# Package build pipeline for SkiaSharp.
# No CI or PR triggers: the pipeline runs only on the nightly schedule below,
# on a manual queue, or when the SkiaSharp-Native pipeline resource completes
# (see `resources.pipelines`).
trigger: none
pr: none
schedules:
  - cron: "0 0 * * *"
    displayName: Daily midnight build for main
    branches:
      include:
        - main
    # Run the nightly build even when main has no new commits since the last
    # scheduled run; the API scan stage below keys off Build.Reason == Schedule.
    always: true
# Queue-time parameters. The four agent objects are passed through unchanged
# to the 1ES template (`pool`) and to the in-repo stages template, so each
# `pool` mapping must be valid for both consumers.
parameters:
  # Host agent: also used as the 1ES `pool` and as the APIScan Windows pool.
  - name: buildAgentHost
    displayName: 'The generic host build agent configuration:'
    type: object
    default:
      pool:
        name: Maui-1ESPT
        image: 1ESPT-Windows2022
        os: windows
  - name: buildAgentWindows
    displayName: 'The Windows build agent configuration:'
    type: object
    default:
      pool:
        name: Maui-1ESPT
        image: 1ESPT-Windows2022
        os: windows
  # macOS is the only agent on the Microsoft-hosted `Azure Pipelines` pool
  # (`vmImage`) instead of the 1ESPT managed pool (`image`); the other three
  # run on 1ESPT. Keep this in mind when auditing which jobs run on
  # governed vs. hosted infrastructure.
  - name: buildAgentMac
    displayName: 'The macOS build agent configuration:'
    type: object
    default:
      pool:
        name: Azure Pipelines
        vmImage: macos-15
        os: macos
  - name: buildAgentLinux
    displayName: 'The Linux build agent configuration:'
    type: object
    default:
      pool:
        name: Maui-1ESPT
        image: 1ESPT-Ubuntu22.04
        os: linux
  # Off by default; scheduled runs of main/release/* enable the API scan
  # stage regardless of this flag (see the `${{ if ... }}` under `stages`).
  - name: runApiScan
    displayName: 'Run API Scan'
    type: boolean
    default: false
  # Forwarded to the stages template; real signing is otherwise gated on the
  # devdiv project / non-fork condition under `stages`.
  - name: forceRealSigning
    displayName: 'Ignore all logic and force Real signing on binaries'
    type: boolean
    default: false
# Shared pipeline variables come from the in-repo template. The API scan
# stage below reads $(SKIASHARP_MAJOR_VERSION); presumably it is defined in
# this template — confirm.
variables:
  - template: /scripts/azure-templates-variables.yml@self
resources:
  repositories:
    # External template repo for the APIScan stage. `ref` points at a moving
    # branch, so template changes land here without a version bump; pin to a
    # tag or commit if the template owners publish one.
    - repository: yaml-templates
      type: git
      name: DevDiv/Xamarin.yaml-templates
      ref: refs/heads/main
    # 1ES official template. No `ref` is given, so the repository's default
    # branch is presumably used — confirm with the 1ES template guidance.
    - repository: 1ESTemplates
      type: git
      name: 1ESPipelineTemplates/MicroBuildTemplate
  pipelines:
    # Completion of the SkiaSharp-Native pipeline queues this package build.
    - pipeline: SkiaSharp
      source: SkiaSharp-Native
      trigger: true
# Whole pipeline runs under the 1ES official (MicroBuild) template, which
# injects the SDL tooling configured under `sdl` around our stages.
extends:
  template: azure-pipelines/MicroBuild.1ES.Official.yml@1ESTemplates
  parameters:
    pool: ${{ parameters.buildAgentHost.pool }}
    customBuildTags:
      - ES365AIMigrationTooling
    sdl:
      # The external template repo is not scanned as part of this build.
      sourceRepositoriesToScan:
        exclude:
          - repository: yaml-templates
      # BinSkim runs but `break: false` means its findings are reported
      # without failing the build — reviewers must check the SDL results
      # rather than relying on the build status. Confirm the `break` semantics
      # against the 1ES template docs before tightening this.
      binskim:
        enabled: true
        break: false
      codeInspector:
        enabled: true
      # CredScan runs with no suppressions file in effect (the line below is
      # commented out), so every credential-like hit is surfaced.
      credscan:
        enabled: true
        # suppressionsFile: $(Build.SourcesDirectory)/scripts/guardian/CredScanSuppressions.json
      policheck:
        enabled: true
        exclusionsFile: $(Build.SourcesDirectory)/scripts/guardian/PoliCheckExclusions.xml
      # Disabled here; presumably not applicable to this repo — confirm.
      spotBugs:
        enabled: false
      # Guardian suppressions shared with the APIScan stage below.
      suppression:
        suppressionFile: $(Build.SourcesDirectory)/scripts/guardian/source.gdnsuppress
      # Findings are uploaded to TSA using the checked-in options file.
      tsa:
        enabled: true
        configFile: $(Build.SourcesDirectory)/scripts/guardian/tsaoptions-v2.json
    stages:
      - template: /scripts/azure-templates-stages.yml@self
        parameters:
          buildPipelineType: 'package'
          # Signing is enabled only inside the devdiv project and never for
          # fork builds, so untrusted PR code cannot reach the signing path.
          ${{ if and(eq(variables['System.TeamProject'], 'devdiv'), ne(variables['System.PullRequest.IsFork'], 'true')) }}:
            enableSigning: true
          # NOTE(review): original indentation was lost in this copy; this key
          # is placed outside the conditional above — confirm against the
          # repository file.
          forceRealSigning: ${{ parameters.forceRealSigning }}
          use1ESPipelineTemplates: true
          buildAgentHost: ${{ parameters.buildAgentHost }}
          buildAgentWindows: ${{ parameters.buildAgentWindows }}
          buildAgentMac: ${{ parameters.buildAgentMac }}
          buildAgentLinux: ${{ parameters.buildAgentLinux }}
      # APIScan stage: inserted when requested explicitly, or on scheduled
      # builds of main and release/* branches.
      - ${{ if or(eq(parameters.runApiScan, 'true'), and(eq(variables['Build.Reason'], 'Schedule'), or(eq(variables['Build.SourceBranch'], 'refs/heads/main'), startsWith(variables['Build.SourceBranch'], 'refs/heads/release/')))) }}:
        - template: security/apiscan/v0.yml@yaml-templates
          parameters:
            windowsPoolName: ${{ parameters.buildAgentHost.pool.name }}
            windowsImageOverride: ${{ parameters.buildAgentHost.pool.image }}
            timeoutInMinutes: 480
            # Runs after the `package` stage defined in the stages template.
            stageDependsOn:
              - package
            scanArtifacts:
              - nuget
              - nuget_symbols
              - native_msvc
            sourceGdnSuppressionFile: $(Build.SourcesDirectory)/scripts/guardian/source.gdnsuppress
            tsaConfigFile: $(Build.SourcesDirectory)/scripts/guardian/tsaoptions-v2.json
            tsaUploadEnabled: true
            apiScanSoftwareName: 'SkiaSharp'
            apiScanSoftwareVersionNum: $(SKIASHARP_MAJOR_VERSION)
            apiScanPreserveLogsFolder: true
            # The app id comes from the $(ApiScanClientId) pipeline variable;
            # keep it a variable, never a literal in this file.
            apiScanAuthConnectionString: 'runAs=App;AppId=$(ApiScanClientId)'
            apiScanSurrogateConfigurationFolder: $(Build.ArtifactStagingDirectory)\APIScanSurrogates
            preScanSteps:
              # Render the checked-in surrogate template: the {SOFTWARE_FOLDER}
              # placeholder is replaced with the binaries-to-scan folder and the
              # result written to the surrogate configuration folder above.
              - pwsh: |
                  $softwareFolder = "$(Build.ArtifactStagingDirectory)\binaries-to-scan"
                  $surrogateFile = "$(Build.SourcesDirectory)\scripts\guardian\APIScanSurrogates.in.xml"
                  $destFolder = "$(Build.ArtifactStagingDirectory)\APIScanSurrogates"
                  $destFile = "$destFolder\APIScanSurrogates.xml"
                  New-Item -ItemType Directory -Force -Path $destFolder | Out-Null
                  $surrogateContents = (Get-Content $surrogateFile)
                  $surrogateContents = $surrogateContents.Replace("{SOFTWARE_FOLDER}", $softwareFolder)
                  $surrogateContents | Set-Content $destFile
                displayName: Generate the surrogate files
              # Unpack every .nupkg/.snupkg so the scanner sees the contained
              # binaries; the original packages are removed afterwards.
              - pwsh: |
                  ./scripts/extract-nupkg-files.ps1 `
                    -SourcePath "$(Build.ArtifactStagingDirectory)\binaries-to-scan\*\*.*nupkg" `
                    -DestinationPath "$(Build.ArtifactStagingDirectory)\binaries-to-scan\nuget_symbols-extracted" `
                    -RemoveOriginal
                displayName: Extract all the .nupkg files