c9174cb
enable using special chars in password v10
przepeck Sep 29, 2025
3ddef00
enable using special chars in password v11
przepeck Sep 30, 2025
fc84ec7
enable using special chars in password v12
przepeck Sep 30, 2025
a9af04c
enable using special chars in password v13 - debug
przepeck Sep 30, 2025
fb42447
enable using special chars in password v14 - debug
przepeck Sep 30, 2025
7801c08
enable using special chars in password v15 - revert changes
przepeck Sep 30, 2025
e05565f
enabling special characters in the password for siging
przepeck Sep 30, 2025
56b0d4f
enabling special characters in the password for siging v2
przepeck Sep 30, 2025
c47049b
reverting previous changes
przepeck Sep 30, 2025
344948f
next debug try to get valid password
przepeck Sep 30, 2025
f6e801b
next debug try to get valid password v2
przepeck Sep 30, 2025
0a5cfb1
debugging BDBA
przepeck Oct 1, 2025
53fd7d9
using withCredentials to get user's password
przepeck Oct 1, 2025
882f70b
using withCredentials to get user's password v2
przepeck Oct 1, 2025
1998f6d
using withCredentials to get user's password v3
przepeck Oct 1, 2025
5723ead
uncommenting bdba for debug reasons
przepeck Oct 1, 2025
7d5f034
changing path for artifacts
przepeck Oct 1, 2025
cff96af
changing tar command to work
przepeck Oct 1, 2025
01335e0
changing tar command to work v2
przepeck Oct 1, 2025
97fe9af
uncommenting build and cleanup stages
przepeck Oct 2, 2025
5772227
implemeneted copilot suggestions
przepeck Oct 2, 2025
d15b828
corrected cleanup, changed stages
przepeck Oct 3, 2025
ac7ade6
corrected stage conditions
przepeck Oct 6, 2025
e190e26
deleted previous conditions
przepeck Oct 6, 2025
1e44c09
changed repositories to be parametrized
przepeck Oct 6, 2025
91f39b1
changed error checking in bdba execution
przepeck Oct 6, 2025
c5251c6
setting unstable message after finding vulnerabilities
przepeck Oct 7, 2025
297857d
removed comment
przepeck Oct 7, 2025
20a0507
change bdba repo to use external config
przepeck Oct 8, 2025
e231fa5
changed repo cloning to be independent from windows_signing
przepeck Oct 8, 2025
5e037b9
commenting build stage for debug reasons
przepeck Oct 8, 2025
d1fa07d
changed repo's name
przepeck Oct 8, 2025
f9e312d
uncommenting build and test stage
przepeck Oct 8, 2025
1852f27
Merge branch 'main' into przepeck/windows_ci_sdl
dtrawins Oct 10, 2025
afc88f4
changed cleaning script
przepeck Oct 13, 2025
78dd649
adding pulling for repos instead of cloning, adding RELEASE TYPE
przepeck Oct 13, 2025
78408c7
archiving signed ovms package
przepeck Oct 13, 2025
6af3e55
adding downloading files from package
przepeck Oct 13, 2025
cdbad9d
fixed condition location
przepeck Oct 13, 2025
c03e1cc
fixed pull files stage
przepeck Oct 13, 2025
07f8a03
fixed curl
przepeck Oct 13, 2025
e7783f7
coping signed files to archive it
przepeck Oct 13, 2025
b605471
fixed zipping
przepeck Oct 13, 2025
c2bfe55
removing ovms directory if exists to enable bdba scans version overri…
przepeck Oct 14, 2025
66ac7ad
changed order of the stages to enable bdba scans version override
przepeck Oct 14, 2025
16be5b0
review suggestions v1
przepeck Oct 17, 2025
cc22766
review suggestions v2 - adding parameter for branches for external re…
przepeck Oct 17, 2025
181be56
corrected variable name
przepeck Oct 17, 2025
83b1986
adding archiving sha256 file
przepeck Oct 17, 2025
127 changes: 127 additions & 0 deletions ci/build_test_release.groovy
@@ -0,0 +1,127 @@
pipeline {
options {
timeout(time: 2, unit: 'HOURS')
}
agent {
label 'win_ovms'
}
environment {
BDBA_CREDS = credentials('BDBA_KEY')
}
stages {
stage ("Build and test windows") {
when { expression { env.PACKAGE_URL == "" } }
steps {
script {
echo "JOB_BASE_NAME: ${env.JOB_BASE_NAME}"
echo "WORKSPACE: ${env.WORKSPACE}"
echo "OVMS_PYTHON_ENABLED: ${env.OVMS_PYTHON_ENABLED}"
def windows = load 'ci/loadWin.groovy'
if (windows != null) {
try {
windows.setup_bazel_remote_cache()
windows.install_dependencies()
windows.clean()
windows.build()
windows.unit_test()
windows.check_tests()
def safeBranchName = env.BRANCH_NAME.replaceAll('/', '_')
def python_presence = ""
if (env.OVMS_PYTHON_ENABLED == "1") {
python_presence = "with_python"
} else {
python_presence = "without_python"
}
bat(returnStatus:true, script: "ECHO F | xcopy /Y /E ${env.WORKSPACE}\\dist\\windows\\ovms.zip \\\\${env.OV_SHARE_05_IP}\\data\\cv_bench_cache\\OVMS_do_not_remove\\ovms-windows-${python_presence}-${safeBranchName}-latest.zip")
} finally {
windows.archive_build_artifacts()
windows.archive_test_artifacts()
}
} else {
error "Cannot load ci/loadWin.groovy file."
}
}
}
}
stage ("Pull files"){
when { expression { env.PACKAGE_URL != "" } }
steps{
script {
def windows = load 'ci/loadWin.groovy'
if (windows != null) {
try {
windows.download_package()
} finally {
echo "Pull files finished"
}
} else {
error "Cannot load ci/loadWin.groovy file."
}
}
}
}
stage ("BDBA scans"){
when { expression { env.BDBA_SCAN == "true" } }
steps {
script {
def windows = load 'ci/loadWin.groovy'
if (windows != null) {
try {
windows.clone_sdl_repo()
windows.clone_bdba_repo()
windows.bdba()
def logFile = "${env.WORKSPACE}\\win_bdba.log"
def lastLine = bat(script: "powershell -Command \"Get-Content -Path '${logFile}' | Select-Object -Last 1\"", returnStdout: true).trim()
if (!lastLine.contains("Found 0 vulnerabilities")) {
unstable(message: lastLine)
}
} finally {
windows.archive_bdba_reports()
}
} else {
error "Cannot load ci/loadWin.groovy file."
}
}
}
}
stage ("Signing files"){
when { expression { env.SIGN_FILES == "true" } }
steps {
echo "OVMS_PYTHON_ENABLED: ${env.OVMS_PYTHON_ENABLED}"
withCredentials([
usernamePassword(
credentialsId: 'PRERELEASE_SIGN',
usernameVariable: 'PRERELEASE_USER',
passwordVariable: 'PRERELEASE_PASS'),
usernamePassword(
credentialsId: 'RELEASE_SIGN',
usernameVariable: 'RELEASE_USER',
passwordVariable: 'RELEASE_PASS'),
]) {
script {
if (env.RELEASE_TYPE == "RELEASE") {
env.SIGNING_USER = env.RELEASE_USER
env.OVMS_PASS = env.RELEASE_PASS
} else if (env.RELEASE_TYPE == "PRE-RELEASE") {
env.SIGNING_USER = env.PRERELEASE_USER
env.OVMS_PASS = env.PRERELEASE_PASS
} else {
error "Unknown RELEASE_TYPE: ${env.RELEASE_TYPE}"
}
def windows = load 'ci/loadWin.groovy'
Collaborator


do we need to load it in every stage?

Collaborator Author


It helps us to run stages separately, every stage should have its own context

if (windows != null) {
try {
windows.clone_sdl_repo()
windows.sign()
} finally {
windows.archive_sign_results()
}
} else {
error "Cannot load ci/loadWin.groovy file."
}
}
}
}
}
}
}
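Review bot: In the "Signing files" stage, `env.SIGNING_USER = …` and `env.OVMS_PASS = …` copy the bound secret into the build-wide environment, where it outlives the `withCredentials` block and its log masking; both signing credentials are also bound on every run although only one is used. Pick the `credentialsId` from `RELEASE_TYPE` first and bind that single credential directly to `SIGNING_USER`/`OVMS_PASS`, so the release secret is never materialised on a pre-release run and nothing is written to `env`. The same scoping applies to `BDBA_CREDS` in the pipeline-level `environment` block, which exposes the BDBA key to the build and test stage as well; moving it into the "BDBA scans" stage would limit that.

```groovy
script {
    def signCredId
    if (env.RELEASE_TYPE == "RELEASE") {
        signCredId = 'RELEASE_SIGN'
    } else if (env.RELEASE_TYPE == "PRE-RELEASE") {
        signCredId = 'PRERELEASE_SIGN'
    } else {
        error "Unknown RELEASE_TYPE: ${env.RELEASE_TYPE}"
    }
    withCredentials([usernamePassword(
            credentialsId: signCredId,
            usernameVariable: 'SIGNING_USER',
            passwordVariable: 'OVMS_PASS')]) {
        // … unchanged: load ci/loadWin.groovy, clone_sdl_repo(), sign(), archive_sign_results() …
    }
}
```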
4 changes: 4 additions & 0 deletions ci/lib_search.py
@@ -149,6 +149,8 @@ def check_dir(start_dir):
"lib_custom_nodes_files",
"spelling-whitelist.txt",
"results.txt",
"windows_bdba.bat",
"windows_sign.bat",
]

exclude_directories = ['/dist/', 'release_files/thirdparty-licenses', 'extras/chat_template_examples']
@@ -242,6 +244,8 @@ def check_func(start_dir):
"internal_tests",
'cleanup_jenkins.bat',
".bazelversion",
"windows_bdba.bat",
"windows_sign.bat",
]

exclude_directories = ['/dist/']
141 changes: 138 additions & 3 deletions ci/loadWin.groovy
@@ -48,7 +48,7 @@ def cleanup_directories() {
println "Deleting: " + pathToDelete
status = bat(returnStatus: true, script: 'rmdir /s /q ' + pathToDelete)
if (status != 0) {
error "Error: Deleting directory ${pathToDelete} failed: ${status}. Check piepeline.log for details."
error "Error: Deleting directory ${pathToDelete} failed: ${status}. Check pipeline.log for details."
} else {
echo "Deleting directory ${pathToDelete} successful."
}
@@ -90,7 +90,7 @@ def deleteOldDirectories() {
println "Deleting: " + pathToDelete
status = bat(returnStatus: true, script: 'rmdir /s /q ' + pathToDelete)
if (status != 0) {
error "Error: Deleting directory ${pathToDelete} failed: ${status}. Check piepeline.log for details."
error "Error: Deleting directory ${pathToDelete} failed: ${status}. Check pipeline.log for details."
} else {
echo "Deleting directory ${pathToDelete} successful."
}
@@ -110,6 +110,14 @@ def install_dependencies() {

def clean() {
def output1 = bat(returnStdout: true, script: 'windows_clean_build.bat ' + get_short_bazel_path() + ' ' + env.OVMS_CLEAN_EXPUNGE)
if(fileExists('dist\\windows\\ovms')){
def status_del = bat(returnStatus: true, script: 'rmdir /s /q ovms')
if (status_del != 0) {
error "Error: Deleting existing ovms directory failed ${status_del}. Check pipeline.log for details."
} else {
echo "Existing ovms directory deleted successfully."
}
}
}

def build(){
@@ -128,6 +136,121 @@ def build(){
} else {
echo "Windows package created successfully."
}
def unzipCmd = "tar -xf dist\\windows\\ovms.zip"
def status_unzip = bat(returnStatus: true, script: "${unzipCmd}")
if (status_unzip != 0) {
error "Error: Unzipping package failed: ${status_unzip}."
} else {
echo "Package unzipped successfully."
}
}

def clone_sdl_repo()
{
if(!fileExists('sdl_repo')){
println "Starting code signing"
def statusPull = bat(returnStatus: true, script: 'git clone -b ' + env.SIGN_REPO_BRANCH + ' ' + env.SIGN_REPO + ' sdl_repo')
if (statusPull != 0) {
error "Error: Downloading sdl_repo failed ${statusPull}. Check pipeline.log for details."
} else {
echo "sdl_repo downloaded successfully."
}
}else{
println "Pulling latest changes in sdl_repo"
dir('sdl_repo') {
def statusPull = bat(returnStatus: true, script: 'git fetch && git reset --hard origin/'+env.SIGN_REPO_BRANCH)
if (statusPull != 0) {
error "Error: Pulling latest changes in sdl_repo failed ${statusPull}. Check pipeline.log for details."
} else {
echo "sdl_repo updated successfully."
}
}
}
}

def clone_bdba_repo()
{
if(!fileExists('repo_ci_infra')){
println "Starting BDBA infrastructure download"
def statusPull = bat(returnStatus: true, script: 'git clone -b ' + env.BDBA_REPO_BRANCH + ' ' + env.BDBA_REPO + ' repo_ci_infra')
if (statusPull != 0) {
error "Error: Downloading BDBA infrastructure failed ${statusPull}. Check pipeline.log for details."
} else {
echo "BDBA infrastructure downloaded successfully."
}
}else{
println "Pulling latest changes in BDBA infrastructure"
dir('repo_ci_infra') {
def statusPull = bat(returnStatus: true, script: 'git fetch && git reset --hard origin/'+env.BDBA_REPO_BRANCH)
if (statusPull != 0) {
error "Error: Pulling latest changes in BDBA infrastructure failed ${statusPull}. Check pipeline.log for details."
} else {
echo "BDBA infrastructure updated successfully."
}
}
}
}

def sign(){
println "SIGNING_USER=${env.SIGNING_USER}"
def status = bat(returnStatus: true, script: 'ci\\windows_sign.bat ' + env.SIGNING_USER + ' dist\\windows ' + env.OVMS_PYTHON_ENABLED)
if (status != 0) {
error "Error: Windows code signing failed ${status}. Check win_sign.log for details."
} else {
echo "Code signing successful."
}
}

def bdba(){
println "Starting BDBA scan"
def status = bat(returnStatus: true, script: 'ci\\windows_bdba.bat ' + env.BDBA_CREDS_PSW + ' dist\\windows sdl_repo\\ovms-package')
if (status != 0) {
error "Error: Windows BDBA scan failed ${status}. Check win_bdba.log for details."
} else {
echo "BDBA scan successful."
}
}

def download_package(){
println "Downloading package from URL: ${env.PACKAGE_URL}"
if(!fileExists('dist\\windows')){
def status = bat(returnStatus: true, script: 'mkdir dist\\windows')
if (status != 0) {
error "Error: Creating dist\\windows directory failed ${status}. Check pipeline.log for details."
} else {
echo "Directory dist\\windows created successfully."
}
}
dir('dist\\windows') {
if(fileExists('ovms.zip')){
def status_del = bat(returnStatus: true, script: 'del /f ovms.zip')
if (status_del != 0) {
error "Error: Deleting existing ovms.zip failed ${status_del}. Check pipeline.log for details."
} else {
echo "Existing ovms.zip deleted successfully."
}
}
if(fileExists('ovms')){
def status_del = bat(returnStatus: true, script: 'rmdir /s /q ovms')
if (status_del != 0) {
error "Error: Deleting existing ovms directory failed ${status_del}. Check pipeline.log for details."
} else {
echo "Existing ovms directory deleted successfully."
}
}
def status = bat(returnStatus: true, script: 'curl -L -k -o ovms.zip ' + env.PACKAGE_URL)
if (status != 0) {
error "Error: Downloading package failed ${status}. Check pipeline.log for details."
} else {
echo "Package downloaded successfully."
}
def status_unzip = bat(returnStatus: true, script: 'tar -xf ovms.zip')
if (status_unzip != 0) {
error "Error: Unzipping package failed: ${status_unzip}."
} else {
echo "Package unzipped successfully."
}
}
}

def unit_test(){
@@ -166,7 +289,7 @@ def check_tests(){

status = bat(returnStatus: true, script: 'grep " PASSED " win_full_test.log')
if (status != 0) {
error "Error: Windows run test failed ${status}. Expecting PASSED at the end of log. Check piepeline.log for details."
error "Error: Windows run test failed ${status}. Expecting PASSED at the end of log. Check pipeline.log for details."
} else {
echo "Success: Windows run test finished with success."
}
@@ -188,6 +311,18 @@ def archive_test_artifacts(){
archiveArtifacts allowEmptyArchive: true, artifacts: "win_test_log.zip"
}

def archive_bdba_reports(){
archiveArtifacts allowEmptyArchive: true, artifacts: "win_bdba.log"
archiveArtifacts allowEmptyArchive: true, artifacts: "ovms_windows_bdba_reports.zip"
}

def archive_sign_results(){
def python_suffix = env.OVMS_PYTHON_ENABLED == "0" ? "off" : "on"
archiveArtifacts allowEmptyArchive: true, artifacts: "win_sign.log"
archiveArtifacts allowEmptyArchive: true, artifacts: "dist\\windows\\ovms_windows_python_${python_suffix}.zip"
archiveArtifacts allowEmptyArchive: true, artifacts: "dist\\windows\\ovms_windows_python_${python_suffix}.zip.sha256"
}

def setup_bazel_remote_cache(){
def bazel_remote_cache_url = env.OVMS_BAZEL_REMOTE_CACHE_URL
def content = "build --remote_cache=\"${bazel_remote_cache_url}\""
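Review bot: `download_package()` fetches the archive with `curl -L -k`, which turns off TLS certificate verification, and nothing between the download and `tar -xf ovms.zip` checks the file against a known digest; the result lands in `dist\windows`, which is the directory `sign()` and `bdba()` are pointed at, so a tampered download could end up scanned and signed as the release package. Drop `-k` (install the internal CA on the agent if that is why it was needed), add `--fail`, and compare a SHA-256 supplied with the job before unpacking, e.g. `'curl -L --fail -o ovms.zip "' + env.PACKAGE_URL + '"'`. `env.PACKAGE_URL`, the repo and branch parameters in `clone_sdl_repo()`/`clone_bdba_repo()` and `env.BDBA_CREDS_PSW` in `bdba()` are all concatenated unquoted into `bat` scripts, so a value containing `&`, `|` or spaces changes the command; quote them or hand them over as environment variables. In `clean()` the existence check is on `dist\\windows\\ovms` while the `rmdir` targets `ovms` in the workspace root, which looks like a path mismatch.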
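--- a/ci/windows_bdba.bat
+++ b/ci/windows_bdba.bat
@@ -0,0 +1,36 @@
+@echo off
+set "BDBA_KEY=%1"
+set "OVMS_PATH=..\%2"
+set "CONFIG_PATH=..\%3"
+cd repo_ci_infra
+
+python -m venv venv
+
+call venv\Scripts\activate
+
+python -m pip install --upgrade pip
+
+if exist requirements.txt (
+pip install -r requirements.txt
+)
+
+for /f "tokens=2 delims==." %%I in ('wmic os get localdatetime /value') do set datetime=%%I
+set datestamp=%datetime:~0,8%
+set timestamp=%datetime:~8,4%
+set filename=ovms_windows_%datestamp%_%timestamp%
+set zipname="%filename%.zip"
+
+copy %OVMS_PATH%\\ovms.zip %OVMS_PATH%\\%zipname%
+if errorlevel 1 (
+echo Failed to copy %OVMS_PATH%\ovms.zip to %OVMS_PATH%\%zipname%.
+exit /b 1
+)
+
+echo "BDBA_KEY=%BDBA_KEY%"
+echo "OVMS_PATH=%OVMS_PATH%"
+
+python binary_scans\ovms_bdba.py --key %BDBA_KEY% --config_dir=%CONFIG_PATH% --type windows --build_dir %OVMS_PATH% --artifacts %zipname% --report_name %filename% 2>&1 | tee ..\win_bdba.log
+if errorlevel 1 exit /b %errorlevel%
+
+tar -a -c -f ..\ovms_windows_bdba_reports.zip ovms_windows*
+del "%OVMS_PATH%\%zipname%"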
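Review bot: `echo "BDBA_KEY=%BDBA_KEY%"` prints the BDBA API key to the build console, and the key also travels as `%1` and `--key %BDBA_KEY%`, so it is visible in process command lines on the agent. Delete that echo (or replace it with `echo BDBA_KEY is set`), and if `ovms_bdba.py` can take the key from the environment, read it from the credential variable the pipeline already exports instead of argv. Separately, `if errorlevel 1` after `python … | tee ..\win_bdba.log` most likely reflects the exit status of `tee` rather than of the scan, so a failed or crashed scan may not stop the script; writing the log with a redirect and checking `errorlevel` directly after `python` would make the failure visible. The `pip install --upgrade pip` and `pip install -r requirements.txt` steps pull unpinned packages into a job that holds the key; a pinned, hash-checked requirements file would narrow that.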
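--- a/ci/windows_sign.bat
+++ b/ci/windows_sign.bat
@@ -0,0 +1,28 @@
+@echo off
+set "OVMS_USER=%1"
+set "OVMS_FILES=..\..\%2"
+set "PYTHON=%3"
+set PATH=%PATH%;C:\Jenkins\workspace\ovmsc\signfile;C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64
+
+cd sdl_repo\windows_signing
+
+if /I "%PYTHON%"=="1" (
+set "PYTHON_OPT=--python"
+) else (
+set "PYTHON_OPT="
+)
+
+python check_signing.py --user=%OVMS_USER% --path=%OVMS_FILES% %PYTHON_OPT% --auto --verbose --print_all 2>&1 | tee ..\..\win_sign.log
+python check_signing.py --zip --path=%OVMS_FILES% %PYTHON_OPT% --auto
+
+for %%f in (ovms_windows_python_*) do (
+copy "%%f" "%OVMS_FILES%"
+)
+for /f "tokens=* delims=" %%a in ('type ..\..\win_sign.log ^| tail -n 1') do (
+echo %%a | findstr /C:"[ OK ]" >nul
+if not errorlevel 1 (
+exit /b 0
+) else (
+exit /b 1
+)
+)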
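Review bot: The final `for /f` loop is the only place this script decides its exit code, and its body does not run when `win_sign.log` is empty or `tail` is missing from PATH, so the script then ends with whatever errorlevel the previous command left, probably 0, and `sign()` reports success. Add `exit /b 1` after the loop's closing `)` so the no-verdict case fails closed, and check `errorlevel` after the `--zip` call, whose result is currently ignored while its output is already copied into `%OVMS_FILES%`. The PATH entry `C:\Jenkins\workspace\ovmsc\signfile` appears to be a job workspace; a step that runs with signing credentials should resolve its tools from a directory other jobs cannot write to. `%OVMS_USER%` and `%OVMS_FILES%` are also expanded unquoted on the `check_signing.py` command lines.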