[ci] Enable api scan on dnceng (#30984)

* [ci] List dlls

* Fix steps

* Again

* Again

* yml

* Execute post steps

* Try run apiscan

* Try add ids

* TRY AGAIN

* Try 1ES tasks

* Fxi ident

* Remove publish

* Try template context

* isProduction

* try outputs

* not release job

* Fix artifact name

* Try again fix variables

* Try push metadat files

* Try hardcode

* Try again

* Update variables

Author: rmarinho

eng/pipelines/arcade/stage-api-scan.yml

@@ -0,0 +1,79 @@
+# Template for APIScan stage
+
+parameters:
+- name: prepareSteps
+  type: stepList
+  default: []
+- name: postSteps
+  type: stepList
+  default: []
+- name: pool
+  type: object
+- name: dependsOnStage
+  type: object
+  default: []
+- name: softwareName
+  type: string
+  default: 'MAUI'
+- name: softwareVersion
+  type: string
+  default: '9.0'
+- name: softwareBuildNum
+  type: string
+  default: '$(Build.BuildId)'
+- name: softwareFolder
+  type: string
+  default: '$(Agent.TempDirectory)/APIScanFiles'
+- name: AppId
+  type: string
+  default: $(ApiScanAppId)
+- name: TenantId
+  type: string
+  default: $(ApiScanTenantId)
+- name: ServiceConnectionId
+  type: string
+  default: $(ApiScanServiceConnectionId)
+
+stages:
+- stage: APIScan
+  displayName: Run APIScan
+  dependsOn: ${{ parameters.dependsOnStage }}
+  jobs:
+  - job: api_scan
+    displayName: APIScan Job
+    pool: ${{ parameters.pool }}
+    templateContext:
+      type: releaseJob
+      isProduction: true
+      inputs:
+      - input: pipelineArtifact
+        artifactName: APIScanFiles
+        targetPath: ${{ parameters.softwareFolder }}
+    steps:
+    - ${{ each step in parameters.prepareSteps }}:
+      - ${{ each pair in step }}:
+          ${{ pair.key }}: ${{ pair.value }}
+
+    - task: APIScan@2
+      displayName: Run APIScan
+      inputs:
+        softwareFolder: ${{ parameters.softwareFolder }}
+        softwareName: ${{ parameters.softwareName }}
+        softwareVersionNum: ${{ parameters.softwareVersion }}
+        softwareBuildNum: ${{ parameters.softwareBuildNum }}
+        azureSubscription: 'dotnet-apiscan'
+      env:
+        AzureServicesAuthConnectionString: RunAs=App;AppId=${{ parameters.AppId }};TenantId=${{ parameters.TenantId }};ServiceConnectionId=${{ parameters.ServiceConnectionId }};
+        SYSTEM_ACCESSTOKEN: $(System.AccessToken)
+
+    - task: PublishSecurityAnalysisLogs@3
+      displayName: Publishing analysis artifacts
+      inputs:
+        ArtifactName: 'CodeAnalysisLogs'
+        ArtifactType: 'Container'
+        AllTools: true
+        ToolLogsNotFoundAction: 'Standard'
+
+    - ${{ each step in parameters.postSteps }}:
+      - ${{ each pair in step }}:
+          ${{ pair.key }}: ${{ pair.value }}

eng/pipelines/arcade/stage-pack.yml

@@ -39,9 +39,19 @@ stages:
       sourceIndexParams: ${{ parameters.sourceIndexParams }}
       publishAssetsImmediately: true
       enablePublishBuildArtifacts: true
-      enablePublishTestResults: true
+      enablePublishTestResults: false
+      templateContext:
+        outputs:
+        - output: pipelineArtifact
+          artifact: APIScanFiles
+          path: $(Agent.TempDirectory)/APIScanFiles
+        - output: pipelineArtifact
+          artifact: Metadata
+          path: $(Agent.TempDirectory)/metadata
+
       workspace:
         clean: all
+
       jobs:
       - job: pack_net_Windows
         displayName: Pack Windows
@@ -56,16 +66,6 @@ stages:
           - ${{ each pair in step }}:
               ${{ pair.key }}: ${{ pair.value }}
 
-        # - script: $(_buildScript)
-        #           -restore -build
-        #           -configuration $(_BuildConfig)
-        #           /p:ArchiveTests=true
-        #           /p:TreatWarningsAsErrors=false
-        #           /p:_SkipUpdateBuildNumber=true
-        #           /bl:$(Build.Arcade.LogsPath)build.binlog
-        #           $(_OfficialBuildIdArgs)
-        #   displayName: 🛠️ Build
-
         # Run on public pipeline
         - ${{ if parameters.runAsPublic }}:
           - script: $(_buildScript) -restore -pack -publish $(_PublishArgs) -configuration $(_BuildConfig) /bl:$(Build.Arcade.LogsPath)/$(_BuildConfig)/pack.binlog $(_OfficialBuildIdArgs)
@@ -79,3 +79,24 @@ stages:
           # only for workloads
           - script: $(_buildScript) -restore -build -sign $(_SignArgs) -publish $(_PublishArgs) -configuration $(_BuildConfig) /bl:$(Build.Arcade.LogsPath)/$(_BuildConfig)/build-workloads.binlog -projects src/Workload/workloads.csproj $(_OfficialBuildIdArgs)
             displayName: Build Workloads, Sign & Publish
+
+        - task: CopyFiles@2
+          displayName: Copy assemblies for APIScan
+          inputs:
+            SourceFolder: '$(Build.SourcesDirectory)\artifacts\bin\Controls.Core'
+            Contents: |
+              **/*.dll
+              **/*.pdb
+            TargetFolder: '$(Agent.TempDirectory)\APIScanFiles'
+
+        - task: CopyFiles@2
+          displayName: Copy Metadata
+          inputs:
+            SourceFolder: '$(Build.SourcesDirectory)\artifacts\packages\$(_BuildConfig)\Shipping\metadata'
+            Contents: |
+              **/*.json
+            TargetFolder: '$(Agent.TempDirectory)\metadata'
+
+        - ${{ each step in parameters.postSteps }}:
+          - ${{ each pair in step }}:
+              ${{ pair.key }}: ${{ pair.value }}

eng/pipelines/arcade/variables.yml

@@ -26,6 +26,12 @@ variables:
   value: false
 - name: _OfficialBuildIdArgs
   value: /p:OfficialBuildId=$(_BuildOfficalId) /p:_SkipUpdateBuildNumber=true
+- name: ApiScanAppId
+  value: cbde2fca-1ca1-47f7-8212-fcdf1a556eb2
+- name: ApiScanTenantId
+  value: 72f988bf-86f1-41af-91ab-2d7cd011db47
+- name: ApiScanServiceConnectionId
+  value: 334a6802-ebad-4fb1-bc3b-105bcc70bda2
 # Produce test-signed build for PR and Public builds
 - ${{ if or(eq(variables['_RunAsPublic'], 'true'), eq(variables['Build.Reason'], 'PullRequest')) }}:
   # needed for darc (dependency flow) publishing

eng/pipelines/azure-pipelines-internal.yml

@@ -95,7 +95,13 @@ extends:
             skipAndroidCreateAvds: true
             skipProvisioning: true
             skipXcode: true
-      # Publish and validation steps. Only run in official builds
+
+    - template: /eng/pipelines/arcade/stage-api-scan.yml@self
+      parameters:
+        pool: ${{ parameters.VM_IMAGE_HOST }}
+        dependsOnStage: Pack
+
+    # Publish and validation steps. Only run in official builds
     - template: /eng/common/templates-official/post-build/post-build.yml@self
       parameters:
         publishingInfraVersion: 3