diff --git a/.azure-devops/nova-facade-release.yml b/.azure-devops/nova-facade-release.yml index 6f573a0..e3eae86 100644 --- a/.azure-devops/nova-facade-release.yml +++ b/.azure-devops/nova-facade-release.yml @@ -1,3 +1,10 @@ +resources: + repositories: + - repository: 1ESPipelineTemplates + type: git + name: 1ESPipelineTemplates/1ESPipelineTemplates + ref: refs/tags/release + pr: none trigger: - main 
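Review bot: `ref: refs/tags/release` resolves the extended template to a moving tag, so changes to `1ESPipelineTemplates` take effect in this release pipeline with no diff in this repository; the build, SDL and artifact steps the pipeline now delegates are therefore not pinned. This appears to be the pattern the template owners publish, but it should be a deliberate choice: if reproducibility of a given release matters, pin to a versioned tag and bump it explicitly, otherwise record the decision next to the ref, e.g. `# tracks the floating release tag on purpose; template updates are not reviewed here`.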
@@ -14,52 +21,56 @@ variables: - name: tags value: production,externalfacing - name: serviceTreeID - value: 6F8CD842-E117-412F-BAE4-56A3B6166594 + value: ade7d667-42f5-485a-91a9-f1dc6482a9b0 - name: adoNpmFeedBaseUrl value: https://pkgs.dev.azure.com/domoreexp/_apis/packaging/feeds/npm-mirror -jobs: - - job: compliance - displayName: Compliance checks - pool: - name: 1ES-Teams-Windows-2022-DomoreexpGithub - steps: - - template: ./steps/service-tree.yml - parameters: - serviceTreeID: $(serviceTreeID) - - template: ./steps/compliance-steps.yml +extends: + template: v1/1ES.Official.PipelineTemplate.yml@1ESPipelineTemplates - - job: Release - variables: - - group: oss-secrets - dependsOn: Compliance - pool: "1ES-Teams-Ubuntu-Latest-Compliant-NCUS" - steps: - - template: ./steps/service-tree.yml - parameters: - serviceTreeID: $(serviceTreeID) - - script: yarn - displayName: yarn - - script: | - yarn ci - displayName: build and test [test] - - script: | - git config user.email "gql-svc@microsoft.com" - git config user.name "Graphitation Service Account" - git remote set-url origin https://gql-svc:$(ossGithubPAT)@github.com/microsoft/nova-facade.git - displayName: Configure git for release - - script: yarn release -y -n $(ossNpmToken) --access public - displayName: Release - - task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0 - displayName: 📒 Generate Manifest - inputs: - BuildDropPath: $(System.DefaultWorkingDirectory) - - task: PublishPipelineArtifact@1 - displayName: 📒 Publish Manifest - inputs: - artifactName: SBom-$(System.JobAttempt) - targetPath: $(System.DefaultWorkingDirectory)/_manifest - - template: ./steps/pierce-ado-npm-mirror-cache.yml - parameters: - adoNpmFeedPat: $(adoNpmFeedPat) - adoNpmFeedBaseUrl: $(adoNpmFeedBaseUrl) + parameters: + sdl: + sourceAnalysisPool: + name: Azure-Pipelines-1ESPT-ExDShared + image: windows-2022 + os: windows + stages: + - stage: release + variables: + # OPTIONAL: Set this varibale to 
'true' to enable signing in a target stage. + # Remove if signing is not required. + Build.ESRP.CodeSign.Enabled: true + # OPTIONAL: To disable required tools not applicable in the pipeline set to false. + # Supported values: BinSkim, Roslyn, ESLint, PREFast. + Build.SDL..Enabled: false + Build.SDL..Enabled: true + jobs: + - job: Release + variables: + - group: oss-secrets + pool: + name: Azure-Pipelines-1ESPT-ExDShared + image: ubuntu-latest + os: linux + steps: + - script: yarn + displayName: yarn + - script: | + yarn ci + displayName: build and test [test] + - script: | + git config user.email "gql-svc@microsoft.com" + git config user.name "Graphitation Service Account" + git remote set-url origin https://gql-svc:$(ossGithubPAT)@github.com/microsoft/nova-facade.git + displayName: Configure git for release + - script: yarn release -y -n $(ossNpmToken) --access public + displayName: Release + - task: 1ES.PublishPipelineArtifact@1 + displayName: 📒 Publish Manifest + inputs: + artifactName: SBom-$(System.JobAttempt) + targetPath: $(System.DefaultWorkingDirectory)/_manifest + - template: .azure-devops/steps/pierce-ado-npm-mirror-cache.yml@self + parameters: + adoNpmFeedPat: $(adoNpmFeedPat) + adoNpmFeedBaseUrl: $(adoNpmFeedBaseUrl) \ No newline at end of file diff --git a/.azure-devops/steps/compliance-steps.yml b/.azure-devops/steps/compliance-steps.yml deleted file mode 100644 index 5261317..0000000 --- a/.azure-devops/steps/compliance-steps.yml +++ /dev/null 
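Review bot: The `Release` job no longer has `dependsOn: Compliance`, and the explicit gate that used to sit between analysis and publish (`PostAnalysis@2` with `GdnBreakPolicyMinSev: Warning`) is deleted with it, so nothing visible in the `release` stage stops `yarn release` from pushing to npm and GitHub when CredScan or ESLint flag something; whether the 1ES template's SDL stage gates this stage is not shown here and should be confirmed (or a `dependsOn` on that stage added) before the next release. The carried-over `git remote set-url origin https://gql-svc:$(ossGithubPAT)@github.com/...` writes the PAT into `.git/config` on the agent for the rest of the job; prefer `git -c http.extraheader=... push` or a credential helper, or at least reset the remote URL after the release step. As rendered here the two `Build.SDL..Enabled` keys are identical, which would be a last-wins duplicate-key case in YAML — the tool name seems to have dropped out in this view, so verify the committed file names two distinct tools. `Build.ESRP.CodeSign.Enabled: true` is set although no signing step appears in the stage; if the template does not consume it, remove it as its own comment suggests.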
@@ -1,46 +0,0 @@ -# These steps have to run on a windows machine, -# and therefore unfortunately can't be integrated in the regular steps - -steps: - - task: UseDotNet@2 - condition: succeededOrFailed() - displayName: "Use .NET Core sdk 3.x" - inputs: - version: 3.x - steps: - - - task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@3 - condition: succeededOrFailed() - displayName: "🧭 Run Credential Scanner" - inputs: - debugMode: false - - - task: securedevelopmentteam.vss-secure-development-tools.build-task-eslint.ESLint@1 - condition: succeededOrFailed() - displayName: "🧭 Run ESLint" - - - task: securedevelopmentteam.vss-secure-development-tools.build-task-publishsecurityanalysislogs.PublishSecurityAnalysisLogs@3 - displayName: "🧭 Publish Guardian Artifacts - All Tools" - inputs: - ArtifactType: M365 - condition: succeededOrFailed() - - - task: AssetRetention@3 - displayName: 🧭 Arrow Retention - inputs: - ArrowServiceConnection: "Arrow_Domoreexpgithub_PROD" - AssetGroupName: "$(System.TeamProject)_$(Build.DefinitionName)" - AssetNumber: "$(Build.BuildId)" - IsShipped: false - DropsToRetain: "CodeAnalysisLogs" - condition: and(succeeded(), eq(variables['Build.SourceBranch'], 'refs/heads/main')) - - - task: securedevelopmentteam.vss-secure-development-tools.build-task-postanalysis.PostAnalysis@2 - displayName: "🧭 Guardian Break" - inputs: - GdnBreakPolicyMinSev: Warning - GdnBreakAllTools: true - GdnBreakGdnToolESLint: true - GdnBreakGdnToolESLintSeverity: Warning - GdnBreakPolicy: M365 - condition: succeededOrFailed() diff --git a/.azure-devops/steps/service-tree.yml b/.azure-devops/steps/service-tree.yml deleted file mode 100644 index fe96400..0000000 --- a/.azure-devops/steps/service-tree.yml +++ /dev/null 
@@ -1,12 +0,0 @@ -parameters: - - name: serviceTreeID - type: string - default: "PLEASE USE YOUR SERVICE TREE ID FOR THE REPO" - -steps: - - task: skvso.servicetree-build-tasks.servicetree-link-build-task.servicetree-link-build-task@1 - displayName: "ServiceTree Integration" - inputs: - ServiceTreeGateway: "ServiceTree Gateway" - Service: ${{ parameters.serviceTreeID }} - BuildOutputUsage: production