diff --git a/.ci/releaseBuild.yml b/.ci/releaseBuild.yml new file mode 100644 index 00000000..b4fafe68 --- /dev/null +++ b/.ci/releaseBuild.yml @@ -0,0 +1,143 @@ +# The name of the build that will be seen in mscodehub +name: PowerShellGetv2-Release-$(Build.BuildId) +# how is the build triggered +# since this is a release build, no trigger as it's a manual release +trigger: none + +pr: + branches: + include: + - master + +# variables to set in the build environment +variables: + DOTNET_CLI_TELEMETRY_OPTOUT: 1 + POWERSHELL_TELEMETRY_OPTOUT: 1 + +# since this build relies on templates, we need access to those +# This needs a service connection in the build to work +# the *name* of the service connection must be the same as the endpoint +resources: + repositories: + - repository: ComplianceRepo + type: github + endpoint: ComplianceGHRepo + name: PowerShell/compliance + # this can be any branch of your choosing + ref: master + +# the stages in this build. There are 2 +# the assumption for PowerShellGetv2 is that test is done as part of +# CI so we needn't do it here +stages: +- stage: Build + displayName: Build + pool: + name: Package ES CodeHub Lab E + jobs: + - job: Build_Job + displayName: Build Microsoft.PowerShell.PowerShellGetv2 + # note the variable reference to ESRP. + # this must be created in Project -> Pipelines -> Library -> VariableGroups + # where it describes the link to the SigningServer + variables: + - group: ESRP + steps: + - checkout: self + + # the steps for building the module go here + - pwsh: | + Set-Location "$(Build.SourcesDirectory)/PowerShellGetv2" + Import-Module ./tools/build.psm1 -Force + Install-Dependencies + Update-ModuleManifestFunctions + Publish-ModuleArtifacts + displayName: Execute build + + # these are setting vso variables which will be persisted between stages + - pwsh: | + $signSrcPath = "$(Build.SourcesDirectory)/PowerShellGetv2/dist/PowerShellGet" + dir + # Set signing src path variable + $vstsCommandString = "vso[task.setvariable variable=signSrcPath]${signSrcPath}" + Write-Host "sending " + $vstsCommandString + Write-Host "##$vstsCommandString" + + $signOutPath = "$(Build.SourcesDirectory)/OSS_Microsoft_PowerShellGetv2/signed/PowerShellGet" + $null = New-Item -ItemType Directory -Path $signOutPath -force + # Set signing out path variable + $vstsCommandString = "vso[task.setvariable variable=signOutPath]${signOutPath}" + Write-Host "sending " + $vstsCommandString + Write-Host "##$vstsCommandString" + + # Set path variable for guardian codesign validation + $vstsCommandString = "vso[task.setvariable variable=GDN_CODESIGN_TARGETDIRECTORY]${signOutPath}" + Write-Host "sending " + $vstsCommandString + Write-Host "##$vstsCommandString" + + # Get version and create a variable + $moduleData = Import-PowerShellDataFile "$(Build.SourcesDirectory)/PowerShellGetv2/dist/PowerShellGet/PowerShellGet.psd1" + $moduleVersion = $moduleData.ModuleVersion + $vstsCommandString = "vso[task.setvariable variable=moduleVersion]${moduleVersion}" + Write-Host "sending " + $vstsCommandString + Write-Host "##$vstsCommandString" + displayName: Setup variables for signing + + # checkout the Compliance repository so it can be used to do the actual signing + - checkout: ComplianceRepo + + # this the MS authored step This cert covers MS autored items + # note that the buildOutputPath (where we get the files to sign) + # is the same as the signOutputPath in the previous step + # at the end of this step we will have all the files signed that should be + # signOutPath is the location which contains the files we will use to make the module + - template: EsrpSign.yml@ComplianceRepo + parameters: + # the folder which contains the binaries to sign + buildOutputPath: $(signSrcPath) + # the location to put the signed output + signOutputPath: $(signOutPath) + # the certificate ID to use (Authenticode) + certificateId: "CP-230012" + pattern: | + **\*.psd1 + **\*.psm1 + **\*.ps1xml + **\*.mof + + # finally publish the parts of the build which will be used in the next stages + # if it's not published, the subsequent stages will not be able to access it. + # This is the build directory (it contains all of the dll/pdb files) + - publish: "$(Build.SourcesDirectory)/OSS_Microsoft_PowerShellGetv2" + artifact: build + displayName: publish build directory + +# Now on to the compliance stage +- stage: compliance + displayName: Compliance + dependsOn: Build + jobs: + - job: Compliance_Job + pool: + name: Package ES CodeHub Lab E + steps: + - checkout: self + - checkout: ComplianceRepo + - download: current + artifact: build + + # use the templates in the compliance repo + # since script analyzer has modules, we're using the assembly-module-compliance template + # if you don't have assemblies, you should use script-module-compliance template + - template: script-module-compliance.yml@ComplianceRepo + parameters: + # component-governance - the path to sources + sourceScanPath: '$(Build.SourcesDirectory)' + # TermCheck + optionsRulesDBPath: '' + optionsFTPath: '' + # tsa-upload + # the compliance scanning must be uploaded, which you need to request + codeBaseName: 'PowerShellGetv2_20200129' + # selections + APIScan: false # set to false when not using Windows APIs.