XS✔ ◾ Pipeline Compliance (#439)

## Summary ### Motivation Azure DevOps Pipelines need to inherit from fixed templates for compliance reasons. ### Technical This change updates the Azure DevOps Pipelines to perform the required inheritance. It also removes now superfluous pipeline stages that are already covered via the new templates. Note that `pr-test.yml` is used within a test environment where the templates are unavailable, hence the addition of this file. ## Testing ### Test Types - [ ] Unit tests - [X] Manual tests
microsoft · Nov 1, 2023 · 9e0f512 · 9e0f512
1 parent 8024d57
commit 9e0f512
Show file tree

Hide file tree

Showing 5 changed files with 118 additions and 80 deletions.
diff --git a/.github/azure-devops/PoliCheckExclusions.xml b/.github/azure-devops/PoliCheckExclusions.xml
diff --git a/.github/azure-devops/pr-test.yml b/.github/azure-devops/pr-test.yml
@@ -0,0 +1,22 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+---
+
+trigger: none
+
+pr:
+  branches:
+    include:
+      - main
+
+variables:
+  - name: tags
+    value: multi-phased
+
+stages:
+  - template: template.yml
+    parameters:
+      testInstance: true
+
+...
diff --git a/.github/azure-devops/pr.yml b/.github/azure-devops/pr.yml
@@ -14,5 +14,30 @@ variables:
   - name: tags
     value: multi-phased
 
-stages:
-  - template: template.yml
+resources:
+  repositories:
+    - repository: OfficePipelineTemplates
+      type: git
+      name: OE/OfficePipelineTemplates
+      ref: refs/heads/main
+
+extends:
+  template: v1/Office.Unofficial.PipelineTemplate.yml@OfficePipelineTemplates
+  parameters:
+    sdl:
+      sourceAnalysisPool:
+        name: Azure-Pipelines-1ESPT-ExDShared
+        os: windows
+        image: windows-latest
+      eslint:
+        environmentsEs2017: true
+        environmentsMocha: true
+        environmentsNode: true
+        parser: '@typescript-eslint/parser'
+        parserOptions: ecmaVersion:2018
+        enableExclusions: true
+        exclusionPatterns: '*.js'
+    stages:
+      - template: template.yml
+
+...
diff --git a/.github/azure-devops/prod.yml b/.github/azure-devops/prod.yml
@@ -15,22 +15,49 @@ variables:
   - name: tags
     value: production, multi-phased
 
-stages:
-  - stage: Checks
-    displayName: Checks
-    jobs:
-      - job: Checks
-        pool:
-          vmImage: ubuntu-latest
-        variables:
-          - name: skipComponentGovernanceDetection
-            value: true
-        steps:
-          - checkout: none
-            displayName: Checkout
-
-          - script: exit 1
-            displayName: Terminate on PR
-            condition: ne(variables['Build.SourceBranchName'], 'main')
-
-  - template: template.yml
+resources:
+  repositories:
+    - repository: OfficePipelineTemplates
+      type: git
+      name: OE/OfficePipelineTemplates
+      ref: refs/heads/main
+
+extends:
+  template: v1/Office.Official.PipelineTemplate.yml@OfficePipelineTemplates
+  parameters:
+    sdl:
+      sourceAnalysisPool:
+        name: Azure-Pipelines-1ESPT-ExDShared
+        os: windows
+        image: windows-latest
+      eslint:
+        environmentsEs2017: true
+        environmentsMocha: true
+        environmentsNode: true
+        parser: '@typescript-eslint/parser'
+        parserOptions: ecmaVersion:2018
+        enableExclusions: true
+        exclusionPatterns: '*.js'
+    stages:
+      - stage: Checks
+        displayName: Checks
+        jobs:
+          - job: Checks
+            pool:
+              name: Azure-Pipelines-1ESPT-ExDShared
+              os: linux
+              image: ubuntu-latest
+            variables:
+              - name: skipComponentGovernanceDetection
+                value: true
+            steps:
+              - checkout: none
+                displayName: Checkout
+
+              - script: exit 1
+                displayName: Terminate on PR
+                condition: ne(variables['Build.SourceBranchName'], 'main')
+
+      - template: template.yml
+
+...
diff --git a/.github/azure-devops/template.yml b/.github/azure-devops/template.yml
@@ -3,6 +3,11 @@
 
 ---
 
+parameters:
+  - name: testInstance
+    type: boolean
+    default: false
+
 stages:
   - stage: Build
     displayName: Build
@@ -20,7 +25,12 @@ stages:
         displayName: PR Metrics – macOS
         dependsOn: Delay
         pool:
-          vmImage: macOS-latest
+          ${{ if parameters.testInstance }}:
+            vmImage: macOS-latest
+          ${{ else }}:
+            name: Azure Pipelines
+            os: macOS
+            image: macos-latest
         variables:
           - name: skipComponentGovernanceDetection
             value: true
@@ -46,7 +56,12 @@ stages:
         displayName: PR Metrics – Ubuntu
         dependsOn: PRMetrics_macOS
         pool:
-          vmImage: ubuntu-latest
+          ${{ if parameters.testInstance }}:
+            vmImage: ubuntu-latest
+          ${{ else }}:
+            name: Azure-Pipelines-1ESPT-ExDShared
+            os: linux
+            image: ubuntu-latest
         variables:
           - name: skipComponentGovernanceDetection
             value: true
@@ -72,7 +87,12 @@ stages:
         displayName: PR Metrics – Windows
         dependsOn: PRMetrics_Ubuntu
         pool:
-          vmImage: windows-latest
+          ${{ if parameters.testInstance }}:
+            vmImage: windows-latest
+          ${{ else }}:
+            name: Azure-Pipelines-1ESPT-ExDShared
+            os: windows
+            image: windows-latest
         variables:
           - name: skipComponentGovernanceDetection
             value: true
@@ -94,54 +114,4 @@ stages:
                 !dist/*
                 !package-lock.json
 
-      - job: Compliance
-        displayName: Compliance
-        pool:
-          vmImage: windows-latest
-        steps:
-          - task: ComponentGovernanceComponentDetection@0
-            displayName: Component Detection
-            inputs:
-              failOnAlert: true
-
-          - task: AntiMalware@4
-            displayName: Anti-Malware Scanner
-            inputs:
-              ScanType: FullSystemScan
-              EnableServices: true
-              ForceSignatureUpdate: true
-              SignatureUpdateUsesMMPC: true
-              TreatSignatureUpdateFailureAs: Error
-
-          - task: CredScan@3
-            displayName: Credential Scanner
-
-          - task: ESLint@1
-            displayName: ESLint
-            inputs:
-              Configuration: recommended
-
-          - task: PoliCheck@2
-            displayName: PoliCheck
-            inputs:
-              targetType: F
-              optionsFC: 1
-              optionsUEPATH: $(Build.SourcesDirectory)/.github/azure-devops/PoliCheckExclusions.xml
-
-          - task: Semmle@1
-            displayName: CodeQL
-            inputs:
-              sourceCodeDirectory: $(Build.SourcesDirectory)/src
-              language: tsandjs
-
-          - task: PublishSecurityAnalysisLogs@3
-            displayName: Guardian – Publish Artifacts
-
-          - task: PostAnalysis@2
-            displayName: Guardian – Perform Analysis
-            inputs:
-              GdnBreakPolicyMinSev: Note
-              GdnBreakGdnToolGosecSeverity: Default
-              GdnBreakPolicy: M365
-
 ...