RecursiveExtractor/Pipelines/recursive-extractor-release.yml at 90ce6ac357f6186e2678158a17f3a66b9b133417 · microsoft/RecursiveExtractor · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
name: RecursiveExtractor_Release_$(SourceBranchName)_$(Date:yyyyMMdd)$(Rev:.r)
trigger: none
pr: none

resources:
  repositories:
    - repository: templates
      type: git
      name: Data/OSS-Tools-Pipeline-Templates
      ref: refs/tags/v2.0.0
    - repository: 1esPipelines
      type: git
      name: 1ESPipelineTemplates/1ESPipelineTemplates
      ref: refs/tags/release

variables:
  BuildConfiguration: 'Release'
  DotnetVersion: '9.0.x'

extends:
  template: v1/1ES.Official.PipelineTemplate.yml@1esPipelines
  parameters:
    pool:
      name: MSSecurity-1ES-Build-Agents-Pool
      image: MSSecurity-1ES-Windows-2022
      os: windows
    sdl:
      armory:
        enabled: false
      sourceRepositoriesToScan:
        exclude:
          - repository: 1esPipelines
          - repository: templates
    stages:
    - stage: Test
      dependsOn: []
      jobs:
      - template: dotnet-test-job.yml@templates
        parameters:
          jobName: 'lib_dotnet_test_windows'
          dotnetVersions: ['8.0.x', '9.0.x']
          projectPath: 'RecursiveExtractor.Tests/RecursiveExtractor.Tests.csproj'
          poolName: MSSecurity-1ES-Build-Agents-Pool
          poolImage: MSSecurity-1ES-Windows-2022
          poolOs: windows
      - template: dotnet-test-job.yml@templates
        parameters:
          jobName: 'cli_dotnet_test_windows'
          dotnetVersions: ['8.0.x', '9.0.x']
          projectPath: 'RecursiveExtractor.Cli.Tests/RecursiveExtractor.Cli.Tests.csproj'
          poolName: MSSecurity-1ES-Build-Agents-Pool
          poolImage: MSSecurity-1ES-Windows-2022
          poolOs: windows

    - stage: Build
      dependsOn:
      - Test
      jobs:
      - template: nuget-build-job.yml@templates
        parameters:
          jobName: 'pack_lib'
          buildConfiguration: ${{ variables.BuildConfiguration }}
          dotnetVersion: ${{ variables.DotnetVersion }}
          projectPath: 'RecursiveExtractor/RecursiveExtractor.csproj'
          projectName: 'RecursiveExtractor'
          customPackFlags: '/p:ContinuousIntegrationBuild=true'
          artifactName: 'lib-archive'
          preBuild:
          - template: nbgv-set-version-steps.yml@templates
      - template: nuget-build-job.yml@templates
        parameters:
          jobName: 'pack_cli'
          buildConfiguration: ${{ variables.BuildConfiguration }}
          dotnetVersion: ${{ variables.DotnetVersion }}
          projectPath: 'RecursiveExtractor.Cli/RecursiveExtractor.Cli.csproj'
          projectName: 'RecursiveExtractor_CLI'
          customPackFlags: '/p:ContinuousIntegrationBuild=true'
          artifactName: 'cli-archive'
          preBuild:
          - template: nbgv-set-version-steps.yml@templates

    - stage: Release
      dependsOn:
      - Build
      condition: succeeded()
      jobs:
      - job: sign_hash_release
        displayName: Code Sign, Generate Hashes, Publish Public Releases
        templateContext:
          outputs:
          - output: pipelineArtifact
            path: '$(Build.StagingDirectory)'
            artifact: 'Signed_Binaries_$(System.JobId)_$(System.JobAttempt)'
          # see https://eng.ms/docs/cloud-ai-platform/devdiv/one-engineering-system-1es/1es-docs/1es-pipeline-templates/features/outputs/nuget-packages
          - output: nuget
            useDotNetTask: false
            packagesToPush: '$(Build.StagingDirectory)/*.nupkg'
            packageParentPath: '$(Build.StagingDirectory)'
            nuGetFeedType: external
            publishPackageMetadata: true
            publishFeedCredentials: 'sdl-oss-nuget-publish'
        steps:
        - task: UseDotNet@2
          inputs:
            packageType: 'sdk'
            version: '6.0.x' # ESRP requires a specific version.
        - template: nbgv-set-version-steps.yml@templates
        - task: DownloadPipelineArtifact@2
          inputs:
            displayName: 'Download lib-archive'
            buildType: 'current'
            artifactName: 'lib-archive'
            targetPath: $(Build.BinariesDirectory)\Unsigned_Binaries\
        - task: DownloadPipelineArtifact@2
          inputs:
            displayName: 'Download cli-archive'
            buildType: 'current'
            artifactName: 'cli-archive'
            targetPath: $(Build.BinariesDirectory)\Unsigned_Binaries\
        - task: ExtractFiles@1
          displayName: Extract Artifacts for Signing
          inputs:
            archiveFilePatterns: '$(Build.BinariesDirectory)\Unsigned_Binaries\*.zip'
            destinationFolder: '$(Build.BinariesDirectory)'
            cleanDestinationFolder: false
            overwriteExistingFiles: true
        - task: AntiMalware@4
          displayName: Anti-Malware Scan
          inputs:
            InputType: 'Basic'
            ScanType: 'CustomScan'
            FileDirPath: '$(Build.BinariesDirectory)'
            EnableServices: true
            SupportLogOnError: true
            TreatSignatureUpdateFailureAs: 'Warning'
            SignatureFreshness: 'UpToDate'
            TreatStaleSignatureAs: 'Warning'
        - task: EsrpCodeSigning@5
          displayName: Code Sign Nuget Packages
          inputs:
            ConnectedServiceName: 'oss-esrp-signing-recext-v5-connection'
            AppRegistrationClientId: 'caf746ee-b288-4155-8cc0-0bedca65f230'
            AppRegistrationTenantId: '33e01921-4d64-4f8c-a055-5bdaffd5e33d'
            AuthAKVName: 'oss-signing-vault'
            AuthCertName: 'oss-recursive-auth-cert'
            AuthSignCertName: 'oss-recursive-signing-cert'
            FolderPath: '$(Build.BinariesDirectory)'
            Pattern: '*.nupkg, *.snupkg'
            signConfigType: 'inlineSignParams'
            inlineOperation: |
              [
                      {
                          "KeyCode" : "CP-401405",
                          "OperationCode" : "NuGetSign",
                          "Parameters" : {},
                          "ToolName" : "sign",
                          "ToolVersion" : "1.0"
                      },
                      {
                          "KeyCode" : "CP-401405",
                          "OperationCode" : "NuGetVerify",
                          "Parameters" : {},
                          "ToolName" : "sign",
                          "ToolVersion" : "1.0"
                      }
                  ]
            SessionTimeout: '60'
            MaxConcurrency: '50'
            MaxRetryAttempts: '5'
        - powershell: 'Get-ChildItem -Path ''$(Build.BinariesDirectory)'' -Recurse CodeSign* | foreach { Remove-Item -Path $_.FullName }'
          displayName: 'Delete Code Sign Summaries'
        - task: PowerShell@2
          displayName: Move NuGet Packages
          inputs:
            targetType: 'inline'
            script: |
              mv $env:BUILD_BINARIESDIRECTORY/*.nupkg $env:BUILD_STAGINGDIRECTORY/
              mv $env:BUILD_BINARIESDIRECTORY/*.snupkg $env:BUILD_STAGINGDIRECTORY/