MicroBuild to 1ES PT template transition (#246)

Co-authored-by: Andrew Arnott <andrew.arnott@microsoft.com>
microsoft · Jan 26, 2024 · 89ada64 · 89ada64
1 parent 5f486de
commit 89ada64
Show file tree

Hide file tree

Showing 6 changed files with 141 additions and 56 deletions.
diff --git a/.vscode/settings.json b/.vscode/settings.json
@@ -2,6 +2,7 @@
   "files.trimTrailingWhitespace": true,
   "files.insertFinalNewline": true,
   "files.trimFinalNewlines": true,
+  "azure-pipelines.1ESPipelineTemplatesSchemaFile": true,
   "omnisharp.enableEditorConfigSupport": true,
   "omnisharp.enableRoslynAnalyzers": true,
   "dotnet.completion.showCompletionItemsFromUnimportedNamespaces": true,

diff --git a/azure-pipelines/build.yml b/azure-pipelines/build.yml
@@ -3,6 +3,14 @@ parameters:
   type: object
   default:
     vmImage: windows-2022
+- name: linuxPool
+  type: object
+  default:
+    vmImage: ubuntu-20.04
+- name: macOSPool
+  type: object
+  default:
+    vmImage: macOS-12
 - name: includeMacOS
   type: boolean
 - name: RunTests
@@ -14,6 +22,17 @@ parameters:
 - name: EnableAPIScan
   type: boolean
   default: false
+- name: artifact_names
+  type: object
+  default:
+  - build_logs
+  - coverageResults
+  - deployables
+  - projectAssetsJson
+  - symbols
+  - testResults
+  - test_symbols
+  - Variables
 
 jobs:
 - job: Windows
@@ -23,6 +42,25 @@ jobs:
   - ${{ if eq(variables['system.collectionId'], '011b8bdf-6d56-4f87-be0d-0092136884d9') }}:
     # https://dev.azure.com/devdiv/DevDiv/_wiki/wikis/DevDiv.wiki/25351/APIScan-step-by-step-guide-to-setting-up-a-Pipeline
     - group: VSCloudServices-APIScan # Expected to provide ApiScanClientId, ApiScanSecret, ApiScanTenant
+  ${{ if eq(variables['system.collectionId'], '011b8bdf-6d56-4f87-be0d-0092136884d9') }}:
+    templateContext:
+      outputParentDirectory: $(Build.ArtifactStagingDirectory)
+      outputs:
+      - ${{ each artifact_name in parameters.artifact_names }}:
+        - output: pipelineArtifact
+          displayName: 📢 Publish ${{ artifact_name }}-Windows
+          targetPath: $(Build.ArtifactStagingDirectory)/${{ artifact_name }}-Windows
+          artifactName: ${{ artifact_name }}-Windows
+      - output: pipelineArtifact
+        displayName: 📢 Publish VSInsertion-Windows
+        targetPath: $(Build.ArtifactStagingDirectory)/VSInsertion-Windows
+        artifactName: VSInsertion-Windows
+      # This is useful when false positives appear so we can copy some of the output into the suppressions file.
+      - output: pipelineArtifact
+        displayName: 📢 Publish Guardian failures
+        targetPath: $(Build.ArtifactStagingDirectory)/guardian_failures_as_suppressions
+        artifactName: guardian_failures_as_suppressions
+        condition: failed()
   steps:
   - checkout: self
     fetchDepth: 0 # avoid shallow clone so nbgv can do its work.
@@ -52,8 +90,16 @@ jobs:
   - template: expand-template.yml
 
 - job: Linux
-  pool:
-    vmImage: Ubuntu 20.04
+  pool: ${{ parameters.linuxPool }}
+  ${{ if eq(variables['system.collectionId'], '011b8bdf-6d56-4f87-be0d-0092136884d9') }}:
+    templateContext:
+      outputParentDirectory: $(Build.ArtifactStagingDirectory)
+      outputs:
+      - ${{ each artifact_name in parameters.artifact_names }}:
+        - output: pipelineArtifact
+          displayName: 📢 Publish ${{ artifact_name }}-Linux
+          targetPath: $(Build.ArtifactStagingDirectory)/${{ artifact_name }}-Linux
+          artifactName: ${{ artifact_name }}-Linux
   steps:
   - checkout: self
     fetchDepth: 0 # avoid shallow clone so nbgv can do its work.
@@ -68,8 +114,16 @@ jobs:
 
 - job: macOS
   condition: ${{ parameters.includeMacOS }}
-  pool:
-    vmImage: macOS-12
+  pool: ${{ parameters.macOSPool }}
+  ${{ if eq(variables['system.collectionId'], '011b8bdf-6d56-4f87-be0d-0092136884d9') }}:
+    templateContext:
+      outputParentDirectory: $(Build.ArtifactStagingDirectory)
+      outputs:
+      - ${{ each artifact_name in parameters.artifact_names }}:
+        - output: pipelineArtifact
+          displayName: 📢 Publish ${{ artifact_name }}-macOS
+          targetPath: $(Build.ArtifactStagingDirectory)/${{ artifact_name }}-macOS
+          artifactName: ${{ artifact_name }}-macOS
   steps:
   - checkout: self
     fetchDepth: 0 # avoid shallow clone so nbgv can do its work.

diff --git a/azure-pipelines/dotnet.yml b/azure-pipelines/dotnet.yml
@@ -15,10 +15,17 @@ steps:
   displayName: ⚙ Update pipeline variables based on build outputs
   condition: succeededOrFailed()
 
-- powershell: azure-pipelines/artifacts/_pipelines.ps1 -ArtifactNameSuffix "-$(Agent.JobName)" -Verbose
-  failOnStderr: true
-  displayName: 📢 Publish artifacts
-  condition: succeededOrFailed()
+- ${{ if eq(variables['system.collectionId'], '011b8bdf-6d56-4f87-be0d-0092136884d9') }}:
+  - powershell: azure-pipelines/artifacts/_pipelines.ps1 -StageOnly -AvoidSymbolicLinks -ArtifactNameSuffix "-$(Agent.JobName)" -Verbose
+    failOnStderr: true
+    displayName: 📢 Publish artifacts
+    condition: succeededOrFailed()
+
+- ${{ if ne(variables['system.collectionId'], '011b8bdf-6d56-4f87-be0d-0092136884d9') }}:
+  - powershell: azure-pipelines/artifacts/_pipelines.ps1 -ArtifactNameSuffix "-$(Agent.JobName)" -Verbose
+    failOnStderr: true
+    displayName: 📢 Publish artifacts
+    condition: succeededOrFailed()
 
 - ${{ if and(ne(variables['codecov_token'], ''), parameters.RunTests) }}:
   - powershell: |

diff --git a/azure-pipelines/microbuild.after.yml b/azure-pipelines/microbuild.after.yml
@@ -10,10 +10,6 @@ steps:
       $(Build.SourcesDirectory)/bin/Packages/$(BuildConfiguration)/NuGet
   condition: and(succeeded(), eq(variables['Agent.OS'], 'Windows_NT'))
 
-- task: MicroBuildCleanup@1
-  condition: succeededOrFailed()
-  displayName: ⚙️ MicroBuild Cleanup
-
 - task: Ref12Analyze@0
   displayName: 📑 Ref12 (Codex) Analyze
   inputs:

diff --git a/azure-pipelines/official.yml b/azure-pipelines/official.yml
@@ -42,24 +42,75 @@ parameters:
   type: boolean
   default: true
 
-stages:
+resources:
+  repositories:
+  - repository: MicroBuildTemplate
+    type: git
+    name: 1ESPipelineTemplates/MicroBuildTemplate
+    ref: refs/tags/release
 
-- stage: Build
-  variables:
-    DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true
-    BuildConfiguration: Release
-    NUGET_PACKAGES: $(Agent.TempDirectory)/.nuget/packages
-    SignTypeSelection: ${{ parameters.SignTypeSelection }}
-    Packaging.EnableSBOMSigning: false
-    Codeql.Enabled: true
-
-  jobs:
-  - template: build.yml
+extends:
+  ${{ if parameters.EnableCompliance }}:
+    template: azure-pipelines/MicroBuild.1ES.Official.yml@MicroBuildTemplate
     parameters:
-      EnableCompliance: ${{ parameters.EnableCompliance }}
-      EnableAPIScan: ${{ parameters.EnableAPIScan }}
-      windowsPool: VSEngSS-MicroBuild2022-1ES
-      includeMacOS: ${{ parameters.includeMacOS }}
-      RunTests: ${{ parameters.RunTests }}
-
-- template: prepare-insertion-stages.yml
+      sdl:
+        sourceAnalysisPool: VSEngSS-MicroBuild2022-1ES
+      stages:
+      - stage: Build
+        variables:
+          DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true
+          BuildConfiguration: Release
+          NUGET_PACKAGES: $(Agent.TempDirectory)/.nuget/packages
+          SignTypeSelection: ${{ parameters.SignTypeSelection }}
+          Packaging.EnableSBOMSigning: false
+          Codeql.Enabled: true
+        jobs:
+        - template: /azure-pipelines/build.yml@self
+          parameters:
+            EnableCompliance: ${{ parameters.EnableCompliance }}
+            EnableAPIScan: ${{ parameters.EnableAPIScan }}
+            windowsPool: VSEngSS-MicroBuild2022-1ES
+            linuxPool:
+              name: AzurePipelines-EO
+              demands:
+              - ImageOverride -equals AzurePipelinesUbuntu20.04compliantGPT
+              os: Linux
+            macOSPool:
+              name: Azure Pipelines
+              vmImage: macOS-12
+              os: macOS
+            includeMacOS: ${{ parameters.includeMacOS }}
+            RunTests: ${{ parameters.RunTests }}
+      - template: /azure-pipelines/prepare-insertion-stages.yml@self
+  ${{ else }}:
+    template: azure-pipelines/MicroBuild.1ES.Unofficial.yml@MicroBuildTemplate
+    parameters:
+      sdl:
+        sourceAnalysisPool: VSEngSS-MicroBuild2022-1ES
+      stages:
+      - stage: Build
+        variables:
+          DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true
+          BuildConfiguration: Release
+          NUGET_PACKAGES: $(Agent.TempDirectory)/.nuget/packages
+          SignTypeSelection: ${{ parameters.SignTypeSelection }}
+          Packaging.EnableSBOMSigning: false
+          Codeql.Enabled: true
+        jobs:
+        - template: /azure-pipelines/build.yml@self
+          parameters:
+            EnableCompliance: ${{ parameters.EnableCompliance }}
+            EnableAPIScan: ${{ parameters.EnableAPIScan }}
+            windowsPool: VSEngSS-MicroBuild2022-1ES
+            linuxPool:
+              name: AzurePipelines-EO
+              demands:
+              - ImageOverride -equals AzurePipelinesUbuntu20.04compliantGPT
+              os: Linux
+            macOSPool:
+              name: Azure Pipelines
+              vmImage: macOS-12
+              os: macOS
+            includeMacOS: ${{ parameters.includeMacOS }}
+            RunTests: ${{ parameters.RunTests }}
+      - template: /azure-pipelines/prepare-insertion-stages.yml@self
diff --git a/azure-pipelines/secure-development-tools.yml b/azure-pipelines/secure-development-tools.yml
@@ -6,18 +6,8 @@ steps:
 - powershell: echo "##vso[build.addbuildtag]compliance"
   displayName: 🏷️ Tag run with 'compliance'
 
-- task: CredScan@3
-  displayName: 🔍 Run CredScan
-
-- task: PoliCheck@2
-  displayName: 🔍 Run PoliCheck
-  inputs:
-    targetType: F
-    targetArgument: $(System.DefaultWorkingDirectory)
-    optionsUEPATH: $(System.DefaultWorkingDirectory)\azure-pipelines\PoliCheckExclusions.xml
-
 - task: CopyFiles@2
-  displayName: 📂 Collect APIScan/BinSkim inputs
+  displayName: 📂 Collect APIScan inputs
   inputs:
     SourceFolder: $(Build.ArtifactStagingDirectory)/Symbols-$(Agent.JobName)
     # Exclude any patterns from the Contents (e.g. `!**/git2*`) that we have symbols for but do not need to run APIScan on.
@@ -29,14 +19,6 @@ steps:
       !**/osx*/**
     TargetFolder: $(Build.ArtifactStagingDirectory)/APIScanInputs
 
-- task: BinSkim@4
-  displayName: 🔍 Run BinSkim
-  inputs:
-    InputType: Basic
-    Function: analyze
-    TargetPattern: guardianGlob
-    AnalyzeTargetGlob: $(Build.ArtifactStagingDirectory)/APIScanInputs/**/*.dll;$(Build.ArtifactStagingDirectory)/APIScanInputs/**/*.exe
-
 - task: APIScan@2
   displayName: 🔍 Run APIScan
   inputs:
@@ -72,9 +54,3 @@ steps:
     GdnBreakSuppressionSets: falsepositives
     GdnBreakOutputSuppressionFile: $(Build.ArtifactStagingDirectory)/guardian_failures_as_suppressions/
     GdnBreakOutputSuppressionSet: falsepositives
-
-# This is useful when false positives appear so we can copy some of the output into the suppressions file.
-- publish: $(Build.ArtifactStagingDirectory)/guardian_failures_as_suppressions
-  artifact: guardian_failures_as_suppressions
-  displayName: 🔍 Publish Guardian failures
-  condition: failed()