Scan the VMR for binaries and cloaked files (#15299)

2023-01-19 15:41:51 +01:00 · 2023-01-19 15:41:51 +01:00 · 49a3f70c29
commit 49a3f70c29
parent f71904833c
5 changed files with 54 additions and 6 deletions
--- a/src/SourceBuild/content/eng/pipelines/ci.yml
+++ b/src/SourceBuild/content/eng/pipelines/ci.yml
@ -16,6 +16,9 @@ pr:
    - internal/release/*

 stages:
+- ${{ if and(ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest')) }}:
+  - template: templates/stages/vmr-scan.yml
+
 # For rolling builds we want to build the MSFT SDK first so that we can
 # compare the contents with the source-built one later.
 # This only works because we don't run this test in PRs. If we decided
--- a/src/SourceBuild/content/eng/pipelines/templates/stages/vmr-scan.yml
+++ b/src/SourceBuild/content/eng/pipelines/templates/stages/vmr-scan.yml
@ -0,0 +1,45 @@
+stages:
+- stage: VMR_Scan
+  displayName: VMR Scan
+  dependsOn: []
+  variables:
+  - template: /eng/common/templates/variables/pool-providers.yml
+  jobs:
+  - job: Scan
+    displayName: VMR Scan
+    pool:
+      ${{ if eq(variables['System.TeamProject'], 'public') }}:
+        name: $(DncEngPublicBuildPool)
+        demands: ImageOverride -equals Build.Ubuntu.2004.Amd64.Open
+      ${{ if eq(variables['System.TeamProject'], 'internal') }}:
+        name: $(DncEngInternalBuildPool)
+        demands: ImageOverride -equals Build.Ubuntu.2004.Amd64
+
+    steps:
+    - checkout: self
+
+    - script: |
+        source ./eng/common/tools.sh
+        InitializeDotNetCli true
+        dotnet='./.dotnet/dotnet'
+        "$dotnet" tool restore
+      displayName: Initialize tooling
+      workingDirectory: $(Build.SourcesDirectory)/src/installer
+
+    - script: >
+        ./.dotnet/dotnet darc vmr scan-binary-files
+        --vmr "$(Build.SourcesDirectory)"
+        --tmp "$(Agent.TempDirectory)"
+        || (echo '##[error]Found binaries in the VMR' && exit 1)
+      displayName: Scan for binaries
+      workingDirectory: $(Build.SourcesDirectory)/src/installer
+      continueOnError: true
+
+    - script: >
+        ./.dotnet/dotnet darc vmr scan-cloaked-files
+        --vmr "$(Build.SourcesDirectory)"
+        --tmp "$(Agent.TempDirectory)"
+        || (echo '##[error]Found cloaked files in the VMR' && exit 1)
+      displayName: Scan for cloaked files
+      workingDirectory: $(Build.SourcesDirectory)/src/installer
+      continueOnError: true