Azure pipelines (#104)

Author: adityapatwardhan

.config/tsaoptions.json

@@ -0,0 +1,11 @@
+{
+    "hasDynamicRouting": true,
+    "areaPath": "OS",
+    "notificationAliases": [
+        "[email protected]",
+        "[email protected]",
+        "[email protected]",
+        "[email protected]"
+    ],
+    "codebaseName":  "TFSMSAzure_powershell-native"
+}

.pipelines/release.yml

@@ -0,0 +1,181 @@
+trigger: none
+
+parameters:
+  - name: OfficialBuild
+    type: boolean
+    default: false
+  - name: disableNetworkIsolation
+    type: boolean
+    default: false
+
+variables:
+  - name: ob_outputDirectory
+    value: '$(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT'
+  - name: LinuxContainerImage
+    value: mcr.microsoft.com/onebranch/azurelinux/build:3.0
+  - name: WindowsContainerImage
+    value: onebranch.azurecr.io/windows/ltsc2022/vse2022:latest
+  - name: templateFile
+    value: ${{ iif ( parameters.OfficialBuild, 'v2/OneBranch.Official.CrossPlat.yml@templates', 'v2/OneBranch.NonOfficial.CrossPlat.yml@templates' ) }}
+  - name: disableNetworkIsolation
+    value: ${{ parameters.disableNetworkIsolation }}
+
+resources:
+  repositories:
+  - repository: templates
+    type: git
+    name: OneBranch.Pipelines/GovernedTemplates
+    ref: refs/heads/main
+
+extends:
+  template: ${{ variables.templateFile }}  # The Official template may only be used by Production-classified pipelines
+
+  parameters:
+    release:
+      category: NonAzure
+    featureFlags:
+      WindowsHostVersion:
+        Disk: Large
+        Version: 2022
+        Network: KS1
+      incrementalSDLBinaryAnalysis: true
+      needExceptionForUbuntuUsage: true
+      disableNetworkIsolation: ${{ variables.disableNetworkIsolation }}
+    cloudvault:
+      enabled: false
+    globalSdl:
+      isNativeCode: true
+      prefast:
+        enabled: true
+      tsa:
+        useDynamicRouting: true
+        enabled: true
+      sbom:
+        enabled: true
+        packageName: Microsoft.PowerShell.Native
+      codeql:
+        tsaEnabled: true
+        compiled:
+          enabled: true
+      armory:
+        enabled: false
+      credscan:
+        enabled: true
+        scanFolder:  $(Build.SourcesDirectory)
+      binskim:
+        enabled: true
+        exactToolVersion: 4.4.2
+      apiscan:
+        enabled: false
+      tsaOptionsFile: .config\tsaoptions.json
+
+    stages:
+    - stage: WinBuildAndSign
+      displayName: Windows Build and Sign
+      jobs:
+      - template: .pipelines/templates/build-sign-windows.yml@self
+        parameters:
+          ARCHITECTURE: 'x64'
+
+      - template: .pipelines/templates/build-sign-windows.yml@self
+        parameters:
+          ARCHITECTURE: 'x86'
+
+      - template: .pipelines/templates/build-sign-windows.yml@self
+        parameters:
+          ARCHITECTURE: 'x64_arm64'
+
+    - stage: LinuxBuild
+      displayName: Linux Build
+      jobs:
+      - template: .pipelines/templates/build-linux.yml@self
+        parameters:
+          ARCHITECTURE: 'linux-x64'
+          Name: 'Build_Linux_x64'
+
+      - template: .pipelines/templates/build-linux.yml@self
+        parameters:
+          ARCHITECTURE: 'linux-arm64'
+          Name: 'Build_Linux_arm64'
+          hostArchitecture: 'arm64'
+
+      - template: .pipelines/templates/build-linux.yml@self
+        parameters:
+          ARCHITECTURE: 'linux-musl-x64'
+          Name: 'Build_Linux_musl_x64'
+
+      - template: .pipelines/templates/build-linux.yml@self
+        parameters:
+          ARCHITECTURE: 'osx'
+          Name: 'Build_osx'
+
+    - stage: LinuxBuildARM
+      displayName: Linux ARM Build
+      variables:
+      - name: LinuxContainerImage
+        value: onebranch.azurecr.io/linux/ubuntu-2204:latest
+
+      jobs:
+      - template: .pipelines/templates/build-linux.yml@self
+        parameters:
+          ARCHITECTURE: 'linux-arm'
+          Name: 'Build_Linux_arm'
+
+    - stage: Build_Nuget
+      dependsOn: [WinBuildAndSign, LinuxBuild, LinuxBuildARM]
+      displayName: Build NuGet
+      jobs:
+      - template: .pipelines/templates/build-nuget.yml@self
+
+    - stage: Release_NuGet
+      displayName: Release NuGet
+      dependsOn: [Build_Nuget]
+      variables:
+        - name: Version
+          value: $[ stageDependencies.Build_Nuget.Build_Nuget_Job.outputs['SetVersion.NugetPackageVersion'] ]
+        - name: ob_release_environment
+          value: ${{ iif ( parameters.OfficialBuild, 'Production', 'Test' ) }}
+      jobs:
+      - job: NuGetPublish
+        displayName: Publish to NuGet
+        condition: succeeded()
+        pool:
+          type: release
+          os: windows
+        templateContext:
+          inputs:
+            - input: pipelineArtifact
+              artifactName: drop_Build_Nuget_Build_Nuget_Job
+        steps:
+        - task: PowerShell@2
+          inputs:
+            targetType: inline
+            script: |
+              Write-Verbose -Verbose "Version: $(Version)"
+              Get-ChildItem Env:\
+          displayName: 'Capture Environment Variables'
+
+        - task: PowerShell@2
+          inputs:
+            targetType: inline
+            script: |
+              $DestPath = New-Item -ItemType Directory -Path "$(Pipeline.Workspace)\release"
+              $nupkgFile = Get-ChildItem "$(Pipeline.Workspace)\Microsoft.PowerShell.Native.*.nupkg" -Recurse
+              if (-not $nupkgFile) {
+                  throw "No nupkg files found in '$(Pipeline.Workspace)'"
+              }
+
+              Copy-Item $nupkgFile -Destination $DestPath -Recurse -Force -Verbose
+              Write-Verbose -Verbose "The .nupkgs below will be pushed:"
+              Get-ChildItem "$(Pipeline.Workspace)/release" -recurse
+          displayName: Download and capture nupkgs
+
+        - task: NuGetCommand@2
+          displayName: 'NuGet push'
+          condition: and(eq('${{ parameters.OfficialBuild }}', 'true'), succeeded())
+          inputs:
+            command: push
+            packagesToPush: '$(Pipeline.Workspace)\release\*.nupkg'
+            nuGetFeedType: external
+            publishFeedCredentials: PowerShellNuGetOrgPush
+

.pipelines/templates/build-linux.yml

@@ -0,0 +1,83 @@
+parameters:
+  - name: ARCHITECTURE
+    type: string
+    default: 'x64'
+  - name: Name
+    type: string
+    default: 'Build_Linux_x64'
+  - name: hostArchitecture
+    type: string
+    default: 'amd64'
+
+jobs:
+- job: ${{ parameters.Name }}
+  pool:
+    type: linux
+    ${{ if eq(parameters.ARCHITECTURE, 'osx') }}:
+      isCustom: true
+      name: Azure Pipelines
+      vmImage: 'macOS-latest'
+    ${{ if eq(parameters.hostArchitecture, 'arm64') }}:
+      hostArchitecture: 'arm64'
+  displayName: Linux_${{ parameters.ARCHITECTURE }}
+  variables:
+    - name: ob_outputDirectory
+      value: '$(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT'
+    - name: ob_signing_setup_enabled
+      value: true
+    - name: ARCHITECTURE
+      value: ${{ parameters.ARCHITECTURE }}
+    - name: DOTNET_SYSTEM_GLOBALIZATION_INVARIANT
+      value: 1
+    - ${{ if eq(parameters.ARCHITECTURE, 'linux-arm64') }}:
+      - name: ob_sdl_binskim_enabled
+        value: false
+      - name: ob_sdl_credscan_enabled
+        value: false
+  steps:
+    - pwsh: |
+        Get-ChildItem Env:\ | Out-String -Stream | Write-Verbose -Verbose
+      displayName: Capture environment variables
+
+    - pwsh: |
+        $Arch = "$(ARCHITECTURE)"
+        $repoRoot = '$(Build.SourcesDirectory)'
+        Import-Module $repoRoot\build.psm1 -Force
+
+        if ($Arch -eq 'linux-x64' -or $Arch -eq 'linux-musl-x64' -or $Arch -eq 'osx') {
+          Start-PSBootstrap
+          Write-Verbose "Starting Start-Start-BuildNativeUnixBinaries" -Verbose
+          Start-BuildNativeUnixBinaries
+          Write-Verbose "Completed Start-BuildNativeUnixBinaries" -Verbose
+        }
+        elseif ($Arch -eq 'linux-arm64') {
+          Start-PSBootstrap -BuildLinuxArm64
+          Write-Verbose "Starting Start-BuildNativeUnixBinaries" -Verbose
+          Start-BuildNativeUnixBinaries -BuildLinuxArm64
+          Write-Verbose "Completed Start-BuildNativeUnixBinaries" -Verbose
+        }
+        elseif ($Arch -eq 'linux-arm') {
+          Start-PSBootstrap -BuildLinuxArm
+          Write-Verbose "Starting Start-BuildNativeUnixBinaries" -Verbose
+          Start-BuildNativeUnixBinaries -BuildLinuxArm
+          Write-Verbose "Completed Start-BuildNativeUnixBinaries" -Verbose
+        }
+        else {
+          throw "Unsupported architecture: $Arch"
+        }
+
+        $buildOutputPath = Join-Path $RepoRoot "src/powershell-unix"
+
+        if (-not (Test-Path $(ob_outputDirectory))) {
+            New-Item -ItemType Directory -Path $(ob_outputDirectory) -Force -Verbose
+        }
+
+        Copy-Item -Path "$buildOutputPath/libpsl-native.*" -Destination "$(ob_outputDirectory)" -Force
+
+        if ($Arch -eq 'osx') {
+          Write-Host "##vso[artifact.upload containerfolder=drop_osx;artifactname=drop_osx]$(ob_outputDirectory)"
+        }
+      displayName: 'Build'
+
+
+

.pipelines/templates/build-nuget.yml

@@ -0,0 +1,119 @@
+jobs:
+- job: Build_Nuget_Job
+  pool:
+    type: windows
+  displayName: Build NuGet
+  variables:
+    - name: ob_outputDirectory
+      value: '$(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT'
+    - name: ob_signing_setup_enabled
+      value: true
+  steps:
+  - pwsh: |
+      if (-not (Test-Path -Path "$(ob_outputDirectory)")) {
+          New-Item -ItemType Directory -Path "$(ob_outputDirectory)" | Out-Null
+      }
+    displayName: 'Create output directory'
+
+  - download: current
+
+  - pwsh: |
+      Get-ChildItem -Path $(Pipeline.Workspace)
+    displayName: 'List files in workspace'
+
+  - task: NuGetToolInstaller@0
+    displayName: 'Install NuGet 5.3.1'
+    inputs:
+      versionSpec: 5.3.1
+
+  - template: setVersion.yml@self
+
+  - pwsh: |
+      Get-ChildItem Env:\ | Out-String -Stream | Write-Verbose -Verbose
+    displayName: Capture environment variables
+
+  - pwsh: |
+      $platforms = @("drop_LinuxBuild_Build_Linux_arm64",
+                     "drop_LinuxBuild_Build_Linux_musl_x64",
+                     "drop_LinuxBuild_Build_Linux_x64",
+                     "drop_LinuxBuildARM_Build_Linux_arm",
+                     "drop_WinBuildAndSign_Build_Sign_x64",
+                     "drop_WinBuildAndSign_Build_Sign_x86",
+                     "drop_WinBuildAndSign_Build_Sign_x64_arm64",
+                     "drop_osx"
+                     )
+
+      $WindowsX64ZipPath = "$(ob_outputDirectory)/drop_WinBuildAndSign_Build_Sign_x64.zip"
+      $WindowsX86ZipPath = "$(ob_outputDirectory)/drop_WinBuildAndSign_Build_Sign_x86.zip"
+      $WindowsARMZipPath = "$(ob_outputDirectory)/drop_WinBuildAndSign_Build_Sign_arm.zip"
+      $WindowsARM64ZipPath = "$(ob_outputDirectory)/drop_WinBuildAndSign_Build_Sign_x64_arm64.zip"
+      $LinuxZipPath = "$(ob_outputDirectory)/drop_LinuxBuild_Build_Linux_x64.zip"
+      $LinuxARMZipPath = "$(ob_outputDirectory)/drop_LinuxBuildARM_Build_Linux_arm.zip"
+      $LinuxARM64ZipPath = "$(ob_outputDirectory)/drop_LinuxBuild_Build_Linux_arm64.zip"
+      $LinuxAlpineZipPath = "$(ob_outputDirectory)/drop_LinuxBuild_Build_Linux_musl_x64.zip"
+      $macOSZipPath = "$(ob_outputDirectory)/drop_osx.zip"
+
+      $symbolsRoot = "$(ob_outputDirectory)/symbols"
+      New-Item -ItemType Directory -Path $symbolsRoot -Force | Out-Null
+
+      $platforms | ForEach-Object {
+          $platform = $_
+          $compressedFile = "$(ob_outputDirectory)/$platform.zip"
+          Compress-Archive -Path "$(Pipeline.Workspace)/$platform/*" -DestinationPath $compressedFile -Force
+          $DestPath = Join-Path $symbolsRoot $platform
+          New-Item -Path $DestPath -ItemType Directory -Force | Out-Null
+          Get-ChildItem -Path "$(Pipeline.Workspace)/$platform/*.pdb" -Recurse | ForEach-Object {
+              Copy-Item -Path $_.FullName -Destination $DestPath -Force -Verbose
+          }
+      }
+
+      Import-Module $(Build.SourcesDirectory)/build.psm1 -Force
+      $PackageRoot = New-Item -ItemType Directory -Path  $(ob_outputDirectory)\NugetPackageSrc
+      Start-BuildPowerShellNativePackage -PackageRoot $PackageRoot -Version $(PackageVersion) -WindowsX64ZipPath  $WindowsX64ZipPath -WindowsX86ZipPath $WindowsX86ZipPath -WindowsARM64ZipPath  $WindowsARM64ZipPath -LinuxZipPath $LinuxZipPath -LinuxARMZipPath  $LinuxARMZipPath -LinuxARM64ZipPath $LinuxARM64ZipPath -LinuxAlpineZipPath $LinuxAlpineZipPath -macOSZipPath $macOSZipPath
+
+      Write-Verbose -Verbose "Enumerating $symbolsRoot"
+      Get-ChildItem -Path $symbolsRoot -Recurse
+
+      $vstsCommandString = "vso[task.setvariable variable=SymbolsPath]$symbolsRoot"
+      Write-Verbose -Message "$vstsCommandString" -Verbose
+      Write-Host -Object "##$vstsCommandString"
+
+      Write-Verbose -Verbose "Build nupkg"
+      New-NugetPackage -PackageRoot $PackageRoot -NuGetOutputPath '$(ob_outputDirectory)\NugetPackage'
+
+      Write-Verbose -Verbose "Cleanup output folder"
+      Get-ChildItem -Path "$(ob_outputDirectory)" -Exclude "NugetPackage", "symbols" | Remove-Item -Recurse -Force -Verbose
+
+      Write-Verbose -Verbose "Enumerating $(ob_outputDirectory)"
+      Get-ChildItem -Path "$(ob_outputDirectory)" -Recurse
+    displayName: 'Build NuPkg'
+
+  - pwsh: |
+      Get-ChildItem -Path "$(ob_outputDirectory)\NugetPackage" -Recurse | ForEach-Object {
+          $file = $_
+          Write-Verbose -Message "Found NuGet package: $($file.FullName)" -Verbose
+      }
+
+      Get-ChildItem -Path "$(SymbolsPath)" -Recurse | ForEach-Object {
+          $file = $_
+          Write-Verbose -Message "Found symbol file: $($file.FullName)" -Verbose
+      }
+    displayName: 'Capture Packages'
+
+  - task: PublishSymbols@2
+    inputs:
+      symbolsFolder: '$(SymbolsPath)'
+      searchPattern: '**/*.pdb'
+      indexSources: false
+      publishSymbols: true
+      symbolServerType: teamServices
+      detailedLog: true
+
+  - task: onebranch.pipeline.signing@1
+    displayName: Sign files
+    inputs:
+      command: 'sign'
+      cp_code: 'CP-401405'
+      files_to_sign: |
+        **\*.nupkg;
+      search_root: $(ob_outputDirectory)