Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Adding OneBranch pipeline YAML config file for OSS_Microsoft_PSSA-Official #1981

Merged
merged 8 commits into from
Mar 13, 2024
Merged

Adding OneBranch pipeline YAML config file for OSS_Microsoft_PSSA-Official #1981

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
0cb2a22
Adding OneBranch pipeline YAML config file for OSS_Microsoft_PSSA-Off…
Mar 11, 2024
9fa47ae
Updates to signing and TSA
adityapatwardhan Mar 12, 2024
23956e7
Fix typo
adityapatwardhan Mar 12, 2024
19bca77
Fix typo 2
adityapatwardhan Mar 12, 2024
0a887a3
Fix typo 3
adityapatwardhan Mar 12, 2024
3954ca5
Update CR feedback
adityapatwardhan Mar 12, 2024
2f56f2c
Revert back to old signing
adityapatwardhan Mar 12, 2024
c0f7819
Fix source direcctory for credscan
adityapatwardhan Mar 12, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 15 additions & 0 deletions .config/tsaoptions.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
{
"instanceUrl": "https://msazure.visualstudio.com",
"projectName": "One",
"areaPath": "One\\MGMT\\Compute\\Powershell\\Powershell",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

add the PowerShell Core subpath, see

"notificationAliases": [
"[email protected]",
"[email protected]"
],
"codebaseName": "PSSA_202403",
"tools": [
"CredScan",
"PoliCheck",
"BinSkim"
]
}
140 changes: 140 additions & 0 deletions .pipelines/OSS_Microsoft_PSSA-Official.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,140 @@
# This Yaml Document has been converted by ESAI Yaml Pipeline Conversion Tool.
# Please make sure to check all the converted content, it is your team's responsibility to make sure that the pipeline is still valid and functions as expected.
# This pipeline will be extended to the OneBranch template
name: PSSA-Release-$(Build.BuildId)
trigger: none
pr:
branches:
include:
- master
- release*
variables:
- name: DOTNET_CLI_TELEMETRY_OPTOUT
value: 1
- name: POWERSHELL_TELEMETRY_OPTOUT
value: 1
- name: WindowsContainerImage
value: onebranch.azurecr.io/windows/ltsc2019/vse2022:latest
resources:
repositories:
- repository: ComplianceRepo
type: github
endpoint: ComplianceGHRepo
name: PowerShell/compliance
ref: master
- repository: onebranchTemplates
type: git
name: OneBranch.Pipelines/GovernedTemplates
ref: refs/heads/main
extends:
template: v2/OneBranch.Official.CrossPlat.yml@onebranchTemplates
parameters:
customTags: 'ES365AIMigrationTooling'
globalSdl:
runMode: stage
perStage:
stageName:
tsa:
configFile: $(Build.SourcesDirectory)/OSS_Microsoft_PSSA/.config/tsaoptions.json

stages:
- stage: Build
displayName: Build
jobs:
- job: Build_Job
displayName: Build Microsoft.PowerShell.ScriptAnalyzer
variables:
- group: ESRP
- name: ob_outputDirectory
value: '$(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT'
pool:
type: windows
steps:
- checkout: self
- checkout: ComplianceRepo

- pwsh: |
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add display names for tasks

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is there below.

if (-not (Test-Path $(Build.SourcesDirectory)/OSS_Microsoft_PSSA/.config/tsaoptions.json)) {
Get-ChildItem $(Build.SourcesDirectory) -recurse -ErrorAction SilentlyContinue
throw "tsaoptions.json does not exist under $(Build.SourcesDirectory)/OSS_Microsoft_PSSA/.config"
}
displayName: Test if tsaoptions.json exists

- pwsh: |
New-Item -ItemType Directory -Path $(Build.SourcesDirectory)/.config -Force -Verbose
Copy-Item '$(Build.SourcesDirectory)/OSS_Microsoft_PSSA/.config/tsaoptions.json' '$(Build.SourcesDirectory)/.config/tsaoptions.json' -Force -Verbose
displayName: Copy tsaoptions

- pwsh: |
Set-Location "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA"
try { ./build.ps1 -Configuration Release -All } catch { throw $_ }
displayName: Execute build
- pwsh: |
$signSrcPath = "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA/out"
# Set signing src path variable
$vstsCommandString = "vso[task.setvariable variable=signSrcPath]${signSrcPath}"
Write-Host "sending $vstsCommandString"
Write-Host "##$vstsCommandString"
$signOutStep1 = "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA/Step1"
$null = New-Item -ItemType Directory -Path $signOutStep1
# Set signing out path variable
$vstsCommandString = "vso[task.setvariable variable=signOutStep1]${signOutStep1}"
Write-Host "sending $vstsCommandString"
Write-Host "##$vstsCommandString"
$signOutPath = "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA/signed"
$null = New-Item -ItemType Directory -Path $signOutPath
# Set signing out path variable
$vstsCommandString = "vso[task.setvariable variable=signOutPath]${signOutPath}"
Write-Host "sending $vstsCommandString"
Write-Host "##$vstsCommandString"
# Set path variable for guardian codesign validation
$vstsCommandString = "vso[task.setvariable variable=GDN_CODESIGN_TARGETDIRECTORY]${signOutPath}"
Write-Host "sending $vstsCommandString"
Write-Host "##$vstsCommandString"
# Get version and create a variable
$moduleData = Import-PowerShellDataFile "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA/Engine/PSScriptAnalyzer.psd1"
$moduleVersion = $moduleData.ModuleVersion
$vstsCommandString = "vso[task.setvariable variable=moduleVersion]${moduleVersion}"
Write-Host "sending $vstsCommandString"
Write-Host "##$vstsCommandString"
displayName: Setup variables for signing

- template: EsrpSign.yml@ComplianceRepo
parameters:
buildOutputPath: $(signSrcPath)
signOutputPath: $(signOutStep1)
certificateId: "CP-230012"
useMinimatch: true
pattern: |
**\*.psd1
**\*.psm1
**\*.ps1xml
**\Microsoft*.dll
- template: EsrpSign.yml@ComplianceRepo
parameters:
buildOutputPath: $(signOutStep1)
signOutputPath: $(signOutPath)
certificateId: "CP-231522"
useMinimatch: true
pattern: |
**/Pluralize*.dll
**/Newtonsoft*.dll
- template: Sbom.yml@ComplianceRepo
parameters:
BuildDropPath: $(signOutPath)
Build_Repository_Uri: 'https://github.com/powershell/PSScriptAnalyzer'
- pwsh: |
Set-Location "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA"
./build -BuildNupkg -CopyManifest -signed
displayName: Create nupkg for publishing
- task: CopyFiles@2
displayName: "Copy Files for 'publish build directory' publish task"
inputs:
SourceFolder: "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA"
Contents: '**'
TargetFolder: $(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT/build
- task: CopyFiles@2
displayName: "Copy Files for 'Publish module nupkg' publish task"
inputs:
Contents: "$(signOutPath)/PSScriptAnalyzer.$(moduleVersion).nupkg"
TargetFolder: $(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT/nupkg