1ES Transition Items - "Extras"

[scbedd]

Discovered long tail items

• Transition azure-sdk-for-android
• Scan azure-sdk-build-tools exes with 1es-templates -> Remaining to be resolved:
  • tools/sdk-generation-pipeline/ci.yml
  • tools/oav-traffic-converter/ci.yml
  • tools/mock-service-host/ci.yml
  • tools/js-sdk-release-tools/ci.yml
  • tools/apiview/parsers/js-api-parser/ci.yml
  • tools/apiview/emitters/typespec-apiview/ci.yml
  • eng/pipelines/templates/stages/archetype-autorest-preview.yml
  • tools/tsp-client/ci.yml
• Remove download-credscan-suppression.yml in favor of disabling the SDL step on specific jobs or the like
  • We can account for the places where the clone is in a different location than the default SDL config by utilizing a templateContext argument on the deployment. Otherwise I'm not certain we can bypass this.
  • We CAN disable sdl injected steps when there is no checkout. Unfortunately during our signing stage there absolutely is checkout. Second section on this page This is for the entire SDL stage, not the injected steps during artifact publish.
  • No way to disable this. Only possible thing we could change is update to generate a blank credscan suppression file, then simply reference that via templateContext override.

    • templateContext:
        sdl:
          credscan:
            suppressionsFile: path/to/generated/file.json
      

• Eliminate warning for 1es artifact of that name already exists for matrix-ed test jobs This issue has drug on for 3 weeks with new discovered work. Going to file this as its own thing and pursue it.

yml Builds

• openapi-alps-PullRequest - One branch already compliant. Not shipped to 3rd parties.
• openapi-alps-publish -- PR
• openapi-alps-ci Not used as artifact source for release.
• public.avocado - PR
  • Will create internal build for release phase.
• public.openapi-diff - PR
  • Will create internal build for release phase.
• public.rest-api-specs-scripts
  • Deprecated repo. Likely no-op here.
• Azure.git-rest-api Build
  • This can probably be removed after we swap to releasing using ESRP task. Just going to ignore this for now.
• oav-merge-validation - PR
• regression-tests-full - PR
• AutoRest - Publish - Azure/autorest - only missing ESRP. Going to ignore for now.

Designer Builds

The following builds are designer, and will not benefit from the yml updates above.

• mgmt-netsdk-sign. Not used since 2019, can't clean up due to release. Disabled.
• mgmt-NetCore-SDK-Publish
• mgmt-netsdk-multiapi-publish
• mgmt-netsdk-sdkcommon-publish
• mgmt-netsdk-publish
• Specs Repo - Update readme.md all-api-versions tags.
• Autorest Npm Admin Task Supplanted by npm admin build
• tools - Codex - vscode.dev

Anything crossed out is deleted. Checkmark otherwise indicates merged PR.

Release Builds

• azuresdkpartnerdrops to pypi - esrp release - PR
• APIVIew UI Test instance - PR
• Release to APIView staging - PR
• APIView to Azure App Service - PR
• azuresdkpartnerdrops to npm - PR
• azure-openapi-validator to npm - PR
• azure-openapi-validator to npm - staging - PR
• azure-uamqp-python - client to pypi - PR
• Publish to npmjs.com (windowsazure) - PR
• js - tools to npm - publish (@azure)
  • Avocado
  • oad
  • public.rest-api-specs-scripts
    • We have transitioned the source of this package from the public repo here to the internal repo here.
• kebab-container-app-release -- PR
  • Feeds off of openapi-publish

Need to mark as non-production or otherwise transition each of the above builds. At the very minimum the release builds need to be transitioned to yml.

[kurtzeborn]

These designer builds are lo-pri... they existed before and they continue to exist after the transition. We should not worry about these until we get dinged on them (and then we'll probably just delete them).

[alzimmermsft]

At least in Java we're finding that in some CI runs virus scanning can take 10 to 15 minutes to run. Looking at the step running virus scanning, this could be that we're using '$(System.DefaultWorkingDirectory)' as the output parent directory, which may mean we're scanning all source code, build artifacts, and test recordings downloaded and generated during CI.

We should investigate if moving these build artifacts to a subfolder reduces the number of files that need to be virus scanned.

[scbedd]

These designer builds are lo-pri... they existed before and they continue to exist after the transition. We should not worry about these until we get dinged on them (and then we'll probably just delete them).

They were all deleted.

[scbedd]

This is all done except for one item that I am blocked on. Publishing the ADO extension from openapi-alps-publish. Have a support ticket out with the 1es folks. Holding pattern until response.