[CI] On-board the build pipeline to 1ES. (#20735)

Few comments: 1. Extends cannot be used on templates. So we have to do a single extend and have duplicated code. 2. There are some common templates that we are working around using the use1ES parameter. 3. We are reusing the configure steps on other pipelines. That step should only be done in the build, that change is too big for this PR. 4. The governance template is not longer needed since the 1ES template provides it. --------- Co-authored-by: Rolf Bjarne Kvinge <rolf@xamarin.com>
xamarin · Jun 19, 2024 · 9255b00 · 9255b00
1 parent fc6ce95
commit 9255b00
Show file tree

Hide file tree

Showing 24 changed files with 698 additions and 483 deletions.
diff --git a/tools/devops/automation/build-pipeline.yml b/tools/devops/automation/build-pipeline.yml
@@ -4,33 +4,267 @@
 # YAML build pipeline based on the Jenkins multi-stage (main branch) build workflow
 # https://jenkins.internalx.com/view/Xamarin.MaciOS/job/macios/job/main/
 # https://jenkins.internalx.com/view/Xamarin.MaciOS/job/macios/configure
+parameters:
+
+- name: provisionatorChannel
+  displayName: Provisionator channel to use 
+  type: string
+  default: 'latest'
+
+- name: macOSName # comes from the build agent demand named macOS.Name
+  displayName: Name of the version of macOS to use
+  type: string
+  default: 'Sonoma'
+
+- name: pool
+  type: string
+  displayName: Bot pool to use
+  default: automatic
+  values:
+  - pr
+  - ci
+  - automatic
+
+- name: runGovernanceTests
+  displayName: Run Governance Checks
+  type: boolean
+  default: true
+
+- name: forceInsertion
+  displayName: Force Insertion 
+  type: boolean
+  default: false 
+
+- name: skipESRP
+  displayName: Skip ESRP
+  type: boolean
+  default: false # only to be used when testing the CI and we do not need a signed pkg
+
+- name: pushNugets
+  type: boolean
+  default: true
+
+- name: pushNugetsToMaestro
+  type: boolean
+  default: true
+
+- name: testConfigurations
+  displayName: Test configurations to run
+  type: object
+  default: []
+
+- name: deviceTestsConfigurations
+  displayName: Device test configurations to run
+  type: object
+  default: [
+    {
+      testPrefix: 'iOS64',
+      stageName: 'ios64b_device',
+      displayName: 'iOS64 Device Tests',
+      testPool: 'VSEng-Xamarin-Mac-Devices',
+      testsLabels: '--label=run-ios-tests,run-non-monotouch-tests,run-monotouch-tests,run-mscorlib-tests',
+      statusContext: 'VSTS: device tests iOS',
+      makeTarget: 'vsts-device-tests',
+      extraBotDemands: [
+        'ios',
+      ]
+    },
+    {
+      testPrefix: 'tvos',
+      stageName: 'tvos_device',
+      displayName: 'tvOS Device Tests',
+      testPool: 'VSEng-Xamarin-Mac-Devices',
+      testsLabels: '--label=run-tvos-tests,run-non-monotouch-tests,run-monotouch-tests,run-mscorlib-tests',
+      statusContext: 'VSTS: device tests tvOS',
+      makeTarget: 'vsts-device-tests',
+      extraBotDemands: [
+        'tvos',
+      ]
+    }]
+
+- name: macTestsConfigurations
+  displayName: macOS test configurations to run
+  type: object
+  default: [
+    {
+      stageName: 'mac_11_m1',
+      displayName: 'M1 - Mac Big Sur (11)',
+      macPool: 'VSEng-VSMac-Xamarin-Shared',
+      useImage: false,
+      statusContext: 'M1 - Mac Big Sur (11)',
+      demands: [
+        "Agent.OS -equals Darwin",
+        "macOS.Name -equals BigSur",
+        "macOS.Architecture -equals arm64",
+        "Agent.HasDevices -equals False",
+        "Agent.IsPaired -equals False"
+      ]
+    },
+    {
+      stageName: 'mac_12_m1',
+      displayName: 'M1 - Mac Ventura (12)',
+      macPool: 'VSEng-VSMac-Xamarin-Shared',
+      useImage: false,
+      statusContext: 'M1 - Mac Monterey (12)',
+      demands: [
+        "Agent.OS -equals Darwin",
+        "macOS.Name -equals Monterey",
+        "macOS.Architecture -equals arm64",
+        "Agent.HasDevices -equals False",
+        "Agent.IsPaired -equals False"
+      ]
+    },
+    {
+      stageName: 'mac_13_m1',
+      displayName: 'M1 - Mac Ventura (13)',
+      macPool: 'VSEng-VSMac-Xamarin-Shared',
+      useImage: false,
+      statusContext: 'M1 - Mac Ventura (13)',
+      demands: [
+        "Agent.OS -equals Darwin",
+        "macOS.Name -equals Ventura",
+        "macOS.Architecture -equals arm64",
+        "Agent.HasDevices -equals False",
+        "Agent.IsPaired -equals False"
+      ]
+    },
+    {
+      stageName: 'mac_14_x64',
+      displayName: 'X64 - Mac Sonoma (14)',
+      macPool: 'VSEng-Xamarin-RedmondMacBuildPool-iOS-Untrusted',
+      useImage: false,
+      statusContext: 'X64 - Mac Sonoma (14)',
+      demands: [
+        "Agent.OS -equals Darwin",
+        "macOS.Name -equals Sonoma",
+        "macOS.Architecture -equals x64",
+        "Agent.HasDevices -equals False",
+        "Agent.IsPaired -equals False"
+      ]
+    }]
+
+resources:
+  repositories:
+  - repository: self
+    checkoutOptions:
+      submodules: true
+
+  - repository: yaml-templates
+    type: github
+    name: xamarin/yaml-templates
+    ref: refs/heads/main
+    endpoint: xamarin
+
+  - repository: sdk-insertions
+    type: github
+    name: xamarin/sdk-insertions
+    ref: refs/heads/main
+    endpoint: xamarin
+
+  - repository: maccore
+    type: github
+    name: xamarin/maccore
+    ref: refs/heads/main
+    endpoint: xamarin
+
+  - repository: release-scripts
+    type: github
+    name: xamarin/release-scripts
+    ref: refs/heads/only_codesign
+    endpoint: xamarin
+
+  - repository: CustomPipelineTemplates
+    type: git
+    name: 1ESPipelineTemplates/MicroBuildTemplate
+
+variables:
+- ${{ if contains(variables['Build.DefinitionName'], 'private') }}:
+  - template: templates/vsts-variables.yml
+- template: templates/common/vs-release-vars.yml@sdk-insertions
+- template: templates/variables.yml
+- name: MicrobuildConnector
+  value: 'MicroBuild Signing Task (DevDiv)'
+- name: MaciosUploadPrefix
+  value: ''
+- name: DisablePipelineConfigDetector
+  value: true
 
 trigger:
   branches:
     include:
-      - '*'
+    - '*'
     exclude:
-      - refs/heads/locfiles/*
-      - refs/heads/dev/*
+    - refs/heads/locfiles/*
+    - refs/heads/dev/*
   paths:
     exclude:
-      - .github
-      - docs
-      - CODEOWNERS
-      - ISSUE_TEMPLATE.md
-      - LICENSE
-      - NOTICE.txt
-      - SECURITY.MD
-      - README.md
-      - src/README.md
-      - tools/mtouch/README.md
-      - msbuild/Xamarin.Localization.MSBuild/README.md
+    - .github
+    - docs
+    - CODEOWNERS
+    - ISSUE_TEMPLATE.md
+    - LICENSE
+    - NOTICE.txt
+    - SECURITY.MD
+    - README.md
+    - src/README.md
+    - tools/mtouch/README.md
+    - msbuild/Xamarin.Localization.MSBuild/README.md
 
 extends:
-  template: templates/pipelines/build-pipeline.yml
+  template: azure-pipelines/MicroBuild.1ES.Official.yml@CustomPipelineTemplates
   parameters:
-    isPR: false
-    signingSetupSteps: 
-      - template: ./templates/sign-and-notarized/setup.yml
-        parameters:
-          isPR: false
+    pool:  # default pool to be used for validation jobs
+      name: AzurePipelines-EO
+      image: 1ESPT-Windows2022
+      os: windows
+    sdl:
+      baseline:
+        baselineFile: '$(System.DefaultWorkingDirectory)\\maccore\\tools\\devops\\baselines.gdnbaselines'
+      suppression:
+        suppressionFile: '$(System.DefaultWorkingDirectory)\\maccore\\tools\\devops\\suppress.gdnsuppress'
+      sourceAnalysisPool:
+        name: AzurePipelines-EO
+        image: 1ESPT-Windows2022
+        os: windows
+      tsa:
+        configFile: '$(System.DefaultWorkingDirectory)\\maccore\\tools\\devops\\tsa_config.gdntsa'
+      sbom:
+        enabled: false  # we run our on sbom generation
+      credscan:
+        suppressionsFile: '$(System.DefaultWorkingDirectory)\\maccore\\tools\\devops\\CredScanSuppressions.json'
+        outputFormat: sarif
+        debugMode: false
+        batchSize: 16
+      policheck:
+        exclusionsFile: '$(System.DefaultWorkingDirectory)\\maccore\\tools\\devops\\PoliCheckExclusions.xml'
+      sourceRepositoriesToScan:
+        runInSingleJob: true # run both maccore and macios in the same job
+        include:
+        - repository: maccore
+        exclude:
+        - repository: yaml-templates
+        - repository: sdk-insertions
+        - repository: release-scripts
+    stages:
+    - template: templates/main-stage.yml
+      parameters:
+        xcodeChannel: Stable
+        macOSName: ${{ parameters.macOSName }}
+        isPR: false
+        provisionatorChannel: ${{ parameters.provisionatorChannel }}
+        pool: ${{ parameters.pool }}
+        runGovernanceTests: ${{ parameters.runGovernanceTests }}
+        forceInsertion: ${{ parameters.forceInsertion }}
+        skipESRP: ${{ parameters.skipESRP }}
+        pushNugets: ${{ parameters.pushNugets }}
+        pushNugetsToMaestro: ${{ parameters.pushNugetsToMaestro }}
+        ${{ if ne(length(parameters.testConfigurations), 0)}}:
+          testConfigurations: ${{ parameters.testConfigurations }}
+        deviceTestsConfigurations: ${{ parameters.deviceTestsConfigurations }}
+        macTestsConfigurations: ${{ parameters.macTestsConfigurations }}
+        azureStorage: ${{ variables['azureStorage'] }}
+        azureContainer: ${{ variables['azureContainer'] }}
+        signingSetupSteps:
+        - template: ./templates/sign-and-notarized/setup.yml
+          parameters:
+            isPR: false