[CI] On-board the build pipeline to 1ES. (#20735)

Few comments:

1. Extends cannot be used on templates. So we have to do a single extend
and have duplicated code.
2. There are some common templates that we are working around using the
use1ES parameter.
3. We are reusing the configure steps on other pipelines. That step
should only be done in the build, that change is too big for this PR.
4. The governance template is no longer needed since the 1ES template
provides it.

---------

Co-authored-by: Rolf Bjarne Kvinge <rolf@xamarin.com>
Manuel de la Pena 2024-06-19 10:53:20 -04:00 коммит произвёл GitHub
Родитель fc6ce95b52
Коммит 9255b00592
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: B5690EEEBB952194
24 изменённых файлов: 698 добавлений и 483 удалений


@ -4,33 +4,267 @@
# YAML build pipeline based on the Jenkins multi-stage (main branch) build workflow
# https://jenkins.internalx.com/view/Xamarin.MaciOS/job/macios/job/main/
# https://jenkins.internalx.com/view/Xamarin.MaciOS/job/macios/configure
parameters:
- name: provisionatorChannel
displayName: Provisionator channel to use
type: string
default: 'latest'
- name: macOSName # comes from the build agent demand named macOS.Name
displayName: Name of the version of macOS to use
type: string
default: 'Sonoma'
- name: pool
type: string
displayName: Bot pool to use
default: automatic
values:
- pr
- ci
- automatic
- name: runGovernanceTests
displayName: Run Governance Checks
type: boolean
default: true
- name: forceInsertion
displayName: Force Insertion
type: boolean
default: false
- name: skipESRP
displayName: Skip ESRP
type: boolean
default: false # only to be used when testing the CI and we do not need a signed pkg
- name: pushNugets
type: boolean
default: true
- name: pushNugetsToMaestro
type: boolean
default: true
- name: testConfigurations
displayName: Test configurations to run
type: object
default: []
- name: deviceTestsConfigurations
displayName: Device test configurations to run
type: object
default: [
{
testPrefix: 'iOS64',
stageName: 'ios64b_device',
displayName: 'iOS64 Device Tests',
testPool: 'VSEng-Xamarin-Mac-Devices',
testsLabels: '--label=run-ios-tests,run-non-monotouch-tests,run-monotouch-tests,run-mscorlib-tests',
statusContext: 'VSTS: device tests iOS',
makeTarget: 'vsts-device-tests',
extraBotDemands: [
'ios',
]
},
{
testPrefix: 'tvos',
stageName: 'tvos_device',
displayName: 'tvOS Device Tests',
testPool: 'VSEng-Xamarin-Mac-Devices',
testsLabels: '--label=run-tvos-tests,run-non-monotouch-tests,run-monotouch-tests,run-mscorlib-tests',
statusContext: 'VSTS: device tests tvOS',
makeTarget: 'vsts-device-tests',
extraBotDemands: [
'tvos',
]
}]
- name: macTestsConfigurations
displayName: macOS test configurations to run
type: object
default: [
{
stageName: 'mac_11_m1',
displayName: 'M1 - Mac Big Sur (11)',
macPool: 'VSEng-VSMac-Xamarin-Shared',
useImage: false,
statusContext: 'M1 - Mac Big Sur (11)',
demands: [
"Agent.OS -equals Darwin",
"macOS.Name -equals BigSur",
"macOS.Architecture -equals arm64",
"Agent.HasDevices -equals False",
"Agent.IsPaired -equals False"
]
},
{
stageName: 'mac_12_m1',
displayName: 'M1 - Mac Ventura (12)',
macPool: 'VSEng-VSMac-Xamarin-Shared',
useImage: false,
statusContext: 'M1 - Mac Monterey (12)',
demands: [
"Agent.OS -equals Darwin",
"macOS.Name -equals Monterey",
"macOS.Architecture -equals arm64",
"Agent.HasDevices -equals False",
"Agent.IsPaired -equals False"
]
},
{
stageName: 'mac_13_m1',
displayName: 'M1 - Mac Ventura (13)',
macPool: 'VSEng-VSMac-Xamarin-Shared',
useImage: false,
statusContext: 'M1 - Mac Ventura (13)',
demands: [
"Agent.OS -equals Darwin",
"macOS.Name -equals Ventura",
"macOS.Architecture -equals arm64",
"Agent.HasDevices -equals False",
"Agent.IsPaired -equals False"
]
},
{
stageName: 'mac_14_x64',
displayName: 'X64 - Mac Sonoma (14)',
macPool: 'VSEng-Xamarin-RedmondMacBuildPool-iOS-Untrusted',
useImage: false,
statusContext: 'X64 - Mac Sonoma (14)',
demands: [
"Agent.OS -equals Darwin",
"macOS.Name -equals Sonoma",
"macOS.Architecture -equals x64",
"Agent.HasDevices -equals False",
"Agent.IsPaired -equals False"
]
}]
resources:
repositories:
- repository: self
checkoutOptions:
submodules: true
- repository: yaml-templates
type: github
name: xamarin/yaml-templates
ref: refs/heads/main
endpoint: xamarin
- repository: sdk-insertions
type: github
name: xamarin/sdk-insertions
ref: refs/heads/main
endpoint: xamarin
- repository: maccore
type: github
name: xamarin/maccore
ref: refs/heads/main
endpoint: xamarin
- repository: release-scripts
type: github
name: xamarin/release-scripts
ref: refs/heads/only_codesign
endpoint: xamarin
- repository: CustomPipelineTemplates
type: git
name: 1ESPipelineTemplates/MicroBuildTemplate
variables:
- ${{ if contains(variables['Build.DefinitionName'], 'private') }}:
- template: templates/vsts-variables.yml
- template: templates/common/vs-release-vars.yml@sdk-insertions
- template: templates/variables.yml
- name: MicrobuildConnector
value: 'MicroBuild Signing Task (DevDiv)'
- name: MaciosUploadPrefix
value: ''
- name: DisablePipelineConfigDetector
value: true
trigger:
branches:
include:
- '*'
- '*'
exclude:
- refs/heads/locfiles/*
- refs/heads/dev/*
- refs/heads/locfiles/*
- refs/heads/dev/*
paths:
exclude:
- .github
- docs
- CODEOWNERS
- ISSUE_TEMPLATE.md
- LICENSE
- NOTICE.txt
- SECURITY.MD
- README.md
- src/README.md
- tools/mtouch/README.md
- msbuild/Xamarin.Localization.MSBuild/README.md
- .github
- docs
- CODEOWNERS
- ISSUE_TEMPLATE.md
- LICENSE
- NOTICE.txt
- SECURITY.MD
- README.md
- src/README.md
- tools/mtouch/README.md
- msbuild/Xamarin.Localization.MSBuild/README.md
extends:
template: templates/pipelines/build-pipeline.yml
template: azure-pipelines/MicroBuild.1ES.Official.yml@CustomPipelineTemplates
parameters:
isPR: false
signingSetupSteps:
- template: ./templates/sign-and-notarized/setup.yml
parameters:
isPR: false
pool: # default pool to be used for validation jobs
name: AzurePipelines-EO
image: 1ESPT-Windows2022
os: windows
sdl:
baseline:
baselineFile: '$(System.DefaultWorkingDirectory)\\maccore\\tools\\devops\\baselines.gdnbaselines'
suppression:
suppressionFile: '$(System.DefaultWorkingDirectory)\\maccore\\tools\\devops\\suppress.gdnsuppress'
sourceAnalysisPool:
name: AzurePipelines-EO
image: 1ESPT-Windows2022
os: windows
tsa:
configFile: '$(System.DefaultWorkingDirectory)\\maccore\\tools\\devops\\tsa_config.gdntsa'
sbom:
enabled: false # we run our on sbom generation
credscan:
suppressionsFile: '$(System.DefaultWorkingDirectory)\\maccore\\tools\\devops\\CredScanSuppressions.json'
outputFormat: sarif
debugMode: false
batchSize: 16
policheck:
exclusionsFile: '$(System.DefaultWorkingDirectory)\\maccore\\tools\\devops\\PoliCheckExclusions.xml'
sourceRepositoriesToScan:
runInSingleJob: true # run both maccore and macios in the same job
include:
- repository: maccore
exclude:
- repository: yaml-templates
- repository: sdk-insertions
- repository: release-scripts
stages:
- template: templates/main-stage.yml
parameters:
xcodeChannel: Stable
macOSName: ${{ parameters.macOSName }}
isPR: false
provisionatorChannel: ${{ parameters.provisionatorChannel }}
pool: ${{ parameters.pool }}
runGovernanceTests: ${{ parameters.runGovernanceTests }}
forceInsertion: ${{ parameters.forceInsertion }}
skipESRP: ${{ parameters.skipESRP }}
pushNugets: ${{ parameters.pushNugets }}
pushNugetsToMaestro: ${{ parameters.pushNugetsToMaestro }}
${{ if ne(length(parameters.testConfigurations), 0)}}:
testConfigurations: ${{ parameters.testConfigurations }}
deviceTestsConfigurations: ${{ parameters.deviceTestsConfigurations }}
macTestsConfigurations: ${{ parameters.macTestsConfigurations }}
azureStorage: ${{ variables['azureStorage'] }}
azureContainer: ${{ variables['azureContainer'] }}
signingSetupSteps:
- template: ./templates/sign-and-notarized/setup.yml
parameters:
isPR: false
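Review bot: The `CustomPipelineTemplates` resource is declared without a `ref`, so `azure-pipelines/MicroBuild.1ES.Official.yml@CustomPipelineTemplates` resolves from that repository's default branch on every run, and `release-scripts` is taken from the branch `refs/heads/only_codesign`. This definition carries the signing setup steps and the NuGet push parameters, so I would pin both: add an explicit `ref: refs/tags/release` to the 1ES resource (the tag the 1ES onboarding guidance uses; confirm it for this organisation) and point the signing scripts at a tag instead of a branch. Separately, in `macTestsConfigurations` the `mac_12_m1` entry has `displayName: 'M1 - Mac Ventura (12)'` while its demand and `statusContext` say Monterey; it should read `displayName: 'M1 - Mac Monterey (12)'`. Both points apply unchanged to the PR pipeline definition in the next file section.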


@ -5,32 +5,266 @@
# https://jenkins.internalx.com/view/Xamarin.MaciOS/job/macios/job/main/
# https://jenkins.internalx.com/view/Xamarin.MaciOS/job/macios/configure
parameters:
- name: provisionatorChannel
displayName: Provisionator channel to use
type: string
default: 'latest'
- name: macOSName # comes from the build agent demand named macOS.Name
displayName: Name of the version of macOS to use
type: string
default: 'Sonoma'
- name: pool
type: string
displayName: Bot pool to use
default: automatic
values:
- pr
- ci
- automatic
- name: runGovernanceTests
displayName: Run Governance Checks
type: boolean
default: true
- name: forceInsertion
displayName: Force Insertion
type: boolean
default: false
- name: skipESRP
displayName: Skip ESRP
type: boolean
default: false # only to be used when testing the CI and we do not need a signed pkg
- name: pushNugets
type: boolean
default: true
- name: pushNugetsToMaestro
type: boolean
default: true
- name: testConfigurations
displayName: Test configurations to run
type: object
default: []
- name: deviceTestsConfigurations
displayName: Device test configurations to run
type: object
default: [
{
testPrefix: 'iOS64',
stageName: 'ios64b_device',
displayName: 'iOS64 Device Tests',
testPool: 'VSEng-Xamarin-Mac-Devices',
testsLabels: '--label=run-ios-tests,run-non-monotouch-tests,run-monotouch-tests,run-mscorlib-tests',
statusContext: 'VSTS: device tests iOS',
makeTarget: 'vsts-device-tests',
extraBotDemands: [
'ios',
]
},
{
testPrefix: 'tvos',
stageName: 'tvos_device',
displayName: 'tvOS Device Tests',
testPool: 'VSEng-Xamarin-Mac-Devices',
testsLabels: '--label=run-tvos-tests,run-non-monotouch-tests,run-monotouch-tests,run-mscorlib-tests',
statusContext: 'VSTS: device tests tvOS',
makeTarget: 'vsts-device-tests',
extraBotDemands: [
'tvos',
]
}]
- name: macTestsConfigurations
displayName: macOS test configurations to run
type: object
default: [
{
stageName: 'mac_11_m1',
displayName: 'M1 - Mac Big Sur (11)',
macPool: 'VSEng-VSMac-Xamarin-Shared',
useImage: false,
statusContext: 'M1 - Mac Big Sur (11)',
demands: [
"Agent.OS -equals Darwin",
"macOS.Name -equals BigSur",
"macOS.Architecture -equals arm64",
"Agent.HasDevices -equals False",
"Agent.IsPaired -equals False"
]
},
{
stageName: 'mac_12_m1',
displayName: 'M1 - Mac Ventura (12)',
macPool: 'VSEng-VSMac-Xamarin-Shared',
useImage: false,
statusContext: 'M1 - Mac Monterey (12)',
demands: [
"Agent.OS -equals Darwin",
"macOS.Name -equals Monterey",
"macOS.Architecture -equals arm64",
"Agent.HasDevices -equals False",
"Agent.IsPaired -equals False"
]
},
{
stageName: 'mac_13_m1',
displayName: 'M1 - Mac Ventura (13)',
macPool: 'VSEng-VSMac-Xamarin-Shared',
useImage: false,
statusContext: 'M1 - Mac Ventura (13)',
demands: [
"Agent.OS -equals Darwin",
"macOS.Name -equals Ventura",
"macOS.Architecture -equals arm64",
"Agent.HasDevices -equals False",
"Agent.IsPaired -equals False"
]
},
{
stageName: 'mac_14_x64',
displayName: 'X64 - Mac Sonoma (14)',
macPool: 'VSEng-Xamarin-RedmondMacBuildPool-iOS-Untrusted',
useImage: false,
statusContext: 'X64 - Mac Sonoma (14)',
demands: [
"Agent.OS -equals Darwin",
"macOS.Name -equals Sonoma",
"macOS.Architecture -equals x64",
"Agent.HasDevices -equals False",
"Agent.IsPaired -equals False"
]
}]
resources:
repositories:
- repository: self
checkoutOptions:
submodules: true
- repository: yaml-templates
type: github
name: xamarin/yaml-templates
ref: refs/heads/main
endpoint: xamarin
- repository: sdk-insertions
type: github
name: xamarin/sdk-insertions
ref: refs/heads/main
endpoint: xamarin
- repository: maccore
type: github
name: xamarin/maccore
ref: refs/heads/main
endpoint: xamarin
- repository: release-scripts
type: github
name: xamarin/release-scripts
ref: refs/heads/only_codesign
endpoint: xamarin
- repository: CustomPipelineTemplates
type: git
name: 1ESPipelineTemplates/MicroBuildTemplate
variables:
- template: templates/variables.yml
- template: templates/common/vs-release-vars.yml@sdk-insertions
- name: MicrobuildConnector
value: ''
- name: MaciosUploadPrefix
value: ''
- name: Packaging.EnableSBOMSigning
value: false
trigger: none
pr:
autoCancel: true
branches:
include:
- '*' # yes, you do need the quote, * has meaning in yamls
- '*' # yes, you do need the quote, * has meaning in yamls
paths:
exclude:
- .github
- docs
- CODEOWNERS
- ISSUE_TEMPLATE.md
- LICENSE
- NOTICE.txt
- SECURITY.MD
- README.md
- src/README.md
- tools/mtouch/README.md
- msbuild/Xamarin.Localization.MSBuild/README.md
- .github
- docs
- CODEOWNERS
- ISSUE_TEMPLATE.md
- LICENSE
- NOTICE.txt
- SECURITY.MD
- README.md
- src/README.md
- tools/mtouch/README.md
- msbuild/Xamarin.Localization.MSBuild/README.md
extends:
template: templates/pipelines/build-pipeline.yml
template: azure-pipelines/MicroBuild.1ES.Official.yml@CustomPipelineTemplates
parameters:
isPR: true
signingSetupSteps:
- template: ./templates/sign-and-notarized/setup.yml
parameters:
isPR: true
pool: # default pool to be used forvalidation jobs
name: AzurePipelines-EO
image: 1ESPT-Windows2022
os: windows
sdl:
baseline:
baselineFile: '$(System.DefaultWorkingDirectory)\\maccore\\tools\\devops\\baselines.gdnbaselines'
suppression:
suppressionFile: '$(System.DefaultWorkingDirectory)\\maccore\\tools\\devops\\suppress.gdnsuppress'
sourceAnalysisPool:
name: AzurePipelines-EO
image: 1ESPT-Windows2022
os: windows
tsa:
configFile: '$(System.DefaultWorkingDirectory)\\maccore\\tools\\devops\\tsa_config.gdntsa'
sbom:
enabled: false # we run our on sbom generation
credscan:
suppressionsFile: '$(System.DefaultWorkingDirectory)\\maccore\\tools\\devops\\CredScanSuppressions.json'
outputFormat: sarif
debugMode: false
batchSize: 16
policheck:
exclusionsFile: '$(System.DefaultWorkingDirectory)\\maccore\\tools\\devops\\PoliCheckExclusions.xml'
sourceRepositoriesToScan:
runInSingleJob: true # run both maccore and macios in the same job
include:
- repository: maccore
exclude:
- repository: yaml-templates
- repository: sdk-insertions
- repository: release-scripts
stages:
- template: templates/main-stage.yml
parameters:
xcodeChannel: Stable
macOSName: ${{ parameters.macOSName }}
isPR: true
provisionatorChannel: ${{ parameters.provisionatorChannel }}
pool: ${{ parameters.pool }}
runGovernanceTests: ${{ parameters.runGovernanceTests }}
forceInsertion: ${{ parameters.forceInsertion }}
skipESRP: ${{ parameters.skipESRP }}
pushNugets: ${{ parameters.pushNugets }}
pushNugetsToMaestro: ${{ parameters.pushNugetsToMaestro }}
${{ if ne(length(parameters.testConfigurations), 0)}}:
testConfigurations: ${{ parameters.testConfigurations }}
deviceTestsConfigurations: ${{ parameters.deviceTestsConfigurations }}
macTestsConfigurations: ${{ parameters.macTestsConfigurations }}
azureStorage: ${{ variables['azureStorage'] }}
azureContainer: ${{ variables['azureContainer'] }}
signingSetupSteps:
- template: ./templates/sign-and-notarized/setup.yml
parameters:
isPR: true
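Review bot: The PR definition still defaults `pushNugets` and `pushNugetsToMaestro` to `true` and passes `signingSetupSteps` to `templates/main-stage.yml`, while `pr.branches.include` is `'*'`. Every pull request build therefore starts with publishing enabled unless the stage template gates on `isPR: true`, and that gate is not visible in this section. Since the parameters are now duplicated per pipeline instead of shared, the PR copy can carry safer defaults, e.g. `default: false` on both push parameters. The PR build also extends `MicroBuild.1ES.Official.yml`; if the template repository offers a variant meant for validation builds, it may be the better fit here, and either way a one-line comment explaining the choice would help.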


@ -83,6 +83,7 @@ stages:
testsLabels: '--label=skip-all-tests,run-ios-tests,run-ios-simulator-tests,run-tvos-tests,run-watchos-tests,run-mac-tests,run-maccatalyst-tests,run-dotnet-tests,run-system-permission-tests,run-legacy-xamarin-tests'
statusContext: 'VSTS: simulator tests'
uploadArtifacts: true
use1ES: false
- stage: generate_api_diff
displayName: 'API diff'


@ -44,6 +44,7 @@ steps:
gitHubToken: ${{ parameters.gitHubToken }}
xqaCertPass: ${{ parameters.xqaCertPass }}
makeParallelism: '4'
use1ES: false
# detect changes
- bash: $(Build.SourcesDirectory)/xamarin-macios/tools/devops/automation/scripts/bash/compare.sh


@ -58,13 +58,12 @@ jobs:
RUN_MAC_TESTS: $[ stageDependencies.configure_build.configure.outputs['decisions.RUN_MAC_TESTS'] ]
condition: ne(stageDependencies.configure_build.configure.outputs['decisions.RUN_MAC_TESTS'],'')
pool:
os: macOS
name: $(AgentPoolComputed)
demands:
- Agent.OS -equals Darwin
- macOS.Name -equals ${{ parameters.macOSName }}
- XcodeChannel -equals ${{ parameters.xcodeChannel }}
workspace:
clean: all
steps:
- template: build-mac-tests.yml


@ -83,10 +83,10 @@ steps:
condition: succeededOrFailed()
# Publish all the binlogs we collected in the previous step
- task: PublishPipelineArtifact@1
- task: 1ES.PublishPipelineArtifact@1
displayName: 'Publish Artifact: All binlogs'
inputs:
targetPath: $(Build.ArtifactStagingDirectory)/mactests-binlogs
artifactName: '${{ parameters.uploadPrefix }}mactests-binlogs-$(Build.BuildId)-$(System.StageAttempt)-$(System.JobAttempt)'
path: $(Build.ArtifactStagingDirectory)/mactests-binlogs
artifact: '${{ parameters.uploadPrefix }}mactests-binlogs-$(Build.BuildId)-$(System.StageAttempt)-$(System.JobAttempt)'
continueOnError: true
condition: succeededOrFailed()


@ -71,11 +71,11 @@ steps:
name: workload_file
displayName: 'Generate "WorkloadRollback.json"'
- task: PublishPipelineArtifact@1
- task: 1ES.PublishPipelineArtifact@1
displayName: 'Publish WorkloadRollback.json'
inputs:
targetPath: $(Build.SourcesDirectory)/WorkloadRollback.json
artifactName: '${{ parameters.uploadPrefix }}WorkloadRollback'
path: $(Build.SourcesDirectory)/WorkloadRollback.json
artifact: '${{ parameters.uploadPrefix }}WorkloadRollback'
continueOnError: true
- bash: |
@ -99,19 +99,19 @@ steps:
name: pkg_versions_file
displayName: 'Generate PkgsVersions.json'
- task: PublishPipelineArtifact@1
- task: 1ES.PublishPipelineArtifact@1
displayName: 'Publish PkgsVersions.json'
inputs:
targetPath: $(Build.SourcesDirectory)/PkgsVersions.json
artifactName: '${{ parameters.uploadPrefix }}PkgsVersions'
path: $(Build.SourcesDirectory)/PkgsVersions.json
artifact: '${{ parameters.uploadPrefix }}PkgsVersions'
continueOnError: true
# upload each of the pkgs into the pipeline artifacts
- task: PublishPipelineArtifact@1
- task: 1ES.PublishPipelineArtifact@1
displayName: 'Publish Build Artifacts'
inputs:
targetPath: $(Build.SourcesDirectory)/package
artifactName: '${{ parameters.uploadPrefix }}not-signed-package'
path: $(Build.SourcesDirectory)/package
artifact: '${{ parameters.uploadPrefix }}not-signed-package'
continueOnError: true
- bash: |
@ -124,18 +124,18 @@ steps:
continueOnError: true # not a terrible blocking issue
timeoutInMinutes: 60
- task: PublishPipelineArtifact@1
- task: 1ES.PublishPipelineArtifact@1
displayName: 'Publish test libraries dependencies'
inputs:
targetPath: $(Build.SourcesDirectory)/xamarin-macios/tests/package-test-libraries.zip
artifactName: '${{ parameters.uploadPrefix }}package-test-libraries'
path: $(Build.SourcesDirectory)/xamarin-macios/tests/package-test-libraries.zip
artifact: '${{ parameters.uploadPrefix }}package-test-libraries'
continueOnError: true
- task: PublishPipelineArtifact@1
- task: 1ES.PublishPipelineArtifact@1
displayName: 'Publish Build.props'
inputs:
targetPath: $(Build.SourcesDirectory)/xamarin-macios/Build.props
artifactName: '${{ parameters.uploadPrefix }}Build.props'
path: $(Build.SourcesDirectory)/xamarin-macios/Build.props
artifact: '${{ parameters.uploadPrefix }}Build.props'
continueOnError: true
- ${{ if eq(parameters.uploadBinlogs, true) }}:
@ -149,10 +149,10 @@ steps:
condition: succeededOrFailed()
# Publish all the binlogs we collected in the previous step
- task: PublishPipelineArtifact@1
- task: 1ES.PublishPipelineArtifact@1
displayName: 'Publish Artifact: All binlogs'
inputs:
targetPath: $(Build.ArtifactStagingDirectory)/all-binlogs
artifactName: '${{ parameters.uploadPrefix }}all-binlogs-$(Build.BuildId)-$(System.StageAttempt)-$(System.JobAttempt)'
path: $(Build.ArtifactStagingDirectory)/all-binlogs
artifact: '${{ parameters.uploadPrefix }}all-binlogs-$(Build.BuildId)-$(System.StageAttempt)-$(System.JobAttempt)'
continueOnError: true
condition: succeededOrFailed()


@ -81,13 +81,12 @@ jobs:
XHARNESS_LABELS: $[ stageDependencies.configure_build.configure.outputs['labels.xharness_labels'] ]
RUN_MAC_TESTS: $[ stageDependencies.configure_build.configure.outputs['decisions.RUN_MAC_TESTS'] ]
pool:
os: macOS
name: $(AgentPoolComputed)
demands:
- Agent.OS -equals Darwin
- macOS.Name -equals ${{ parameters.macOSName }}
- XcodeChannel -equals ${{ parameters.xcodeChannel }}
workspace:
clean: all
steps:
- template: build-pkgs.yml


@ -39,6 +39,10 @@ parameters:
type: number
default: 3
- name: use1ES
type: boolean
default: true
steps:
- template: ../common/checkout.yml
@ -207,6 +211,7 @@ steps:
- template: ../common/teardown.yml
parameters:
keyringPass: ${{ parameters.keyringPass }}
use1ES: ${{ parameters.use1ES }}
# if we failed, write a comment and set the pipeline to failure. In this case, we do not want to hide the fact that we failed but we also want
# to write a comment.


@ -7,6 +7,10 @@ parameters:
type: boolean
default: false
- name: use1ES
type: boolean
default: false
- name: repositoryAlias
type: string
default: self
@ -98,9 +102,17 @@ steps:
# upload config to be consumed later
- ${{ if eq(parameters.uploadArtifacts, true) }}:
- task: PublishPipelineArtifact@1
displayName: 'Publish Artifact: configuration.json'
inputs:
targetPath: '$(Build.ArtifactStagingDirectory)/configuration.json'
artifactName: '${{ parameters.uploadPrefix }}build-configuration'
continueOnError: true
- ${{ if eq(parameters.use1ES, true) }}:
- task: 1ES.PublishPipelineArtifact@1
displayName: 'Publish Artifact: configuration.json'
inputs:
path: '$(Build.ArtifactStagingDirectory)/configuration.json'
artifact: '${{ parameters.uploadPrefix }}build-configuration'
continueOnError: true
- ${{ else }}:
- task: PublishPipelineArtifact@1
displayName: 'Publish Artifact: configuration.json'
inputs:
targetPath: '$(Build.ArtifactStagingDirectory)/configuration.json'
artifactName: '${{ parameters.uploadPrefix }}build-configuration'
continueOnError: true
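Review bot: The new `use1ES` parameter has no `displayName` or comment, and its default is inconsistent: `true` in the preceding file section, `false` here and in the two following templates. A caller that omits it silently gets the plain `PublishPipelineArtifact@1` task. I would document it at the declaration, e.g. `# set to true when the calling pipeline extends the 1ES template (selects 1ES.PublishPipelineArtifact@1)`, and consider dropping the default so every caller has to state it. The two branches of the `if`/`else` repeat `displayName` and `continueOnError`; only the task name and the `path`/`artifact` versus `targetPath`/`artifactName` inputs differ, which deserves a short comment so the copies are kept in sync.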


@ -33,6 +33,10 @@ parameters:
type: string
default: '$(MaciosUploadPrefix)'
- name: use1ES
type: boolean
default: false
steps:
- pwsh: >-
@ -49,14 +53,26 @@ steps:
# only upload when told so
- ${{ if eq(parameters.uploadLogs, true) }}:
- task: PublishPipelineArtifact@1
displayName: 'Publish Artifact: Agent logs'
condition: always()
inputs:
# add or not the working dir to the upload
${{ if eq(parameters.workingDirectory, '') }}:
targetPath: ${{ parameters.outputPath }}
${{ else }}:
targetPath: ${{ parameters.workingDirectory }}/${{ parameters.outputPath }}
artifactName: '${{ parameters.uploadPrefix }}$(Agent.Name)-$(System.JobName)-$(System.JobId)-${{ parameters.outputPath }}'
continueOnError: true
- ${{ if eq(parameters.use1ES, true) }}:
- task: 1ES.PublishPipelineArtifact@1
displayName: 'Publish Artifact: Agent logs'
condition: always()
inputs:
${{ if eq(parameters.workingDirectory, '') }}:
path: ${{ parameters.outputPath }}
${{ else }}:
path: ${{ parameters.workingDirectory }}/${{ parameters.outputPath }}
artifact: '${{ parameters.uploadPrefix }}$(Agent.Name)-$(System.JobName)-$(System.JobId)-${{ parameters.outputPath }}'
continueOnError: true
- ${{ else }}:
- task: PublishPipelineArtifact@1
displayName: 'Publish Artifact: Agent logs'
condition: always()
inputs:
# add or not the working dir to the upload
${{ if eq(parameters.workingDirectory, '') }}:
targetPath: ${{ parameters.outputPath }}
${{ else }}:
targetPath: ${{ parameters.workingDirectory }}/${{ parameters.outputPath }}
artifactName: '${{ parameters.uploadPrefix }}$(Agent.Name)-$(System.JobName)-$(System.JobId)-${{ parameters.outputPath }}'
continueOnError: true


@ -5,6 +5,10 @@ parameters:
- name: keyringPass
type: string
- name: use1ES
type: boolean
default: false
steps:
- pwsh: |
@ -30,3 +34,4 @@ steps:
- template: mac-agent-logs.yml
parameters:
outputPath: agent-logs.log
use1ES: ${{ parameters.use1ES }}


@ -88,9 +88,9 @@ steps:
GdnBreakOutputSuppressionFile: $(Build.ArtifactStagingDirectory)\GuardianSuppressions\falsepositives.gdnsuppress
GdnBreakOutputSuppressionSet: falsepositives
- task: PublishBuildArtifacts@1
- task: 1ES.PublishPipelineArtifact@1
displayName: Publish Artifact for Guardian Supressions
inputs:
PathtoPublish: $(Build.ArtifactStagingDirectory)\GuardianSuppressions
ArtifactName: Guardian Suppressions APIScan $(PLATFORM) $(VERSION)
path: $(Build.ArtifactStagingDirectory)\GuardianSuppressions
artifact: Guardian Suppressions APIScan $(PLATFORM) $(VERSION)
condition: failed()


@ -1,108 +0,0 @@
parameters:
- name: isPR
type: boolean
- name: repositoryAlias
type: string
default: self
- name: commit
type: string
default: HEAD
- name: uploadPrefix
type: string
default: '$(MaciosUploadPrefix)'
steps:
- template: ../common/checkout.yml
parameters:
isPR: ${{ parameters.isPR }}
repositoryAlias: ${{ parameters.repositoryAlias }}
commit: ${{ parameters.commit }}
- powershell: |
Write-Host 'Source dir $(Build.SourcesDirectory)'
Write-Host 'Working dir $System.DefaultWorkingDirectory)'
Dir $(Build.SourcesDirectory)
Dir $(System.DefaultWorkingDirectory)
displayName: Show directories
- powershell: |
Get-ChildItem -Recurse -Path $(Build.SourcesDirectory)/maccore
displayName: Show maccore content
- pwsh: $(System.DefaultWorkingDirectory)/xamarin-macios/tools/devops/automation/scripts/show_env.ps1
displayName: 'Show Environment'
- task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
displayName: 'Component Detection'
- task: CredScan@3
displayName: "Run CredScan"
inputs:
suppressionsFile: '$(System.DefaultWorkingDirectory)/maccore/tools/devops/CredScanSuppressions.json'
outputFormat: 'sarif'
verboseOutput: true
- task: PoliCheck@2
inputs:
inputType: 'Basic'
targetType: 'F'
targetArgument: '$(Build.SourcesDirectory)'
result: '$(Build.SourcesDirectory)/PoliCheck.xml'
optionsUEPATH: '$(System.DefaultWorkingDirectory)/maccore/tools/devops/PoliCheckExclusions.xml'
- task: SdtReport@2
displayName: Create Security Analysis Report
inputs:
GdnExportAllTools: false
GdnExportGdnToolCredScan: true
GdnExportGdnToolCredScanSeverity: 'error'
GdnExportGdnToolPoliCheck: true
GdnExportGdnToolPoliCheckSeverity: 'error'
- task: PublishSecurityAnalysisLogs@3
displayName: Publish Security Analysis Logs
inputs:
ArtifactName: 'CodeAnalysisLogs - General'
ArtifactType: 'Container'
AllTools: true
ToolLogsNotFoundAction: 'Standard'
- task: TSAUpload@2
inputs:
GdnPublishTsaOnboard: true
GdnPublishTsaConfigFile: '$(System.DefaultWorkingDirectory)\\maccore\\tools\\devops\\tsa_config.gdntsa'
GdnPublishTsaExportedResultsPublishable: true
displayName: Create bugs for compliance tools results
condition: succeededOrFailed()
env:
WorkingDirectory: '$(Build.SourcesDirectory)/xamarin-macios'
- task: PublishPipelineArtifact@1
displayName: 'Publish Artifact: Policheck Results'
inputs:
targetPath: '$(Build.SourcesDirectory)/PoliCheck.xml'
artifactName: '${{ parameters.uploadPrefix }}Policheck'
continueOnError: true
condition: always()
- task: securedevelopmentteam.vss-secure-development-tools.build-task-postanalysis.PostAnalysis@2
displayName: Break on compliance issues
inputs:
GdnBreakAllTools: true
GdnBreakSuppressionFiles: $(Build.SourcesDirectory)\maccore\tools\devops\falsepositives.gdnsuppress
GdnBreakSuppressionSets: falsepositives
GdnBreakOutputSuppressionFile: $(Build.ArtifactStagingDirectory)\GuardianSuppressions\falsepositives.gdnsuppress
GdnBreakOutputSuppressionSet: falsepositives
- task: PublishBuildArtifacts@1
displayName: Publish Artifact for Guardian Supressions
inputs:
PathtoPublish: $(Build.ArtifactStagingDirectory)\GuardianSuppressions
ArtifactName: Guardian Suppressions
condition: failed()


@ -19,7 +19,7 @@ parameters:
stages:
- stage: governance_checks
displayName: '${{ parameters.stageDisplayNamePrefix }}Governance Checks'
displayName: '${{ parameters.stageDisplayNamePrefix }}API Scan'
dependsOn: [ configure_build, build_packages]
jobs:
@ -31,7 +31,6 @@ stages:
demands:
- ImageOverride -equals 1ESPT-Windows2022
condition: ne(stageDependencies.configure_build.configure.outputs['apiscan_matrix.APISCAN_MATRIX'],'')
strategy:
matrix: $[ stageDependencies.configure_build.configure.outputs['apiscan_matrix.APISCAN_MATRIX'] ]
@ -41,15 +40,3 @@ stages:
isPR: ${{ parameters.isPR }}
repositoryAlias: ${{ parameters.repositoryAlias }}
commit: ${{ parameters.commit }}
- job: general_governance
displayName: 'Governance Checks'
pool:
vmImage: windows-latest
steps:
- template: ./general.yml
parameters:
isPR: ${{ parameters.isPR }}
repositoryAlias: ${{ parameters.repositoryAlias }}
commit: ${{ parameters.commit }}


@ -292,7 +292,10 @@ stages:
- job:
displayName: 'Clean comments'
pool:
vmImage: windows-latest
name: AzurePipelines-EO
demands:
- ImageOverride -equals 1ESPT-Windows2022
steps:
- template: ./common/clean.yml
@ -302,11 +305,12 @@ stages:
${{ if and(ne(parameters.dependsOn, ''), ne(parameters.dependsOnResult, '')) }}:
condition: eq(dependencies.${{ parameters.dependsOn }}.result, '${{ parameters.dependsOnResult }}')
jobs:
- ${{ if eq(parameters.pool, 'automatic') }}:
- job: AgentPoolSelector # https://docs.microsoft.com/en-us/azure/devops/pipelines/process/phases?view=azure-devops&tabs=yaml
pool: # Consider using an agentless (server) job here, but would need to host selection logic as an Azure function: https://docs.microsoft.com/en-us/azure/devops/pipelines/yaml-schema?view=azure-devops&tabs=schema#server
vmImage: ubuntu-latest
pool: # Consider using an agentless (server) job here, but would need to host selection logic as an Azure function: https://docs.microsoft.com/en-us/azure/devops/pipelines/yaml-schema?view=azure-devops&tabs=schema#server
name: AzurePipelines-EO
demands:
- ImageOverride -equals 1ESPT-Windows2022
steps:
- checkout: none # https://docs.microsoft.com/en-us/azure/devops/pipelines/yaml-schema?view=azure-devops&tabs=schema#checkout
@ -321,7 +325,9 @@ stages:
- job: configure
displayName: 'Configure build'
pool:
vmImage: windows-latest
name: AzurePipelines-EO
demands:
- ImageOverride -equals 1ESPT-Windows2022
variables:
isMain: $[eq(variables['Build.SourceBranch'], 'refs/heads/main')]
@ -338,6 +344,7 @@ stages:
testsLabels: '--label=skip-all-tests,run-ios-tests,run-ios-simulator-tests,run-tvos-tests,run-watchos-tests,run-mac-tests,run-maccatalyst-tests,run-dotnet-tests,run-system-permission-tests,run-legacy-xamarin-tests'
statusContext: 'VSTS: simulator tests'
uploadArtifacts: true
use1ES: true
- stage: build_packages
displayName: '${{ parameters.stageDisplayNamePrefix }}Build'
@ -434,4 +441,4 @@ stages:
azureContainer: ${{ parameters.azureContainer }}
packages: # flatten the pkgs for the parameter
- ${{ each pkg in parameters.legacyPackageJobs }}:
- ${{ pkg }}
- ${{ pkg }}
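Review bot: `AgentPoolSelector` moves from `vmImage: ubuntu-latest` to the Windows image `1ESPT-Windows2022`, and the job's steps lie outside this hunk, so any `bash` step or POSIX path in them needs to be checked on the new image. The three jobs changed here select the image with `demands: - ImageOverride -equals 1ESPT-Windows2022`, whereas the `extends` parameters in the pipeline definitions use `image: 1ESPT-Windows2022` with `os: windows`. If the template accepts that form at job level, using it throughout would make the pool declarations easier to audit; otherwise a comment on the first `demands` block saying why the override is needed would do.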


@ -1,224 +0,0 @@
# template that can be extended by pipelines that will be used to build the project. This
# allows to share te parameters and resources.
parameters:
- name: provisionatorChannel
displayName: Provisionator channel to use
type: string
default: 'latest'
- name: macOSName # comes from the build agent demand named macOS.Name
displayName: Name of the version of macOS to use
type: string
default: 'Sonoma'
- name: pool
type: string
displayName: Bot pool to use
default: automatic
values:
- pr
- ci
- automatic
- name: runGovernanceTests
displayName: Run Governance Checks
type: boolean
default: true
- name: forceInsertion
displayName: Force Insertion
type: boolean
default: false
- name: skipESRP
displayName: Skip ESRP
type: boolean
default: false # only to be used when testing the CI and we do not need a signed pkg
- name: pushNugets
type: boolean
default: true
- name: pushNugetsToMaestro
type: boolean
default: true
- name: isPR
displayName: Is PR build
type: boolean
default: false
- name: signingSetupSteps
type: stepList
default: []
- name: testConfigurations
displayName: Test configurations to run
type: object
default: []
- name: deviceTestsConfigurations
displayName: Device test configurations to run
type: object
default: [
{
testPrefix: 'iOS64',
stageName: 'ios64b_device',
displayName: 'iOS64 Device Tests',
testPool: 'VSEng-Xamarin-Mac-Devices',
testsLabels: '--label=run-ios-tests,run-non-monotouch-tests,run-monotouch-tests,run-mscorlib-tests',
statusContext: 'VSTS: device tests iOS',
makeTarget: 'vsts-device-tests',
extraBotDemands: [
'ios',
]
},
{
testPrefix: 'tvos',
stageName: 'tvos_device',
displayName: 'tvOS Device Tests',
testPool: 'VSEng-Xamarin-Mac-Devices',
testsLabels: '--label=run-tvos-tests,run-non-monotouch-tests,run-monotouch-tests,run-mscorlib-tests',
statusContext: 'VSTS: device tests tvOS',
makeTarget: 'vsts-device-tests',
extraBotDemands: [
'tvos',
]
}]
- name: macTestsConfigurations
displayName: macOS test configurations to run
type: object
default: [
{
stageName: 'mac_11_m1',
displayName: 'M1 - Mac Big Sur (11)',
macPool: 'VSEng-VSMac-Xamarin-Shared',
useImage: false,
statusContext: 'M1 - Mac Big Sur (11)',
demands: [
"Agent.OS -equals Darwin",
"macOS.Name -equals BigSur",
"macOS.Architecture -equals arm64",
"Agent.HasDevices -equals False",
"Agent.IsPaired -equals False"
]
},
{
stageName: 'mac_12_m1',
displayName: 'M1 - Mac Ventura (12)',
macPool: 'VSEng-VSMac-Xamarin-Shared',
useImage: false,
statusContext: 'M1 - Mac Monterey (12)',
demands: [
"Agent.OS -equals Darwin",
"macOS.Name -equals Monterey",
"macOS.Architecture -equals arm64",
"Agent.HasDevices -equals False",
"Agent.IsPaired -equals False"
]
},
{
stageName: 'mac_13_m1',
displayName: 'M1 - Mac Ventura (13)',
macPool: 'VSEng-VSMac-Xamarin-Shared',
useImage: false,
statusContext: 'M1 - Mac Ventura (13)',
demands: [
"Agent.OS -equals Darwin",
"macOS.Name -equals Ventura",
"macOS.Architecture -equals arm64",
"Agent.HasDevices -equals False",
"Agent.IsPaired -equals False"
]
},
{
stageName: 'mac_14_x64',
displayName: 'X64 - Mac Sonoma (14)',
macPool: 'VSEng-Xamarin-RedmondMacBuildPool-iOS-Untrusted',
useImage: false,
statusContext: 'X64 - Mac Sonoma (14)',
demands: [
"Agent.OS -equals Darwin",
"macOS.Name -equals Sonoma",
"macOS.Architecture -equals x64",
"Agent.HasDevices -equals False",
"Agent.IsPaired -equals False"
]
}]
resources:
repositories:
- repository: self
checkoutOptions:
submodules: true
- repository: yaml-templates
type: github
name: xamarin/yaml-templates
ref: refs/heads/main
endpoint: xamarin
- repository: sdk-insertions
type: github
name: xamarin/sdk-insertions
ref: refs/heads/main
endpoint: xamarin
- repository: maccore
type: github
name: xamarin/maccore
ref: refs/heads/main
endpoint: xamarin
- repository: release-scripts
type: github
name: xamarin/release-scripts
ref: refs/heads/only_codesign
endpoint: xamarin
variables:
- ${{ if eq(parameters.isPR, false) }}:
- ${{ if contains(variables['Build.DefinitionName'], 'private') }}:
- template: ../vsts-variables.yml
- template: templates/common/vs-release-vars.yml@sdk-insertions
- template: ../variables.yml
- name: MicrobuildConnector
value: 'MicroBuild Signing Task (DevDiv)'
- name: MaciosUploadPrefix
value: ''
- name: DisablePipelineConfigDetector
value: true
- ${{ else }}:
- template: ../variables.yml
- template: templates/common/vs-release-vars.yml@sdk-insertions
- name: MicrobuildConnector
value: ''
- name: MaciosUploadPrefix
value: ''
- name: Packaging.EnableSBOMSigning
value: false
stages:
- template: ../main-stage.yml
parameters:
xcodeChannel: Stable
macOSName: ${{ parameters.macOSName }}
isPR: ${{ parameters.isPR }}
provisionatorChannel: ${{ parameters.provisionatorChannel }}
pool: ${{ parameters.pool }}
runGovernanceTests: ${{ parameters.runGovernanceTests }}
forceInsertion: ${{ parameters.forceInsertion }}
skipESRP: ${{ parameters.skipESRP }}
pushNugets: ${{ parameters.pushNugets }}
pushNugetsToMaestro: ${{ parameters.pushNugetsToMaestro }}
${{ if ne(length(parameters.testConfigurations), 0)}}:
testConfigurations: ${{ parameters.testConfigurations }}
deviceTestsConfigurations: ${{ parameters.deviceTestsConfigurations }}
macTestsConfigurations: ${{ parameters.macTestsConfigurations }}
azureStorage: ${{ variables['azureStorage'] }}
azureContainer: ${{ variables['azureContainer'] }}
signingSetupSteps: ${{ parameters.signingSetupSteps }}


@ -37,12 +37,15 @@ steps:
patterns: |
*.nupkg
- task: NuGetCommand@2
displayName: Publish Nugets to dotnet6
- task: 1ES.PublishNuget@1
displayName: Publish Nuget package
inputs:
command: push
packagesToPush: $(Build.SourcesDirectory)/package/*.nupkg
useDotNetTask: false # The default is false to use the NuGetCommand task. Set to true to use the DotNetCoreCLI task to publish packages.
packagesToPush: '$(Build.SourcesDirectory)/package/*.nupkg'
packageParentPath: '$(Build.SourcesDirectory)/package'
nuGetFeedType: external
allowPackageConflicts: true # Optional. NuGetCommand task only.
publishPackageMetadata: true # Optional
publishFeedCredentials: variables['nuget-feed']
- task: DownloadPipelineArtifact@2
@ -52,10 +55,13 @@ steps:
patterns: |
*.nupkg
- task: NuGetCommand@2
displayName: Publish Nugets to dotnet6
- task: 1ES.PublishNuget@1
displayName: Publish MSI Nugets package
inputs:
command: push
packagesToPush: $(Build.SourcesDirectory)/vs-msi-nugets/*.nupkg
useDotNetTask: false
packagesToPush: '$(Build.SourcesDirectory)/vs-msi-nugets/*.nupkg'
packageParentPath: '$(Build.SourcesDirectory)/vs-msi-nugets'
nuGetFeedType: external
allowPackageConflicts: true
publishPackageMetadata: true
publishFeedCredentials: variables['nuget-feed']
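Review bot: `publishFeedCredentials: variables['nuget-feed']` in both publish steps is not a pipeline expression, so the task receives that text literally as the service connection name. A bare `variables[...]` is only evaluated inside `${{ }}`, `$[ ]` or a `condition:`, so unless a connection with exactly that name exists the push cannot resolve its credentials. The line appears to predate this commit, but the move to `1ES.PublishNuget@1` is a good moment to fix it, e.g. `publishFeedCredentials: ${{ variables['nuget-feed'] }}` if the variable is known at template-expansion time, or the connection name written out. The enclosing steps list starts outside the hunks.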


@ -52,6 +52,7 @@ stages:
# Check - "xamarin-macios (Prepare Release Sign NuGets)"
- template: sign-artifacts/jobs/v2.yml@yaml-templates
parameters:
use1ESTemplate: true
signedArtifactName: '${{ parameters.uploadPrefix }}nuget-signed'
artifactName: '${{ parameters.uploadPrefix }}not-signed-package'
signType: Real
@ -61,6 +62,7 @@ stages:
# Check - "xamarin-macios (Prepare Release Convert NuGet to MSI)"
- template: nuget-msi-convert/job/v3.yml@yaml-templates
parameters:
use1ESTemplate: true
yamlResourceName: yaml-templates
dependsOn: signing
artifactName: '${{ parameters.uploadPrefix }}nuget-signed'
@ -109,7 +111,9 @@ stages:
- ${{ if eq(parameters.isPR, false) }}:
- group: Publish-Build-Assets
pool:
vmImage: windows-latest
name: AzurePipelines-EO
demands:
- ImageOverride -equals 1ESPT-Windows2022
steps:
- task: DownloadPipelineArtifact@2
inputs:
@ -118,6 +122,17 @@ stages:
patterns: |
*.nupkg
- task: 1ES.PublishNuget@1
displayName: Publish Nugets package
inputs:
useDotNetTask: false # The default is false to use the NuGetCommand task. Set to true to use the DotNetCoreCLI task to publish packages.
packagesToPush: '$(Build.SourcesDirectory)/package/*.nupkg'
packageParentPath: '$(Build.SourcesDirectory)/package'
nuGetFeedType: external
allowPackageConflicts: true # Optional. NuGetCommand task only.
publishPackageMetadata: true # Optional
publishFeedCredentials: dnceng-dotnet8
- task: DownloadPipelineArtifact@2
inputs:
artifactName: '${{ parameters.uploadPrefix }}vs-msi-nugets'
@ -125,6 +140,17 @@ stages:
patterns: |
*.nupkg
- task: 1ES.PublishNuget@1
displayName: Publish MSI Nugets package
inputs:
useDotNetTask: false
packagesToPush: '$(Build.SourcesDirectory)/${{ parameters.uploadPrefix }}vs-msi-nugets/*.nupkg'
packageParentPath: '$(Build.SourcesDirectory)/${{ parameters.uploadPrefix }}vs-msi-nugets'
nuGetFeedType: external
allowPackageConflicts: true
publishPackageMetadata: true
publishFeedCredentials: dnceng-dotnet8
- pwsh: |
mkdir $(Build.SourcesDirectory)/nugets-blob
cp $(Build.SourcesDirectory)/package/* $(Build.SourcesDirectory)/nugets-blob
@ -205,10 +231,10 @@ stages:
workingDirectory: $(Build.SourcesDirectory)\..
condition: and(succeeded(), eq('${{ parameters.pushNugetsToMaestro }}', 'true'))
- task: PublishPipelineArtifact@1
- task: 1ES.PublishPipelineArtifact@1
displayName: 'Publish Artifact: maestro-binlogs'
inputs:
targetPath: $(Build.ArtifactStagingDirectory)/maestro-binlogs
artifactName: ${{ parameters.uploadPrefix }}maestro-binlogs-$(System.JobAttempt)
path: $(Build.ArtifactStagingDirectory)/maestro-binlogs
artifact: ${{ parameters.uploadPrefix }}maestro-binlogs-$(System.JobAttempt)
condition: and(succeededOrFailed(), eq('${{ parameters.pushNugetsToMaestro }}', 'true'))
continueOnError: true
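Review bot: In the two added `1ES.PublishNuget@1` steps the inline comments (`# Optional. NuGetCommand task only.`, `# Optional`, and the `useDotNetTask` text) are copied task documentation and do not say why this pipeline sets the values. `allowPackageConflicts: true` is the one that needs a reason: where the task honours it, a package the feed rejects as a duplicate no longer fails the step, so a green run does not by itself show that `dnceng-dotnet8` holds the packages from this build. I would replace the copied text with the intent, e.g. `allowPackageConflicts: true # re-runs must not fail on versions already pushed`, if that is the reason. The steps list continues outside the hunk.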


@ -29,14 +29,15 @@ jobs:
displayName: 'Collect signed artifacts'
condition: and(not(failed()), not(canceled())) # default is succeded(), but that fails if there are any skipped jobs, so change the condition to !failed && !cancelled
timeoutInMinutes: 1000
pool:
vmImage: internal-macos-11
workspace:
clean: all
variables:
AgentPoolComputed: $[ stageDependencies.configure_build.AgentPoolSelector.outputs['setAgentPool.AgentPoolComputed'] ]
${{ each pkg in parameters.packages }}:
${{ pkg.conditionVariable }}: $[ stageDependencies.configure_build.configure.outputs['configure_platforms.${{ pkg.conditionVariable }}'] ]
pool:
os: macOS
name: $(AgentPoolComputed)
steps:
# DO NOT USE THE checkout.yml template. The reason is that the template changes the hash which results in a problem with the artifacts scripts
@ -105,11 +106,11 @@ jobs:
allowFailedBuilds: true
path: $(Build.SourcesDirectory)/package-internal
- task: PublishPipelineArtifact@1
displayName: 'Publish Build Internal Artifacts'
- task: 1ES.PublishPipelineArtifact@1
displayName: 'Publish Build Artifacts (notarized)'
inputs:
targetPath: $(Build.SourcesDirectory)/package-internal
artifactName: '${{ parameters.uploadPrefix }}package-internal'
path: $(Build.SourcesDirectory)/package-internal
artifact: '${{ parameters.uploadPrefix }}package-internal'
continueOnError: true
# download msbuild.zip and bundle.zip to the 'package' dir, so that they're uploaded into the 'package' artifact,
@ -131,11 +132,11 @@ jobs:
ls -la "$BUILD_SOURCESDIRECTORY"/package
displayName: Copy msbuild.zip and bundle.zip to the package artifact
- task: PublishPipelineArtifact@1
- task: 1ES.PublishPipelineArtifact@1
displayName: 'Publish Build Artifacts (notarized)'
inputs:
targetPath: $(Build.SourcesDirectory)/package
artifactName: '${{ parameters.uploadPrefix }}package'
path: $(Build.SourcesDirectory)/package
artifact: '${{ parameters.uploadPrefix }}package'
continueOnError: true
# This job uploads the pkgs generated by the build step in the azure blob storage. This has to be done in a different job
@ -144,6 +145,16 @@ jobs:
- job: upload_azure_blob
displayName: 'Upload packages to Azure & SBOM'
timeoutInMinutes: 1000
templateContext: # disable some of the sdl tasks for this job
sdl:
credscan: # run in the sdl stage
enabled: false
binskim: # job does not compile anything
enabled: false
eslint: # no js or anything similar
enabled: false
bandit: # we have no python
enabled: false
dependsOn:
- funnel_job
condition: and(not(failed()), not(canceled())) # default is succeded(), but that fails if there are any skipped jobs, so change the condition to !failed && !cancelled
@ -157,9 +168,7 @@ jobs:
pool:
name: azurepipelines-EO
demands:
- ImageOverride -equals AzurePipelinesWindows2022compliant
workspace:
clean: all
- ImageOverride -equals 1ESPT-Windows2022
steps:
- template: upload-azure.yml
parameters:
@ -181,9 +190,9 @@ jobs:
TESTS_BOT: $[ stageDependencies.build_packages.build.outputs['build.TESTS_BOT'] ] # we build in a diff bot than the ones used for the comments
GIT_HASH: $[ stageDependencies.build_packages.build.outputs['fix_commit.GIT_HASH'] ]
pool:
vmImage: windows-latest
workspace:
clean: all
name: AzurePipelines-EO
demands:
- ImageOverride -equals 1ESPT-Windows2022
steps:
- template: artifact-github-comment.yml
parameters:
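Review bot: The pool changes for `upload_azure_blob` and for the job that posts the GitHub comment also drop `workspace:` / `clean: all`, and nothing in these hunks replaces it. Whether agents behind `AzurePipelines-EO` with `1ESPT-Windows2022` are single-use is not visible here; if they are reused, files left in `$(Build.SourcesDirectory)` by an earlier run could end up in what the upload job sends to blob storage. The same removal happens in the signing job of the next file section, which moves to the named pool `VSEng-Xamarin-RedmondMacBuildPool-iOS-Trusted`, where a stale workspace would matter most. Either keep `clean: all` on these jobs or add a comment such as `# agents are ephemeral, no workspace clean needed` once that is confirmed. The job bodies continue outside the hunks.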


@ -34,9 +34,8 @@ jobs:
condition: ne(stageDependencies.configure_build.configure.outputs['configure_platforms.${{ pkg.conditionVariable }}'],'')
timeoutInMinutes: 1000
pool:
vmImage: internal-macos-11
workspace:
clean: all
name: 'VSEng-Xamarin-RedmondMacBuildPool-iOS-Trusted' # always use the trusted pool for signing.
os: macOS
steps:
- template: sign-and-notarized.yml


@ -53,6 +53,9 @@ steps:
version: 3.x
displayName: 'Install .NET Core SDK 3.x needed for ESRP'
- pwsh: $(System.DefaultWorkingDirectory)/xamarin-macios/tools/devops/automation/scripts/show_env.ps1
displayName: 'Show Environment'
- task: MicroBuildSigningPlugin@4
displayName: 'Install Signing Plugin'
inputs:
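Review bot: The added `show_env.ps1` step has no `condition:`, so it runs on every signing run, right before `MicroBuildSigningPlugin@4`. Judging by its name and display name it writes the agent environment to the build log, and the script body is not part of this commit view, so it is unclear whether it filters tokens or other sensitive values exported by earlier steps. Consider gating it like the debug-only steps elsewhere in this commit, e.g. `condition: eq(variables['System.debug'], 'true')`, or add a comment stating what the script prints. The steps list continues outside the hunk.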


@ -108,11 +108,11 @@ steps:
condition: ${{ and(eq(parameters.condition, true), eq(variables['System.debug'], 'true')) }}
# Upload the esrp temp dir
- task: PublishPipelineArtifact@1
- task: 1ES.PublishPipelineArtifact@1
displayName: 'Publish Artifact: ESRP temp'
inputs:
targetPath: '$(Build.ArtifactStagingDirectory)/esrp.zip'
artifactName: '${{ parameters.uploadPrefix }}ESRP-tmp-${{ parameters.packageName }}'
path: '$(Build.ArtifactStagingDirectory)/esrp.zip'
artifact: '${{ parameters.uploadPrefix }}ESRP-tmp-${{ parameters.packageName }}'
continueOnError: true
condition: ${{ and(eq(parameters.condition, true), eq(variables['System.debug'], 'true')) }}
@ -124,9 +124,9 @@ steps:
condition: ${{ parameters.condition }}
# always upload no matter what, since if we are not signing we need the artifact in the pipeline
- task: PublishPipelineArtifact@1
- task: 1ES.PublishPipelineArtifact@1
displayName: 'Publish Notarized Classic Artifacts'
inputs:
targetPath: $(Build.SourcesDirectory)/package
artifactName: '${{ parameters.uploadPrefix }}classic-${{ parameters.packageName }}-signed'
path: $(Build.SourcesDirectory)/package
artifact: '${{ parameters.uploadPrefix }}classic-${{ parameters.packageName }}-signed'
continueOnError: true


@ -38,6 +38,10 @@ steps:
persistCredentials: true
path: s/xamarin-macios
- checkout: maccore
clean: true
persistCredentials: true # hugely important, else there are some scripts that check a single file from maccore that will fail
# checkout an extra repo to ensure that we have the same tree structure in the working directory in all pipelines.
# if you delete this checkout the unified pipeline will have issues.
- checkout: yaml-templates
@ -88,7 +92,7 @@ steps:
name: upload
inputs:
SourcePath: $(Build.SourcesDirectory)/artifacts/${{ parameters.uploadPrefix }}package
azureSubscription: 'Xamarin - RelEng (BosStorageMirror)'
azureSubscription: 'Azure Releng (7b4817ae-218f-464a-bab1-a9df2d99e1e5)'
Destination: AzureBlob
storage: ${{ parameters.azureStorage }}
ContainerName: ${{ parameters.azureContainer }}
@ -98,7 +102,7 @@ steps:
displayName: 'Publish manifest to Azure'
inputs:
SourcePath: $(Build.SourcesDirectory)/artifacts/${{ parameters.uploadPrefix }}package/manifest
azureSubscription: 'Xamarin - RelEng (BosStorageMirror)'
azureSubscription: 'Azure Releng (7b4817ae-218f-464a-bab1-a9df2d99e1e5)'
Destination: AzureBlob
storage: ${{ parameters.azureStorage }}
ContainerName: ${{ parameters.azureContainer }}
@ -108,7 +112,7 @@ steps:
displayName: 'Publish manifest to Azure as latest'
inputs:
SourcePath: $(Build.SourcesDirectory)/artifacts/${{ parameters.uploadPrefix }}package/manifest
azureSubscription: 'Xamarin - RelEng (BosStorageMirror)'
azureSubscription: 'Azure Releng (7b4817ae-218f-464a-bab1-a9df2d99e1e5)'
Destination: AzureBlob
storage: ${{ parameters.azureStorage }}
ContainerName: ${{ parameters.azureContainer }}
@ -118,7 +122,7 @@ steps:
displayName: 'Publish manifest to Azure per commit'
inputs:
SourcePath: $(Build.SourcesDirectory)/artifacts/${{ parameters.uploadPrefix }}package/manifest
azureSubscription: 'Xamarin - RelEng (BosStorageMirror)'
azureSubscription: 'Azure Releng (7b4817ae-218f-464a-bab1-a9df2d99e1e5)'
Destination: AzureBlob
storage: ${{ parameters.azureStorage }}
ContainerName: ${{ parameters.azureContainer }}
@ -162,11 +166,11 @@ steps:
# upload the artifacts.json to the build pipeline artifacts so that it can be consumed by other jobs to
# get the required urls
- task: PublishPipelineArtifact@1
- task: 1ES.PublishPipelineArtifact@1
displayName: 'Publish Build Artifacts'
inputs:
targetPath: $(Build.SourcesDirectory)/artifacts/${{ parameters.uploadPrefix }}package/artifacts.json
artifactName: '${{ parameters.uploadPrefix }}pkg-info'
path: $(Build.SourcesDirectory)/artifacts/${{ parameters.uploadPrefix }}package/artifacts.json
artifact: '${{ parameters.uploadPrefix }}pkg-info'
continueOnError: true
- pwsh: $(System.DefaultWorkingDirectory)/xamarin-macios/tools/devops/automation/scripts/show_env.ps1
@ -393,9 +397,9 @@ steps:
}
displayName: 'SBOM: Cleanup'
- task: PublishBuildArtifacts@1
- task: 1ES.PublishPipelineArtifact@1
displayName: 'SBOM: Publish'
inputs:
artifactName: '${{ parameters.uploadPrefix }}sbom'
pathToPublish: $(Build.ArtifactStagingDirectory)/sbom
artifact: '${{ parameters.uploadPrefix }}sbom'
path: $(Build.ArtifactStagingDirectory)/sbom
condition: succeeded()
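Review bot: The added `- checkout: maccore` sets `persistCredentials: true`, which leaves the checkout token in that repository's git config for every later step of the job, including the pwsh scripts and the blob uploads further down. The comment says some scripts fetch a single file from maccore but does not name them; naming the script there would let a later reader check whether the token is still needed. If only one step reads that file, passing it a token through `env:` on that step would narrow the exposure. The steps list starts and ends outside the hunk.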