From 1412996e2631d6b4b42ef9e448625e9968407991 Mon Sep 17 00:00:00 2001
From: Paulo Salem
Date: Fri, 18 Oct 2024 23:26:38 -0300
Subject: [PATCH] Create 1ES.Pipeline.yml Testing ADO setup.
---
.ado/1ES.Pipeline.yml | 758 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 758 insertions(+)
create mode 100644 .ado/1ES.Pipeline.yml
diff --git a/.ado/1ES.Pipeline.yml b/.ado/1ES.Pipeline.yml
new file mode 100644
index 0000000..bd0519f
--- /dev/null
+++ b/.ado/1ES.Pipeline.yml
@@ -0,0 +1,758 @@
+parameters:
+
+- name: isOfficial
+ type: boolean
+ default: true
+
+- name: stages
+ type: stageList
+ default: []
+
+- name: pool
+ type: object
+ default: {}
+
+- name: containers
+ type: object
+ default: {}
+
+# Sdl rules with the highest priority
+- name: enforcedSdl
+ type: object
+ default: {}
+
+- name: spokeEsEnforcedSdl
+ type: object
+ default: {}
+
+# User specified / applied across the pipeline, can be overridden by job specific sdl setting
+- name: sdl
+ type: object
+ default: {}
+
+- name: authenticatedContainerRegistries
+ type: object
+ default: null
+
+- name: settings
+ type: object
+ default: {}
+
+- name: customBuildTags
+ type: object
+ default: null
+
+- name: customLogIssues
+ type: object
+ default: null
+
+# This should be used for any internal configuration that can't be overriden by customers
+- name: internalConfig
+ type: object
+ default:
+ outputTasks:
+ - 1ES.PublishPipelineArtifact@1
+ - 1ES.PublishBuildArtifacts@1
+ - 1ES.PublishArtifactsDrop@1
+ - 1ES.PublishNuGet@1
+ - 1ES.PublishAzureDevOpsExtension@1
+ - ecdc45f6-832d-4ad9-b52b-ee49e94659be@
+ - PublishPipelineArtifact@
+ - PublishBuildArtifacts@
+ - CopyPublishBuildArtifacts@
+ - artifactDropTask@
+ - ms-vscs-artifact.build-tasks.artifactDropTask-1.artifactDropTask@
+ - f9d96d25-0c81-4e77-8282-1ad1f785cbb4@
+ - PublishAzureDevOpsExtension@
+ - 631511b4-50ab-47c8-b766-7ae2aa672733
+ inputTasks:
+ - 1ES.DownloadPipelineArtifact@1
+ - 1ES.DownloadArtifactsDrop@1
+ buildJobIndicativeTasks:
+ - MSBuild@1
+ - VSBuild@1
+ - 1ES.BuildContainerImage@1
+ - 1ES.MicroBuildVstsDrop@1
+ - DockerCompose@
+ - 6975e2d1-96d3-4afc-8a41-498b5d34ea19
+ - CBTask@
+ - tse-cloudbuild.tse-cloudbuild-tasks.CA671F24-CBD6-48CB-92F3-FC13396450A1.CBTask
+ - NuGetCommand@
+ - NuGetRestore@
+ - 333b11bd-d341-40d9-afcf-b32d5ce6f23b
+ - MicroBuildPromoteNugetPackages@
+ - MicroBuildUploadVstsDropFolder@
+ - 1ES.Signing@
+ - AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@
+ - ManifestGeneratorTask@
+ releaseTasks:
+ - AMLModelDeploy@
+ - APDeployReleaseTask@
+ - AzDeployerTriggerTask@
+ - AzureAppServiceManage@
+ - AzureAppServiceSettings@
+ - AzureCloudPowerShellDeployment@
+ - AzureContainerApps@
+ - AzureFileCopy@
+ - AzureFunctionApp@
+ - AzureFunctionOnKubernetes@
+ - AzureIoTEdge@
+ - AzureMysqlDeployment@
+ - AzureResourceGroupDeployment@
+ - AzureResourceManagerTemplateDeployment@
+ - AzureRmWebAppDeployment@
+ - AzureSpringCloud@
+ - AzureStaticWebApp@
+ - AzureVmssDeployment@
+ - AzureWebApp@
+ - AzureWebAppContainer@
+ - DataDeployReleaseTask@
+ - DataDeployTriggerTask@
+ - deploynotebooks@
+ - DeployUsingPowerShell@
+ - DockerDeploy@
+ - EsrpRelease@
+ - Ev2RARollout@
+ - ExpressV2Internal@
+ - FalconClusterFleetDeployment@
+ - GitDataDeployReleaseTask@
+ - GitDataDeployTriggerTask@
+ - GitHubRelease@
+ - git-tag-on-release-task@
+ - jabbera.git-tag-on-release-task.git-tag-on-release-task.git-tag-on-release-task@
+ - HelmDeploy@
+ - HockeyApp@
+ - IISWebAppDeploymentOnMachineGroup@
+ - Kubernetes@
+ - KubernetesManifest@
+ - lockbox-approval-request-prod_with_onebranch@
+ - M365CdnAssetsUpload@
+ - M365CdnCompliantAssetsUpload@
+ - m365-airgapped-pre-release-prod@
+ - MysqlDeploymentOnMachineGroup@
+ - OneBranchAirGappedRelease@
+ - PowerPlatformDeployPackage@
+ - PowerPlatformImportSolution@
+ - PowerPlatformPublishCustomizations@
+ - prepare-deployment@
+ - PublishToADX@
+ - publish-to-kusto@
+ - ServiceFabricComposeDeploy@
+ - ServiceFabricDeploy@
+ - SqlAzureDacpacDeployment@
+ - SqlDacpacDeploymentOnMachineGroup@
+ - StratusTriggerTask@
+ - Synapse workspace deployment@
+ - TerraformTaskV1@
+ - TerraformTaskV2@
+ - TerraformTaskV3@
+ - TerraformTaskV4@
+ # Previously we had blocked a subset of release tasks but only inside validation jobs
+ # As we're setting more restrictions on how release tasks can be triggered, we'll need
+ # to maintain a separate list for any kind of non release job before we can merge the
+ # two lists. Othrewise, we may end up breaking customers through an update.
+ releaseTasksForWarning:
+ - 1breleaseextension.lockbox-approval-with-onebranch.lockbox-approval_request_releasetask.lockbox-approval-request-prod_with_onebranch
+ - 497d490f-eea7-4f2b-ab94-48d9c1acdcb1 # AzureRmWebAppDeployment : https://github.com/microsoft/azure-pipelines-tasks/blob/master/Tasks/AzureRmWebAppDeploymentV4/task.json
+ - aadsharma.synapsecicd-deploy.synapse-deploy.synapse workspace deployment
+ - abhishekkumar.stratus-trigger-ext.b633975b-5833-4d90-a3de-e60ba81231b0.stratustriggertask
+ - aeroupload
+ - airbingxapteam.build-release-task.custom2-build-release-task-prod.deployapphosttaskprod
+ - appcenterdistribute
+ - approvaltask
+ - appstorerelease
+ - azdeployertriggertask
+ - azure-kusto.publishtoadx.publishtoadx.publishtoadx
+ - azure-synapse-toggle-triggers-json
+ - azureappconfiguration
+ - azureappconfiguration.azure-app-configuration-task-push.custom-build-release-task.azureappconfigurationpush
+ - azureappconfiguration.azure-app-configuration-task.custom-build-release-task.azureappconfiguration
+ - azureappconfigurationpush
+ - azureappservicemanage
+ - azureappservicesetappsettings
+ - azureappservicesettings
+ - azurecloudpowershelldeployment
+ - azurecontainerapps
+ - azurefilecopy
+ - azurefunction
+ - azurefunctionapp
+ - azurefunctiononkubernetes
+ - azureiotedge
+ - azuremysqldeployment
+ - azureresourcegroupdeployment
+ - azureresourcemanagertemplatedeployment
+ - azurermwebappdeployment
+ - azurespringcloud
+ - azurestaticwebapp
+ - azuresynapseworkspace.synapsecicd-deploy.synapse-deploy.synapse workspace deployment
+ - azuresynapseworkspace.synapsecicd-deploy.toggle-trigger.toggle-triggers-dev
+ - azurevmssdeployment
+ - azurewebapp
+ - azurewebappcontainer
+ - charleszipp.azure-pipelines-tasks-terraform.azure-pipelines-tasks-terraform-cli.terraformcli
+ - charleszipp.azure-pipelines-tasks-terraform.azure-pipelines-tasks-terraform-installer.terraforminstaller
+ - chef-software.vsts-chef-tasks.vsts-chef-task-exec-knife.vsts-chef-task-exec-knife
+ - comic_deployment_priming_prod_with_onebranch
+ - copyfilesoverssh
+ - datadeploytriggertask
+ - deploy-aas-db
+ - deploy-synapse-json
+ - deployapphosttaskprod
+ - deploymentapprovers
+ - deploymenthealthcheckerforutpsynthetics
+ - deploymenthealthcheckerforwebtests
+ - deploynotebooks
+ - enghubpush
+ - es365developerplatform.c7f96868-7494-4f94-9438-0d5097e35d5d.06e7cd9f-5345-4845-a0df-a39cb961763d.officepackageupdaterv2
+ - esrprelease
+ - fabienlavocat.fabienlavocat-purgeazurecdnendpoint.purgeazurecdnendpoint.purgeazurecdnendpoint
+ - falcon-scd-update-upgrade-policy
+ - falcon-update-publish-profiles
+ - falcon.falcon-clusterfleet-deployment.falcon-clusterfleet-deployment.falconclusterfleetdeployment
+ - falconclusterfleetdeployment
+ - falconserviceregistry
+ - ftpupload
+ - genevaanalytics.geneva-analytics-build-tasks.publish-to-geneva-orchestrator.publish-to-geneva-orchestrator
+ - git-tag-on-release-task
+ - githubrelease
+ - googleplayincreaserollout
+ - googleplayrelease
+ - hboelman.azureappservicesetappsettings.hboelman-vsts-release-appsettings.azureappservicesetappsettings
+ - helmdeploy
+ - hera-gating-prod-v1
+ - hera-ingestion-prod-v2
+ - ic3-bicep-prod-task
+ - iiswebappdeploymentonmachinegroup
+ - intentionalyamltorusbridge
+ - jabbera.git-tag-on-release-task.git-tag-on-release-task.git-tag-on-release-task
+ - jasonbjohnson.azure-pipelines-tasks-terraform.azure-pipelines-tasks-terraform-cli.terraformcli
+ - kubernetes
+ - kubernetesmanifest
+ - lockbox-approval-prod
+ - lockbox-approval-request-prod_with_onebranch
+ - lockbox-credentials-prod
+ - lockbox-credentials-prod-signed
+ - m365-airgapped-pre-release-prod
+ - m365cdnassetsupload
+ - m365cdncompliantassetsupload
+ - microsoft-isvexptools.powerplatform-buildtools-beta.deploy-package.powerplatformdeploypackage
+ - microsoft-isvexptools.powerplatform-buildtools.apply-solution-upgrade.powerplatformapplysolutionupgrade
+ - microsoft-isvexptools.powerplatform-buildtools.deploy-package.powerplatformdeploypackage
+ - microsoft-isvexptools.powerplatform-buildtools.export-solution.powerplatformexportsolution
+ - microsoft-isvexptools.powerplatform-buildtools.import-solution.powerplatformimportsolution
+ - microsoft-isvexptools.powerplatform-buildtools.publish-customizations.powerplatformpublishcustomizations
+ - mirrorstaticcontent
+ - ms-devlabs.custom-terraform-tasks.custom-terraform-release-task.terraformtaskv1
+ - ms-devlabs.custom-terraform-tasks.custom-terraform-release-task.terraformtaskv2
+ - ms-devlabs.custom-terraform-tasks.custom-terraform-release-task.terraformtaskv3
+ - ms-devlabs.custom-terraform-tasks.custom-terraform-release-task.terraformtaskv4
+ - ms-devlabs.vsts-developer-tools-build-tasks.publish-extension-build-task.publishazuredevopsextension
+ - ms-rdx-mro.windows-store-publish-dev.flight-task.store-flight
+ - ms-rdx-mro.windows-store-publish-dev.publish-task.store-publish
+ - ms-rdx-mro.windows-store-publish-dev.rollout-task-v2.store-rollout-v2
+ - ms-rdx-mro.windows-store-publish.flight-task.store-flight
+ - ms-vsclient.app-store.app-store-release.appstorerelease
+ - ms-vsclient.google-play.google-play-release.googleplayrelease
+ - mscrmexportsolution
+ - mscrmpublishcustomizations
+ - mysqldeploymentonmachinegroup
+ - oenginternal.office-vsts-tasks-extension.ba402fac-87de-433e-9d67-88e49aeb075e.mirrorstaticcontent
+ - officepackageupdaterv2
+ - onebranchairgappedrelease
+ - outlookwebbuild.m365-1cdn-build-release-task.custom-build-release-task.m365cdnassetsupload
+ - outlookwebbuild.m365-1cdn-build-release-task.task-assets-upload.m365cdnassetsupload
+ - outlookwebbuild.m365-1cdn-compliant-build-release-task.task-assets-upload.m365cdncompliantassetsupload
+ - owaringmanager
+ - powerplatformdeploypackage
+ - powerplatformexportsolution
+ - powerplatformimportsolution
+ - powerplatformpublishcustomizations
+ - prepare-deployment
+ - publish-to-geneva-orchestrator
+ - publishtoadx
+ - purgeazurecdnendpoint
+ - releaseartifactupload
+ - releasepipeline.approvalservice-ext.a81eb944-f6e7-40bb-acb3-6f68822bc5ab.approvaltask
+ - releasepipeline.onebranchairgappedrelease.package-extension-onebranchairgappedrelease-task.onebranchairgappedrelease
+ - riserrad.azdo-databricks.azdo-databricks-deploynotebooks.deploynotebooks
+ - rolloutserviceagent
+ - rolloutservicelockbox
+ - servicefabriccomposedeploy
+ - servicefabricdeploy
+ - servicefabricpowershell
+ - servicefabricupdateappversions
+ - servicefabricupdatemanifests
+ - sezhezhe.falcon-config-deployment.falcon-scd-update-upgrade-policy.falcon-scd-update-upgrade-policy
+ - sezhezhe.falcon-config-deployment.falcon-update-publish-profiles.falcon-update-publish-profiles
+ - sfp.release-tasks.custom-build-release-task.esrprelease
+ - skvso.ic3-release-tasks-prod.lockbox-approval-releasetask.lockbox-approval-prod
+ - skvso.ic3-release-tasks-prod.lockbox-credentials-releasetask.lockbox-credentials-prod
+ - sqlazuredacpacdeployment
+ - sqldacpacdeploymentonmachinegroup
+ - staticcontentuploader
+ - store-flight
+ - store-publish
+ - stratustriggertask
+ - synapse workspace deployment
+ - terraformtaskv1
+ - terraformtaskv2
+ - terraformtaskv3
+ - terraformtaskv4
+ - uploadfiles
+ - vsts-chef-task-exec-knife
+ - waelhamze.xrm-ci-framework-build-tasks.mscrmexportsolution.mscrmexportsolution
+ - waelhamze.xrm-ci-framework-build-tasks.mscrmpublishcustomizations.mscrmpublishcustomizations
+ ev2Tasks:
+ - ev2agentless
+ - ev2rarollout
+ - expressv2internal
+ - vsrm-ev2.ev2-rollout.ev2-rollout-task.ev2rarollout
+ - vsrm-ev2.vss-services-ev2.adm-release-task.expressv2internal
+ signTasks:
+ - EsrpCodeSigning@
+ - 1ES.Signing@
+ # CODESYNC: disallowedPools @ scripts/resourceAccessConfig.json
+ disallowedPools:
+ - M365ReleasePool
+ - M365ReleasePipelines
+ - M365ComplianceTest
+ - M365ComplianceProd
+ - M365ComplianceGcc
+ - M365ComplianceDod
+ - M365ComplianceMC
+ - M365ComplianceLX
+ - M365ComplianceFR
+ - M365ComplianceGM
+ codeQLSupportedBinaryLanguages: csharp,cpp,java,go
+ codeQLSupportedSourceLanguages: javascript,powershell,python,ruby,tsql
+ spmiDisabledOrgs:
+ - 78a0c1d2-887b-4de2-acac-f42021467e0f # 1ESPipelineTemplates-OB, only for testing purposes
+ advancedSecurityPublishEnabledOrgs:
+ - cbad75f8-022e-4112-a6fb-e5312f755f69 # 1ESPipelineTemplates-PPE
+ - 0efb4611-d565-4cd1-9a64-7d6cb6d7d5f0 # mseng
+ - 011b8bdf-6d56-4f87-be0d-0092136884d9 # devdiv
+ - 3da63ab2-6a4c-484b-8c5f-9df97cc64da8 # onedrive
+ - cdcc3dee-d62a-41ee-aded-daf587e1851b # microsoftit
+ - 19422243-19b9-4d85-9ca6-bc961861d287 # msasg
+ - a2fba5bb-e91f-4218-8d9f-3ba6468216b4 # office
+ - 2ce6486e-7d3b-47bb-8e16-5f19a43015c9 # skype
+ - d1a8f71c-7f64-45ad-9c5c-19c2f469d620 # o365exchange
+ - c0cf4e79-2860-48b9-a5f4-0ffff4167045 # msazuredev
+ - cb55739e-4afe-46a3-970f-1b49d8ee7564 # microsoft
+ - c22e3f6e-2072-467d-9342-214b57c9b8fe # domoreexp
+ - c4cc6188-765e-44d7-b2f1-c199b15c3087 # yammer
+ - df21f221-97bd-4539-89b4-4cc1e465102d # aivertical
+ advancedSecurityPublishEnabledProjects:
+ incrementalSDLBinaryAnalysisEnabledOrgs:
+ - 0efb4611-d565-4cd1-9a64-7d6cb6d7d5f0 # mseng
+ incrementalSDLSourceAnalysisEnabledOrgs:
+ # - 0efb4611-d565-4cd1-9a64-7d6cb6d7d5f0 # mseng, enable this after getting more pilots
+ incrementalSDLBinaryAnalysisDisabledProjects:
+ - b924d696-3eae-4116-8443-9a18392d8544 # AzureDevOps
+ defenderForLinuxEnabledOrgs:
+ - cbad75f8-022e-4112-a6fb-e5312f755f69 # 1ESPipelineTemplates-PPE
+ - 0efb4611-d565-4cd1-9a64-7d6cb6d7d5f0 # mseng
+ networkIsolationEnabledOrgs:
+ - cbad75f8-022e-4112-a6fb-e5312f755f69 # 1ESPipelineTemplates-PPE
+ - 0efb4611-d565-4cd1-9a64-7d6cb6d7d5f0 # mseng
+ - 011b8bdf-6d56-4f87-be0d-0092136884d9 # devdiv
+ networkIsolationEnforceModeEnabledProjects:
+ - 7b6a73d1-20cd-49c4-8789-7c3c9289dffb # 1ESPipelinesTest
+ - 9ed2c125-1cd5-4a17-886b-9d267f3a5fab # Domino
+ nuGetAuthenticateEnabledOrgs:
+ - cbad75f8-022e-4112-a6fb-e5312f755f69 # 1ESPipelineTemplates-PPE
+ - 0efb4611-d565-4cd1-9a64-7d6cb6d7d5f0 # mseng
+ allowedSelfHostedMacPools:
+ # 1ES PT PPE
+ - org: cbad75f8-022e-4112-a6fb-e5312f755f69
+ pools:
+ - pt-validation-ppe-mac-pool
+ - Apple1ESPT-validation-PPE
+ # Office
+ - org: a2fba5bb-e91f-4218-8d9f-3ba6468216b4
+ pools:
+ - aceslab-hp-dev
+ - Apple Test VMs
+ - Apple-VM-PPE
+ - Apple-VM-Prod
+ - AppleAuto-Baseline
+ - AppleLabForkReleases
+ - AppleLabMainReleases
+ - AppleLabNextOS
+ - AppleLabNextXcode
+ - AppleLabParking
+ - AppleLabSuperPro
+ - AppleLabTrashcan
+ - AppleMonoRepo
+ - AppleMonoRepo-AutoInfraTest
+ - AppleMonoRepoArm64
+ - AppleRelease
+ - Mac BTW
+ - OE Mac Pool
+ - MacVM Automation
+ - ApexInfra macOS
+ - SEAL Mac Staging
+ - SEAL Mac Kitchen
+ - AppleOfficeTest-dev
+ - AppleSynthetics-PPE
+ - AppleSynthetics
+ - AppleOfficeMonorepo
+ - AppleOfficeMonorepoNextVersion
+ - AppleForkRelease
+ - AppleMainRelease
+ - AppleOfficeNonMonorepo
+ # Skype
+ - org: 2ce6486e-7d3b-47bb-8e16-5f19a43015c9
+ pools:
+ - vsts-mac-1201-xcode-131
+ - vsts-mac-1231-xcode-1331
+ - vsts-mac-131-xcode-142
+ - vsts-mac-131-xcode-142-studio
+ - vsts-mac-1361-xcode-1431
+ - vsts-mac-142-xcode-152
+ - vsts-mac-142-xcode-152-studio
+ - vsts-mac-docker
+ - vsts-mac-arm64
+ - vsts-mac-beta
+ # Microsoft
+ - org: cb55739e-4afe-46a3-970f-1b49d8ee7564
+ pools:
+ - Edge-ADO-Mac-Mojave
+ - Edge-ADO-Mac-Mojave-Dev
+ - Edge-Agenci-MacOS
+ - Edge-Agenci-MacOS-ARM64
+ - Edge-Agenci-MacOS-Catalina
+ - Edge-Agenci-MacOS-Mojave
+ - Edge-Agenci-MacOS-Mojave-Dev
+ - Edge-Goma-Builder-Official
+ - Edge-Mac-Greencamp
+ - Edge-Official-Ios
+ - Edge-Official-Mac
+ - Edge-Official-Mac-Greencamp
+ - Edge-Official-Mac-Test
+ - Edge-Official-Mac-Utility
+ - Edge-Pump-CI
+ - Edge-Pump-CI-Test
+ - EdgeCompliance
+ - XPlatCertificationProd
+ - XplatCertificationProd-ARM
+ # domoreexp
+ - org: c22e3f6e-2072-467d-9342-214b57c9b8fe
+ pools:
+ - ios-2020-mac-minis
+ - MAC-Test
+ - MSTeamsMobileMacMini
+ - MSTeamsMobileMacMiniTK5
+ - MSTeamsMobileMacStaging
+ - MSTeamsMobileMacStudio
+ - Self-Hosted-Electron
+ # devdiv
+ - org: 011b8bdf-6d56-4f87-be0d-0092136884d9
+ pools:
+ - electron-build-macos-test
+ - electron-build-macos-prod
+ - JEG-mac-m1
+ - VSEng-VSMac-Xamarin-Shared
+ - VSEng-VSMac-Xamarin-Shared-Trusted
+ - VSEng-Xamarin-RedmondMacBuildPool-iOS-Untrusted
+ - VSEng-Xamarin-RedmondMacBuildPool-iOS-Trusted
+ - VSEng-Xamarin-RedmondMac-Android-Untrusted
+ - MAUI-Testing
+ # OneCamera
+ - org: 309d13cc-e01e-4116-ba05-992f8a88ae47
+ pools:
+ - macOS
+ # Xamarin
+ - org: d0adf05a-e7d7-4b65-96fe-3f3884d42038
+ pools:
+ - MAUI
+ - MAUI-Testing
+ # msmesh
+ - org: e31be0bd-21bf-4f5e-990a-03f65d42e0a2
+ pools:
+ - agentpool-msmesh-mac
+ reposOptedOutOfCodeQLAutoInjection:
+ - dd5d0c0c-09fa-47f2-9926-004cc7be0bfb # https://dev.azure.com/1ESPipelineTemplates-OB/1ESPipelinesTest/_git/1ESPipelinesTest
+ deleteBaselineEntriesBeforeDate: '2024-02-29 00:00:00Z'
+ deleteOlderCloudBuildBaselines: false # delete baselines older than deleteBaselineEntriesBeforeDate
+ windowsBinaryAnalysisTools:
+ - advancedSecurityPublish
+ - antimalwareScan
+ - binskim
+ - clippy
+ - codeSignValidation
+ - credscan
+ - prefast
+ - roslyn
+ - spotBugs
+ - spmi
+ linuxBinaryAnalysisTools:
+ - advancedSecurityPublish
+ - antimalwareScan
+ - credscan
+ - binskim
+ - clippy
+ m365ClassicClouds:
+ - Public
+ - Gal
+ - Gcc
+ - Gcch
+ - Dod
+ m365SovereignClouds:
+ - USSec
+ - USNat
+ - Bleu
+ - Delos
+ supportedCloudsForNonM365Ev2Workflows:
+ - Public
+ approvalWorkflowsAllowedToOverrideConditions:
+ - lockbox
+ sdpWorkflowsAllowedToOverrideConditions:
+ - bedrock
+ m365CloudsForDividedHeraFlow:
+ - Gal
+ - Gcc
+ - Gcch
+ - Dod
+ releaseWorkflowsAllowedToBypassCheckoutStepCheckForSDL:
+ - ev2-classic
+ - ev2-ra
+ - m365-ev2-classic
+ - m365-ev2-ra
+ - m365-replication
+ pipelinesWithDependencyOnCheckout:
+ - 7b6a73d1-20cd-49c4-8789-7c3c9289dffb/3461 # 1ESPipelineTemplates-PPE/1ESPipelinesTest
+ - 7b6a73d1-20cd-49c4-8789-7c3c9289dffb/3466
+ - 6fb8cb7d-5623-420c-946b-ca74e63ac8ba/5003 # apidrop/Content CI
+ - 6fb8cb7d-5623-420c-946b-ca74e63ac8ba/5008
+ - 6fb8cb7d-5623-420c-946b-ca74e63ac8ba/5288
+ - 6fb8cb7d-5623-420c-946b-ca74e63ac8ba/5554
+ - 11ac29bc-5a99-400b-b225-01839ab0c9df/12791 # domoreexp/Teamspace
+ - 11ac29bc-5a99-400b-b225-01839ab0c9df/12796
+ - 7b69060e-88aa-4323-9687-88cc80f6f077/235 # ghostbusters/Development
+ - 7b69060e-88aa-4323-9687-88cc80f6f077/237
+ - 7b69060e-88aa-4323-9687-88cc80f6f077/245
+ - 7b69060e-88aa-4323-9687-88cc80f6f077/274
+ - 7b69060e-88aa-4323-9687-88cc80f6f077/275
+ - 7b69060e-88aa-4323-9687-88cc80f6f077/276
+ - 7b69060e-88aa-4323-9687-88cc80f6f077/280
+ - 7b69060e-88aa-4323-9687-88cc80f6f077/283
+ - 71221402-f755-4fe2-9b9a-35bee80c244f/561 # microsoftdigitallearning/PEDTsTools
+ - 71221402-f755-4fe2-9b9a-35bee80c244f/580
+ - 3d1a556d-2042-4a45-9dae-61808ff33d3b/46254 # microsoftit/OneITVSO
+ - 3d1a556d-2042-4a45-9dae-61808ff33d3b/65844
+ - 3d1a556d-2042-4a45-9dae-61808ff33d3b/65456
+ - 3d1a556d-2042-4a45-9dae-61808ff33d3b/24074
+ - 99bd1c70-ead2-4d16-85f3-5d931d0eefc8/4887 # mpsit/ScrumGitProjects1
+ - 99bd1c70-ead2-4d16-85f3-5d931d0eefc8/4900
+ - 99bd1c70-ead2-4d16-85f3-5d931d0eefc8/4941
+ - 99bd1c70-ead2-4d16-85f3-5d931d0eefc8/5082
+ - 99bd1c70-ead2-4d16-85f3-5d931d0eefc8/5103
+ - 99bd1c70-ead2-4d16-85f3-5d931d0eefc8/5341
+ - 99bd1c70-ead2-4d16-85f3-5d931d0eefc8/5477
+ - 99bd1c70-ead2-4d16-85f3-5d931d0eefc8/5504
+ - 99bd1c70-ead2-4d16-85f3-5d931d0eefc8/5561
+ - 99bd1c70-ead2-4d16-85f3-5d931d0eefc8/5564
+ - 99bd1c70-ead2-4d16-85f3-5d931d0eefc8/5573
+ - 99bd1c70-ead2-4d16-85f3-5d931d0eefc8/5576
+ - 99bd1c70-ead2-4d16-85f3-5d931d0eefc8/5578
+ - 99bd1c70-ead2-4d16-85f3-5d931d0eefc8/5594
+ - 99bd1c70-ead2-4d16-85f3-5d931d0eefc8/5642
+ - 99bd1c70-ead2-4d16-85f3-5d931d0eefc8/5682
+ - 99bd1c70-ead2-4d16-85f3-5d931d0eefc8/5683
+ - db635de9-6980-4e4a-9a68-c3252d82e537/375889 # msazure/OneAgile
+ - 708e929f-6bd5-415a-8daf-25b1dac08dd8/15045 # mseng/1ES
+ - 9ed2c125-1cd5-4a17-886b-9d267f3a5fab/18587 # mseng/Domino
+ - 9ed2c125-1cd5-4a17-886b-9d267f3a5fab/18586
+ - 9ed2c125-1cd5-4a17-886b-9d267f3a5fab/18629
+ - b924d696-3eae-4116-8443-9a18392d8544/15146 # mseng/AzureDevOps
+ - 906d4e3c-a9ba-4056-8440-4cdd68a1d176/30308 # office/CLE
+ - 40af5200-1775-45d6-b64b-4c951cbb7170/39 # cmr-cap/CAP CMR Hub
+ - 3d7ddd91-4d8e-4438-8de0-86863a7bac54/35214 # msasg/BingDNS
+ - 3d7ddd91-4d8e-4438-8de0-86863a7bac54/38188
+ - a321292d-4587-445a-8343-5d5460d8111e/455 # mswps/LBAM
+ - 959adb23-f323-4d52-8203-ff34e5cbeefa/38821 # o365exchange/O365%20Core
+ - 959adb23-f323-4d52-8203-ff34e5cbeefa/39249
+ - 959adb23-f323-4d52-8203-ff34e5cbeefa/39250
+ - 959adb23-f323-4d52-8203-ff34e5cbeefa/39269
+ - 959adb23-f323-4d52-8203-ff34e5cbeefa/39272
+ - 959adb23-f323-4d52-8203-ff34e5cbeefa/39287
+ - 959adb23-f323-4d52-8203-ff34e5cbeefa/39312
+ - 959adb23-f323-4d52-8203-ff34e5cbeefa/39365
+ - 959adb23-f323-4d52-8203-ff34e5cbeefa/39370
+ - 959adb23-f323-4d52-8203-ff34e5cbeefa/39374
+ - 959adb23-f323-4d52-8203-ff34e5cbeefa/39546
+ - c978ac10-fc79-4879-9a73-42adb531be5f/2502 # onebranch/Pipeline
+ - 9edb3992-8769-4242-8885-51fd5e080cac/1572 # starlightagilebi/FDnE_Plat
+ - 9edb3992-8769-4242-8885-51fd5e080cac/1638
+ - 2d142023-d18c-4947-b848-6a22d942ccbc/2249 # worldwidelearning/WWL Reporting and Insights
+ - 1f524086-a280-4ac5-a5dd-690e2b444b6e/543 # cdsops
+ - 43d28e05-9930-4a28-9ab2-1b02a03f859e/86 # quest-cet/CEHub
+ - 757c53e6-6506-4367-a785-1ac4ff3973d4/3216 # 1edu/Analytics
+ - 757c53e6-6506-4367-a785-1ac4ff3973d4/3227
+ - 939e4efb-83bb-4c75-9f9a-34bbcb86da50/7637 # vsogd/SalesForecastAndAdjustmentTool
+ - efd5621d-b2a7-41bd-8c11-df986ef39d83/638 # microsoftdigitallearning/LORM-CXP
+ - efd5621d-b2a7-41bd-8c11-df986ef39d83/919
+ pipelinesWithMultipleEv2RADeploymentsPerCloud:
+ - 99bd1c70-ead2-4d16-85f3-5d931d0eefc8/5594 # mpsit/ScrumGitProjects1
+ - 99bd1c70-ead2-4d16-85f3-5d931d0eefc8/5690
+ buildJobTypes:
+ - agentJob
+ - artifactJob
+ - buildJob
+ - cloudBuildJob
+ - containerBuildJob
+ enableHeraGatingOrgs:
+ - a2fba5bb-e91f-4218-8d9f-3ba6468216b4 # office
+ - 2ce6486e-7d3b-47bb-8e16-5f19a43015c9 # skype
+ - 4a05b22b-56d9-4015-84eb-356e83cc96ca # intentional
+ - c22e3f6e-2072-467d-9342-214b57c9b8fe # domoreexp
+ - 4d8bb995-a53e-4bdb-877a-74fa78f6eb5e # msfast
+ - d1a8f71c-7f64-45ad-9c5c-19c2f469d620 # o365exchange
+ - 41bf5486-7392-4b7a-a7e3-a735c767e3b3 # msazure
+ deploymentLifeCycleHooks:
+ - preDeploy
+ - deploy
+ - routeTraffic
+ - postRouteTraffic
+
+- name: featureFlags
+ type: object
+ default: {}
+
+- name: serviceTreeId
+ type: string
+
+- name: sdp
+ type: object
+
+resources:
+ containers:
+ - ${{ each container_pair in parameters.containers }}:
+ - ${{ if container_pair.value.image }}:
+ - container: ${{ container_pair.key }}
+ ${{ each pair in container_pair.value }}:
+ ${{ if notIn(pair.key, 'tenantId', 'identityType', 'registry') }}:
+ ${{ pair.key }}: ${{ pair.value }}
+
+stages:
+- template: Stages/Ev2StagesValidation.yml
+ parameters:
+ stages: ${{ parameters.stages }}
+ allowMultipleEv2RA: ${{ eq(coalesce(parameters.featureFlags.allowMultipleEv2RA, containsValue(parameters.internalConfig.pipelinesWithMultipleEv2RADeploymentsPerCloud, format('{0}/{1}', variables['System.TeamProjectId'], variables['System.DefinitionId'])), false), true) }}
+ supportedClouds:
+ - ${{ each cloud in parameters.internalConfig.m365ClassicClouds }}:
+ - ${{ cloud }}
+ - ${{ each cloud in parameters.internalConfig.m365SovereignClouds }}:
+ - ${{ cloud }}
+ - ${{ each cloud in parameters.internalConfig.supportedCloudsForNonM365Ev2Workflows }}:
+ - ${{ cloud }}
+
+- ${{ each stage in parameters.stages }}:
+ - ${{ if eq(stage.templateContext.type, 'releaseStage') }}:
+ - template: Stages/ReleaseStage.yml
+ parameters:
+ stage: ${{ stage }}
+ pool: ${{ parameters.pool }}
+ isOfficial: ${{ parameters.isOfficial }}
+ internalConfig: ${{ parameters.internalConfig }}
+ sdl: ${{ parameters.sdl }}
+ - ${{ else }}:
+ - template: Stages/Stage.yml
+ parameters:
+ stage: ${{ stage }}
+ pool: ${{ parameters.pool }}
+ enforcedSdl: ${{ parameters.enforcedSdl }}
+ spokeEsEnforcedSdl: ${{ parameters.spokeEsEnforcedSdl }}
+ pipelineSdl: ${{ parameters.sdl }}
+ containers: ${{ parameters.containers }}
+ hasCloudBuildJob: ${{ containsValue(parameters.stages.*.jobs.*.templateContext.type, 'cloudBuildJob') }}
+ authenticatedContainerRegistries: ${{ parameters.authenticatedContainerRegistries }}
+ settings: ${{ parameters.settings }}
+ isOfficial: ${{ parameters.isOfficial }}
+ featureFlags: ${{ parameters.featureFlags }}
+ serviceTreeId: ${{ parameters.serviceTreeId }}
+ sdp: ${{ parameters.sdp }}
+ ${{ if containsValue(parameters.stages.*.jobs.*.templateContext.type, 'cloudBuildJob') }}:
+ internalConfig:
+ ${{ each config in parameters.internalConfig }}:
+ ${{ config.key }}: ${{ config.value }}
+ skipCGInNonCloudBuildJobs: ${{ coalesce(parameters.settings.skipComponentGovernanceInAllJobsForCloudBuildPipeline, true) }}
+ ${{ else }}:
+ internalConfig:
+ ${{ each config in parameters.internalConfig }}:
+ ${{ config.key }}: ${{ config.value }}
+ skipCGInNonCloudBuildJobs: false
+
+# Add the worker stages associated to each distributed build stage
+# These stages will only replicate build jobs
+- ${{ each stage in parameters.stages }}:
+ - ${{ if containsValue(stage.jobs.*.templateContext.distribution.enabled, 'true') }}:
+ - template: Stages/DistributedWorkerStage.yml
+ parameters:
+ stage: ${{ stage }}
+ pool: ${{ parameters.pool }}
+ enforcedSdl: ${{ parameters.enforcedSdl }}
+ pipelineSdl: ${{ parameters.sdl }}
+ spokeEsEnforcedSdl: ${{ parameters.spokeEsEnforcedSdl }}
+ containers: ${{ parameters.containers }}
+ authenticatedContainerRegistries: ${{ parameters.authenticatedContainerRegistries }}
+ settings: ${{ parameters.settings }}
+ isOfficial: ${{ parameters.isOfficial }}
+ featureFlags: ${{ parameters.featureFlags }}
+ serviceTreeId: ${{ parameters.serviceTreeId }}
+ internalConfig: ${{ parameters.internalConfig }}
+ sdp: ${{ parameters.sdp }}
+
+- template: Stages/SDLSourcesTagStage.yml
+ parameters:
+ stages: ${{ parameters.stages }}
+ pool: ${{ parameters.pool }}
+ enforcedSdl: ${{ parameters.enforcedSdl }}
+ sdl: ${{ parameters.sdl }}
+ spokeEsEnforcedSdl: ${{ parameters.spokeEsEnforcedSdl }}
+ containers: ${{ parameters.containers }}
+ settings: ${{ parameters.settings }}
+ isOfficial: ${{ parameters.isOfficial }}
+ featureFlags: ${{ parameters.featureFlags }}
+ serviceTreeId: ${{ parameters.serviceTreeId }}
+ internalConfig: ${{ parameters.internalConfig }}
+ sdp: ${{ parameters.sdp }}
+ customBuildTags: ${{ parameters.customBuildTags }}
+ customLogIssues: ${{ parameters.customLogIssues }}
+ buildJobs:
+ - ${{ each stage in parameters.stages }}:
+ - ${{ each job in stage.jobs }}:
+ # A build job is one that is explicitly marked with a known build type or one that isn't but uses an agent
+ - ${{ if or(job.templateContext.type, not(eq(job.pool.name, 'server'))) }}:
+ - ${{ if containsValue(parameters.internalConfig.buildJobTypes, coalesce(job.templateContext.type, 'buildJob')) }}:
+ - ${{ job }}
+ productionReleaseJobs:
+ - ${{ each stage in parameters.stages }}:
+ - ${{ each job in stage.jobs }}:
+ - ${{ if and(eq(job.templateContext.type, 'releaseJob'), eq(coalesce(job.templateContext.isProduction, stage.templateContext.isProduction, 'false'), 'true')) }}:
+ - ${{ job }}
+ nonProductionReleaseJobs:
+ - ${{ each stage in parameters.stages }}:
+ - ${{ each job in stage.jobs }}:
+ - ${{ if and(eq(job.templateContext.type, 'releaseJob'), eq(coalesce(job.templateContext.isProduction, stage.templateContext.isProduction, 'false'), 'false')) }}:
+ - ${{ job }}
+ runSdlStage:
+ - ${{ if or(eq(length(parameters.stages), 0), containsValue(parameters.stages.*.templateContext.type, 'releaseStage')) }}:
+ - true # If no stages or contains releaseStage
+ - ${{ elseif or(containsValue(parameters.stages.*.jobs.*.templateContext.type, 'cloudBuildJob'), parameters.settings.skipSdlSourceScan) }}:
+ - false
+ - ${{ else }}:
+ - ${{ each stage in parameters.stages }}:
+ - ${{ each job in stage.jobs }}:
+ - ${{ if and(or(eq(job.pool.name, 'server'), eq(job.templateContext.type, 'artifactJob')), containsValue(parameters.stages.*.jobs.*.templateContext.type, 'releaseJob')) }}:
+ - false # If job is agentless or artifact job (both cannot checkout) and used with release pipelines
+ - ${{ elseif eq(job.templateContext.type, 'releaseJob') }}:
+ - ${{ if containsValue(parameters.internalConfig.releaseWorkflowsAllowedToBypassCheckoutStepCheckForSDL, job.templateContext.workflow) }}:
+ - false # If job is a release workflow that is known to not checkout
+ - ${{ elseif eq(coalesce(parameters.featureFlags.allowCheckoutInReleaseJobs, containsValue(parameters.internalConfig.pipelinesWithDependencyOnCheckout, format('{0}/{1}', variables['System.TeamProjectId'], variables['System.DefinitionId'])), false), true) }}:
+ - true # If customer pipeline is in the allow list or sets the allowCheckoutInReleaseJobs feature flag, checkout is enabled
+ - ${{ else }}:
+ - false # For all other release jobs, 1ES PT disables checkout
+ - ${{ else }}:
+ - true # All other jobs require SDL stage to run
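Review bot: `internalConfig` is declared as an ordinary template parameter with a default, so the comment above it ("can't be overriden by customers") holds only if whatever invokes this template never forwards a caller-supplied `internalConfig`; nothing in this file enforces that. The lists it carries (`releaseTasks`, `disallowedPools`, `allowedSelfHostedMacPools`, `pipelinesWithDependencyOnCheckout`) act as policy, so I would state the constraint next to the declaration, e.g. `# internalConfig must only ever take this default; entry-point templates must not expose or forward it.` Relatedly, in `allowMultipleEv2RA` and in the release-job branch of `runSdlStage`, `coalesce(parameters.featureFlags.…, containsValue(…), false)` evaluates the caller-supplied flag before the allow-list, so a pipeline that sets the flag never consults the list; the inline comment documents this for `allowCheckoutInReleaseJobs`, and `allowMultipleEv2RA` deserves the same explicit note. The default also embeds organization and project GUIDs and agent pool names, which is worth confirming as appropriate for this repository given that the commit is described as a test of the ADO setup.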