From 4a316cbf8c3f6b92bbe82eddb3eb10f82305b4e1 Mon Sep 17 00:00:00 2001
From: Mike Bond
Date: Thu, 24 Feb 2022 07:59:53 -0800
Subject: [PATCH] SBOM: Fix for conditional logic based on signingCondition (#322)
* Attempt to evaluate signingCondition to include/exclude settings at the time the sbom stage is run
* Evaluate signingCondition as part of a condition property and not as a conditional expression
* Apply signingCondition to the stages defined for PRs and CIs
* Try using two SBOM jobs with opposing conditional logic within the same stage
* Unique names for SBOM jobs
* SBOM: Execute PR job based on unsignedCondition
* Remove closing paren from unsignedCondition
* Remove stage name as parameter to condition
* Remove succeeded() from original signingCondition
* Multi-line conditions
* Use single signingCondition
* SBOM: Unsigned PR job: Include condition for success of the windows (build) stage
* Target production support for the SBOM shared template job name & display name
* Ensure SBOM_PR job only executes if the build 'windows' job succeeds by making the SBOM stage dependent on the success of the windows stage
* Spell out acronyms in comments
---
 azure-pipelines.yml | 32 +++++++++++++++++++++++---------
 1 file changed, 23 insertions(+), 9 deletions(-)
diff --git a/azure-pipelines.yml b/azure-pipelines.yml
index 544ba58..e026089 100644
--- a/azure-pipelines.yml
+++ b/azure-pipelines.yml
@@ -6,7 +6,11 @@ variables:
 provisionator.path: '$(System.DefaultWorkingDirectory)/eng/provisioning/provisioning.csx'
 provisionator.vs: '$(System.DefaultWorkingDirectory)/eng/provisioning/vs.csx'
 provisionator.extraArguments: '--v'
- signingCondition: and(succeeded(), or(eq(variables['Sign'], 'true'), or(eq(variables['Build.SourceBranch'], 'refs/heads/main'), or(startsWith(variables['Build.SourceBranch'],'refs/tags/'), startsWith(variables['Build.SourceBranch'],'refs/heads/release/') ))))
+ signingCondition: or(eq(variables['Sign'], 'true'),
+ or(eq(variables['Build.SourceBranch'], 'refs/heads/main'),
+ or(startsWith(variables['Build.SourceBranch'],'refs/tags/'), startsWith(variables['Build.SourceBranch'],'refs/heads/release/') )
+ )
+ )
 parameters:
 - name: BuildConfigurations
@@ -62,7 +66,7 @@ resources:
 type: github
 name: xamarin/yaml-templates
 endpoint: xamarin
- ref: refs/heads/main # still defaults to master even though main is the main branch
+ ref: refs/heads/main
 stages:
 - stage: windows
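Review bot: With `succeeded()` taken out of `signingCondition`, every `condition:` that splices the variable in has to add its own success check, because a custom condition replaces the implicit `succeeded()`. The signing and SBOM_CI uses later in this patch do wrap it, but any use outside the diff cannot be checked from here. A comment above the variable would record the contract, for example `# no succeeded() here: wrap as and(succeeded(), ...) at each use`. As a style point, the three nested `or(...)` calls can be one flat `or(a, b, c, d)`, since `or` accepts more than two arguments, and a `>-` folded scalar would make the multi-line value explicit.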
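Review bot: `ref: refs/heads/main` follows a moving branch of `xamarin/yaml-templates`, so a push to that branch changes what this pipeline executes without any change in this repository. That matters here because the templates from it (presumably the `xamarin-templates` alias used by the SBOM jobs later in this patch) run inside the build that produces and signs the packages. Pinning to a tag, `ref: refs/tags/<template-release-tag>` (placeholder), would make template updates an explicit, reviewable change. The removed comment was also the only explanation of why the ref is spelled out; a short replacement such as `# explicit ref: do not rely on the default branch` would keep that intent.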
@@ -203,19 +207,29 @@ stages:
 signedArtifactName: nuget
 signedArtifactPath: signed
 displayName: Sign Phase
- condition: ${{ variables['signingCondition'] }}
+ condition: and(succeeded(), ${{ variables['signingCondition'] }} )
 - stage: sbom
 displayName: 'Software Bill of Materials'
- ${{ if not(variables['signingCondition']) }}:
- dependsOn: [ 'windows' ]
- ${{ if variables['signingCondition'] }}:
- dependsOn: [ 'nuget_signing' ]
+ dependsOn: [ 'windows', 'nuget_signing' ]
+ condition: succeeded('windows')
 jobs:
 - template: compliance/sbom/job.v1.yml@xamarin-templates
 parameters:
+ jobName: SBOM_PR
+ jobDisplayName: 'Software Bill of Materials (PR)'
 artifactNames: ['nuget']
- ${{ if variables['signingCondition'] }}:
- artifactMap: ['nuget/signed']
+ artifactMap: ['nuget/Release']
 packageName: 'Microsoft Maui Graphics'
 packageFilter: '*.nupkg'
+ condition: not(${{ variables['signingCondition'] }}) # Executed when signing is not enabled such as for pull request builds (PRs)
+
+ - template: compliance/sbom/job.v1.yml@xamarin-templates
+ parameters:
+ jobName: SBOM_CI
+ jobDisplayName: 'Software Bill of Materials (CI)'
+ artifactNames: ['nuget']
+ artifactMap: ['nuget/signed']
+ packageName: 'Microsoft Maui Graphics'
+ packageFilter: '*.nupkg'
+ condition: and(succeeded(), ${{ variables['signingCondition'] }} ) # Executed when signing is enabled such as for continuous integration builds (CIs)
\ No newline at end of file
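Review bot: The `sbom` stage now depends on `nuget_signing`, but its `condition: succeeded('windows')` ignores that stage's result, so on a signing build the stage still starts when signing failed or was cancelled. Whether `SBOM_CI` is then held back depends on how the job-level `succeeded()` treats the earlier stage, which cannot be seen from this hunk. If it runs, the SBOM would describe `nuget/signed` content that is missing or incomplete. Stating the intent at stage level avoids relying on that: `condition: and(succeeded('windows'), in(dependencies.nuget_signing.result, 'Succeeded', 'SucceededWithIssues', 'Skipped'))`. The `SBOM_PR` condition is a bare `not(...)` with no success check of its own, so a comment there should say it relies on the stage-level condition.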