[release/2.1] Onboard the official build to 1ES pipeline templates (#…

…33567)

azure-pipelines-public.yml

@@ -1,7 +1,3 @@
-#
-# See https://learn.microsoft.com/en-us/azure/devops/pipelines/yaml-schema/?view=azure-pipelines for details
-#
-
 parameters:
 # Parameter below is ignored in public builds.
 #
@@ -12,10 +8,6 @@ parameters:
   displayName: Run CodeQL3000 tasks
   type: boolean
 
-variables:
-- name: runCodeQL3000
-  value: ${{ and(ne(variables['System.TeamProject'], 'public'), or(eq(variables['Build.Reason'], 'Schedule'), and(eq(variables['Build.Reason'], 'Manual'), eq(parameters.runCodeQL3000, 'true')))) }}
-
 # Only run CI builds for these branches
 trigger:
   branches:
@@ -34,46 +26,19 @@ jobs:
 - template: build/templates/default-build.yml
   parameters:
     agentOs: Windows
-    codeSign: ${{ ne(variables.runCodeQL3000, 'true') }}
+    codeSign: true
     configuration: Release
-    ${{ if eq(variables.runCodeQL3000, 'true') }}:
-      variables:
-        # Security analysis is included in normal runs. Disable its auto-injection.
-        skipNugetSecurityAnalysis: true
-        # Do not let CodeQL3000 Extension gate scan frequency.
-        Codeql.Cadence: 0
-        # Enable CodeQL3000 unconditionally so it may be run on any branch.
-        Codeql.Enabled: true
-        # Ignore test and infrastructure code.
-        Codeql.SourceRoot: src
-        # CodeQL3000 needs this plumbed along as a variable to enable TSA.
-        Codeql.TSAEnabled: ${{ eq(variables['Build.Reason'], 'Schedule') }}
-        # Default expects tsaoptions.json under SourceRoot.
-        Codeql.TSAOptionsPath: '$(Build.SourcesDirectory)/.config/tsaoptions.json'
-      beforeBuild:
-      - task: CodeQL3000Init@0
-        displayName: CodeQL Initialize
-      - script: "echo ##vso[build.addbuildtag]CodeQL3000"
-        displayName: 'Set CI CodeQL3000 tag'
-        condition: ne(variables.CODEQL_DIST,'')
-      # Note packages are produced, just not signed, verified, or uploaded. No way to turn off production.
-      buildArgs: /p:UseSharedCompilation=false /p:SkipTests=true /p:DisableCodeSigning=true /p:SkipArtifactVerification=true
-      afterBuild:
-      - task: CodeQL3000Finalize@0
-        displayName: CodeQL Finalize
-    ${{ else }}:
-      artifacts:
-        publish: true
-        name: packages
-        path: 'artifacts/build/'
+    artifacts:
+      publish: true
+      name: packages
+      path: 'artifacts/build/'
 
-- ${{ if ne(variables.runCodeQL3000, 'true') }}:
-  - template: build/templates/default-build.yml
-    parameters:
-      agentOs: macOS
-      configuration: Release
+- template: build/templates/default-build.yml
+  parameters:
+    agentOs: macOS
+    configuration: Release
 
-  - template: build/templates/default-build.yml
-    parameters:
-      agentOs: Linux
-      configuration: Release
+- template: build/templates/default-build.yml
+  parameters:
+    agentOs: Linux
+    configuration: Release

azure-pipelines.yml

@@ -1,27 +1,10 @@
-#
-# See https://learn.microsoft.com/en-us/azure/devops/pipelines/yaml-schema/?view=azure-pipelines for details
-#
-
-parameters:
-# Parameter below is ignored in public builds.
-#
-# Choose whether to run the CodeQL3000 tasks.
-# Manual builds align w/ official builds unless this parameter is true.
-- name: runCodeQL3000
-  default: false
-  displayName: Run CodeQL3000 tasks
-  type: boolean
-
-variables:
-- name: runCodeQL3000
-  value: ${{ and(ne(variables['System.TeamProject'], 'public'), or(eq(variables['Build.Reason'], 'Schedule'), and(eq(variables['Build.Reason'], 'Manual'), eq(parameters.runCodeQL3000, 'true')))) }}
-
 # Only run CI builds for these branches
 trigger:
   branches:
     include:
     - 'main'
     - 'release/*'
+
 # Run PR validation on all branches
 pr:
   branches:
@@ -30,50 +13,41 @@ pr:
 
 name: $(Date:yyyyMMdd)-$(Rev:rr)
 
-jobs:
-- template: build/templates/default-build.yml
-  parameters:
-    agentOs: Windows
-    codeSign: ${{ ne(variables.runCodeQL3000, 'true') }}
-    configuration: Release
-    ${{ if eq(variables.runCodeQL3000, 'true') }}:
-      variables:
-        # Security analysis is included in normal runs. Disable its auto-injection.
-        skipNugetSecurityAnalysis: true
-        # Do not let CodeQL3000 Extension gate scan frequency.
-        Codeql.Cadence: 0
-        # Enable CodeQL3000 unconditionally so it may be run on any branch.
-        Codeql.Enabled: true
-        # Ignore test and infrastructure code.
-        Codeql.SourceRoot: src
-        # CodeQL3000 needs this plumbed along as a variable to enable TSA.
-        Codeql.TSAEnabled: ${{ eq(variables['Build.Reason'], 'Schedule') }}
-        # Default expects tsaoptions.json under SourceRoot.
-        Codeql.TSAOptionsPath: '$(Build.SourcesDirectory)/.config/tsaoptions.json'
-      beforeBuild:
-      - task: CodeQL3000Init@0
-        displayName: CodeQL Initialize
-      - script: "echo ##vso[build.addbuildtag]CodeQL3000"
-        displayName: 'Set CI CodeQL3000 tag'
-        condition: ne(variables.CODEQL_DIST,'')
-      # Note packages are produced, just not signed, verified, or uploaded. No way to turn off production.
-      buildArgs: /p:UseSharedCompilation=false /p:SkipTests=true /p:DisableCodeSigning=true /p:SkipArtifactVerification=true
-      afterBuild:
-      - task: CodeQL3000Finalize@0
-        displayName: CodeQL Finalize
-    ${{ else }}:
-      artifacts:
-        publish: true
-        name: packages
-        path: 'artifacts/build/'
-
-- ${{ if ne(variables.runCodeQL3000, 'true') }}:
-  - template: build/templates/default-build.yml
-    parameters:
-      agentOs: macOS
-      configuration: Release
+resources:
+  repositories:
+  - repository: 1ESPipelineTemplates
+    type: git
+    name: 1ESPipelineTemplates/1ESPipelineTemplates
+    ref: refs/tags/release
 
-  - template: build/templates/default-build.yml
-    parameters:
-      agentOs: Linux
-      configuration: Release
+extends:
+  template: v1/1ES.Official.PipelineTemplate.yml@1ESPipelineTemplates
+  parameters:
+    featureFlags:
+      autoBaseline: false
+    sdl:
+      sourceAnalysisPool:
+        name: NetCore1ESPool-Svc-Internal
+        image: 1es-windows-2022
+        os: windows
+      baseline:
+        baselineFile: $(Build.SourcesDirectory)\.config\guardian\.gdnbaselines
+      binskim:
+        scanOutputDirectoryOnly: true
+    stages:
+    - stage: build
+      displayName: Build
+      jobs:
+      - template: build/templates/default-build.yml@self
+        parameters:
+          agentOs: Windows
+          codeSign: true
+          configuration: Release
+      - template: build/templates/default-build.yml@self
+        parameters:
+          agentOs: macOS
+          configuration: Release
+      - template: build/templates/default-build.yml@self
+        parameters:
+          agentOs: Linux
+          configuration: Release

build/dependencies.props

@@ -33,16 +33,16 @@
     <MicrosoftCSharpPackageVersion>4.5.0</MicrosoftCSharpPackageVersion>
     <MicrosoftNETTestSdkPackageVersion>15.9.2</MicrosoftNETTestSdkPackageVersion>
     <NewtonsoftJsonPackageVersion>11.0.2</NewtonsoftJsonPackageVersion>
-    <OracleManagedDataAccessPackageVersion>12.2.1100</OracleManagedDataAccessPackageVersion>
+    <OracleManagedDataAccessPackageVersion>12.2.20230118</OracleManagedDataAccessPackageVersion>
     <RemotionLinqPackageVersion>2.2.0</RemotionLinqPackageVersion>
     <SQLitePCLRawBundleGreenPackageVersion>1.1.15</SQLitePCLRawBundleGreenPackageVersion>
     <SQLitePCLRawBundleSqlcipherPackageVersion>1.1.14</SQLitePCLRawBundleSqlcipherPackageVersion>
     <SQLitePCLRawCorePackageVersion>1.1.14</SQLitePCLRawCorePackageVersion>
     <StyleCopAnalyzersPackageVersion>1.0.0</StyleCopAnalyzersPackageVersion>
     <SystemCollectionsImmutablePackageVersion>1.5.0</SystemCollectionsImmutablePackageVersion>
     <SystemComponentModelAnnotationsPackageVersion>4.5.0</SystemComponentModelAnnotationsPackageVersion>
-    <SystemDataSqlClientPackageVersion>4.5.3</SystemDataSqlClientPackageVersion>
-    <SystemDiagnosticsDiagnosticSourcePackageVersion>4.5.1</SystemDiagnosticsDiagnosticSourcePackageVersion>
+    <SystemDataSqlClientPackageVersion>4.8.6</SystemDataSqlClientPackageVersion>
+    <SystemDiagnosticsDiagnosticSourcePackageVersion>4.7.1</SystemDiagnosticsDiagnosticSourcePackageVersion>
     <SystemInteractiveAsyncPackageVersion>3.1.1</SystemInteractiveAsyncPackageVersion>
     <XunitAnalyzersPackageVersion>0.10.0</XunitAnalyzersPackageVersion>
     <XunitAssertPackageVersion>2.4.1</XunitAssertPackageVersion>

build/templates/default-build.yml

@@ -69,16 +69,27 @@ jobs:
     ${{ if ne(parameters.poolName, '') }}:
       name: ${{ parameters.poolName }}
     ${{ if and(eq(parameters.poolName, ''), eq(parameters.agentOs, 'macOS')) }}:
-      vmImage: macOS-11
+      ${{ if eq(variables['System.TeamProject'], 'public') }}:
+        vmImage: macOS-11
+      ${{ if ne(variables['System.TeamProject'], 'public') }}:
+        name: Azure Pipelines
+        image: macOS-11
+        os: macOS
     ${{ if and(eq(parameters.poolName, ''), eq(parameters.agentOs, 'Linux')) }}:
-      vmImage: ubuntu-20.04
+      ${{ if eq(variables['System.TeamProject'], 'public') }}:
+        vmImage: ubuntu-22.04
+      ${{ if ne(variables['System.TeamProject'], 'public') }}:
+        name: NetCore1ESPool-Svc-Internal
+        demands: ImageOverride -equals 1es-ubuntu-2204
+        os: linux
     ${{ if and(eq(parameters.poolName, ''), eq(parameters.agentOs, 'Windows')) }}:
       ${{ if eq(variables['System.TeamProject'], 'public') }}:
         name: NetCore-Svc-Public
         demands: ImageOverride -equals 1es-windows-2019-open
       ${{ if ne(variables['System.TeamProject'], 'public') }}:
         name: NetCore1ESPool-Svc-Internal
-        demands: ImageOverride -equals 1es-windows-2019
+        image: 1es-windows-2019
+        os: windows
   variables:
     AgentOsName: ${{ parameters.agentOs }}
     DOTNET_HOME: $(Agent.WorkFolder)/.dotnet
@@ -105,12 +116,13 @@ jobs:
         command: custom
         arguments: 'locals all -clear'
   - ${{ if and(eq(variables['System.TeamProject'], 'internal'), eq(parameters.agentOs, 'Windows'), eq(parameters.codeSign, 'true')) }}:
-    - task: MicroBuildSigningPlugin@1
+    - task: MicroBuildSigningPlugin@2
       displayName: Install MicroBuild Signing plugin
       condition: and(succeeded(), in(variables['_SignType'], 'test', 'real'))
       inputs:
         signType: $(_SignType)
         zipSources: false
+        feedSource: https://dnceng.pkgs.visualstudio.com/_packaging/MicroBuildToolset/nuget/v3/index.json
   - ${{ parameters.beforeBuild }}
   - ${{ if eq(parameters.buildSteps, '') }}:
     - ${{ if eq(parameters.agentOs, 'Windows') }}:
@@ -130,7 +142,7 @@ jobs:
       testRunner: vstest
       testResultsFiles: 'artifacts/logs/**/*.trx'
       mergeTestResults: true
-  - ${{ if eq(parameters.artifacts.publish, 'true') }}:
+  - ${{ if and(ne(variables['System.TeamProject'], 'internal'), eq(parameters.artifacts.publish, 'true')) }}:
     - task: PublishBuildArtifacts@1
       displayName: Upload artifacts
       condition: eq(variables['system.pullrequest.isfork'], false)
@@ -142,6 +154,18 @@ jobs:
           artifactName: ${{ parameters.artifacts.name }}
         artifactType: Container
         parallel: true
+  - ${{ if and(eq(variables['System.TeamProject'], 'internal'), eq(parameters.artifacts.publish, 'true')) }}:
+    - task: 1ES.PublishPipelineArtifact@1
+      displayName: Upload artifacts
+      condition: eq(variables['system.pullrequest.isfork'], false)
+      inputs:
+        path: ${{ parameters.artifacts.path }}
+        ${{ if eq(parameters.artifacts.name, '') }}:
+          artifactName: artifacts-$(AgentOsName)-$(BuildConfiguration)
+        ${{ if ne(parameters.artifacts.name, '') }}:
+          artifactName: ${{ parameters.artifacts.name }}
+        artifactType: Container
+        parallel: true
   - ${{ parameters.afterBuild }}
   - ${{ if and(eq(variables['System.TeamProject'], 'internal'), eq(parameters.agentOs, 'Windows')) }}:
     - task: MicroBuildCleanup@1