Release pipeline updates and package upgrades (#502)

2022-05-03 08:35:07 -07:00 · 2022-05-03 08:35:07 -07:00 · 0d007f5e5f
--- a/.artifactignore
+++ b/.artifactignore
@ -2,3 +2,4 @@
 !*.msi
 !*.dmg
 !*.deb
+!manifest.*
--- a/.config/CredScanSuppressions.json
+++ b/.config/CredScanSuppressions.json
@ -0,0 +1,9 @@
+{
+    "tool": "Credential Scanner",
+    "suppressions": [
+      {
+        "placeholder": "mock_key_?",
+        "_justification": "Secret placeholder for fake key credentials"
+      }
+    ]
+  }
--- a/.github/workflows/nodejs.yml
+++ b/.github/workflows/nodejs.yml
@ -25,6 +25,6 @@ jobs:
        - name: npm install, build, and test
          timeout-minutes: 15
          run: |
-              npm install
+              npm ci
              npm run build --if-present
              npm test
--- a/azure-pipelines.yml
+++ b/azure-pipelines.yml
@ -1,16 +0,0 @@
-trigger:
- main
-
-jobs:
-  - job: Build_and_Test
-    pool:
-      vmImage: 'ubuntu-latest'
-    steps:
-    - template: ./pipelines/build-and-test-template.yml
-
-    - task: ComponentGovernanceComponentDetection@0
-      inputs:
-        scanType: 'Register'
-        verbosity: 'Verbose'
-        alertWarningLevel: 'High'
-        failOnAlert: true
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@ -71,8 +71,8 @@
  "dependencies": {
    "@azure/event-hubs": "5.6.0",
    "@fluentui/react": "8.20.2",
-    "azure-iot-common": "1.10.3",
-    "azure-iothub": "1.8.1",
+    "azure-iot-common": "1.12.14",
+    "azure-iothub": "1.14.7",
    "body-parser": "1.18.3",
    "brace": "0.11.1",
    "cors": "2.8.5",
@ -124,7 +124,7 @@
    "css-loader": "6.7.1",
    "css-minimizer-webpack-plugin": "3.4.1",
    "electron": "18.0.0",
-    "electron-builder": "22.14.13",
+    "electron-builder": "23.0.4",
    "enzyme": "3.11.0",
    "enzyme-adapter-react-16": "1.15.1",
    "enzyme-to-json": "3.3.5",
@ -140,7 +140,7 @@
    "nodemon": "2.0.4",
    "sass": "1.35.2",
    "sass-loader": "7.2.0",
-    "source-map-loader": "0.2.4",
+    "source-map-loader": "3.0.1",
    "ssri": "8.0.1",
    "style-loader": "0.23.1",
    "ts-jest": "26.2.0",
@ -151,9 +151,9 @@
    "tslint-react": "3.6.0",
    "typescript": "4.6.3",
    "webpack": "5.70.0",
-    "webpack-bundle-analyzer": "3.3.2",
+    "webpack-bundle-analyzer": "4.5.0",
    "webpack-cli": "4.9.2",
-    "webpack-dev-server": "4.7.4",
+    "webpack-dev-server": "4.8.1",
    "webpack-merge": "5.8.0",
    "webpack-shell-plugin": "0.5.0"
  },
--- a/pipelines/build-and-test-template.yml
+++ b/pipelines/build-and-test-template.yml
@ -1,6 +1,6 @@
 steps:
 - template: '.\common\install-node.yml'
- script: 'npm install'
+- script: 'npm ci'
  displayName: Install dependencies
 - script: 'npm run build'
  displayName: Build source
--- a/pipelines/build-windows.yml
+++ b/pipelines/build-windows.yml
@ -1,5 +1,5 @@
 steps:
- script: 'npm install'
+- script: 'npm ci'
  displayName: 'Install packages'

 - script: 'npm run build'
--- a/pipelines/common/sdl-checks.yml
+++ b/pipelines/common/sdl-checks.yml
@ -0,0 +1,40 @@
+steps:
+  # cred scan
+  - task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@3
+    displayName: 'Run CredScan'
+    inputs:
+      outputFormat: 'pre'
+      scanFolder: '$(Build.SourcesDirectory)'
+      suppressionsFile: '$(Build.SourcesDirectory)/.config/CredScanSuppressions.json'
+
+  # policheck
+  - task: securedevelopmentteam.vss-secure-development-tools.build-task-policheck.PoliCheck@1
+    displayName: 'Run PoliCheck'
+    inputs:
+      targetType: F
+
+  - task: ComponentGovernanceComponentDetection@0
+    displayName: 'Component Detection'
+    inputs:
+      scanType: 'Register'
+      verbosity: 'Verbose'
+      alertWarningLevel: 'High'
+      failOnAlert: true
+
+  - task: PostAnalysis@1
+    displayName: 'Process Results'
+    inputs:
+      AllTools: false
+      APIScan: false
+      BinSkim: false
+      CodesignValidation: false
+      CredScan: true
+      FortifySCA: false
+      FxCop: false
+      ModernCop: false
+      PoliCheck: true
+      RoslynAnalyzers: false
+      SDLNativeRules: false
+      Semmle: false
+      TSLint: false
+      ToolLogsNotFoundAction: 'Standard'
--- a/pipelines/release-pipeline.yml
+++ b/pipelines/release-pipeline.yml
@ -1,59 +1,95 @@
 trigger: none

 parameters:
- name: linuxImage
+- name: buildAgentPoolVar
+  displayName: 'Build agent pool'
  type: string
-  default: 'ubuntu-18.04'
+  default: 'BuildAgentPool'
+- name: windowsBuildAgentVmImageVar
+  displayName: 'Windows build agent image'
+  type: string
+  default: 'WindowsBuildAgentImage'
+- name: linuxBuildAgentVmImageVar
+  displayName: 'Linux build agent image'
+  type: string
+  default: 'LinuxBuildAgentImage'
+- name: linuxTestImage
+  displayName: 'Linux test agent image'
+  type: string
+  default: 'ubuntu-latest'
  values:
  - 'ubuntu-18.04'
+  - 'ubuntu-20.04'
  - 'ubuntu-latest'
- name: windowsImage
+- name: windowsTestImage
+  displayName: 'Windows test agent image'
  type: string
-  default: 'windows-2019'
+  default: 'windows-latest'
  values:
  - 'windows-2019'
+  - 'windows-2022'
  - 'windows-latest'
- name: macImage
+- name: macBuildImage
+  displayName: 'MacOS test agent image'
  type: string
-  default: 'macOS-10.15'
+  default: 'macOS-latest'
  values:
  - 'macOS-10.15'
+  - 'macOS-11'
  - 'macOS-latest'
+- name: release
+  displayName: 'Publish Release'
+  type: boolean
+  default: false
+
+variables:
+  - name: winVmImage
+    value: $[variables.${{ parameters.windowsBuildAgentVmImageVar }}]
+  - name: linuxVmImage
+    value: $[variables.${{ parameters.linuxBuildAgentVmImageVar }}]

 stages:
-  - stage: 'build'
+  - stage: 'SDL'
+    displayName: 'SDL Stage'
+    jobs:
+    - job: SDL_checks
+      displayName: 'SDL checks'
+      pool:
+        vmImage: ${{ parameters.windowsTestImage }}
+      steps:
+        - template: 'common/sdl-checks.yml'
+  - stage: 'Test'
    displayName: 'Build and Test'
+    dependsOn: [SDL]
    pool:
-      vmImage: ${{ parameters.linuxImage }}
+      vmImage: ${{ parameters.linuxTestImage }}
    jobs:
    - job: build_and_test
      displayName: 'Build and Test Source'
      steps:
      - template: .\build-and-test-template.yml
-    - job: scan
-      pool:
-        vmImage: ${{ parameters.windowsImage }}
-      steps:
-      - task: ea576cd4-c61f-48f8-97e7-a3cb07b90a6f@2
-        displayName: 'CredScan V2'
-        inputs:
-          toolMajorVersion: 'V2'
-
-  - stage: 'package'
+  - stage: 'Package'
    displayName: 'Package for all platforms'
-    dependsOn: 'build'
+    dependsOn: [SDL, Test]
    jobs:
    - job: packageWindows
      displayName: "Package for Windows"
-
      pool:
-        vmImage: ${{ parameters.windowsImage }}
+        name: $[variables.${{ parameters.buildAgentPoolVar }}]
+        vmImage: $(winVmImage)
+        demands:
+          - ImageOverride -equals $(winVmImage)

      steps:
      - template: '.\common\install-node.yml'
          
      - template: '.\build-windows.yml'

+      - task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0
+        displayName: 'Generate Software Manifest'
+        inputs:
+          BuildDropPath: '$(Build.SourcesDirectory)/dist/'
+
      - task: CopyFiles@2
        displayName: 'ArtifactIgnore'
        inputs:
@ -69,13 +105,18 @@ stages:
      displayName: "Package for MacOS"

      pool:
-        vmImage: ${{ parameters.macImage }}
+        vmImage: ${{ parameters.macBuildImage }}
      
      steps:
      - template: '.\common\install-node.yml'
          
      - template: '.\build-mac.yml'

+      - task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0
+        displayName: 'Generate Software Manifest'
+        inputs:
+          BuildDropPath: '$(Build.SourcesDirectory)/dist/'
+
      - task: CopyFiles@2
        displayName: 'ArtifactIgnore'
        inputs:
@ -90,13 +131,20 @@ stages:
    - job: packageLinux
      displayName: "Package for Linux"
      pool:
-          vmImage: ${{ parameters.linuxImage }}
-
+        name: $[variables.${{ parameters.buildAgentPoolVar }}]
+        vmImage: $(linuxVmImage)
+        demands:
+        - ImageOverride -equals $(linuxVmImage)
      steps:
      - template: '.\common\install-node.yml'
          
      - template: '.\build-linux.yml'

+      - task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0
+        displayName: 'Generate Software Manifest'
+        inputs:
+          BuildDropPath: '$(Build.SourcesDirectory)/dist/'
+
      - task: CopyFiles@2
        displayName: 'ArtifactIgnore'
        inputs:
@ -107,12 +155,14 @@ stages:
      - publish: $(Build.SourcesDirectory)/dist/
        displayName: 'Staging artifact for signing'
        artifact: Linux
-
-  - stage: 'codeSign'
-    displayName: 'CodeSign and Release'
-    dependsOn: 'package'
+  - stage: 'CodeSign'
+    displayName: 'CodeSign Packages'
+    dependsOn: [SDL, Test, Package]
    pool:
-      vmImage: ${{ parameters.linuxImage }}
+      name: $[variables.${{ parameters.buildAgentPoolVar }}]
+      vmImage: $(linuxVmImage)
+      demands:
+      - ImageOverride -equals $(linuxVmImage)
    jobs:

    - job: signWindows
@ -269,12 +319,22 @@ stages:
        displayName: 'Staging signed artifact for release'
        artifact: Linux_Signed

+  - stage: 'Release'
+    displayName: 'Publish Release'
+    condition: ${{ parameters.release }}
+    dependsOn: [SDL, Test, Package, CodeSign]
+    pool:
+      name: $[variables.${{ parameters.buildAgentPoolVar }}]
+      vmImage: $(linuxVmImage)
+      demands:
+      - ImageOverride -equals $(linuxVmImage)
+    jobs:
+    - deployment: 'StageRelease'
+      displayName: 'Stage GitHub Release'
+      environment: 'production'
+
    - job: publishRelease
      displayName: 'Publish artifacts and draft GitHub Release'
-      dependsOn:
-      - signWindows
-      - signMac
-      - signLinux
      steps:
      - download: current
        artifact: Windows_Signed
--- a/src/app/devices/module/moduleIndentityDetail/components/snapshots/moduleIdentityDetail.spec.tsx.snap
+++ b/src/app/devices/module/moduleIndentityDetail/components/snapshots/moduleIdentityDetail.spec.tsx.snap
@ -137,7 +137,7 @@ exports[`ModuleIdentityDetail snapshot matches snapshot after sas module identit
      label="moduleIdentity.authenticationType.symmetricKey.primaryKey"
      labelCallout="moduleIdentity.authenticationType.symmetricKey.primaryKeyTooltip"
      readOnly={true}
-      value="key1"
+      value="mock_key_1"
    />
    <MaskedCopyableTextField
      allowMask={true}
@ -145,21 +145,21 @@ exports[`ModuleIdentityDetail snapshot matches snapshot after sas module identit
      label="moduleIdentity.authenticationType.symmetricKey.secondaryKey"
      labelCallout="moduleIdentity.authenticationType.symmetricKey.secondaryKeyTooltip"
      readOnly={true}
-      value="key2"
+      value="mock_key_2"
    />
    <MaskedCopyableTextField
      allowMask={true}
      ariaLabel="moduleIdentity.authenticationType.symmetricKey.primaryConnectionString"
      label="moduleIdentity.authenticationType.symmetricKey.primaryConnectionString"
      readOnly={true}
-      value="HostName=hostName;DeviceId=newdevice;ModuleId=moduleId;SharedAccessKey=key1"
+      value="HostName=hostName;DeviceId=newdevice;ModuleId=moduleId;SharedAccessKey=mock_key_1"
    />
    <MaskedCopyableTextField
      allowMask={true}
      ariaLabel="moduleIdentity.authenticationType.symmetricKey.secondaryConnectionString"
      label="moduleIdentity.authenticationType.symmetricKey.secondaryConnectionString"
      readOnly={true}
-      value="HostName=hostName;DeviceId=newdevice;ModuleId=moduleId;SharedAccessKey=key2"
+      value="HostName=hostName;DeviceId=newdevice;ModuleId=moduleId;SharedAccessKey=mock_key_2"
    />
    <SasTokenGenerationView
      activeAzureResourceHostName="hostName"
@ -167,8 +167,8 @@ exports[`ModuleIdentityDetail snapshot matches snapshot after sas module identit
        Object {
          "authentication": Object {
            "symmetricKey": Object {
-              "primaryKey": "key1",
-              "secondaryKey": "key2",
+              "primaryKey": "mock_key_1",
+              "secondaryKey": "mock_key_2",
            },
            "type": "sas",
            "x509Thumbprint": null,
--- a/src/app/devices/module/moduleIndentityDetail/components/moduleIdentityDetail.spec.tsx
+++ b/src/app/devices/module/moduleIndentityDetail/components/moduleIdentityDetail.spec.tsx
@ -26,8 +26,8 @@ const moduleIdentityWithoutAuth = {
 const moduleIdentityWithSasAuth = {
    authentication: {
        symmetricKey: {
-            primaryKey: 'key1',
-            secondaryKey: 'key2'
+            primaryKey: 'mock_key_1',
+            secondaryKey: 'mock_key_2'
        },
        type: 'sas',
        x509Thumbprint: null
--- a/src/app/devices/shared/components/snapshots/sasTokenGenerationView.spec.tsx.snap
+++ b/src/app/devices/shared/components/snapshots/sasTokenGenerationView.spec.tsx.snap
@ -72,11 +72,11 @@ exports[`devices/components/moduleIdentityTwin snapshot matches snapshot when no
      options={
        Array [
          Object {
-            "key": "key1",
+            "key": "mock_key_1",
            "text": "deviceIdentity.authenticationType.symmetricKey.primaryKey",
          },
          Object {
-            "key": "key2",
+            "key": "mock_key_2",
            "text": "deviceIdentity.authenticationType.symmetricKey.secondaryKey",
          },
        ]
--- a/src/app/devices/shared/components/sasTokenGenerationView.spec.tsx
+++ b/src/app/devices/shared/components/sasTokenGenerationView.spec.tsx
@ -26,8 +26,8 @@ const moduleId = 'testModule';
 const moduleIdentity: ModuleIdentity = {
    authentication: {
        symmetricKey: {
-            primaryKey: 'key1',
-            secondaryKey: 'key2'
+            primaryKey: 'mock_key_1',
+            secondaryKey: 'mock_key_2'
        },
        type: 'sas',
        x509Thumbprint: null