From fbf48cf46f3fcf994101f3a0b5d03643a45888e2 Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Wed, 3 Mar 2021 21:16:32 +0000 Subject: [PATCH 1/7] add daily build compliance template --- README.md | 5 +++-- dailyBuildCompliance.yml | 3 +++ template-compliance/skipComponentGovernanceIfCI.yml | 6 ++++++ 3 files changed, 12 insertions(+), 2 deletions(-) create mode 100644 dailyBuildCompliance.yml create mode 100644 template-compliance/skipComponentGovernanceIfCI.yml diff --git a/README.md b/README.md index 60732af..9c03db6 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,7 @@ # Compliance task library -**Contents of this repository are intended for internal Microsoft use.** +**Contents of this repository are intended for use in internal Microsoft Pipelines. +This repository is public so the community can inspect our process and for sharing amoung teams.** This repository contains Azure DevOPS YAML template for the compliance tasks needed for release products. The step templates can be included in the repository using [multi-checkout](https://docs.microsoft.com/en-us/azure/devops/pipelines/repos/multi-repo-checkout?view=azure-devops). @@ -154,7 +155,7 @@ Details can be found in the PowerShell Maintainers teams channel's Wiki tab. # If "true", use a custom JSON string for ESRP signing. Defaults to "false". useCustomEsrpJson: false # If "true", ESRP will automatically verify your files are signed properly (eg signtool /verify). - # Only supported for authenticode & nuget signing. + # Only supported for authenticode & nuget signing. # Defaults to "false". verifySignature: false # If "true", ESRP will page hash sign your files. diff --git a/dailyBuildCompliance.yml b/dailyBuildCompliance.yml new file mode 100644 index 0000000..555e798 --- /dev/null +++ b/dailyBuildCompliance.yml @@ -0,0 +1,3 @@ +steps: + - ${{ if eq(variables['Build.Reason'], 'PullRequest') }}: + - template: template-compliance/skipComponentGovernanceIfCI.yml 
diff --git a/template-compliance/skipComponentGovernanceIfCI.yml b/template-compliance/skipComponentGovernanceIfCI.yml new file mode 100644 index 0000000..396948d --- /dev/null +++ b/template-compliance/skipComponentGovernanceIfCI.yml @@ -0,0 +1,6 @@ +steps: +- pwsh: | + $vstsCommandString = "vso[task.setvariable variable=skipComponentGovernanceDetection]true" + Write-Verbose -Message ("sending " + $vstsCommandString) -Verbose + Write-Host "##$vstsCommandString" + displayName: Add variable to skip compontent governance From f5d7fdbb44f11c8f7b832a5de27d386ed9bf5d4d Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Wed, 3 Mar 2021 21:54:07 +0000 Subject: [PATCH 2/7] switch method --- dailyBuildCompliance.yml | 13 +++++++++++-- template-compliance/componentGovernance.yml | 12 ++++++++++++ template-compliance/skipComponentGovernanceIfCI.yml | 6 ------ 3 files changed, 23 insertions(+), 8 deletions(-) create mode 100644 template-compliance/componentGovernance.yml delete mode 100644 template-compliance/skipComponentGovernanceIfCI.yml diff --git a/dailyBuildCompliance.yml b/dailyBuildCompliance.yml index 555e798..fdfce66 100644 --- a/dailyBuildCompliance.yml +++ b/dailyBuildCompliance.yml @@ -1,3 +1,12 @@ +parameters: + - name: sourceScanPath + default: $(Build.SourcesDirectory) + - name: snapshotForceEnabled + default: true + steps: - - ${{ if eq(variables['Build.Reason'], 'PullRequest') }}: - - template: template-compliance/skipComponentGovernanceIfCI.yml + - ${{ if ne(variables['Build.Reason'], 'PullRequest') }}: + - template: template-compliance/compontentGovernance.yml + parameters: + sourceScanPath: '${{ parameters.sourceScanPath }}' + snapshotForceEnabled: '${{ parameters.snapshotForceEnabled }} diff --git a/template-compliance/componentGovernance.yml b/template-compliance/componentGovernance.yml new file mode 100644 index 0000000..305ef65 --- /dev/null +++ b/template-compliance/componentGovernance.yml 
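Review bot: Nothing in skipComponentGovernanceIfCI.yml says what consumes `skipComponentGovernanceDetection` or why detection is being switched off, and the file name says "IfCI" while the only caller added in this patch includes it when `Build.Reason` is `PullRequest`. Because the step appears to turn off a compliance scan for the rest of the job, a header comment would make the intent reviewable, for example `# Sets skipComponentGovernanceDetection=true for later steps in this job; included for PR builds only (see dailyBuildCompliance.yml)`. The `displayName` also misspells the word and should read `displayName: Add variable to skip component governance`.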
@@ -0,0 +1,12 @@ +parameters: + - name: sourceScanPath + default: $(Build.SourcesDirectory) + - name: snapshotForceEnabled + default: true + +steps: +- task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0 + displayName: 'Component Detection' + inputs: + sourceScanPath: '${{ parameters.sourceScanPath }}' + snapshotForceEnabled: '${{ parameters.snapshotForceEnabled }} diff --git a/template-compliance/skipComponentGovernanceIfCI.yml b/template-compliance/skipComponentGovernanceIfCI.yml deleted file mode 100644 index 396948d..0000000 --- a/template-compliance/skipComponentGovernanceIfCI.yml +++ /dev/null @@ -1,6 +0,0 @@ -steps: -- pwsh: | - $vstsCommandString = "vso[task.setvariable variable=skipComponentGovernanceDetection]true" - Write-Verbose -Message ("sending " + $vstsCommandString) -Verbose - Write-Host "##$vstsCommandString" - displayName: Add variable to skip compontent governance From 895b14edef63017467bd000b3ebaebb365ec6942 Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Wed, 3 Mar 2021 22:08:54 +0000 Subject: [PATCH 3/7] remove extra quote --- dailyBuildCompliance.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dailyBuildCompliance.yml b/dailyBuildCompliance.yml index fdfce66..eb1d102 100644 --- a/dailyBuildCompliance.yml +++ b/dailyBuildCompliance.yml @@ -9,4 +9,4 @@ steps: - template: template-compliance/compontentGovernance.yml parameters: sourceScanPath: '${{ parameters.sourceScanPath }}' - snapshotForceEnabled: '${{ parameters.snapshotForceEnabled }} + snapshotForceEnabled: ${{ parameters.snapshotForceEnabled }} From 6e2eb2e5e2c38e0ea71834d3e75a743775a26c59 Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Wed, 3 Mar 2021 22:26:35 +0000 Subject: [PATCH 4/7] set build name f --- dailyBuildCompliance.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/dailyBuildCompliance.yml b/dailyBuildCompliance.yml index eb1d102..c80b318 100644 --- a/dailyBuildCompliance.yml 
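Review bot: The last line of the new componentGovernance.yml opens a single-quoted scalar and never closes it (`'${{ parameters.snapshotForceEnabled }}`), so the template cannot be parsed as written. The follow-up "remove extra quote" patch in this series touches only dailyBuildCompliance.yml, so this file keeps the defect until it is deleted in 6/7. Drop the quote here as well: `snapshotForceEnabled: ${{ parameters.snapshotForceEnabled }}`. Declaring `type: boolean` on the `snapshotForceEnabled` parameter would also keep the `true` default from being treated as a string.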
+++ b/dailyBuildCompliance.yml @@ -10,3 +10,8 @@ steps: parameters: sourceScanPath: '${{ parameters.sourceScanPath }}' snapshotForceEnabled: ${{ parameters.snapshotForceEnabled }} + + - ${{ if ne(variables['Build.Reason'], 'PullRequest') }}: + - powershell: Write-Host "##vso[build.updatebuildnumber]$env:BUILD_SOURCEBRANCHNAME-$env:BUILD_SOURCEVERSION-$((get-date).ToString("yyyyMMddhhmmss"))" + displayName: Set Build Name for Non-PR + condition: ne(variables['Build.Reason'], 'PullRequest') From 05e694db26f3bc42c950cb4f06c30d4a2858bc13 Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Wed, 3 Mar 2021 22:40:00 +0000 Subject: [PATCH 5/7] add example --- README.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/README.md b/README.md index 9c03db6..f8f3056 100644 --- a/README.md +++ b/README.md @@ -365,3 +365,15 @@ This example uses a custom ESRP malware scanning (Azure DevOps) service name. scanningService: 'FactoryOrchestratorScanning' ``` + +### Daily build Compliance template + +This example add the template for a daily build. +It will automatically skip for PRs. +It should be put near the end of the job. + +```yaml + - template: dailyBuildCompliance.yml@ComplianceRepo + parameters: + sourceScanPath: '$(repoPath)' +``` From aebbbea4fe39f766b55601ae6b58f78eef293673 Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Wed, 3 Mar 2021 22:43:24 +0000 Subject: [PATCH 6/7] fix template path --- dailyBuildCompliance.yml | 5 +---- template-compliance/componentGovernance.yml | 12 ------------ 2 files changed, 1 insertion(+), 16 deletions(-) delete mode 100644 template-compliance/componentGovernance.yml diff --git a/dailyBuildCompliance.yml b/dailyBuildCompliance.yml index c80b318..fd01172 100644 --- a/dailyBuildCompliance.yml +++ b/dailyBuildCompliance.yml 
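Review bot: The timestamp in the new `powershell` step uses `hh`, the 12-hour clock, so a run at 09:15 and one at 21:15 on the same branch and commit produce the same build number. Use `HH`, and preferably UTC so agents in different time zones agree: `$((Get-Date).ToUniversalTime().ToString("yyyyMMddHHmmss"))`. `$env:BUILD_SOURCEBRANCHNAME` is also written into the `##vso[build.updatebuildnumber]` logging command as-is. Branch names are chosen by whoever can push, so it may be worth replacing anything outside `[A-Za-z0-9._-]` before emitting it; a name containing characters the build number rejects would presumably fail this step.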
@@ -1,15 +1,12 @@ parameters: - name: sourceScanPath default: $(Build.SourcesDirectory) - - name: snapshotForceEnabled - default: true steps: - ${{ if ne(variables['Build.Reason'], 'PullRequest') }}: - - template: template-compliance/compontentGovernance.yml + - template: template-compliance/component-governance.yml parameters: sourceScanPath: '${{ parameters.sourceScanPath }}' - snapshotForceEnabled: ${{ parameters.snapshotForceEnabled }} - ${{ if ne(variables['Build.Reason'], 'PullRequest') }}: - powershell: Write-Host "##vso[build.updatebuildnumber]$env:BUILD_SOURCEBRANCHNAME-$env:BUILD_SOURCEVERSION-$((get-date).ToString("yyyyMMddhhmmss"))" diff --git a/template-compliance/componentGovernance.yml b/template-compliance/componentGovernance.yml deleted file mode 100644 index 305ef65..0000000 --- a/template-compliance/componentGovernance.yml +++ /dev/null @@ -1,12 +0,0 @@ -parameters: - - name: sourceScanPath - default: $(Build.SourcesDirectory) - - name: snapshotForceEnabled - default: true - -steps: -- task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0 - displayName: 'Component Detection' - inputs: - sourceScanPath: '${{ parameters.sourceScanPath }}' - snapshotForceEnabled: '${{ parameters.snapshotForceEnabled }} From 8bcfe5b0b17aeb35b943ee6837a84a017bc9a65b Mon Sep 17 00:00:00 2001 From: Aditya Patwardhan Date: Wed, 3 Mar 2021 15:18:55 -0800 Subject: [PATCH 7/7] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index f8f3056..232ccc1 100644 --- a/README.md +++ b/README.md 
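Review bot: After this hunk dailyBuildCompliance.yml carries two back-to-back `${{ if ne(variables['Build.Reason'], 'PullRequest') }}:` blocks, and the `powershell` step under the second repeats the same test as a runtime `condition:`. Putting both steps under one `if` and dropping the `condition:` line would state the rule once. The new reference, `template-compliance/component-governance.yml`, is not added anywhere in this series, so it is worth confirming that the file already exists in the repository and declares a `sourceScanPath` parameter. `snapshotForceEnabled` is no longer passed, so detection now runs with whatever that template sets for it, which this patch does not show.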
@@ -1,7 +1,7 @@ # Compliance task library **Contents of this repository are intended for use in internal Microsoft Pipelines. -This repository is public so the community can inspect our process and for sharing amoung teams.** +This repository is public so the community can inspect our process and for sharing among teams.** This repository contains Azure DevOPS YAML template for the compliance tasks needed for release products. The step templates can be included in the repository using [multi-checkout](https://docs.microsoft.com/en-us/azure/devops/pipelines/repos/multi-repo-checkout?view=azure-devops).