-
Notifications
You must be signed in to change notification settings - Fork 32
/
azure-pipelines.yml
124 lines (114 loc) · 3.77 KB
/
azure-pipelines.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
trigger: none
pr: none
# Use an internally approved MS host for building, signing, and SBOM generation
pool:
name: '1ES-Hosted-DurableTaskFramework'
demands:
- ImageOverride -equals MMS2022TLS
steps:
- task: UseDotNet@2
displayName: 'Use the .NET Core 2.1 SDK (required for building signing)'
inputs:
packageType: 'sdk'
version: '2.1.x'
- task: UseDotNet@2
displayName: 'Use the .NET 6 SDK'
inputs:
packageType: 'sdk'
version: '6.0.x'
# Start by restoring all the dependencies. This needs to be its own task
# from what I can tell.
- task: DotNetCoreCLI@2
displayName: 'Restore nuget dependencies'
inputs:
command: restore
verbosityRestore: Minimal
projects: '**/*.csproj'
# Build the entire solution. This will also build all the tests, which
# isn't strictly necessary...
- task: VSBuild@1
displayName: 'Build'
inputs:
solution: '**/*.sln'
vsVersion: 'latest'
logFileVerbosity: minimal
configuration: Release
msbuildArgs: /p:FileVersionRevision=$(Build.BuildId) /p:ContinuousIntegrationBuild=true
# Authenticode sign all the DLLs with the Microsoft certificate.
# This appears to be an in-place signing job, which is convenient.
- task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
displayName: 'ESRP CodeSigning: Authenticode'
inputs:
ConnectedServiceName: 'ESRP Service'
FolderPath: 'src'
Pattern: 'DurableTask.*.dll'
signConfigType: inlineSignParams
inlineOperation: |
[
{
"KeyCode": "CP-230012",
"OperationCode": "SigntoolSign",
"Parameters": {
"OpusName": "Microsoft",
"OpusInfo": "http://www.microsoft.com",
"FileDigest": "/fd \"SHA256\"",
"PageHash": "/NPH",
"TimeStamp": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256"
},
"ToolName": "sign",
"ToolVersion": "1.0"
},
{
"KeyCode": "CP-230012",
"OperationCode": "SigntoolVerify",
"Parameters": {},
"ToolName": "sign",
"ToolVersion": "1.0"
}
]
# SBOM generator task for additional supply chain protection
- task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0
displayName: 'SBOM Manifest Generator'
inputs:
BuildDropPath: '$(System.DefaultWorkingDirectory)'
# Packaging needs to be a separate step from build.
# This will automatically pick up the signed DLLs.
- task: DotNetCoreCLI@2
displayName: Generate nuget packages
inputs:
command: pack
verbosityPack: Minimal
configuration: Release
nobuild: true
packDirectory: $(build.artifactStagingDirectory)
packagesToPack: 'src/**/*.csproj'
# Digitally sign all the nuget packages with the Microsoft certificate.
# This appears to be an in-place signing job, which is convenient.
- task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
displayName: 'ESRP CodeSigning: Nupkg'
inputs:
ConnectedServiceName: 'ESRP Service'
FolderPath: $(build.artifactStagingDirectory)
Pattern: '*.nupkg'
signConfigType: inlineSignParams
inlineOperation: |
[
{
"KeyCode": "CP-401405",
"OperationCode": "NuGetSign",
"Parameters": {},
"ToolName": "sign",
"ToolVersion": "1.0"
},
{
"KeyCode": "CP-401405",
"OperationCode": "NuGetVerify",
"Parameters": {},
"ToolName": "sign",
"ToolVersion": "1.0"
}
]
# Make the nuget packages available for download in the ADO portal UI
- publish: $(build.artifactStagingDirectory)
displayName: 'Publish nuget packages to Artifacts'
artifact: PackageOutput