Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
182 changes: 135 additions & 47 deletions .azure-devops/graphitation-release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,8 @@ variables:
value: production,externalfacing
- name: serviceTreeID
value: ade7d667-42f5-485a-91a9-f1dc6482a9b0
- name: packagesArtifactName
value: packed-packages
- name: adoNpmFeedBaseUrl
Comment thread
pavelglac marked this conversation as resolved.
value: https://pkgs.dev.azure.com/DomoreexpGithub/_packaging/GraphQL/npm/registry/
- name: adoMirrorNpmFeedBaseUrl
Expand All @@ -24,8 +26,8 @@ extends:
template: v1/1ES.Official.PipelineTemplate.yml@1ESPipelineTemplates

parameters:
# settings:
# networkIsolationPolicy: Permissive,CFSClean
settings:
networkIsolationPolicy: Permissive,CFSClean
sdl:
sourceAnalysisPool:
name: Azure-Pipelines-1ESPT-ExDShared
Expand All @@ -34,39 +36,37 @@ extends:
stages:
- stage: release
variables:
# OPTIONAL: Set this varibale to 'true' to enable signing in a target stage.
# Remove if signing is not required.
Build.ESRP.CodeSign.Enabled: true
# ESRP publishing is handled by EsrpRelease@9.
Build.ESRP.CodeSign.Enabled: false
Comment thread
celiac747 marked this conversation as resolved.
# OPTIONAL: To disable required tools not applicable in the pipeline set to false.
# Supported values: BinSkim, Roslyn, ESLint, PREFast.
Build.SDL.<Roslyn>.Enabled: false
Build.SDL.<ESLint>.Enabled: true
jobs:
- job: Release
- job: Build
displayName: Build, test, and pack Graphitation packages
pool:
name: Azure-Pipelines-1ESPT-ExDShared
image: ubuntu-latest
os: linux
workspace:
clean: all
variables:
artifactPath: $(Build.StagingDirectory)/out
packagesArtifactPath: $(Build.StagingDirectory)/out/${{ variables.packagesArtifactName }}
templateContext:
outputParentDirectory: $(artifactPath)
outputs:
- output: pipelineArtifact
artifactName: ${{ variables.packagesArtifactName }}
targetPath: $(packagesArtifactPath)
steps:
- checkout: self
persistCredentials: true # fix for beachball: https://github.com/microsoft/beachball/issues/674
- script: |
cat <<'EOF' > "$(Agent.TempDirectory)/npm-mirror.npmrc"
always-auth=true
registry=$(adoMirrorNpmFeedBaseUrl)
EOF
displayName: Create temporary .npmrc for mirror feed
- task: npmAuthenticate@0
inputs:
workingFile: "$(Agent.TempDirectory)/npm-mirror.npmrc"
- script: |
TOKEN=$(grep '_authToken' "$(Agent.TempDirectory)/npm-mirror.npmrc" | head -1 | cut -d'=' -f2)
echo "##vso[task.setvariable variable=NPM_TOKEN;issecret=true]$TOKEN"
displayName: Extract token from .npmrc
- script: |
yarn config set npmAlwaysAuth true
yarn config set npmRegistryServer $(adoMirrorNpmFeedBaseUrl)
displayName: Configure yarn for ADO npm feed

- template: /.azure-devops/steps/npm-auth-steps.yml@self
parameters:
adoMirrorNpmFeedBaseUrl: ${{ variables.adoMirrorNpmFeedBaseUrl }}
- script: yarn install
displayName: yarn
env:
Expand All @@ -77,40 +77,128 @@ extends:
displayName: build and test [test]
env:
NPM_CONFIG_USERCONFIG: $(Agent.TempDirectory)/npm-mirror.npmrc

- script: |
git config user.email "gql-svc@microsoft.com"
git config user.name "Graphitation Service Account"
git fetch origin main
displayName: Configure git for release
- script: |
mkdir -p "$(packagesArtifactPath)"
packLayersPath="$(Build.StagingDirectory)/beachball-packed-layers"
releaseBranch="origin/${BUILD_SOURCEBRANCH#refs/heads/}"

if [ "${BUILD_SOURCEBRANCH}" = "refs/heads/main" ]; then
yarn beachball publish -b "$releaseBranch" -t latest -y -n $(ossNpmToken) --access public --no-push --keep-change-files
else
yarn beachball canary -b "$releaseBranch" -t canary -y -n $(ossNpmToken) --access public
fi
displayName: Release to the npm registry
- script: |
git restore .
displayName: Discard beachball's changes
yarn beachball publish -b "$releaseBranch" -t latest -y --access public --no-push --keep-change-files --pack-to-path "$packLayersPath"

find "$packLayersPath" -type f -name "*.tgz" -exec cp {} "$(packagesArtifactPath)" \;
displayName: Pack packages with beachball
env:
NPM_CONFIG_USERCONFIG: $(Agent.TempDirectory)/npm-mirror.npmrc

- job: PrivateAdoRelease
displayName: Release to ADO npm feed
dependsOn: Build
pool:
name: Azure-Pipelines-1ESPT-ExDShared
image: ubuntu-latest
os: linux
steps:
- checkout: self
persistCredentials: true # fix for beachball: https://github.com/microsoft/beachball/issues/674

- template: /.azure-devops/steps/npm-auth-steps.yml@self
parameters:
adoMirrorNpmFeedBaseUrl: ${{ variables.adoMirrorNpmFeedBaseUrl }}

- script: yarn install
displayName: yarn install
env:
YARN_NPM_AUTH_TOKEN: $(NPM_TOKEN)
NPM_CONFIG_USERCONFIG: $(Agent.TempDirectory)/npm-mirror.npmrc

- script: yarn build
displayName: build
env:
NPM_CONFIG_USERCONFIG: $(Agent.TempDirectory)/npm-mirror.npmrc

- script: |
echo "always-auth=true" > .npmrc
echo "registry=$(adoNpmFeedBaseUrl)" >> .npmrc
displayName: Create .npmrc for private ADO feed

- task: npmAuthenticate@0
displayName: npm authenticate for private ADO feed
inputs:
workingFile: ".npmrc"

- script: |
releaseBranch="origin/${BUILD_SOURCEBRANCH#refs/heads/}"
yarn beachball publish -b "$releaseBranch" -t latest -y --registry $(adoNpmFeedBaseUrl) --no-push --keep-change-files
displayName: Release to the ADO npm feed

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's confusing a bit: in job "Build" we now have steps for release, and then we have a separate "Release" job

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agree. The logic was that is expesive to have it as separate job because you need to install dependencies and build packages. Now the job for releasing to the ADO takes 8 min.

Image

env:
NPM_CONFIG_USERCONFIG: $(Build.SourcesDirectory)/.npmrc

if [ "${BUILD_SOURCEBRANCH}" = "refs/heads/main" ]; then
yarn beachball publish -b "$releaseBranch" -t latest -y --registry $(adoNpmFeedBaseUrl)
else
yarn beachball canary -b "$releaseBranch" -t canary -y --registry $(adoNpmFeedBaseUrl)
fi
displayName: Release to the ado npm feed
- task: 1ES.PublishPipelineArtifact@1
displayName: 📒 Publish Manifest
- job: PublicNpmRelease
displayName: ESRP release to public npm
dependsOn: Build
pool:
name: Azure-Pipelines-1ESPT-ExDShared
image: ubuntu-latest
os: linux
variables:
packagesArtifactPath: $(Agent.BuildDirectory)/${{ variables.packagesArtifactName }}
templateContext:
type: releaseJob
isProduction: true
inputs:
- input: pipelineArtifact
artifactName: ${{ variables.packagesArtifactName }}
targetPath: $(packagesArtifactPath)
steps:
- script: find "$(packagesArtifactPath)" -maxdepth 2 -type f -name "*.tgz" -print
displayName: Show packages artifact contents

- task: EsrpRelease@9
displayName: ESRP Release to npm
inputs:
artifactName: SBom-$(System.JobAttempt)
targetPath: $(System.DefaultWorkingDirectory)/_manifest
connectedservicename: $(Release.ConnectedServiceName)
usemanagedidentity: true
keyvaultname: $(Release.KeyVaultName)
signcertname: $(Release.SignCertName)
clientid: $(Release.ClientId)
contenttype: npm
folderlocation: $(packagesArtifactPath)
owners: $(Release.Owners)
approvers: $(Release.Approvers)
mainpublisher: ESRPRELPACMAN
domaintenantid: $(Release.DomainTenantId)

- job: Bump
displayName: Bump package versions
dependsOn:
- PrivateAdoRelease
- PublicNpmRelease
condition: and(succeeded(), startsWith(variables['Build.SourceBranch'], 'refs/heads/'))
pool:
name: Azure-Pipelines-1ESPT-ExDShared
image: ubuntu-latest
os: linux
steps:
- checkout: self
persistCredentials: true # fix for beachball: https://github.com/microsoft/beachball/issues/674

- template: /.azure-devops/steps/npm-auth-steps.yml@self
parameters:
adoMirrorNpmFeedBaseUrl: ${{ variables.adoMirrorNpmFeedBaseUrl }}

- script: yarn install
displayName: yarn install
env:
YARN_NPM_AUTH_TOKEN: $(NPM_TOKEN)
NPM_CONFIG_USERCONFIG: $(Agent.TempDirectory)/npm-mirror.npmrc

- script: |
git config user.email "gql-svc@microsoft.com"
git config user.name "Graphitation Service Account"
releaseBranchName="${BUILD_SOURCEBRANCH#refs/heads/}"
releaseBranch="origin/$releaseBranchName"
git fetch origin "$releaseBranchName"
yarn beachball publish -b "$releaseBranch" -t latest -y --access public --no-publish --message "applying package updates [skip ci]"
displayName: Bump versions and push changelogs
env:
NPM_CONFIG_USERCONFIG: $(Agent.TempDirectory)/npm-mirror.npmrc
25 changes: 25 additions & 0 deletions .azure-devops/steps/npm-auth-steps.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
# Reusable steps to authenticate against the ADO npm mirror feed and configure
# both npm and yarn to use it. Consumed via `- template: templates/npm-auth-steps.yml`.
parameters:
- name: adoMirrorNpmFeedBaseUrl
type: string

steps:
- script: |
cat <<'EOF' > "$(Agent.TempDirectory)/npm-mirror.npmrc"
always-auth=true
registry=${{ parameters.adoMirrorNpmFeedBaseUrl }}
EOF
displayName: Create temporary .npmrc for mirror feed
- task: npmAuthenticate@0
displayName: npm authenticate
inputs:
workingFile: "$(Agent.TempDirectory)/npm-mirror.npmrc"
- script: |
TOKEN=$(grep '_authToken' "$(Agent.TempDirectory)/npm-mirror.npmrc" | head -1 | cut -d'=' -f2)
echo "##vso[task.setvariable variable=NPM_TOKEN;issecret=true]$TOKEN"
displayName: Extract token from .npmrc
- script: |
yarn config set npmAlwaysAuth true
yarn config set npmRegistryServer ${{ parameters.adoMirrorNpmFeedBaseUrl }}
displayName: Configure yarn for ADO npm feed
2 changes: 1 addition & 1 deletion package.json
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@
"devDependencies": {
"@babel/core": "^7.14.0",
"@babel/preset-typescript": "^7.14.0",
"beachball": "^2.47.1",
"beachball": "3.0.0-alpha.4",

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do we upgrade to this alpha version?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, we need to have pack-to-path option

"graphql": "^15.0.0",
"lage": "^2.7.14",
"patch-package": "^7.0.0",
Expand Down
Loading
Loading