forked from OneIdentity/safeguard-ps
-
Notifications
You must be signed in to change notification settings - Fork 0
/
build-publish.yml
108 lines (108 loc) · 5.34 KB
/
build-publish.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
variables:
- template: pipeline-templates/global-variables.yml
- name: codeSigningCertFileName
value: 'OneIdentityCodeSigning.pfx'
trigger:
branches:
include:
- master
- release-*
paths:
exclude:
- README.md
pr: none
jobs:
- job: Build_Windows
displayName: "Windows - Build module and Docker image, publish to PowerShell Gallery, and publish to Docker Hub"
pool:
vmImage: 'windows-latest'
steps:
- template: pipeline-templates/build-windows-steps.yml
- task: AzureKeyVault@1
inputs:
azureSubscription: 'OneIdentity.RD.SBox.Safeguard-ServiceConnection'
KeyVaultName: 'SafeguardBuildSecrets'
SecretsFilter: 'PowerShellGalleryApiKey'
displayName: 'Get PowerShell Gallery API key from Sandbox Azure Key Vault'
- task: AzureKeyVault@1
inputs:
azureSubscription: 'Azure.Infrastructure.CodeSigning'
KeyVaultName: 'CodeSigningCertificates'
SecretsFilter: '*'
displayName: 'Get code signing certificate from Azure Key Vault'
- task: PowerShell@2
inputs:
targetType: inline
failOnStderr: true
script: |
$kvSecretBytes = [System.Convert]::FromBase64String("$(OneIdentity-CodeSigning)")
$certCollection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$certCollection.Import($kvSecretBytes,$null,[System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
$protectedCertificateBytes = $certCollection.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12,"$(OneIdentity-CodeSigningCertPassword)")
$certpath = '$(Build.BinariesDirectory)/$(codeSigningCertFileName)'
Write-Verbose -Verbose $certpath
[System.IO.File]::WriteAllBytes($certpath, $protectedCertificateBytes)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList "$certpath","$(OneIdentity-CodeSigningCertPassword)"
Write-Verbose -Verbose "Subject: $($cert.Subject)"
Write-Verbose -Verbose "Issuer: $($cert.Issuer)"
$catalogfile = (Get-Module safeguard-ps -ListAvailable)[0].Path -replace "psd1","cat"
Write-Verbose -Verbose $catalogfile
Set-AuthenticodeSignature -Certificate $cert -FilePath $catalogfile -TimestampServer "http://timestamp.comodoca.com?td=sha256"
displayName: 'Signing PowerShell module catalog file'
- task: PowerShell@2
inputs:
targetType: inline
failOnStderr: true
script: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Install-PackageProvider Nuget –Force
Get-PSRepository
Publish-Module -Name safeguard-ps -NuGetApiKey "$(PowerShellGalleryApiKey)" -Verbose -SkipAutomaticTags -Force
displayName: 'Publish PowerShell module to PowerShell Gallery'
- task: AzureKeyVault@1
inputs:
azureSubscription: 'OneIdentity.RD.SBox.Safeguard-ServiceConnection'
KeyVaultName: 'SafeguardBuildSecrets'
SecretsFilter: 'DockerHubAccessToken,DockerHubPassword'
displayName: 'Get Docker Hub Access Token from Sandbox Azure Key Vault'
continueOnError: false
condition: and( succeeded(), eq( variables.shouldPublishDocker, true ) )
- task: Bash@3
inputs:
targetType: 'inline'
failOnStderr: true
script: |
docker login -u petrsnd --password-stdin <<<$(DockerHubAccessToken) 2>/dev/null
docker push oneidentity/safeguard-ps:$(VersionString)-nanoserver
docker logout
displayName: 'Pushing Docker Windows Nano Server image to Docker Hub'
condition: and( succeeded(), eq( variables.shouldPublishDocker, true ) )
- job: Build_Linux
displayName: "Linux - build module and Docker images, publish images to Docker Hub"
pool:
vmImage: 'ubuntu-latest'
steps:
- template: pipeline-templates/build-linux-steps.yml
- task: AzureKeyVault@1
inputs:
azureSubscription: 'OneIdentity.RD.SBox.Safeguard-ServiceConnection'
KeyVaultName: 'SafeguardBuildSecrets'
SecretsFilter: 'DockerHubAccessToken,DockerHubPassword'
displayName: 'Get Docker Hub Access Token from Sandbox Azure Key Vault'
condition: and( succeeded(), eq( variables.shouldPublishDocker, true ) )
- task: Bash@3
inputs:
targetType: 'inline'
failOnStderr: true
script: |
docker login -u petrsnd --password-stdin <<<$(DockerHubAccessToken) 2>/dev/null
docker push oneidentity/safeguard-ps:$(VersionString)-ubuntu18.04
docker push oneidentity/safeguard-ps:$(VersionString)-ubuntu16.04
docker push oneidentity/safeguard-ps:$(VersionString)-centos7
docker push oneidentity/safeguard-ps:$(VersionString)-alpine3.8
docker push oneidentity/safeguard-ps:$(VersionString)-opensuse42.3
docker push oneidentity/safeguard-ps:$(VersionString)-fedora28
docker push oneidentity/safeguard-ps:latest
docker logout
condition: and( succeeded(), eq(variables.shouldPublishDocker, true) )
displayName: 'Pushing Linux Docker images to Docker Hub'