Move to OneBranch for sign/release (#213)

* Initial checkin for OneBranch build. * fix search root for nupkg * put placeholder for tsacodebaseName * Add *.psm1 files for signing.
PowerShell · Jun 13, 2024 · f46ae48 · f46ae48
1 parent cdd3af0
commit f46ae48
Show file tree

Hide file tree

Showing 6 changed files with 179 additions and 12 deletions.
diff --git a/.config/suppress.json b/.config/suppress.json
@@ -0,0 +1,9 @@
+{
+    "tool": "Credential Scanner",
+    "suppressions": [
+       {
+         "file": "Experimental\\HelpParsers\\README.md",
+          "_justification": "Documentation example."
+        }
+     ]
+}
diff --git a/.config/tsaoptions.json b/.config/tsaoptions.json
@@ -0,0 +1,8 @@
+{
+    "instanceUrl": "https://msazure.visualstudio.com",
+    "projectName": "One",
+    "areaPath": "One\\MGMT\\Compute\\Powershell\\Powershell",
+    "codebaseName": "TFSMSAzure_TOBECHANGED",
+    "notificationAliases": [ "[email protected]", "[email protected]" ],
+    "tools": [ "CredScan", "PoliCheck", "BinSkim" ]
+}
diff --git a/.pipelines/Crescendo-Official.yml b/.pipelines/Crescendo-Official.yml
@@ -0,0 +1,140 @@
+name: Crescendo-ModuleBuild-$(Build.BuildId)
+trigger: none
+pr: none
+
+variables:
+  BuildConfiguration: Release
+  DOTNET_NOLOGO: true
+  DOTNET_GENERATE_ASPNET_CERTIFICATE: false
+  DOTNET_CLI_TELEMETRY_OPTOUT: 1
+  POWERSHELL_TELEMETRY_OPTOUT: 1
+  DOTNET_SKIP_FIRST_TIME_EXPERIENCE: 1
+  WindowsContainerImage: onebranch.azurecr.io/windows/ltsc2022/vse2022:latest
+
+resources:
+  repositories:
+  - repository: templates
+    type: git
+    name: OneBranch.Pipelines/GovernedTemplates
+    ref: refs/heads/main
+
+extends:
+  # https://aka.ms/obpipelines/templates
+  template: v2/OneBranch.Official.CrossPlat.yml@templates
+  parameters:
+    featureFlags:
+      WindowsHostVersion: '1ESWindows2022'
+    globalSdl: # https://aka.ms/obpipelines/sdl
+      asyncSdl:
+        enabled: true
+        forStages: [build]
+      credscan:
+        enabled: true
+        scanfolder: $(Build.SourcesDirectory)
+        suppressionsFile: $(Build.SourcesDirectory)\.config\suppress.json
+    stages:
+    - stage: build
+      jobs:
+      - job: main
+        displayName: Build package
+        pool:
+          type: windows
+        variables:
+        - name: ob_outputDirectory
+          value: $(Build.SourcesDirectory)/out
+        - name: ob_sdl_credscan_suppressionsFile
+          value: $(Build.SourcesDirectory)\.config\suppress.json
+        steps:
+          - pwsh: |
+              Write-Verbose -Verbose ((Get-Item $(Build.SourcesDirectory)).FullName)
+              # Get-ChildItem $(Build.SourcesDirectory) -Recurse -File -Name | Write-Verbose -Verbose
+              $manifestData = Import-PowerShellDataFile -Path ./Microsoft.PowerShell.Crescendo/src/Microsoft.PowerShell.Crescendo.psd1
+              $moduleVersion = $manifestData.ModuleVersion
+              Write-Output "##vso[task.setvariable variable=version;isOutput=true]$moduleVersion"
+              if ($manifestData.PrivateData.PsData.Prerelease) {
+                $prerel = $manifestData.PrivateData.PSData.Prerelease
+                $nupkgVersion = "${moduleVersion}-${prerel}"
+              } else {
+                $nupkgVersion = $moduleVersion
+              }
+              Write-Output "##vso[task.setvariable variable=nupkgversion;isOutput=true]$nupkgVersion"
+            name: package
+            displayName: Get version from project properties
+          - task: onebranch.pipeline.version@1
+            displayName: Set OneBranch version
+            inputs:
+              system: Custom
+              customVersion: $(package.version)
+          - task: UseDotNet@2
+            displayName: Use .NET SDK
+            inputs:
+              packageType: sdk
+              useGlobalJson: true
+          - pwsh: ./build.ps1 -publish
+            displayName: Build Crescendo
+          - task: onebranch.pipeline.signing@1
+            displayName: Sign 1st-party files
+            inputs:
+              command: sign
+              signing_profile: external_distribution
+              search_root: $(Build.SourcesDirectory)/out/Microsoft.PowerShell.Crescendo
+              files_to_sign: |
+                **/*.psd1;
+                **/*.psm1;
+                **/*.ps1xml;
+                **/*.ps1;
+          - task: ArchiveFiles@2
+            displayName: Zip module
+            inputs:
+              rootFolderOrFile: $(Build.SourcesDirectory)/out/Microsoft.PowerShell.Crescendo
+              includeRootFolder: false
+              archiveType: zip
+              archiveFile: out/Microsoft.PowerShell.Crescendo-v$(package.version).zip
+          - pwsh: |
+              ./build -package
+              Write-Verbose -Verbose ((Get-Item .).FullName)
+              Write-Verbose -Verbose ((Get-Item $(Build.SourcesDirectory)).FullName)
+              Get-ChildItem $(Build.SourcesDirectory) -Recurse -File -Name | Write-Verbose -Verbose
+            displayName: Package module
+          - task: onebranch.pipeline.signing@1
+            displayName: Sign NuGet package
+            inputs:
+              command: sign
+              signing_profile: external_distribution
+              search_root: $(Build.SourcesDirectory)/out
+              files_to_sign: "**/*.nupkg"
+    - stage: release
+      dependsOn: build
+      variables:
+        version: $[ stageDependencies.build.main.outputs['package.version'] ]
+        drop: $(Pipeline.Workspace)/drop_build_main
+      jobs:
+      - job: validation
+        displayName: Manual validation
+        pool:
+          type: agentless
+        timeoutInMinutes: 1440
+        steps:
+        - task: ManualValidation@0
+          displayName: Wait 24 hours for validation
+          inputs:
+            notifyUsers: $(Build.RequestedForEmail)
+            instructions: Please validate the release and then publish it!
+            timeoutInMinutes: 1440
+      - job: publish
+        dependsOn: validation
+        displayName: Publish to PowerShell Gallery
+        pool:
+          type: windows
+        variables:
+          ob_outputDirectory: $(Build.SourcesDirectory)/out
+        steps:
+        - download: current
+          displayName: Download artifacts
+        - task: NuGetCommand@2
+          displayName: Publish Crescendo to PowerShell Gallery
+          inputs:
+            command: push
+            packagesToPush: $(Build.SourcesDirectory)/Microsoft.PowerShell.Crescendo.$(package.nupkgVersion).nupkg
+            nuGetFeedType: external
+            publishFeedCredentials: PowerShellGallery
diff --git a/build.ps1 b/build.ps1
@@ -25,7 +25,8 @@ $PubBase  = "${PSScriptRoot}/out"
 $PubRoot  = "${PubBase}/${Name}"
 $SignRoot = "${PSScriptRoot}/signed/${Name}"
 $SignVersion = "${SignRoot}/${Version}"
-$PubDir   = "${PubRoot}/${Version}"
+# $PubDir   = "${PubRoot}/${Version}"
+$PubDir   = "${PubRoot}"
 $PreRelease = ${ManifestData}.PrivateData.PSData.Prerelease
 
 if (-not $test -and -not $build -and -not $publish -and -not $package -and -not $BuildTestTool) {
@@ -85,7 +86,7 @@ function Export-Module
     }
     # now constuct a nupkg by registering a local repository and calling publish module
     $repoName = [guid]::newGuid().ToString("N")
-    Register-PSRepository -Name $repoName -SourceLocation ${packageRoot} -InstallationPolicy Trusted
+    Register-PSRepository -Name $repoName -SourceLocation ${pubBase} -InstallationPolicy Trusted
     Publish-Module -Path $packageRoot -Repository $repoName
     Unregister-PSRepository -Name $repoName
     Get-ChildItem -Recurse -Name $packageRoot | Write-Verbose -Verbose
@@ -95,14 +96,14 @@ function Export-Module
     else {
         $nupkgName = "{0}.{1}.nupkg" -f ${Name},${Version}
     }
-    $nupkgPath = Join-Path $packageRoot $nupkgName
-    if ($env:TF_BUILD) {
-        # In Azure DevOps
-        Write-Host "##vso[artifact.upload containerfolder=$nupkgName;artifactname=$nupkgName;]$nupkgPath"
-    }
-    else {
+    $nupkgPath = Join-Path $pubBase $nupkgName
+    #if ($env:TF_BUILD) {
+    #    # In Azure DevOps
+    #    Write-Host "##vso[artifact.upload containerfolder=$nupkgName;artifactname=$nupkgName;]$nupkgPath"
+    #}
+    #else {
         Write-Verbose -Verbose "package path: $nupkgPath (exists:$(Test-Path $nupkgPath))"
-    }
+    #}
 }
 
 if ($publish) {

diff --git a/global.json b/global.json
@@ -1,5 +1,6 @@
 {
-  "sdk": {
-    "version": "6.0.100"
-  }
+    "sdk": {
+        "version": "8.0.100",
+        "rollForward": "latestMajor"
+    }
 }
diff --git a/nuget.config b/nuget.config
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="utf-8"?>
+<configuration>
+  <packageSources>
+    <clear />
+    <!-- Please verify that the feed below exists for your project and replace placeholder values. You may also use another feed of your choice. -->
+    <add key="PowerShellCore_PublicPackages" value="https://pkgs.dev.azure.com/powershell/PowerShell/_packaging/powershell/nuget/v3/index.json" />
+  </packageSources>
+</configuration>