diff --git a/.azure-pipelines/ci-build.yml b/.azure-pipelines/ci-build.yml index 1187d61f..f8eb329f 100644 --- a/.azure-pipelines/ci-build.yml +++ b/.azure-pipelines/ci-build.yml @@ -4,265 +4,271 @@ name: $(BuildDefinitionName)_$(SourceBranchName)_$(Date:yyyyMMdd)$(Rev:.r) trigger: - branches: - include: - - main + branches: + include: + - main pr: none pool: - name: Azure Pipelines - vmImage: windows-latest + name: Azure Pipelines + vmImage: windows-latest variables: - buildPlatform: "Any CPU" - buildConfiguration: "Release" - ProductBinPath: '$(Build.SourcesDirectory)\src\Microsoft.Graph.Cli.Core\bin\$(BuildConfiguration)' - ProjectFile: "$(Build.SourcesDirectory)/src/Microsoft.Graph.Cli.Core/Microsoft.Graph.Cli.Core.csproj" - PublicKey: 0024000004800000940000000602000000240000525341310004000001000100b5fc90e7027f67871e773a8fde8938c81dd402ba65b9201d60593e96c492651e889cc13f1415ebb53fac1131ae0bd333c5ee6021672d9718ea31a8aebd0da0072f25d87dba6fc90ffd598ed4da35e44c398c454307e8e33b8426143daec9f596836f97c8f74750e5975c64e2189f45def46b2a2b1247adc3652bf5c308055da9 + buildPlatform: "Any CPU" + buildConfiguration: "Release" + ProductBinPath: '$(Build.SourcesDirectory)\src\Microsoft.Graph.Cli.Core\bin\$(BuildConfiguration)' + ProjectFile: "$(Build.SourcesDirectory)/src/Microsoft.Graph.Cli.Core/Microsoft.Graph.Cli.Core.csproj" + PublicKey: 0024000004800000940000000602000000240000525341310004000001000100b5fc90e7027f67871e773a8fde8938c81dd402ba65b9201d60593e96c492651e889cc13f1415ebb53fac1131ae0bd333c5ee6021672d9718ea31a8aebd0da0072f25d87dba6fc90ffd598ed4da35e44c398c454307e8e33b8426143daec9f596836f97c8f74750e5975c64e2189f45def46b2a2b1247adc3652bf5c308055da9 stages: - - stage: build - jobs: - - job: build - steps: - - checkout: self - submodules: true + - stage: build + jobs: + - job: build + steps: + - checkout: self + submodules: true - - task: UseDotNet@2 - displayName: "Use .NET 7" - inputs: - version: 7.x + - task: UseDotNet@2 + displayName: "Use .NET 7" + inputs: + version: 7.x - - task: PoliCheck@1 - displayName: 'Run PoliCheck "/src"' - inputs: - inputType: CmdLine - cmdLineArgs: '/F:$(Build.SourcesDirectory)/src /T:9 /Sev:"1|2" /PE:2 /O:poli_result_src.xml' + - task: PoliCheck@2 + displayName: 'Run PoliCheck "/src"' + enabled: true + inputs: + termTypeT: 0001aCustom + termTypeTCustom: 9 + targetArgument: $(Build.SourcesDirectory)/src + optionsUEPATH: $(System.DefaultWorkingDirectory)/.azure-pipelines/config/PoliCheckExclusions.xml + optionsSEV: "1|2" + optionsPE: 2 + result: poli_result_src.xml - # Install the nuget tool. - - task: NuGetToolInstaller@1 - displayName: "Install Nuget dependency manager" - inputs: - versionSpec: ">=5.2.0" - checkLatest: true + # Install the nuget tool. + - task: NuGetToolInstaller@1 + displayName: "Install Nuget dependency manager" + inputs: + versionSpec: ">=5.2.0" + checkLatest: true - # Build the Product project - - task: DotNetCoreCLI@2 - displayName: "Build Microsoft.Graph.Cli.Core" - inputs: - projects: '$(Build.SourcesDirectory)\msgraph-cli-core.sln' - arguments: "--configuration $(BuildConfiguration) --no-incremental -p:DelaySign=true -p:SignAssembly=true -p:PublicKey=$(PublicKey)" + # Build the Product project + - task: DotNetCoreCLI@2 + displayName: "Build Microsoft.Graph.Cli.Core" + inputs: + projects: '$(Build.SourcesDirectory)\msgraph-cli-core.sln' + arguments: "--configuration $(BuildConfiguration) --no-incremental -p:DelaySign=true -p:SignAssembly=true -p:PublicKey=$(PublicKey)" - # Run the Unit test - - task: DotNetCoreCLI@2 - displayName: "Test Microsoft.Graph.Cli.Core" - inputs: - command: test - projects: '$(Build.SourcesDirectory)\msgraph-cli-core.sln' - arguments: "--configuration $(BuildConfiguration) --no-build" + # Run the Unit test + - task: DotNetCoreCLI@2 + displayName: "Test Microsoft.Graph.Cli.Core" + inputs: + command: test + projects: '$(Build.SourcesDirectory)\msgraph-cli-core.sln' + arguments: "--configuration $(BuildConfiguration) --no-build" - # CredScan - - task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@2 - displayName: "Run CredScan - Src" - inputs: - toolMajorVersion: "V2" - scanFolder: "$(Build.SourcesDirectory)" - debugMode: false + # CredScan + - task: CredScan@3 + displayName: "Run CredScan - Src" + inputs: + scanFolder: "$(Build.SourcesDirectory)" + suppressionsFile: $(System.DefaultWorkingDirectory)/.azure-pipelines/config/CredScanSuppressions.json + debugMode: false - - task: AntiMalware@3 - displayName: "Run MpCmdRun.exe - ProductBinPath" - inputs: - FileDirPath: "$(ProductBinPath)" - enabled: false + - task: AntiMalware@3 + displayName: "Run MpCmdRun.exe - ProductBinPath" + inputs: + FileDirPath: "$(ProductBinPath)" + enabled: false - - task: BinSkim@4 - displayName: "Run BinSkim - Product Binaries" - inputs: - InputType: Basic - AnalyzeTargetGlob: '$(ProductBinPath)\**\*.dll' - AnalyzeSymPath: "$(ProductBinPath)" - AnalyzeVerbose: true - AnalyzeHashes: true - AnalyzeEnvironment: true + - task: BinSkim@4 + displayName: "Run BinSkim - Product Binaries" + inputs: + InputType: Basic + AnalyzeTargetGlob: '$(ProductBinPath)\**\*.dll' + AnalyzeSymPath: "$(ProductBinPath)" + AnalyzeVerbose: true + AnalyzeHashes: true + AnalyzeEnvironment: true - - task: PublishSecurityAnalysisLogs@2 - displayName: "Publish Security Analysis Logs" - inputs: - ArtifactName: SecurityLogs + - task: PublishSecurityAnalysisLogs@2 + displayName: "Publish Security Analysis Logs" + inputs: + ArtifactName: SecurityLogs - - task: PostAnalysis@1 - displayName: "Post Analysis" - inputs: - BinSkim: true - CredScan: true - PoliCheck: true + - task: PostAnalysis@1 + displayName: "Post Analysis" + inputs: + BinSkim: true + CredScan: true + PoliCheck: true - - task: UseDotNet@2 - displayName: "Add .NET 2" - condition: and(contains(variables['build.sourceBranch'], 'refs/heads/main'), succeeded()) - inputs: - version: 2.x + - task: UseDotNet@2 + displayName: "Add .NET 2" + condition: and(contains(variables['build.sourceBranch'], 'refs/heads/main'), succeeded()) + inputs: + version: 2.x - - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1 - displayName: "ESRP DLL Strong Name" - condition: and(contains(variables['build.sourceBranch'], 'refs/heads/main'), succeeded()) - inputs: - ConnectedServiceName: "microsoftgraph ESRP CodeSign DLL and NuGet (AKV)" - FolderPath: $(ProductBinPath) - Pattern: Microsoft.Graph.Cli.Core.dll - signConfigType: inlineSignParams - inlineOperation: | - [ - { - "keyCode": "CP-233863-SN", - "operationSetCode": "StrongNameSign", - "parameters": [], - "toolName": "sign", - "toolVersion": "1.0" - }, - { - "keyCode": "CP-233863-SN", - "operationSetCode": "StrongNameVerify", - "parameters": [], - "toolName": "sign", - "toolVersion": "1.0" - } - ] - SessionTimeout: 20 + - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1 + displayName: "ESRP DLL Strong Name" + condition: and(contains(variables['build.sourceBranch'], 'refs/heads/main'), succeeded()) + inputs: + ConnectedServiceName: "microsoftgraph ESRP CodeSign DLL and NuGet (AKV)" + FolderPath: $(ProductBinPath) + Pattern: Microsoft.Graph.Cli.Core.dll + signConfigType: inlineSignParams + inlineOperation: | + [ + { + "keyCode": "CP-233863-SN", + "operationSetCode": "StrongNameSign", + "parameters": [], + "toolName": "sign", + "toolVersion": "1.0" + }, + { + "keyCode": "CP-233863-SN", + "operationSetCode": "StrongNameVerify", + "parameters": [], + "toolName": "sign", + "toolVersion": "1.0" + } + ] + SessionTimeout: 20 - - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1 - displayName: "ESRP DLL CodeSigning" - condition: and(contains(variables['build.sourceBranch'], 'refs/heads/main'), succeeded()) - inputs: - ConnectedServiceName: "microsoftgraph ESRP CodeSign DLL and NuGet (AKV)" - FolderPath: src - signConfigType: inlineSignParams - inlineOperation: | - [ - { - "keyCode": "CP-230012", - "operationSetCode": "SigntoolSign", - "parameters": [ - { - "parameterName": "OpusName", - "parameterValue": "Microsoft" - }, - { - "parameterName": "OpusInfo", - "parameterValue": "http://www.microsoft.com" - }, - { - "parameterName": "FileDigest", - "parameterValue": "/fd \"SHA256\"" - }, - { - "parameterName": "PageHash", - "parameterValue": "/NPH" - }, - { - "parameterName": "TimeStamp", - "parameterValue": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" - } - ], - "toolName": "sign", - "toolVersion": "1.0" - }, - { - "keyCode": "CP-230012", - "operationSetCode": "SigntoolVerify", - "parameters": [ ], - "toolName": "sign", - "toolVersion": "1.0" - } - ] - SessionTimeout: 20 + - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1 + displayName: "ESRP DLL CodeSigning" + condition: and(contains(variables['build.sourceBranch'], 'refs/heads/main'), succeeded()) + inputs: + ConnectedServiceName: "microsoftgraph ESRP CodeSign DLL and NuGet (AKV)" + FolderPath: src + signConfigType: inlineSignParams + inlineOperation: | + [ + { + "keyCode": "CP-230012", + "operationSetCode": "SigntoolSign", + "parameters": [ + { + "parameterName": "OpusName", + "parameterValue": "Microsoft" + }, + { + "parameterName": "OpusInfo", + "parameterValue": "http://www.microsoft.com" + }, + { + "parameterName": "FileDigest", + "parameterValue": "/fd \"SHA256\"" + }, + { + "parameterName": "PageHash", + "parameterValue": "/NPH" + }, + { + "parameterName": "TimeStamp", + "parameterValue": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" + } + ], + "toolName": "sign", + "toolVersion": "1.0" + }, + { + "keyCode": "CP-230012", + "operationSetCode": "SigntoolVerify", + "parameters": [ ], + "toolName": "sign", + "toolVersion": "1.0" + } + ] + SessionTimeout: 20 - # arguments are not parsed in DotNetCoreCLI@2 task for `pack` command, that's why we have a custom pack command here - - pwsh: dotnet pack "$(ProjectFile)" /p:IncludeSymbols=true /p:SymbolPackageFormat=snupkg --no-build --output $env:BUILD_ARTIFACTSTAGINGDIRECTORY/Nugets --configuration $env:BUILD_CONFIGURATION - condition: and(contains(variables['build.sourceBranch'], 'refs/heads/main'), succeeded()) - env: - BUILD_CONFIGURATION: $(BuildConfiguration) - displayName: Dotnet pack + # arguments are not parsed in DotNetCoreCLI@2 task for `pack` command, that's why we have a custom pack command here + - pwsh: dotnet pack "$(ProjectFile)" /p:IncludeSymbols=true /p:SymbolPackageFormat=snupkg --no-build --output $env:BUILD_ARTIFACTSTAGINGDIRECTORY/Nugets --configuration $env:BUILD_CONFIGURATION + condition: and(contains(variables['build.sourceBranch'], 'refs/heads/main'), succeeded()) + env: + BUILD_CONFIGURATION: $(BuildConfiguration) + displayName: Dotnet pack - - task: PowerShell@2 - displayName: "Validate project version has been incremented" - condition: and(contains(variables['build.sourceBranch'], 'refs/heads/main'), succeeded()) - inputs: - targetType: "filePath" - filePath: $(System.DefaultWorkingDirectory)\scripts\ValidateProjectVersionUpdated.ps1 - arguments: '-projectPath "$(ProjectFile)" -packageName "Microsoft.Graph.Cli.Core"' - pwsh: true + - task: PowerShell@2 + displayName: "Validate project version has been incremented" + condition: and(contains(variables['build.sourceBranch'], 'refs/heads/main'), succeeded()) + inputs: + targetType: "filePath" + filePath: $(System.DefaultWorkingDirectory)\scripts\ValidateProjectVersionUpdated.ps1 + arguments: '-projectPath "$(ProjectFile)" -packageName "Microsoft.Graph.Cli.Core"' + pwsh: true - - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1 - displayName: "ESRP CodeSigning Nuget Packages" - condition: and(contains(variables['build.sourceBranch'], 'refs/heads/main'), succeeded()) - inputs: - ConnectedServiceName: "microsoftgraph ESRP CodeSign DLL and NuGet (AKV)" - FolderPath: "$(Build.ArtifactStagingDirectory)/Nugets" - Pattern: "*.nupkg" - signConfigType: inlineSignParams - inlineOperation: | - [ - { - "keyCode": "CP-401405", - "operationSetCode": "NuGetSign", - "parameters": [ ], - "toolName": "sign", - "toolVersion": "1.0" - }, - { - "keyCode": "CP-401405", - "operationSetCode": "NuGetVerify", - "parameters": [ ], - "toolName": "sign", - "toolVersion": "1.0" - } - ] - SessionTimeout: 20 + - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1 + displayName: "ESRP CodeSigning Nuget Packages" + condition: and(contains(variables['build.sourceBranch'], 'refs/heads/main'), succeeded()) + inputs: + ConnectedServiceName: "microsoftgraph ESRP CodeSign DLL and NuGet (AKV)" + FolderPath: "$(Build.ArtifactStagingDirectory)/Nugets" + Pattern: "*.nupkg" + signConfigType: inlineSignParams + inlineOperation: | + [ + { + "keyCode": "CP-401405", + "operationSetCode": "NuGetSign", + "parameters": [ ], + "toolName": "sign", + "toolVersion": "1.0" + }, + { + "keyCode": "CP-401405", + "operationSetCode": "NuGetVerify", + "parameters": [ ], + "toolName": "sign", + "toolVersion": "1.0" + } + ] + SessionTimeout: 20 - - task: CopyFiles@2 - displayName: "Copy release scripts to artifact staging directory" - condition: and(contains(variables['build.sourceBranch'], 'refs/heads/main'), succeeded()) - inputs: - SourceFolder: "$(Build.SourcesDirectory)" - Contents: 'scripts\**' - TargetFolder: "$(Build.ArtifactStagingDirectory)/Nugets" + - task: CopyFiles@2 + displayName: "Copy release scripts to artifact staging directory" + condition: and(contains(variables['build.sourceBranch'], 'refs/heads/main'), succeeded()) + inputs: + SourceFolder: "$(Build.SourcesDirectory)" + Contents: 'scripts\**' + TargetFolder: "$(Build.ArtifactStagingDirectory)/Nugets" - - task: PublishPipelineArtifact@1 - displayName: "Upload Artifact: Nugets" - condition: and(contains(variables['build.sourceBranch'], 'refs/heads/main'), succeeded()) - inputs: - artifactName: Nugets - targetPath: $(Build.ArtifactStagingDirectory)/Nugets + - task: PublishPipelineArtifact@1 + displayName: "Upload Artifact: Nugets" + condition: and(contains(variables['build.sourceBranch'], 'refs/heads/main'), succeeded()) + inputs: + artifactName: Nugets + targetPath: $(Build.ArtifactStagingDirectory)/Nugets - - stage: deploy - condition: and(contains(variables['build.sourceBranch'], 'refs/heads/main'), succeeded()) - dependsOn: build - jobs: - - deployment: deploy_cli_core - environment: nuget-org - strategy: - runOnce: - deploy: - pool: - vmImage: ubuntu-latest - steps: - - task: DownloadPipelineArtifact@2 - displayName: Download nupkg from artifacts - inputs: - artifact: Nugets - source: current - - task: PowerShell@2 - displayName: "Extract release information to pipeline" - inputs: - targetType: "filePath" - filePath: $(Pipeline.Workspace)\Nugets\scripts\GetNugetPackageVersion.ps1 - pwsh: true - arguments: '-packageDirPath "$(Pipeline.Workspace)/Nugets/"' - - task: NuGetCommand@2 - displayName: "NuGet push" - inputs: - command: push - packagesToPush: "$(Pipeline.Workspace)/Nugets/Microsoft.Graph.Cli.Core.*.nupkg" - nuGetFeedType: external - publishFeedCredentials: "microsoftgraph NuGet connection" + - stage: deploy + condition: and(contains(variables['build.sourceBranch'], 'refs/heads/main'), succeeded()) + dependsOn: build + jobs: + - deployment: deploy_cli_core + environment: nuget-org + strategy: + runOnce: + deploy: + pool: + vmImage: ubuntu-latest + steps: + - task: DownloadPipelineArtifact@2 + displayName: Download nupkg from artifacts + inputs: + artifact: Nugets + source: current + - task: PowerShell@2 + displayName: "Extract release information to pipeline" + inputs: + targetType: "filePath" + filePath: $(Pipeline.Workspace)\Nugets\scripts\GetNugetPackageVersion.ps1 + pwsh: true + arguments: '-packageDirPath "$(Pipeline.Workspace)/Nugets/"' + - task: NuGetCommand@2 + displayName: "NuGet push" + inputs: + command: push + packagesToPush: "$(Pipeline.Workspace)/Nugets/Microsoft.Graph.Cli.Core.*.nupkg" + nuGetFeedType: external + publishFeedCredentials: "microsoftgraph NuGet connection" diff --git a/.azure-pipelines/config/CredScanSuppressions.json b/.azure-pipelines/config/CredScanSuppressions.json new file mode 100644 index 00000000..b2add737 --- /dev/null +++ b/.azure-pipelines/config/CredScanSuppressions.json @@ -0,0 +1,9 @@ +{ + "tool": "Credential Scanner", + "suppressions": [ + { + "file": "SynchronizationSecret.cs", + "_justification": "False positive." + } + ] +} diff --git a/.azure-pipelines/config/PoliCheckExclusions.xml b/.azure-pipelines/config/PoliCheckExclusions.xml new file mode 100644 index 00000000..ba584fb6 --- /dev/null +++ b/.azure-pipelines/config/PoliCheckExclusions.xml @@ -0,0 +1,12 @@ + + + + + + + + + + + SRC\GENERATED +