AKV Official Pipeline

build.proj

@@ -188,7 +188,7 @@
 
   <Target Name="RunManualTests">
     <!-- Windows -->
     <Exec ConsoleToMsBuild="true" Command="$(DotnetPath)dotnet test &quot;@(ManualTestsProj)&quot; -p:Configuration=$(Configuration) -p:Target$(TFGroup)Version=$(TF) -p:ReferenceType=$(ReferenceType) --no-build -l &quot;console;verbosity=normal&quot; --collect &quot;Code coverage&quot; -p:TestSet=$(TestSet) --results-directory $(ResultsDirectory) -p:TestTargetOS=Windows$(TargetGroup) --filter &quot;category!=non$(TargetGroup)tests&amp;category!=failing&amp;category!=nonwindowstests&quot; &quot;--logger:trx;LogFilePrefix=Manual-Windows$(TargetGroup)-$(TestSet)&quot;" Condition="'$(IsEnabledWindows)' == 'true'"/>
     <!-- Unix -->
     <Exec ConsoleToMsBuild="true" Command="$(DotnetPath)dotnet test &quot;@(ManualTestsProj)&quot; -p:Configuration=$(Configuration) -p:TargetNetCoreVersion=$(TF) -p:ReferenceType=$(ReferenceType) --no-build -l &quot;console;verbosity=normal&quot; --collect &quot;Code coverage&quot; -p:TestSet=$(TestSet) --results-directory $(ResultsDirectory) -p:TestTargetOS=Unixnetcoreapp --filter &quot;category!=nonnetcoreapptests&amp;category!=failing&amp;category!=nonlinuxtests&amp;category!=nonuaptests&quot; &quot;--logger:trx;LogFilePrefix=Manual-Unixnetcoreapp-$(TestSet)&quot;" Condition="'$(IsEnabledWindows)' != 'true'"/>
   </Target>
@@ -201,6 +201,39 @@
     <RemoveDir Directories='$([System.IO.Directory]::GetDirectories(".",".nuget", SearchOption.AllDirectories))' />
   </Target>
 
+  <!-- AKV Targets ========================================================= -->
+  <Target Name="BuildAkv">
+    <!-- @TODO: TestTargetOS for restore poisons the project.assets.json file... We should remove it. -->
+    <!-- @TODO: TestTargetOS makes this far more complicated than it needs to be. We should remove it. -->
+    <!-- @TODO: RemoveProperties shouldn't be necessary -->
+    <Message Text=">>> Restoring AKV project" />
+    <MSBuild Projects="@(AKVProvider)" Targets="Restore"/>
+
+    <PropertyGroup>
+      <BuildAkvProperties>$(CI);TestTargetOS=$(TestOS)netfx;Platform=AnyCPU;$(ProjectProperties);$(NugetPackProperties)</BuildAkvProperties>
+    </PropertyGroup>
+    <Message Text=">>> Building AKV project for netfx [$(BuildAkvProperties)]" />
+    <MSBuild Projects="@(AKVProvider)" Properties="$(BuildAkvProperties);" />
+
+    <PropertyGroup>
+      <BuildAkvProperties>$(CI);TestTargetOS=$(TestOS)netcoreapp;$(ProjectProperties);Platform=AnyCPU;OSGroup=Unix;</BuildAkvProperties>
+    </PropertyGroup>
+    <Message Text=">>> Building AKV project for netcore/unix [$(BuildAkvProperties)]" />
+    <MSBuild Projects="@(AKVProvider)" Properties="$(BuildAkvProperties)" RemoveProperties="TargetsWindows;TargetsUnix;" />
+
+    <PropertyGroup>
+      <BuildAkvProperties>$(CI);TestTargetOS=$(TestOS)netcoreapp;$(ProjectProperties);Platform=AnyCPU;OSGroup=Windows_NT</BuildAkvProperties>
+    </PropertyGroup>
+    <Message Text=">>> Building AKV project for netcore/windows [$(BuildAkvProperties)]" />
+    <MSBuild Projects="@(AKVProvider)" Properties="$(BuildAkvProperties);" RemoveProperties="TargetsWindows;TargetsUnix;" />
+
+    <PropertyGroup>
+      <BuildAkvProperties>$(CI);TestTargetOS=$(TestOS)netcoreapp;$(ProjectProperties);Platform=AnyCPU;OSGroup=AnyOS;</BuildAkvProperties>
+    </PropertyGroup>
+    <Message Text=">>> Building AKV project for netcore/anyos [$(BuildAkvProperties)]" />
+    <MSBuild Projects="@(AKVProvider)" Properties="$(BuildAkvProperties)" RemoveProperties="TargetsWindows;TargetsUnix;" />
+  </Target>
+
   <Target Name="BuildAKVNetFx" Condition="'$(IsEnabledWindows)' == 'true'">
     <MSBuild Projects="@(AKVProvider)" Targets="restore" Properties="TestTargetOS=$(TestOS)netfx" />
     <Message Text=">>> Building AKVNetFx [$(CI);TestTargetOS=$(TestOS)netfx;Platform=AnyCPU;$(TestProjectProperties)] ..." Condition="!$(ReferenceType.Contains('Package'))"/>

eng/pipelines/akv-official-pipeline.yml

@@ -0,0 +1,146 @@
+#################################################################################
+# Licensed to the .NET Foundation under one or more agreements.                 #
+# The .NET Foundation licenses this file to you under the MIT license.          #
+# See the LICENSE file in the project root for more information.                #
+#################################################################################
+
+name: $(Year:YY)$(DayOfYear)$(Rev:.r)
+
+# @TODO: Add triggers and schedules
+
+parameters:
+    - name: oneBranchType
+      displayName: 'OneBranch template'
+      type: 'string'
+      values:
+          - 'Official'
+          - 'NonOfficial'
+      default: 'Official'
+
+    - name: buildConfiguration
+      displayName: 'Build configuration'
+      type: 'string'
+      values:
+          - 'Release'
+          - 'Debug'
+      default: 'Release'
+
+    - name: publishSymbols
+      displayName: 'Publish symbols'
+      type: 'boolean'
+      default: false
+
+    - name: runSdlTasks
+      displayName: 'Run SDL Tasks'
+      type: 'boolean'
+      default: true
+
+variables:
+    - template: /eng/pipelines/variables/common-variables.yml@self
+    - template: /eng/pipelines/variables/onebranch-variables.yml@self
+    - template: /eng/pipelines/variables/akv-official-variables.yml@self
+
+resources:
+    repositories:
+        - repository: templates
+          type: 'git'
+          name: 'OneBranch.Pipelines/GovernedTemplates'
+          ref: 'refs/heads/main'
+
+extends:
+    template: 'v2/OneBranch.${{ parameters.oneBranchType }}.CrossPlat.yml@templates'
+
+    parameters:
+        featureFlags:
+            WindowsHostVersion:
+                Version: '2022'
+
+        globalSdl:
+            # See https://aka.ms/obpipelines/sdl
+
+            apiscan:
+                enabled: ${{ parameters.runSdlTasks }}
+                softwareFolder: '${{ variables.apiScanDllPath }}'
+                softwareName: 'Microsoft.Data.SqlClient' # Note: This name is registered with ApiScan
+                softwareVersionNum: '${{ variables.assemblyFileVersion }}'
+                symbolsFolder: '${{ variables.apiScanPdbPath }}'
+
+            armory:
+                enabled: ${{ parameters.runSdlTasks }}
+                break: true
+
+            asyncSdl:
+                # If this should be enabled, move supported tools under this item,
+                # see https://aka.ms/obpipelines/asyncsdl
+                enabled: false
+
+            binskim:
+                enabled: ${{ parameters.runSdlTasks }}
+                break: true
+
+            codeinspector:
+                enabled: ${{ parameters.runSdlTasks }}
+                logLevel: Error
+
+            codeql:
+                enabled: ${{ parameters.runSdlTasks }}
+                sourceRoot: '$(REPO_ROOT)/src/Microsoft.Data.SqlClient/add-ons/AzureKeyVaultProvider'
+                # Note, this can only be done if project doesn't depend on other projects. In
+                #    package reference mode, this is true, but if we ever enable project reference
+                #    builds, this will have to be removed.
+
+            credscan:
+                enabled: ${{ parameters.runSdlTasks }}
+                suppressionsFile: '$(REPO_ROOT)/.config/CredScanSuppressions.json'
+
+            eslint:
+                enabled: false
+
+            policheck:
+                enabled: ${{ parameters.runSdlTasks }}
+                break: true
+                exclusionFile: '$(REPO_ROOT)/.config/PolicheckExclusions.xml'
+
+            roslyn:
+                enabled: ${{ parameters.runSdlTasks }}
+                break: true
+                # Requires RoslynAnalyzers task to be added after build task
+
+            publishLogs:
+                enabled: ${{ parameters.runSdlTasks }}
+
+            sbom:
+                enabled: ${{ parameters.runSdlTasks }}
+                packageName: 'Microsoft.Data.SqlClient.AlwaysEncrypted.AzureKeyVaultProvider'
+                packageVersion: ${{ variables.nugetPackageVersion }}
+
+            tsa:
+                # OneBranch publishes all sdl results to TSA. If TSA is disabled all SDL tools will
+                # be forced into 'break' build mode.
+                enabled: ${{ eq(parameters.oneBranchType, 'Official') }}
+                configFile: '$(REPO_ROOT)/.config/tsaoptions.json'
+
+        stages:
+            - stage: BuildAkv
+              displayName: 'Build AKV'
+              jobs:
+                  - template: /eng/pipelines/jobs/build-akv-official-job.yml@self
+                    parameters:
+                        apiScanDllPath: '${{ variables.apiScanDllPath }}'
+                        apiScanPdbPath: '${{ variables.apiScanPdbPath }}'
+                        assemblyFileVersion: '${{ variables.assemblyFileVersion }}'
+                        buildConfiguration: '${{ parameters.buildConfiguration }}'
+                        nugetPackageVersion: '${{ variables.nugetPackageVersion }}'
+                        mdsPackageVersion: '${{ variables.mdsPackageVersion }}'
+                        publishSymbols: '${{ parameters.publishSymbols }}'
+                        signingAppRegistrationClientId: '$(SigningAppRegistrationClientId)'
+                        signingAppRegistrationTenantId: '$(SigningAppRegistrationTenantId)'
+                        signingAkvName: '$(SigningAkvName)'
+                        signingAuthCertName: '$(SigningAuthCertName)'
+                        signingConnectedServiceName: '$(SigningConnectedServiceName)'
+                        signingSignCertName: '$(SigningSignCertName)'
+                        symbolsAzureSubscription: '$(SymbolsAzureSubscription)'
+                        symbolsPublishProjectName: '$(SymbolsPublishProjectName)'
+                        symbolsPublishServer: '$(SymbolsPublishServer)'
+                        symbolsPublishTokenUri: '$(SymbolsPublishTokenUri)'
+                        symbolsUploadAccount: '$(SymbolsUploadAccount)'

eng/pipelines/jobs/build-akv-official-job.yml

@@ -0,0 +1,154 @@
+#################################################################################
+# Licensed to the .NET Foundation under one or more agreements.                 #
+# The .NET Foundation licenses this file to you under the MIT license.          #
+# See the LICENSE file in the project root for more information.                #
+#################################################################################
+
+parameters:
+    - name: apiScanDllPath
+      type: string
+
+    - name: apiScanPdbPath
+      type: string
+
+    - name: assemblyFileVersion
+      type: string
+
+    - name: buildConfiguration
+      type: string
+
+    - name: nugetPackageVersion
+      type: string
+
+    - name: mdsPackageVersion
+      type: string
+
+    - name: publishSymbols
+      type: boolean
+
+    - name: signingAppRegistrationClientId
+      type: string
+
+    - name: signingAppRegistrationTenantId
+      type: string
+
+    - name: signingAkvName
+      type: string
+
+    - name: signingAuthCertName
+      type: string
+
+    - name: signingConnectedServiceName
+      type: string
+
+    - name: signingSignCertName
+      type: string
+
+    - name: symbolsAzureSubscription
+      type: string
+
+    - name: symbolsPublishProjectName
+      type: string
+
+    - name: symbolsPublishServer
+      type: string
+
+    - name: symbolsPublishTokenUri
+      type: string
+
+    - name: symbolsUploadAccount
+      type: string
+
+    # @TODO: This should be determined from build output, or at a higher level
+    - # Note: not intended to be passed in, is only used for copying files for ApiScan.
+      # This is only defined as a parameter since ADO pipelines do not support array variables.
+      name: targetFrameworks
+      type: object
+      default:
+          - net462
+          - net8.0
+          - net9.0
+
+jobs:
+    - job: buildSignedAkvPackage
+      displayName: 'Build Signed AKV Package'
+      pool:
+          type: windows
+
+      variables:
+          ob_outputDirectory: '$(ARTIFACT_PATH)'
+
+      steps:
+          - template: ../steps/script-output-environment-variables-step.yml@self
+
+          - powershell: |
+                $jsonParams = '${{ convertToJson(parameters) }}' -replace '\\', '\\'
+                $jsonParams | ConvertFrom-Json | Format-List
+            displayName: 'Output Job Parameters'
+
+          - template: ../steps/compound-build-akv-step.yml@self
+            parameters:
+                assemblyFileVersion: '${{ parameters.assemblyFileVersion }}'
+                buildConfiguration: '${{ parameters.buildConfiguration }}'
+                mdsPackageVersion: '${{ parameters.mdsPackageVersion }}'
+
+          - ${{ each targetFramework in parameters.targetFrameworks }}:  
+              - template: ../steps/compound-extract-akv-apiscan-files-step.yml
+                parameters:
+                    buildConfiguration: '${{ parameters.buildConfiguration }}'
+                    dllPath: '${{ parameters.apiScanDllPath }}'
+                    pdbPath: '${{ parameters.apiScanPdbPath }}'
+                    referenceType: Package
+                    targetFramework: '${{ targetFramework }}'
+
+          - template: ../steps/roslyn-analyzers-akv-step.yml@self
+            parameters:
+                buildConfiguration: '${{ parameters.buildConfiguration }}'
+                mdsPackageVersion: '${{ parameters.mdsPackageVersion }}'
+
+          - template: ../steps/compound-esrp-code-signing-step.yml@self
+            parameters:
+                akvName: '${{ parameters.signingAkvName }}'
+                appRegistrationClientId: '${{ parameters.signingAppRegistrationClientId }}'
+                appRegistrationTenantId: '${{ parameters.signingAppRegistrationTenantId }}'
+                artifactType: 'dll'
+                authCertName: '${{ parameters.signingAuthCertName }}'
+                connectedServiceName: '${{ parameters.signingConnectedServiceName }}'
+                signingCertName: '${{ parameters.signingSignCertName }}'
+
+          - template: ../steps/compound-nuget-pack-step.yml@self
+            parameters:
+                buildConfiguration: '${{ parameters.buildConfiguration }}'
+                generateSymbolsPackage: true    # Always generate symbols, even if they are not published
+                packageVersion: '${{ parameters.nugetPackageVersion }}'
+                nuspecPath: '$(REPO_ROOT)/tools/specs/add-ons/$(PACKAGE_NAME).nuspec'
+                outputDirectory: '$(ARTIFACT_PATH)'
+                referenceType: 'Package'
+
+          - template: ../steps/compound-esrp-code-signing-step.yml@self
+            parameters:
+                akvName: '${{ parameters.signingAkvName }}'
+                appRegistrationClientId: '${{ parameters.signingAppRegistrationClientId }}'
+                appRegistrationTenantId: '${{ parameters.signingAppRegistrationTenantId }}'
+                artifactType: 'pkg'
+                authCertName: '${{ parameters.signingAuthCertName }}'
+                connectedServiceName: '${{ parameters.signingConnectedServiceName }}'
+                signingCertName: '${{ parameters.signingSignCertName }}'
+
+          - ${{ if parameters.publishSymbols }}:
+            - template: ../steps/compound-publish-symbols-step.yml@self
+              parameters:
+                  artifactName: 'akv_symbols_$(System.TeamProject)_$(Build.Repository.Name)_$(Build.SourceBranchName)_${{ parameters.nugetPackageVersion }}_$(System.TimelineId)'
+                  azureSubscription: '${{ parameters.symbolsAzureSubscription }}'
+                  publishProjectName: '${{ parameters.symbolsPublishProjectName }}'
+                  packageName: '$(PACKAGE_NAME)'
+                  publishServer: '${{ parameters.symbolsPublishServer }}'
+                  publishToInternal: true
+                  publishToPublic: true
+                  publishTokenUri: '${{ parameters.symbolsPublishTokenUri }}'
+                  referenceType: 'Package'
+                  searchPattern: |
+                      Windows_NT/${{ parameters.buildConfiguration }}.AnyCPU/AzureKeyVaultProvider/**/$(PACKAGE_NAME).pdb
+                      AnyOS/${{ parameters.buildConfiguration }}.AnyCPU/AzureKeyVaultProvider/**/$(PACKAGE_NAME).pdb
+                  uploadAccount: '${{ parameters.symbolsUploadAccount }}'
+                  version: '${{ parameters.nugetPackageVersion }}'

eng/pipelines/steps/compound-build-akv-step.yml

@@ -0,0 +1,54 @@
+#################################################################################
+# Licensed to the .NET Foundation under one or more agreements.                 #
+# The .NET Foundation licenses this file to you under the MIT license.          #
+# See the LICENSE file in the project root for more information.                #
+#################################################################################
+
+# @TODO: This can probably be made generic and pass in the command lines for msbuild
+#        BUT, they should be kept separate by now as we rebuild build.proj in parallel, we won't
+#        affect >1 project at a time.
+# @TODO: NugetPackageVersion should not be used for MDS package version
+
+parameters:
+    - name: assemblyFileVersion
+      type: string
+
+    - name: buildConfiguration
+      type: string
+
+    - name: mdsPackageVersion
+      type: string
+
+steps:
+    - task: DownloadSecureFile@1
+      displayName: 'Download Signing Key'
+      inputs:
+          retryCount: 5
+          secureFile: 'netfxKeypair.snk'
+
+    - task: UseDotNet@2
+      displayName: 'Install .NET 9.x SDK'
+      inputs:
+          packageType: 'sdk'
+          version: '9.x'
+
+    - task: UseDotNet@2
+      displayName: 'Install .NET 8.x Runtime'
+      inputs:
+          packageType: 'runtime'
+          version: '8.x'
+
+    - task: MSBuild@1
+      displayName: 'Build.proj - BuildAkv'
+      inputs:
+          solution: '$(REPO_ROOT)/build.proj'
+          configuration: '${{ parameters.buildConfiguration }}'
+          msbuildArguments: >-
+              -t:BuildAkv
+              -p:AssemblyFileVersion=${{ parameters.assemblyFileVersion }}
+              -p:NugetPackageVersion=${{ parameters.mdsPackageVersion }}
+              -p:ReferenceType=Package
+              -p:SigningKeyPath=$(Agent.TempDirectory)/netfxKeypair.snk
+
+    - script: tree /a /f $(BUILD_OUTPUT)
+      displayName: Output Build Output Tree