[ci] Add API Scan job (#1178)

Context: https://devdiv.visualstudio.com/DevDiv/_wiki/wikis/DevDiv.wiki/25351/APIScan-step-by-step-guide-to-setting-up-a-Pipeline

The ApiScan task has been added to pipeline runs against `main`.  This
task should help us identify related issues earlier, rather than having
to wait for a full scan of VS.

build-tools/automation/azure-pipelines.yaml

@@ -16,6 +16,10 @@ pr:
     - README.md
     - Documentation/*
 
+parameters:
+- name: ApiScanSourceBranch
+  default: 'refs/heads/main'
+
 # Global variables
 variables:
   RunningOnCI: true
@@ -57,19 +61,11 @@ jobs:
 
   - template: templates\fail-on-issue.yaml
 
-  - task: ArchiveFiles@2
+  - task: PublishPipelineArtifact@1
-    displayName: 'Archive build outputs'
+    displayName: Publish build artifacts
     inputs:
-      rootFolderOrFile: 'bin'
+      artifactName: artifacts
-      archiveType: 'zip'
+      targetPath: bin
-      archiveFile: '$(Build.ArtifactStagingDirectory)/bin-dotnet.zip'
-      replaceExistingArchive: true
-    condition: succeededOrFailed()
-
-  - task: PublishBuildArtifacts@1
-    displayName: 'Publish Artifact: debug'
-    inputs:
-      ArtifactName: debug
     condition: succeededOrFailed()
 
 - job: mac_dotnet_build
@@ -96,6 +92,72 @@ jobs:
   - template: templates\fail-on-issue.yaml
 
 
+- job: api_scan
+  displayName: API Scan
+  dependsOn: windows_dotnet_build
+  condition: and(eq(dependencies.windows_dotnet_build.result, 'Succeeded'), eq(variables['Build.SourceBranch'], '${{ parameters.ApiScanSourceBranch }}'))
+  pool:
+    name: Azure Pipelines
+    vmImage: windows-2022
+  timeoutInMinutes: 480
+  workspace:
+    clean: all
+  steps:
+  - task: DownloadPipelineArtifact@2
+    displayName: Download build artifacts
+    inputs:
+      artifactName: artifacts
+      downloadPath: $(Build.SourcesDirectory)
+
+    ### Copy .dll, .exe, .pdb files for APIScan
+  - task: CopyFiles@2
+    displayName: Collect Files for APIScan
+    inputs:
+      Contents: |
+        $(Build.SourcesDirectory)\$(Build.Configuration)$(NetCoreTargetFrameworkPathSuffix)\**\?(*.dll|*.exe|*.pdb)
+        !$(Build.SourcesDirectory)\**\jnimarshalmethod-gen.*
+        !$(Build.SourcesDirectory)\**\Mono.CSharp.dll
+        !$(Build.SourcesDirectory)\**\SgmlReader.exe
+        !$(Build.SourcesDirectory)\**\win-*\java-interop.dll
+      TargetFolder: $(Build.StagingDirectory)\apiscan
+      OverWrite: true
+      flattenFolders: true
+
+  - task: APIScan@2
+    displayName: Run APIScan
+    inputs:
+      softwareFolder: $(Build.StagingDirectory)\apiscan
+      symbolsFolder: 'SRV*http://symweb;$(Build.StagingDirectory)\apiscan'
+      softwareName: $(ApiScanName)
+      softwareVersionNum: $(Build.SourceBranchName)-$(Build.SourceVersion)$(System.JobAttempt)
+      isLargeApp: true
+      toolVersion: Latest
+    env:
+      AzureServicesAuthConnectionString: runAs=App;AppId=$(ApiScanClientId);TenantId=$(ApiScanTenant);AppKey=$(ApiScanSecret)
+
+  - task: SdtReport@2
+    displayName: Guardian Export - Security Report
+    inputs:
+      GdnExportAllTools: false
+      GdnExportGdnToolApiScan: true
+      GdnExportOutputSuppressionFile: source.gdnsuppress
+
+  - task: PublishSecurityAnalysisLogs@3
+    displayName: Publish Guardian Artifacts
+    inputs:
+      ArtifactName: APIScan Logs
+      ArtifactType: Container
+      AllTools: false
+      APIScan: true
+      ToolLogsNotFoundAction: Warning
+
+  - task: PostAnalysis@2
+    displayName: Fail Build on Guardian Issues
+    inputs:
+      GdnBreakAllTools: false
+      GdnBreakGdnToolApiScan: true
+
+
 - job: OneLocBuild
   displayName: OneLocBuild
   condition: and(eq(variables['System.TeamProject'], 'DevDiv'), eq(variables['Build.SourceBranch'], 'refs/heads/main'))