[release/6.0.1xx] Switch to dSAS for internal runtimes (#19938)

Marc Paine 2024-07-03 09:35:43 -07:00 committed by GitHub
commit 039e7bd9c7
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
21 changed files with 295 additions and 36 deletions


@ -19,7 +19,6 @@ variables:
- ${{ if and(ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest')) }}: - ${{ if and(ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest')) }}:
- name: Codeql.Enabled - name: Codeql.Enabled
value: true value: true
- group: DotNet-DotNetCli-Storage
- group: DotNet-Installer-SDLValidation-Params - group: DotNet-Installer-SDLValidation-Params
- name: _PublishUsingPipelines - name: _PublishUsingPipelines
value: true value: true
@ -36,7 +35,6 @@ variables:
- name: _InternalRuntimeDownloadArgs - name: _InternalRuntimeDownloadArgs
value: '' value: ''
- ${{ if eq(variables['System.TeamProject'], 'internal') }}: - ${{ if eq(variables['System.TeamProject'], 'internal') }}:
- group: DotNetBuilds storage account read tokens
- name: _InternalRuntimeDownloadArgs - name: _InternalRuntimeDownloadArgs
value: /p:DotNetRuntimeSourceFeed=https://dotnetbuilds.blob.core.windows.net/internal value: /p:DotNetRuntimeSourceFeed=https://dotnetbuilds.blob.core.windows.net/internal
/p:DotNetRuntimeSourceFeedKey=$(dotnetbuilds-internal-container-read-token-base64) /p:DotNetRuntimeSourceFeedKey=$(dotnetbuilds-internal-container-read-token-base64)
@ -412,6 +410,8 @@ extends:
_TestArg: '' _TestArg: ''
- template: /eng/common/templates-official/jobs/source-build.yml@self - template: /eng/common/templates-official/jobs/source-build.yml@self
parameters:
enableInternalSources: true
- template: /src/SourceBuild/Arcade/eng/common/templates/job/source-build-create-tarball.yml@self - template: /src/SourceBuild/Arcade/eng/common/templates/job/source-build-create-tarball.yml@self
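Review bot: `_InternalRuntimeDownloadArgs` still expands `$(dotnetbuilds-internal-container-read-token-base64)`, but with the `DotNetBuilds storage account read tokens` group removed that variable exists only in jobs that run the enable-internal-runtimes step before using it. A value set with `task.setvariable` is scoped to the job that set it, and Azure Pipelines leaves an undefined `$(...)` macro as literal text, so a job that misses the step would pass the literal string as the feed key and fail with an authorization error far from the cause. A comment above the variable would make the dependency explicit, e.g. `# Set at job run time by /eng/common/templates/steps/enable-internal-runtimes.yml; every job that uses this must include that step`. The second pipeline file's identical hunk needs the same comment, and the `variables:` block continues outside the hunk.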


@ -17,7 +17,6 @@ variables:
- ${{ if and(ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest')) }}: - ${{ if and(ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest')) }}:
- name: Codeql.Enabled - name: Codeql.Enabled
value: true value: true
- group: DotNet-DotNetCli-Storage
- group: DotNet-Installer-SDLValidation-Params - group: DotNet-Installer-SDLValidation-Params
- name: _PublishUsingPipelines - name: _PublishUsingPipelines
value: true value: true
@ -34,7 +33,6 @@ variables:
- name: _InternalRuntimeDownloadArgs - name: _InternalRuntimeDownloadArgs
value: '' value: ''
- ${{ if eq(variables['System.TeamProject'], 'internal') }}: - ${{ if eq(variables['System.TeamProject'], 'internal') }}:
- group: DotNetBuilds storage account read tokens
- name: _InternalRuntimeDownloadArgs - name: _InternalRuntimeDownloadArgs
value: /p:DotNetRuntimeSourceFeed=https://dotnetbuilds.blob.core.windows.net/internal value: /p:DotNetRuntimeSourceFeed=https://dotnetbuilds.blob.core.windows.net/internal
/p:DotNetRuntimeSourceFeedKey=$(dotnetbuilds-internal-container-read-token-base64) /p:DotNetRuntimeSourceFeedKey=$(dotnetbuilds-internal-container-read-token-base64)
@ -364,6 +362,8 @@ stages:
_TestArg: '' _TestArg: ''
- template: /eng/common/templates/jobs/source-build.yml - template: /eng/common/templates/jobs/source-build.yml
parameters:
enableInternalSources: true
- template: /src/SourceBuild/Arcade/eng/common/templates/job/source-build-create-tarball-pr.yml - template: /src/SourceBuild/Arcade/eng/common/templates/job/source-build-create-tarball-pr.yml


@ -197,19 +197,19 @@
</Dependency> </Dependency>
</ProductDependencies> </ProductDependencies>
<ToolsetDependencies> <ToolsetDependencies>
<Dependency Name="Microsoft.DotNet.Arcade.Sdk" Version="6.0.0-beta.24266.4"> <Dependency Name="Microsoft.DotNet.Arcade.Sdk" Version="6.0.0-beta.24326.2">
<Uri>https://github.com/dotnet/arcade</Uri> <Uri>https://github.com/dotnet/arcade</Uri>
<Sha>2eab07c3d7b78219d10099b19fafeef2ecae1779</Sha> <Sha>1844d819e6f33f1106083c5066ea01e0310eefa3</Sha>
<SourceBuild RepoName="arcade" ManagedOnly="true" /> <SourceBuild RepoName="arcade" ManagedOnly="true" />
</Dependency> </Dependency>
<Dependency Name="Microsoft.DotNet.CMake.Sdk" Version="6.0.0-beta.24266.4"> <Dependency Name="Microsoft.DotNet.CMake.Sdk" Version="6.0.0-beta.24326.2">
<Uri>https://github.com/dotnet/arcade</Uri> <Uri>https://github.com/dotnet/arcade</Uri>
<Sha>2eab07c3d7b78219d10099b19fafeef2ecae1779</Sha> <Sha>1844d819e6f33f1106083c5066ea01e0310eefa3</Sha>
<SourceBuild RepoName="arcade" ManagedOnly="true" /> <SourceBuild RepoName="arcade" ManagedOnly="true" />
</Dependency> </Dependency>
<Dependency Name="Microsoft.DotNet.Build.Tasks.Installers" Version="6.0.0-beta.24266.4"> <Dependency Name="Microsoft.DotNet.Build.Tasks.Installers" Version="6.0.0-beta.24326.2">
<Uri>https://github.com/dotnet/arcade</Uri> <Uri>https://github.com/dotnet/arcade</Uri>
<Sha>2eab07c3d7b78219d10099b19fafeef2ecae1779</Sha> <Sha>1844d819e6f33f1106083c5066ea01e0310eefa3</Sha>
</Dependency> </Dependency>
<Dependency Name="Microsoft.SourceBuild.Intermediate.source-build-reference-packages" Version="6.0.0-servicing.24266.3"> <Dependency Name="Microsoft.SourceBuild.Intermediate.source-build-reference-packages" Version="6.0.0-servicing.24266.3">
<Uri>https://github.com/dotnet/source-build-reference-packages</Uri> <Uri>https://github.com/dotnet/source-build-reference-packages</Uri>


@ -19,7 +19,7 @@
</PropertyGroup> </PropertyGroup>
<PropertyGroup> <PropertyGroup>
<!-- Dependency from https://github.com/dotnet/arcade --> <!-- Dependency from https://github.com/dotnet/arcade -->
<MicrosoftDotNetBuildTasksInstallersPackageVersion>6.0.0-beta.24266.4</MicrosoftDotNetBuildTasksInstallersPackageVersion> <MicrosoftDotNetBuildTasksInstallersPackageVersion>6.0.0-beta.24326.2</MicrosoftDotNetBuildTasksInstallersPackageVersion>
</PropertyGroup> </PropertyGroup>
<PropertyGroup> <PropertyGroup>
<!-- Dependency from https://github.com/dotnet/winforms --> <!-- Dependency from https://github.com/dotnet/winforms -->


@ -66,6 +66,7 @@ phases:
steps: steps:
- checkout: self - checkout: self
clean: true clean: true
- template: /eng/common/templates/steps/enable-internal-runtimes.yml
- ${{ if eq(parameters.agentOs, 'Windows_NT') }}: - ${{ if eq(parameters.agentOs, 'Windows_NT') }}:
- ${{ if ne(variables['System.TeamProject'], 'public') }}: - ${{ if ne(variables['System.TeamProject'], 'public') }}:
- task: PowerShell@2 - task: PowerShell@2
@ -96,7 +97,6 @@ phases:
arguments: $(Build.SourcesDirectory)/NuGet.config $Token arguments: $(Build.SourcesDirectory)/NuGet.config $Token
env: env:
Token: $(dn-bot-dnceng-artifact-feeds-rw) Token: $(dn-bot-dnceng-artifact-feeds-rw)
- ${{ if eq(parameters.agentOs, 'Linux') }}: - ${{ if eq(parameters.agentOs, 'Linux') }}:
- script: ./build.sh - script: ./build.sh
$(_TestArg) $(_PackArg) $(_TestArg) $(_PackArg)


@ -66,6 +66,7 @@ phases:
steps: steps:
- checkout: self - checkout: self
clean: true clean: true
- template: /eng/common/templates/steps/enable-internal-runtimes.yml
- ${{ if eq(parameters.agentOs, 'Windows_NT') }}: - ${{ if eq(parameters.agentOs, 'Windows_NT') }}:
- ${{ if ne(variables['System.TeamProject'], 'public') }}: - ${{ if ne(variables['System.TeamProject'], 'public') }}:
- task: PowerShell@2 - task: PowerShell@2


@ -31,6 +31,12 @@ parameters:
# container and pool. # container and pool.
platform: {} platform: {}
# If set to true and running on a non-public project,
# Internal blob storage locations will be enabled.
# This is not enabled by default because many repositories do not need internal sources
# and do not need to have the required service connections approved in the pipeline.
enableInternalSources: false
jobs: jobs:
- job: ${{ parameters.jobNamePrefix }}_${{ parameters.platform.name }} - job: ${{ parameters.jobNamePrefix }}_${{ parameters.platform.name }}
displayName: Source-Build (${{ parameters.platform.name }}) displayName: Source-Build (${{ parameters.platform.name }})
@ -59,6 +65,8 @@ jobs:
clean: all clean: all
steps: steps:
- ${{ if eq(parameters.enableInternalSources, true) }}:
- template: /eng/common/templates-official/steps/enable-internal-runtimes.yml
- template: /eng/common/templates-official/steps/source-build.yml - template: /eng/common/templates-official/steps/source-build.yml
parameters: parameters:
platform: ${{ parameters.platform }} platform: ${{ parameters.platform }}


@ -1,6 +1,7 @@
parameters: parameters:
runAsPublic: false runAsPublic: false
sourceIndexPackageVersion: 1.0.1-20240320.1 sourceIndexUploadPackageVersion: 2.0.0-20240502.12
sourceIndexProcessBinlogPackageVersion: 1.0.1-20240129.2
sourceIndexPackageSource: https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-tools/nuget/v3/index.json sourceIndexPackageSource: https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-tools/nuget/v3/index.json
sourceIndexBuildCommand: powershell -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "eng/common/build.ps1 -restore -build -binarylog -ci" sourceIndexBuildCommand: powershell -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "eng/common/build.ps1 -restore -build -binarylog -ci"
preSteps: [] preSteps: []
@ -17,14 +18,14 @@ jobs:
dependsOn: ${{ parameters.dependsOn }} dependsOn: ${{ parameters.dependsOn }}
condition: ${{ parameters.condition }} condition: ${{ parameters.condition }}
variables: variables:
- name: SourceIndexPackageVersion - name: SourceIndexUploadPackageVersion
value: ${{ parameters.sourceIndexPackageVersion }} value: ${{ parameters.sourceIndexUploadPackageVersion }}
- name: SourceIndexProcessBinlogPackageVersion
value: ${{ parameters.sourceIndexProcessBinlogPackageVersion }}
- name: SourceIndexPackageSource - name: SourceIndexPackageSource
value: ${{ parameters.sourceIndexPackageSource }} value: ${{ parameters.sourceIndexPackageSource }}
- name: BinlogPath - name: BinlogPath
value: ${{ parameters.binlogPath }} value: ${{ parameters.binlogPath }}
- ${{ if and(eq(parameters.runAsPublic, 'false'), ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest')) }}:
- group: source-dot-net stage1 variables
pool: ${{ parameters.pool }} pool: ${{ parameters.pool }}
steps: steps:
@ -40,8 +41,8 @@ jobs:
workingDirectory: $(Agent.TempDirectory) workingDirectory: $(Agent.TempDirectory)
- script: | - script: |
$(Agent.TempDirectory)/dotnet/dotnet tool install BinLogToSln --version $(SourceIndexPackageVersion) --add-source $(SourceIndexPackageSource) --tool-path $(Agent.TempDirectory)/.source-index/tools $(Agent.TempDirectory)/dotnet/dotnet tool install BinLogToSln --version $(sourceIndexProcessBinlogPackageVersion) --add-source $(SourceIndexPackageSource) --tool-path $(Agent.TempDirectory)/.source-index/tools
$(Agent.TempDirectory)/dotnet/dotnet tool install UploadIndexStage1 --version $(SourceIndexPackageVersion) --add-source $(SourceIndexPackageSource) --tool-path $(Agent.TempDirectory)/.source-index/tools $(Agent.TempDirectory)/dotnet/dotnet tool install UploadIndexStage1 --version $(sourceIndexUploadPackageVersion) --add-source $(SourceIndexPackageSource) --tool-path $(Agent.TempDirectory)/.source-index/tools
displayName: Download Tools displayName: Download Tools
# Set working directory to temp directory so 'dotnet' doesn't try to use global.json and use the repo's sdk. # Set working directory to temp directory so 'dotnet' doesn't try to use global.json and use the repo's sdk.
workingDirectory: $(Agent.TempDirectory) workingDirectory: $(Agent.TempDirectory)
@ -53,7 +54,21 @@ jobs:
displayName: Process Binlog into indexable sln displayName: Process Binlog into indexable sln
- ${{ if and(eq(parameters.runAsPublic, 'false'), ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest')) }}: - ${{ if and(eq(parameters.runAsPublic, 'false'), ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest')) }}:
- script: $(Agent.TempDirectory)/.source-index/tools/UploadIndexStage1 -i .source-index/stage1output -n $(Build.Repository.Name) - task: AzureCLI@2
displayName: Get stage 1 auth token
inputs:
azureSubscription: 'SourceDotNet Stage1 Publish'
addSpnToEnvironment: true
scriptType: 'ps'
scriptLocation: 'inlineScript'
inlineScript: |
echo "##vso[task.setvariable variable=ARM_CLIENT_ID;issecret=true]$env:servicePrincipalId"
echo "##vso[task.setvariable variable=ARM_ID_TOKEN;issecret=true]$env:idToken"
echo "##vso[task.setvariable variable=ARM_TENANT_ID;issecret=true]$env:tenantId"
- script: |
az login --service-principal -u $(ARM_CLIENT_ID) --tenant $(ARM_TENANT_ID) --allow-no-subscriptions --federated-token $(ARM_ID_TOKEN)
displayName: "Login to Azure"
- script: $(Agent.TempDirectory)/.source-index/tools/UploadIndexStage1 -i .source-index/stage1output -n $(Build.Repository.Name) -s netsourceindexstage1 -b stage1
displayName: Upload stage1 artifacts to source index displayName: Upload stage1 artifacts to source index
env:
BLOB_CONTAINER_URL: $(source-dot-net-stage1-blob-container-url)
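Review bot: The new `Login to Azure` step expands `$(ARM_ID_TOKEN)` directly into the `az login` command line, so the federated token sits in the process arguments on the agent and is protected only by log masking. Map the three values through the step's `env:` block (for example `ARM_ID_TOKEN: $(ARM_ID_TOKEN)`) and have the script read them from the environment instead. The job also leaves the agent's Azure CLI profile signed in after the upload; on a reused agent a final `az logout` step with `condition: always()` would bound that. The second copy of this template later in the commit has the same steps and the same two issues.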


@ -21,6 +21,12 @@ parameters:
# one job runs on 'defaultManagedPlatform'. # one job runs on 'defaultManagedPlatform'.
platforms: [] platforms: []
# If set to true and running on a non-public project,
# Internal nuget and blob storage locations will be enabled.
# This is not enabled by default because many repositories do not need internal sources
# and do not need to have the required service connections approved in the pipeline.
enableInternalSources: false
jobs: jobs:
- ${{ if ne(parameters.allCompletedJobId, '') }}: - ${{ if ne(parameters.allCompletedJobId, '') }}:
@ -38,9 +44,11 @@ jobs:
parameters: parameters:
jobNamePrefix: ${{ parameters.jobNamePrefix }} jobNamePrefix: ${{ parameters.jobNamePrefix }}
platform: ${{ platform }} platform: ${{ platform }}
enableInternalSources: ${{ parameters.enableInternalSources }}
- ${{ if eq(length(parameters.platforms), 0) }}: - ${{ if eq(length(parameters.platforms), 0) }}:
- template: /eng/common/templates-official/job/source-build.yml - template: /eng/common/templates-official/job/source-build.yml
parameters: parameters:
jobNamePrefix: ${{ parameters.jobNamePrefix }} jobNamePrefix: ${{ parameters.jobNamePrefix }}
platform: ${{ parameters.defaultManagedPlatform }} platform: ${{ parameters.defaultManagedPlatform }}
enableInternalSources: ${{ parameters.enableInternalSources }}


@ -2,7 +2,6 @@ variables:
- group: AzureDevOps-Artifact-Feeds-Pats - group: AzureDevOps-Artifact-Feeds-Pats
- group: DotNet-Blob-Feed - group: DotNet-Blob-Feed
- group: DotNet-DotNetCli-Storage - group: DotNet-DotNetCli-Storage
- group: DotNet-MSRC-Storage
- group: Publish-Build-Assets - group: Publish-Build-Assets
# Whether the build is internal or not # Whether the build is internal or not


@ -0,0 +1,28 @@
# Obtains internal runtime download credentials and populates the 'dotnetbuilds-internal-container-read-token-base64'
# variable with the base64-encoded SAS token, by default
parameters:
- name: federatedServiceConnection
type: string
default: 'dotnetbuilds-internal-read'
- name: outputVariableName
type: string
default: 'dotnetbuilds-internal-container-read-token-base64'
- name: expiryInHours
type: number
default: 1
- name: base64Encode
type: boolean
default: true
steps:
- ${{ if ne(variables['System.TeamProject'], 'public') }}:
- template: /eng/common/templates-official/steps/get-delegation-sas.yml
parameters:
federatedServiceConnection: ${{ parameters.federatedServiceConnection }}
outputVariableName: ${{ parameters.outputVariableName }}
expiryInHours: ${{ parameters.expiryInHours }}
base64Encode: ${{ parameters.base64Encode }}
storageAccount: dotnetbuilds
container: internal
permissions: rl


@ -0,0 +1,43 @@
parameters:
- name: federatedServiceConnection
type: string
- name: outputVariableName
type: string
- name: expiryInHours
type: number
default: 1
- name: base64Encode
type: boolean
default: false
- name: storageAccount
type: string
- name: container
type: string
- name: permissions
type: string
default: 'rl'
steps:
- task: AzureCLI@2
displayName: 'Generate delegation SAS Token for ${{ parameters.storageAccount }}/${{ parameters.container }}'
inputs:
azureSubscription: ${{ parameters.federatedServiceConnection }}
scriptType: 'pscore'
scriptLocation: 'inlineScript'
inlineScript: |
# Calculate the expiration of the SAS token and convert to UTC
$expiry = (Get-Date).AddHours(${{ parameters.expiryInHours }}).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$sas = az storage container generate-sas --account-name ${{ parameters.storageAccount }} --name ${{ parameters.container }} --permissions ${{ parameters.permissions }} --expiry $expiry --auth-mode login --as-user -o tsv
if ($LASTEXITCODE -ne 0) {
Write-Error "Failed to generate SAS token."
exit 1
}
if ('${{ parameters.base64Encode }}' -eq 'true') {
$sas = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($sas))
}
Write-Host "Setting '${{ parameters.outputVariableName }}' with the access token value"
Write-Host "##vso[task.setvariable variable=${{ parameters.outputVariableName }};issecret=true]$sas"
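Review bot: When `base64Encode` is true only the base64 form of the SAS is registered as a secret, because `$sas` is overwritten before the `task.setvariable` line. The raw token, which consumers presumably decode and attach to the blob URL, is never registered and would appear unmasked if a later step logs it. Register the raw value first with `Write-Host "##vso[task.setsecret]$sas"` right after the `$LASTEXITCODE` check. The script also accepts a zero exit code with empty output as success, so an `if ([string]::IsNullOrWhiteSpace($sas))` test belongs in the same failure branch. The second copy of this template later in the commit needs the same change.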


@ -0,0 +1,28 @@
parameters:
- name: federatedServiceConnection
type: string
- name: outputVariableName
type: string
# Resource to get a token for. Common values include:
# - '499b84ac-1321-427f-aa17-267ca6975798' for Azure DevOps
# - 'https://storage.azure.com/' for storage
# Defaults to Azure DevOps
- name: resource
type: string
default: '499b84ac-1321-427f-aa17-267ca6975798'
steps:
- task: AzureCLI@2
displayName: 'Getting federated access token for feeds'
inputs:
azureSubscription: ${{ parameters.federatedServiceConnection }}
scriptType: 'pscore'
scriptLocation: 'inlineScript'
inlineScript: |
$accessToken = az account get-access-token --query accessToken --resource ${{ parameters.resource }} --output tsv
if ($LASTEXITCODE -ne 0) {
Write-Error "Failed to get access token for resource '${{ parameters.resource }}'"
exit 1
}
Write-Host "Setting '${{ parameters.outputVariableName }}' with the access token value"
Write-Host "##vso[task.setvariable variable=${{ parameters.outputVariableName }};issecret=true]$accessToken"
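Review bot: The `displayName` is fixed to 'Getting federated access token for feeds' although `resource` is a parameter and the comment above it lists storage as a common value, so the log label is misleading for any non-feed resource. `displayName: 'Getting federated access token for ${{ parameters.resource }}'` would match what the step does. As in the SAS template, an empty `$accessToken` with a zero exit code is published as the secret without complaint; a `[string]::IsNullOrWhiteSpace($accessToken)` check next to the `$LASTEXITCODE` test would catch it. The second copy of this template later in the commit is identical.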


@ -31,6 +31,12 @@ parameters:
# container and pool. # container and pool.
platform: {} platform: {}
# If set to true and running on a non-public project,
# Internal blob storage locations will be enabled.
# This is not enabled by default because many repositories do not need internal sources
# and do not need to have the required service connections approved in the pipeline.
enableInternalSources: false
jobs: jobs:
- job: ${{ parameters.jobNamePrefix }}_${{ parameters.platform.name }} - job: ${{ parameters.jobNamePrefix }}_${{ parameters.platform.name }}
displayName: Source-Build (${{ parameters.platform.name }}) displayName: Source-Build (${{ parameters.platform.name }})
@ -58,6 +64,8 @@ jobs:
clean: all clean: all
steps: steps:
- ${{ if eq(parameters.enableInternalSources, true) }}:
- template: /eng/common/templates/steps/enable-internal-runtimes.yml
- template: /eng/common/templates/steps/source-build.yml - template: /eng/common/templates/steps/source-build.yml
parameters: parameters:
platform: ${{ parameters.platform }} platform: ${{ parameters.platform }}


@ -1,6 +1,7 @@
parameters: parameters:
runAsPublic: false runAsPublic: false
sourceIndexPackageVersion: 1.0.1-20240320.1 sourceIndexUploadPackageVersion: 2.0.0-20240502.12
sourceIndexProcessBinlogPackageVersion: 1.0.1-20240129.2
sourceIndexPackageSource: https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-tools/nuget/v3/index.json sourceIndexPackageSource: https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-tools/nuget/v3/index.json
sourceIndexBuildCommand: powershell -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "eng/common/build.ps1 -restore -build -binarylog -ci" sourceIndexBuildCommand: powershell -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "eng/common/build.ps1 -restore -build -binarylog -ci"
preSteps: [] preSteps: []
@ -15,14 +16,14 @@ jobs:
dependsOn: ${{ parameters.dependsOn }} dependsOn: ${{ parameters.dependsOn }}
condition: ${{ parameters.condition }} condition: ${{ parameters.condition }}
variables: variables:
- name: SourceIndexPackageVersion - name: SourceIndexUploadPackageVersion
value: ${{ parameters.sourceIndexPackageVersion }} value: ${{ parameters.sourceIndexUploadPackageVersion }}
- name: SourceIndexProcessBinlogPackageVersion
value: ${{ parameters.sourceIndexProcessBinlogPackageVersion }}
- name: SourceIndexPackageSource - name: SourceIndexPackageSource
value: ${{ parameters.sourceIndexPackageSource }} value: ${{ parameters.sourceIndexPackageSource }}
- name: BinlogPath - name: BinlogPath
value: ${{ parameters.binlogPath }} value: ${{ parameters.binlogPath }}
- ${{ if and(eq(parameters.runAsPublic, 'false'), ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest')) }}:
- group: source-dot-net stage1 variables
pool: ${{ parameters.pool }} pool: ${{ parameters.pool }}
steps: steps:
@ -38,8 +39,8 @@ jobs:
workingDirectory: $(Agent.TempDirectory) workingDirectory: $(Agent.TempDirectory)
- script: | - script: |
$(Agent.TempDirectory)/dotnet/dotnet tool install BinLogToSln --version $(SourceIndexPackageVersion) --add-source $(SourceIndexPackageSource) --tool-path $(Agent.TempDirectory)/.source-index/tools $(Agent.TempDirectory)/dotnet/dotnet tool install BinLogToSln --version $(sourceIndexProcessBinlogPackageVersion) --add-source $(SourceIndexPackageSource) --tool-path $(Agent.TempDirectory)/.source-index/tools
$(Agent.TempDirectory)/dotnet/dotnet tool install UploadIndexStage1 --version $(SourceIndexPackageVersion) --add-source $(SourceIndexPackageSource) --tool-path $(Agent.TempDirectory)/.source-index/tools $(Agent.TempDirectory)/dotnet/dotnet tool install UploadIndexStage1 --version $(sourceIndexUploadPackageVersion) --add-source $(SourceIndexPackageSource) --tool-path $(Agent.TempDirectory)/.source-index/tools
displayName: Download Tools displayName: Download Tools
# Set working directory to temp directory so 'dotnet' doesn't try to use global.json and use the repo's sdk. # Set working directory to temp directory so 'dotnet' doesn't try to use global.json and use the repo's sdk.
workingDirectory: $(Agent.TempDirectory) workingDirectory: $(Agent.TempDirectory)
@ -51,7 +52,21 @@ jobs:
displayName: Process Binlog into indexable sln displayName: Process Binlog into indexable sln
- ${{ if and(eq(parameters.runAsPublic, 'false'), ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest')) }}: - ${{ if and(eq(parameters.runAsPublic, 'false'), ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest')) }}:
- script: $(Agent.TempDirectory)/.source-index/tools/UploadIndexStage1 -i .source-index/stage1output -n $(Build.Repository.Name) - task: AzureCLI@2
displayName: Get stage 1 auth token
inputs:
azureSubscription: 'SourceDotNet Stage1 Publish'
addSpnToEnvironment: true
scriptType: 'ps'
scriptLocation: 'inlineScript'
inlineScript: |
echo "##vso[task.setvariable variable=ARM_CLIENT_ID;issecret=true]$env:servicePrincipalId"
echo "##vso[task.setvariable variable=ARM_ID_TOKEN;issecret=true]$env:idToken"
echo "##vso[task.setvariable variable=ARM_TENANT_ID;issecret=true]$env:tenantId"
- script: |
az login --service-principal -u $(ARM_CLIENT_ID) --tenant $(ARM_TENANT_ID) --allow-no-subscriptions --federated-token $(ARM_ID_TOKEN)
displayName: "Login to Azure"
- script: $(Agent.TempDirectory)/.source-index/tools/UploadIndexStage1 -i .source-index/stage1output -n $(Build.Repository.Name) -s netsourceindexstage1 -b stage1
displayName: Upload stage1 artifacts to source index displayName: Upload stage1 artifacts to source index
env:
BLOB_CONTAINER_URL: $(source-dot-net-stage1-blob-container-url)


@ -21,6 +21,12 @@ parameters:
# one job runs on 'defaultManagedPlatform'. # one job runs on 'defaultManagedPlatform'.
platforms: [] platforms: []
# If set to true and running on a non-public project,
# Internal nuget and blob storage locations will be enabled.
# This is not enabled by default because many repositories do not need internal sources
# and do not need to have the required service connections approved in the pipeline.
enableInternalSources: false
jobs: jobs:
- ${{ if ne(parameters.allCompletedJobId, '') }}: - ${{ if ne(parameters.allCompletedJobId, '') }}:
@ -38,9 +44,11 @@ jobs:
parameters: parameters:
jobNamePrefix: ${{ parameters.jobNamePrefix }} jobNamePrefix: ${{ parameters.jobNamePrefix }}
platform: ${{ platform }} platform: ${{ platform }}
enableInternalSources: ${{ parameters.enableInternalSources }}
- ${{ if eq(length(parameters.platforms), 0) }}: - ${{ if eq(length(parameters.platforms), 0) }}:
- template: /eng/common/templates/job/source-build.yml - template: /eng/common/templates/job/source-build.yml
parameters: parameters:
jobNamePrefix: ${{ parameters.jobNamePrefix }} jobNamePrefix: ${{ parameters.jobNamePrefix }}
platform: ${{ parameters.defaultManagedPlatform }} platform: ${{ parameters.defaultManagedPlatform }}
enableInternalSources: ${{ parameters.enableInternalSources }}


@ -2,7 +2,6 @@ variables:
- group: AzureDevOps-Artifact-Feeds-Pats - group: AzureDevOps-Artifact-Feeds-Pats
- group: DotNet-Blob-Feed - group: DotNet-Blob-Feed
- group: DotNet-DotNetCli-Storage - group: DotNet-DotNetCli-Storage
- group: DotNet-MSRC-Storage
- group: Publish-Build-Assets - group: Publish-Build-Assets
# Whether the build is internal or not # Whether the build is internal or not


@ -0,0 +1,28 @@
# Obtains internal runtime download credentials and populates the 'dotnetbuilds-internal-container-read-token-base64'
# variable with the base64-encoded SAS token, by default
parameters:
- name: federatedServiceConnection
type: string
default: 'dotnetbuilds-internal-read'
- name: outputVariableName
type: string
default: 'dotnetbuilds-internal-container-read-token-base64'
- name: expiryInHours
type: number
default: 1
- name: base64Encode
type: boolean
default: true
steps:
- ${{ if ne(variables['System.TeamProject'], 'public') }}:
- template: /eng/common/templates/steps/get-delegation-sas.yml
parameters:
federatedServiceConnection: ${{ parameters.federatedServiceConnection }}
outputVariableName: ${{ parameters.outputVariableName }}
expiryInHours: ${{ parameters.expiryInHours }}
base64Encode: ${{ parameters.base64Encode }}
storageAccount: dotnetbuilds
container: internal
permissions: rl


@ -0,0 +1,43 @@
parameters:
- name: federatedServiceConnection
type: string
- name: outputVariableName
type: string
- name: expiryInHours
type: number
default: 1
- name: base64Encode
type: boolean
default: false
- name: storageAccount
type: string
- name: container
type: string
- name: permissions
type: string
default: 'rl'
steps:
- task: AzureCLI@2
displayName: 'Generate delegation SAS Token for ${{ parameters.storageAccount }}/${{ parameters.container }}'
inputs:
azureSubscription: ${{ parameters.federatedServiceConnection }}
scriptType: 'pscore'
scriptLocation: 'inlineScript'
inlineScript: |
# Calculate the expiration of the SAS token and convert to UTC
$expiry = (Get-Date).AddHours(${{ parameters.expiryInHours }}).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$sas = az storage container generate-sas --account-name ${{ parameters.storageAccount }} --name ${{ parameters.container }} --permissions ${{ parameters.permissions }} --expiry $expiry --auth-mode login --as-user -o tsv
if ($LASTEXITCODE -ne 0) {
Write-Error "Failed to generate SAS token."
exit 1
}
if ('${{ parameters.base64Encode }}' -eq 'true') {
$sas = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($sas))
}
Write-Host "Setting '${{ parameters.outputVariableName }}' with the access token value"
Write-Host "##vso[task.setvariable variable=${{ parameters.outputVariableName }};issecret=true]$sas"


@ -0,0 +1,28 @@
parameters:
- name: federatedServiceConnection
type: string
- name: outputVariableName
type: string
# Resource to get a token for. Common values include:
# - '499b84ac-1321-427f-aa17-267ca6975798' for Azure DevOps
# - 'https://storage.azure.com/' for storage
# Defaults to Azure DevOps
- name: resource
type: string
default: '499b84ac-1321-427f-aa17-267ca6975798'
steps:
- task: AzureCLI@2
displayName: 'Getting federated access token for feeds'
inputs:
azureSubscription: ${{ parameters.federatedServiceConnection }}
scriptType: 'pscore'
scriptLocation: 'inlineScript'
inlineScript: |
$accessToken = az account get-access-token --query accessToken --resource ${{ parameters.resource }} --output tsv
if ($LASTEXITCODE -ne 0) {
Write-Error "Failed to get access token for resource '${{ parameters.resource }}'"
exit 1
}
Write-Host "Setting '${{ parameters.outputVariableName }}' with the access token value"
Write-Host "##vso[task.setvariable variable=${{ parameters.outputVariableName }};issecret=true]$accessToken"


@ -11,7 +11,7 @@
"cmake": "3.16.4" "cmake": "3.16.4"
}, },
"msbuild-sdks": { "msbuild-sdks": {
"Microsoft.DotNet.Arcade.Sdk": "6.0.0-beta.24266.4", "Microsoft.DotNet.Arcade.Sdk": "6.0.0-beta.24326.2",
"Microsoft.DotNet.CMake.Sdk": "6.0.0-beta.24266.4" "Microsoft.DotNet.CMake.Sdk": "6.0.0-beta.24326.2"
} }
} }