azure-pipelines.yml

schedules:
- cron: 0 9 * * 1
  displayName: "Run CodeQL3000 weekly, Monday at 2:00 AM PDT"
  branches:
    include:
    - main
  always: true

parameters:
# Parameter below is ignored in public builds.
#
# Choose whether to run the CodeQL3000 tasks.
# Manual builds align w/ official builds unless this parameter is true.
- name: runCodeQL3000
  default: false
  displayName: Run CodeQL3000 tasks
  type: boolean


variables:
  - name: Build.Repository.Clean
    value: true
  - name: _TeamName
    value: AspNetCore
  - name: DOTNET_SKIP_FIRST_TIME_EXPERIENCE
    value: true
  - name: _HelixType
    value: build/product
  - name: _DotNetArtifactsCategory
    value: .NETCore

  # Variables for public PR builds
  - ${{ if or(eq(variables['System.TeamProject'], 'public'), in(variables['Build.Reason'], 'PullRequest')) }}:
    - name: _HelixSource
      value: pr/aspnet/AspLabs/$(Build.SourceBranch)

  # Variables for internal Official builds
  - ${{ if and(ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest')) }}:
    - name: _HelixSource
      value: official/aspnet/AspLabs/$(Build.SourceBranch)

  - name: runCodeQL3000
    value: ${{ and(ne(variables['System.TeamProject'], 'public'), or(eq(variables['Build.Reason'], 'Schedule'), and(eq(variables['Build.Reason'], 'Manual'), eq(parameters.runCodeQL3000, 'true')))) }}

trigger:
- main

pr:
- "*"

stages:
- stage: build
  displayName: Build
  jobs:
  - template: /eng/common/templates/jobs/jobs.yml
    parameters:
      enablePublishBuildArtifacts: true
      enablePublishTestResults: ${{ ne(variables.runCodeQL3000, 'true') }}
      enablePublishBuildAssets: ${{ ne(variables.runCodeQL3000, 'true') }}
      enablePublishUsingPipelines: true
      helixRepo: aspnet/AspLabs
      # Align w/ Maestro++ default channel when generating software bills of materials (SBOMs).
      PackageVersion: 6.0.0
      # enableMicrobuild can't be read from a user-defined variable (Azure DevOps limitation)
      ${{ if and(ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest'), ne(variables.runCodeQL3000, 'true')) }}:
        enableMicrobuild: true
      jobs:
      - job: Windows
        pool:
          ${{ if eq(variables['System.TeamProject'], 'public') }}:
            name: NetCore-Public
            demands: ImageOverride -equals windows.vs2017.amd64.open
          ${{ if ne(variables['System.TeamProject'], 'public') }}:
            name: NetCore1ESPool-Internal
            demands: ImageOverride -equals windows.vs2017.amd64
        ${{ if eq(variables.runCodeQL3000, 'true') }}:
          # Component governance and SBOM creation are not needed here. Disable what Arcade would inject.
          disableComponentGovernance: true
          enableSbom: false
        variables:
        - name: _HelixBuildConfig
          value: $(_BuildConfig)
        # Rely on task Arcade injects, not auto-injected build step.
        - skipComponentGovernanceDetection: true
        - ${{ if eq(variables.runCodeQL3000, 'true') }}:
          - Codeql.SourceRoot: src
          - _AdditionalBuildArgs: /p:Test=false /p:Sign=false /p:Pack=false /p:Publish=false /p:UseSharedCompilation=false
          # Security analysis is included in normal runs. Disable its auto-injection.
          - skipNugetSecurityAnalysis: true
          # Do not let CodeQL3000 Extension gate scan frequency.
          - Codeql.Cadence: 0
          # Enable CodeQL3000 unconditionally so it may be run on any branch.
          - Codeql.Enabled: true
          # CodeQL3000 needs this plumbed along as a variable to enable TSA.
          - Codeql.TSAEnabled: ${{ eq(variables['Build.Reason'], 'Schedule') }}
          # Default expects tsaoptions.json under SourceRoot.
          - Codeql.TSAOptionsPath: '$(Build.SourcesDirectory)/.config/tsaoptions.json'
        strategy:
          matrix:
            ${{ if in(variables['Build.Reason'], 'PullRequest') }}:
              Debug:
                _BuildConfig: Debug
                _SignType: test
                _BuildArgs: /p:DotNetSignType=$(_SignType) /p:TeamName=$(_TeamName)
            Release:
              _BuildConfig: Release
              # PRs and external builds are not signed.
              ${{ if or(eq(variables['System.TeamProject'], 'public'), in(variables['Build.Reason'], 'PullRequest')) }}:
                _SignType: test
                _BuildArgs: /p:DotNetSignType=$(_SignType) /p:TeamName=$(_TeamName)
              ${{ if and(ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest')) }}:
                _SignType: real
                _BuildArgs: /p:DotNetSignType=$(_SignType) /p:TeamName=$(_TeamName) /p:OfficialBuildId=$(Build.BuildNumber)
                  /p:DotNetPublishUsingPipelines=true
                  /p:DotNetArtifactsCategory=$(_DotNetArtifactsCategory)
                  /p:DotNetPublishBlobFeedUrl=https://dotnetfeed.blob.core.windows.net/dotnet-core/index.json
                  /p:DotNetPublishToBlobFeed=true
        steps:
        - checkout: self
          clean: true
        - task: NodeTool@0
          inputs:
            versionSpec: '16.x'
        - task: NuGetCommand@2
          displayName: 'Clear NuGet caches'
          condition: succeeded()
          inputs:
            command: custom
            arguments: 'locals all -clear'
        - ${{ if eq(variables.runCodeQL3000, 'true') }}:
          - task: CodeQL3000Init@0
            displayName: CodeQL Initialize
          - script: "echo ##vso[build.addbuildtag]CodeQL3000"
            displayName: 'Set CI CodeQL3000 tag'
            condition: ne(variables.CODEQL_DIST,'')
        - script: eng\common\cibuild.cmd
            -configuration $(_BuildConfig)
            -prepareMachine
            $(_BuildArgs)
            $(_AdditionalBuildArgs)
          name: Build
          displayName: Build
          condition: succeeded()
        - ${{ if eq(variables.runCodeQL3000, 'true') }}:
          - task: CodeQL3000Finalize@0
            displayName: CodeQL Finalize
        - ${{ else }}:
          - task: PublishTestResults@2
            displayName: Publish xUnit Test Results
            condition: always()
            continueOnError: true
            inputs:
              testRunner: xunit
              testResultsFiles: 'artifacts/TestResults/$(_BuildConfig)/*.xml'
          - task: PublishBuildArtifacts@1
            displayName: Publish Packages
            condition: and(eq(variables['system.pullrequest.isfork'], false), eq(variables['_BuildConfig'], 'Release'))
            continueOnError: true
            inputs:
              artifactName: Packages_$(Agent.Os)_$(Agent.JobName)
              parallel: true
              pathtoPublish: '$(Build.SourcesDirectory)/artifacts/packages/$(_BuildConfig)'
              publishLocation: Container
        - task: PublishBuildArtifacts@1
          displayName: Publish Logs
          condition: always()
          continueOnError: true
          inputs:
            artifactName: Logs_$(Agent.Os)_$(Agent.JobName)
            parallel: true
            pathtoPublish: '$(Build.SourcesDirectory)/artifacts/log/$(_BuildConfig)'
            publishLocation: Container

      - ${{ if ne(variables.runCodeQL3000, 'true') }}:
        - job: macOS
          pool:
            vmImage: macOS-11
          strategy:
            matrix:
              debug:
                _BuildConfig: Debug
              release:
                _BuildConfig: Release
          variables:
          - name: _HelixBuildConfig
            value: $(_BuildConfig)
          steps:
          - checkout: self
            clean: true
          - task: NodeTool@0
            inputs:
              versionSpec: '16.x'
          - script: eng/common/cibuild.sh
              --configuration $(_BuildConfig)
              --prepareMachine
            name: Build
            displayName: Build
            condition: succeeded()
          - task: PublishTestResults@2
            displayName: Publish xUnit Test Results
            condition: always()
            continueOnError: true
            inputs:
              testRunner: xunit
              testResultsFiles: 'artifacts/TestResults/$(_BuildConfig)/*.xml'
          - task: PublishBuildArtifacts@1
            displayName: Publish Logs
            condition: always()
            continueOnError: true
            inputs:
              artifactName: Logs_$(Agent.Os)_$(Agent.JobName)
              parallel: true
              pathtoPublish: '$(Build.SourcesDirectory)/artifacts/log/$(_BuildConfig)'
              publishLocation: Container

        - job: Linux
          pool:
            vmImage: ubuntu-18.04
          strategy:
            matrix:
              debug:
                _BuildConfig: Debug
              release:
                _BuildConfig: Release
          variables:
          - name: _HelixBuildConfig
            value: $(_BuildConfig)
          steps:
          - checkout: self
            clean: true
          - script: eng/common/cibuild.sh
              --configuration $(_BuildConfig)
              --prepareMachine
            name: Build
            displayName: Build
            condition: succeeded()
          - task: PublishTestResults@2
            displayName: Publish xUnit Test Results
            condition: always()
            continueOnError: true
            inputs:
              testRunner: xunit
              testResultsFiles: 'artifacts/TestResults/$(_BuildConfig)/*.xml'
          - task: PublishBuildArtifacts@1
            displayName: Publish Logs
            condition: always()
            continueOnError: true
            inputs:
              artifactName: Logs_$(Agent.Os)_$(Agent.JobName)
              parallel: true
              pathtoPublish: '$(Build.SourcesDirectory)/artifacts/log/$(_BuildConfig)'
              publishLocation: Container

- ${{ if and(ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest'), ne(variables.runCodeQL3000, 'true')) }}:
  - template: eng\common\templates\post-build\post-build.yml
    parameters:
      publishingInfraVersion: 3
      # Symbol validation isn't being very reliable lately. This should be enabled back
      # once this issue is resolved: https://github.com/dotnet/arcade/issues/2871
      enableSymbolValidation: false
      # This is to enable SDL runs part of Post-Build Validation Stage
      SDLValidationParameters:
        enable: false