254 lines
9.9 KiB
YAML
254 lines
9.9 KiB
YAML
parameters:
|
|
parentJobs: []
|
|
|
|
jobs:
|
|
- job: build_nuget
|
|
dependsOn:
|
|
${{ parameters.parentJobs }}
|
|
displayName: Build NuGet packages
|
|
condition: succeeded()
|
|
pool: Package ES Standard Build
|
|
|
|
timeoutInMinutes: 90
|
|
|
|
variables:
|
|
- name: runCodesignValidationInjection
|
|
value: false
|
|
- name: NugetSecurityAnalysisWarningLevel
|
|
value: none
|
|
- name: build
|
|
value: ${{ parameters.buildName }}
|
|
- group: ESRP
|
|
- name: GenAPIToolPath
|
|
value: '$(System.ArtifactsDirectory)/GenAPI'
|
|
- name: PackagePath
|
|
value: '$(System.ArtifactsDirectory)/UnifiedPackagePath'
|
|
- name: winFxdPath
|
|
value: '$(System.ArtifactsDirectory)/winFxd'
|
|
- name: winFxdWinDesktopPath
|
|
value: '$(System.ArtifactsDirectory)/winFxdWinDesktop'
|
|
- name: linuxFxdPath
|
|
value: '$(System.ArtifactsDirectory)/linuxFxd'
|
|
|
|
steps:
|
|
- checkout: self
|
|
clean: true
|
|
|
|
- checkout: ComplianceRepo
|
|
clean: true
|
|
|
|
- template: SetVersionVariables.yml
|
|
parameters:
|
|
ReleaseTagVar: $(ReleaseTagVar)
|
|
|
|
- powershell: |
|
|
$content = Get-Content "$env:REPOROOT/global.json" -Raw | ConvertFrom-Json
|
|
$vstsCommandString = "vso[task.setvariable variable=SDKVersion]$($content.sdk.version)"
|
|
Write-Host "sending " + $vstsCommandString
|
|
Write-Host "##$vstsCommandString"
|
|
displayName: 'Find SDK version from global.json'
|
|
|
|
- task: DotNetCoreInstaller@0
|
|
displayName: 'Use .NET Core SDK from global.json'
|
|
inputs:
|
|
version: '$(SDKVersion)'
|
|
|
|
- task: DownloadBuildArtifacts@0
|
|
displayName: 'Download PowerShell build artifacts - finalResults'
|
|
inputs:
|
|
buildType: current
|
|
downloadType: single
|
|
artifactName: finalResults
|
|
downloadPath: '$(System.ArtifactsDirectory)'
|
|
|
|
- task: DownloadBuildArtifacts@0
|
|
displayName: 'Download PowerShell build artifacts - macosPkgResults'
|
|
inputs:
|
|
buildType: current
|
|
downloadType: single
|
|
artifactName: macosPkgResults
|
|
downloadPath: '$(System.ArtifactsDirectory)'
|
|
|
|
- powershell: 'Get-ChildItem $(System.ArtifactsDirectory) -recurse'
|
|
displayName: 'Capture downloaded artifacts'
|
|
|
|
- powershell: |
|
|
$packagePath = (Join-Path $(System.ArtifactsDirectory) packages)
|
|
New-Item $packagePath -ItemType Directory -Force > $null
|
|
$packages = Get-ChildItem $(System.ArtifactsDirectory) -Include *.zip, *.tar.gz -Recurse
|
|
$packages | ForEach-Object { Copy-Item $_.FullName -Destination $packagePath -Verbose }
|
|
Get-ChildItem $packagePath -Recurse
|
|
displayName: 'Conflate packages to same folder'
|
|
|
|
- task: ExtractFiles@1
|
|
displayName: 'Extract files win-fxdependent'
|
|
inputs:
|
|
archiveFilePatterns: '$(System.ArtifactsDirectory)/packages/PowerShell-*-win-fxdependent.zip'
|
|
destinationFolder: '$(winFxdPath)'
|
|
|
|
- task: ExtractFiles@1
|
|
displayName: 'Extract files win-fxdependentWinDesktop'
|
|
inputs:
|
|
archiveFilePatterns: '$(System.ArtifactsDirectory)/packages/PowerShell-*-win-fxdependentWinDesktop.zip'
|
|
destinationFolder: '$(winFxdWinDesktopPath)'
|
|
|
|
- task: ExtractFiles@1
|
|
displayName: 'Extract files linux-fxdependent'
|
|
inputs:
|
|
archiveFilePatterns: '$(System.ArtifactsDirectory)/packages/powershell-*-linux-x64-fxdependent.tar.gz'
|
|
destinationFolder: '$(linuxFxdPath)'
|
|
|
|
- task: PkgESInstallNuGetToolsPackage@10
|
|
displayName: 'Install package Microsoft.DotNet.BuildTools.GenAPI'
|
|
inputs:
|
|
packageName: Microsoft.DotNet.BuildTools.GenAPI
|
|
packageVersion: '1.0.0-beta-00081'
|
|
packageSources: 'https://nuget.org/api/v2'
|
|
installRoot: '$(GenAPIToolPath)'
|
|
|
|
- template: SetVersionVariables.yml
|
|
parameters:
|
|
ReleaseTagVar: $(ReleaseTagVar)
|
|
|
|
- template: shouldSign.yml
|
|
|
|
- task: NuGetToolInstaller@1
|
|
displayName: 'Install NuGet.exe'
|
|
|
|
- powershell: |
|
|
Import-Module $env:REPOROOT\build.psm1
|
|
Import-Module $env:REPOROOT\tools\packaging
|
|
Find-Dotnet
|
|
New-ILNugetPackage -PackagePath "$(PackagePath)" -PackageVersion "$(Version)" -WinFxdBinPath '$(winFxdPath)' -LinuxFxdBinPath '$(linuxFxdPath)' -GenAPIToolPath "$(GenAPIToolPath)"
|
|
displayName: 'Create Nuget Package Folders'
|
|
|
|
- powershell: |
|
|
Get-ChildItem $(linuxFxdPath)
|
|
Get-ChildItem $(winFxdPath)
|
|
Get-ChildItem $(winFxdWinDesktopPath)
|
|
displayName: Capture fxd folders
|
|
|
|
- powershell: |
|
|
Import-Module $env:REPOROOT\build.psm1
|
|
Import-Module $env:REPOROOT\tools\packaging
|
|
Find-Dotnet
|
|
# Create unified package first
|
|
New-GlobalToolNupkg -UnifiedPackage -LinuxBinPath "$(linuxFxdPath)" -WindowsBinPath "$(winFxdPath)" -WindowsDesktopBinPath "$(winFxdWinDesktopPath)" -PackageVersion "$(Version)" -DestinationPath "$(PackagePath)\globaltool"
|
|
|
|
# Create packages for dotnet sdk
|
|
New-GlobalToolNupkg -LinuxBinPath "$(linuxFxdPath)" -WindowsBinPath "$(winFxdPath)" -WindowsDesktopBinPath "$(winFxdWinDesktopPath)" -PackageVersion "$(Version)" -DestinationPath "$(PackagePath)\globaltool"
|
|
displayName: 'Create Global tool packages'
|
|
|
|
- powershell: |
|
|
Get-ChildItem "$(PackagePath)" -Recurse
|
|
displayName: Capture generated packages
|
|
|
|
- template: EsrpSign.yml@ComplianceRepo
|
|
parameters:
|
|
buildOutputPath: $(PackagePath)
|
|
signOutputPath: $(System.ArtifactsDirectory)\signed
|
|
certificateId: "CP-401405"
|
|
pattern: |
|
|
**\*.nupkg
|
|
useMinimatch: true
|
|
shouldSign: $(SHOULD_SIGN)
|
|
displayName: Sign NuPkg
|
|
|
|
- pwsh: |
|
|
if (-not (Test-Path '$(System.ArtifactsDirectory)\signed\')) { $null = New-Item -ItemType Directory -Path '$(System.ArtifactsDirectory)\signed\' }
|
|
Copy-Item -Path '$(PackagePath)\*.nupkg' -Destination '$(System.ArtifactsDirectory)\signed\' -Verbose -Force
|
|
Copy-Item -Path '$(PackagePath)\globaltool\*.nupkg' -Destination '$(System.ArtifactsDirectory)\signed\' -Verbose -Force
|
|
displayName: Fake copy when not signing
|
|
condition: eq(variables['SHOULD_SIGN'], 'false')
|
|
|
|
- powershell: |
|
|
Import-Module "${env:REPOROOT}\build.psm1" -Force
|
|
Get-ChildItem -Recurse "$(System.ArtifactsDirectory)\signed\*.nupkg" -Verbose | ForEach-Object { Start-NativeExecution -sb { nuget.exe verify -All $_.FullName } }
|
|
displayName: Verify all packages are signed
|
|
condition: eq(variables['SHOULD_SIGN'], 'true')
|
|
|
|
- task: securedevelopmentteam.vss-secure-development-tools.build-task-antimalware.AntiMalware@3
|
|
displayName: 'Run MpCmdRun.exe'
|
|
inputs:
|
|
FileDirPath: '$(PackagePath)'
|
|
TreatStaleSignatureAs: Warning
|
|
|
|
- task: securedevelopmentteam.vss-secure-development-tools.build-task-publishsecurityanalysislogs.PublishSecurityAnalysisLogs@2
|
|
displayName: 'Publish Security Analysis Logs'
|
|
|
|
- template: upload-final-results.yml
|
|
parameters:
|
|
artifactPath: '$(System.ArtifactsDirectory)\signed'
|
|
|
|
- powershell: |
|
|
if (-not (Test-Path "$(System.ArtifactsDirectory)\signed\globaltool"))
|
|
{
|
|
$null = New-Item -Path "$(System.ArtifactsDirectory)\signed\globaltool" -ItemType Directory -Force
|
|
}
|
|
|
|
Move-Item -Path "$(System.ArtifactsDirectory)\signed\PowerShell.*" -Destination "$(System.ArtifactsDirectory)\signed\globaltool" -Force
|
|
Get-ChildItem "$(System.ArtifactsDirectory)\signed\globaltool" -Recurse
|
|
displayName: Move global tool packages to subfolder and capture
|
|
|
|
- pwsh: |
|
|
$packagePath = (Join-Path $(System.ArtifactsDirectory) checksum)
|
|
New-Item $packagePath -ItemType Directory -Force > $null
|
|
$srcPaths = @("$(System.ArtifactsDirectory)\finalResults", "$(System.ArtifactsDirectory)\macosPkgResults", "$(System.ArtifactsDirectory)\signed")
|
|
|
|
$packages = Get-ChildItem -Path $srcPaths -Include *.zip, *.tar.gz, *.msi*, *.pkg, *.deb, *.rpm -Exclude "PowerShell-Symbols*" -Recurse
|
|
$packages | ForEach-Object { Copy-Item $_.FullName -Destination $packagePath -Verbose }
|
|
|
|
$packagePathList = Get-ChildItem $packagePath -Recurse | Select-Object -ExpandProperty FullName | Out-String
|
|
Write-Verbose -Verbose $packagePathList
|
|
|
|
$checksums = Get-ChildItem -Path $packagePath |
|
|
ForEach-Object {
|
|
Write-Verbose -Verbose "Generating checksum file for $($_.FullName)"
|
|
$packageName = $_.Name
|
|
$hash = (Get-FileHash -Path $_.FullName -Algorithm SHA512).Hash.ToLower()
|
|
|
|
# the '*' before the packagename signifies it is a binary
|
|
"$hash *$packageName"
|
|
}
|
|
|
|
$checksums | Out-File -FilePath "$packagePath\SHA512SUMS" -Force
|
|
|
|
|
|
$fileContent = Get-Content -Path "$packagePath\SHA512SUMS" -Raw | Out-String
|
|
Write-Verbose -Verbose -Message $fileContent
|
|
|
|
Copy-Item -Path "$packagePath\SHA512SUMS" -Destination '$(System.ArtifactsDirectory)\signed\' -verbose
|
|
Copy-Item -Path "$packagePath\SHA512SUMS" -Destination '$(System.ArtifactsDirectory)\signed\globaltool\' -verbose
|
|
displayName: Generate checksum file
|
|
|
|
- template: upload-final-results.yml
|
|
parameters:
|
|
artifactPath: '$(System.ArtifactsDirectory)\checksum'
|
|
artifactFilter: SHA512SUMS
|
|
|
|
- task: AzureFileCopy@4
|
|
displayName: 'Upload NuGet packages to Azure'
|
|
inputs:
|
|
SourcePath: '$(System.ArtifactsDirectory)\signed\*'
|
|
azureSubscription: '$(AzureFileCopySubscription)'
|
|
Destination: AzureBlob
|
|
storage: '$(StorageAccount)'
|
|
ContainerName: '$(AzureVersion)-nuget'
|
|
condition: and(succeeded(), eq(variables['SHOULD_SIGN'], 'true'))
|
|
|
|
- task: AzureFileCopy@4
|
|
displayName: 'Upload global tool packages to Azure'
|
|
inputs:
|
|
sourcePath: '$(System.ArtifactsDirectory)\signed\globaltool\*'
|
|
azureSubscription: '$(GlobalToolSubscription)'
|
|
Destination: AzureBlob
|
|
storage: '$(GlobalToolStorageAccount)'
|
|
ContainerName: 'tool'
|
|
blobPrefix: '$(Version)'
|
|
condition: and(succeeded(), eq(variables['SHOULD_SIGN'], 'true'))
|
|
|
|
- task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
|
|
displayName: 'Component Detection'
|
|
inputs:
|
|
sourceScanPath: '$(PackagePath)'
|