diff --git a/azure-pipelines-public.yml b/azure-pipelines-public.yml index 7c45216e3..299db8b37 100644 --- a/azure-pipelines-public.yml +++ b/azure-pipelines-public.yml @@ -1,21 +1,3 @@ -schedules: -- cron: 0 9 * * 1 - displayName: "Run CodeQL3000 weekly, Monday at 2:00 AM PDT" - branches: - include: - - main - always: true - -parameters: -# Parameter below is ignored in public builds. -# -# Choose whether to run the CodeQL3000 tasks. -# Manual builds align w/ official builds unless this parameter is true. -- name: runCodeQL3000 - default: false - displayName: Run CodeQL3000 tasks - type: boolean - variables: - name: _BuildConfig value: Release @@ -35,8 +17,6 @@ variables: - ${{ if eq(variables['System.TeamProject'], 'public') }}: - name: _InternalRuntimeDownloadArgs value: '' - - name: runCodeQL3000 - value: ${{ and(ne(variables['System.TeamProject'], 'public'), or(eq(variables['Build.Reason'], 'Schedule'), and(eq(variables['Build.Reason'], 'Manual'), eq(parameters.runCodeQL3000, 'true')))) }} - template: /eng/common/templates/variables/pool-providers.yml trigger: @@ -55,10 +35,10 @@ stages: jobs: - template: eng/common/templates/jobs/jobs.yml parameters: - enableMicrobuild: ${{ ne(variables.runCodeQL3000, 'true') }} + enableMicrobuild: true enablePublishBuildArtifacts: true - enablePublishBuildAssets: ${{ ne(variables.runCodeQL3000, 'true') }} - enablePublishTestResults: ${{ ne(variables.runCodeQL3000, 'true') }} + enablePublishBuildAssets: true + enablePublishTestResults: true enablePublishUsingPipelines: ${{ variables._PublishUsingPipelines }} enableTelemetry: true helixRepo: dotnet/ef6 @@ -71,14 +51,7 @@ stages: ${{ if ne(variables['System.TeamProject'], 'public') }}: name: $(DncEngInternalBuildPool) demands: ImageOverride -equals 1es-windows-2019 - ${{ if eq(variables.runCodeQL3000, 'true') }}: - # Component governance and SBOM creation are not needed here. Disable what Arcade would inject. - disableComponentGovernance: true - enableSbom: false - # CodeQL3000 extends build duration. - timeoutInMinutes: 240 - ${{ else }}: - timeoutInMinutes: 180 + timeoutInMinutes: 180 variables: - _AdditionalBuildArgs: '' - _InternalBuildArgs: '' @@ -89,20 +62,6 @@ stages: /p:OfficialBuildId=$(BUILD.BUILDNUMBER) /p:DotNetPublishUsingPipelines=$(_PublishUsingPipelines) /p:DotNetArtifactsCategory=$(_DotNetArtifactsCategory) - - ${{ if eq(variables.runCodeQL3000, 'true') }}: - - _AdditionalBuildArgs: /p:Test=false /p:Sign=false /p:Pack=false /p:Publish=false /p:UseSharedCompilation=false - # Security analysis is included in normal runs. Disable its auto-injection. - - skipNugetSecurityAnalysis: true - # Do not let CodeQL3000 Extension gate scan frequency. - - Codeql.Cadence: 0 - # Enable CodeQL3000 unconditionally so it may be run on any branch. - - Codeql.Enabled: true - # Ignore test and infrastructure code. - - Codeql.SourceRoot: src - # CodeQL3000 needs this plumbed along as a variable to enable TSA. - - Codeql.TSAEnabled: ${{ eq(variables['Build.Reason'], 'Schedule') }} - # Default expects tsaoptions.json under SourceRoot. - - Codeql.TSAOptionsPath: '$(Build.SourcesDirectory)/.config/tsaoptions.json' steps: - checkout: self clean: true @@ -128,38 +87,28 @@ stages: arguments: -ConfigFile $(Build.SourcesDirectory)/NuGet.config -Password $Env:Token env: Token: $(dn-bot-dnceng-artifact-feeds-rw) - - ${{ if eq(variables.runCodeQL3000, 'true') }}: - - task: CodeQL3000Init@0 - displayName: CodeQL Initialize - - script: "echo ##vso[build.addbuildtag]CodeQL3000" - displayName: 'Set CI CodeQL3000 tag' - condition: ne(variables.CODEQL_DIST,'') - script: eng\common\cibuild.cmd -configuration $(_BuildConfig) -prepareMachine $(_InternalBuildArgs) $(_InternalRuntimeDownloadArgs) $(_AdditionalBuildArgs) name: Build - - ${{ if eq(variables.runCodeQL3000, 'true') }}: - - task: CodeQL3000Finalize@0 - displayName: CodeQL Finalize - - ${{ else }}: - - task: PublishBuildArtifacts@1 - displayName: Upload TestResults - condition: always() - continueOnError: true - inputs: - pathtoPublish: artifacts/TestResults/$(_BuildConfig)/ - artifactName: $(Agent.Os)_$(Agent.JobName) TestResults - artifactType: Container - parallel: true - - task: PublishBuildArtifacts@1 - displayName: Upload artifacts - condition: and(succeeded(), eq(variables['system.pullrequest.isfork'], false)) - inputs: - pathtoPublish: 'artifacts/packages/' - artifactName: packages - artifactType: Container - parallel: true + - task: PublishBuildArtifacts@1 + displayName: Upload TestResults + condition: always() + continueOnError: true + inputs: + pathtoPublish: artifacts/TestResults/$(_BuildConfig)/ + artifactName: $(Agent.Os)_$(Agent.JobName) TestResults + artifactType: Container + parallel: true + - task: PublishBuildArtifacts@1 + displayName: Upload artifacts + condition: and(succeeded(), eq(variables['system.pullrequest.isfork'], false)) + inputs: + pathtoPublish: 'artifacts/packages/' + artifactName: packages + artifactType: Container + parallel: true -- ${{ if and(ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest'), ne(variables.runCodeQL3000, 'true')) }}: +- ${{ if and(ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest')) }}: - template: eng\common\templates\post-build\post-build.yml parameters: # Symbol validation isn't being very reliable lately. This should be enabled back diff --git a/azure-pipelines.yml b/azure-pipelines.yml index 206f515c9..34cf66b06 100644 --- a/azure-pipelines.yml +++ b/azure-pipelines.yml @@ -32,6 +32,7 @@ extends: parameters: featureFlags: autoBaseline: false + usePrefastVersion3: true sdl: sourceAnalysisPool: name: $(DncEngInternalBuildPool) @@ -41,6 +42,7 @@ extends: baselineFile: $(Build.SourcesDirectory)\.config\guardian\.gdnbaselines binskim: scanOutputDirectoryOnly: true + preReleaseVersion: '4.3.1' policheck: enabled: true tsa: