
security: applies pipeline type requirements #5819

Merged
merged 2 commits into from
Nov 22, 2024
147 changes: 76 additions & 71 deletions .azure-pipelines/ci-build.yml
Expand Up @@ -206,12 +206,12 @@ extends:
- task: EsrpCodeSigning@5
displayName: "ESRP CodeSigning"
inputs:
ConnectedServiceName: 'Federated DevX ESRP Managed Identity Connection'
AppRegistrationClientId: '65035b7f-7357-4f29-bf25-c5ee5c3949f8'
AppRegistrationTenantId: 'cdc5aeea-15c5-4db6-b079-fcadd2505dc2'
AuthAKVName: 'akv-prod-eastus'
AuthCertName: 'ReferenceLibraryPrivateCert'
AuthSignCertName: 'ReferencePackagePublisherCertificate'
ConnectedServiceName: "Federated DevX ESRP Managed Identity Connection"
AppRegistrationClientId: "65035b7f-7357-4f29-bf25-c5ee5c3949f8"
AppRegistrationTenantId: "cdc5aeea-15c5-4db6-b079-fcadd2505dc2"
AuthAKVName: "akv-prod-eastus"
AuthCertName: "ReferenceLibraryPrivateCert"
AuthSignCertName: "ReferencePackagePublisherCertificate"
FolderPath: '$(Build.SourcesDirectory)\src'
signConfigType: inlineSignParams
UseMinimatch: true
Expand Down Expand Up @@ -281,12 +281,12 @@ extends:
- task: EsrpCodeSigning@5
displayName: "ESRP CodeSigning Nuget Packages"
inputs:
ConnectedServiceName: 'Federated DevX ESRP Managed Identity Connection'
AppRegistrationClientId: '65035b7f-7357-4f29-bf25-c5ee5c3949f8'
AppRegistrationTenantId: 'cdc5aeea-15c5-4db6-b079-fcadd2505dc2'
AuthAKVName: 'akv-prod-eastus'
AuthCertName: 'ReferenceLibraryPrivateCert'
AuthSignCertName: 'ReferencePackagePublisherCertificate'
ConnectedServiceName: "Federated DevX ESRP Managed Identity Connection"
AppRegistrationClientId: "65035b7f-7357-4f29-bf25-c5ee5c3949f8"
AppRegistrationTenantId: "cdc5aeea-15c5-4db6-b079-fcadd2505dc2"
AuthAKVName: "akv-prod-eastus"
AuthCertName: "ReferenceLibraryPrivateCert"
AuthSignCertName: "ReferencePackagePublisherCertificate"
FolderPath: "$(Build.ArtifactStagingDirectory)"
UseMinimatch: true
Pattern: "*.nupkg"
Expand Down Expand Up @@ -401,12 +401,12 @@ extends:
- task: EsrpCodeSigning@5
condition: and(succeeded(), startsWith('${{ distribution.architecture }}', 'win'))
inputs:
ConnectedServiceName: 'Federated DevX ESRP Managed Identity Connection'
AppRegistrationClientId: '65035b7f-7357-4f29-bf25-c5ee5c3949f8'
AppRegistrationTenantId: 'cdc5aeea-15c5-4db6-b079-fcadd2505dc2'
AuthAKVName: 'akv-prod-eastus'
AuthCertName: 'ReferenceLibraryPrivateCert'
AuthSignCertName: 'ReferencePackagePublisherCertificate'
ConnectedServiceName: "Federated DevX ESRP Managed Identity Connection"
AppRegistrationClientId: "65035b7f-7357-4f29-bf25-c5ee5c3949f8"
AppRegistrationTenantId: "cdc5aeea-15c5-4db6-b079-fcadd2505dc2"
AuthAKVName: "akv-prod-eastus"
AuthCertName: "ReferenceLibraryPrivateCert"
AuthSignCertName: "ReferencePackagePublisherCertificate"
FolderPath: $(Build.ArtifactStagingDirectory)/binaries/${{ distribution.architecture }}
signConfigType: inlineSignParams
UseMinimatch: true
Expand Down Expand Up @@ -469,12 +469,12 @@ extends:
timeoutInMinutes: 15
retryCountOnTaskFailure: 4
inputs:
ConnectedServiceName: 'Federated DevX ESRP Managed Identity Connection'
AppRegistrationClientId: '65035b7f-7357-4f29-bf25-c5ee5c3949f8'
AppRegistrationTenantId: 'cdc5aeea-15c5-4db6-b079-fcadd2505dc2'
AuthAKVName: 'akv-prod-eastus'
AuthCertName: 'ReferenceLibraryPrivateCert'
AuthSignCertName: 'ReferencePackagePublisherCertificate'
ConnectedServiceName: "Federated DevX ESRP Managed Identity Connection"
AppRegistrationClientId: "65035b7f-7357-4f29-bf25-c5ee5c3949f8"
AppRegistrationTenantId: "cdc5aeea-15c5-4db6-b079-fcadd2505dc2"
AuthAKVName: "akv-prod-eastus"
AuthCertName: "ReferenceLibraryPrivateCert"
AuthSignCertName: "ReferencePackagePublisherCertificate"
FolderPath: $(Build.ArtifactStagingDirectory)/binaries
signConfigType: inlineSignParams
UseMinimatch: true
Expand All @@ -501,12 +501,12 @@ extends:
timeoutInMinutes: 15
retryCountOnTaskFailure: 4
inputs:
ConnectedServiceName: 'Federated DevX ESRP Managed Identity Connection'
AppRegistrationClientId: '65035b7f-7357-4f29-bf25-c5ee5c3949f8'
AppRegistrationTenantId: 'cdc5aeea-15c5-4db6-b079-fcadd2505dc2'
AuthAKVName: 'akv-prod-eastus'
AuthCertName: 'ReferenceLibraryPrivateCert'
AuthSignCertName: 'ReferencePackagePublisherCertificate'
ConnectedServiceName: "Federated DevX ESRP Managed Identity Connection"
AppRegistrationClientId: "65035b7f-7357-4f29-bf25-c5ee5c3949f8"
AppRegistrationTenantId: "cdc5aeea-15c5-4db6-b079-fcadd2505dc2"
AuthAKVName: "akv-prod-eastus"
AuthCertName: "ReferenceLibraryPrivateCert"
AuthSignCertName: "ReferencePackagePublisherCertificate"
FolderPath: $(Build.ArtifactStagingDirectory)/binaries
signConfigType: inlineSignParams
UseMinimatch: true
Expand Down Expand Up @@ -562,12 +562,12 @@ extends:
inputs:
versionSpec: "18.x"
- ${{ each distribution in parameters.distributions }}:
- task: DownloadPipelineArtifact@2
displayName: Download ${{ distribution.jobPrefix }} binaries from artifacts
inputs:
artifact: Binaries_${{ distribution.jobPrefix }}
source: current
targetPath: $(Build.ArtifactStagingDirectory)/Binaries
- task: DownloadPipelineArtifact@2
displayName: Download ${{ distribution.jobPrefix }} binaries from artifacts
inputs:
artifact: Binaries_${{ distribution.jobPrefix }}
source: current
targetPath: $(Build.ArtifactStagingDirectory)/Binaries
- pwsh: $(Build.SourcesDirectory)/scripts/get-prerelease-version.ps1 -currentBranch $(Build.SourceBranch) -previewBranch ${{ parameters.previewBranch }}
displayName: "Set version suffix"
- pwsh: $(Build.SourcesDirectory)/scripts/get-version-from-csproj.ps1
Expand Down Expand Up @@ -599,19 +599,19 @@ extends:
workingDirectory: $(Build.SourcesDirectory)/vscode/microsoft-kiota
name: getExtensionFileName
- script: vsce generate-manifest -i $(getExtensionFileName.extensionFileName).vsix -o $(getExtensionFileName.extensionFileName).manifest
displayName: 'Generate extension manifest'
displayName: "Generate extension manifest"
workingDirectory: $(Build.SourcesDirectory)/vscode/microsoft-kiota
- script: cp $(getExtensionFileName.extensionFileName).manifest $(getExtensionFileName.extensionFileName).signature.p7s
displayName: 'Prepare manifest for signing'
displayName: "Prepare manifest for signing"
workingDirectory: $(Build.SourcesDirectory)/vscode/microsoft-kiota
- task: EsrpCodeSigning@5
inputs:
ConnectedServiceName: 'Federated DevX ESRP Managed Identity Connection'
AppRegistrationClientId: '65035b7f-7357-4f29-bf25-c5ee5c3949f8'
AppRegistrationTenantId: 'cdc5aeea-15c5-4db6-b079-fcadd2505dc2'
AuthAKVName: 'akv-prod-eastus'
AuthCertName: 'ReferenceLibraryPrivateCert'
AuthSignCertName: 'ReferencePackagePublisherCertificate'
ConnectedServiceName: "Federated DevX ESRP Managed Identity Connection"
AppRegistrationClientId: "65035b7f-7357-4f29-bf25-c5ee5c3949f8"
AppRegistrationTenantId: "cdc5aeea-15c5-4db6-b079-fcadd2505dc2"
AuthAKVName: "akv-prod-eastus"
AuthCertName: "ReferenceLibraryPrivateCert"
AuthSignCertName: "ReferencePackagePublisherCertificate"
FolderPath: $(Build.SourcesDirectory)/vscode/microsoft-kiota
UseMinimatch: true
Pattern: '**\*.signature.p7s'
Expand All @@ -630,7 +630,7 @@ extends:
MaxConcurrency: 25
MaxRetryAttempts: 5
PendingAnalysisWaitTimeoutMinutes: 5
displayName: 'Sign extension'
displayName: "Sign extension"
- task: CopyFiles@2
displayName: Prepare staging folder for upload
inputs:
Expand Down Expand Up @@ -682,7 +682,7 @@ extends:
inputs:
azureSubscription: "kiota-vscode-marketplace-publish"
scriptType: "pscore"
scriptLocation: 'inlineScript'
scriptLocation: "inlineScript"
inlineScript: |
$aadToken = az account get-access-token --query accessToken --resource 499b84ac-1321-427f-aa17-267ca6975798 -o tsv
Get-ChildItem -Path $(Pipeline.Workspace) -Filter *.vsix -Recurse | ForEach-Object {
Expand All @@ -707,6 +707,15 @@ extends:
os: linux
image: ubuntu-latest
templateContext:
type: releaseJob
isProduction: true
inputs:
- input: pipelineArtifact
artifactName: VSCode
targetPath: "$(Pipeline.Workspace)"
- input: pipelineArtifact
artifactName: Nugets
targetPath: "$(Pipeline.Workspace)"
sdl:
baseline:
baselineFile: $(Build.SourcesDirectory)/guardian/SDL/common/.gdnbaselines
Expand All @@ -723,19 +732,11 @@ extends:
clean: true
submodules: true
- ${{ each distribution in parameters.distributions }}:
- task: DownloadPipelineArtifact@2
displayName: Download ${{ distribution.jobPrefix }} binaries from artifacts
inputs:
artifact: Binaries_${{ distribution.jobPrefix }}
source: current
- task: DownloadPipelineArtifact@2
inputs:
artifact: VSCode
source: current
- task: DownloadPipelineArtifact@2
inputs:
artifact: Nugets
source: current
- task: DownloadPipelineArtifact@2
displayName: Download ${{ distribution.jobPrefix }} binaries from artifacts
inputs:
artifact: Binaries_${{ distribution.jobPrefix }}
source: current
- pwsh: $(Build.SourcesDirectory)/scripts/get-prerelease-version.ps1 -currentBranch $(Build.SourceBranch) -previewBranch ${{ parameters.previewBranch }}
displayName: "Set version suffix"
- pwsh: $(Build.SourcesDirectory)/scripts/get-version-from-csproj.ps1
Expand Down Expand Up @@ -779,6 +780,13 @@ extends:
isPreRelease: true

- deployment: deploy_kiota
templateContext:
type: releaseJob
isProduction: true
inputs:
- input: pipelineArtifact
artifactName: Nugets
targetPath: "$(Pipeline.Workspace)"
pool:
name: Azure-Pipelines-1ESPT-ExDShared
os: linux
Expand All @@ -790,23 +798,25 @@ extends:
deploy:
steps:
- download: none
- task: DownloadPipelineArtifact@2
displayName: Download nupkg from artifacts
inputs:
artifact: Nugets
source: current
- powershell: |
Remove-Item "$(Pipeline.Workspace)/Microsoft.OpenApi.Kiota.Builder.*.nupkg" -Verbose
displayName: remove other nupkgs to avoid duplication
- task: 1ES.PublishNuget@1
displayName: "NuGet push"
inputs:
packagesToPush: "$(Pipeline.Workspace)/Microsoft.OpenApi.Kiota.*.nupkg"
packageParentPath: '$(Pipeline.Workspace)'
packageParentPath: "$(Pipeline.Workspace)"
nuGetFeedType: external
publishFeedCredentials: "OpenAPI Nuget Connection"

- deployment: deploy_builder
templateContext:
type: releaseJob
isProduction: true
inputs:
- input: pipelineArtifact
artifactName: Nugets
targetPath: "$(Pipeline.Workspace)"
pool:
name: Azure-Pipelines-1ESPT-ExDShared
os: linux
Expand All @@ -818,18 +828,13 @@ extends:
deploy:
steps:
- download: none
- task: DownloadPipelineArtifact@2
displayName: Download nupkg from artifacts
inputs:
artifact: Nugets
source: current
- powershell: |
Remove-Item "$(Pipeline.Workspace)/Microsoft.OpenApi.Kiota.*.nupkg" -Verbose -Exclude "*.Builder.*"
displayName: remove other nupkgs to avoid duplication
- task: 1ES.PublishNuget@1
displayName: "NuGet push"
inputs:
packagesToPush: "$(Pipeline.Workspace)/Microsoft.OpenApi.Kiota.Builder.*.nupkg"
packageParentPath: '$(Pipeline.Workspace)'
packageParentPath: "$(Pipeline.Workspace)"
nuGetFeedType: external
publishFeedCredentials: "OpenAPI Nuget Connection"
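Review bot: The release job in the hunk at `-723,19 +732,11` still fetches the per-distribution `Binaries_*` artifacts through a `DownloadPipelineArtifact@2` task inside the `${{ each distribution in parameters.distributions }}` loop, while the VSCode and Nugets downloads in the same job were moved into `templateContext.inputs`; if the `releaseJob` type only admits artifacts declared through `templateContext.inputs` (the deploy_kiota and deploy_builder hunks suggest that is the model being applied), this loop is the one remaining task-based download in a job marked `isProduction: true` and would presumably fail template validation. The same `${{ each }}` expression can generate the inputs, with the targetPath kept consistent with the two inputs already declared, as sketched below; the loop under `steps:` would then be dropped. The enclosing job begins before the hunk and its steps continue after it. Separately, the ESRP identity values (AppRegistrationClientId, AppRegistrationTenantId, AuthAKVName and both cert names) are now repeated verbatim in six `EsrpCodeSigning@5` tasks; hoisting them into one variable group or template parameter block would keep the signing identity in a single reviewable place.
```yaml
templateContext:
  type: releaseJob
  isProduction: true
  inputs:
    - ${{ each distribution in parameters.distributions }}:
        - input: pipelineArtifact
          artifactName: Binaries_${{ distribution.jobPrefix }}
          targetPath: "$(Pipeline.Workspace)"
    - input: pipelineArtifact
      artifactName: VSCode
      targetPath: "$(Pipeline.Workspace)"
    # … unchanged: Nugets input, sdl block …
# … unchanged: pool, steps up to the checkout …
# (the `${{ each }}` DownloadPipelineArtifact@2 loop under steps is removed)
```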
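--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -51,5 +51,6 @@
 "java.configuration.updateBuildConfiguration": "automatic",
 "dotnet-test-explorer.testProjectPath": "tests/**/*.Tests.csproj",
 "editor.formatOnSave": true,
-"dotnet.defaultSolution": "kiota.sln"
+"dotnet.defaultSolution": "kiota.sln",
+"azure-pipelines.1ESPipelineTemplatesSchemaFile": true
 }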