[Build] Switch the release pipeline to use the 1ES governed template (#29014)

.github/actions/spell-check/allow/allow.txt

@@ -1,8 +1,11 @@
+cloudai
 bkmeneguello
 FWest
+gdnbaselines
 github
 https
 obairka
+sdl
 ssh
 ubuntu
 unuing

.pipelines/installer-steps.yml

@@ -24,7 +24,7 @@ steps:
       clean: true
       maximumCpuCount: true
 
-  - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
+  - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@3
     displayName: Sign PowerToysSetupCustomActions DLL
     inputs:
       ConnectedServiceName: "Terminal/Console/WinAppDriver Team Code Signing Connection"
@@ -74,7 +74,7 @@ steps:
       scriptName: .pipelines/versionAndSignCheck.ps1
       arguments: -targetDir '$(build.sourcesdirectory)\extractedMsi\Binary'
 
-  - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
+  - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@3
     displayName: Sign MSI
     inputs:
       ConnectedServiceName: "Terminal/Console/WinAppDriver Team Code Signing Connection"
@@ -101,7 +101,7 @@ steps:
     inputs:
       script: '"C:\Program Files (x86)\WiX Toolset v3.14\bin\insignia.exe" -ib installer\PowerToysSetup\$(BuildPlatform)\$(BuildConfiguration)\${{parameters.buildSubDir}}\${{parameters.installerPrefix}}-${{ parameters.versionNumber }}-$(BuildPlatform).exe -o installer\engine.exe'
 
-  - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
+  - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@3
     displayName: "ESRP CodeSigning (Engine)"
     inputs:
       ConnectedServiceName: "Terminal/Console/WinAppDriver Team Code Signing Connection"
@@ -137,7 +137,7 @@ steps:
     inputs:
       script: '"C:\Program Files (x86)\WiX Toolset v3.14\bin\insignia.exe" -ab installer\engine.exe installer\PowerToysSetup\$(BuildPlatform)\$(BuildConfiguration)\${{parameters.buildSubDir}}\${{parameters.installerPrefix}}-${{ parameters.versionNumber }}-$(BuildPlatform).exe -o installer\PowerToysSetup\$(BuildPlatform)\$(BuildConfiguration)\${{parameters.buildSubDir}}\${{parameters.installerPrefix}}-${{ parameters.versionNumber }}-$(BuildPlatform).exe'
 
-  - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
+  - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@3
     displayName: Sign Bootstrapper
     inputs:
       ConnectedServiceName: "Terminal/Console/WinAppDriver Team Code Signing Connection"

.pipelines/release.yml

@@ -1,10 +1,13 @@
 # This build should never run as CI or against a pull request.
+name: $(BuildDefinitionName)_$(date:yyMM).$(date:dd)$(rev:rrr)
 trigger: none
-pr: none
 
-pool: 
-  name: SHINE-INT-L
-  demands: ImageOverride -equals SHINE-VS17-Latest
+resources:
+  repositories:
+  - repository: 1ESPipelineTemplates
+    type: git
+    name: 1ESPipelineTemplates/1ESPipelineTemplates
+    ref: refs/tags/release
 
 parameters:
   - name: buildConfigurations
@@ -20,17 +23,23 @@ parameters:
     type: string
     default: '0.0.1'
 
-variables:
-  IsPipeline: 1 # The installer uses this to detect whether it should pick up localizations
-  SkipCppCodeAnalysis: 1 # Skip the code analysis to speed up release CI. It runs on PR CI, anyway
-  IsExperimentationLive: 1 # The build and installer use this to turn on experimentation
+extends:
+  template: v1/1ES.Official.PipelineTemplate.yml@1ESPipelineTemplates
+  parameters:
+    customBuildTags:
+    - 1ES.PT.ViaStartRight
+    pool:
+      name: SHINE-INT-S
+      image: SHINE-VS17-Latest
+      os: windows
 
-name: $(BuildDefinitionName)_$(date:yyMM).$(date:dd)$(rev:rrr)
-resources:
-  repositories:
-  - repository: self
-    type: git
-    ref: main
+    stages:
+    - stage: build
+      displayName: Build (Complete)
+      pool:
+        name: SHINE-INT-L
+        image: SHINE-VS17-Latest
+        os: windows
       jobs:
       - job: Build
         strategy:
@@ -40,11 +49,23 @@ jobs:
                 ${{ config }}_${{ platform }}:
                   BuildConfiguration: ${{ config }}
                   BuildPlatform: ${{ platform }}
-            NUGET_RESTORE_MSBUILD_ARGS: /p:Platform=${{ platform }} # Required for nuget to work due to self contained
-            NODE_OPTIONS: --max_old_space_size=16384
+        templateContext:
+          outputs:
+          - output: pipelineArtifact
+            artifactName: setup-$(BuildPlatform)
+            targetPath: $(Build.ArtifactStagingDirectory)
+          sdl:
+            baseline:
+              baselineFile: $(Build.SourcesDirectory)\.pipelines\sdl.gdnbaselines
         displayName: Build
-  timeoutInMinutes: 120 # Some of the loc stuff adds quite a bit of time.
+        timeoutInMinutes: 240 # Some of the 1ES Pipeline stuff and Loc take a very long time
         cancelTimeoutInMinutes: 1
+        variables:
+          NUGET_RESTORE_MSBUILD_ARGS: /p:Platform=$(BuildPlatform) # Required for nuget to work due to self contained
+          NODE_OPTIONS: --max_old_space_size=16384
+          IsPipeline: 1 # The installer uses this to detect whether it should pick up localizations
+          SkipCppCodeAnalysis: 1 # Skip the code analysis to speed up release CI. It runs on PR CI, anyway
+          IsExperimentationLive: 1 # The build and installer use this to turn on experimentation
         steps:
         - checkout: self
           clean: true
@@ -58,12 +79,12 @@ jobs:
             scriptName: .pipelines/versionSetting.ps1
             arguments: -versionNumber '${{ parameters.versionNumber }}' -DevEnvironment ''
 
-# Guardian tool needs 'Microsoft.NETCore.App', version '2.1.0' (x64)
+      # ESRP needs 'Microsoft.NETCore.App', version '6.0.0' (x64)
         - task: UseDotNet@2
-    displayName: 'Use .NET Core 2.1 SDK'
+          displayName: 'Use .NET 6 SDK'
           inputs:
             packageType: sdk
-      version: '2.1.x'
+            version: '6.x'
 
         - task: UseDotNet@2
           displayName: 'Use .NET 7 SDK'
@@ -305,7 +326,7 @@ jobs:
       # reference https://dev.azure.com/microsoft/Dart/_git/AppDriver?path=/ESRPSigning.json&version=GBarm64-netcore&_a=contents for winappdriver
       # https://dev.azure.com/microsoft/Dart/_git/AppDriver?path=/CIPolicy.xml&version=GBarm64-netcore&_a=contents
 
-  - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
+        - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@3
           displayName: Sign Core PT
           inputs:
             ConnectedServiceName: 'Terminal/Console/WinAppDriver Team Code Signing Connection'
@@ -314,7 +335,7 @@ jobs:
             batchSignPolicyFile: '$(build.sourcesdirectory)\.pipelines\ESRPSigning_core.json'
             ciPolicyFile: '$(build.sourcesdirectory)\.pipelines\CIPolicy.xml'
 
-  - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
+        - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@3
           displayName: Sign x86 directshow VCM
           inputs:
             ConnectedServiceName: 'Terminal/Console/WinAppDriver Team Code Signing Connection'
@@ -325,13 +346,10 @@ jobs:
       #### END SIGNING 
       ## END MAIN
 
-  - task: PublishBuildArtifacts@1
-    displayName: 'Publish Artifact: binlog'
-    condition: failed()
-    continueOnError: True
-    inputs:
-      PathtoPublish: $(Build.SourcesDirectory)\msbuild.binlog
-      ArtifactName: binlog-$(BuildPlatform)
+        - pwsh: |-
+            Move-Item msbuild.binlog "$(Build.ArtifactStagingDirectory)/"
+          displayName: Stage binlog into artifact directory
+          condition: always()
 
         - task: ComponentGovernanceComponentDetection@0
           displayName: Component Detection
@@ -362,20 +380,7 @@ jobs:
             IndexSources: false
             SymbolServerType: TeamServices
             
-  - task: PublishBuildArtifacts@1
-    displayName: 'Publish Artifact: Symbols'
-    inputs:
-      PathtoPublish: $(System.ArtifactsDirectory)/Symbols-$(BuildPlatform)/
-      ArtifactName: Symbols-${{ parameters.versionNumber }}-$(BuildPlatform)
-
-  - task: DeleteFiles@1
-    displayName: 'Remove symbols from ArtifactStagingDirectory'
-    inputs:
-      Contents: '*'
-      SourceFolder: $(Build.ArtifactStagingDirectory)/Symbols-$(BuildPlatform)/
-      RemoveSourceFolder: True
-
-  - template: installer-steps.yml
+        - template: .pipelines/installer-steps.yml@self
           parameters:
             versionNumber: ${{ parameters.versionNumber }}
             perUserArg: "false"
@@ -389,7 +394,7 @@ jobs:
             script: git clean -xfd  -e *exe -- .\installer\
             pwsh: true
 
-  - template: installer-steps.yml
+        - template: .pipelines/installer-steps.yml@self
           parameters:
             versionNumber: ${{ parameters.versionNumber }}
             perUserArg: "true"
@@ -431,18 +436,10 @@ jobs:
               $machineHash | out-file -filepath $combinedMachinePath
             pwsh: true
 
-  - task: PublishBuildArtifacts@1
-    displayName: "Publish Artifact: PowerToySetup"
-    inputs:
-      PathtoPublish: $(System.ArtifactsDirectory)
-      ArtifactName: setup-$(BuildPlatform)
-
-# Publishing the GPO files with a version number
-  - task: PublishBuildArtifacts@1
-    displayName: 'Publish Artifact: GPO Files'
-    inputs:
-      PathtoPublish: src\gpo\assets
-      ArtifactName: GroupPolicyObjectsFiles-${{ parameters.versionNumber }}
-
+        # Publishing the GPO files
+        - pwsh: |-
+            New-Item "$(Build.ArtifactStagingDirectory)/gpo" -Type Directory
+            Copy-Item src\gpo\assets\* "$(Build.ArtifactStagingDirectory)/gpo" -Recurse
+          displayName: Stage the GPO files
 
 ...