azure-pipelines.yml

trigger:
  tags:
    include:
      - "v*"
    exclude:
      - "v*freebsd"
  branches:
    exclude:
      - "*"
pr: none

pool:
  vmImage: windows-latest

stages:
  - stage: Build
    jobs:
      - job: Build
        displayName: "Build"
        steps:
          - task: GoTool@0
            displayName: "Install Go"
            inputs:
                version: '1.23.3'

          - pwsh: |
              choco install -y make
            displayName: "Install builds deps"
          - task: PowerShell@2
            inputs:
              targetType: 'inline'
              pwsh: true
              #we are not calling make windows_installer because we want to sign the binaries before they are added to the MSI
              script: |
                make build BUILD_RE2_WASM=1
      
          - pwsh: |
              $build_version=$env:BUILD_SOURCEBRANCHNAME
              #Override the version if it's set in the pipeline
              if ( ${env:USERBUILDVERSION} -ne "")
              {
                $build_version = ${env:USERBUILDVERSION}
              }
              if ($build_version.StartsWith("v"))
              {
                $build_version = $build_version.Substring(1)
              }
              if ($build_version.Contains("-")) 
              {
                $build_version = $build_version.Substring(0, $build_version.IndexOf("-"))
              }
              Write-Host  "##vso[task.setvariable variable=BuildVersion;isOutput=true]$build_version"
            displayName: GetCrowdsecVersion
            name: GetCrowdsecVersion
          - pwsh: |
              Get-ChildItem -Path .\cmd -Directory | ForEach-Object {
                $dirName = $_.Name
                Get-ChildItem -Path .\cmd\$dirName -File -Filter '*.exe' | ForEach-Object {
                  $fileName = $_.Name
                  $destDir = Join-Path $(Build.ArtifactStagingDirectory) cmd\$dirName
                  New-Item -ItemType Directory -Path $destDir -Force
                  Copy-Item -Path .\cmd\$dirName\$fileName -Destination $destDir
                }
              }
            displayName: "Copy binaries to staging directory"
          - task: PublishPipelineArtifact@1
            inputs:
              targetPath: '$(Build.ArtifactStagingDirectory)'
              artifact: 'unsigned_binaries'
            displayName: "Upload binaries artifact"

  - stage: Sign
    dependsOn: Build
    variables: 
      - group: 'FOSS Build Variables'
      - name: BuildVersion
        value: $[ stageDependencies.Build.Build.outputs['GetCrowdsecVersion.BuildVersion'] ]
    condition: succeeded()
    jobs:
      - job: Sign
        displayName: "Sign"
        steps:
          - download: current
            artifact: unsigned_binaries
            displayName: "Download binaries artifact"
          - task: CopyFiles@2
            inputs:
              SourceFolder: '$(Pipeline.Workspace)/unsigned_binaries'
              TargetFolder: '$(Build.SourcesDirectory)'
            displayName: "Copy binaries to workspace"
          - task: DotNetCoreCLI@2
            displayName: "Install SignTool tool"
            inputs:
              command: 'custom'
              custom: 'tool'
              arguments: install --global sign --version 0.9.0-beta.23127.3
          - task: AzureKeyVault@2
            displayName: "Get signing parameters"
            inputs:
              azureSubscription: "Azure subscription"
              KeyVaultName: "$(KeyVaultName)"
              SecretsFilter: "TenantId,ClientId,ClientSecret,Certificate,KeyVaultUrl"
          - pwsh: |
              sign code azure-key-vault `
              "**/*.exe" `
              --base-directory "$(Build.SourcesDirectory)/cmd/" `
              --publisher-name "CrowdSec" `
              --description "CrowdSec" `
              --description-url "https://github.com/crowdsecurity/crowdsec" `
              --azure-key-vault-tenant-id "$(TenantId)" `
              --azure-key-vault-client-id "$(ClientId)" `
              --azure-key-vault-client-secret "$(ClientSecret)" `
              --azure-key-vault-certificate "$(Certificate)" `
              --azure-key-vault-url "$(KeyVaultUrl)"
            displayName: "Sign crowdsec binaries"
          - pwsh: |
              .\make_installer.ps1 -version '$(BuildVersion)'
            displayName: "Build Crowdsec MSI"
            name: BuildMSI
          - pwsh: |
              .\make_chocolatey.ps1 -version '$(BuildVersion)'
            displayName: "Build Chocolatey nupkg"
          - pwsh: |
              sign code azure-key-vault `
              "*.msi" `
              --base-directory "$(Build.SourcesDirectory)" `
              --publisher-name "CrowdSec" `
              --description "CrowdSec" `
              --description-url "https://github.com/crowdsecurity/crowdsec" `
              --azure-key-vault-tenant-id "$(TenantId)" `
              --azure-key-vault-client-id "$(ClientId)" `
              --azure-key-vault-client-secret "$(ClientSecret)" `
              --azure-key-vault-certificate "$(Certificate)" `
              --azure-key-vault-url "$(KeyVaultUrl)"
            displayName: "Sign MSI package"
          - pwsh: |
              sign code azure-key-vault `
              "*.nupkg" `
              --base-directory "$(Build.SourcesDirectory)" `
              --publisher-name "CrowdSec" `
              --description "CrowdSec" `
              --description-url "https://github.com/crowdsecurity/crowdsec" `
              --azure-key-vault-tenant-id "$(TenantId)" `
              --azure-key-vault-client-id "$(ClientId)" `
              --azure-key-vault-client-secret "$(ClientSecret)" `
              --azure-key-vault-certificate "$(Certificate)" `
              --azure-key-vault-url "$(KeyVaultUrl)"
            displayName: "Sign nuget package"
          - task: PublishPipelineArtifact@1
            inputs:
              targetPath: '$(Build.SourcesDirectory)/crowdsec_$(BuildVersion).msi'
              artifact: 'signed_msi_package'
            displayName: "Upload signed MSI artifact"
          - task: PublishPipelineArtifact@1
            inputs:
              targetPath: '$(Build.SourcesDirectory)/crowdsec.$(BuildVersion).nupkg'
              artifact: 'signed_nuget_package'
            displayName: "Upload signed nuget artifact"
            
  - stage: Publish
    dependsOn: Sign
    jobs:
      - deployment: "Publish"
        displayName: "Publish to GitHub"
        environment: github
        strategy:
          runOnce:
            deploy:
              steps:
                - bash: |
                    tag=$(curl -H "Accept: application/vnd.github.v3+json"   https://api.github.com/repos/crowdsecurity/crowdsec/releases | jq -r '. | map(select(.prerelease==true)) | sort_by(.created_at) | reverse | .[0].tag_name')
                    echo "##vso[task.setvariable variable=LatestPreRelease;isOutput=true]$tag"
                  name: GetLatestPrelease
                - task: GitHubRelease@1
                  inputs:
                    gitHubConnection: "github.com_blotus"
                    repositoryName: '$(Build.Repository.Name)'
                    action: 'edit'
                    tag: '$(GetLatestPrelease.LatestPreRelease)'
                    assetUploadMode: 'replace'
                    addChangeLog: false
                    isPreRelease: true #we force prerelease because the pipeline is invoked on tag creation, which happens when we do a prerelease
                    assets: |
                      $(Pipeline.Workspace)/signed_msi_package/*.msi
                      $(Pipeline.Workspace)/signed_nuget_package/*.nupkg
                  condition: ne(variables['GetLatestPrelease.LatestPreRelease'], '')