From 1ed48b18fb196bae0c8d4c7e9a0e5d3cb47d822c Mon Sep 17 00:00:00 2001
From: Aditya Patwardhan
Date: Tue, 12 Mar 2024 11:05:27 -0700
Subject: [PATCH 01/33] Updates to signing
---
 .pipelines/OSS_Microsoft_PSSA-Official.yml | 56 ++++++++++++++--------
 1 file changed, 36 insertions(+), 20 deletions(-)
diff --git a/.pipelines/OSS_Microsoft_PSSA-Official.yml b/.pipelines/OSS_Microsoft_PSSA-Official.yml
index 7500f4050..377818512 100644
--- a/.pipelines/OSS_Microsoft_PSSA-Official.yml
+++ b/.pipelines/OSS_Microsoft_PSSA-Official.yml
@@ -114,27 +114,43 @@ extends: Write-Host "##$vstsCommandString" displayName: Setup variables for signing - - template: EsrpSign.yml@ComplianceRepo - parameters: - buildOutputPath: $(signSrcPath) - signOutputPath: $(signOutStep1) - certificateId: "CP-230012" - useMinimatch: true - pattern: | - **\*.psd1 - **\*.psm1 - **\*.ps1xml - **\Microsoft*.dll + - task: onebranch.pipeline.signing@1 + displayName: 'Sign the build output' + inputs: + command: 'sign' + cp_code: 'CP-230012' + files_to_sign: '**\*.psd1;**\*.psm1','**\*.ps1xml','**\Microsoft*.dll' + search_root: $(signSrcPath) - - template: EsrpSign.yml@ComplianceRepo - parameters: - buildOutputPath: $(signOutStep1) - signOutputPath: $(signOutPath) - certificateId: "CP-231522" - useMinimatch: true - pattern: | - **/Pluralize*.dll - **/Newtonsoft*.dll + - task: onebranch.pipeline.signing@1 + displayName: 'Sign the build output' + inputs: + command: 'sign' + cp_code: 'CP-231522' + files_to_sign: '**/Pluralize*.dll', '**/Newtonsoft*.dll' + search_root: $(signSrcPath) + + # - template: EsrpSign.yml@ComplianceRepo + # parameters: + # buildOutputPath: $(signSrcPath) + # signOutputPath: $(signOutStep1) + # certificateId: "CP-230012" + # useMinimatch: true + # pattern: | + # **\*.psd1 + # **\*.psm1 + # **\*.ps1xml + # **\Microsoft*.dll + + # - template: EsrpSign.yml@ComplianceRepo + # parameters: + # buildOutputPath: $(signOutStep1) + # signOutputPath: $(signOutPath) + # certificateId: "CP-231522" + # useMinimatch: true + # pattern: | + # **/Pluralize*.dll + # **/Newtonsoft*.dll - template: Sbom.yml@ComplianceRepo parameters: From b74f20274ce3301fe82716d8e398b14060037d84 Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Wed, 13 Mar 2024 10:47:02 -0700 Subject: [PATCH 02/33] fix files to sign --- .pipelines/OSS_Microsoft_PSSA-Official.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
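Review bot: Both new `onebranch.pipeline.signing@1` tasks sign in place under `search_root: $(signSrcPath)`, whereas the ESRP steps they replace chained `$(signSrcPath)` → `$(signOutStep1)` → `$(signOutPath)`; after this hunk nothing writes signed files into `$(signOutPath)`, yet that directory is still created by the setup step above and, as later hunks in this series show, still consumed as the SBOM drop (`BuildDropPath: $(signOutPath)`), the nupkg source and `GDN_CODESIGN_TARGETDIRECTORY`. Either point those consumers at `$(signSrcPath)` or copy the signed tree into `$(signOutPath)` after the second signing task, and drop the now-unused `signOutStep1` creation. Keeping the two old templates as a 19-line commented-out block preserves nothing that git history does not; delete them instead.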
diff --git a/.pipelines/OSS_Microsoft_PSSA-Official.yml b/.pipelines/OSS_Microsoft_PSSA-Official.yml index 377818512..1b993c5b6 100644 --- a/.pipelines/OSS_Microsoft_PSSA-Official.yml +++ b/.pipelines/OSS_Microsoft_PSSA-Official.yml @@ -119,7 +119,7 @@ extends: inputs: command: 'sign' cp_code: 'CP-230012' - files_to_sign: '**\*.psd1;**\*.psm1','**\*.ps1xml','**\Microsoft*.dll' + files_to_sign: '**\*.psd1;**\*.psm1;**\*.ps1xml;**\Microsoft*.dll' search_root: $(signSrcPath) - task: onebranch.pipeline.signing@1 @@ -127,7 +127,7 @@ extends: inputs: command: 'sign' cp_code: 'CP-231522' - files_to_sign: '**/Pluralize*.dll', '**/Newtonsoft*.dll' + files_to_sign: '**/Pluralize*.dll;**/Newtonsoft*.dll' search_root: $(signSrcPath) # - template: EsrpSign.yml@ComplianceRepo From 9a24c68670f57cdaf337984adaad292600edad53 Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Wed, 13 Mar 2024 11:51:52 -0700 Subject: [PATCH 03/33] sbom changes --- .pipelines/OSS_Microsoft_PSSA-Official.yml | 94 ++++++++++++---------- 1 file changed, 53 insertions(+), 41 deletions(-) diff --git a/.pipelines/OSS_Microsoft_PSSA-Official.yml b/.pipelines/OSS_Microsoft_PSSA-Official.yml index 1b993c5b6..64a171aed 100644 --- a/.pipelines/OSS_Microsoft_PSSA-Official.yml +++ b/.pipelines/OSS_Microsoft_PSSA-Official.yml @@ -31,8 +31,10 @@ extends: parameters: customTags: 'ES365AIMigrationTooling' globalSdl: + disableLegacyManifest: true sbom: - enabled: false + enabled: true + packageName: Microsoft.PowerShell.ScriptAnalyzer codeql: compiled: enabled: true @@ -48,13 +50,12 @@ extends: enabled: false stages: - - stage: Build - displayName: Build + - stage: stagebuild + displayName: Build Files jobs: - - job: Build_Job - displayName: Build Microsoft.PowerShell.ScriptAnalyzer + - job: jobbuild + displayName: Build Microsoft.PowerShell.ScriptAnalyzer Files variables: - - group: ESRP - name: ob_outputDirectory value: '$(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT' - name: repoRoot 
@@ -110,6 +111,8 @@ extends: $moduleData = Import-PowerShellDataFile "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA/Engine/PSScriptAnalyzer.psd1" $moduleVersion = $moduleData.ModuleVersion $vstsCommandString = "vso[task.setvariable variable=moduleVersion]${moduleVersion}" + $vstsCommandString = "vso[task.setvariable variable=ob_sdl_sbom_packageversion]${moduleVersion}" + Write-Host "sending $vstsCommandString" Write-Host "##$vstsCommandString" displayName: Setup variables for signing @@ -118,7 +121,7 @@ extends: displayName: 'Sign the build output' inputs: command: 'sign' - cp_code: 'CP-230012' + signing_profile: external_distribution files_to_sign: '**\*.psd1;**\*.psm1;**\*.ps1xml;**\Microsoft*.dll' search_root: $(signSrcPath) 
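Review bot: The added `$vstsCommandString = "vso[task.setvariable variable=ob_sdl_sbom_packageversion]${moduleVersion}"` overwrites the `moduleVersion` command assigned on the line above before that command reaches `Write-Host "##$vstsCommandString"`, so `moduleVersion` is never set and only `ob_sdl_sbom_packageversion` is emitted. Emit each command before building the next, e.g. insert `Write-Host "##$vstsCommandString"` between the two assignments, or use a second variable name. Note also that `task.setvariable` without `isOutput=true` is scoped to the current job, so neither value reaches the separate `nupkg` job added later in this same patch. The pwsh step begins outside the hunk.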
@@ -126,51 +129,60 @@ extends: displayName: 'Sign the build output' inputs: command: 'sign' - cp_code: 'CP-231522' + signing_profile: 135020002 files_to_sign: '**/Pluralize*.dll;**/Newtonsoft*.dll' search_root: $(signSrcPath) - # - template: EsrpSign.yml@ComplianceRepo - # parameters: - # buildOutputPath: $(signSrcPath) - # signOutputPath: $(signOutStep1) - # certificateId: "CP-230012" - # useMinimatch: true - # pattern: | - # **\*.psd1 - # **\*.psm1 - # **\*.ps1xml - # **\Microsoft*.dll + - task: CopyFiles@2 + displayName: "Copy Files for 'publish build directory' publish task" + inputs: + SourceFolder: "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA" + Contents: '**' + TargetFolder: $(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT - # - template: EsrpSign.yml@ComplianceRepo - # parameters: - # buildOutputPath: $(signOutStep1) - # signOutputPath: $(signOutPath) - # certificateId: "CP-231522" - # useMinimatch: true - # pattern: | - # **/Pluralize*.dll - # **/Newtonsoft*.dll + - job: nupkg + displayName: Package Microsoft.PowerShell.ScriptAnalyzer + variables: + - name: ob_outputDirectory + value: '$(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT' + - name: repoRoot + value: $(Build.SourcesDirectory)\OSS_Microsoft_PSSA + - name: ob_sdl_tsa_configFile + value: $(Build.SourcesDirectory)\OSS_Microsoft_PSSA\.config\tsaoptions.json + - name: ob_sdl_sbom_enabled + value: false + - name: ob_sdl_codeql_compiled_enabled + value: false + pool: + type: windows + steps: + - checkout: self + - checkout: ComplianceRepo - - template: Sbom.yml@ComplianceRepo - parameters: - BuildDropPath: $(signOutPath) - Build_Repository_Uri: 'https://github.com/powershell/PSScriptAnalyzer' + - pwsh: | + if (-not (Test-Path $(repoRoot)/.config/tsaoptions.json)) { + Get-ChildItem $(Build.SourcesDirectory) -recurse -ErrorAction SilentlyContinue + throw "tsaoptions.json does not exist under $(Build.SourcesDirectory)/OSS_Microsoft_PSSA/.config" + } + displayName: Test if tsaoptions.json exists + 
- task: DownloadPipelineArtifact@2 + displayName: 'Download build files' + inputs: + targetPath: $(Build.SourcesDirectory)/artifacts/build + ## download - pwsh: | - Set-Location "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA" + Set-Location "$(Build.SourcesDirectory)/artifacts/" + dir -recurse * + displayName: Capture artifacts + + - pwsh: | + Set-Location "$(Build.SourcesDirectory)/artifacts/build" ./build -BuildNupkg -CopyManifest -signed displayName: Create nupkg for publishing - - task: CopyFiles@2 - displayName: "Copy Files for 'publish build directory' publish task" - inputs: - SourceFolder: "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA" - Contents: '**' - TargetFolder: $(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT/build - - task: CopyFiles@2 displayName: "Copy Files for 'Publish module nupkg' publish task" inputs: Contents: "$(signOutPath)/PSScriptAnalyzer.$(moduleVersion).nupkg" - TargetFolder: $(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT/nupkg + TargetFolder: $(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT From b9cdd49473a00604e5a3763b62e20f5fbc7c8c32 Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Wed, 13 Mar 2024 11:52:12 -0700 Subject: [PATCH 04/33] format changes --- .pipelines/OSS_Microsoft_PSSA-Official.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.pipelines/OSS_Microsoft_PSSA-Official.yml b/.pipelines/OSS_Microsoft_PSSA-Official.yml index 64a171aed..fb16f22b9 100644 --- a/.pipelines/OSS_Microsoft_PSSA-Official.yml +++ b/.pipelines/OSS_Microsoft_PSSA-Official.yml 
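Review bot: The new `nupkg` job copies `"$(signOutPath)/PSScriptAnalyzer.$(moduleVersion).nupkg"` and runs `./build -BuildNupkg -CopyManifest -signed`, but `signOutPath` and `moduleVersion` are only defined via `##vso[task.setvariable]` inside `jobbuild`; such variables are job-scoped, so in this job the macros stay unexpanded and the copy matches nothing. Define them here (a `variables:` entry for `signOutPath`, and a step that reads `ModuleVersion` from `Engine/PSScriptAnalyzer.psd1`), or publish them from `jobbuild` with `isOutput=true` on a named step and reference `$[ dependencies.jobbuild.outputs['<stepName>.moduleVersion'] ]`. The `DownloadPipelineArtifact@2` step also names no `artifact:`; with more than one job publishing drops it should be explicit, e.g. `artifact: drop_stagebuild_jobbuild`. Finally, `ob_sdl_sbom_enabled: false` on this job means the package it publishes gets no SBOM even though `globalSdl.sbom.enabled: true` was just turned on; if the nupkg is the release artifact, SBOM generation belongs on this job.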
@@ -9,12 +9,12 @@ pr: - master - release* variables: -- name: DOTNET_CLI_TELEMETRY_OPTOUT - value: 1 -- name: POWERSHELL_TELEMETRY_OPTOUT - value: 1 -- name: WindowsContainerImage - value: onebranch.azurecr.io/windows/ltsc2019/vse2022:latest + - name: DOTNET_CLI_TELEMETRY_OPTOUT + value: 1 + - name: POWERSHELL_TELEMETRY_OPTOUT + value: 1 + - name: WindowsContainerImage + value: onebranch.azurecr.io/windows/ltsc2019/vse2022:latest resources: repositories: - repository: ComplianceRepo From 83cc6906eae7ca5b7d2c235b7e1c64ec6f9776f5 Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Wed, 13 Mar 2024 12:17:53 -0700 Subject: [PATCH 05/33] Make packaging wait on build --- .pipelines/OSS_Microsoft_PSSA-Official.yml | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/.pipelines/OSS_Microsoft_PSSA-Official.yml b/.pipelines/OSS_Microsoft_PSSA-Official.yml index fb16f22b9..6a634da66 100644 --- a/.pipelines/OSS_Microsoft_PSSA-Official.yml +++ b/.pipelines/OSS_Microsoft_PSSA-Official.yml @@ -17,11 +17,6 @@ variables: value: onebranch.azurecr.io/windows/ltsc2019/vse2022:latest resources: repositories: - - repository: ComplianceRepo - type: github - endpoint: ComplianceGHRepo - name: PowerShell/compliance - ref: master - repository: onebranchTemplates type: git name: OneBranch.Pipelines/GovernedTemplates @@ -51,7 +46,7 @@ extends: stages: - stage: stagebuild - displayName: Build Files + displayName: Build and Package Microsoft.PowerShell.ScriptAnalyzer jobs: - job: jobbuild displayName: Build Microsoft.PowerShell.ScriptAnalyzer Files @@ -66,7 +61,6 @@ extends: type: windows steps: - checkout: self - - checkout: ComplianceRepo - pwsh: | if (-not (Test-Path $(repoRoot)/.config/tsaoptions.json)) { @@ -141,6 +135,7 @@ extends: TargetFolder: $(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT - job: nupkg + dependsOn: jobbuild displayName: Package Microsoft.PowerShell.ScriptAnalyzer variables: - name: ob_outputDirectory 
@@ -157,7 +152,6 @@ extends: type: windows steps: - checkout: self - - checkout: ComplianceRepo - pwsh: | if (-not (Test-Path $(repoRoot)/.config/tsaoptions.json)) { From ed91b82b79113007c8f9f5986235a82b9664ff46 Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Wed, 13 Mar 2024 12:39:02 -0700 Subject: [PATCH 06/33] clarify task display names --- .pipelines/OSS_Microsoft_PSSA-Official.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.pipelines/OSS_Microsoft_PSSA-Official.yml b/.pipelines/OSS_Microsoft_PSSA-Official.yml index 6a634da66..0fed5f9dc 100644 --- a/.pipelines/OSS_Microsoft_PSSA-Official.yml +++ b/.pipelines/OSS_Microsoft_PSSA-Official.yml @@ -112,7 +112,7 @@ extends: displayName: Setup variables for signing - task: onebranch.pipeline.signing@1 - displayName: 'Sign the build output' + displayName: Sign 1st party files inputs: command: 'sign' signing_profile: external_distribution @@ -120,7 +120,7 @@ extends: search_root: $(signSrcPath) - task: onebranch.pipeline.signing@1 - displayName: 'Sign the build output' + displayName: Sign 3rd Party files inputs: command: 'sign' signing_profile: 135020002 From 80473e29afe3c459eece945eae14230a1c70ce2f Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Wed, 13 Mar 2024 12:48:53 -0700 Subject: [PATCH 07/33] Make sure signing is setup --- .pipelines/OSS_Microsoft_PSSA-Official.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.pipelines/OSS_Microsoft_PSSA-Official.yml b/.pipelines/OSS_Microsoft_PSSA-Official.yml index 0fed5f9dc..71d7811e7 100644 --- a/.pipelines/OSS_Microsoft_PSSA-Official.yml +++ b/.pipelines/OSS_Microsoft_PSSA-Official.yml @@ -110,6 +110,9 @@ extends: Write-Host "sending $vstsCommandString" Write-Host "##$vstsCommandString" displayName: Setup variables for signing + # make sure signing is still setup + env: + ob_restore_phase: true - task: onebranch.pipeline.signing@1 displayName: Sign 1st party files From 18232e3db3b59ed169ca66172f95db21a24c7a0c Mon Sep 17 00:00:00 2001 
From: Travis Plunk Date: Wed, 13 Mar 2024 12:57:03 -0700 Subject: [PATCH 08/33] move other tasks to restore phase --- .pipelines/OSS_Microsoft_PSSA-Official.yml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/.pipelines/OSS_Microsoft_PSSA-Official.yml b/.pipelines/OSS_Microsoft_PSSA-Official.yml index 71d7811e7..70d488219 100644 --- a/.pipelines/OSS_Microsoft_PSSA-Official.yml +++ b/.pipelines/OSS_Microsoft_PSSA-Official.yml @@ -68,16 +68,17 @@ extends: throw "tsaoptions.json does not exist under $(Build.SourcesDirectory)/OSS_Microsoft_PSSA/.config" } displayName: Test if tsaoptions.json exists - - #- pwsh: | - # New-Item -ItemType Directory -Path $(Build.SourcesDirectory)/.config -Force -Verbose - # Copy-Item '$(Build.SourcesDirectory)/OSS_Microsoft_PSSA/.config/tsaoptions.json' '$(Build.SourcesDirectory)/.config/tsaoptions.json' -Force -Verbose - # displayName: Copy tsaoptions + # make sure this happens before signing setup + env: + ob_restore_phase: true - pwsh: | Set-Location "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA" try { ./build.ps1 -Configuration Release -All } catch { throw $_ } displayName: Execute build + # make sure this happens before signing setup + env: + ob_restore_phase: true - pwsh: | $signSrcPath = "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA/out" @@ -110,7 +111,7 @@ extends: Write-Host "sending $vstsCommandString" Write-Host "##$vstsCommandString" displayName: Setup variables for signing - # make sure signing is still setup + # make sure this happens before signing setup env: ob_restore_phase: true From a570c56f32ae98a293bb0cd2ee43a7cdcf414def Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Wed, 13 Mar 2024 12:58:09 -0700 Subject: [PATCH 09/33] move checkout to restore phase --- .pipelines/OSS_Microsoft_PSSA-Official.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.pipelines/OSS_Microsoft_PSSA-Official.yml b/.pipelines/OSS_Microsoft_PSSA-Official.yml index 70d488219..c5952b8c5 100644 
--- a/.pipelines/OSS_Microsoft_PSSA-Official.yml +++ b/.pipelines/OSS_Microsoft_PSSA-Official.yml @@ -61,6 +61,9 @@ extends: type: windows steps: - checkout: self + # make sure this happens before signing setup + env: + ob_restore_phase: true - pwsh: | if (-not (Test-Path $(repoRoot)/.config/tsaoptions.json)) { From 4331d7beda343b9cf636aad61e226e3b33c6ea0f Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Wed, 13 Mar 2024 13:38:22 -0700 Subject: [PATCH 10/33] update container --- .pipelines/OSS_Microsoft_PSSA-Official.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pipelines/OSS_Microsoft_PSSA-Official.yml b/.pipelines/OSS_Microsoft_PSSA-Official.yml index c5952b8c5..07091d53c 100644 --- a/.pipelines/OSS_Microsoft_PSSA-Official.yml +++ b/.pipelines/OSS_Microsoft_PSSA-Official.yml @@ -14,7 +14,7 @@ variables: - name: POWERSHELL_TELEMETRY_OPTOUT value: 1 - name: WindowsContainerImage - value: onebranch.azurecr.io/windows/ltsc2019/vse2022:latest + value: onebranch.azurecr.io/windows/ltsc2022/vse2022:latest resources: repositories: - repository: onebranchTemplates From 473498e9f20d2ad794e798b0ea045413e07d3257 Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Wed, 13 Mar 2024 13:39:17 -0700 Subject: [PATCH 11/33] move signing to it's own job --- .pipelines/OSS_Microsoft_PSSA-Official.yml | 87 +++++++++++++++------- 1 file changed, 59 insertions(+), 28 deletions(-) diff --git a/.pipelines/OSS_Microsoft_PSSA-Official.yml b/.pipelines/OSS_Microsoft_PSSA-Official.yml index 07091d53c..82c634259 100644 --- a/.pipelines/OSS_Microsoft_PSSA-Official.yml +++ b/.pipelines/OSS_Microsoft_PSSA-Official.yml 
@@ -55,47 +55,39 @@ extends: value: '$(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT' - name: repoRoot value: $(Build.SourcesDirectory)\OSS_Microsoft_PSSA + - name: ob_sdl_sbom_enabled + value: false - name: ob_sdl_tsa_configFile value: $(Build.SourcesDirectory)\OSS_Microsoft_PSSA\.config\tsaoptions.json + - name: signSrcPath + value: $(repoRoot)/out pool: type: windows steps: - checkout: self - # make sure this happens before signing setup - env: - ob_restore_phase: true - pwsh: | if (-not (Test-Path $(repoRoot)/.config/tsaoptions.json)) { Get-ChildItem $(Build.SourcesDirectory) -recurse -ErrorAction SilentlyContinue - throw "tsaoptions.json does not exist under $(Build.SourcesDirectory)/OSS_Microsoft_PSSA/.config" + throw "tsaoptions.json does not exist under $(repoRoot)/.config" } displayName: Test if tsaoptions.json exists - # make sure this happens before signing setup - env: - ob_restore_phase: true + # this is installing .NET - pwsh: | - Set-Location "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA" + Set-Location "$(repoRoot)" try { ./build.ps1 -Configuration Release -All } catch { throw $_ } displayName: Execute build - # make sure this happens before signing setup - env: - ob_restore_phase: true - pwsh: | - $signSrcPath = "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA/out" - # Set signing src path variable - $vstsCommandString = "vso[task.setvariable variable=signSrcPath]${signSrcPath}" - Write-Host "sending $vstsCommandString" - Write-Host "##$vstsCommandString" - $signOutStep1 = "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA/Step1" + $signSrcPath = $env:SIGNSRCPATH + $signOutStep1 = "$(repoRoot)/Step1" $null = New-Item -ItemType Directory -Path $signOutStep1 # Set signing out path variable $vstsCommandString = "vso[task.setvariable variable=signOutStep1]${signOutStep1}" Write-Host "sending $vstsCommandString" Write-Host "##$vstsCommandString" - $signOutPath = "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA/signed" + $signOutPath = "$(repoRoot)/signed" 
$null = New-Item -ItemType Directory -Path $signOutPath # Set signing out path variable $vstsCommandString = "vso[task.setvariable variable=signOutPath]${signOutPath}" @@ -106,7 +98,7 @@ extends: Write-Host "sending $vstsCommandString" Write-Host "##$vstsCommandString" # Get version and create a variable - $moduleData = Import-PowerShellDataFile "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA/Engine/PSScriptAnalyzer.psd1" + $moduleData = Import-PowerShellDataFile "$(repoRoot)/Engine/PSScriptAnalyzer.psd1" $moduleVersion = $moduleData.ModuleVersion $vstsCommandString = "vso[task.setvariable variable=moduleVersion]${moduleVersion}" $vstsCommandString = "vso[task.setvariable variable=ob_sdl_sbom_packageversion]${moduleVersion}" 
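Review bot: `$signSrcPath = $env:SIGNSRCPATH` is assigned at the top of the rewritten setup step but nothing in the hunk reads it — the `##vso[task.setvariable variable=signSrcPath]` that used to publish it is removed and the remaining paths are built from `$(repoRoot)` — so it is a dead local; delete the line, or if a line outside the hunk still uses it, add a comment saying which. The step body continues past the end of the hunk, so the remainder was not checked. The new `# this is installing .NET` comment sits above a step whose only visible command is `./build.ps1 -Configuration Release -All`; if the build script installs the SDK, say so (`# build.ps1 also installs the .NET SDK it needs`), otherwise the comment is misleading.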
@@ -114,9 +106,45 @@ extends: Write-Host "sending $vstsCommandString" Write-Host "##$vstsCommandString" displayName: Setup variables for signing - # make sure this happens before signing setup - env: - ob_restore_phase: true + + - task: CopyFiles@2 + displayName: "Copy Files for 'publish build directory' publish task" + inputs: + SourceFolder: "$(signSrcPath)" + Contents: '**' + TargetFolder: $(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT + + - job: jobsign + dependsOn: jobbuild + displayName: Sign Microsoft.PowerShell.ScriptAnalyzer Files + variables: + - name: ob_outputDirectory + value: '$(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT' + - name: repoRoot + value: $(Build.SourcesDirectory)\OSS_Microsoft_PSSA + - name: ob_sdl_tsa_configFile + value: $(Build.SourcesDirectory)\OSS_Microsoft_PSSA\.config\tsaoptions.json + - name: ob_sdl_sbom_enabled + value: true + - name: ob_sdl_codeql_compiled_enabled + value: false + - name: signSrcPath + value: $(repoRoot)/out + pool: + type: windows + steps: + - checkout: self + + - task: DownloadPipelineArtifact@2 + displayName: 'Download build files' + inputs: + targetPath: $(signSrcPath) + artifact: drop_stagebuild_jobbuild + + - pwsh: | + Set-Location "$(signSrcPath)" + dir -recurse * + displayName: Capture artifacts - task: onebranch.pipeline.signing@1 displayName: Sign 1st party files @@ -137,12 +165,12 @@ extends: - task: CopyFiles@2 displayName: "Copy Files for 'publish build directory' publish task" inputs: - SourceFolder: "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA" + SourceFolder: "$(signSrcPath)" Contents: '**' TargetFolder: $(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT - job: nupkg - dependsOn: jobbuild + dependsOn: jobsign displayName: Package Microsoft.PowerShell.ScriptAnalyzer variables: - name: ob_outputDirectory @@ -155,6 +183,8 @@ extends: value: false - name: ob_sdl_codeql_compiled_enabled value: false + - name: signSrcPath + value: $(repoRoot)/out pool: type: windows steps: 
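Review bot: The new `jobsign` job sets `ob_sdl_tsa_configFile` to the same `.config\tsaoptions.json` path as the other jobs but, unlike `jobbuild` and `nupkg`, never runs the `Test if tsaoptions.json exists` guard after `checkout: self`, so a missing file would surface only when the SDL tooling runs, with a less clear error; add the same pwsh guard step here. The same omission recurs when the job is reintroduced by the revert in PATCH 19/33. This job also feeds the downloaded, still-unsigned `drop_stagebuild_jobbuild` straight from `$(signSrcPath)` into the signing tasks with only a `dir -recurse *` listing in between; a one-line comment stating that the artifact is produced by `jobbuild` in the same run and is the sole input to the signing profile would make that trust boundary explicit for later readers.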
@@ -163,22 +193,23 @@ extends: - pwsh: | if (-not (Test-Path $(repoRoot)/.config/tsaoptions.json)) { Get-ChildItem $(Build.SourcesDirectory) -recurse -ErrorAction SilentlyContinue - throw "tsaoptions.json does not exist under $(Build.SourcesDirectory)/OSS_Microsoft_PSSA/.config" + throw "tsaoptions.json does not exist under $(repoRoot)/.config" } displayName: Test if tsaoptions.json exists - task: DownloadPipelineArtifact@2 displayName: 'Download build files' inputs: - targetPath: $(Build.SourcesDirectory)/artifacts/build + targetPath: $(signSrcPath) + artifact: drop_stagebuild_jobsign ## download - pwsh: | - Set-Location "$(Build.SourcesDirectory)/artifacts/" + Set-Location "$(signSrcPath)" dir -recurse * displayName: Capture artifacts - pwsh: | - Set-Location "$(Build.SourcesDirectory)/artifacts/build" + Set-Location "$(repoRoot)" ./build -BuildNupkg -CopyManifest -signed displayName: Create nupkg for publishing From 4330f123b7d455b5c395796b91f81c6f5926ed65 Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Wed, 13 Mar 2024 13:46:39 -0700 Subject: [PATCH 12/33] add flag required for newest container --- .pipelines/OSS_Microsoft_PSSA-Official.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.pipelines/OSS_Microsoft_PSSA-Official.yml b/.pipelines/OSS_Microsoft_PSSA-Official.yml index 82c634259..a0e709b92 100644 --- a/.pipelines/OSS_Microsoft_PSSA-Official.yml +++ b/.pipelines/OSS_Microsoft_PSSA-Official.yml @@ -24,6 +24,8 @@ resources: extends: template: v2/OneBranch.Official.CrossPlat.yml@onebranchTemplates parameters: + featureFlags: + WindowsHostVersion: '1ESWindows2022' customTags: 'ES365AIMigrationTooling' globalSdl: disableLegacyManifest: true From 1bdc12331318fa37bc6041ab9b4d7d222e72ee98 Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Wed, 13 Mar 2024 14:24:32 -0700 Subject: [PATCH 13/33] clarify copy files task displaynames --- .pipelines/OSS_Microsoft_PSSA-Official.yml | 59 ++++++---------------- 1 file changed, 15 insertions(+), 44 deletions(-) 
diff --git a/.pipelines/OSS_Microsoft_PSSA-Official.yml b/.pipelines/OSS_Microsoft_PSSA-Official.yml index a0e709b92..f0d740468 100644 --- a/.pipelines/OSS_Microsoft_PSSA-Official.yml +++ b/.pipelines/OSS_Microsoft_PSSA-Official.yml @@ -75,6 +75,16 @@ extends: } displayName: Test if tsaoptions.json exists + - task: UseDotNet@2 + displayName: 'Install .NET dependencies' + inputs: + packageType: 'sdk' + useGlobalJson: true + # this is to ensure that we are installing the dotnet at the same location as container by default install the dotnet sdks + # This prevents signing from breaking + installationPath: 'C:\Program Files\dotnet\' + workingDirectory: $(repoRoot) + # this is installing .NET - pwsh: | Set-Location "$(repoRoot)" @@ -109,45 +119,6 @@ extends: Write-Host "##$vstsCommandString" displayName: Setup variables for signing - - task: CopyFiles@2 - displayName: "Copy Files for 'publish build directory' publish task" - inputs: - SourceFolder: "$(signSrcPath)" - Contents: '**' - TargetFolder: $(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT - - - job: jobsign - dependsOn: jobbuild - displayName: Sign Microsoft.PowerShell.ScriptAnalyzer Files - variables: - - name: ob_outputDirectory - value: '$(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT' - - name: repoRoot - value: $(Build.SourcesDirectory)\OSS_Microsoft_PSSA - - name: ob_sdl_tsa_configFile - value: $(Build.SourcesDirectory)\OSS_Microsoft_PSSA\.config\tsaoptions.json - - name: ob_sdl_sbom_enabled - value: true - - name: ob_sdl_codeql_compiled_enabled - value: false - - name: signSrcPath - value: $(repoRoot)/out - pool: - type: windows - steps: - - checkout: self - - - task: DownloadPipelineArtifact@2 - displayName: 'Download build files' - inputs: - targetPath: $(signSrcPath) - artifact: drop_stagebuild_jobbuild - - - pwsh: | - Set-Location "$(signSrcPath)" - dir -recurse * - displayName: Capture artifacts - - task: onebranch.pipeline.signing@1 displayName: Sign 1st party files inputs: 
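Review bot: With `UseDotNet@2` now installing the SDK, the pre-existing `# this is installing .NET` comment directly beneath the new task and above `./build.ps1 -Configuration Release -All` reads as a contradiction; reword it to what that step does, e.g. `# build the module (SDK installed by UseDotNet@2 above)`, or drop it. The rationale on `installationPath` is also hard to parse; suggest `# Install into the container's default dotnet location so the signing tooling sees the same SDK` — the "prevents signing from breaking" claim comes from the commit itself and is worth keeping.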
@@ -165,14 +136,14 @@ extends: search_root: $(signSrcPath) - task: CopyFiles@2 - displayName: "Copy Files for 'publish build directory' publish task" + displayName: "Copy signed module files to ob_outputDirectory" inputs: SourceFolder: "$(signSrcPath)" Contents: '**' TargetFolder: $(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT - job: nupkg - dependsOn: jobsign + dependsOn: jobbuild displayName: Package Microsoft.PowerShell.ScriptAnalyzer variables: - name: ob_outputDirectory @@ -203,8 +174,8 @@ extends: displayName: 'Download build files' inputs: targetPath: $(signSrcPath) - artifact: drop_stagebuild_jobsign - ## download + artifact: drop_stagebuild_jobbuild + - pwsh: | Set-Location "$(signSrcPath)" dir -recurse * @@ -216,7 +187,7 @@ extends: displayName: Create nupkg for publishing - task: CopyFiles@2 - displayName: "Copy Files for 'Publish module nupkg' publish task" + displayName: "Copy Files nupkg to ob_outputDirectory" inputs: Contents: "$(signOutPath)/PSScriptAnalyzer.$(moduleVersion).nupkg" TargetFolder: $(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT From 3d2c9dd7de046979035795d58497260943439691 Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Wed, 13 Mar 2024 14:24:49 -0700 Subject: [PATCH 14/33] reuse existing variable --- .pipelines/OSS_Microsoft_PSSA-Official.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.pipelines/OSS_Microsoft_PSSA-Official.yml b/.pipelines/OSS_Microsoft_PSSA-Official.yml index f0d740468..1a55f640b 100644 --- a/.pipelines/OSS_Microsoft_PSSA-Official.yml +++ b/.pipelines/OSS_Microsoft_PSSA-Official.yml @@ -140,7 +140,7 @@ extends: inputs: SourceFolder: "$(signSrcPath)" Contents: '**' - TargetFolder: $(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT + TargetFolder: $(ob_outputDirectory) - job: nupkg dependsOn: jobbuild 
@@ -190,4 +190,4 @@ extends: displayName: "Copy Files nupkg to ob_outputDirectory" inputs: Contents: "$(signOutPath)/PSScriptAnalyzer.$(moduleVersion).nupkg" - TargetFolder: $(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT + TargetFolder: $(ob_outputDirectory) From a9cadb3f1fa4f755019594b6586b1f3522eece41 Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Wed, 13 Mar 2024 14:29:01 -0700 Subject: [PATCH 15/33] removed unneeded code --- .pipelines/OSS_Microsoft_PSSA-Official.yml | 28 ---------------------- 1 file changed, 28 deletions(-) diff --git a/.pipelines/OSS_Microsoft_PSSA-Official.yml b/.pipelines/OSS_Microsoft_PSSA-Official.yml index 1a55f640b..6e4b72b75 100644 --- a/.pipelines/OSS_Microsoft_PSSA-Official.yml +++ b/.pipelines/OSS_Microsoft_PSSA-Official.yml 
@@ -91,34 +91,6 @@ extends: try { ./build.ps1 -Configuration Release -All } catch { throw $_ } displayName: Execute build - - pwsh: | - $signSrcPath = $env:SIGNSRCPATH - $signOutStep1 = "$(repoRoot)/Step1" - $null = New-Item -ItemType Directory -Path $signOutStep1 - # Set signing out path variable - $vstsCommandString = "vso[task.setvariable variable=signOutStep1]${signOutStep1}" - Write-Host "sending $vstsCommandString" - Write-Host "##$vstsCommandString" - $signOutPath = "$(repoRoot)/signed" - $null = New-Item -ItemType Directory -Path $signOutPath - # Set signing out path variable - $vstsCommandString = "vso[task.setvariable variable=signOutPath]${signOutPath}" - Write-Host "sending $vstsCommandString" - Write-Host "##$vstsCommandString" - # Set path variable for guardian codesign validation - $vstsCommandString = "vso[task.setvariable variable=GDN_CODESIGN_TARGETDIRECTORY]${signOutPath}" - Write-Host "sending $vstsCommandString" - Write-Host "##$vstsCommandString" - # Get version and create a variable - $moduleData = Import-PowerShellDataFile "$(repoRoot)/Engine/PSScriptAnalyzer.psd1" - $moduleVersion = $moduleData.ModuleVersion - $vstsCommandString = "vso[task.setvariable variable=moduleVersion]${moduleVersion}" - $vstsCommandString = "vso[task.setvariable variable=ob_sdl_sbom_packageversion]${moduleVersion}" - - Write-Host "sending $vstsCommandString" - Write-Host "##$vstsCommandString" - displayName: Setup variables for signing - - task: onebranch.pipeline.signing@1 displayName: Sign 1st party files inputs: From dd9e7a62d51499a10604f1b42cb3bf7269772826 Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Wed, 13 Mar 2024 14:30:13 -0700 Subject: [PATCH 16/33] Use correct path is signing job --- .pipelines/OSS_Microsoft_PSSA-Official.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.pipelines/OSS_Microsoft_PSSA-Official.yml b/.pipelines/OSS_Microsoft_PSSA-Official.yml index 6e4b72b75..979f05181 100644 
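Review bot: Deleting the `Setup variables for signing` step removes the only definitions of `moduleVersion`, `signOutPath`, `signOutStep1` and `GDN_CODESIGN_TARGETDIRECTORY` in `jobbuild`, while `$(moduleVersion)` is still referenced by the nupkg copy (`Contents: "$(signOutPath)/PSScriptAnalyzer.$(moduleVersion).nupkg"`) later in the file. Because those values were set with job-scoped `task.setvariable` they never reached the `nupkg` job anyway, so the removal is safe for `jobbuild` but leaves `nupkg` without a version; read it there in a step before the copy, e.g. `$moduleVersion = (Import-PowerShellDataFile "$(repoRoot)/Engine/PSScriptAnalyzer.psd1").ModuleVersion` followed by `Write-Host "##vso[task.setvariable variable=moduleVersion]$moduleVersion"`. The `GDN_CODESIGN_TARGETDIRECTORY` setting also disappears; confirm the OneBranch code-sign validation still targets the signed output after this change.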
--- a/.pipelines/OSS_Microsoft_PSSA-Official.yml +++ b/.pipelines/OSS_Microsoft_PSSA-Official.yml @@ -128,8 +128,8 @@ extends: value: false - name: ob_sdl_codeql_compiled_enabled value: false - - name: signSrcPath - value: $(repoRoot)/out + - name: signOutPath + value: $(repoRoot)/signed pool: type: windows steps: @@ -145,11 +145,11 @@ extends: - task: DownloadPipelineArtifact@2 displayName: 'Download build files' inputs: - targetPath: $(signSrcPath) + targetPath: $(signOutPath) artifact: drop_stagebuild_jobbuild - pwsh: | - Set-Location "$(signSrcPath)" + Set-Location "$(signOutPath)" dir -recurse * displayName: Capture artifacts From 5062efd3dc3618fcffee83207148dff833c233fd Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Wed, 13 Mar 2024 14:30:32 -0700 Subject: [PATCH 17/33] sign the nupkg --- .pipelines/OSS_Microsoft_PSSA-Official.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.pipelines/OSS_Microsoft_PSSA-Official.yml b/.pipelines/OSS_Microsoft_PSSA-Official.yml index 979f05181..ef4af93b6 100644 --- a/.pipelines/OSS_Microsoft_PSSA-Official.yml +++ b/.pipelines/OSS_Microsoft_PSSA-Official.yml @@ -158,6 +158,14 @@ extends: ./build -BuildNupkg -CopyManifest -signed displayName: Create nupkg for publishing + - task: onebranch.pipeline.signing@1 + displayName: Sign nupkg + inputs: + command: 'sign' + signing_profile: external_distribution + files_to_sign: '**\*.nupkg' + search_root: $(signOutPath) + - task: CopyFiles@2 displayName: "Copy Files nupkg to ob_outputDirectory" inputs: From 1465ca966ab549642a74e860e6bfbe49bdfb443b Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Wed, 13 Mar 2024 14:31:20 -0700 Subject: [PATCH 18/33] fix syntax --- .pipelines/OSS_Microsoft_PSSA-Official.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pipelines/OSS_Microsoft_PSSA-Official.yml b/.pipelines/OSS_Microsoft_PSSA-Official.yml index ef4af93b6..39917d057 100644 --- a/.pipelines/OSS_Microsoft_PSSA-Official.yml 
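Review bot: The new `Sign nupkg` task signs whatever matches `**\*.nupkg` under `$(signOutPath)`, and nothing between `./build -BuildNupkg -CopyManifest -signed` (run from `$(repoRoot)`) and this task confirms the package was actually written there; if the build writes elsewhere or produces nothing, a zero-match glob would let the job proceed to the copy step with an unsigned or missing package. Add a guard before the signing task: `- pwsh: if (-not (Get-ChildItem "$(signOutPath)" -Filter '*.nupkg' -Recurse)) { throw "no nupkg found under $(signOutPath)" }` with `displayName: Verify nupkg exists`. Whether the signing task itself fails on zero matches cannot be told from the page, so the guard is cheap insurance either way.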
+++ b/.pipelines/OSS_Microsoft_PSSA-Official.yml @@ -77,7 +77,7 @@ extends: - task: UseDotNet@2 displayName: 'Install .NET dependencies' - inputs: + inputs: packageType: 'sdk' useGlobalJson: true # this is to ensure that we are installing the dotnet at the same location as container by default install the dotnet sdks From fa48f5d7066894fa4888eb53fc19e474907db41b Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Wed, 13 Mar 2024 14:43:15 -0700 Subject: [PATCH 19/33] Revert "clarify copy files task displaynames" This reverts commit 1bdc12331318fa37bc6041ab9b4d7d222e72ee98. --- .pipelines/OSS_Microsoft_PSSA-Official.yml | 45 ++++++++++++++++++++-- 1 file changed, 42 insertions(+), 3 deletions(-) diff --git a/.pipelines/OSS_Microsoft_PSSA-Official.yml b/.pipelines/OSS_Microsoft_PSSA-Official.yml index 39917d057..cc3102395 100644 --- a/.pipelines/OSS_Microsoft_PSSA-Official.yml +++ b/.pipelines/OSS_Microsoft_PSSA-Official.yml 
@@ -91,6 +91,45 @@ extends: try { ./build.ps1 -Configuration Release -All } catch { throw $_ } displayName: Execute build + - task: CopyFiles@2 + displayName: "Copy Files for 'publish build directory' publish task" + inputs: + SourceFolder: "$(signSrcPath)" + Contents: '**' + TargetFolder: $(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT + + - job: jobsign + dependsOn: jobbuild + displayName: Sign Microsoft.PowerShell.ScriptAnalyzer Files + variables: + - name: ob_outputDirectory + value: '$(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT' + - name: repoRoot + value: $(Build.SourcesDirectory)\OSS_Microsoft_PSSA + - name: ob_sdl_tsa_configFile + value: $(Build.SourcesDirectory)\OSS_Microsoft_PSSA\.config\tsaoptions.json + - name: ob_sdl_sbom_enabled + value: true + - name: ob_sdl_codeql_compiled_enabled + value: false + - name: signSrcPath + value: $(repoRoot)/out + pool: + type: windows + steps: + - checkout: self + + - task: DownloadPipelineArtifact@2 + displayName: 'Download build files' + inputs: + targetPath: $(signSrcPath) + artifact: drop_stagebuild_jobbuild + + - pwsh: | + Set-Location "$(signSrcPath)" + dir -recurse * + displayName: Capture artifacts + - task: onebranch.pipeline.signing@1 displayName: Sign 1st party files inputs: @@ -108,14 +147,14 @@ extends: search_root: $(signSrcPath) - task: CopyFiles@2 - displayName: "Copy signed module files to ob_outputDirectory" + displayName: "Copy Files for 'publish build directory' publish task" inputs: SourceFolder: "$(signSrcPath)" Contents: '**' TargetFolder: $(ob_outputDirectory) - job: nupkg - dependsOn: jobbuild + dependsOn: jobsign displayName: Package Microsoft.PowerShell.ScriptAnalyzer variables: - name: ob_outputDirectory 
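Review bot: The new `jobsign` job copies the entire downloaded tree back out with `Contents: '**'`, so every file under `$(signSrcPath)` that the two signing globs do not match is published unsigned next to the signed ones; that is acceptable only because this job leaves OneBranch code-sign validation enabled, which deserves a comment on the CopyFiles step such as `# Everything under signSrcPath is published; code-sign validation must stay enabled on this job to catch unsigned leftovers`. The CopyFiles added to `jobbuild` at the top of the hunk hard-codes `TargetFolder: $(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT` although that value is already declared as `ob_outputDirectory`; write `TargetFolder: $(ob_outputDirectory)` as the sign job does, so the two jobs cannot drift apart. Be aware that `drop_stagebuild_jobbuild` is now an unsigned drop of the whole build output; a comment on the `DownloadPipelineArtifact@2` step stating that it is unsigned input, not a release artifact, would prevent it being consumed elsewhere by mistake.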
@@ -167,7 +206,7 @@ extends: search_root: $(signOutPath) - task: CopyFiles@2 - displayName: "Copy Files nupkg to ob_outputDirectory" + displayName: "Copy Files for 'Publish module nupkg' publish task" inputs: Contents: "$(signOutPath)/PSScriptAnalyzer.$(moduleVersion).nupkg" TargetFolder: $(ob_outputDirectory) From 9c1cfad4ae8443da588545a24d808ae382b7bf7a Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Wed, 13 Mar 2024 14:55:23 -0700 Subject: [PATCH 20/33] Disable code sign validation on first job --- .pipelines/OSS_Microsoft_PSSA-Official.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.pipelines/OSS_Microsoft_PSSA-Official.yml b/.pipelines/OSS_Microsoft_PSSA-Official.yml index cc3102395..72ee9f10c 100644 --- a/.pipelines/OSS_Microsoft_PSSA-Official.yml +++ b/.pipelines/OSS_Microsoft_PSSA-Official.yml @@ -57,12 +57,15 @@ extends: value: '$(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT' - name: repoRoot value: $(Build.SourcesDirectory)\OSS_Microsoft_PSSA - - name: ob_sdl_sbom_enabled - value: false - name: ob_sdl_tsa_configFile value: $(Build.SourcesDirectory)\OSS_Microsoft_PSSA\.config\tsaoptions.json - name: signSrcPath value: $(repoRoot)/out + # the next job signs, so skip sbom generation, and signing validation + - name: ob_sdl_codeSignValidation_excludes + value: -|**\* + - name: ob_sdl_sbom_enabled + value: false pool: type: windows steps: From d5d03f067df5f11b9af5634a4b26f7dc2a499978 Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Wed, 13 Mar 2024 14:57:22 -0700 Subject: [PATCH 21/33] search for where OBP put dotnet.exe --- .pipelines/OSS_Microsoft_PSSA-Official.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.pipelines/OSS_Microsoft_PSSA-Official.yml b/.pipelines/OSS_Microsoft_PSSA-Official.yml index 72ee9f10c..e57832d0f 100644 --- a/.pipelines/OSS_Microsoft_PSSA-Official.yml +++ b/.pipelines/OSS_Microsoft_PSSA-Official.yml 
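Review bot: `ob_sdl_codeSignValidation_excludes: -|**\*` turns off OneBranch code-sign validation for every file this job emits, and the job also publishes its unsigned `out` tree as a pipeline artifact for the separate signing job set up in the previous commit; the exclusion is only safe while that signing job is the sole consumer of the artifact, and it must be reverted the moment signing moves back into this job. Make the coupling explicit in the comment, e.g. `# Output of this job is UNSIGNED and is consumed only by jobsign; code-sign validation and SBOM are disabled here for that reason and must be re-enabled if signing returns to this job`. The pattern parses as a plain scalar today, but quoting it as `'-|**\*'` guards against tooling that treats a leading `-` or `*` specially.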
@@ -71,6 +71,10 @@ extends: steps: - checkout: self + - pwsh: | + dir C:\dotnet.exe -recurse -erroraction:silentlycontinue + displayName: Search for dotnet.exet + - pwsh: | if (-not (Test-Path $(repoRoot)/.config/tsaoptions.json)) { Get-ChildItem $(Build.SourcesDirectory) -recurse -ErrorAction SilentlyContinue From f3ef9e7614ee316809a3bbac93cc032bdaf2eb83 Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Wed, 13 Mar 2024 14:59:36 -0700 Subject: [PATCH 22/33] Move SDK search to it's own job --- .pipelines/OSS_Microsoft_PSSA-Official.yml | 25 ++++++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-) diff --git a/.pipelines/OSS_Microsoft_PSSA-Official.yml b/.pipelines/OSS_Microsoft_PSSA-Official.yml index e57832d0f..7955a356f 100644 --- a/.pipelines/OSS_Microsoft_PSSA-Official.yml +++ b/.pipelines/OSS_Microsoft_PSSA-Official.yml @@ -50,8 +50,8 @@ extends: - stage: stagebuild displayName: Build and Package Microsoft.PowerShell.ScriptAnalyzer jobs: - - job: jobbuild - displayName: Build Microsoft.PowerShell.ScriptAnalyzer Files + - job: sdksearch + displayName: SDK search variables: - name: ob_outputDirectory value: '$(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT' 
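Review bot: `dir C:\dotnet.exe -recurse -erroraction:silentlycontinue` does not search the drive: Get-ChildItem treats `C:\dotnet.exe` as the path to enumerate, returns that single entry if it exists and nothing otherwise, and the silenced error hides the miss, so the step reports nothing useful. If the diagnostic is meant to locate the SDK, use `Get-ChildItem C:\ -Recurse -File -Filter dotnet.exe -ErrorAction SilentlyContinue` or simply `Get-Command dotnet -All | Select-Object Source`, and fix the displayName typo `dotnet.exet`. Since this is a throw-away diagnostic, it is worth keeping out of the official signing pipeline rather than merging it.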
@@ -75,6 +75,27 @@ extends: dir C:\dotnet.exe -recurse -erroraction:silentlycontinue displayName: Search for dotnet.exet + - job: jobbuild + displayName: Build Microsoft.PowerShell.ScriptAnalyzer Files + variables: + - name: ob_outputDirectory + value: '$(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT' + - name: repoRoot + value: $(Build.SourcesDirectory)\OSS_Microsoft_PSSA + - name: ob_sdl_tsa_configFile + value: $(Build.SourcesDirectory)\OSS_Microsoft_PSSA\.config\tsaoptions.json + - name: signSrcPath + value: $(repoRoot)/out + # the next job signs, so skip sbom generation, and signing validation + - name: ob_sdl_codeSignValidation_excludes + value: -|**\* + - name: ob_sdl_sbom_enabled + value: false + pool: + type: windows + steps: + - checkout: self + - pwsh: | if (-not (Test-Path $(repoRoot)/.config/tsaoptions.json)) { Get-ChildItem $(Build.SourcesDirectory) -recurse -ErrorAction SilentlyContinue From ac44341cf50ec2049180e11717fc5b18fc4c6161 Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Wed, 13 Mar 2024 15:36:51 -0700 Subject: [PATCH 23/33] delete SDK search --- .pipelines/OSS_Microsoft_PSSA-Official.yml | 25 ---------------------- 1 file changed, 25 deletions(-) diff --git a/.pipelines/OSS_Microsoft_PSSA-Official.yml b/.pipelines/OSS_Microsoft_PSSA-Official.yml index 7955a356f..72ee9f10c 100644 --- a/.pipelines/OSS_Microsoft_PSSA-Official.yml +++ b/.pipelines/OSS_Microsoft_PSSA-Official.yml 
@@ -50,31 +50,6 @@ extends: - stage: stagebuild displayName: Build and Package Microsoft.PowerShell.ScriptAnalyzer jobs: - - job: sdksearch - displayName: SDK search - variables: - - name: ob_outputDirectory - value: '$(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT' - - name: repoRoot - value: $(Build.SourcesDirectory)\OSS_Microsoft_PSSA - - name: ob_sdl_tsa_configFile - value: $(Build.SourcesDirectory)\OSS_Microsoft_PSSA\.config\tsaoptions.json - - name: signSrcPath - value: $(repoRoot)/out - # the next job signs, so skip sbom generation, and signing validation - - name: ob_sdl_codeSignValidation_excludes - value: -|**\* - - name: ob_sdl_sbom_enabled - value: false - pool: - type: windows - steps: - - checkout: self - - - pwsh: | - dir C:\dotnet.exe -recurse -erroraction:silentlycontinue - displayName: Search for dotnet.exet - - job: jobbuild displayName: Build Microsoft.PowerShell.ScriptAnalyzer Files variables: From 440ceb645020ec06ad2c5c4420d28cbd4e16f354 Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Wed, 13 Mar 2024 15:37:12 -0700 Subject: [PATCH 24/33] make nupkg signing a todo --- .pipelines/OSS_Microsoft_PSSA-Official.yml | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/.pipelines/OSS_Microsoft_PSSA-Official.yml b/.pipelines/OSS_Microsoft_PSSA-Official.yml index 72ee9f10c..51e51be57 100644 --- a/.pipelines/OSS_Microsoft_PSSA-Official.yml +++ b/.pipelines/OSS_Microsoft_PSSA-Official.yml 
@@ -200,13 +200,16 @@ extends: ./build -BuildNupkg -CopyManifest -signed displayName: Create nupkg for publishing - - task: onebranch.pipeline.signing@1 - displayName: Sign nupkg - inputs: - command: 'sign' - signing_profile: external_distribution - files_to_sign: '**\*.nupkg' - search_root: $(signOutPath) + # same problem as build, the previous step breaks signing + # this is not required at this point. + # So, we'll leave this for future work. + # - task: onebranch.pipeline.signing@1 + # displayName: Sign nupkg + # inputs: + # command: 'sign' + # signing_profile: external_distribution + # files_to_sign: '**\*.nupkg' + # search_root: $(signOutPath) - task: CopyFiles@2 displayName: "Copy Files for 'Publish module nupkg' publish task" From 9c65c5b48c8812c5f6f42828b69fbfa025a4626e Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Wed, 13 Mar 2024 16:11:56 -0700 Subject: [PATCH 25/33] fix nupkg publishing --- .pipelines/OSS_Microsoft_PSSA-Official.yml | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/.pipelines/OSS_Microsoft_PSSA-Official.yml b/.pipelines/OSS_Microsoft_PSSA-Official.yml index 51e51be57..1c5e54132 100644 --- a/.pipelines/OSS_Microsoft_PSSA-Official.yml +++ b/.pipelines/OSS_Microsoft_PSSA-Official.yml @@ -130,8 +130,8 @@ extends: - pwsh: | Set-Location "$(signSrcPath)" - dir -recurse * - displayName: Capture artifacts + dir -dir -recurse * + displayName: Capture artifacts structure - task: onebranch.pipeline.signing@1 displayName: Sign 1st party files @@ -150,7 +150,7 @@ extends: search_root: $(signSrcPath) - task: CopyFiles@2 - displayName: "Copy Files for 'publish build directory' publish task" + displayName: "Copy signed files to ob_outputDirectory" inputs: SourceFolder: "$(signSrcPath)" Contents: '**' 
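Review bot: Commenting out `Sign nupkg` means the package copied to `$(ob_outputDirectory)` by the following CopyFiles step is published unsigned, and nothing in this hunk disables code-sign validation for the nupkg job or marks the output as not releasable, so either validation fails or an unsigned package reaches the publish stage. If signing has to wait, gate the copy step instead of shipping silently, and replace the vague `# same problem as build, the previous step breaks signing` with a tracked statement of the risk, e.g. `# TODO(<work item>): nupkg signing disabled because the signing task fails after the build step; the published package is UNSIGNED and must not be released until this is restored`.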
@@ -192,8 +192,8 @@ extends: - pwsh: | Set-Location "$(signOutPath)" - dir -recurse * - displayName: Capture artifacts + dir -dir -recurse * + displayName: Capture artifacts structure - pwsh: | Set-Location "$(repoRoot)" @@ -211,8 +211,13 @@ extends: # files_to_sign: '**\*.nupkg' # search_root: $(signOutPath) + - pwsh: | + Set-Location "$(repoRoot)" + dir -file -recurse *.nupkg + displayName: Find Nupkg + - task: CopyFiles@2 - displayName: "Copy Files for 'Publish module nupkg' publish task" + displayName: "Copy nupkg to ob_outputDirectory" inputs: - Contents: "$(signOutPath)/PSScriptAnalyzer.$(moduleVersion).nupkg" + Contents: "$(repoRoot)/**/PSScriptAnalyzer.*.nupkg" TargetFolder: $(ob_outputDirectory) From 663f093aac4f1ea740f8f7d52298a1fb07847bf4 Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Wed, 13 Mar 2024 16:19:55 -0700 Subject: [PATCH 26/33] try disabling codeql to get signing working per docs --- .pipelines/OSS_Microsoft_PSSA-Official.yml | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/.pipelines/OSS_Microsoft_PSSA-Official.yml b/.pipelines/OSS_Microsoft_PSSA-Official.yml index 1c5e54132..0b3504c5b 100644 --- a/.pipelines/OSS_Microsoft_PSSA-Official.yml +++ b/.pipelines/OSS_Microsoft_PSSA-Official.yml @@ -172,6 +172,11 @@ extends: value: false - name: signOutPath value: $(repoRoot)/signed + - name: ob_signing_setup_enabled + value: true + - name: ob_codeql_compiled_enabled + value: false + pool: type: windows steps: 
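Review bot: Widening the copy to `Contents: "$(repoRoot)/**/PSScriptAnalyzer.*.nupkg"` publishes every matching package anywhere under the checkout, including any stale copy a previous build left behind, and the wildcard over the version means the published artifact is no longer pinned to `$(moduleVersion)`; note the nupkg signing task directly above is still commented out in this commit, so whatever matches goes out unsigned. Prefer the exact path that the new `Find Nupkg` step reveals once known, or keep the version in the pattern and fail when the match count is not exactly one, e.g. `$pkgs = Get-ChildItem "$(repoRoot)" -Recurse -Filter "PSScriptAnalyzer.$(moduleVersion).nupkg"; if ($pkgs.Count -ne 1) { throw "expected exactly one nupkg, found $($pkgs.Count)" }`.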
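Review bot: The added `ob_codeql_compiled_enabled: false` does not match the `ob_sdl_codeql_compiled_enabled` name the same job already sets two lines above it (visible as context), so the new line most likely sets a variable the template never reads and CodeQL is not disabled by it. I cannot see the OneBranch variable schema from here, so confirm which spelling the template honours, then keep that one and drop the other rather than carrying both; a short comment such as `# Disable CodeQL on this job: it compiles nothing` on the surviving line would make the intent clear.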
@@ -203,13 +208,13 @@ extends: # same problem as build, the previous step breaks signing # this is not required at this point. # So, we'll leave this for future work. - # - task: onebranch.pipeline.signing@1 - # displayName: Sign nupkg - # inputs: - # command: 'sign' - # signing_profile: external_distribution - # files_to_sign: '**\*.nupkg' - # search_root: $(signOutPath) + - task: onebranch.pipeline.signing@1 + displayName: Sign nupkg + inputs: + command: 'sign' + signing_profile: external_distribution + files_to_sign: '**\*.nupkg' + search_root: $(signOutPath) - pwsh: | Set-Location "$(repoRoot)" From 1ed8039355f0e2d97ffad4d2b584c70d591428a2 Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Wed, 13 Mar 2024 16:21:46 -0700 Subject: [PATCH 27/33] don't setup signing where not needed --- .pipelines/OSS_Microsoft_PSSA-Official.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.pipelines/OSS_Microsoft_PSSA-Official.yml b/.pipelines/OSS_Microsoft_PSSA-Official.yml index 0b3504c5b..2ec89734a 100644 --- a/.pipelines/OSS_Microsoft_PSSA-Official.yml +++ b/.pipelines/OSS_Microsoft_PSSA-Official.yml @@ -66,6 +66,9 @@ extends: value: -|**\* - name: ob_sdl_sbom_enabled value: false + - name: ob_signing_setup_enabled + value: false + pool: type: windows steps: From a03237d8e041e3c1886df878f26ae0b6894ccaeb Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Wed, 13 Mar 2024 17:33:25 -0700 Subject: [PATCH 28/33] combine sign and build job --- .pipelines/OSS_Microsoft_PSSA-Official.yml | 62 ++++++++-------------- 1 file changed, 23 insertions(+), 39 deletions(-) diff --git a/.pipelines/OSS_Microsoft_PSSA-Official.yml b/.pipelines/OSS_Microsoft_PSSA-Official.yml index 2ec89734a..a89be866e 100644 --- a/.pipelines/OSS_Microsoft_PSSA-Official.yml +++ b/.pipelines/OSS_Microsoft_PSSA-Official.yml 
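Review bot: The task is re-enabled but the three comment lines kept as context above it (`# same problem as build, the previous step breaks signing` … `# So, we'll leave this for future work.`) now describe a step that runs; delete them or replace them with `# Signs the nupkg produced by the previous step; requires ob_signing_setup_enabled on this job`. The step still globs `**\*.nupkg` under `$(signOutPath)` while the copy step added to this job in the previous commit searches `$(repoRoot)/**`, so the two can disagree on which package is signed versus published; point both at one location and fail on an empty match.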
@@ -67,12 +67,16 @@ extends: - name: ob_sdl_sbom_enabled value: false - name: ob_signing_setup_enabled + value: true + - name: ob_codeql_compiled_enabled value: false pool: type: windows steps: - checkout: self + env: + ob_restore_phase: true # Set ob_restore_phase to run this step before '🔒 Setup Signing' step. - pwsh: | if (-not (Test-Path $(repoRoot)/.config/tsaoptions.json)) { @@ -80,9 +84,13 @@ extends: throw "tsaoptions.json does not exist under $(repoRoot)/.config" } displayName: Test if tsaoptions.json exists + env: + ob_restore_phase: true # Set ob_restore_phase to run this step before '🔒 Setup Signing' step. - task: UseDotNet@2 displayName: 'Install .NET dependencies' + env: + ob_restore_phase: true # Set ob_restore_phase to run this step before '🔒 Setup Signing' step. inputs: packageType: 'sdk' useGlobalJson: true 
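Review bot: This job now provisions signing (`ob_signing_setup_enabled: true`) and, per the rest of the patch, signs its own output, yet it keeps `ob_sdl_sbom_enabled: false` (context here) and, as far as this hunk shows, the job-wide `ob_sdl_codeSignValidation_excludes: -|**\*` introduced earlier in the series for the handoff to a separate sign job; with that job removed these suppressions now apply to the job that produces the release artifacts and should be reverted in the same commit. The new `ob_codeql_compiled_enabled: false` again differs from the `ob_sdl_codeql_compiled_enabled` spelling used elsewhere in this file; confirm which the template reads. The repeated `ob_restore_phase: true` env entries would read better with one header comment on the job, e.g. `# Steps marked ob_restore_phase run before '🔒 Setup Signing'; nothing in that phase can sign`.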
@@ -91,50 +99,26 @@ extends: installationPath: 'C:\Program Files\dotnet\' workingDirectory: $(repoRoot) + - task: CodeQL3000Init@0 # Add CodeQL Init task right before your 'Build' step. + env: + ob_restore_phase: true # Set ob_restore_phase to run this step before '🔒 Setup Signing' step. + inputs: + Enabled: true + AnalyzeInPipeline: true + Language: csharp + # this is installing .NET - pwsh: | Set-Location "$(repoRoot)" try { ./build.ps1 -Configuration Release -All } catch { throw $_ } displayName: Execute build + env: + ob_restore_phase: true # Set ob_restore_phase to run this step before '🔒 Setup Signing' step. - - task: CopyFiles@2 - displayName: "Copy Files for 'publish build directory' publish task" - inputs: - SourceFolder: "$(signSrcPath)" - Contents: '**' - TargetFolder: $(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT - - - job: jobsign - dependsOn: jobbuild - displayName: Sign Microsoft.PowerShell.ScriptAnalyzer Files - variables: - - name: ob_outputDirectory - value: '$(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT' - - name: repoRoot - value: $(Build.SourcesDirectory)\OSS_Microsoft_PSSA - - name: ob_sdl_tsa_configFile - value: $(Build.SourcesDirectory)\OSS_Microsoft_PSSA\.config\tsaoptions.json - - name: ob_sdl_sbom_enabled - value: true - - name: ob_sdl_codeql_compiled_enabled - value: false - - name: signSrcPath - value: $(repoRoot)/out - pool: - type: windows - steps: - - checkout: self - - - task: DownloadPipelineArtifact@2 - displayName: 'Download build files' - inputs: - targetPath: $(signSrcPath) - artifact: drop_stagebuild_jobbuild - - - pwsh: | - Set-Location "$(signSrcPath)" - dir -dir -recurse * - displayName: Capture artifacts structure + - task: CodeQL3000Finalize@0 # Add CodeQL Finalize task right after your 'Build' step. + condition: always() + env: + ob_restore_phase: true # Set ob_restore_phase to run this step before '🔒 Setup Signing' step. - task: onebranch.pipeline.signing@1 displayName: Sign 1st party files 
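Review bot: The `# this is installing .NET` comment is left above the `Execute build` step and no longer describes it; replace it with `# Build runs in the restore phase (before signing setup); its output under $(signSrcPath) is signed by the steps that follow`. `CodeQL3000Init@0` hard-codes `Enabled: true` and `Language: csharp` while the job separately sets `ob_codeql_compiled_enabled: false`; a comment tying the manual tasks to that variable (`# manual CodeQL because the built-in compiled scan is disabled on this job`) keeps the two from drifting. `CodeQL3000Finalize@0` carries `condition: always()`, so a failed build still finalises; presumably intended, but worth confirming rather than inheriting from the docs template.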
@@ -160,7 +144,7 @@ extends: TargetFolder: $(ob_outputDirectory) - job: nupkg - dependsOn: jobsign + dependsOn: jobbuild displayName: Package Microsoft.PowerShell.ScriptAnalyzer variables: - name: ob_outputDirectory From 504c5dfb725df487cfb1a46e318ff53743658734 Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Wed, 13 Mar 2024 18:04:19 -0700 Subject: [PATCH 29/33] set version for SBOM --- .pipelines/OSS_Microsoft_PSSA-Official.yml | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/.pipelines/OSS_Microsoft_PSSA-Official.yml b/.pipelines/OSS_Microsoft_PSSA-Official.yml index a89be866e..1bdf2ddea 100644 --- a/.pipelines/OSS_Microsoft_PSSA-Official.yml +++ b/.pipelines/OSS_Microsoft_PSSA-Official.yml @@ -61,13 +61,11 @@ extends: value: $(Build.SourcesDirectory)\OSS_Microsoft_PSSA\.config\tsaoptions.json - name: signSrcPath value: $(repoRoot)/out - # the next job signs, so skip sbom generation, and signing validation - - name: ob_sdl_codeSignValidation_excludes - value: -|**\* - name: ob_sdl_sbom_enabled - value: false + value: true - name: ob_signing_setup_enabled value: true + #CodeQL tasks added manually to workaround signing failures - name: ob_codeql_compiled_enabled value: false @@ -143,6 +141,15 @@ extends: Contents: '**' TargetFolder: $(ob_outputDirectory) + - pwsh: | + $moduleData = Import-PowerShellDataFile "$(repoRoot)/Engine/PSScriptAnalyzer.psd1" + $moduleVersion = $moduleData.ModuleVersion + $vstsCommandString = "vso[task.setvariable variable=ob_sdl_sbom_packageversion]${moduleVersion}" + + Write-Host "sending $vstsCommandString" + Write-Host "##$vstsCommandString" + displayName: Setup SBOM Package Version + - job: nupkg dependsOn: jobbuild displayName: Package Microsoft.PowerShell.ScriptAnalyzer From dd8c1362d154c69229d5263c14159a0fceb67c4c Mon Sep 17 00:00:00 2001 
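Review bot: The new comment `#CodeQL tasks added manually to workaround signing failures` is missing the space after `#` that the rest of the file uses, and it should name the failing interaction so the workaround can be retired, e.g. `# CodeQL tasks are added manually (see CodeQL3000Init/Finalize below) because the built-in compiled scan broke signing on this job`. Removing the job-wide code-sign validation exclude and re-enabling SBOM here is the right change now that this job signs its own output.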
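Review bot: `Setup SBOM Package Version` reads `ModuleVersion` from the source `Engine/PSScriptAnalyzer.psd1` and emits it unconditionally, so a missing key or a parse problem sets `ob_sdl_sbom_packageversion` to an empty string and the SBOM is produced with a blank version instead of failing the job. Add `if (-not $moduleVersion) { throw "ModuleVersion not found in Engine/PSScriptAnalyzer.psd1" }` before the `vso[task.setvariable …]` line, and consider reading the manifest from the signed output under `$(signSrcPath)` so the SBOM version is taken from exactly what ships. `Import-PowerShellDataFile` is the right call here since it evaluates the data file without executing code.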
From: Travis Plunk Date: Wed, 13 Mar 2024 18:29:40 -0700 Subject: [PATCH 30/33] make comments more accurate --- .pipelines/OSS_Microsoft_PSSA-Official.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.pipelines/OSS_Microsoft_PSSA-Official.yml b/.pipelines/OSS_Microsoft_PSSA-Official.yml index 1bdf2ddea..718662894 100644 --- a/.pipelines/OSS_Microsoft_PSSA-Official.yml +++ b/.pipelines/OSS_Microsoft_PSSA-Official.yml @@ -93,7 +93,6 @@ extends: packageType: 'sdk' useGlobalJson: true # this is to ensure that we are installing the dotnet at the same location as container by default install the dotnet sdks - # This prevents signing from breaking installationPath: 'C:\Program Files\dotnet\' workingDirectory: $(repoRoot) @@ -199,9 +198,6 @@ extends: ./build -BuildNupkg -CopyManifest -signed displayName: Create nupkg for publishing - # same problem as build, the previous step breaks signing - # this is not required at this point. - # So, we'll leave this for future work. - task: onebranch.pipeline.signing@1 displayName: Sign nupkg inputs: From 9a68ea5c368a4ec1f9477804d57c25530e613fa1 Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Thu, 14 Mar 2024 09:09:07 -0700 Subject: [PATCH 31/33] Apply suggestions from code review --- .pipelines/OSS_Microsoft_PSSA-Official.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.pipelines/OSS_Microsoft_PSSA-Official.yml b/.pipelines/OSS_Microsoft_PSSA-Official.yml index 718662894..a38dc9f0d 100644 --- a/.pipelines/OSS_Microsoft_PSSA-Official.yml +++ b/.pipelines/OSS_Microsoft_PSSA-Official.yml 
@@ -159,14 +159,14 @@ extends: value: $(Build.SourcesDirectory)\OSS_Microsoft_PSSA - name: ob_sdl_tsa_configFile value: $(Build.SourcesDirectory)\OSS_Microsoft_PSSA\.config\tsaoptions.json + # Disable because SBOM was already built in the previous job - name: ob_sdl_sbom_enabled value: false - - name: ob_sdl_codeql_compiled_enabled - value: false - name: signOutPath value: $(repoRoot)/signed - name: ob_signing_setup_enabled value: true + # This job is not compiling code, so disable codeQL - name: ob_codeql_compiled_enabled value: false From 49d6365d091e03df02d8afc2141a06f9c520fa80 Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Thu, 14 Mar 2024 09:18:58 -0700 Subject: [PATCH 32/33] fix variable name --- .pipelines/OSS_Microsoft_PSSA-Official.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.pipelines/OSS_Microsoft_PSSA-Official.yml b/.pipelines/OSS_Microsoft_PSSA-Official.yml index a38dc9f0d..39d46b433 100644 --- a/.pipelines/OSS_Microsoft_PSSA-Official.yml +++ b/.pipelines/OSS_Microsoft_PSSA-Official.yml @@ -66,7 +66,7 @@ extends: - name: ob_signing_setup_enabled value: true #CodeQL tasks added manually to workaround signing failures - - name: ob_codeql_compiled_enabled + - name: ob_sdl_codeql_compiled_enabled value: false pool: @@ -167,7 +167,7 @@ extends: - name: ob_signing_setup_enabled value: true # This job is not compiling code, so disable codeQL - - name: ob_codeql_compiled_enabled + - name: ob_sdl_codeql_compiled_enabled value: false pool: From 368a7e817833714f6a34994991bbbf29cb9db956 Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Thu, 14 Mar 2024 11:16:08 -0700 Subject: [PATCH 33/33] address pr comments --- .pipelines/OSS_Microsoft_PSSA-Official.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.pipelines/OSS_Microsoft_PSSA-Official.yml b/.pipelines/OSS_Microsoft_PSSA-Official.yml index 39d46b433..e8e6cc89f 100644 --- a/.pipelines/OSS_Microsoft_PSSA-Official.yml 
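Review bot: This hunk deletes `ob_sdl_codeql_compiled_enabled` from the nupkg job and keeps `ob_codeql_compiled_enabled`, yet `ob_sdl_codeql_compiled_enabled` is the spelling this job and the build job have used until now, and the new comment `# This job is not compiling code, so disable codeQL` sits on the line whose name may not be honoured; if the template only reads the `ob_sdl_` form, CodeQL is now enabled on a job that compiles nothing. Keep whichever name the OneBranch template documents and delete the other, rather than the reverse; I cannot verify the schema from here, so confirm against the template before merging.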
+++ b/.pipelines/OSS_Microsoft_PSSA-Official.yml @@ -134,7 +134,7 @@ extends: search_root: $(signSrcPath) - task: CopyFiles@2 - displayName: "Copy signed files to ob_outputDirectory" + displayName: "Copy signed files to ob_outputDirectory - '$(ob_outputDirectory)'" inputs: SourceFolder: "$(signSrcPath)" Contents: '**' @@ -212,7 +212,7 @@ extends: displayName: Find Nupkg - task: CopyFiles@2 - displayName: "Copy nupkg to ob_outputDirectory" + displayName: "Copy nupkg to ob_outputDirectory - '$(ob_outputDirectory)'" inputs: Contents: "$(repoRoot)/**/PSScriptAnalyzer.*.nupkg" TargetFolder: $(ob_outputDirectory)