From 74606ca5d248209b46129cdefbdc959f698f8bb3 Mon Sep 17 00:00:00 2001
From: Adam Ratzman
Date: Wed, 27 Mar 2024 10:37:26 -0400
Subject: [PATCH] 1es migration (#9413) use 1es official pipeline template
---
eng/pipelines/official.yml | 313 ++++++------------
eng/pipelines/optprof-scheduled.yml | 132 ++++++++
eng/pipelines/templates/analyze-api.yml | 100 ------
.../templates/analyze-compliance.yml | 123 +++----
.../templates/build-official-release.yml | 200 ++++++-----
.../templates/build-pull-request.yml | 4 +-
.../templates/generate-localization.yml | 15 +-
.../templates/publish-assets-and-packages.yml | 122 ++-----
8 files changed, 426 insertions(+), 583 deletions(-)
create mode 100644 eng/pipelines/optprof-scheduled.yml
delete mode 100644 eng/pipelines/templates/analyze-api.yml
diff --git a/eng/pipelines/official.yml b/eng/pipelines/official.yml
index a020be59413..41d86e67c62 100644
--- a/eng/pipelines/official.yml
+++ b/eng/pipelines/official.yml
@@ -39,30 +39,11 @@ schedules: - main resources: - # These DartLab pipelines and repositories are only used by the Optimization stage. - pipelines: - # This name is the default value for the 'dartLabBuildResourceName' parameter in single-runsettings.yml. - - pipeline: DartLab - project: DevDiv - source: DartLab - branch: main - # This name is the default value for the 'dartLabOptProfBuildResourceName' parameter in single-runsettings.yml. - - pipeline: DartLab.OptProf - source: DartLab.OptProf - branch: main - tags: - - production repositories: - # This name is the default value for the 'dartLabTemplatesResourceName 'parameter in single-runsettings.yml. - - repository: DartLabTemplates - name: DartLab.Templates + - repository: MicroBuildTemplate type: git - ref: refs/heads/main - # This name is used to access the single-runsettings.yml template. - - repository: DartLabOptProfTemplates - name: DartLab.OptProf - type: git - ref: refs/tags/Production + name: 1ESPipelineTemplates/MicroBuildTemplate + ref: refs/tags/release # This repo is used to create the insertion PR into the vs-green repo. - repository: VSCodeExtensionRepo type: git @@ -72,12 +53,6 @@ resources: type: git name: dotnet-project-system-vscode -pool: - # Agent Queue: https://devdiv.visualstudio.com/DevDiv/_settings/agentqueues?queueId=3123&view=jobs - name: VSEngSS-MicroBuild2022-1ES - # Demands Docs: https://docs.microsoft.com/azure/devops/pipelines/process/demands?view=azure-devops&tabs=yaml#manually-entered-demands - demands: Cmd - # Note: Only add pipeline variables if they apply to most of the stages/jobs. variables: # The configuration for the build is used throughout the various pipelines as the file paths for output contain the build configuration as a folder name. 
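Review bot: The new `MicroBuildTemplate` repository resource is consumed at `ref: refs/tags/release`, which reads as a floating release channel rather than a fixed version, and the `extends:` block later in this file hands the whole official pipeline to that template. The steps and SDL tooling of a release build can therefore change with no commit in this repository. If the tag is the intended consumption channel, say so next to the `ref`, e.g. `# Floating tag owned by the template maintainers; template updates apply without a change here.`, so the trust placed in that repository is explicit. The same hunk drops the top-level `pool` with `demands: Cmd`; presumably the template's `pool` parameter replaces it, but the new pool entry carries no demand.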
@@ -107,7 +82,9 @@ variables: # - https://github.com/dotnet/Nerdbank.GitVersioning/issues/92 # Variable reference: https://learn.microsoft.com/en-us/azure/devops/pipelines/repos/pipeline-options-for-git?view=azure-devops&tabs=yaml#shallow-fetch Agent.Source.Git.ShallowFetchDepth: 0 - + TeamName: DotNet-Project-System + TeamEmail: dotnetdevexproj@microsoft.com + parameters: - name: CreateVSInsertion displayName: Create VS Insertion PR 
@@ -125,192 +102,114 @@ parameters: displayName: vs-green Insertion Branch Name type: string default: main -- name: CreateOptimizationData - displayName: Create Optimization Data - type: boolean - default: false # This should only be enabled when generating optimization data for the first time. # See details in the Build job for the MicroBuildOptProfPlugin task. - name: SkipOptimize displayName: Do Not Optimize Assemblies type: boolean default: false -# Useful when testing pipeline changes and running compliance is not necessary. -- name: SkipCompliance - displayName: Skip Compliance Validation - type: boolean - default: false -# This should only be enabled if we need to create AzDO work items based on Compliance failures. -- name: UploadTSAResults - displayName: Create Compliance Work Items - type: boolean - default: false ################################################################################################################################################################### # STAGES ################################################################################################################################################################### - -stages: -- stage: Build - displayName: Build - variables: - SkipOptimize: ${{ parameters.SkipOptimize }} - # Only used for tracking purposes in MicroBuild tasks. - # See: https://devdiv.visualstudio.com/DevDiv/_wiki/wikis/DevDiv.wiki/650/MicroBuild-Signing?anchor=high-level-steps-to-enable-signing - TeamName: DotNet-Project-System - # Auto-injects the CodeQL task. 
- # https://eng.ms/docs/cloud-ai-platform/devdiv/one-engineering-system-1es/1es-docs/codeql/configuring-codeql3000-ado-pipelines#monolithic-repos-and-multistage-pipelines - Codeql.SkipTaskAutoInjection: false - CreateVSInsertion: ${{ parameters.CreateVSInsertion }} - InsertionVSBranch: ${{ parameters.InsertionVSBranch }} - CreateVSGreenInsertion: ${{ parameters.CreateVSGreenInsertion }} - InsertionVSGreenBranch: ${{ parameters.InsertionVSGreenBranch }} - jobs: - - template: templates/build-official-release.yml - -- stage: Publish - displayName: Publish - dependsOn: Build - variables: - # https://devdiv.visualstudio.com/DevDiv/_library?itemType=VariableGroups&view=VariableGroupView&variableGroupId=434&path=DotNet-Project-System - # Variables used: - # - SymbolsUncPath - - group: DotNet-Project-System - jobs: - - template: templates/publish-assets-and-packages.yml - - template: templates/publish-symbols.yml - # Disabling RichNav due to an acquisition issue. See: https://dev.azure.com/devdiv/DevDiv/_workitems/edit/1659507 - # - template: templates/publish-richnav.yml - -# Skip this stage only when specifically requested (via SkipCompliance). -- ${{ if eq(parameters.SkipCompliance, false) }}: - - stage: Compliance - displayName: Compliance - dependsOn: Build - variables: - - name: UploadTSAResults - value: ${{ parameters.UploadTSAResults }} - - name: SoftwareVersion - value: $[ stageDependencies.Build.BuildOfficialRelease.outputs['SetPackageVersion.PackageVersion'] ] - # https://devdiv.visualstudio.com/DevDiv/_library?itemType=VariableGroups&view=VariableGroupView&variableGroupId=434&path=DotNet-Project-System - # Variables used: - # - ApiScanConnectionString - - group: DotNet-Project-System - jobs: - - template: templates/analyze-compliance.yml - - template: templates/analyze-api.yml - -- stage: Localization - displayName: Localization - # [] clears the dependency on the previous stages allowing parallelism. 
- dependsOn: [] - variables: - # Variable group containing the PATs required for running OneLocBuild. - # See: https://devdiv.visualstudio.com/DevDiv/_library?itemType=VariableGroups&view=VariableGroupView&variableGroupId=343&path=OneLocBuildVariables - # Variables used: - # - BotAccount-dotnet-bot-repo-PAT - # - dn-bot-ceapex-package-r - - group: OneLocBuildVariables - jobs: - - template: templates/generate-localization.yml - -# Run this stage only when specifically requested (via CreateOptimizationData) or when the pipeline was ran on a schedule. -- ${{ if or(eq(parameters.CreateOptimizationData, true), eq(variables['Build.Reason'], 'Schedule')) }}: - # This template is provided by the DartLabOptProfTemplates repo, declared in the repositories section (top of this file). - # It is a stage template, defining our entire Optimization stage. - - template: \templates\stages\visual-studio\single-runsettings.yml@DartLabOptProfTemplates - parameters: - name: Optimization - displayName: Optimization - dependsOn: - - Publish - # Only include the Compliance stage when it is not skipped. - - ${{ if eq(parameters.SkipCompliance, false) }}: - - Compliance +extends: + template: azure-pipelines/MicroBuild.1ES.Official.yml@MicroBuildTemplate + parameters: + sdl: + sourceAnalysisPool: VSEngSS-MicroBuild2022-1ES + tsa: + enabled: true + configFile: $(Build.SourcesDirectory)/eng/pipelines/configuration/TSAConfig.gdntsa + credscan: + enabled: true + policheck: + enabled: true + pool: + # Agent Queue: https://devdiv.visualstudio.com/DevDiv/_settings/agentqueues?queueId=3123&view=jobs + name: VSEngSS-MicroBuild2022-1ES + stages: + - stage: Build + displayName: Build variables: - - name: visualStudioBootstrapperURI - # If you set this value to the visualStudioBootstrapperURI parameter directly, it does not resolve correctly. Instead, we set it to a variable and pass that variable into the parameter. 
- # For parameter, variable, and expression syntax/usage, see: - # - https://docs.microsoft.com/azure/devops/pipelines/process/variables?view=azure-devops&tabs=yaml%2Cbatch#understand-variable-syntax - # - https://docs.microsoft.com/azure/devops/pipelines/process/expressions?view=azure-devops - # - https://docs.microsoft.com/azure/devops/pipelines/process/runtime-parameters?view=azure-devops&tabs=script#how-can-i-use-variables-inside-of-templates - # For variables across stages, see: - # - https://docs.microsoft.com/azure/devops/pipelines/process/variables?view=azure-devops&tabs=yaml%2Cbatch#use-outputs-in-a-different-stage - # - https://arunksingh16.medium.com/azure-devops-share-variable-across-stages-9bca85abfe8a - # - https://stackoverflow.com/a/57488169/294804 - # - https://github.com/microsoft/azure-pipelines-tasks/issues/4743 - value: $[ stageDependencies.Publish.PublishAssetsAndPackages.outputs['UpdateRunSettings.visualStudioBootstrapperURI'] ] - runSettingsURI: https://vsdrop.microsoft.com/file/v1/RunSettings/$(System.TeamProject)/dotnet/project-system/$(Build.SourceBranchName)/$(Build.BuildId);OptProf.runsettings - # This variable is set during the 'Update RunSettings' (UpdateRunSettings.ps1) step in the publish-assets-and-packages.yml. - # This variable is expanded when it is used: https://docs.microsoft.com/azure/devops/pipelines/process/variables?view=azure-devops&tabs=yaml%2Cbatch#macro-syntax-variables - visualStudioBootstrapperURI: $(visualStudioBootstrapperURI) - # The output of the optimization process. The first half of the path is provided to the DropNamePrefix input in the 'Install OptProf Plugin' (MicroBuildOptProfPlugin) step in build-official-release.yml. 
- optOptimizationInputsDropName: OptimizationInputs/$(System.TeamProject)/$(Build.Repository.Name)/$(Build.SourceVersion)/$(Build.BuildId)/$(System.StageAttempt) - testLabPoolName: VS-Platform - previousOptimizationInputsDropName: $(previousOptimizationInputsDropName) - prePublishOptimizationInputsDropStepList: - # This extracts the Metadata.json file information from the OptProf artifact in the build and sets the drop name to the previousOptimizationInputsDropName variable. - # The previousOptimizationInputsDropName variable enables LKG (Last Known Good) support. - # See LKG support for details: https://devdiv.visualstudio.com/DevDiv/_wiki/wikis/DevDiv.wiki/29053/Enabling-LKG-support - # This PowerShell script needs to be written in this YAML file directly as the job that runs this task does not have access to files on-disk (it does not perform a checkout). - - powershell: | - $artifactParameters = @{ - InstanceURL = 'https://dev.azure.com/devdiv' - ProjectName = 'DevDiv' - BuildID = '$(Build.BuildId)' - ArtifactName = 'OptProf' - OAuthAccessToken = (ConvertTo-SecureString '$(System.AccessToken)' -AsPlainText -Force) - } - $artifact = Get-BuildArtifact @artifactParameters - $containerName = $artifact.Resource.Data -Split '/' | Select-Object -Last 1 - $metadataString = Read-BuildArtifactFile @artifactParameters -FileName (Join-Path $containerName 'Metadata.json') - $dropName = ($metadataString | ConvertFrom-Json).OptimizationData - - Write-Host "previousOptimizationInputsDropName: $dropName" - Set-AzurePipelinesVariable 'previousOptimizationInputsDropName' $dropName - displayName: Set previousOptimizationInputsDropName variable - -# Run this stage only when specifically requested (via CreateVSInsertion or CreateVSGreenInsertion) or when the pipeline was ran on a schedule. 
-# Conditional insertion syntax: -# - https://docs.microsoft.com/azure/devops/pipelines/process/expressions?view=azure-devops#conditional-insertion -# - https://www.andrewhoefling.com/Blog/Post/conditional-insertion-in-azure-pipelines-yaml -- ${{ if or(eq(parameters.CreateVSInsertion, true), eq(parameters.CreateVSGreenInsertion, true), eq(variables['Build.Reason'], 'Schedule')) }}: - - stage: Insertion - displayName: Insertion - dependsOn: - # The Build dependsOn is required for putting that stage's variables into the stageDependencies property bag (for PackageVersion). - - Build - - Publish - # Only include the Compliance stage when it is not skipped. - - ${{ if eq(parameters.SkipCompliance, false) }}: - - Compliance - variables: - # Gets the PackageVersion variable produced by the Build pipeline. - PackageVersion: $[ stageDependencies.Build.BuildOfficialRelease.outputs['SetPackageVersion.PackageVersion'] ] - # Gets the AssemblyVersion variable produced by the Build pipeline. - AssemblyVersion: $[ stageDependencies.Build.BuildOfficialRelease.outputs['SetAssemblyVersion.AssemblyVersion'] ] - InsertionVSBranch: ${{ parameters.InsertionVSBranch }} - # Hard-coded assumption that the commit referenced by the previous VS insertion is within the last 100 commits in the $(InsertionVSBranch) of the VS repo. - PriorInsertionCommitDepth: 100 - # This variable is required by the component-insertion.yml template to insert the NPM package. - # The name of this package matches name defined in the package.json. 
- InsertNpmDependencies: '@microsoft/microsoft.visualstudio.projectsystem.managed@$(PackageVersion)' - InsertReviewers: '.NET Project System' - jobs: - - ${{ if or(eq(parameters.CreateVSInsertion, true), eq(variables['Build.Reason'], 'Schedule')) }}: - - template: templates/generate-vs-insertion.yml - - - ${{ if or(eq(parameters.CreateVSGreenInsertion, true), eq(variables['Build.Reason'], 'Schedule')) }}: - - template: azure-pipelines/external/component-insertion.yml@VSCodeExtensionRepo - parameters: - sourceBranch: $(Build.SourceBranch) - sourceCommit: $(Build.SourceVersion) - runName: $(Build.BuildNumber) - runID: $(Build.BuildId) - pipelineID: $(System.DefinitionId) - InsertTargetBranch: ${{ parameters.InsertionVSGreenBranch }} - ComponentSubDir: $(Build.Repository.Name) - - - template: eng/pipelines/templates/upgrade-version.yml@ProjectSystemVSCodeExtensionRepo - parameters: - packageVersion: $(PackageVersion) + # https://devdiv.visualstudio.com/DevDiv/_library?itemType=VariableGroups&view=VariableGroupView&variableGroupId=434&path=DotNet-Project-System + # Variables used: + # - ApiScanConnectionString + - group: DotNet-Project-System + jobs: + - template: eng/pipelines/templates/build-official-release.yml@self + parameters: + SkipOptimize: ${{ parameters.SkipOptimize }} + CreateVSInsertion: ${{ parameters.CreateVSInsertion }} + InsertionVSBranch: ${{ parameters.InsertionVSBranch }} + CreateVSGreenInsertion: ${{ parameters.CreateVSGreenInsertion }} + InsertionVSGreenBranch: ${{ parameters.InsertionVSGreenBranch }} + - stage: Publish + displayName: Publish + dependsOn: Build + variables: + # https://devdiv.visualstudio.com/DevDiv/_library?itemType=VariableGroups&view=VariableGroupView&variableGroupId=434&path=DotNet-Project-System + # Variables used: + # - SymbolsUncPath + - group: DotNet-Project-System + jobs: + - template: eng/pipelines/templates/publish-assets-and-packages.yml@self + - template: eng/pipelines/templates/publish-symbols.yml@self + # Disabling 
RichNav due to an acquisition issue. See: https://dev.azure.com/devdiv/DevDiv/_workitems/edit/1659507 + # - template: templates/publish-richnav.yml + + - stage: Localization + displayName: Localization + # [] clears the dependency on the previous stages allowing parallelism. + dependsOn: [] + variables: + # Variable group containing the PATs required for running OneLocBuild. + # See: https://devdiv.visualstudio.com/DevDiv/_library?itemType=VariableGroups&view=VariableGroupView&variableGroupId=343&path=OneLocBuildVariables + # Variables used: + # - BotAccount-dotnet-bot-repo-PAT + # - dn-bot-ceapex-package-r + - group: OneLocBuildVariables + jobs: + - template: eng/pipelines/templates/generate-localization.yml@self + + # Run this stage only when specifically requested (via CreateVSInsertion or CreateVSGreenInsertion) or when the pipeline was ran on a schedule. + # Conditional insertion syntax: + # - https://docs.microsoft.com/azure/devops/pipelines/process/expressions?view=azure-devops#conditional-insertion + # - https://www.andrewhoefling.com/Blog/Post/conditional-insertion-in-azure-pipelines-yaml + - ${{ if or(eq(parameters.CreateVSInsertion, true), eq(parameters.CreateVSGreenInsertion, true), eq(variables['Build.Reason'], 'Schedule')) }}: + - stage: Insertion + displayName: Insertion + dependsOn: + # The Build dependsOn is required for putting that stage's variables into the stageDependencies property bag (for PackageVersion). + - Build + - Publish + + variables: + # Gets the PackageVersion variable produced by the Build pipeline. + PackageVersion: $[ stageDependencies.Build.BuildOfficialRelease.outputs['SetPackageVersion.PackageVersion'] ] + # Gets the AssemblyVersion variable produced by the Build pipeline. 
+ AssemblyVersion: $[ stageDependencies.Build.BuildOfficialRelease.outputs['SetAssemblyVersion.AssemblyVersion'] ] + InsertionVSBranch: ${{ parameters.InsertionVSBranch }} + # Hard-coded assumption that the commit referenced by the previous VS insertion is within the last 100 commits in the $(InsertionVSBranch) of the VS repo. + PriorInsertionCommitDepth: 100 + # This variable is required by the component-insertion.yml template to insert the NPM package. + # The name of this package matches name defined in the package.json. + InsertNpmDependencies: '@microsoft/microsoft.visualstudio.projectsystem.managed@$(PackageVersion)' + InsertReviewers: '.NET Project System' + jobs: + - ${{ if or(eq(parameters.CreateVSInsertion, true), eq(variables['Build.Reason'], 'Schedule')) }}: + - template: eng/pipelines/templates/generate-vs-insertion.yml@self + + - ${{ if or(eq(parameters.CreateVSGreenInsertion, true), eq(variables['Build.Reason'], 'Schedule')) }}: + - template: azure-pipelines/external/component-insertion.yml@VSCodeExtensionRepo + parameters: + sourceBranch: $(Build.SourceBranch) + sourceCommit: $(Build.SourceVersion) + runName: $(Build.BuildNumber) + runID: $(Build.BuildId) + pipelineID: $(System.DefinitionId) + InsertTargetBranch: ${{ parameters.InsertionVSGreenBranch }} + ComponentSubDir: $(Build.Repository.Name) + + - template: eng/pipelines/templates/upgrade-version.yml@ProjectSystemVSCodeExtensionRepo + parameters: + packageVersion: $(PackageVersion) \ No newline at end of file diff --git a/eng/pipelines/optprof-scheduled.yml b/eng/pipelines/optprof-scheduled.yml new file mode 100644 index 00000000000..e73f717a746 --- /dev/null +++ b/eng/pipelines/optprof-scheduled.yml 
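Review bot: The `Build` stage now imports the whole `DotNet-Project-System` variable group, and the comment above it names `ApiScanConnectionString` as the value it is there for. Before this change the group was attached only to the Publish and Compliance stages, so that credential was out of scope for the stage that builds the repository's code. If APIScan has to run alongside the build now, consider declaring the group on the single job that runs the scan instead of on the stage, or moving the scan into its own job that depends on the build. At minimum add a comment such as `# Secret: mapped only into the APIScan step's env; do not reference elsewhere in this stage.` The templates that consume the value are outside this hunk, so how it is actually used there should be confirmed.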
@@ -0,0 +1,132 @@ +# Licensed to the .NET Foundation under one or more agreements. The .NET Foundation licenses this file to you under the MIT license. See the LICENSE.md file in the project root for more information. + +# Name: DotNet-Project-System-OptProf +# URL: https://devdiv.visualstudio.com/DevDiv/_build?definitionId=21326 + +# Consumes generated OptProf optimization data from the last successful run, and runs DartLab optimization template. + +################################################################################################################################################################### +# PIPELINE METADATA +################################################################################################################################################################### + +# Disable PR builds and triggers +trigger: none +pr: none + +schedules: + - cron: "0 10 */3 * *" # Approximately every 3 days, early in the morning + displayName: Semi-weekly OptProf run + branches: + include: + - main + always: true # we must keep data fresh since optimizationdata drops are purged after 30 days + +resources: + # These DartLab pipelines and repositories are only used by the Optimization stage. + pipelines: + - pipeline: Build + source: DotNet-Project-System + trigger: true + # This name is the default value for the 'dartLabBuildResourceName' parameter in single-runsettings.yml. + - pipeline: DartLab + project: DevDiv + source: DartLab + branch: main + # This name is the default value for the 'dartLabOptProfBuildResourceName' parameter in single-runsettings.yml. + - pipeline: DartLab.OptProf + source: DartLab.OptProf + branch: main + tags: + - production + repositories: + # This name is the default value for the 'dartLabTemplatesResourceName 'parameter in single-runsettings.yml. + - repository: DartLabTemplates + name: DartLab.Templates + type: git + ref: refs/heads/main + # This name is used to access the single-runsettings.yml template. 
+ - repository: DartLabOptProfTemplates + name: DartLab.OptProf + type: git + ref: refs/tags/Production + +pool: + # Agent Queue: https://devdiv.visualstudio.com/DevDiv/_settings/agentqueues?queueId=3123&view=jobs + name: VSEngSS-MicroBuild2022-1ES + # Demands Docs: https://docs.microsoft.com/azure/devops/pipelines/process/demands?view=azure-devops&tabs=yaml#manually-entered-demands + demands: Cmd + +parameters: + - name: InsertTargetBranch + type: string + default: main + +# Note: Only add pipeline variables if they apply to most of the stages/jobs. +variables: + # Sets the fetch depth to no longer be a shallow clone. Nerdbank.GitVersioning requires a non-shallow clone. + # See: + # - https://github.com/dotnet/Nerdbank.GitVersioning/issues/423 + # - https://github.com/dotnet/Nerdbank.GitVersioning/issues/92 + # Variable reference: https://learn.microsoft.com/en-us/azure/devops/pipelines/repos/pipeline-options-for-git?view=azure-devops&tabs=yaml#shallow-fetch + Agent.Source.Git.ShallowFetchDepth: 0 + + TeamName: DotNet-Project-System + TeamEmail: dotnetdevexproj@microsoft.com + +################################################################################################################################################################### +# STAGES +################################################################################################################################################################### + +stages: +- template: \templates\stages\visual-studio\single-runsettings.yml@DartLabOptProfTemplates + parameters: + name: Optimization + displayName: Optimization + variables: + - name: VisualStudio.InstallationUnderTest.BootstrapperBranch + value: ${{ parameters.InsertTargetBranch }} + runSettingsURI: https://vsdrop.microsoft.com/file/v1/RunSettings/$(System.TeamProject)/dotnet/project-system/$(Build.SourceBranchName)/$(resources.pipeline.Build.runID);OptProf.runsettings + # This variable is set during the 'Update RunSettings' (UpdateRunSettings.ps1) 
step in the publish-assets-and-packages.yml. + # This variable is expanded when it is used: https://docs.microsoft.com/azure/devops/pipelines/process/variables?view=azure-devops&tabs=yaml%2Cbatch#macro-syntax-variables + visualStudioBootstrapperURI: $(VisualStudio.InstallationUnderTest.BootstrapperURL) + # The output of the optimization process. The first half of the path is provided to the DropNamePrefix input in the 'Install OptProf Plugin' (MicroBuildOptProfPlugin) step in build-official-release.yml. + optOptimizationInputsDropName: OptimizationInputs/$(System.TeamProject)/$(Build.Repository.Name)/$(Build.SourceVersion)/$(resources.pipeline.Build.runID)/$(System.StageAttempt) + testLabPoolName: VS-Platform + previousOptimizationInputsDropName: $(previousOptimizationInputsDropName) + ##### Step Hooks ##### + preTestMachineConfigurationStepList: + # Download the staging artifacts from the release pipeline. + - download: Build + displayName: Download Staging Artifacts + artifact: Staging + # Only download the necessary files for publishing. + patterns: | + MicroBuild/** + OptProf/** + - task: PowerShell@2 + inputs: + filePath: $(DartLab.Path)\Scripts\VisualStudio\Bootstrapper\Get-BootstrapperURL.ps1 + arguments: -BootstrapperInfoJsonURI '$(Pipeline.Workspace)\Build\Staging\MicroBuild\Output\BootstrapperInfo.json' -VSBranch '$(VisualStudio.InstallationUnderTest.BootstrapperBranch)' -OutVariableName 'VisualStudio.InstallationUnderTest.BootstrapperURL' + displayName: Set 'VisualStudio.InstallationUnderTest.BootstrapperURL' + + prePublishOptimizationInputsDropStepList: + # This extracts the Metadata.json file information from the OptProf artifact in the build and sets the drop name to the previousOptimizationInputsDropName variable. + # The previousOptimizationInputsDropName variable enables LKG (Last Known Good) support. 
+ # See LKG support for details: https://devdiv.visualstudio.com/DevDiv/_wiki/wikis/DevDiv.wiki/29053/Enabling-LKG-support + # This PowerShell script needs to be written in this YAML file directly as the job that runs this task does not have access to files on-disk (it does not perform a checkout). + - powershell: | + $artifactParameters = @{ + InstanceURL = 'https://dev.azure.com/devdiv' + ProjectName = 'DevDiv' + BuildID = '$(resources.pipeline.Build.runID)' + ArtifactName = 'OptProf' + OAuthAccessToken = (ConvertTo-SecureString '$(System.AccessToken)' -AsPlainText -Force) + } + $artifact = Get-BuildArtifact @artifactParameters + $containerName = $artifact.Resource.Data -Split '/' | Select-Object -Last 1 + $metadataString = Read-BuildArtifactFile @artifactParameters -FileName (Join-Path $containerName 'Metadata.json') + $dropName = ($metadataString | ConvertFrom-Json).OptimizationData + + Write-Host "previousOptimizationInputsDropName: $dropName" + Set-AzurePipelinesVariable 'previousOptimizationInputsDropName' $dropName + displayName: Set previousOptimizationInputsDropName variable \ No newline at end of file diff --git a/eng/pipelines/templates/analyze-api.yml b/eng/pipelines/templates/analyze-api.yml deleted file mode 100644 index 1c34b860596..00000000000 --- a/eng/pipelines/templates/analyze-api.yml +++ /dev/null 
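Review bot: In the inline `powershell:` step under `prePublishOptimizationInputsDropStepList`, `'$(System.AccessToken)'` is macro-expanded into the script text, so the job token ends up in the generated script on the agent instead of being passed through the environment. Map it explicitly: add `env:` with `SYSTEM_ACCESSTOKEN: $(System.AccessToken)` to the step and build the credential with `ConvertTo-SecureString $env:SYSTEM_ACCESSTOKEN -AsPlainText -Force`. Separately, the `Build` pipeline resource uses `trigger: true` with no branch filter, so a completed run of `DotNet-Project-System` from any branch would presumably start this pipeline and publish optimization inputs. A `branches: include: - main` filter on that trigger would match the scope of the schedule.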
@@ -1,100 +0,0 @@ -# Licensed to the .NET Foundation under one or more agreements. The .NET Foundation licenses this file to you under the MIT license. See the LICENSE.md file in the project root for more information. - -jobs: -- job: AnalyzeAPI - displayName: Analyze API - timeoutInMinutes: 180 - # This is a non-critical job, so don't fail the build if it fails. - continueOnError: true - steps: - - ################################################################################################################################################################### - # DOWNLOAD ARTIFACTS - ################################################################################################################################################################### - - # Use a disabled, empty script to display the section header in the pipeline UI. - - script: - displayName: === Download Artifacts === - condition: false - - # Download the build artifacts from the Build job. - - download: current - displayName: Download Build Artifacts - artifact: $(Build.BuildNumber) - # Only download the necessary files for API validation. - patterns: | - bin/Dlls/**/Microsoft.VisualStudio.AppDesigner*.pdb - bin/Dlls/**/Microsoft.VisualStudio.Editors*.pdb - bin/Dlls/**/Microsoft.VisualStudio.ProjectSystem.Managed*.pdb - bin/Dlls/**/Microsoft.VisualStudio.AppDesigner*.dll - bin/Dlls/**/Microsoft.VisualStudio.Editors*.dll - bin/Dlls/**/Microsoft.VisualStudio.ProjectSystem.Managed*.dll - - ################################################################################################################################################################### - # RUN ANALYSIS - ################################################################################################################################################################### - - # Use a disabled, empty script to display the section header in the pipeline UI. 
- - script: - displayName: === Run Analysis === - condition: false - - # Scan for the use of undocumented APIs. - # YAML reference: https://eng.ms/docs/security-compliance-identity-and-management-scim/security/azure-security/cloudai-security-fundamentals-engineering/security-integration/guardian-wiki/sdl-azdo-extension/apiscan-build-task#v2 - - task: APIScan@2 - displayName: Run APIScan - inputs: - softwareFolder: $(Pipeline.Workspace)/$(Build.BuildNumber)/bin/Dlls - softwareName: Dotnet-Project-System - softwareVersionNum: $(SoftwareVersion) - softwareBuildNum: $(Build.BuildId) - symbolsFolder: SRV*http://symweb - noCopySymbols: true - noCopyBinaries: true - noDecompress: true - isLargeApp: true - verbosityLevel: minimal - preserveTempFiles: true - # APIScan requires an Azure Identity to run. That is provided via an Azure service principal. - # - https://microsoft.sharepoint.com/teams/apiscan/APIScan%20User%20Wiki/authentication_using_AAD_identities.aspx - # - https://microsoft.sharepoint.com/teams/apiscan/Lists/Contacts%20%20System%20Account%20and%20Wrappers/AllItems.aspx?skipSignal=true - # This value is provided from the DotNet-Project-System variable group, defined in the stage variables. - env: - AzureServicesAuthConnectionString: $(ApiScanConnectionString) - - ################################################################################################################################################################### - # PUBLISH RESULTS - ################################################################################################################################################################### - - # Use a disabled, empty script to display the section header in the pipeline UI. - - script: - displayName: === Publish Results === - condition: false - - # Only run this task if UploadTSAResults was specified. 
- - ${{ if eq(variables.UploadTSAResults, true) }}: - # Upload the output of the compliance tools to Trust Services Automation (TSA), and create Azure DevOps work items for failures. - # TSA overview: https://eng.ms/docs/cloud-ai-platform/developer-services/one-engineering-system-1es/1es-docs/trust-services-automation-tsa/tsa-overview - # YAML reference: https://eng.ms/docs/cloud-ai-platform/developer-services/one-engineering-system-1es/1es-docs/trust-services-automation-tsa/tsa-upload-build-task#yaml-reference - - task: TSAUpload@2 - displayName: Upload Results to TSA - inputs: - GdnPublishTsaOnboard: true - # Configures the compliance tool results to process. - # Configuration file format: - # - https://eng.ms/docs/security-compliance-identity-and-management-scim/security/azure-security/cloudai-security-fundamentals-engineering/security-integration/guardian-wiki/microsoft-guardian/guardian-tsa#tsa-options-file - # - https://dev.azure.com/securitytools/SecurityIntegration/_wiki/wikis/Guardian/1409/Guardian-TSA?anchor=tsa-options-file - GdnPublishTsaConfigFile: $(Build.SourcesDirectory)/eng/pipelines/configuration/TSAConfig.gdntsa - GdnPublishTsaExportedResultsPublishable: true - condition: succeededOrFailed() - - # Publishes the results as artifacts to the Azure Pipeline. - # YAML reference: https://eng.ms/docs/security-compliance-identity-and-management-scim/security/azure-security/cloudai-security-fundamentals-engineering/security-integration/guardian-wiki/sdl-azdo-extension/publish-security-analysis-logs#v3 - - task: PublishSecurityAnalysisLogs@3 - displayName: Publish API Artifacts - inputs: - ArtifactName: Analysis-API - ArtifactType: Container - AllTools: true - ToolLogsNotFoundAction: Standard - condition: succeededOrFailed() \ No newline at end of file diff --git a/eng/pipelines/templates/analyze-compliance.yml b/eng/pipelines/templates/analyze-compliance.yml index ccbd297b451..10b5a92c8e4 100644 --- a/eng/pipelines/templates/analyze-compliance.yml 
+++ b/eng/pipelines/templates/analyze-compliance.yml 
@@ -1,34 +1,12 @@ # Licensed to the .NET Foundation under one or more agreements. The .NET Foundation licenses this file to you under the MIT license. See the LICENSE.md file in the project root for more information. -jobs: -# Overview of tasks offered for security and compliance: -# - https://dev.azure.com/securitytools/SecurityIntegration/_wiki/wikis/Guardian/1425/Guardian-Tools -# - https://eng.ms/docs/security-compliance-identity-and-management-scim/security/azure-security/cloudai-security-fundamentals-engineering/security-integration/guardian-wiki -# - https://eng.ms/docs/security-compliance-identity-and-management-scim/security/azure-security/cloudai-security-fundamentals-engineering/security-integration/guardian-wiki/sdl-azdo-extension/secure-development-tools-extension-for-azure-devops#tools -# Other tools to consider: -# - InferSharp: https://dev.azure.com/securitytools/SecurityIntegration/_wiki/wikis/Guardian/1638/InferSharp-Usage -# - CodeQL: https://eng.ms/docs/security-compliance-identity-and-management-scim/security/azure-security/cloudai-security-fundamentals-engineering/security-integration/guardian-wiki/sdl-azdo-extension/codeql-build-task -- job: AnalyzeCompliance - displayName: Analyze Compliance - timeoutInMinutes: 20 - steps: +parameters: + - name: SoftwareVersion + type: string - ################################################################################################################################################################### - # DOWNLOAD ARTIFACTS - ################################################################################################################################################################### - - # Use a disabled, empty script to display the section header in the pipeline UI. - - script: - displayName: === Download Artifacts === - condition: false - - # Download the build artifacts from the Build job. - # The DownloadPipelineArtifact task is used since we can specify the output path. 
The 'download:' node doesn't allow changes in output location. - - task: DownloadPipelineArtifact@2 - displayName: Download Build Artifacts - inputs: - artifact: '$(Build.BuildNumber)' - path: $(Build.SourcesDirectory)/artifacts/$(BuildConfiguration) +steps: + # Most SDL tasks are run through the 1ES official pipeline template: https://eng.ms/docs/cloud-ai-platform/devdiv/one-engineering-system-1es/1es-docs/1es-pipeline-templates/features/sdlanalysis/overview + # However, we still must run CodeSign and APIScan ourselves ################################################################################################################################################################### # RUN ANALYSIS 
@@ -68,45 +46,28 @@ jobs: ExcludeFolders: bootstrapper condition: succeededOrFailed() - # Scan for problematic terminology. Related documentation: - # - https://microsoft.sharepoint.com/sites/globalreadiness/SitePages/PoliCheck.aspx - # - https://policheck.microsoft.com/ - # Requires scanning both the source and the build artifacts: https://liquid.microsoft.com/Web/Object/Read/MS.GlobalReadiness/Requirements/01.01#Zapplicability - # YAML reference: https://eng.ms/docs/security-compliance-identity-and-management-scim/security/azure-security/cloudai-security-fundamentals-engineering/security-integration/guardian-wiki/sdl-azdo-extension/PoliCheck-build-task#v2 - - task: PoliCheck@2 - displayName: Run PoliCheck - inputs: - # F - Scan a particular file or folder (recursively) - targetType: F - targetArgument: $(Build.SourcesDirectory) - # 1 - Enable scanning of comments - optionsFC: 1 - # Scan for severity 1, 2, and 3 issues - optionsSEV: '1|2|3' - condition: succeededOrFailed() - - # Scan for credentials and other sensitive information. Related documentation: - # - https://strikecommunity.azurewebsites.net/articles/4114/credential-scanner-overview.html - # Even though it isn't explicitly stated, we scan both the source and the build artifacts. - # YAML reference: https://eng.ms/docs/security-compliance-identity-and-management-scim/security/azure-security/cloudai-security-fundamentals-engineering/security-integration/guardian-wiki/sdl-azdo-extension/credscan-azure-devops-build-task#v3-preview - - task: CredScan@3 - displayName: Run CredScan - inputs: - # Output in PREFast format so TSAUpload can consume it. - outputFormat: pre - condition: succeededOrFailed() - - # Validates compiler/linker settings and other security-related binary characteristics. 
- # https://github.com/Microsoft/binskim - # YAML reference: https://eng.ms/docs/security-compliance-identity-and-management-scim/security/azure-security/cloudai-security-fundamentals-engineering/security-integration/guardian-wiki/sdl-azdo-extension/binskim-build-task#v4 - - task: BinSkim@4 - displayName: Run BinSkim + # Scan for the use of undocumented APIs. + # YAML reference: https://eng.ms/docs/security-compliance-identity-and-management-scim/security/azure-security/cloudai-security-fundamentals-engineering/security-integration/guardian-wiki/sdl-azdo-extension/apiscan-build-task#v2 + - task: APIScan@2 + displayName: Run APIScan inputs: - InputType: Basic - Function: analyze - TargetPattern: binskimPattern - AnalyzeTargetBinskim: $(Build.SourcesDirectory)/artifacts/$(BuildConfiguration)/bin/Dlls/**.dll - condition: succeededOrFailed() + softwareFolder: $(Build.SourcesDirectory)/artifacts/$(BuildConfiguration)/bin/Dlls + softwareName: Dotnet-Project-System + softwareVersionNum: ${{ parameters.SoftwareVersion }} + softwareBuildNum: $(Build.BuildId) + symbolsFolder: SRV*http://symweb + noCopySymbols: true + noCopyBinaries: true + noDecompress: true + isLargeApp: true + verbosityLevel: minimal + preserveTempFiles: true + # APIScan requires an Azure Identity to run. That is provided via an Azure service principal. + # - https://microsoft.sharepoint.com/teams/apiscan/APIScan%20User%20Wiki/authentication_using_AAD_identities.aspx + # - https://microsoft.sharepoint.com/teams/apiscan/Lists/Contacts%20%20System%20Account%20and%20Wrappers/AllItems.aspx?skipSignal=true + # This value is provided from the DotNet-Project-System variable group, defined in the stage variables. + env: + AzureServicesAuthConnectionString: $(ApiScanConnectionString) ################################################################################################################################################################### # PUBLISH RESULTS 
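Review bot: The added APIScan step sets `symbolsFolder: SRV*http://symweb`, so symbols are fetched over plain HTTP with nothing authenticating the symbol server or protecting the files in transit. If that server offers TLS (not visible from this page, so confirm first), `symbolsFolder: SRV*https://symweb` is the safer value; otherwise add a comment stating that the host is only reachable on the internal network. The step also lacks the `condition: succeededOrFailed()` that the analysis step just above it in this hunk carries, so APIScan is skipped whenever an earlier step in the job fails; add the condition if that is not intended.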
@@ -117,23 +78,6 @@ jobs: displayName: === Publish Results === condition: false - # Only run this task if UploadTSAResults was specified. - - ${{ if eq(variables.UploadTSAResults, true) }}: - # Upload the output of the compliance tools to Trust Services Automation (TSA), and create Azure DevOps work items for failures. - # TSA overview: https://eng.ms/docs/cloud-ai-platform/developer-services/one-engineering-system-1es/1es-docs/trust-services-automation-tsa/tsa-overview - # YAML reference: https://eng.ms/docs/cloud-ai-platform/developer-services/one-engineering-system-1es/1es-docs/trust-services-automation-tsa/tsa-upload-build-task#yaml-reference - - task: TSAUpload@2 - displayName: Upload Results to TSA - inputs: - GdnPublishTsaOnboard: true - # Configures the compliance tool results to process. - # Configuration file format: - # - https://eng.ms/docs/security-compliance-identity-and-management-scim/security/azure-security/cloudai-security-fundamentals-engineering/security-integration/guardian-wiki/microsoft-guardian/guardian-tsa#tsa-options-file - # - https://dev.azure.com/securitytools/SecurityIntegration/_wiki/wikis/Guardian/1409/Guardian-TSA?anchor=tsa-options-file - GdnPublishTsaConfigFile: $(Build.SourcesDirectory)/eng/pipelines/configuration/TSAConfig.gdntsa - GdnPublishTsaExportedResultsPublishable: true - condition: succeededOrFailed() - # Publishes the results as artifacts to the Azure Pipeline. # YAML reference: https://eng.ms/docs/security-compliance-identity-and-management-scim/security/azure-security/cloudai-security-fundamentals-engineering/security-integration/guardian-wiki/sdl-azdo-extension/publish-security-analysis-logs#v3 - task: PublishSecurityAnalysisLogs@3 
@@ -143,4 +87,15 @@ jobs: ArtifactType: Container AllTools: true ToolLogsNotFoundAction: Standard - condition: succeededOrFailed() \ No newline at end of file + condition: succeededOrFailed() + + # Publishes the results as artifacts to the Azure Pipeline. + # YAML reference: https://eng.ms/docs/security-compliance-identity-and-management-scim/security/azure-security/cloudai-security-fundamentals-engineering/security-integration/guardian-wiki/sdl-azdo-extension/publish-security-analysis-logs#v3 + - task: PublishSecurityAnalysisLogs@3 + displayName: Publish API Artifacts + inputs: + ArtifactName: Analysis-API + ArtifactType: Container + AllTools: true + ToolLogsNotFoundAction: Standard + condition: succeededOrFailed() diff --git a/eng/pipelines/templates/build-official-release.yml b/eng/pipelines/templates/build-official-release.yml index 3dadc8f7db3..6b836d9b198 100644 --- a/eng/pipelines/templates/build-official-release.yml +++ b/eng/pipelines/templates/build-official-release.yml 
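Review bot: The added `Publish API Artifacts` step is a copy of the publish step directly above it, comment included, and both set `AllTools: true`. `Analysis-API` will therefore most likely contain the same tool logs as the first artifact rather than only the APIScan output. Either drop the second step or restrict it to the APIScan logs instead of `AllTools: true`, and reword its comment to say what distinguishes it, e.g. `# Publishes only the APIScan logs, kept as a separate artifact for the API review.` The first publish step starts above this hunk, so its artifact name is not visible here.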
@@ -1,10 +1,92 @@ # Licensed to the .NET Foundation under one or more agreements. The .NET Foundation licenses this file to you under the MIT license. See the LICENSE.md file in the project root for more information. - +parameters: + - name: SkipOptimize + type: boolean + - name: CreateVSInsertion + type: boolean + - name: InsertionVSBranch + type: string + - name: CreateVSGreenInsertion + type: boolean + - name: InsertionVSGreenBranch + type: string + jobs: - job: BuildOfficialRelease displayName: Build Official Release # We make this timeout more than double the normal amount of build time as signing has a highly variable amount of time to complete. - timeoutInMinutes: 90 + timeoutInMinutes: 90 # API Scan can take a long time and fail the build + templateContext: + mb: + signing: + enabled: true + # See: https://github.com/dotnet/project-system/issues/7935, signType cannot be test (fails erroneously) + signType: real + esrpSigning: true + zipSources: false + sbom: + enabled: true + outputParentDirectory: $(Build.SourcesDirectory)/artifacts + outputs: + # Publish artifacts + - output: pipelineArtifact + displayName: Publish Build Artifacts + targetPath: $(Build.SourcesDirectory)/artifacts/$(BuildConfiguration) + artifactName: $(Build.BuildNumber) + condition: succeededOrFailed() + - output: pipelineArtifact + displayName: Publish Staging Artifacts + targetPath: $(Build.StagingDirectory) + artifactName: Staging + condition: succeededOrFailed() + - output: pipelineArtifact + displayName: Publish Loc Artifacts + targetPath: $(Build.SourcesDirectory)/artifacts/$(BuildConfiguration)/bin/Dlls/ + artifactName: Loc + condition: succeededOrFailed() + + # Publish VS drop + - output: microBuildVstsDrop + dropFolder: $(Build.SourcesDirectory)/artifacts/$(BuildConfiguration)/VSSetup/Insertion + # TODO: Consider using $(GitBuildVersion) instead of $(Build.BuildNumber) as it better correlates the build of the code to the VS insertion. 
+ # Meaning, instead of VS Insertion -> Pipeline BuildNumber -> Code BuildVersion, it would just be VS Insertion -> Code BuildVersion. + # If this is updated, VstsDropNames set in build-official-release.yml would also need to be updated. + # For GitBuildVersion: https://github.com/dotnet/Nerdbank.GitVersioning/blob/main/doc/cloudbuild.md#automatically-match-cloud-build-numbers-to-to-your-git-version + # Issue: https://github.com/dotnet/project-system/issues/8431 + # Example of current path: 'Products/[DevDiv]/[vs-resource-explorer]/[main]/[x.x]' + dropName: Products/$(System.TeamProject)/$(Build.Repository.Name)/$(Build.SourceBranchName)/$(Build.BuildNumber) + dropRetentionDays: 60 + # When this isn't provided, the tool sets the --AadAuth flag instead of using --PatAuthEnvVar. The AadAuth doesn't seem to work for this situation. + accessToken: $(System.AccessToken) + + # Publish nuget packages + - output: nuget + displayName: Publish Nuget Packages to vs-green + packagesToPush: $(Build.SourcesDirectory)/artifacts/$(BuildConfiguration)/packages/*.nupkg + packageParentPath: $(Build.SourcesDirectory)/artifacts/$(BuildConfiguration)/packages + publishVstsFeed: DevDiv/vs-green + allowPackageConflicts: true + nuGetFeedType: internal + # Publishes the NuGet packages to DevDiv/VS (https://dev.azure.com/DevDiv/DevDiv/_artifacts/feed/VS) + # A separate process will republish these packages to DevDiv/VS-CoreXtFeeds (https://dev.azure.com/DevDiv/DevDiv/_artifacts/feed/VS-CoreXtFeeds) + - output: nuget + displayName: Publish Nuget Packages to DevDiv + packagesToPush: $(Build.SourcesDirectory)/artifacts/$(BuildConfiguration)/packages/*.nupkg + packageParentPath: $(Build.SourcesDirectory)/artifacts/$(BuildConfiguration)/packages + # Feed Endpoint: https://devdiv.pkgs.visualstudio.com/_packaging/VS/nuget/v3/index.json + # Requires VssFeedId despite documentation here: https://docs.microsoft.com/azure/devops/pipelines/artifacts/nuget?view=azure-devops&tabs=yaml#publish-a-package + 
publishVstsFeed: 97a41293-2972-4f48-8c0e-05493ae82010 + allowPackageConflicts: true + - output: nuget + displayName: Publish Nuget Packages to azure-publish + packagesToPush: $(Build.SourcesDirectory)/artifacts/$(BuildConfiguration)/packages/*.nupkg + packageParentPath: $(Build.SourcesDirectory)/artifacts/$(BuildConfiguration)/packages + publishVstsFeed: DevDiv/vs-green + publishFeedCredentials: azure-public/vs-impl + allowPackageConflicts: true + nuGetFeedType: external + + steps: ################################################################################################################################################################### 
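Review bot: The last `nuget` output mixes settings for two destinations. `nuGetFeedType: external` with `publishFeedCredentials: azure-public/vs-impl` targets the external feed, but `publishVstsFeed: DevDiv/vs-green` looks copied from the first output and names an internal feed. Which setting the template honours is not visible here, so packages could end up on a feed other than the one the step name suggests. Remove the `publishVstsFeed` line from that output and correct its name to `displayName: Publish Nuget Packages to azure-public`. The comment explaining `allowPackageConflicts: true` was also lost in the move; restore it on the first output, e.g. `# Lets the push succeed when the package version already exists; packages cannot be overridden in a feed.`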
@@ -12,49 +94,18 @@ jobs: ################################################################################################################################################################### # See: https://stackoverflow.com/a/30524983/294804 - - powershell: if (-not (git ls-remote --heads https://$(System.AccessToken)@dev.azure.com/devdiv/DevDiv/_git/VS $(InsertionVSBranch))) { Write-Host "The branch name '$(InsertionVSBranch)' is not valid."; exit 1 } + - powershell: if (-not (git ls-remote --heads https://$(System.AccessToken)@dev.azure.com/devdiv/DevDiv/_git/VS ${{ parameters.InsertionVSBranch }})) { Write-Host "The branch name '${{ parameters.InsertionVSBranch }}' is not valid."; exit 1 } displayName: Validate VS Insertion Branch Name - condition: eq(variables.CreateVSInsertion, true) - - powershell: if (-not (git ls-remote --heads https://$(System.AccessToken)@dev.azure.com/devdiv/DevDiv/_git/vs-green $(InsertionVSGreenBranch))) { Write-Host "The branch name '$(InsertionVSGreenBranch)' is not valid."; exit 1 } + condition: eq(${{ parameters.CreateVSInsertion }}, true) + - powershell: if (-not (git ls-remote --heads https://$(System.AccessToken)@dev.azure.com/devdiv/DevDiv/_git/vs-green ${{ parameters.InsertionVSGreenBranch }})) { Write-Host "The branch name '${{ parameters.InsertionVSGreenBranch }}' is not valid."; exit 1 } displayName: Validate vs-green Insertion Branch Name - condition: eq(variables.CreateVSGreenInsertion, true) - - ################################################################################################################################################################### - # PLUGIN INSTALLATION - ################################################################################################################################################################### - - # Use a disabled, empty script to display the section header in the pipeline UI. 
- - script: - displayName: === Plugin Installation === - condition: false - - # Necessary for signing the assemblies and packages. - # YAML reference: https://devdiv.visualstudio.com/Engineering/_git/MicroBuild?path=/src/Tasks/SigningPlugin/task.json - - task: MicroBuildSigningPlugin@4 - displayName: Install Signing Plugin - inputs: - # Build fails if this is set to 'test'. - # See: https://github.com/dotnet/project-system/issues/7935 - signType: real - esrpSigning: true - - # Gets the signconfig.xml from the MicroBuild Signing plugin and sets the retry interval to 45 seconds. - # This reduces the calls to the signing API (potentially increasing signing speed) and reduces the pipeline log bloat when polling signing completion. - - powershell: . '$(Build.SourcesDirectory)/eng/scripts/SetSigningRetryInterval.ps1' -signConfigPath ((Get-ChildItem -Path '$(Build.StagingDirectory)/MicroBuild/Plugins/*/build/signconfig.xml').FullName) -intervalInSeconds 45 - displayName: Set Signing Interval - # This is not a necessary task for the build to be successful. - continueOnError: true - - # Allows creating SBOM information during the build. - # See: https://dev.azure.com/devdiv/DevDiv/_wiki/wikis/DevDiv.wiki/29786/Common-setup-authoring-recommendations?anchor=including-sbom-support - - task: MicroBuildSbomPlugin@1 - displayName: Install SBOM Plugin - - # This requires the OptimizationInputs via the 'Publish OptimizationInputs drop' step in the release pipeline. - # To generate ProfilingInputs for the first time, set this input: ShouldSkipOptimize: true - # See documentation here: https://devdiv.visualstudio.com/DevDiv/_wiki/wikis/DevDiv.wiki/2602/Build-With-Expired-(or-Without-Prior)-Optimization-Profiling-Data - # This plugin will restore MicroBuild.Plugins.OptProf which is required to create ProfilingInputs data. - # The projects include OptProf.targets which uses MicroBuild.Plugins.OptProf to run the target GenerateProfilingInputs on each project. 
+ condition: eq(${{ parameters.CreateVSGreenInsertion }}, true) + + # This requires the OptimizationInputs via the 'Publish OptimizationInputs drop' step in the release pipeline. + # To generate ProfilingInputs for the first time, set this input: ShouldSkipOptimize: true + # See documentation here: https://devdiv.visualstudio.com/DevDiv/_wiki/wikis/DevDiv.wiki/2602/Build-With-Expired-(or-Without-Prior)-Optimization-Profiling-Data + # This plugin will restore MicroBuild.Plugins.OptProf which is required to create ProfilingInputs data. + # The projects include OptProf.targets which uses MicroBuild.Plugins.OptProf to run the target GenerateProfilingInputs on each project. - task: MicroBuildOptProfPlugin@6 displayName: Install OptProf Plugin inputs: @@ -80,7 +131,7 @@ jobs: condition: false # Runs the full build of the projects in the repository. See Build.proj for details. - - script: $(Build.SourcesDirectory)/build.cmd /v:normal /p:Configuration=$(BuildConfiguration) /p:CIBuild=true + - script: $(Build.SourcesDirectory)/build.cmd /v:normal /p:Configuration=$(BuildConfiguration) /p:CIBuild=true /p:Test=true displayName: Build All Projects env: # The Microsoft.VisualStudio.Internal.MicroBuild.SetupTooling.props assumes this value is set, which sets the ManifestPublishUrl property. 
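Review bot: Both branch-validation steps splice `${{ parameters.InsertionVSBranch }}` and `${{ parameters.InsertionVSGreenBranch }}` into the PowerShell source at template expansion, so a value containing quotes, `;` or `)` is parsed as script instead of data. This happens in the job that holds `$(System.AccessToken)` and real signing. Pass the branch name through `env:` and read it as `$env:...` so that it always reaches git as a single argument. The token is also embedded in the remote URL, where git may echo it in error output; sending it as an `http.extraheader` keeps it out of the URL. The same change applies to the vs-green step.

```yaml
- powershell: |
    $heads = git -c "http.extraheader=AUTHORIZATION: bearer $env:SYSTEM_ACCESSTOKEN" ls-remote --heads https://dev.azure.com/devdiv/DevDiv/_git/VS $env:INSERTION_BRANCH
    if (-not $heads) { Write-Host "The branch name '$env:INSERTION_BRANCH' is not valid."; exit 1 }
  displayName: Validate VS Insertion Branch Name
  condition: eq(${{ parameters.CreateVSInsertion }}, true)
  env:
    SYSTEM_ACCESSTOKEN: $(System.AccessToken)
    INSERTION_BRANCH: ${{ parameters.InsertionVSBranch }}
# … vs-green validation step: same change with InsertionVSGreenBranch and the vs-green repository URL …
# … unchanged: OptProf plugin comment and MicroBuildOptProfPlugin@6 step …
```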
@@ -139,8 +190,14 @@ jobs: # Outputting to the Insertion folder allows the bootstrapper to be published to the Products drop, along with our insertion files. # The merged .vsman (OverlaidInstallerManifest.vsman) created by the bootstrapper assumes the bootstrapper will be output to the same drop (Products) as the insertion files. outputFolder: $(Build.SourcesDirectory)/artifacts/$(BuildConfiguration)/VSSetup/Insertion + + - task: CopyFiles@2 + inputs: + SourceFolder: $(Agent.TempDirectory)\MicroBuild\Output + TargetFolder: $(Build.StagingDirectory)\MicroBuild\Output + displayName: 'Copy BootstrapperInfo.json to Staging' - # Run this task only when the pipeline was ran on a schedule. + # Run this task only when the pipeline was ran on a schedule. - ${{ if eq(variables['Build.Reason'], 'Schedule') }}: # This adds our source information to http://index (which is called Codex). # https://github.com/Ref12/Codex @@ -166,12 +223,10 @@ jobs: # This is a non-critical task, so don't fail the build if it fails. continueOnError: true - # Uploads telemetry to MicroBuild about the MicroBuild components used. - - task: MicroBuildCleanup@1 - displayName: Send MicroBuild Telemetry - condition: succeededOrFailed() - # This is a non-critical task, so don't fail the build if it fails. - continueOnError: true + - template: analyze-compliance.yml + parameters: + # For us software version is same as nuget package version + SoftwareVersion: $(NBGV_NuGetPackageVersion) ################################################################################################################################################################### # PUBLISH BUILD 
@@ -179,11 +234,6 @@ jobs: # https://docs.microsoft.com/azure/devops/pipelines/process/tasks?view=azure-devops&tabs=yaml#task-control-options ################################################################################################################################################################### - # Use a disabled, empty script to display the section header in the pipeline UI. - - script: - displayName: === Publish Build === - condition: false - # Publishes the test results to the Azure Pipeline itself so they can be viewed in the UI. # This needs to be ran after the build, because if the build failed due to a test failure, the test results wouldn't be published. - task: PublishTestResults@2 
@@ -193,34 +243,18 @@ jobs: testResultsFiles: $(Build.SourcesDirectory)/artifacts/$(BuildConfiguration)/TestResults/**/*.trx testRunTitle: Unit Test Results condition: succeededOrFailed() - - # The .artifactignore file filters the artifacts published from a particular folder. - # This must be present in the folder we want to publish and be named '.artifactignore'. - # See: https://docs.microsoft.com/azure/devops/artifacts/reference/artifactignore?view=azure-devops - - powershell: Copy-Item -Path '$(Build.SourcesDirectory)/eng/pipelines/configuration/build.artifactignore' -Destination '$(Build.SourcesDirectory)/artifacts/$(BuildConfiguration)/.artifactignore' - displayName: Copy Build Artifact Filter - condition: succeededOrFailed() - - # Publishes the artifacts folder contents to the Azure Pipeline for use in other jobs/stages. - # This publish is filtered by the .artifactignore in the 'eng' folder. See that file for more details. - - publish: $(Build.SourcesDirectory)/artifacts/$(BuildConfiguration) - displayName: Publish Build Artifacts - # TODO: Consider using $(GitBuildVersion) instead of $(Build.BuildNumber) as it better correlates the build of the code, instead of the run of the pipeline. - # Traditionally, this artifact name was used as it was required for the prior VS insertion mechanism. - # Issue: https://github.com/dotnet/project-system/issues/8431 - artifact: $(Build.BuildNumber) - condition: succeededOrFailed() - - # The .artifactignore file filters the artifacts published from a particular folder. - # This must be present in the folder we want to publish and be named '.artifactignore'. - # See: https://docs.microsoft.com/azure/devops/artifacts/reference/artifactignore?view=azure-devops + + # The .artifactignore file filters the artifacts published from a particular folder. + # This must be present in the folder we want to publish and be named '.artifactignore'. 
+ # See: https://docs.microsoft.com/azure/devops/artifacts/reference/artifactignore?view=azure-devops - powershell: Copy-Item -Path '$(Build.SourcesDirectory)/eng/pipelines/configuration/staging.artifactignore' -Destination '$(Build.StagingDirectory)/.artifactignore' displayName: Copy Staging Artifact Filter condition: succeededOrFailed() - # Publishes the staging folder contents to the Azure Pipeline for use in other jobs/stages. - # The Build.StagingDirectory is used by certain plugin outputs, such as MicroBuild and OptProf. - - publish: $(Build.StagingDirectory) - displayName: Publish Staging Artifacts - artifact: Staging - condition: succeededOrFailed() + # Authenticate with a service connection to be able to publish packages to external (different DevOps organization) NuGet feeds. + # See: https://docs.microsoft.com/azure/devops/pipelines/tasks/package/nuget-authenticate?view=azure-devops + # This connecction is used in the templateContext nuget outputs. + - task: NuGetAuthenticate@1 + displayName: Authenticate NuGet + inputs: + nuGetServiceConnections: azure-public/vs-impl diff --git a/eng/pipelines/templates/build-pull-request.yml b/eng/pipelines/templates/build-pull-request.yml index 14a77c1a87e..7131e1f3d0e 100644 --- a/eng/pipelines/templates/build-pull-request.yml +++ b/eng/pipelines/templates/build-pull-request.yml @@ -39,7 +39,7 @@ jobs: displayName: Authenticate NuGet # Runs the full build of the projects in the repository. See Build.proj for details. - - script: $(Build.SourcesDirectory)/build.cmd /v:normal /p:Configuration=$(BuildConfiguration) /p:CIBuild=true + - script: $(Build.SourcesDirectory)/build.cmd /v:normal /p:Configuration=$(BuildConfiguration) /p:CIBuild=true /p:Test=true displayName: Build All Projects env: # This allows NuGet to retry in situations related to "automatic retry for untrusted root failures." 
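Review bot: The step that copied `build.artifactignore` into `artifacts/$(BuildConfiguration)` is removed here, but that folder is still published by the `Publish Build Artifacts` output added to `templateContext` earlier in this file, so the build artifact may now be published unfiltered. Only the staging filter copy survives. Either keep the `Copy Build Artifact Filter` step or add a comment stating that the filter is intentionally dropped; whether the `pipelineArtifact` output honours `.artifactignore` is not visible from this page. The comment on the added `NuGetAuthenticate@1` step also has a typo and should read `# This connection is used in the templateContext nuget outputs.` The job's step list begins outside this hunk.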
@@ -81,4 +81,4 @@ jobs: - publish: $(Build.SourcesDirectory)/artifacts/$(BuildConfiguration) displayName: Publish Build Artifacts artifact: $(ArtifactName) - condition: succeededOrFailed() + condition: succeededOrFailed() \ No newline at end of file diff --git a/eng/pipelines/templates/generate-localization.yml b/eng/pipelines/templates/generate-localization.yml index abf989a3923..59e0d1109f5 100644 --- a/eng/pipelines/templates/generate-localization.yml +++ b/eng/pipelines/templates/generate-localization.yml @@ -3,13 +3,17 @@ jobs: - job: GenerateLocalization displayName: Generate Localization - timeoutInMinutes: 10 + timeoutInMinutes: 25 steps: ################################################################################################################################################################### # GENERATE LOCALIZATION ################################################################################################################################################################### + - script: + displayName: === Build Repository === + condition: false + # Use a disabled, empty script to display the section header in the pipeline UI. - script: displayName: === Generate Localization === @@ -54,7 +58,10 @@ jobs: condition: false # Publishes any associated information related to the OneLocBuild process. - - publish: $(Build.StagingDirectory)/loc + - task: 1ES.PublishPipelineArtifact@1 + inputs: + path: $(Build.StagingDirectory)/loc + artifact: OneLocBuild + publish: $(Build.StagingDirectory)/loc displayName: Publish Localization Artifacts - artifact: OneLocBuild - condition: succeededOrFailed() \ No newline at end of file + condition: succeededOrFailed() diff --git a/eng/pipelines/templates/publish-assets-and-packages.yml b/eng/pipelines/templates/publish-assets-and-packages.yml index d1ac0f91872..ad71d4d9b90 100644 --- a/eng/pipelines/templates/publish-assets-and-packages.yml +++ b/eng/pipelines/templates/publish-assets-and-packages.yml 
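Review bot: In `generate-localization.yml` the rewritten publish step declares two step types at once: `task: 1ES.PublishPipelineArtifact@1` with `inputs:`, followed by a leftover `publish: $(Build.StagingDirectory)/loc` at step level. A step should carry exactly one step keyword; the extra key is at best ignored and at worst rejected when the pipeline is validated. Delete the `publish:` line, because `path` and `artifact` under `inputs:` already carry the same values. The step's comment above it is unchanged and still accurate.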
@@ -1,20 +1,18 @@ # Licensed to the .NET Foundation under one or more agreements. The .NET Foundation licenses this file to you under the MIT license. See the LICENSE.md file in the project root for more information. - jobs: -- job: PublishAssetsAndPackages - displayName: Publish Assets and Packages - timeoutInMinutes: 10 +- job: PublishNpmPackages + displayName: Publish NPM Packages + timeoutInMinutes: 20 steps: - ################################################################################################################################################################### - # DOWNLOAD ARTIFACTS + # Download artifacts ################################################################################################################################################################### # Use a disabled, empty script to display the section header in the pipeline UI. - script: - displayName: === Download Artifacts === + displayName: === Download artifacts === condition: false - + # Download the build artifacts from the Build job. - download: current displayName: Download Build Artifacts @@ -23,7 +21,7 @@ jobs: patterns: | VSSetup/Insertion/** packages/** - + # Download the staging artifacts from the Build job. - download: current displayName: Download Staging Artifacts 
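Review bot: The job is renamed to `PublishNpmPackages` / `Publish NPM Packages`, but the later hunks of this file show it still publishing the OptProf ProfilingInputs and RunSettings drops, so the name no longer describes what runs under the job's credentials. A name such as `PublishOptProfAndNpmPackages` would match. The download step also still pulls `VSSetup/Insertion/**` and `packages/**`; if the insertion data and NuGet packages are now published only from the build job, trim those patterns so that this job fetches only what it uses. The job body continues outside this hunk.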
@@ -32,47 +30,19 @@ jobs: patterns: | MicroBuild/** OptProf/** - - ################################################################################################################################################################### - # PUBLISH INSERTION - ################################################################################################################################################################### - + # Use a disabled, empty script to display the section header in the pipeline UI. - script: - displayName: === Publish Insertion === + displayName: === Publish OptProf === condition: false - - # This creates the Products drop location and uploads the insertion data (.vsman files) for VS insertion. - # This also includes the bootstrapper files (.exe and .vsman) necessary for OptProf. - # YAML reference: https://dev.azure.com/devdiv/Engineering/_git/MicroBuild?path=/src/Tasks/UploadDrop/task.json - - task: MicroBuildUploadVstsDropFolder@2 - displayName: Publish Insertion Data - inputs: - DropFolder: $(Pipeline.Workspace)/$(Build.BuildNumber)/VSSetup/Insertion - # TODO: Consider using $(GitBuildVersion) instead of $(Build.BuildNumber) as it better correlates the build of the code to the VS insertion. - # Meaning, instead of VS Insertion -> Pipeline BuildNumber -> Code BuildVersion, it would just be VS Insertion -> Code BuildVersion. - # If this is updated, VstsDropNames set in build-official-release.yml would also need to be updated. 
- # For GitBuildVersion: https://github.com/dotnet/Nerdbank.GitVersioning/blob/main/doc/cloudbuild.md#automatically-match-cloud-build-numbers-to-to-your-git-version - # Issue: https://github.com/dotnet/project-system/issues/8431 - # Example of current path: 'Products/[DevDiv]/[dotnet/project-system]/[main]/[x.x]' - DropName: Products/$(System.TeamProject)/$(Build.Repository.Name)/$(Build.SourceBranchName)/$(Build.BuildNumber) - DropRetentionDays: 60 - # When this isn't provided, the tool sets the --AadAuth flag instead of using --PatAuthEnvVar. The AadAuth doesn't seem to work for this situation. - AccessToken: $(System.AccessToken) - + ################################################################################################################################################################### - # PUBLISH OPTPROF - # The published OptProf metadata is consumed by the Optimization pipeline that profiles the assemblies to create the optimization data. + # PUBLISH OptProf ################################################################################################################################################################### - - # Use a disabled, empty script to display the section header in the pipeline UI. - - script: - displayName: === Publish OptProf === - condition: false - + # This is required to deploy the tests to devdiv.artifacts.visualstudio.com for the 'Deploy tests' step in the release pipeline. # https://eng.ms/docs/cloud-ai-platform/developer-services/one-engineering-system-1es/1es-docs/azure-artifacts/drop-service/using-azure-devops-drop-in-devops-build - - task: artifactDropTask@1 + - task: 1ES.PublishArtifactsDrop@1 displayName: Publish ProfilingInputs inputs: dropServiceURI: https://devdiv.artifacts.visualstudio.com 
@@ -83,24 +53,24 @@ jobs: # detailedLog: true # This task uploads the drop metadata to the pipeline artifacts using this name. There does not seem to be an option of not uploading this metadata. dropMetadataContainerName: OptProf-ProfilingInputs - + # The current artifactDropTask seems to try making the DropMetadata folder every time it runs. After running this artifactDropTask for ProfilingInputs, we need to delete the folder so the artifactDropTask for RunSettings succeeds. # Otherwise, the error is shown as follows: # ##[warning]Can't find loc string for key: FailedToRunClientTool # ##[error]FailedToRunClientTool EEXIST: file already exists, mkdir 'D:\a\_work\1\a\DropMetadata' - powershell: Remove-Item -Path '$(Build.StagingDirectory)/DropMetadata/' -Recurse -Force displayName: Delete DropMetadata Folder - + # Using the VS bootstrapper data, update the runsettings with the appropriate information for this build. - powershell: . '$(Build.SourcesDirectory)/eng/scripts/UpdateRunSettings.ps1' -profilingInputsPath 'ProfilingInputs/$(System.TeamProject)/$(Build.Repository.Name)/$(Build.SourceBranchName)/$(Build.BuildId)' -bootstrapperInfoPath '$(Pipeline.Workspace)/Staging/MicroBuild/Output/BootstrapperInfo.json' displayName: Update RunSettings failOnStderr: true # Name is required to reference the variables created within this build step in other stages. name: UpdateRunSettings - + # The runsettings drives the test process for producing optimization data. # https://eng.ms/docs/cloud-ai-platform/developer-services/one-engineering-system-1es/1es-docs/azure-artifacts/drop-service/using-azure-devops-drop-in-devops-build - - task: artifactDropTask@1 + - task: 1ES.PublishArtifactsDrop@1 displayName: Publish RunSettings inputs: dropServiceURI: https://devdiv.artifacts.visualstudio.com 
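Review bot: The comment above the `Delete DropMetadata Folder` step still refers to `artifactDropTask`, while both drop steps in this file now use `1ES.PublishArtifactsDrop@1`. Whether the replacement task still fails with `EEXIST` on the `DropMetadata` folder is not shown, so the workaround should be re-verified rather than assumed. Update the wording to name the task actually in use, e.g. `# 1ES.PublishArtifactsDrop (formerly artifactDropTask) appears to create the DropMetadata folder on every run; delete it after the ProfilingInputs drop so the RunSettings drop succeeds.`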
@@ -111,28 +81,11 @@ jobs: # detailedLog: true # This task uploads the drop metadata to the pipeline artifacts using this name. There does not seem to be an option of not uploading this metadata. dropMetadataContainerName: OptProf-RunSettings - + ################################################################################################################################################################### - # PUBLISH PACKAGES + # PUBLISH NPM Packages ################################################################################################################################################################### - # Use a disabled, empty script to display the section header in the pipeline UI. - - script: - displayName: === Publish Packages === - condition: false - - # Downloads NuGet and adds it to the PATH. - # See: https://docs.microsoft.com/azure/devops/pipelines/tasks/tool/nuget?view=azure-devops - - task: NuGetToolInstaller@1 - displayName: Install NuGet - - # Authenticate with a service connection to be able to publish packages to external (different DevOps organization) NuGet feeds. - # See: https://docs.microsoft.com/azure/devops/pipelines/tasks/package/nuget-authenticate?view=azure-devops - - task: NuGetAuthenticate@1 - displayName: Authenticate NuGet - inputs: - nuGetServiceConnections: azure-public/vs-impl - # Authenticates the .npmrc file for publishing to the internal AzDO feed. # See: https://learn.microsoft.com/azure/devops/pipelines/tasks/package/npm-authenticate?view=azure-devops - task: npmAuthenticate@0 
@@ -140,43 +93,6 @@ jobs: inputs: workingFile: $(Build.SourcesDirectory)/src/Microsoft.VisualStudio.ProjectSystem.Managed/.npmrc - # Publishes the NuGet packages to azure-public/vs-impl (https://dev.azure.com/azure-public/vside/_packaging?_a=feed&feed=vs-impl) - - task: NuGetCommand@2 - displayName: Publish Packages to azure-public - inputs: - command: push - packagesToPush: $(Pipeline.Workspace)/$(Build.BuildNumber)/packages/*.nupkg - nuGetFeedType: external - publishFeedCredentials: azure-public/vs-impl - # This allows the task to succeed if duplicate packages exist. Packages cannot be overridden in a feed. - # See: https://docs.microsoft.com/azure/devops/pipelines/tasks/package/nuget?view=azure-devops#arguments - allowPackageConflicts: true - - # Publishes the NuGet packages to DevDiv/VS (https://dev.azure.com/DevDiv/DevDiv/_artifacts/feed/VS) - # A separate process will republish these packages to DevDiv/VS-CoreXtFeeds (https://dev.azure.com/DevDiv/DevDiv/_artifacts/feed/VS-CoreXtFeeds) - - task: NuGetCommand@2 - displayName: Publish Packages to DevDiv - inputs: - command: push - packagesToPush: $(Pipeline.Workspace)/$(Build.BuildNumber)/packages/*.nupkg - # Feed Endpoint: https://devdiv.pkgs.visualstudio.com/_packaging/VS/nuget/v3/index.json - # Requires VssFeedId despite documentation here: https://docs.microsoft.com/azure/devops/pipelines/artifacts/nuget?view=azure-devops&tabs=yaml#publish-a-package - publishVstsFeed: 97a41293-2972-4f48-8c0e-05493ae82010 - # This allows the task to succeed if duplicate packages exist. Packages cannot be overridden in a feed. 
- # See: https://docs.microsoft.com/azure/devops/pipelines/tasks/package/nuget?view=azure-devops#arguments - allowPackageConflicts: true - - # Publishes the Managed NuGet package to DevDiv/vs-green (https://dev.azure.com/devdiv/DevDiv/_artifacts/feed/vs-green) - - task: NuGetCommand@2 - displayName: Publish NuGet Package - inputs: - command: push - packagesToPush: $(Pipeline.Workspace)/$(Build.BuildNumber)/packages/Microsoft.VisualStudio.ProjectSystem.Managed.*.nupkg;!$(Pipeline.Workspace)/$(Build.BuildNumber)/packages/Microsoft.VisualStudio.ProjectSystem.Managed.VS.*.nupkg - publishVstsFeed: DevDiv/vs-green - # This allows the task to succeed if duplicate packages exist. Packages cannot be overridden in a feed. - # See: https://docs.microsoft.com/azure/devops/pipelines/tasks/package/nuget?view=azure-devops#arguments - allowPackageConflicts: true - # Publishes the NPM package to the internal AzDO feed. # Feed: https://dev.azure.com/devdiv/DevDiv/_artifacts/feed/vs-green/Npm/@microsoft%2Fmicrosoft.visualstudio.projectsystem.managed/ # See: https://docs.npmjs.com/cli/v8/commands/npm-publish