Update Nuget publishing jobs (#18851)
### Description
1. Add a CodeSign validation task before the binaries are published, to
make sure all DLL files are signed.
2. Auto-trigger the CUDA 12 pipeline's publishing job.
snnn authored Dec 20, 2023
1 parent ffa6602 commit 535a240
Showing 3 changed files with 96 additions and 49 deletions.
@@ -1,24 +1,22 @@
resources:
pipelines:
- pipeline: build
source: 'Nuget-CUDA-Packaging-Pipeline'
trigger:
branches:
include:
- main
branch: main

parameters:
- name: nightly
type: string
default: '1'
- name: build_id
type: string
default: 'latest'
- name: project
type: string
default: 'Lotus'
- name: pipeline
type: string
default: 'Nuget-CUDA-Packaging-Pipeline'
type: boolean
default: true

stages:
- template: stages/nuget-cuda-publishing-stage.yml
parameters:
build_id: ${{ parameters.build_id }}
project: ${{ parameters.project }}
pipeline: ${{ parameters.pipeline }}
${{ if ne(parameters.nightly, '1') }}:
${{ if ne(parameters.nightly, true) }}:
artifact_feed: onnxruntime-cuda-12
${{ else }}:
artifact_feed: ort-cuda-12-nightly
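Review bot: The feed selection at the end of this file decides whether a run publishes to the release feed `onnxruntime-cuda-12` or to `ort-cuda-12-nightly`, and nothing near it says which one the new automatic trigger uses. Runs started by the pipeline-resource trigger take parameter defaults, so with `default: true` they should land on the nightly feed, and only a manual run with `nightly` unchecked reaches the release feed. A comment above the condition would record that, for example `# Auto-triggered runs use nightly=true and publish to ort-cuda-12-nightly; the release feed requires a manual run with nightly=false.` The negated test `ne(parameters.nightly, true)` would also read more directly as `${{ if parameters.nightly }}:` with the two branches swapped.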
41 changes: 39 additions & 2 deletions tools/ci_build/github/azure-pipelines/publish-nuget.yml
Expand Up @@ -2,7 +2,10 @@ resources:
pipelines:
- pipeline: build
source: 'Zip-Nuget-Java-Nodejs Packaging Pipeline'
trigger: true
trigger:
branches:
include:
- main
branch: main

stages:
Expand All @@ -13,7 +16,7 @@ stages:
clean: all
variables:
- name: GDN_CODESIGN_TARGETDIRECTORY
value: '$(Build.BinariesDirectory)/nuget-artifact/final-package'
value: '$(Agent.TempDirectory)\binfiles'
pool: 'onnxruntime-Win-CPU-2022'

steps:
Expand Down Expand Up @@ -92,6 +95,40 @@ stages:
artifact: 'drop-signed-nuget-ROCm'
- script: move "$(Pipeline.Workspace)\build\drop-signed-nuget-ROCm\*" $(Build.BinariesDirectory)\nuget-artifact\final-package

- script: |
dir $(Build.BinariesDirectory)\nuget-artifact\final-package
cd $(Build.BinariesDirectory)\nuget-artifact\final-package
nuget verify -Signatures *.nupkg
displayName: List Downloaded Package
- powershell: |
New-Item -Path $(Agent.TempDirectory) -Name "binfiles" -ItemType "directory"
$base_path_name = Join-Path -Path $(Agent.TempDirectory) -ChildPath "binfiles"
Get-ChildItem $Env:BUILD_BINARIESDIRECTORY\nuget-artifact\final-package -Filter *.nupkg |
Foreach-Object {
$dir_name = Join-Path -Path $base_path_name -ChildPath $_.Basename
$cmd = "7z.exe x $($_.FullName) -y -o$dir_name"
Write-Output $cmd
Invoke-Expression -Command $cmd
}
dir $(Agent.TempDirectory)
tree $(Agent.TempDirectory)
workingDirectory: '$(Agent.TempDirectory)'
- task: CodeSign@1
displayName: 'Run Codesign Validation'


- task: PublishSecurityAnalysisLogs@3
displayName: 'Publish Security Analysis Logs'
continueOnError: true

- task: PostAnalysis@2
inputs:
GdnBreakAllTools: true
GdnBreakPolicy: M365
GdnBreakPolicyMinSev: Error

#TODO: allow choosing different feeds
- task: NuGetCommand@2
displayName: 'Copy Signed Native NuGet Package to ORT-NIGHTLY'
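Review bot: The extraction loop in the added `powershell:` step can fail without failing the job, so the `CodeSign@1` validation that follows may scan an empty or partial `binfiles` directory and still pass. The 7-Zip command is assembled as a string and run through `Invoke-Expression`, with `$($_.FullName)` and `$dir_name` unquoted, and no visible line checks the exit code of 7-Zip before `dir` and `tree` run. Calling the tool directly, `& 7z.exe x $_.FullName -y "-o$dir_name"` followed by `if ($LASTEXITCODE -ne 0) { throw "7z failed for $($_.Name)" }`, avoids re-parsing the path as script text and makes the gate fail closed. It would also help to throw when `Get-ChildItem` returns no `.nupkg` files at all. The same block is repeated in the CUDA publishing stage template later in this commit.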
@@ -1,48 +1,60 @@
parameters:
- name: build_id
type: string
- name: project
type: string
- name: pipeline
type: string
- name: artifact_feed
type: string
default: 'onnxruntime-cuda-12'
- name: dependencies
type: string
default: 'none'

stages:
- stage: NuGet_Publishing_GPU
${{ if ne(parameters.dependencies, 'none') }}:
dependsOn:
${{ if eq(parameters.dependencies, 'none') }}:
dependsOn: []
jobs:
- job:
workspace:
clean: all
variables:
- name: GDN_CODESIGN_TARGETDIRECTORY
value: '$(Build.BinariesDirectory)/nuget-artifact/final-package'
pool: 'onnxruntime-Win-CPU-2022'
steps:
- checkout: none
- script: |
echo "Project: ${{ parameters.project }}"
echo "Build ID: ${{ parameters.build_id }}"
echo "Pipeline: ${{ parameters.pipeline }}"
echo "Artifact Feed: ${{ parameters.artifact_feed }}"
displayName: 'Print Parameters'
- task: DownloadPipelineArtifact@2
displayName: 'Download NuGet artifact drop-signed-nuget-GPU'

- task: NuGetToolInstaller@1
inputs:
artifact: drop-signed-nuget-GPU
targetPath: $(Build.BinariesDirectory)/nuget-artifact/final-package
${{ if ne(parameters.build_id, 'latest') }}:
buildType: 'specific'
project: '${{ parameters.project }}'
pipeline: '${{ parameters.pipeline }}'
buildVersionToDownload: 'specific'
buildId: '${{ parameters.build_id }}'
- script: |
ls $(Build.BinariesDirectory)/nuget-artifact/final-package
displayName: List Downloaded Package
versionSpec: 6.8.x

- script: mkdir "$(Build.BinariesDirectory)\nuget-artifact\final-package"

- download: build
displayName: 'Download Pipeline Artifact - Signed NuGet Package'
artifact: 'drop-signed-nuget-GPU'

- script: move "$(Pipeline.Workspace)\build\drop-signed-nuget-GPU\*" "$(Build.BinariesDirectory)\nuget-artifact\final-package"

- powershell: |
New-Item -Path $(Agent.TempDirectory) -Name "binfiles" -ItemType "directory"
$base_path_name = Join-Path -Path $(Agent.TempDirectory) -ChildPath "binfiles"
Get-ChildItem $Env:BUILD_BINARIESDIRECTORY\nuget-artifact\final-package -Filter *.nupkg |
Foreach-Object {
$dir_name = Join-Path -Path $base_path_name -ChildPath $_.Basename
$cmd = "7z.exe x $($_.FullName) -y -o$dir_name"
Write-Output $cmd
Invoke-Expression -Command $cmd
}
dir $(Agent.TempDirectory)
tree $(Agent.TempDirectory)
workingDirectory: '$(Agent.TempDirectory)'
- task: CodeSign@1
displayName: 'Run Codesign Validation'

- task: PublishSecurityAnalysisLogs@3
displayName: 'Publish Security Analysis Logs'
continueOnError: true

- task: PostAnalysis@2
inputs:
GdnBreakAllTools: true
GdnBreakPolicy: M365
GdnBreakPolicyMinSev: Error

- template: ../nuget/templates/get-nuget-package-version-as-variable.yml
parameters:
packageFolder: '$(Build.BinariesDirectory)/nuget-artifact/final-package'
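Review bot: As rendered, this section shows `GDN_CODESIGN_TARGETDIRECTORY` with only the value `'$(Build.BinariesDirectory)/nuget-artifact/final-package'`, while the new PowerShell step extracts the packages into `$(Agent.TempDirectory)\binfiles`. If the variable is indeed unchanged in this template, `CodeSign@1` is presumably pointed at the folder of `.nupkg` archives rather than at the extracted DLLs, so the check promised in the description may not cover the CUDA packages. publish-nuget.yml in the same commit switches the variable to `value: '$(Agent.TempDirectory)\binfiles'`, and the same line is proposed here. Unlike publish-nuget.yml, this section also shows no `nuget verify -Signatures *.nupkg` step, so adding one after the `move` would keep the two publishing jobs consistent.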