Skip to content

Commit

Permalink
security: applies pipeline type requirements
Browse files Browse the repository at this point in the history
Signed-off-by: Vincent Biret <[email protected]>
  • Loading branch information
baywet committed Nov 22, 2024
1 parent ca0f832 commit 12051dd
Showing 1 changed file with 76 additions and 71 deletions.
147 changes: 76 additions & 71 deletions .azure-pipelines/ci-build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -206,12 +206,12 @@ extends:
- task: EsrpCodeSigning@5
displayName: "ESRP CodeSigning"
inputs:
ConnectedServiceName: 'Federated DevX ESRP Managed Identity Connection'
AppRegistrationClientId: '65035b7f-7357-4f29-bf25-c5ee5c3949f8'
AppRegistrationTenantId: 'cdc5aeea-15c5-4db6-b079-fcadd2505dc2'
AuthAKVName: 'akv-prod-eastus'
AuthCertName: 'ReferenceLibraryPrivateCert'
AuthSignCertName: 'ReferencePackagePublisherCertificate'
ConnectedServiceName: "Federated DevX ESRP Managed Identity Connection"
AppRegistrationClientId: "65035b7f-7357-4f29-bf25-c5ee5c3949f8"
AppRegistrationTenantId: "cdc5aeea-15c5-4db6-b079-fcadd2505dc2"
AuthAKVName: "akv-prod-eastus"
AuthCertName: "ReferenceLibraryPrivateCert"
AuthSignCertName: "ReferencePackagePublisherCertificate"
FolderPath: '$(Build.SourcesDirectory)\src'
signConfigType: inlineSignParams
UseMinimatch: true
Expand Down Expand Up @@ -281,12 +281,12 @@ extends:
- task: EsrpCodeSigning@5
displayName: "ESRP CodeSigning Nuget Packages"
inputs:
ConnectedServiceName: 'Federated DevX ESRP Managed Identity Connection'
AppRegistrationClientId: '65035b7f-7357-4f29-bf25-c5ee5c3949f8'
AppRegistrationTenantId: 'cdc5aeea-15c5-4db6-b079-fcadd2505dc2'
AuthAKVName: 'akv-prod-eastus'
AuthCertName: 'ReferenceLibraryPrivateCert'
AuthSignCertName: 'ReferencePackagePublisherCertificate'
ConnectedServiceName: "Federated DevX ESRP Managed Identity Connection"
AppRegistrationClientId: "65035b7f-7357-4f29-bf25-c5ee5c3949f8"
AppRegistrationTenantId: "cdc5aeea-15c5-4db6-b079-fcadd2505dc2"
AuthAKVName: "akv-prod-eastus"
AuthCertName: "ReferenceLibraryPrivateCert"
AuthSignCertName: "ReferencePackagePublisherCertificate"
FolderPath: "$(Build.ArtifactStagingDirectory)"
UseMinimatch: true
Pattern: "*.nupkg"
Expand Down Expand Up @@ -401,12 +401,12 @@ extends:
- task: EsrpCodeSigning@5
condition: and(succeeded(), startsWith('${{ distribution.architecture }}', 'win'))
inputs:
ConnectedServiceName: 'Federated DevX ESRP Managed Identity Connection'
AppRegistrationClientId: '65035b7f-7357-4f29-bf25-c5ee5c3949f8'
AppRegistrationTenantId: 'cdc5aeea-15c5-4db6-b079-fcadd2505dc2'
AuthAKVName: 'akv-prod-eastus'
AuthCertName: 'ReferenceLibraryPrivateCert'
AuthSignCertName: 'ReferencePackagePublisherCertificate'
ConnectedServiceName: "Federated DevX ESRP Managed Identity Connection"
AppRegistrationClientId: "65035b7f-7357-4f29-bf25-c5ee5c3949f8"
AppRegistrationTenantId: "cdc5aeea-15c5-4db6-b079-fcadd2505dc2"
AuthAKVName: "akv-prod-eastus"
AuthCertName: "ReferenceLibraryPrivateCert"
AuthSignCertName: "ReferencePackagePublisherCertificate"
FolderPath: $(Build.ArtifactStagingDirectory)/binaries/${{ distribution.architecture }}
signConfigType: inlineSignParams
UseMinimatch: true
Expand Down Expand Up @@ -469,12 +469,12 @@ extends:
timeoutInMinutes: 15
retryCountOnTaskFailure: 4
inputs:
ConnectedServiceName: 'Federated DevX ESRP Managed Identity Connection'
AppRegistrationClientId: '65035b7f-7357-4f29-bf25-c5ee5c3949f8'
AppRegistrationTenantId: 'cdc5aeea-15c5-4db6-b079-fcadd2505dc2'
AuthAKVName: 'akv-prod-eastus'
AuthCertName: 'ReferenceLibraryPrivateCert'
AuthSignCertName: 'ReferencePackagePublisherCertificate'
ConnectedServiceName: "Federated DevX ESRP Managed Identity Connection"
AppRegistrationClientId: "65035b7f-7357-4f29-bf25-c5ee5c3949f8"
AppRegistrationTenantId: "cdc5aeea-15c5-4db6-b079-fcadd2505dc2"
AuthAKVName: "akv-prod-eastus"
AuthCertName: "ReferenceLibraryPrivateCert"
AuthSignCertName: "ReferencePackagePublisherCertificate"
FolderPath: $(Build.ArtifactStagingDirectory)/binaries
signConfigType: inlineSignParams
UseMinimatch: true
Expand All @@ -501,12 +501,12 @@ extends:
timeoutInMinutes: 15
retryCountOnTaskFailure: 4
inputs:
ConnectedServiceName: 'Federated DevX ESRP Managed Identity Connection'
AppRegistrationClientId: '65035b7f-7357-4f29-bf25-c5ee5c3949f8'
AppRegistrationTenantId: 'cdc5aeea-15c5-4db6-b079-fcadd2505dc2'
AuthAKVName: 'akv-prod-eastus'
AuthCertName: 'ReferenceLibraryPrivateCert'
AuthSignCertName: 'ReferencePackagePublisherCertificate'
ConnectedServiceName: "Federated DevX ESRP Managed Identity Connection"
AppRegistrationClientId: "65035b7f-7357-4f29-bf25-c5ee5c3949f8"
AppRegistrationTenantId: "cdc5aeea-15c5-4db6-b079-fcadd2505dc2"
AuthAKVName: "akv-prod-eastus"
AuthCertName: "ReferenceLibraryPrivateCert"
AuthSignCertName: "ReferencePackagePublisherCertificate"
FolderPath: $(Build.ArtifactStagingDirectory)/binaries
signConfigType: inlineSignParams
UseMinimatch: true
Expand Down Expand Up @@ -562,12 +562,12 @@ extends:
inputs:
versionSpec: "18.x"
- ${{ each distribution in parameters.distributions }}:
- task: DownloadPipelineArtifact@2
displayName: Download ${{ distribution.jobPrefix }} binaries from artifacts
inputs:
artifact: Binaries_${{ distribution.jobPrefix }}
source: current
targetPath: $(Build.ArtifactStagingDirectory)/Binaries
- task: DownloadPipelineArtifact@2
displayName: Download ${{ distribution.jobPrefix }} binaries from artifacts
inputs:
artifact: Binaries_${{ distribution.jobPrefix }}
source: current
targetPath: $(Build.ArtifactStagingDirectory)/Binaries
- pwsh: $(Build.SourcesDirectory)/scripts/get-prerelease-version.ps1 -currentBranch $(Build.SourceBranch) -previewBranch ${{ parameters.previewBranch }}
displayName: "Set version suffix"
- pwsh: $(Build.SourcesDirectory)/scripts/get-version-from-csproj.ps1
Expand Down Expand Up @@ -599,19 +599,19 @@ extends:
workingDirectory: $(Build.SourcesDirectory)/vscode/microsoft-kiota
name: getExtensionFileName
- script: vsce generate-manifest -i $(getExtensionFileName.extensionFileName).vsix -o $(getExtensionFileName.extensionFileName).manifest
displayName: 'Generate extension manifest'
displayName: "Generate extension manifest"
workingDirectory: $(Build.SourcesDirectory)/vscode/microsoft-kiota
- script: cp $(getExtensionFileName.extensionFileName).manifest $(getExtensionFileName.extensionFileName).signature.p7s
displayName: 'Prepare manifest for signing'
displayName: "Prepare manifest for signing"
workingDirectory: $(Build.SourcesDirectory)/vscode/microsoft-kiota
- task: EsrpCodeSigning@5
inputs:
ConnectedServiceName: 'Federated DevX ESRP Managed Identity Connection'
AppRegistrationClientId: '65035b7f-7357-4f29-bf25-c5ee5c3949f8'
AppRegistrationTenantId: 'cdc5aeea-15c5-4db6-b079-fcadd2505dc2'
AuthAKVName: 'akv-prod-eastus'
AuthCertName: 'ReferenceLibraryPrivateCert'
AuthSignCertName: 'ReferencePackagePublisherCertificate'
ConnectedServiceName: "Federated DevX ESRP Managed Identity Connection"
AppRegistrationClientId: "65035b7f-7357-4f29-bf25-c5ee5c3949f8"
AppRegistrationTenantId: "cdc5aeea-15c5-4db6-b079-fcadd2505dc2"
AuthAKVName: "akv-prod-eastus"
AuthCertName: "ReferenceLibraryPrivateCert"
AuthSignCertName: "ReferencePackagePublisherCertificate"
FolderPath: $(Build.SourcesDirectory)/vscode/microsoft-kiota
UseMinimatch: true
Pattern: '**\*.signature.p7s'
Expand All @@ -630,7 +630,7 @@ extends:
MaxConcurrency: 25
MaxRetryAttempts: 5
PendingAnalysisWaitTimeoutMinutes: 5
displayName: 'Sign extension'
displayName: "Sign extension"
- task: CopyFiles@2
displayName: Prepare staging folder for upload
inputs:
Expand Down Expand Up @@ -682,7 +682,7 @@ extends:
inputs:
azureSubscription: "kiota-vscode-marketplace-publish"
scriptType: "pscore"
scriptLocation: 'inlineScript'
scriptLocation: "inlineScript"
inlineScript: |
$aadToken = az account get-access-token --query accessToken --resource 499b84ac-1321-427f-aa17-267ca6975798 -o tsv
Get-ChildItem -Path $(Pipeline.Workspace) -Filter *.vsix -Recurse | ForEach-Object {
Expand All @@ -707,6 +707,15 @@ extends:
os: linux
image: ubuntu-latest
templateContext:
type: releaseJob
isProduction: true
inputs:
- input: pipelineArtifact
artifactName: VSCode
targetPath: "$(Pipeline.Workspace)"
- input: pipelineArtifact
artifactName: Nugets
targetPath: "$(Pipeline.Workspace)"
sdl:
baseline:
baselineFile: $(Build.SourcesDirectory)/guardian/SDL/common/.gdnbaselines
Expand All @@ -723,19 +732,11 @@ extends:
clean: true
submodules: true
- ${{ each distribution in parameters.distributions }}:
- task: DownloadPipelineArtifact@2
displayName: Download ${{ distribution.jobPrefix }} binaries from artifacts
inputs:
artifact: Binaries_${{ distribution.jobPrefix }}
source: current
- task: DownloadPipelineArtifact@2
inputs:
artifact: VSCode
source: current
- task: DownloadPipelineArtifact@2
inputs:
artifact: Nugets
source: current
- task: DownloadPipelineArtifact@2
displayName: Download ${{ distribution.jobPrefix }} binaries from artifacts
inputs:
artifact: Binaries_${{ distribution.jobPrefix }}
source: current
- pwsh: $(Build.SourcesDirectory)/scripts/get-prerelease-version.ps1 -currentBranch $(Build.SourceBranch) -previewBranch ${{ parameters.previewBranch }}
displayName: "Set version suffix"
- pwsh: $(Build.SourcesDirectory)/scripts/get-version-from-csproj.ps1
Expand Down Expand Up @@ -779,6 +780,13 @@ extends:
isPreRelease: true

- deployment: deploy_kiota
templateContext:
type: releaseJob
isProduction: true
inputs:
- input: pipelineArtifact
artifactName: Nugets
targetPath: "$(Pipeline.Workspace)"
pool:
name: Azure-Pipelines-1ESPT-ExDShared
os: linux
Expand All @@ -790,23 +798,25 @@ extends:
deploy:
steps:
- download: none
- task: DownloadPipelineArtifact@2
displayName: Download nupkg from artifacts
inputs:
artifact: Nugets
source: current
- powershell: |
Remove-Item "$(Pipeline.Workspace)/Microsoft.OpenApi.Kiota.Builder.*.nupkg" -Verbose
displayName: remove other nupkgs to avoid duplication
- task: 1ES.PublishNuget@1
displayName: "NuGet push"
inputs:
packagesToPush: "$(Pipeline.Workspace)/Microsoft.OpenApi.Kiota.*.nupkg"
packageParentPath: '$(Pipeline.Workspace)'
packageParentPath: "$(Pipeline.Workspace)"
nuGetFeedType: external
publishFeedCredentials: "OpenAPI Nuget Connection"

- deployment: deploy_builder
templateContext:
type: releaseJob
isProduction: true
inputs:
- input: pipelineArtifact
artifactName: Nugets
targetPath: "$(Pipeline.Workspace)"
pool:
name: Azure-Pipelines-1ESPT-ExDShared
os: linux
Expand All @@ -818,18 +828,13 @@ extends:
deploy:
steps:
- download: none
- task: DownloadPipelineArtifact@2
displayName: Download nupkg from artifacts
inputs:
artifact: Nugets
source: current
- powershell: |
Remove-Item "$(Pipeline.Workspace)/Microsoft.OpenApi.Kiota.*.nupkg" -Verbose -Exclude "*.Builder.*"
displayName: remove other nupkgs to avoid duplication
- task: 1ES.PublishNuget@1
displayName: "NuGet push"
inputs:
packagesToPush: "$(Pipeline.Workspace)/Microsoft.OpenApi.Kiota.Builder.*.nupkg"
packageParentPath: '$(Pipeline.Workspace)'
packageParentPath: "$(Pipeline.Workspace)"
nuGetFeedType: external
publishFeedCredentials: "OpenAPI Nuget Connection"

0 comments on commit 12051dd

Please sign in to comment.