Skip to content

Commit

Permalink
Migrate PSReadLine release build pipeline to OneBranch (#3975)
Browse files Browse the repository at this point in the history
  • Loading branch information
@daxian-dbw
daxian-dbw authored Mar 20, 2024
1 parent 5efe2ef commit 5e63f14
Show file tree
Hide file tree
Showing 3 changed files with 246 additions and 192 deletions.
9 changes: 9 additions & 0 deletions .config/tsaoptions.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
{
"instanceUrl": "https://msazure.visualstudio.com",
"projectName": "One",
"areaPath": "One\\MGMT\\Compute\\Powershell\\Powershell\\PowerShell Core",
"notificationAliases": [
"dongbow@microsoft.com",
"slee@microsoft.com"
]
}
237 changes: 237 additions & 0 deletions .pipelines/PSReadLine-Official.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,237 @@
#################################################################################
# OneBranch Pipelines #
# This pipeline was created by EasyStart from a sample located at: #
# https://aka.ms/obpipelines/easystart/samples #
# Documentation: https://aka.ms/obpipelines #
# Yaml Schema: https://aka.ms/obpipelines/yaml/schema #
# Retail Tasks: https://aka.ms/obpipelines/tasks #
# Support: https://aka.ms/onebranchsup #
#################################################################################

name: PSReadLine-ModuleBuild-$(Build.BuildId)
trigger: none
pr: none

variables:
DOTNET_CLI_TELEMETRY_OPTOUT: 1
POWERSHELL_TELEMETRY_OPTOUT: 1
DOTNET_SKIP_FIRST_TIME_EXPERIENCE: 1
WindowsContainerImage: onebranch.azurecr.io/windows/ltsc2022/vse2022:latest

resources:
repositories:
- repository: onebranchTemplates
type: git
name: OneBranch.Pipelines/GovernedTemplates
ref: refs/heads/main

extends:
template: v2/OneBranch.Official.CrossPlat.yml@onebranchTemplates
parameters:
featureFlags:
WindowsHostVersion: '1ESWindows2022'
globalSdl:
disableLegacyManifest: true
sbom:
enabled: true
packageName: PSReadLine
codeql:
compiled:
enabled: true
asyncSdl: # https://aka.ms/obpipelines/asyncsdl
enabled: true
forStages: [Build]
credscan:
enabled: true
scanFolder: $(Build.SourcesDirectory)\PSReadLine\PSReadLine
binskim:
enabled: true
apiscan:
enabled: false

stages:
- stage: buildstage
displayName: Build and Sign PSReadLine
jobs:
- job: buildjob
displayName: Build PSReadLine Files
variables:
- name: ob_outputDirectory
value: '$(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT'
- name: repoRoot
value: $(Build.SourcesDirectory)\PSReadLine
- name: ob_sdl_tsa_configFile
value: $(repoRoot)\.config\tsaoptions.json
- name: signSrcPath
value: $(repoRoot)\bin\Release\PSReadLine
- name: ob_sdl_sbom_enabled
value: true
- name: ob_signing_setup_enabled
value: true
#CodeQL tasks added manually to workaround signing failures
- name: ob_sdl_codeql_compiled_enabled
value: false

pool:
type: windows
steps:
- checkout: self
env:
# Set ob_restore_phase to run this step before '🔒 Setup Signing' step.
ob_restore_phase: true

- pwsh: |
if (-not (Test-Path $(repoRoot)/.config/tsaoptions.json)) {
throw "tsaoptions.json does not exist under $(repoRoot)/.config"
}
displayName: Test if tsaoptions.json exists
env:
# Set ob_restore_phase to run this step before '🔒 Setup Signing' step.
ob_restore_phase: true
- pwsh: |
Write-Host "PS Version: $($PSVersionTable.PSVersion)"
Set-Location -Path '$(repoRoot)'
.\build.ps1 -Bootstrap
displayName: Bootstrap
env:
# Set ob_restore_phase to run this step before '🔒 Setup Signing' step.
ob_restore_phase: true
# Add CodeQL Init task right before your 'Build' step.
- task: CodeQL3000Init@0
env:
# Set ob_restore_phase to run this step before '🔒 Setup Signing' step.
ob_restore_phase: true
inputs:
Enabled: true
AnalyzeInPipeline: true
Language: csharp

- pwsh: |
Write-Host "PS Version: $($($PSVersionTable.PSVersion))"
Set-Location -Path '$(repoRoot)'
.\build.ps1 -Configuration Release -Framework net462
displayName: Build
env:
# Set ob_restore_phase to run this step before '🔒 Setup Signing' step.
ob_restore_phase: true
# Add CodeQL Finalize task right after your 'Build' step.
- task: CodeQL3000Finalize@0
condition: always()
env:
# Set ob_restore_phase to run this step before '🔒 Setup Signing' step.
ob_restore_phase: true

- task: onebranch.pipeline.signing@1
displayName: Sign 1st party files
inputs:
command: 'sign'
signing_profile: external_distribution
files_to_sign: '*.psd1;*.psm1;*.ps1;*.ps1xml;**\Microsoft*.dll;!Microsoft.PowerShell.Pager.dll'
search_root: $(signSrcPath)

# Verify the signatures
- pwsh: |
$HasInvalidFiles = $false
$WrongCert = @{}
Get-ChildItem -Path $(signSrcPath) -Recurse -Include "*.dll","*.ps*1*" | `
Get-AuthenticodeSignature | ForEach-Object {
Write-Host "$($_.Path): $($_.Status)"
if ($_.Status -ne 'Valid') { $HasInvalidFiles = $true }
if ($_.SignerCertificate.Subject -notmatch 'CN=Microsoft Corporation.*') {
$WrongCert.Add($_.Path, $_.SignerCertificate.Subject)
}
}
if ($HasInvalidFiles) { throw "Authenticode verification failed. There is one or more invalid files." }
if ($WrongCert.Count -gt 0) {
$WrongCert
throw "Certificate should have the subject starts with 'Microsoft Corporation'"
}
Write-Host "Display files in the folder ..." -ForegroundColor Yellow
Get-ChildItem -Path $(signSrcPath) -Recurse | Out-String -Width 120
displayName: 'Verify the signed files'
- task: CopyFiles@2
displayName: "Copy signed files to ob_outputDirectory - '$(ob_outputDirectory)'"
inputs:
SourceFolder: $(signSrcPath)
Contents: '**\*'
TargetFolder: $(ob_outputDirectory)

- pwsh: |
$versionInfo = Get-Item "$(signSrcPath)\Microsoft.PowerShell.PSReadLine2.dll" | ForEach-Object VersionInfo
$moduleVersion = $versionInfo.ProductVersion.Split('+')[0]
$vstsCommandString = "vso[task.setvariable variable=ob_sdl_sbom_packageversion]${moduleVersion}"
Write-Host "sending $vstsCommandString"
Write-Host "##$vstsCommandString"
displayName: Setup SBOM Package Version
- job: nupkg
dependsOn: buildjob
displayName: Package PSReadLine module
variables:
- name: ob_outputDirectory
value: '$(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT'
- name: repoRoot
value: $(Build.SourcesDirectory)\PSReadLine
- name: ob_sdl_tsa_configFile
value: $(repoRoot)\.config\tsaoptions.json
# Disable because SBOM was already built in the previous job
- name: ob_sdl_sbom_enabled
value: false
- name: signOutPath
value: $(repoRoot)\signed\PSReadLine
- name: nugetPath
value: $(repoRoot)\signed\NuGetPackage
- name: ob_signing_setup_enabled
value: true
# This job is not compiling code, so disable codeQL
- name: ob_sdl_codeql_compiled_enabled
value: false

pool:
type: windows
steps:
- checkout: self

- task: DownloadPipelineArtifact@2
displayName: 'Download build files'
inputs:
targetPath: $(signOutPath)
artifact: drop_buildstage_buildjob

- pwsh: |
Get-ChildItem $(signOutPath) -Recurse
New-Item -Path $(nugetPath) -ItemType Directory > $null
displayName: Capture artifacts structure
- pwsh: |
try {
$RepoName = "PSRLLocal"
Register-PSRepository -Name $RepoName -SourceLocation $(nugetPath) -PublishLocation $(nugetPath) -InstallationPolicy Trusted
Publish-Module -Repository $RepoName -Path $(signOutPath)
} finally {
Unregister-PSRepository -Name $RepoName -ErrorAction SilentlyContinue
}
Get-ChildItem -Path $(nugetPath)
displayName: 'Create the NuGet package'
- task: onebranch.pipeline.signing@1
displayName: Sign nupkg
inputs:
command: 'sign'
signing_profile: external_default
files_to_sign: '*.nupkg'
search_root: $(nugetPath)

- task: CopyFiles@2
displayName: "Copy nupkg to ob_outputDirectory - '$(ob_outputDirectory)'"
inputs:
SourceFolder: $(nugetPath)
Contents: '**\*'
TargetFolder: $(ob_outputDirectory)
Loading

0 comments on commit 5e63f14

Please sign in to comment.