[Build] Switch the release pipeline to use the 1ES governed template (#29014)

2025-12-15 11:17:53 +01:00 · 2023-10-05 18:25:16 -05:00
parent 45150067b3
commit 03ad83836d
4 changed files with 7851 additions and 394 deletions
--- a/.github/actions/spell-check/allow/allow.txt
+++ b/.github/actions/spell-check/allow/allow.txt
@@ -1,8 +1,11 @@
+cloudai
 bkmeneguello
 FWest
+gdnbaselines
 github
 https
 obairka
+sdl
 ssh
 ubuntu
 unuing
--- a/.pipelines/installer-steps.yml
+++ b/.pipelines/installer-steps.yml
@@ -24,7 +24,7 @@ steps:
      clean: true
      maximumCpuCount: true

-  - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
+  - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@3
    displayName: Sign PowerToysSetupCustomActions DLL
    inputs:
      ConnectedServiceName: "Terminal/Console/WinAppDriver Team Code Signing Connection"
@@ -74,7 +74,7 @@ steps:
      scriptName: .pipelines/versionAndSignCheck.ps1
      arguments: -targetDir '$(build.sourcesdirectory)\extractedMsi\Binary'

-  - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
+  - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@3
    displayName: Sign MSI
    inputs:
      ConnectedServiceName: "Terminal/Console/WinAppDriver Team Code Signing Connection"
@@ -101,7 +101,7 @@ steps:
    inputs:
      script: '"C:\Program Files (x86)\WiX Toolset v3.14\bin\insignia.exe" -ib installer\PowerToysSetup\$(BuildPlatform)\$(BuildConfiguration)\${{parameters.buildSubDir}}\${{parameters.installerPrefix}}-${{ parameters.versionNumber }}-$(BuildPlatform).exe -o installer\engine.exe'

-  - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
+  - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@3
    displayName: "ESRP CodeSigning (Engine)"
    inputs:
      ConnectedServiceName: "Terminal/Console/WinAppDriver Team Code Signing Connection"
@@ -137,7 +137,7 @@ steps:
    inputs:
      script: '"C:\Program Files (x86)\WiX Toolset v3.14\bin\insignia.exe" -ab installer\engine.exe installer\PowerToysSetup\$(BuildPlatform)\$(BuildConfiguration)\${{parameters.buildSubDir}}\${{parameters.installerPrefix}}-${{ parameters.versionNumber }}-$(BuildPlatform).exe -o installer\PowerToysSetup\$(BuildPlatform)\$(BuildConfiguration)\${{parameters.buildSubDir}}\${{parameters.installerPrefix}}-${{ parameters.versionNumber }}-$(BuildPlatform).exe'

-  - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
+  - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@3
    displayName: Sign Bootstrapper
    inputs:
      ConnectedServiceName: "Terminal/Console/WinAppDriver Team Code Signing Connection"
--- a/.pipelines/release.yml
+++ b/.pipelines/release.yml
@@ -1,10 +1,13 @@
 # This build should never run as CI or against a pull request.
+name: $(BuildDefinitionName)_$(date:yyMM).$(date:dd)$(rev:rrr)
 trigger: none
-pr: none

-pool: 
-  name: SHINE-INT-L
-  demands: ImageOverride -equals SHINE-VS17-Latest
+resources:
+  repositories:
+  - repository: 1ESPipelineTemplates
+    type: git
+    name: 1ESPipelineTemplates/1ESPipelineTemplates
+    ref: refs/tags/release

 parameters:
  - name: buildConfigurations
@@ -20,19 +23,25 @@ parameters:
    type: string
    default: '0.0.1'

-variables:
-  IsPipeline: 1 # The installer uses this to detect whether it should pick up localizations
-  SkipCppCodeAnalysis: 1 # Skip the code analysis to speed up release CI. It runs on PR CI, anyway
-  IsExperimentationLive: 1 # The build and installer use this to turn on experimentation
+extends:
+  template: v1/1ES.Official.PipelineTemplate.yml@1ESPipelineTemplates
+  parameters:
+    customBuildTags:
+    - 1ES.PT.ViaStartRight
+    pool:
+      name: SHINE-INT-S
+      image: SHINE-VS17-Latest
+      os: windows

-name: $(BuildDefinitionName)_$(date:yyMM).$(date:dd)$(rev:rrr)
-resources:
-  repositories:
-  - repository: self
-    type: git
-    ref: main
-jobs:
- job: Build
+    stages:
+    - stage: build
+      displayName: Build (Complete)
+      pool:
+        name: SHINE-INT-L
+        image: SHINE-VS17-Latest
+        os: windows
+      jobs:
+      - job: Build
        strategy:
          matrix:
            ${{ each config in parameters.buildConfigurations }}:
@@ -40,30 +49,42 @@ jobs:
                ${{ config }}_${{ platform }}:
                  BuildConfiguration: ${{ config }}
                  BuildPlatform: ${{ platform }}
-            NUGET_RESTORE_MSBUILD_ARGS: /p:Platform=${{ platform }} # Required for nuget to work due to self contained
-            NODE_OPTIONS: --max_old_space_size=16384
+        templateContext:
+          outputs:
+          - output: pipelineArtifact
+            artifactName: setup-$(BuildPlatform)
+            targetPath: $(Build.ArtifactStagingDirectory)
+          sdl:
+            baseline:
+              baselineFile: $(Build.SourcesDirectory)\.pipelines\sdl.gdnbaselines
        displayName: Build
-  timeoutInMinutes: 120 # Some of the loc stuff adds quite a bit of time.
+        timeoutInMinutes: 240 # Some of the 1ES Pipeline stuff and Loc take a very long time
        cancelTimeoutInMinutes: 1
+        variables:
+          NUGET_RESTORE_MSBUILD_ARGS: /p:Platform=$(BuildPlatform) # Required for nuget to work due to self contained
+          NODE_OPTIONS: --max_old_space_size=16384
+          IsPipeline: 1 # The installer uses this to detect whether it should pick up localizations
+          SkipCppCodeAnalysis: 1 # Skip the code analysis to speed up release CI. It runs on PR CI, anyway
+          IsExperimentationLive: 1 # The build and installer use this to turn on experimentation
        steps:
        - checkout: self
          clean: true
          submodules: true
          persistCredentials: True

-# Sets versions for all PowerToy created DLLs
+      # Sets versions for all PowerToy created DLLs
        - task: PowerShell@1
          displayName: Set Versions.Prop
          inputs:
            scriptName: .pipelines/versionSetting.ps1
            arguments: -versionNumber '${{ parameters.versionNumber }}' -DevEnvironment ''

-# Guardian tool needs 'Microsoft.NETCore.App', version '2.1.0' (x64)
+      # ESRP needs 'Microsoft.NETCore.App', version '6.0.0' (x64)
        - task: UseDotNet@2
-    displayName: 'Use .NET Core 2.1 SDK'
+          displayName: 'Use .NET 6 SDK'
          inputs:
            packageType: sdk
-      version: '2.1.x'
+            version: '6.x'

        - task: UseDotNet@2
          displayName: 'Use .NET 7 SDK'
@@ -76,12 +97,12 @@ jobs:
        - task: NuGetToolInstaller@1
          displayName: Use NuGet Installer latest

-# this will restore the following nugets:
-# - main solution
-# - Bug report tool
-# - Webcam report tool
-# - Installer
-# - Bootstrapper Installer
+      # this will restore the following nugets:
+      # - main solution
+      # - Bug report tool
+      # - Webcam report tool
+      # - Installer
+      # - Bootstrapper Installer
        - task: PowerShell@2
          displayName: Download and install WiX 3.14 development build
          inputs:
@@ -122,7 +143,7 @@ jobs:
              move /Y "Microsoft.PowerToys.Telemetry.2.0.0\build\include\TraceLoggingDefines.h" "src\common\Telemetry\TraceLoggingDefines.h" || exit /b 1
              move /Y "Microsoft.PowerToys.Telemetry.2.0.0\build\include\TelemetryBase.cs" "src\common\Telemetry\TelemetryBase.cs" || exit /b 1

-## ALL BUT INSTALLER BUILDING
+      ## ALL BUT INSTALLER BUILDING
        - task: VSBuild@1
          displayName: Build PowerToys main project
          inputs:
@@ -301,11 +322,11 @@ jobs:
            arguments: -targetDir '$(build.sourcesdirectory)\$(BuildPlatform)\$(BuildConfiguration)\WinUI3Apps'
            pwsh: true

-#### MAIN SIGNING AREA
-# reference https://dev.azure.com/microsoft/Dart/_git/AppDriver?path=/ESRPSigning.json&version=GBarm64-netcore&_a=contents for winappdriver
-# https://dev.azure.com/microsoft/Dart/_git/AppDriver?path=/CIPolicy.xml&version=GBarm64-netcore&_a=contents
+      #### MAIN SIGNING AREA
+      # reference https://dev.azure.com/microsoft/Dart/_git/AppDriver?path=/ESRPSigning.json&version=GBarm64-netcore&_a=contents for winappdriver
+      # https://dev.azure.com/microsoft/Dart/_git/AppDriver?path=/CIPolicy.xml&version=GBarm64-netcore&_a=contents

-  - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
+        - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@3
          displayName: Sign Core PT
          inputs:
            ConnectedServiceName: 'Terminal/Console/WinAppDriver Team Code Signing Connection'
@@ -314,7 +335,7 @@ jobs:
            batchSignPolicyFile: '$(build.sourcesdirectory)\.pipelines\ESRPSigning_core.json'
            ciPolicyFile: '$(build.sourcesdirectory)\.pipelines\CIPolicy.xml'

-  - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
+        - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@3
          displayName: Sign x86 directshow VCM
          inputs:
            ConnectedServiceName: 'Terminal/Console/WinAppDriver Team Code Signing Connection'
@@ -322,16 +343,13 @@ jobs:
            signType: batchSigning
            batchSignPolicyFile: '$(build.sourcesdirectory)\.pipelines\ESRPSigning_vcm.json'
            ciPolicyFile: '$(build.sourcesdirectory)\.pipelines\CIPolicy.xml'
-#### END SIGNING 
-## END MAIN
+      #### END SIGNING 
+      ## END MAIN

-  - task: PublishBuildArtifacts@1
-    displayName: 'Publish Artifact: binlog'
-    condition: failed()
-    continueOnError: True
-    inputs:
-      PathtoPublish: $(Build.SourcesDirectory)\msbuild.binlog
-      ArtifactName: binlog-$(BuildPlatform)
+        - pwsh: |-
+            Move-Item msbuild.binlog "$(Build.ArtifactStagingDirectory)/"
+          displayName: Stage binlog into artifact directory
+          condition: always()

        - task: ComponentGovernanceComponentDetection@0
          displayName: Component Detection
@@ -362,20 +380,7 @@ jobs:
            IndexSources: false
            SymbolServerType: TeamServices
            
-  - task: PublishBuildArtifacts@1
-    displayName: 'Publish Artifact: Symbols'
-    inputs:
-      PathtoPublish: $(System.ArtifactsDirectory)/Symbols-$(BuildPlatform)/
-      ArtifactName: Symbols-${{ parameters.versionNumber }}-$(BuildPlatform)
-
-  - task: DeleteFiles@1
-    displayName: 'Remove symbols from ArtifactStagingDirectory'
-    inputs:
-      Contents: '*'
-      SourceFolder: $(Build.ArtifactStagingDirectory)/Symbols-$(BuildPlatform)/
-      RemoveSourceFolder: True
-
-  - template: installer-steps.yml
+        - template: .pipelines/installer-steps.yml@self
          parameters:
            versionNumber: ${{ parameters.versionNumber }}
            perUserArg: "false"
@@ -389,7 +394,7 @@ jobs:
            script: git clean -xfd  -e *exe -- .\installer\
            pwsh: true

-  - template: installer-steps.yml
+        - template: .pipelines/installer-steps.yml@self
          parameters:
            versionNumber: ${{ parameters.versionNumber }}
            perUserArg: "true"
@@ -431,18 +436,10 @@ jobs:
              $machineHash | out-file -filepath $combinedMachinePath
            pwsh: true

-  - task: PublishBuildArtifacts@1
-    displayName: "Publish Artifact: PowerToySetup"
-    inputs:
-      PathtoPublish: $(System.ArtifactsDirectory)
-      ArtifactName: setup-$(BuildPlatform)
-
-# Publishing the GPO files with a version number
-  - task: PublishBuildArtifacts@1
-    displayName: 'Publish Artifact: GPO Files'
-    inputs:
-      PathtoPublish: src\gpo\assets
-      ArtifactName: GroupPolicyObjectsFiles-${{ parameters.versionNumber }}
-
+        # Publishing the GPO files
+        - pwsh: |-
+            New-Item "$(Build.ArtifactStagingDirectory)/gpo" -Type Directory
+            Copy-Item src\gpo\assets\* "$(Build.ArtifactStagingDirectory)/gpo" -Recurse
+          displayName: Stage the GPO files

 ...
--- a/.pipelines/sdl.gdnbaselines
+++ b/.pipelines/sdl.gdnbaselines