diff --git a/Pipelines/recursive-extractor-release.yml b/Pipelines/recursive-extractor-release.yml
index ae29f5d..a7852f1 100644
--- a/Pipelines/recursive-extractor-release.yml
+++ b/Pipelines/recursive-extractor-release.yml
@@ -1,17 +1,4 @@
-# Azure Pipelines
-# https://aka.ms/yaml
-
 name: RecursiveExtractor_Release_$(SourceBranchName)_$(Date:yyyyMMdd)$(Rev:.r)
-# trigger:
-# batch: true
-# branches:
-# include:
-# - main
-# paths:
-# include:
-# - RecursiveExtractor
-# - RecursiveExtractor.Cli
-# pr: none
 
 trigger: none
 pr: none
@@ -19,13 +6,13 @@ resources:
 repositories:
 - repository: templates
 type: git
- name: SecurityEngineering/OSS-Tools-Pipeline-Templates
+ name: Data/OSS-Tools-Pipeline-Templates
 ref: refs/tags/v2.0.0
 - repository: 1esPipelines
 type: git
 name: 1ESPipelineTemplates/1ESPipelineTemplates
 ref: refs/tags/release
-
+
 variables:
 BuildConfiguration: 'Release'
 DotnetVersion: '8.0.x'
@@ -40,6 +27,10 @@ extends:
 sdl:
 armory:
 enabled: false
+ sourceRepositoriesToScan:
+ exclude:
+ - repository: 1esPipelines
+ - repository: templates
 stages:
 - stage: Test
 dependsOn: []
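Review bot: The new `sourceRepositoriesToScan.exclude` list removes both template repositories from the 1ES SDL source scan without saying why, so a later reader cannot tell whether the exemption is deliberate or a workaround for scan noise; a comment above `exclude:` such as `# Shared pipeline-template repos are owned and scanned elsewhere; exclude them from this pipeline's SDL source scan` (adjusted to the real reason) would make that explicit. Both excluded repositories are consumed by tag in the preceding hunk (`refs/tags/v2.0.0` for `templates`, now moved to the `Data/` project, and the floating `refs/tags/release` for `1esPipelines`); tags are movable unless tag protection is enabled in those projects, so a repo that is both excluded from scanning and pulled by a mutable ref deserves a second look. Pinning `templates` to a commit SHA, or confirming tag protection is on for the new project, would close that gap.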
@@ -87,3 +78,93 @@ extends:
 artifactName: 'cli-archive'
 preBuild:
 - template: nbgv-set-version-steps.yml@templates
+
+ - stage: Release
+ dependsOn:
+ - Build
+ condition: succeeded()
+ jobs:
+ - job: sign_hash_release
+ displayName: Code Sign, Generate Hashes, Publish Public Releases
+ templateContext:
+ outputs:
+ - output: pipelineArtifact
+ path: '$(Build.StagingDirectory)'
+ artifact: 'Signed_Binaries_$(System.JobId)_$(System.JobAttempt)'
+ steps:
+ - task: UseDotNet@2
+ inputs:
+ packageType: 'sdk'
+ version: '6.0.x' # ESRP requires a specific version.
+ - template: nbgv-set-version-steps.yml@templates
+ - task: DownloadPipelineArtifact@2
+ inputs:
+ displayName: 'Download lib-archive'
+ buildType: 'current'
+ artifactName: 'lib-archive'
+ targetPath: $(Build.BinariesDirectory)\Unsigned_Binaries\
+ - task: DownloadPipelineArtifact@2
+ inputs:
+ displayName: 'Download cli-archive'
+ buildType: 'current'
+ artifactName: 'cli-archive'
+ targetPath: $(Build.BinariesDirectory)\Unsigned_Binaries\
+ - task: ExtractFiles@1
+ displayName: Extract Artifacts for Signing
+ inputs:
+ archiveFilePatterns: '$(Build.BinariesDirectory)\Unsigned_Binaries\*.zip'
+ destinationFolder: '$(Build.BinariesDirectory)'
+ cleanDestinationFolder: false
+ overwriteExistingFiles: true
+ - task: AntiMalware@4
+ displayName: Anti-Malware Scan
+ inputs:
+ InputType: 'Basic'
+ ScanType: 'CustomScan'
+ FileDirPath: '$(Build.BinariesDirectory)'
+ EnableServices: true
+ SupportLogOnError: true
+ TreatSignatureUpdateFailureAs: 'Warning'
+ SignatureFreshness: 'UpToDate'
+ TreatStaleSignatureAs: 'Warning'
+ - task: EsrpCodeSigning@5
+ displayName: Code Sign Nuget Packages
+ inputs:
+ ConnectedServiceName: 'oss-esrp-signing-recext-v5-connection'
+ AppRegistrationClientId: 'caf746ee-b288-4155-8cc0-0bedca65f230'
+ AppRegistrationTenantId: '33e01921-4d64-4f8c-a055-5bdaffd5e33d'
+ AuthAKVName: 'oss-signing-vault'
+ AuthCertName: 'oss-recursive-auth-cert'
+ AuthSignCertName: 'oss-recursive-signing-cert'
+ FolderPath: '$(Build.BinariesDirectory)'
+ Pattern: '*.nupkg, *.snupkg'
+ signConfigType: 'inlineSignParams'
+ inlineOperation: |
+ [
+ {
+ "KeyCode" : "CP-401405",
+ "OperationCode" : "NuGetSign",
+ "Parameters" : {},
+ "ToolName" : "sign",
+ "ToolVersion" : "1.0"
+ },
+ {
+ "KeyCode" : "CP-401405",
+ "OperationCode" : "NuGetVerify",
+ "Parameters" : {},
+ "ToolName" : "sign",
+ "ToolVersion" : "1.0"
+ }
+ ]
+ SessionTimeout: '60'
+ MaxConcurrency: '50'
+ MaxRetryAttempts: '5'
+ - powershell: 'Get-ChildItem -Path ''$(Build.BinariesDirectory)'' -Recurse CodeSign* | foreach { Remove-Item -Path $_.FullName }'
+ displayName: 'Delete Code Sign Summaries'
+ - task: PowerShell@2
+ displayName: Move NuGet Packages
+ inputs:
+ targetType: 'inline'
+ script: |
+ mv $env:BUILD_BINARIESDIRECTORY/*.nupkg $env:BUILD_STAGINGDIRECTORY/
+ mv $env:BUILD_BINARIESDIRECTORY/*.snupkg $env:BUILD_STAGINGDIRECTORY/
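Review bot: In both `DownloadPipelineArtifact@2` steps `displayName` is placed under `inputs:`, where it is not a task input, so Azure Pipelines ignores it (with an unexpected-input warning) and the steps run under the task's default name; move it to the step level, i.e. `- task: DownloadPipelineArtifact@2` / `displayName: 'Download lib-archive'` / `inputs:` (same for `cli-archive`). The `AntiMalware@4` scan that gates ESRP signing treats both a failed definition update and stale definitions as `'Warning'`, so binaries can be signed and staged after a scan with outdated signatures; for a release job `TreatStaleSignatureAs: 'Error'` (and arguably `TreatSignatureUpdateFailureAs: 'Error'`) is the safer default unless agent-side signature updates are known to be flaky. The job's displayName promises hash generation and public publishing, but the visible steps end by moving the signed `.nupkg`/`.snupkg` into `$(Build.StagingDirectory)` for the `Signed_Binaries_*` artifact; if those steps are deliberately deferred, rename the job or add a comment so the name does not overstate what runs here. Finally, `ExtractFiles@1` unpacks both archives into the same `$(Build.BinariesDirectory)` with `overwriteExistingFiles: true`, so any file name shared by `lib-archive` and `cli-archive` is silently replaced by whichever extracts last — worth confirming the two archives are disjoint before they feed the signing pattern.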