From ade64172c41dd86bd46ca92357b3ccd4230ce57d Mon Sep 17 00:00:00 2001 From: Justin Chung Date: Mon, 27 Jan 2025 15:41:29 -0600 Subject: [PATCH 1/3] Fix pipeline issues --- .pipelines/PowerShell-Release-Official.yml | 16 ++--- .pipelines/templates/release-create-msix.yml | 60 ++++++++++--------- .../release-validate-fxdpackages.yml | 29 +++++++-- .pipelines/templates/uploadToAzure.yml | 4 +- 4 files changed, 62 insertions(+), 47 deletions(-) diff --git a/.pipelines/PowerShell-Release-Official.yml b/.pipelines/PowerShell-Release-Official.yml index 2acdbe4d7ac..baa68232ed4 100644 --- a/.pipelines/PowerShell-Release-Official.yml +++ b/.pipelines/PowerShell-Release-Official.yml @@ -195,6 +195,7 @@ extends: jobtype: 'linux' artifactName: 'drop_linux_package_fxdependent' packageNamePattern: '**/*linux-x64-fxdependent.tar.gz' + enableCredScan: false - template: /.pipelines/templates/release-validate-fxdpackages.yml@self parameters: @@ -331,25 +332,20 @@ extends: displayName: Publish PMC dependsOn: PushGitTagAndMakeDraftPublic jobs: - - template: /.pipelines/templates/release-publish-pmc.yml@self + - template: /.pipelines/templates/approvalJob.yml@self parameters: - skipPublish: ${{ parameters.SkipPMCPublish }} + displayName: Publish to PMC + jobName: ReleaseToPMC + instructions: | + Run PowerShell-Release-Official-Azure.yml pipeline to publish to PMC - stage: ReleaseDocker dependsOn: PushGitTagAndMakeDraftPublic displayName: 'Docker Release' jobs: - - template: /.pipelines/templates/approvalJob.yml@self - parameters: - displayName: Start Docker Build - jobName: StartDockerBuild - instructions: | - Kick off Docker build - - template: /.pipelines/templates/approvalJob.yml@self parameters: displayName: Start Docker Release - dependsOnJob: StartDockerBuild jobName: StartDockerRelease instructions: | Kickoff docker release diff --git a/.pipelines/templates/release-create-msix.yml b/.pipelines/templates/release-create-msix.yml index cf459d81ad0..cdb86544baf 100644 
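Review bot: The `enableCredScan: false` added to the Linux fxdependent validation job turns off credential scanning with no comment saying why, or when it should be turned back on. The template's new `enableCredScan` parameter defaults to `true` and feeds `ob_sdl_credscan_enabled`, so this is an explicit opt-out on a release-pipeline job. Patch 2/3 moves the same opt-out to the ARM64 job, where the same applies. A line above it such as `# CredScan disabled: <reason>; re-enable when <tracking item> is resolved` would keep the exception reviewable. The `parameters:` block of this template call starts outside the hunk.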
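Review bot: The removed `skipPublish: ${{ parameters.SkipPMCPublish }}` is the only use of `SkipPMCPublish` visible in this hunk. If the parameter is still declared at the top of the pipeline (outside the hunk), it is now a toggle with no effect and should be removed or marked as unused. The `Publish PMC` stage now completes on a manual approval alone, so nothing visible here ties the approval to the outcome of the `PowerShell-Release-Official-Azure.yml` run. The `instructions` text could say so explicitly, for example `Run PowerShell-Release-Official-Azure.yml pipeline to publish to PMC; approve only after that run has succeeded`.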
--- a/.pipelines/templates/release-create-msix.yml
+++ b/.pipelines/templates/release-create-msix.yml
@@ -28,24 +28,38 @@ jobs: displayName: Download x86 msix patterns: '**/*.msix' - - task: AzurePowerShell@5 - displayName: Install makeappx tool - retryCountOnTaskFailure: 1 - inputs: - azureSubscription: az-blob-cicd-infra - scriptType: inlineScript - azurePowerShellVersion: LatestVersion - pwsh: true - inline: | - $toolsDir = '$(Pipeline.Workspace)\releasePipeline\tools' - New-Item $toolsDir -Type Directory -Force > $null - Invoke-RestMethod -Uri '$(makeappUrlDirect)' -OutFile "$toolsDir\makeappx.zip" - Expand-Archive "$toolsDir\makeappx.zip" -DestinationPath "$toolsDir\makeappx" -Force - $exePath = "$toolsDir\makeappx\makeappx.exe" + - pwsh: | + $azureRmModule = Get-InstalledModule AzureRM -ErrorAction SilentlyContinue -Verbose + if ($azureRmModule) { + Write-Host 'AzureRM module exists. Removing it' + Uninstall-AzureRm + Write-Host 'AzureRM module removed' + } - $vstsCommandString = "vso[task.setvariable variable=MakeAppxPath]$exePath" - Write-Host "sending " + $vstsCommandString - Write-Host "##$vstsCommandString" + Install-Module -Name Az.Storage -Force -AllowClobber -Scope CurrentUser -Verbose + displayName: Remove AzRM modules and install Az.Storage + + + # Finds the makeappx tool on the machine with image: 'onebranch.azurecr.io/windows/ltsc2022/vse2022:latest' + - pwsh: | + $cmd = Get-Command makeappx.exe -ErrorAction Ignore + if ($cmd) { + Write-Verbose -Verbose 'makeappx available in PATH' + $exePath = $cmd.Source + } else { + $toolsDir = '$(Pipeline.Workspace)\releasePipeline\tools' + New-Item $toolsDir -Type Directory -Force > $null + $makeappx = Get-ChildItem -Recurse 'C:\Program Files (x86)\Windows Kits\10\makeappx.exe' | + Where-Object { $_.DirectoryName -match 'x64' } | + Select-Object -Last 1 + $exePath = $makeappx.FullName + Write-Verbose -Verbose 'makeappx was found:' + } + $vstsCommandString = "vso[task.setvariable variable=MakeAppxPath]$exePath" + Write-Host "sending " + $vstsCommandString + Write-Host "##$vstsCommandString" + displayName: Find 
makeappx tool + retryCountOnTaskFailure: 1 - pwsh: | $sourceDir = '$(Pipeline.Workspace)\releasePipeline\msix' @@ -73,18 +87,6 @@ jobs: displayName: Create MsixBundle retryCountOnTaskFailure: 1 - - pwsh: | - $azureRmModule = Get-InstalledModule AzureRM -ErrorAction SilentlyContinue -Verbose - if ($azureRmModule) { - Write-Host 'AzureRM module exists. Removing it' - Uninstall-AzureRm - Write-Host 'AzureRM module removed' - } - - Install-Module -Name Az.Storage -Force -AllowClobber -Scope CurrentUser -Verbose - - displayName: Remove AzRM modules and install Az.Storage - - task: AzurePowerShell@5 displayName: Upload msix to blob inputs: diff --git a/.pipelines/templates/release-validate-fxdpackages.yml b/.pipelines/templates/release-validate-fxdpackages.yml index 344db621632..f7c9dced1a5 100644 --- a/.pipelines/templates/release-validate-fxdpackages.yml +++ b/.pipelines/templates/release-validate-fxdpackages.yml @@ -1,10 +1,25 @@ parameters: - jobName: "" - displayName: "" - jobtype: "" - artifactName: "" - packageNamePattern: "" - arm64: "no" + - name: jobName + type: string + default: "" + - name: displayName + type: string + default: "" + - name: jobtype + type: string + default: "" + - name: artifactName + type: string + default: "" + - name: packageNamePattern + type: string + default: "" + - name: arm64 + type: string + default: "no" + - name: enableCredScan + type: boolean + default: true jobs: - job: ${{ parameters.jobName }} @@ -19,6 +34,8 @@ jobs: value: $(Build.SourcesDirectory)\PowerShell\.config\suppress.json - name: ob_sdl_tsa_configFile value: $(Build.SourcesDirectory)\PowerShell\.config\tsaoptions.json + - name: ob_sdl_credscan_enabled + value: ${{ parameters.enableCredScan }} pool: type: ${{ parameters.jobtype }} diff --git a/.pipelines/templates/uploadToAzure.yml b/.pipelines/templates/uploadToAzure.yml index 7156dedff7a..cd6f7d6739c 100644 --- a/.pipelines/templates/uploadToAzure.yml +++ b/.pipelines/templates/uploadToAzure.yml 
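Review bot: In the new `Find makeappx tool` step, the fallback branch never checks that the `Get-ChildItem | Where-Object` pipeline returned an item. If nothing under the Windows Kits folder matches `x64`, `$exePath` is empty and `MakeAppxPath` is set to an empty value instead of failing the step. Adding `if (-not $exePath) { throw 'makeappx.exe not found' }` before the `setvariable` line makes it fail closed. In the same branch, `Select-Object -Last 1` relies on enumeration order rather than a version sort, `$toolsDir` is created but no longer used, and `'makeappx was found:'` never prints the path. Separately, `Install-Module -Name Az.Storage -Force` in the step moved into this hunk has no version pin; on a release pipeline, `-RequiredVersion <pinned-version>` would make that dependency reproducible and reviewable.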
@@ -6,7 +6,7 @@ jobs: type: windows variables: - name: ob_sdl_sbom_enabled - value: false + value: true - name: runCodesignValidationInjection value: false - name: NugetSecurityAnalysisWarningLevel @@ -241,7 +241,7 @@ jobs: Write-Verbose -Verbose "Creating output directory for GitHub Release files: $(ob_outputDirectory)/GitHubPackages" New-Item -Path $(ob_outputDirectory)/GitHubPackages -ItemType Directory -Force Get-ChildItem -Path "$(Build.ArtifactStagingDirectory)/downloads/*" -Recurse | - Where-Object { $_.Extension -notin '.msix', '.nupkg' } | + Where-Object { $_.Extension -notin '.msix', '.nupkg' -and $_.Name -notmatch '-gc'} | Copy-Item -Destination $(ob_outputDirectory)/GitHubPackages -Recurse -Verbose Write-Verbose -Verbose "Creating output directory for NuGet packages: $(ob_outputDirectory)/NuGetPackages" From c87850e1a6ca6a258c8006e7fd3f48211f518dc2 Mon Sep 17 00:00:00 2001 From: Justin Chung Date: Thu, 30 Jan 2025 16:20:18 -0600 Subject: [PATCH 2/3] Disable credscan on arm 64 --- .pipelines/PowerShell-Release-Official.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pipelines/PowerShell-Release-Official.yml b/.pipelines/PowerShell-Release-Official.yml index baa68232ed4..bbd59da7519 100644 --- a/.pipelines/PowerShell-Release-Official.yml +++ b/.pipelines/PowerShell-Release-Official.yml @@ -195,7 +195,6 @@ extends: jobtype: 'linux' artifactName: 'drop_linux_package_fxdependent' packageNamePattern: '**/*linux-x64-fxdependent.tar.gz' - enableCredScan: false - template: /.pipelines/templates/release-validate-fxdpackages.yml@self parameters: @@ -205,6 +204,7 @@ extends: artifactName: 'drop_linux_package_fxdependent' packageNamePattern: '**/*linux-x64-fxdependent.tar.gz' arm64: 'yes' + enableCredScan: false - stage: validatePackages displayName: 'Validate Packages' From 241d53d80ab9dd1ad5b29706fbcb0887c245f498 Mon Sep 17 00:00:00 2001 
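Review bot: In the GitHubPackages copy filter, `$_.Name -notmatch '-gc'` is an unanchored, case-insensitive regex. Any file with `-gc` anywhere in its name is therefore left out of the GitHub release set, not only the package variant this is meant to exclude. Tying the pattern to where the suffix actually sits in the package name would narrow it, for example `$_.Name -notmatch '-gc\.'` if it directly precedes the extension. A one-line comment above the `Where-Object` naming the excluded packages would make the exclusion auditable. The surrounding script block starts and ends outside the hunk.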
From: Justin Chung <124807742+jshigetomi@users.noreply.github.com>
Date: Thu, 30 Jan 2025 16:41:00 -0600
Subject: [PATCH 3/3] Update .pipelines/PowerShell-Release-Official.yml
Co-authored-by: Travis Plunk
---
 .pipelines/PowerShell-Release-Official.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.pipelines/PowerShell-Release-Official.yml b/.pipelines/PowerShell-Release-Official.yml
index bbd59da7519..537d0fbee2e 100644
--- a/.pipelines/PowerShell-Release-Official.yml
+++ b/.pipelines/PowerShell-Release-Official.yml
@@ -202,6 +202,7 @@ extends:
 displayName: 'Validate Linux ARM64 Fxd Packages'
 jobtype: 'linux'
 artifactName: 'drop_linux_package_fxdependent'
+ # this is really an architecture independent package
 packageNamePattern: '**/*linux-x64-fxdependent.tar.gz'
 arm64: 'yes'
 enableCredScan: false