Add 1es pt pipeline to web-components-v3 (#29713)

microsoft · Oct 31, 2023 · 177242e · 177242e
1 parent c991463
commit 177242e
Show file tree

Hide file tree

Showing 3 changed files with 95 additions and 53 deletions.
diff --git a/CredScanSuppressions.json b/CredScanSuppressions.json
@@ -0,0 +1,41 @@
+{
+  "tool": "Credential Scanner",
+  "suppressions": [
+    {
+      "file": ".git/config",
+      "_justification": "Standard token for CI pipeline"
+    },
+    {
+      "file": "node_modules/node-ipc/local-node-ipc-certs/private/oldclient.key",
+      "_justification": "External dependency node-ipc, not shipping these files"
+    },
+    {
+      "file": "node_modules/node-ipc/local-node-ipc-certs/private/server.key",
+      "_justification": "External dependency node-ipc, not shipping these files"
+    },
+    {
+      "file": "node_modules/node-ipc/local-node-ipc-certs/private/oldserver.key",
+      "_justification": "External dependency node-ipc, not shipping these files"
+    },
+    {
+      "file": "node_modules/node-ipc/local-node-ipc-certs/private/client.key",
+      "_justification": "External dependency node-ipc, not shipping these files"
+    },
+    {
+      "file": "node_modules/flamegrill/node_modules/agent-base/test/ssl-cert-snakeoil.key",
+      "_justification": "External dependency flamegrill, not shipping these files"
+    },
+    {
+      "file": "node_modules/danger/node_modules/agent-base/test/ssl-cert-snakeoil.key",
+      "_justification": "External dependency danger has dependency agent-base with test certs, not shipping these files"
+    },
+    {
+      "file": "node_modules/danger/node_modules/http-proxy-agent/test/ssl-cert-snakeoil.key",
+      "_justification": "External dependency danger has dependency http-proxy-agent with test certs, not shipping these files"
+    },
+    {
+      "file": "node_modules/rollup-plugin-filesize/node_modules/node-gyp/test/fixtures/server.key",
+      "_justification": "External dependency rollup-plugin-filesize has dependency node-gyp with test certs, not shipping these files"
+    }
+  ]
+}
diff --git a/azure-pipelines.yml → azure-pipelines-pr.yml b/azure-pipelines.yml → azure-pipelines-pr.yml
diff --git a/azure-pipelines.release.web-components.yml b/azure-pipelines.release.web-components.yml
@@ -12,10 +12,16 @@ variables:
       skipComponentGovernanceDetection: false
   - name: release.web_components # Used to scope beachball to release only vnext packages
     value: true
-  - group: InfoSec-SecurityResults
   - name: tags
     value: production,externalfacing
 
+resources:
+  repositories:
+    - repository: 1esPipelines
+      type: git
+      name: 1ESPipelineTemplates/1ESPipelineTemplates
+      ref: refs/tags/release
+
 schedules:
   # Triggers the nightly release
   # minute 0, hour 4 in UTC (5am in UTC+1), any day of month, any month, days 1-5 of week (M-F)
@@ -26,60 +32,55 @@ schedules:
       include:
         - web-components-v3
 
-jobs:
-  - template: .devops/templates/compliance-job.yml
-
-  - job: Release
-    dependsOn: Compliance
-    pool: '1ES-Host-Ubuntu'
-    workspace:
-      clean: all
-    steps:
-      - template: .devops/templates/tools.yml
-
-      - script: |
-          git config user.name "Fluent UI Build"
-          git config user.email "fluentui-internal@service.microsoft.com"
-          git remote set-url origin https://$(githubUser):$(githubPAT)@github.com/microsoft/fluentui.git
-        displayName: Authenticate git for pushes
-
-      - task: Bash@3
-        inputs:
-          filePath: yarn-ci.sh
-        displayName: yarn
-
-      # --only makes it only run tests (otherwise due to the missing --production arg, lage would re-run the build)
-      # https://github.com/microsoft/fluentui/issues/21686
-      - script: |
-          yarn lage format:check lint test build --to @fluentui/web-components
-        displayName: Build, Test, Lint
+extends:
+  template: v1/1ES.Official.PipelineTemplate.yml@1esPipelines
+  parameters:
+    pool:
+      name: Azure-Pipelines-1ESPT-ExDShared
+      image: windows-latest
+      os: windows # We need windows because compliance task only run on windows.
+    stages:
+      - stage: main
+        jobs:
+          - job: Release
+            pool:
+              name: '1ES-Host-Ubuntu'
+              image: '1ES-PT-Ubuntu-20.04'
+              os: linux
+            workspace:
+              clean: all
+            templateContext:
+              outputs:
+                - output: pipelineArtifact
+                  targetPath: $(System.DefaultWorkingDirectory)
+                  artifactName: output
+            steps:
+              - template: .devops/templates/tools.yml@self
 
-      - script: |
-          yarn beachball publish -b origin/web-components-v3 --access public -y -n $(npmToken) --config scripts/beachball/release-web-components.config.js
-          git reset --hard origin/web-components-v3
-        env:
-          GITHUB_PAT: $(githubPAT)
-        displayName: Publish changes and bump versions
+              - script: |
+                  git config user.name "Fluent UI Build"
+                  git config user.email "fluentui-internal@service.microsoft.com"
+                  git remote set-url origin https://$(githubUser):$(githubPAT)@github.com/microsoft/fluentui.git
+                displayName: Authenticate git for pushes
 
-      - task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0
-        displayName: 📒 Generate Manifest
-        inputs:
-          BuildDropPath: $(System.DefaultWorkingDirectory)
+              - task: Bash@3
+                inputs:
+                  filePath: yarn-ci.sh
+                displayName: yarn
 
-      - task: PublishPipelineArtifact@1
-        displayName: 📒 Publish Manifest
-        inputs:
-          artifactName: SBom-$(System.JobAttempt)
-          targetPath: $(System.DefaultWorkingDirectory)/_manifest
+              # --only makes it only run tests (otherwise due to the missing --production arg, lage would re-run the build)
+              # https://github.com/microsoft/fluentui/issues/21686
+              - script: |
+                  yarn lage format:check lint test build --to @fluentui/web-components
+                displayName: Build, [test], Lint
 
-      - task: ComponentGovernanceComponentDetection@0
-        displayName: 'Component governance detection'
-        inputs:
-          sourceScanPath: $(Agent.BuildDirectory)
-        condition: succeeded()
-        timeoutInMinutes: 5
-        continueOnError: true
+              - script: |
+                  yarn beachball publish -b origin/web-components-v3 --access public -y -n $(npmToken) --config scripts/beachball/release-web-components.config.js
+                  git reset --hard origin/web-components-v3
+                env:
+                  GITHUB_PAT: $(githubPAT)
+                displayName: Publish changes and bump versions
 
-      - template: .devops/templates/cleanup.yml
-        parameters:
-          checkForModifiedFiles: false
+              - template: .devops/templates/cleanup.yml@self
+                parameters:
+                  checkForModifiedFiles: false