-
Notifications
You must be signed in to change notification settings - Fork 7.1k
/
nuget.yml
256 lines (211 loc) · 9.87 KB
/
nuget.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
parameters:
parentJobs: []
jobs:
- job: build_nuget
dependsOn:
${{ parameters.parentJobs }}
displayName: Build NuGet packages
condition: succeeded()
pool:
name: PowerShell1ES
demands:
- ImageOverride -equals MMS2019TLS
timeoutInMinutes: 90
variables:
- name: runCodesignValidationInjection
value: false
- name: NugetSecurityAnalysisWarningLevel
value: none
- name: build
value: ${{ parameters.buildName }}
- group: ESRP
- name: GenAPIToolPath
value: '$(System.ArtifactsDirectory)/GenAPI'
- name: PackagePath
value: '$(System.ArtifactsDirectory)/UnifiedPackagePath'
- name: winFxdPath
value: '$(System.ArtifactsDirectory)/winFxd'
- name: winFxdWinDesktopPath
value: '$(System.ArtifactsDirectory)/winFxdWinDesktop'
- name: linuxFxdPath
value: '$(System.ArtifactsDirectory)/linuxFxd'
steps:
- checkout: self
clean: true
- checkout: ComplianceRepo
clean: true
- template: SetVersionVariables.yml
parameters:
ReleaseTagVar: $(ReleaseTagVar)
- powershell: |
$content = Get-Content "$env:REPOROOT/global.json" -Raw | ConvertFrom-Json
$vstsCommandString = "vso[task.setvariable variable=SDKVersion]$($content.sdk.version)"
Write-Host "sending " + $vstsCommandString
Write-Host "##$vstsCommandString"
displayName: 'Find SDK version from global.json'
- task: DotNetCoreInstaller@0
displayName: 'Use .NET Core SDK from global.json'
inputs:
version: '$(SDKVersion)'
- task: DownloadBuildArtifacts@0
displayName: 'Download PowerShell build artifacts - finalResults'
inputs:
buildType: current
downloadType: single
artifactName: finalResults
downloadPath: '$(System.ArtifactsDirectory)'
- task: DownloadBuildArtifacts@0
displayName: 'Download PowerShell build artifacts - macosPkgResults'
inputs:
buildType: current
downloadType: single
artifactName: macosPkgResults
downloadPath: '$(System.ArtifactsDirectory)'
- powershell: 'Get-ChildItem $(System.ArtifactsDirectory) -recurse'
displayName: 'Capture downloaded artifacts'
- powershell: |
$packagePath = (Join-Path $(System.ArtifactsDirectory) packages)
New-Item $packagePath -ItemType Directory -Force > $null
$packages = Get-ChildItem $(System.ArtifactsDirectory) -Include *.zip, *.tar.gz -Recurse
$packages | ForEach-Object { Copy-Item $_.FullName -Destination $packagePath -Verbose }
Get-ChildItem $packagePath -Recurse
displayName: 'Conflate packages to same folder'
- task: ExtractFiles@1
displayName: 'Extract files win-fxdependent'
inputs:
archiveFilePatterns: '$(System.ArtifactsDirectory)/packages/PowerShell-*-win-fxdependent.zip'
destinationFolder: '$(winFxdPath)'
- task: ExtractFiles@1
displayName: 'Extract files win-fxdependentWinDesktop'
inputs:
archiveFilePatterns: '$(System.ArtifactsDirectory)/packages/PowerShell-*-win-fxdependentWinDesktop.zip'
destinationFolder: '$(winFxdWinDesktopPath)'
- task: ExtractFiles@1
displayName: 'Extract files linux-fxdependent'
inputs:
archiveFilePatterns: '$(System.ArtifactsDirectory)/packages/powershell-*-linux-x64-fxdependent.tar.gz'
destinationFolder: '$(linuxFxdPath)'
- task: PkgESInstallNuGetToolsPackage@10
displayName: 'Install package Microsoft.DotNet.BuildTools.GenAPI'
inputs:
packageName: Microsoft.DotNet.BuildTools.GenAPI
packageVersion: '1.0.0-beta-00081'
packageSources: 'https://nuget.org/api/v2'
installRoot: '$(GenAPIToolPath)'
- template: SetVersionVariables.yml
parameters:
ReleaseTagVar: $(ReleaseTagVar)
- template: shouldSign.yml
- task: NuGetToolInstaller@1
displayName: 'Install NuGet.exe'
- pwsh: |
Import-Module $env:REPOROOT\build.psm1
Import-Module $env:REPOROOT\tools\packaging
Find-Dotnet
New-ILNugetPackage -PackagePath "$(PackagePath)" -PackageVersion "$(Version)" -WinFxdBinPath '$(winFxdPath)' -LinuxFxdBinPath '$(linuxFxdPath)' -GenAPIToolPath "$(GenAPIToolPath)"
displayName: 'Create Nuget Package Folders'
- pwsh: |
Get-ChildItem $(linuxFxdPath)
Get-ChildItem $(winFxdPath)
Get-ChildItem $(winFxdWinDesktopPath)
displayName: Capture fxd folders
- pwsh: |
Import-Module $env:REPOROOT\build.psm1
Import-Module $env:REPOROOT\tools\packaging
Find-Dotnet
# Create unified package first
New-GlobalToolNupkg -UnifiedPackage -LinuxBinPath "$(linuxFxdPath)" -WindowsBinPath "$(winFxdPath)" -WindowsDesktopBinPath "$(winFxdWinDesktopPath)" -PackageVersion "$(Version)" -DestinationPath "$(PackagePath)\globaltool"
# Create packages for dotnet sdk
New-GlobalToolNupkg -LinuxBinPath "$(linuxFxdPath)" -WindowsBinPath "$(winFxdPath)" -WindowsDesktopBinPath "$(winFxdWinDesktopPath)" -PackageVersion "$(Version)" -DestinationPath "$(PackagePath)\globaltool"
displayName: 'Create Global tool packages'
- pwsh: |
Get-ChildItem "$(PackagePath)" -Recurse
displayName: Capture generated packages
- template: EsrpSign.yml@ComplianceRepo
parameters:
buildOutputPath: $(PackagePath)
signOutputPath: $(System.ArtifactsDirectory)\signed
certificateId: "CP-401405"
pattern: |
**\*.nupkg
useMinimatch: true
shouldSign: $(SHOULD_SIGN)
displayName: Sign NuPkg
- pwsh: |
if (-not (Test-Path '$(System.ArtifactsDirectory)\signed\')) { $null = New-Item -ItemType Directory -Path '$(System.ArtifactsDirectory)\signed\' }
Copy-Item -Path '$(PackagePath)\*.nupkg' -Destination '$(System.ArtifactsDirectory)\signed\' -Verbose -Force
Copy-Item -Path '$(PackagePath)\globaltool\*.nupkg' -Destination '$(System.ArtifactsDirectory)\signed\' -Verbose -Force
displayName: Fake copy when not signing
condition: eq(variables['SHOULD_SIGN'], 'false')
- pwsh: |
Import-Module "${env:REPOROOT}\build.psm1" -Force
Get-ChildItem -Recurse "$(System.ArtifactsDirectory)\signed\*.nupkg" -Verbose | ForEach-Object { Start-NativeExecution -sb { nuget.exe verify -All $_.FullName } }
displayName: Verify all packages are signed
condition: eq(variables['SHOULD_SIGN'], 'true')
- task: securedevelopmentteam.vss-secure-development-tools.build-task-antimalware.AntiMalware@3
displayName: 'Run MpCmdRun.exe'
inputs:
FileDirPath: '$(PackagePath)'
TreatStaleSignatureAs: Warning
- task: securedevelopmentteam.vss-secure-development-tools.build-task-publishsecurityanalysislogs.PublishSecurityAnalysisLogs@2
displayName: 'Publish Security Analysis Logs'
- template: upload-final-results.yml
parameters:
artifactPath: '$(System.ArtifactsDirectory)\signed'
- pwsh: |
if (-not (Test-Path "$(System.ArtifactsDirectory)\signed\globaltool"))
{
$null = New-Item -Path "$(System.ArtifactsDirectory)\signed\globaltool" -ItemType Directory -Force
}
Move-Item -Path "$(System.ArtifactsDirectory)\signed\PowerShell.*" -Destination "$(System.ArtifactsDirectory)\signed\globaltool" -Force
Get-ChildItem "$(System.ArtifactsDirectory)\signed\globaltool" -Recurse
displayName: Move global tool packages to subfolder and capture
- pwsh: |
$packagePath = (Join-Path $(System.ArtifactsDirectory) checksum)
New-Item $packagePath -ItemType Directory -Force > $null
$srcPaths = @("$(System.ArtifactsDirectory)\finalResults", "$(System.ArtifactsDirectory)\macosPkgResults", "$(System.ArtifactsDirectory)\signed")
$packages = Get-ChildItem -Path $srcPaths -Include *.zip, *.tar.gz, *.msi*, *.pkg, *.deb, *.rpm -Exclude "PowerShell-Symbols*" -Recurse
$packages | ForEach-Object { Copy-Item $_.FullName -Destination $packagePath -Verbose }
$packagePathList = Get-ChildItem $packagePath -Recurse | Select-Object -ExpandProperty FullName | Out-String
Write-Verbose -Verbose $packagePathList
$checksums = Get-ChildItem -Path $packagePath |
ForEach-Object {
Write-Verbose -Verbose "Generating checksum file for $($_.FullName)"
$packageName = $_.Name
$hash = (Get-FileHash -Path $_.FullName -Algorithm SHA512).Hash.ToLower()
# the '*' before the packagename signifies it is a binary
"$hash *$packageName"
}
$checksums | Out-File -FilePath "$packagePath\SHA512SUMS" -Force
$fileContent = Get-Content -Path "$packagePath\SHA512SUMS" -Raw | Out-String
Write-Verbose -Verbose -Message $fileContent
Copy-Item -Path "$packagePath\SHA512SUMS" -Destination '$(System.ArtifactsDirectory)\signed\' -verbose
Copy-Item -Path "$packagePath\SHA512SUMS" -Destination '$(System.ArtifactsDirectory)\signed\globaltool\' -verbose
displayName: Generate checksum file
- template: upload-final-results.yml
parameters:
artifactPath: '$(System.ArtifactsDirectory)\checksum'
artifactFilter: SHA512SUMS
- task: AzureFileCopy@4
displayName: 'Upload NuGet packages to Azure'
inputs:
SourcePath: '$(System.ArtifactsDirectory)\signed\*'
azureSubscription: '$(AzureFileCopySubscription)'
Destination: AzureBlob
storage: '$(StorageAccount)'
ContainerName: '$(AzureVersion)-nuget'
condition: and(succeeded(), eq(variables['SHOULD_SIGN'], 'true'))
- task: AzureFileCopy@4
displayName: 'Upload global tool packages to Azure'
inputs:
sourcePath: '$(System.ArtifactsDirectory)\signed\globaltool\*'
azureSubscription: '$(GlobalToolSubscription)'
Destination: AzureBlob
storage: '$(GlobalToolStorageAccount)'
ContainerName: 'tool'
blobPrefix: '$(Version)'
condition: and(succeeded(), eq(variables['SHOULD_SIGN'], 'true'))
- task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
displayName: 'Component Detection'
inputs:
sourceScanPath: '$(repoRoot)\tools'