SBOM: Fix for conditional logic based on signingCondition (#322)

* Attempt to evaluate signingCondition to include/exclude settings at the time the sbom stage is run

* Evaluate signingCondition as part of a condition property and not as a conditional expression

* Apply signingCondition to the stages defined for PRs and CIs

* Try using two SBOM jobs with opposing conditional logic within the same stage

* Unique names for SBOM jobs

* SBOM: Execute PR job based on unsignedCondition

* Remove closing paren from unsignedCondition

* Remove stage name as parameter to condition

* Remove succeeded() from original signingCondition

* Multi-line conditions

* Use single signingCondition

* SBOM: Unsigned PR job: Include condition for success of the windows (build) stage

* Target production support for the SBOM shared template job name & display name

* Ensure SBOM_PR job only executes if the build 'windows' job succeeds by making the SBOM stage dependent on the success of the windows stage

* Spell out acronyms in comments
This commit is contained in:
Mike Bond 2022-02-24 07:59:53 -08:00 коммит произвёл GitHub
Родитель 4e7630c90c
Коммит 4a316cbf8c
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
1 изменённых файлов: 23 добавлений и 9 удалений

Просмотреть файл

@ -6,7 +6,11 @@ variables:
provisionator.path: '$(System.DefaultWorkingDirectory)/eng/provisioning/provisioning.csx'
provisionator.vs: '$(System.DefaultWorkingDirectory)/eng/provisioning/vs.csx'
provisionator.extraArguments: '--v'
signingCondition: and(succeeded(), or(eq(variables['Sign'], 'true'), or(eq(variables['Build.SourceBranch'], 'refs/heads/main'), or(startsWith(variables['Build.SourceBranch'],'refs/tags/'), startsWith(variables['Build.SourceBranch'],'refs/heads/release/') ))))
signingCondition: or(eq(variables['Sign'], 'true'),
or(eq(variables['Build.SourceBranch'], 'refs/heads/main'),
or(startsWith(variables['Build.SourceBranch'],'refs/tags/'), startsWith(variables['Build.SourceBranch'],'refs/heads/release/') )
)
)
parameters:
- name: BuildConfigurations
@ -62,7 +66,7 @@ resources:
type: github
name: xamarin/yaml-templates
endpoint: xamarin
ref: refs/heads/main # still defaults to master even though main is the main branch
ref: refs/heads/main
stages:
- stage: windows
@ -203,19 +207,29 @@ stages:
signedArtifactName: nuget
signedArtifactPath: signed
displayName: Sign Phase
condition: ${{ variables['signingCondition'] }}
condition: and(succeeded(), ${{ variables['signingCondition'] }} )
- stage: sbom
displayName: 'Software Bill of Materials'
${{ if not(variables['signingCondition']) }}:
dependsOn: [ 'windows' ]
${{ if variables['signingCondition'] }}:
dependsOn: [ 'nuget_signing' ]
dependsOn: [ 'windows', 'nuget_signing' ]
condition: succeeded('windows')
jobs:
- template: compliance/sbom/job.v1.yml@xamarin-templates
parameters:
jobName: SBOM_PR
jobDisplayName: 'Software Bill of Materials (PR)'
artifactNames: ['nuget']
artifactMap: ['nuget/Release']
packageName: 'Microsoft Maui Graphics'
packageFilter: '*.nupkg'
condition: not(${{ variables['signingCondition'] }}) # Executed when signing is not enabled such as for pull request builds (PRs)
- template: compliance/sbom/job.v1.yml@xamarin-templates
parameters:
jobName: SBOM_CI
jobDisplayName: 'Software Bill of Materials (CI)'
artifactNames: ['nuget']
${{ if variables['signingCondition'] }}:
artifactMap: ['nuget/signed']
packageName: 'Microsoft Maui Graphics'
packageFilter: '*.nupkg'
condition: and(succeeded(), ${{ variables['signingCondition'] }} ) # Executed when signing is enabled such as for continuous integration builds (CIs)