[ci] Migrate to the 1ES template (#8)

pjcollins · web-flow · commit a1c11391f4ff · 2024-02-22T09:27:54.000Z
Context: https://aka.ms/1espt The build pipeline has been updated to extend the 1ES pipeline template, which will keep the pipeline up to date with the latest compliance and security requirements. Compliance tasks and scans will run automatically as part of artifact upload steps, which are now referred to as "outputs". Template outputs have replaced all instances of the `PublishPipelineArtifact` task. The new compliance steps appear to have added ~4 hours to the build in the worst-case scenario (from 1.5 hours to 5.5 hours). This appears to mostly be a result of CodeQL.
diff --git a/.gdn/.gdnsettings b/.gdn/.gdnsettings
@@ -0,0 +1,7 @@
+{
+  "files": { },
+  "folders": { },
+  "overwriteLogs": true,
+  "telemetryFlushTimeout": 10,
+  "variables": { }
+}
diff --git a/.gdn/.gdnsuppress b/.gdn/.gdnsuppress
@@ -0,0 +1,61 @@
+{
+  "hydrated": false,
+  "properties": {
+    "helpUri": "https://eng.ms/docs/microsoft-security/security/azure-security/cloudai-security-fundamentals-engineering/security-integration/guardian-wiki/microsoft-guardian/general/suppressions",
+    "hydrationStatus": "This file does not contain identifying data. It is safe to check into your repo. To hydrate this file with identifying data, run `guardian hydrate --help` and follow the guidance."
+  },
+  "version": "1.0.0",
+  "suppressionSets": {
+    "default": {
+      "name": "default",
+      "createdDate": "2024-02-15 00:04:36Z",
+      "lastUpdatedDate": "2024-02-15 00:04:36Z"
+    }
+  },
+  "results": {
+    "56abf01a2bb694a67c82be21f03a0dd66f296b49029f3c23bf6f3f82501cd2a3": {
+      "signature": "56abf01a2bb694a67c82be21f03a0dd66f296b49029f3c23bf6f3f82501cd2a3",
+      "alternativeSignatures": [
+        "be97b4284131d0f331716c30392a1e1d25474b8694363df3eea88a91d4152094"
+      ],
+      "memberOf": [
+        "default"
+      ],
+      "justification": "Unable to resolve BA2007 identified in external LLVM CMake configuration.",
+      "createdDate": "2024-02-15 00:04:36Z"
+    },
+    "5eceb0d6d6dba608d129867a6be091ad2bae06078aa8a057dfa67331c4b98772": {
+      "signature": "5eceb0d6d6dba608d129867a6be091ad2bae06078aa8a057dfa67331c4b98772",
+      "alternativeSignatures": [
+        "23dc4e92dd0ab3635230bd466fdde746fa0be745694ba8530eab31091dc375e8"
+      ],
+      "memberOf": [
+        "default"
+      ],
+      "justification": "Unable to resolve BA2007 identified in external LLVM CMake configuration.",
+      "createdDate": "2024-02-15 00:04:36Z"
+    },
+    "fe61820f6936ba46368b182d5bbfc9576302c6c513803481bccdf0d863b966eb": {
+      "signature": "fe61820f6936ba46368b182d5bbfc9576302c6c513803481bccdf0d863b966eb",
+      "alternativeSignatures": [
+        "1868f8371a1ab6e1d82ab77b47a50f067e589870b4432ac45a2590876afd824e"
+      ],
+      "memberOf": [
+        "default"
+      ],
+      "justification": "Unable to resolve BA2007 identified in external LLVM CMake configuration.",
+      "createdDate": "2024-02-15 00:04:36Z"
+    },
+    "fbf0466272fbf02d7b438d4adc1e193bc720677a220027755f5db357559a5777": {
+      "signature": "fbf0466272fbf02d7b438d4adc1e193bc720677a220027755f5db357559a5777",
+      "alternativeSignatures": [
+        "6da9f7a139b0c80204a3573e089aa0345b453280ac942cb59c224b7c6866af43"
+      ],
+      "memberOf": [
+        "default"
+      ],
+      "justification": "Unable to resolve BA2007 identified in external LLVM CMake configuration.",
+      "createdDate": "2024-02-15 00:04:36Z"
+    }
+  }
+}
diff --git a/.gdn/.gitignore b/.gdn/.gitignore
@@ -0,0 +1,11 @@
+﻿## Ignore Guardian internal files
+.r/
+rc/
+rs/
+i/
+p/
+c/
+o/
+
+## Ignore Guardian Local settings
+LocalSettings.gdn.json
diff --git a/build-llvm.cmd b/build-llvm.cmd
@@ -12,8 +12,8 @@ set PDBS=llvm-mc.pdb llvm-strip.pdb lld.pdb llc.pdb
 set HOST_BUILD_DIR=%BUILD_DIR%\%HOST%
 set HOST_BIN_DIR=%HOST_BUILD_DIR%\Release\bin
 set HOST_ARTIFACTS_DIR=%ARTIFACTS_DIR%\%HOST%
-set LLVM_VERSION_FILE=%HOST_ARTIFACTS_DIR%\llvm-version.txtt 
-set CXXFLAGS="/Qspectre /sdl"
+set LLVM_VERSION_FILE=%HOST_ARTIFACTS_DIR%\llvm-version.txt
+set CXXFLAGS="/Qspectre /sdl /guard:cf"
 
 if exist %HOST_BUILD_DIR% (rmdir /S /Q %HOST_BUILD_DIR%)
 mkdir %HOST_BUILD_DIR%
@@ -27,7 +27,7 @@ cmake --version
 cmake --help
 
 cmake -G "Visual Studio 17 2022" -A x64 ^
- -DCMAKE_EXE_LINKER_FLAGS_INIT="/PROFILE /DYNAMICBASE /CETCOMPAT" ^
+ -DCMAKE_EXE_LINKER_FLAGS_INIT="/PROFILE /DYNAMICBASE /CETCOMPAT /guard:cf" ^
  -DBUILD_SHARED_LIBS=OFF ^
  -DCMAKE_BUILD_TYPE=Release ^
  -DCMAKE_MSVC_RUNTIME_LIBRARY="MultiThreaded" ^
diff --git a/build-tools/automation/azure-pipelines.yml b/build-tools/automation/azure-pipelines.yml
