PowerShell · PaulHigin · Dec 1, 2020 · Dec 1, 2020
diff --git a/.ci/ci.yml b/.ci/ci.yml
@@ -12,8 +12,12 @@ pr:
     #- master
     - development
 
-variables:
-  - group: ESRP
+resources:
+  repositories:
+  - repository: ComplianceRepo
+    type: github
+    endpoint: ComplianceGHRepo
+    name: PowerShell/compliance
 
 stages:
 - stage: Build
@@ -22,7 +26,7 @@ stages:
   - job: BuildPkg
     displayName: Build Package
     pool:
-      vmImage: windows-2019
+      vmImage: windows-latest
 
     steps:
     - powershell: |
@@ -96,196 +100,14 @@ stages:
         $modPath = Join-Path -Path $modulePath -ChildPath PSPackageProject
         Write-Verbose -Verbose "Importing PSPackageProject from: $modPath"
         Import-Module -Name $modPath -Force
-
-        $config = Get-PSPackageProjectConfiguration
-
-        # Created files signing directory
-        $srcPath = "$($config.BuildOutputPath)\$($config.ModuleName)"
-        $createdSignSrcPath = "$($config.BuildOutputPath)\CreatedFiles"
-        if (! (Test-Path -Path $createdSignSrcPath)) {
-          $null = New-Item -Path $createdSignSrcPath -ItemType Directory -Verbose
-        }
-        Copy-Item -Path (Join-Path -Path $srcPath -ChildPath "PowerShellGet.psd1") -Dest $createdSignSrcPath -Force -Verbose
-        Copy-Item -Path (Join-Path -Path $srcPath -ChildPath "PSModule.psm1") -Dest $createdSignSrcPath -Force -Verbose
-        Copy-Item -Path (Join-Path -Path $srcPath -ChildPath "DscResources") -Dest $createdSignSrcPath -Recurse -Force -Verbose
-        Copy-Item -Path (Join-Path -Path $srcPath -ChildPath "Modules") -Dest $createdSignSrcPath -Recurse -Force -Verbose
-
-        $net472Path = Join-Path -Path $createdSignSrcPath -ChildPath "net472"
-        if (! (Test-Path -Path $net472Path)) {
-          $null = New-Item -Path $net472Path -ItemType Directory -Verbose
-        }
-        Copy-Item -Path (Join-Path -Path $srcPath -ChildPath "net472\PowerShellGet.*") -Dest $net472Path -Force -Verbose
-
-        $netStandardPath = Join-Path -Path $createdSignSrcPath -ChildPath "netstandard2.0"
-        if (! (Test-Path -Path $netStandardPath)) {
-          $null = New-Item -Path $netStandardPath -ItemType Directory -Verbose
-        }
-        Copy-Item -Path (Join-Path -Path $srcPath -ChildPath "netstandard2.0\PowerShellGet.*") -Dest $netStandardPath -Force -Verbose
-
-        $signOutPath = "$($config.SignedOutputPath)\$($config.ModuleName)"
-        if (! (Test-Path -Path $signOutPath)) {
-          $null = New-Item -Path $signOutPath -ItemType Directory
-        }
-
-        # Set signing src path variable
-        $vstsCommandString = "vso[task.setvariable variable=signSrcPath]${createdSignSrcPath}"
-        Write-Host "sending " + $vstsCommandString
-        Write-Host "##$vstsCommandString"
-
-        $outSignPath = "$($config.SignedOutputPath)\$($config.ModuleName)"
-        if (! (Test-Path -Path $outSignPath)) {
-          $null = New-Item -Path $outSignPath -ItemType Directory -Verbose
-        }
-
-        # Set signing out path variable
-        $vstsCommandString = "vso[task.setvariable variable=signOutPath]${outSignPath}"
-        Write-Host "sending " + $vstsCommandString
-        Write-Host "##$vstsCommandString"
-      displayName: Set up for module created files code signing
-      condition: and(and(succeeded(), eq(variables['Build.Reason'], 'Manual')), ne(variables['SkipSigning'], 'True'))
-
-    - template: ./templates/sign.yml
-      parameters:
-        buildOutputPath: $(signSrcPath)
-        signOutputPath: $(signOutPath)
-        certificateId: "CP-230012"
-        pattern: '*.dll,*.psd1,*.psm1,*.ps1xml,*.mof'
-
-    - pwsh: |
-        $modulePath = Join-Path -Path $env:AGENT_TEMPDIRECTORY -ChildPath 'TempModules'
-        $env:PSModulePath = $modulePath + [System.IO.Path]::PathSeparator + $env:PSModulePath
-        $modPath = Join-Path -Path $modulePath -ChildPath PSPackageProject
-        Write-Verbose -Verbose "Importing PSPackageProject from: $modPath"
-        Import-Module -Name $modPath -Force
-
         $config = Get-PSPackageProjectConfiguration
-
-        $signOutPath = "$($config.SignedOutputPath)\$($config.ModuleName)"
-        if (! (Test-Path -Path $signOutPath)) {
-          $null = New-Item -Path $signOutPath -ItemType Directory
-        }
-
-        # Third party files signing directory
-        $srcPath = "$($config.BuildOutputPath)\$($config.ModuleName)"
-        $thirdPartySignSrcPath = "$($config.BuildOutputPath)\ThirdParty"
-        if (! (Test-Path -Path $thirdPartySignSrcPath)) {
-          $null = New-Item -Path $thirdPartySignSrcPath -ItemType Directory -Verbose
-        }
-
-        # Net472 directory
-        $net472Path = Join-Path -Path $thirdPartySignSrcPath -ChildPath "net472"
-        if (! (Test-Path -Path $net472Path)) {
-          $null = New-Item -Path $net472Path -ItemType Directory -Verbose
-        }
-        Get-ChildItem -Path (Join-Path -Path $srcPath -ChildPath "net472") -Filter '*.dll' | Foreach-Object {
-          if ($_.Name -ne 'PowerShellGet.dll') {
-            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
-            if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike '*Microsoft*' -or $sig.SignerCertificate.Issuer -notlike '*Microsoft Code Signing PCA*') {
-              # Copy for third party signing
-              Copy-Item -Path $_.FullName -Dest $net472Path -Force -Verbose
-            }
-          }
-        }
-
-        # NetStandard directory
-        $netStandardPath = Join-Path -Path $thirdPartySignSrcPath -ChildPath "netstandard2.0"
-        if (! (Test-Path -Path $netStandardPath)) {
-          $null = New-Item -Path $netStandardPath -ItemType Directory -Verbose
-        }
-        Get-ChildItem -Path (Join-Path -Path $srcPath -ChildPath "netstandard2.0") -Filter '*.dll' | Foreach-Object {
-          if ($_.Name -ne 'PowerShellGet.dll') {
-            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
-            if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike '*Microsoft*' -or $sig.SignerCertificate.Issuer -notlike '*Microsoft Code Signing PCA*') {
-              # Copy for third party signing
-              Copy-Item -Path $_.FullName -Dest $netStandardPath -Force -Verbose
-            }
-          }
-        }
-
-        # Set signing src path variable
-        $vstsCommandString = "vso[task.setvariable variable=signSrcPath]${thirdPartySignSrcPath}"
-        Write-Host "sending " + $vstsCommandString
-        Write-Host "##$vstsCommandString"
-
-        # Set signing out path variable
-        $vstsCommandString = "vso[task.setvariable variable=signOutPath]${signOutPath}"
-        Write-Host "sending " + $vstsCommandString
-        Write-Host "##$vstsCommandString"
-      displayName: Set up for module third party files code signing
-      condition: and(and(succeeded(), eq(variables['Build.Reason'], 'Manual')), ne(variables['SkipSigning'], 'True'))
-
-    - template: ./templates/sign.yml
-      parameters:
-        buildOutputPath: $(signSrcPath)
-        signOutputPath: $(signOutPath)
-        certificateId: "CP-231522"
-        pattern: '*.dll'
-
-    - pwsh: |
-        $modulePath = Join-Path -Path $env:AGENT_TEMPDIRECTORY -ChildPath 'TempModules'
-        $env:PSModulePath = $modulePath + [System.IO.Path]::PathSeparator + $env:PSModulePath
-        $modPath = Join-Path -Path $modulePath -ChildPath PSPackageProject
-        Write-Verbose -Verbose "Importing PSPackageProject from: $modPath"
-        Import-Module -Name $modPath -Force
-
-        $config = Get-PSPackageProjectConfiguration
-
-        $srcPath = "$($config.BuildOutputPath)\$($config.ModuleName)"
-        $signOutPath = "$($config.SignedOutputPath)\$($config.ModuleName)"
-        if (! (Test-Path -Path $signOutPath)) {
-          $null = New-Item -Path $signOutPath -ItemType Directory
-        }
-
-        # en-US
-        Copy-Item -Path (Join-Path -Path $srcPath -ChildPath "en-US") -Dest $signOutPath -Recurse
-
-        # Net472 directory
-        $net472SignedOutPath = Join-Path -Path $signOutPath -ChildPath "net472"
-        if (! (Test-Path -Path $net472SignedOutPath)) {
-          $null = New-Item -Path $net472SignedOutPath -ItemType Directory -Verbose
-        }
-        Get-ChildItem -Path (Join-Path -Path $srcPath -ChildPath "net472") -Filter '*.dll' | Foreach-Object {
-          if ($_.Name -ne 'PowerShellGet.dll') {
-            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
-            if ($sig.Status -eq 'Valid' -and ($sig.SignerCertificate.Subject -like '*Microsoft*' -and $sig.SignerCertificate.Issuer -like '*Microsoft Code Signing PCA*')) {
-              # Copy already signed files directly to output
-              Copy-Item -Path $_.FullName -Dest $net472SignedOutPath -Force -Verbose
-            }
-          }
-        }
-
-        # NetStandard directory
-        $netStandardSignedOutPath = Join-Path -Path $signOutPath -ChildPath "netstandard2.0"
-        if (! (Test-Path -Path $netStandardSignedOutPath)) {
-          $null = New-Item -Path $netStandardSignedOutPath -ItemType Directory -Verbose
-        }
-        Get-ChildItem -Path (Join-Path -Path $srcPath -ChildPath "netstandard2.0") -Filter '*.dll' | Foreach-Object {
-          if ($_.Name -ne 'PowerShellGet.dll') {
-            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
-            if ($sig.Status -eq 'Valid' -and ($sig.SignerCertificate.Subject -like '*Microsoft*' -and $sig.SignerCertificate.Issuer -like '*Microsoft Code Signing PCA*')) {
-              # Copy already signed files directly to output
-              Copy-Item -Path $_.FullName -Dest $netStandardSignedOutPath -Force -Verbose
-            }
-          }
-        }
-      displayName: Copy already properly signed third party files
-      condition: and(and(succeeded(), eq(variables['Build.Reason'], 'Manual')), ne(variables['SkipSigning'], 'True'))
-
-    - pwsh: |
-        $modulePath = Join-Path -Path $env:AGENT_TEMPDIRECTORY -ChildPath 'TempModules'
-        $env:PSModulePath = $modulePath + [System.IO.Path]::PathSeparator + $env:PSModulePath
-        $modPath = Join-Path -Path $modulePath -ChildPath PSPackageProject
-        Write-Verbose -Verbose "Importing PSPackageProject from: $modPath"
-        Import-Module -Name $modPath -Force
         #
-        if ($env:SkipSigning -eq 'True')
-        {
-          $(Build.SourcesDirectory)/build.ps1 -Publish
-        }
-        else
-        {
-          $(Build.SourcesDirectory)/build.ps1 -Publish -Signed
-        }
+        $srcModulePath = Resolve-Path -Path "$($config.BuildOutputPath)/$($config.ModuleName)"
+        Get-ChildItem $srcModulePath
+        $artifactName = "$($config.ModuleName)"
+        Write-Host "##vso[artifact.upload containerfolder=$artifactName;artifactname=$artifactName;]$srcModulePath"
+        #
+        $(Build.SourcesDirectory)/build.ps1 -Publish
       displayName: Create module artifact
 
 - stage: Compliance
@@ -294,9 +116,18 @@ stages:
   jobs:
   - job: ComplianceJob
     pool:
-      vmImage: windows-2019
+      vmImage: windows-latest
     steps:
-    - template: compliance.yml
+    - checkout: self
+      clean: true
+    - checkout: ComplianceRepo
+      clean: true
+    - download: current
+      artifact: 'PowerShellGet'
+    - template: ci-compliance.yml@ComplianceRepo
+      parameters:
+        # credscan
+        suppressionsFile: ''
 
 - stage: Test
   displayName: Test Package
@@ -306,13 +137,13 @@ stages:
     parameters:
       jobName: TestPkgWin
       displayName: PowerShell Core on Windows
-      imageName: windows-2019
+      imageName: windows-latest
 
   - template: test.yml
     parameters:
       jobName: TestPkgWinPS
       displayName: Windows PowerShell on Windows
-      imageName: windows-2019
+      imageName: windows-latest
       powershellExecutable: powershell
 
 #  - template: test.yml
@@ -326,9 +157,3 @@ stages:
 #      jobName: TestPkgWinMacOS
 #      displayName: PowerShell Core on macOS
 #      imageName: macOS-10.14
-
-- stage: Release
-  displayName: Release Package
-  condition: and(and(succeeded(), eq(variables['Build.Reason'], 'Manual')), eq(variables['Publish'], 'True'))
-  jobs:
-  - template: release.yml
diff --git a/.ci/compliance.yml b/.ci/compliance.yml