Enable 1ES PT to be compliant for all production pipelines (microsoft…

…#29702)

.devops/CredScanSuppressions.json

@@ -0,0 +1,37 @@
+{
+  "tool": "Credential Scanner",
+  "suppressions": [
+    {
+      "file": ".git/config",
+      "_justification": "Standard token for CI pipeline"
+    },
+    {
+      "file": "node_modules/node-ipc/local-node-ipc-certs/private/oldclient.key",
+      "_justification": "External dependency node-ipc, not shipping these files"
+    },
+    {
+      "file": "node_modules/node-ipc/local-node-ipc-certs/private/server.key",
+      "_justification": "External dependency node-ipc, not shipping these files"
+    },
+    {
+      "file": "node_modules/node-ipc/local-node-ipc-certs/private/oldserver.key",
+      "_justification": "External dependency node-ipc, not shipping these files"
+    },
+    {
+      "file": "node_modules/node-ipc/local-node-ipc-certs/private/client.key",
+      "_justification": "External dependency node-ipc, not shipping these files"
+    },
+    {
+      "file": "node_modules/danger/node_modules/agent-base/test/ssl-cert-snakeoil.key",
+      "_justification": "External dependency danger has dependency agent-base with test certs, not shipping these files"
+    },
+    {
+      "file": "node_modules/danger/node_modules/http-proxy-agent/test/ssl-cert-snakeoil.key",
+      "_justification": "External dependency danger has dependency http-proxy-agent with test certs, not shipping these files"
+    },
+    {
+      "file": "node_modules/rollup-plugin-filesize/node_modules/node-gyp/test/fixtures/server.key",
+      "_justification": "External dependency rollup-plugin-filesize has dependency node-gyp with test certs, not shipping these files"
+    }
+  ]
+}

.devops/templates/build-test-lint.yml

@@ -0,0 +1,48 @@
+steps:
+  - template: tools.yml
+
+  - task: Bash@3
+    inputs:
+      filePath: yarn-ci.sh
+    displayName: yarn (install packages)
+
+  - script: |
+      yarn nx run @fluentui/workspace-plugin:check-graph
+      yarn nx g @fluentui/workspace-plugin:tsconfig-base-all --verify
+      yarn nx g @fluentui/workspace-plugin:normalize-package-dependencies --verify
+
+    displayName: Workspace lint
+
+  - script: |
+      # @fluentui/api-docs is used within apps/public-docsite-resources/just.config.ts, thus it needs to be build in advance
+      yarn workspace @fluentui/api-docs build
+      # @fluentui/digest is used within packages/fluentui/perf-test-northstar/just.config.ts, thus it needs to be build in advance
+      yarn workspace @fluentui/digest build
+      yarn tsc -p ./tsconfig.json
+    displayName: Type-check just.config.ts files
+
+  - script: |
+      yarn check:installed-dependencies-versions
+    displayName: 'check packages: installed dependencies versions'
+
+  - script: |
+      if [[ -n "$(targetBranch)" ]]; then
+        yarn format --since $(targetBranch) --check
+      else
+        yarn format --all --check
+      fi
+    displayName: check formatting
+
+  ## Danger.js checks for Fluent UI N*
+  - script: |
+      DANGER_DISABLE_TRANSPILATION="true" yarn danger ci
+    displayName: danger
+    condition: eq(variables.isPR, true)
+    env:
+      DANGER_GITHUB_API_TOKEN: $(DANGER_GITHUB_API_TOKEN)
+
+  - script: |
+      yarn buildci $(sinceArg)
+    displayName: build, test, lint, test-ssr
+
+  - template: cleanup.yml

.devops/templates/deployE2E.yml

@@ -0,0 +1,46 @@
+steps:
+  - template: tools.yml
+
+  - task: Bash@3
+    inputs:
+      filePath: yarn-ci.sh
+    displayName: yarn
+
+  # this also builds FUI N* docs if appropriate
+  - script: |
+      yarn bundle  $(sinceArg)
+    displayName: bundle
+
+  - script: |
+      yarn lage build-storybook  --verbose $(sinceArg)
+    displayName: build Storybooks
+
+  ## This runs regardless of scope, the app will adapt to the scope as well
+  - script: |
+      yarn workspace @fluentui/pr-deploy-site generate:site
+    displayName: generate PR Deploy Site
+
+  - task: AzureUpload@2
+    displayName: Upload PR deploy site
+    inputs:
+      azureSubscription: $(azureSubscription)
+      BlobPrefix: $(deployBasePath)
+      ContainerName: '$web'
+      SourcePath: 'apps/pr-deploy-site/dist'
+      storage: $(azureStorage)
+
+  - task: GithubPRStatus@0
+    displayName: 'Update PR deploy site github status'
+    inputs:
+      githubOwner: microsoft
+      githubRepo: fluentui
+      githubContext: 'Pull request demo site'
+      githubDescription: 'Click "Details" to go to the deployed demo site for this pull request'
+      # This MUST have a trailing slash, or the links to PR deploy site assets won't work
+      githubTargetLink: $(deployUrl)/
+
+  - script: |
+      yarn e2e $(sinceArg)
+    displayName: Cypress E2E tests
+
+  - template: cleanup.yml

azure-pipelines-ci.yml

@@ -0,0 +1,62 @@
+pr: none
+
+trigger: none
+
+variables:
+  - ${{ if not(startsWith(variables['Build.SourceBranch'], 'refs/heads/')) }}:
+      - name: sinceArg
+        value: --since $(targetBranch)
+
+  - group: fabric-variables
+
+  - template: .devops/templates/variables.yml
+
+resources:
+  repositories:
+    - repository: 1esPipelines
+      type: git
+      name: 1ESPipelineTemplates/1ESPipelineTemplates
+      ref: refs/tags/release
+
+extends:
+  template: v1/1ES.Official.PipelineTemplate.yml@1esPipelines
+  parameters:
+    pool:
+      name: Azure-Pipelines-1ESPT-ExDShared
+      image: windows-latest
+      os: windows # We need windows because compliance task only run on windows.
+    customBuildTags: null # send empty tags since it is not supported on GH repo's for PR's
+    customLogIssues: null # send empty tags since it is not supported on GH repo's for PR's
+    stages:
+      - stage: main
+        jobs:
+          - job: BuildTestLint
+            pool:
+              name: '1ES-Host-Ubuntu'
+              image: '1ES-PT-Ubuntu-20.04'
+              os: linux
+            workspace:
+              clean: all
+            steps:
+              - template: .devops/templates/build-test-lint.yml@self
+
+          - job: DeployE2E
+            displayName: Deploy and E2E
+            workspace:
+              clean: all
+            pool:
+              name: '1ES-Host-Ubuntu'
+              image: '1ES-PT-Ubuntu-20.04'
+              os: linux
+            templateContext:
+              outputs:
+                - output: pipelineArtifact
+                  targetPath: $(System.DefaultWorkingDirectory)/apps/pr-deploy-site/dist
+                  artifactName: web
+            steps:
+              - template: .devops/templates/deployE2E.yml@self
+
+              # False positive AV. Wi'l follow up with AV owners. For now to get compliant deleting file before.
+              - script: |
+                  rm apps/pr-deploy-site/dist/public-docsite-v9/storybook/407.13419a99614bf685f100.manager.bundle.js
+                displayName: 'Remove false positive file'

azure-pipelines-pr.yml

@@ -0,0 +1,31 @@
+pr:
+  - master
+
+# There's a separate pipeline for CI which also uses this file, but with a trigger override in the UI
+# https://dev.azure.com/uifabric/fabricpublic/_apps/hub/ms.vss-ciworkflow.build-ci-hub?_a=edit-build-definition&id=164&view=Tab_Triggers
+trigger: none
+
+variables:
+  - ${{ if not(startsWith(variables['Build.SourceBranch'], 'refs/heads/')) }}:
+      - name: sinceArg
+        value: --since $(targetBranch)
+
+  - group: fabric-variables
+
+  - template: .devops/templates/variables.yml
+
+pool: '1ES-Host-Ubuntu'
+
+jobs:
+  - job: BuildTestLint
+    workspace:
+      clean: all
+    steps:
+      - template: .devops/templates/build-test-lint.yml
+
+  - job: DeployE2E
+    displayName: Deploy and E2E
+    workspace:
+      clean: all
+    steps:
+      - template: .devops/templates/deployE2E.yml