From 930597df810cb22c830cd8b3028244a9238bb199 Mon Sep 17 00:00:00 2001
From: Mike Bond
Date: Wed, 9 Feb 2022 15:02:03 -0800
Subject: [PATCH 1/5] Software Bill of Materials (SBOM) manifest generation
---
 azure-pipelines.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/azure-pipelines.yml b/azure-pipelines.yml
index 9ace2f69c..64fe28879 100644
--- a/azure-pipelines.yml
+++ b/azure-pipelines.yml
@@ -27,8 +27,25 @@ jobs:
 cakeExtraArgs: '--names=$(SdksNames)'
 windowsImage: ''
 xcode: '13.1'
+
+ - ${{ if ne(variables['System.TeamProject'], 'devdiv') }}:
+ - template: compliance/sbom/job.v1.yml@internal-templates
+ parameters:
+ artifactNames: ['nuget']
+ packageName: 'Xamarin Google APIs Components for iOS'
+ packageFilter: '*.nupkg'
+ dependsOn: [ 'build' ]
+
 - ${{ if eq(variables['System.TeamProject'], 'devdiv') }}:
 - template: sign-artifacts/jobs/v2.yml@internal-templates
 parameters:
 dependsOn: [ 'build' ]
 condition: startsWith(variables['Build.SourceBranch'], 'refs/tags/')
+
+ - template: compliance/sbom/job.v1.yml@internal-templates
+ parameters:
+ artifactNames: ['nuget-signed']
+ packageName: 'Xamarin Google APIs Components for iOS'
+ packageFilter: '*.nupkg'
+ dependsOn: [ 'signing' ]
+ condition: startsWith(variables['Build.SourceBranch'], 'refs/tags/')
From afc7ef3ca1cb5902f5cd9c21d2c4e0d192356576 Mon Sep 17 00:00:00 2001
From: Mike Bond
Date: Wed, 9 Feb 2022 17:14:53 -0800
Subject: [PATCH 2/5] Produce SBOM for DevDiv builds in case where artifacts are not signed
---
 azure-pipelines.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/azure-pipelines.yml b/azure-pipelines.yml
index 64fe28879..7708d2e01 100644
--- a/azure-pipelines.yml
+++ b/azure-pipelines.yml
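Review bot: The second SBOM job passes `condition: startsWith(variables['Build.SourceBranch'], 'refs/tags/')` as a template parameter, but nothing in this hunk shows that `compliance/sbom/job.v1.yml` declares a `condition` parameter; as far as I know an undeclared parameter makes template expansion fail, and if the template silently ignores it the job would run on every devdiv build while depending on a `signing` job that only runs on tags. `dependsOn: [ 'signing' ]` likewise assumes the job name produced by `sign-artifacts/jobs/v2.yml`, which should be confirmed against that template. Both templates resolve through the `internal-templates` repository resource declared outside this hunk; since the SBOM is the supply-chain record for the shipped package, that resource should be pinned to a fixed ref rather than a floating default branch, which cannot be checked from here. The enclosing `jobs:` list begins before the hunk.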
@@ -28,7 +28,7 @@ jobs:
 windowsImage: ''
 xcode: '13.1'
 
- - ${{ if ne(variables['System.TeamProject'], 'devdiv') }}:
+ - ${{ if and(eq(variables['System.TeamProject'], 'devdiv'), not(startsWith(variables['Build.SourceBranch'], 'refs/tags/'))) }}:
 - template: compliance/sbom/job.v1.yml@internal-templates
 parameters:
 artifactNames: ['nuget']
From 5a049c05ee8640b2a9f7672f6348fd3b8799e975 Mon Sep 17 00:00:00 2001
From: Mike Bond
Date: Wed, 9 Feb 2022 17:18:02 -0800
Subject: [PATCH 3/5] Prevent the SBOM job from getting included twice by using opposing conditional logic
---
 azure-pipelines.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/azure-pipelines.yml b/azure-pipelines.yml
index 7708d2e01..42332b279 100644
--- a/azure-pipelines.yml
+++ b/azure-pipelines.yml
@@ -42,10 +42,10 @@ jobs:
 dependsOn: [ 'build' ]
 condition: startsWith(variables['Build.SourceBranch'], 'refs/tags/')
 
+ - ${{ if and(eq(variables['System.TeamProject'], 'devdiv'), startsWith(variables['Build.SourceBranch'], 'refs/tags/')) }}:
 - template: compliance/sbom/job.v1.yml@internal-templates
 parameters:
 artifactNames: ['nuget-signed']
 packageName: 'Xamarin Google APIs Components for iOS'
 packageFilter: '*.nupkg'
 dependsOn: [ 'signing' ]
- condition: startsWith(variables['Build.SourceBranch'], 'refs/tags/')
From 2fd637c0f0f2e8256d3e27d4ee59f0de87339d7d Mon Sep 17 00:00:00 2001
From: Mike Bond
Date: Tue, 15 Feb 2022 11:21:08 -0800
Subject: [PATCH 4/5] Consolidate SBOM generation to a single step
---
 azure-pipelines.yml | 17 ++++++-----------
 1 file changed, 6 insertions(+), 11 deletions(-)
diff --git a/azure-pipelines.yml b/azure-pipelines.yml
index 42332b279..002a5f511 100644
--- a/azure-pipelines.yml
+++ b/azure-pipelines.yml
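Review bot: The commit message describes adding SBOM generation for unsigned DevDiv builds, but the changed line also removes SBOM generation for every other project: the old `ne(variables['System.TeamProject'], 'devdiv')` guard becomes `eq(...)`, so a pipeline running outside `devdiv` no longer instantiates `compliance/sbom/job.v1.yml` at all. If that is intended, the reason belongs in the commit message or in a comment above the guard, for example `# SBOM generation is devdiv-only: <reason>` with the reason filled in. The enclosing `jobs:` list begins before this hunk.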
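Review bot: The new guard `- ${{ if and(eq(variables['System.TeamProject'], 'devdiv'), startsWith(variables['Build.SourceBranch'], 'refs/tags/')) }}:` repeats the `eq(..., 'devdiv')` test that, judging by the first patch of this series, the enclosing `- ${{ if eq(variables['System.TeamProject'], 'devdiv') }}:` block already applies; the collapsed layout hides the indentation, but if this item is still nested under that block, `- ${{ if startsWith(variables['Build.SourceBranch'], 'refs/tags/') }}:` states the same condition without the redundancy. Replacing the runtime `condition:` with a compile-time guard is consistent with the `dependsOn: [ 'signing' ]` line, since the signed artifact only exists on tag builds. The enclosing block begins before this hunk.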
@@ -28,24 +28,19 @@ jobs:
 windowsImage: ''
 xcode: '13.1'
 
- - ${{ if and(eq(variables['System.TeamProject'], 'devdiv'), not(startsWith(variables['Build.SourceBranch'], 'refs/tags/'))) }}:
- - template: compliance/sbom/job.v1.yml@internal-templates
- parameters:
- artifactNames: ['nuget']
- packageName: 'Xamarin Google APIs Components for iOS'
- packageFilter: '*.nupkg'
- dependsOn: [ 'build' ]
-
 - ${{ if eq(variables['System.TeamProject'], 'devdiv') }}:
 - template: sign-artifacts/jobs/v2.yml@internal-templates
 parameters:
 dependsOn: [ 'build' ]
 condition: startsWith(variables['Build.SourceBranch'], 'refs/tags/')
 
- - ${{ if and(eq(variables['System.TeamProject'], 'devdiv'), startsWith(variables['Build.SourceBranch'], 'refs/tags/')) }}:
 - template: compliance/sbom/job.v1.yml@internal-templates
 parameters:
- artifactNames: ['nuget-signed']
 packageName: 'Xamarin Google APIs Components for iOS'
 packageFilter: '*.nupkg'
- dependsOn: [ 'signing' ]
+ ${{ if not(startsWith(variables['Build.SourceBranch'], 'refs/tags/')) }}:
+ artifactNames: ['nuget']
+ dependsOn: [ 'build' ]
+ ${{ if startsWith(variables['Build.SourceBranch'], 'refs/tags/') }}:
+ artifactNames: ['nuget-signed']
+ dependsOn: [ 'signing' ]
From f27c4d84e203ac76f09a50033418fec458e64dbb Mon Sep 17 00:00:00 2001
From: Mike Bond
Date: Tue, 15 Feb 2022 11:21:46 -0800
Subject: [PATCH 5/5] Comment with link to SBOM documentation
---
 azure-pipelines.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/azure-pipelines.yml b/azure-pipelines.yml
index 002a5f511..c6c45a891 100644
--- a/azure-pipelines.yml
+++ b/azure-pipelines.yml
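Review bot: After consolidation the single SBOM job describes different inputs depending on the ref, and nothing in the file says so: on tag builds it reads `artifactNames: ['nuget-signed']` after `dependsOn: [ 'signing' ]`, on every other devdiv build it reads the unsigned `nuget` output. A comment above the `- template: compliance/sbom/job.v1.yml@internal-templates` item such as `# SBOM input: signed 'nuget-signed' artifact on tag builds (after 'signing'), unsigned 'nuget' artifact otherwise` would keep an SBOM from an unsigned CI build from being mistaken for the release SBOM. The two `${{ if }}` keys inside `parameters:` are exact complements, so exactly one `artifactNames`/`dependsOn` pair is inserted; if either expression is edited later they need to stay complementary or the template will receive zero or two values for those keys. The enclosing `jobs:` list begins before the hunk.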
@@ -34,7 +34,7 @@ jobs:
 dependsOn: [ 'build' ]
 condition: startsWith(variables['Build.SourceBranch'], 'refs/tags/')
 
- - template: compliance/sbom/job.v1.yml@internal-templates
+ - template: compliance/sbom/job.v1.yml@internal-templates # Software Bill of Materials (SBOM): https://eng.ms/docs/cloud-ai-platform/devdiv/one-engineering-system-1es/1es-docs/secure-supply-chain/ado-sbom-generator
 parameters:
 packageName: 'Xamarin Google APIs Components for iOS'
 packageFilter: '*.nupkg'
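Review bot: The documentation link is added as a trailing comment on the `- template: compliance/sbom/job.v1.yml@internal-templates` line, which pushes that line far past 120 characters and hides the link at the end of the template reference. Placing it on its own line directly above the item, `# Software Bill of Materials (SBOM): https://eng.ms/docs/cloud-ai-platform/devdiv/one-engineering-system-1es/1es-docs/secure-supply-chain/ado-sbom-generator`, follows the usual YAML convention of commenting above the line described and keeps the template path scannable. The enclosing `- ${{ if eq(variables['System.TeamProject'], 'devdiv') }}:` block begins before this hunk.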