diff --git a/Expand-Template.ps1 b/Expand-Template.ps1 index 0bc5f44..9ba1f04 100755 --- a/Expand-Template.ps1 +++ b/Expand-Template.ps1 @@ -156,7 +156,7 @@ try { $YmlReplacements = @{ "(?m)^\s+- microbuild`r?`n"="" } - Replace-Placeholders -Path "azure-pipelines\official.yml" -Replacements $YmlReplacements + Replace-Placeholders -Path "azure-pipelines\unofficial.yml" -Replacements $YmlReplacements Replace-Placeholders -Path "azure-pipelines.yml" -Replacements $YmlReplacements $YmlReplacements = @{} diff --git a/azure-pipelines/apiscan.yml b/azure-pipelines/apiscan.yml index af78f15..c3c8aed 100644 --- a/azure-pipelines/apiscan.yml +++ b/azure-pipelines/apiscan.yml @@ -1,6 +1,8 @@ parameters: - name: windowsPool type: object +- name: RealSign + type: boolean jobs: - job: apiscan @@ -9,6 +11,12 @@ jobs: pool: ${{ parameters.windowsPool }} timeoutInMinutes: 120 templateContext: + ${{ if not(parameters.RealSign) }}: + mb: + signing: # if the build is test-signed, install the signing plugin so that CSVTestSignPolicy.xml is available + enabled: true + zipSources: false + signType: test outputs: - output: pipelineArtifact displayName: 📢 collect apiscan artifact diff --git a/azure-pipelines/build.yml b/azure-pipelines/build.yml index 279c10a..1a83058 100644 --- a/azure-pipelines/build.yml +++ b/azure-pipelines/build.yml @@ -313,3 +313,4 @@ jobs: - template: apiscan.yml parameters: windowsPool: ${{ parameters.windowsPool }} + RealSign: ${{ parameters.RealSign }} diff --git a/azure-pipelines/official.yml b/azure-pipelines/official.yml index 35beb81..a9b5b81 100644 --- a/azure-pipelines/official.yml +++ b/azure-pipelines/official.yml 
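Review bot: In the second `azure-pipelines/apiscan.yml` hunk, the reason for the test-signing block sits as a long trailing comment on `signing:`, although it explains the whole conditional `mb` mapping. It would read better on its own line above `${{ if not(parameters.RealSign) }}:`, for example `# Test-signed builds need the signing plugin installed so that CSVTestSignPolicy.xml is available.` The new `RealSign` parameter is declared without a default, so every caller of this template has to pass it, as `build.yml` does in this commit. A short comment on the parameter saying so would help the next caller.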
@@ -1,17 +1,5 @@ -trigger: - batch: true - branches: - include: - - main - - microbuild - - 'validate/*' - paths: - exclude: - - doc/ - - '*.md' - - .vscode/ - - azure-pipelines/release.yml - - azure-pipelines/vs-insertion.yml +trigger: none # We only want to trigger manually or based on a schedule +pr: none #schedules: #- cron: "0 3 * * *" # Daily @ 8 PM PST # displayName: Daily vs-insertion @@ -23,10 +11,6 @@ parameters: # As an entrypoint pipeline yml file, all parameters here show up in the Queue Run dialog. # If any paramaters should NOT be queue-time options, they should be removed from here # and references to them in this file replaced with hard-coded values. -- name: ForceOfficialBuild - displayName: Official build (sign, compliance, etc.) - type: boolean - default: false # this should remain false so PR builds using this pipeline are unofficial # - name: ShouldSkipOptimize # Uncomment this and references to it below when setting EnableOptProf to true in build.yml. # displayName: Skip OptProf optimization # type: boolean 
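Review bot: The comment on `trigger: none` in the first `official.yml` hunk says the pipeline runs manually or on a schedule, but the `schedules:` block directly below it is still commented out. As written, only manual runs happen. The comment should match, for example `trigger: none # manual runs only until the schedule below is enabled`.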
@@ -55,75 +39,44 @@ variables: - template: GlobalVariables.yml extends: - ${{ if or(parameters.ForceOfficialBuild, eq(variables['Build.Reason'],'Schedule')) }}: - template: azure-pipelines/MicroBuild.1ES.Official.yml@MicroBuildTemplate - parameters: - sdl: - sourceAnalysisPool: VSEngSS-MicroBuild2022-1ES - codeSignValidation: - enabled: true - break: true - additionalTargetsGlobPattern: -|Variables-*\*.ps1;-|APIScanInputs-*\**;-|test_symbols-*\**;-|MicroBuild\** - policheck: - enabled: true - exclusionsFile: $(System.DefaultWorkingDirectory)\azure-pipelines\PoliCheckExclusions.xml - suppression: - suppressionFile: $(System.DefaultWorkingDirectory)\azure-pipelines\falsepositives.gdnsuppress - sbom: - enabled: true - stages: - - stage: Build - variables: - - template: /azure-pipelines/BuildStageVariables.yml@self - jobs: - - template: /azure-pipelines/build.yml@self - parameters: - Is1ESPT: true - RealSign: true - # ShouldSkipOptimize: ${{ parameters.ShouldSkipOptimize }} - EnableAPIScan: ${{ and(parameters.EnableAPIScan, ne(variables['Build.Reason'], 'pullRequest')) }} - windowsPool: VSEngSS-MicroBuild2022-1ES - linuxPool: - name: AzurePipelines-EO - demands: - - ImageOverride -equals 1ESPT-Ubuntu22.04 - os: Linux - macOSPool: - name: Azure Pipelines - vmImage: macOS-14 - os: macOS - EnableMacOSBuild: ${{ parameters.EnableMacOSBuild }} - RunTests: ${{ parameters.RunTests }} - - template: /azure-pipelines/prepare-insertion-stages.yml@self + template: azure-pipelines/MicroBuild.1ES.Official.yml@MicroBuildTemplate + parameters: + sdl: + sourceAnalysisPool: VSEngSS-MicroBuild2022-1ES + codeSignValidation: + enabled: true + break: true + additionalTargetsGlobPattern: -|Variables-*\*.ps1;-|APIScanInputs-*\**;-|test_symbols-*\**;-|MicroBuild\** + policheck: + enabled: true + exclusionsFile: $(System.DefaultWorkingDirectory)\azure-pipelines\PoliCheckExclusions.xml + suppression: + suppressionFile: $(System.DefaultWorkingDirectory)\azure-pipelines\falsepositives.gdnsuppress 
+ sbom: + enabled: true + stages: + - stage: Build + variables: + - template: /azure-pipelines/BuildStageVariables.yml@self + jobs: + - template: /azure-pipelines/build.yml@self parameters: + Is1ESPT: true RealSign: true - ${{ else }}: - template: azure-pipelines/MicroBuild.1ES.Unofficial.yml@MicroBuildTemplate - parameters: - sdl: - sourceAnalysisPool: VSEngSS-MicroBuild2022-1ES - suppression: - suppressionFile: $(System.DefaultWorkingDirectory)\azure-pipelines\falsepositives.gdnsuppress - stages: - - stage: Build - variables: - - template: /azure-pipelines/BuildStageVariables.yml@self - jobs: - - template: /azure-pipelines/build.yml@self - parameters: - Is1ESPT: true - RealSign: false - # ShouldSkipOptimize: ${{ parameters.ShouldSkipOptimize }} - EnableAPIScan: false - windowsPool: VSEngSS-MicroBuild2022-1ES - linuxPool: - name: AzurePipelines-EO - demands: - - ImageOverride -equals 1ESPT-Ubuntu22.04 - os: Linux - macOSPool: - name: Azure Pipelines - vmImage: macOS-14 - os: macOS - EnableMacOSBuild: ${{ parameters.EnableMacOSBuild }} - RunTests: ${{ parameters.RunTests }} + # ShouldSkipOptimize: ${{ parameters.ShouldSkipOptimize }} + EnableAPIScan: ${{ parameters.EnableAPIScan }} + windowsPool: VSEngSS-MicroBuild2022-1ES + linuxPool: + name: AzurePipelines-EO + demands: + - ImageOverride -equals 1ESPT-Ubuntu22.04 + os: Linux + macOSPool: + name: Azure Pipelines + vmImage: macOS-14 + os: macOS + EnableMacOSBuild: ${{ parameters.EnableMacOSBuild }} + RunTests: ${{ parameters.RunTests }} + - template: /azure-pipelines/prepare-insertion-stages.yml@self + parameters: + RealSign: true diff --git a/azure-pipelines/unofficial.yml b/azure-pipelines/unofficial.yml new file mode 100644 index 0000000..afce810 --- /dev/null +++ b/azure-pipelines/unofficial.yml 
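Review bot: After this hunk every run of `official.yml` extends `MicroBuild.1ES.Official.yml` with `RealSign: true`; the in-file gate (`ForceOfficialBuild` or a scheduled run) is gone, and nothing in the YAML limits which branch a manual run may build. `trigger: none` and `pr: none` only stop automatic runs, so whether an unreviewed branch can be production-signed now depends on queue permissions and branch restrictions set outside this file, which the diff does not show. I would record that expectation at the top of the file, e.g. `# Every run is real-signed: restrict who may queue this pipeline and which branches it may build.` Similarly, `EnableAPIScan` lost its `ne(variables['Build.Reason'], 'pullRequest')` guard and is covered only while `pr: none` stays in place.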
@@ -0,0 +1,90 @@ +trigger: + batch: true + branches: + include: + - main + - microbuild + - 'validate/*' + paths: + exclude: + - doc/ + - '*.md' + - .vscode/ + - azure-pipelines/release.yml + - azure-pipelines/vs-insertion.yml + +parameters: +# As an entrypoint pipeline yml file, all parameters here show up in the Queue Run dialog. +# If any paramaters should NOT be queue-time options, they should be removed from here +# and references to them in this file replaced with hard-coded values. +# - name: ShouldSkipOptimize # Uncomment this and references to it below when setting EnableOptProf to true in build.yml. +# displayName: Skip OptProf optimization +# type: boolean +# default: false +- name: EnableMacOSBuild + displayName: Build on macOS + type: boolean + default: false # macOS is often bogged down in Azure Pipelines +- name: RunTests + displayName: Run tests + type: boolean + default: true +- name: EnableAPIScan + displayName: Include APIScan with compliance tools + type: boolean + default: false +- name: EnableProductionSDL + displayName: Enable Production SDL + type: boolean + default: false + +resources: + repositories: + - repository: MicroBuildTemplate + type: git + name: 1ESPipelineTemplates/MicroBuildTemplate + ref: refs/tags/release + +variables: +- template: GlobalVariables.yml + +extends: + template: azure-pipelines/MicroBuild.1ES.Unofficial.yml@MicroBuildTemplate + parameters: + sdl: + sourceAnalysisPool: VSEngSS-MicroBuild2022-1ES + suppression: + suppressionFile: $(System.DefaultWorkingDirectory)\azure-pipelines\falsepositives.gdnsuppress + enableProductionSDL: ${{ parameters.EnableProductionSDL }} + codeSignValidation: + enabled: ${{ parameters.EnableProductionSDL }} + break: true + policyFile: $(MBSIGN_APPFOLDER)\CSVTestSignPolicy.xml + policheck: + enabled: ${{ parameters.EnableProductionSDL }} + exclusionsFile: $(System.DefaultWorkingDirectory)\azure-pipelines\PoliCheckExclusions.xml + sbom: + enabled: ${{ parameters.EnableProductionSDL }} + 
stages: + - stage: Build + variables: + - template: /azure-pipelines/BuildStageVariables.yml@self + jobs: + - template: /azure-pipelines/build.yml@self + parameters: + Is1ESPT: true + RealSign: false + # ShouldSkipOptimize: ${{ parameters.ShouldSkipOptimize }} + EnableAPIScan: ${{ parameters.EnableAPIScan }} + windowsPool: VSEngSS-MicroBuild2022-1ES + linuxPool: + name: AzurePipelines-EO + demands: + - ImageOverride -equals 1ESPT-Ubuntu22.04 + os: Linux + macOSPool: + name: Azure Pipelines + vmImage: macOS-14 + os: macOS + EnableMacOSBuild: ${{ parameters.EnableMacOSBuild }} + RunTests: ${{ parameters.RunTests }}
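Review bot: `policyFile: $(MBSIGN_APPFOLDER)\CSVTestSignPolicy.xml` in the new `unofficial.yml` relies on a precondition the file does not state. According to the comment added in `apiscan.yml`, the policy file is only available once the signing plugin is installed in the job. With `break: true`, a job that reaches code-sign validation without the plugin would presumably fail on the missing policy file once `EnableProductionSDL` is switched on, and only the apiscan job is visibly covered by this commit. A comment above the line would make the coupling explicit, e.g. `# Test-sign policy; requires mb.signing (signType: test) in every job that is validated.` The header comment copied into this file also carries the typo `paramaters`.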