From cf1b55e9735de4935c764e97a95c8fb87b87ebdc Mon Sep 17 00:00:00 2001 From: Logan Bussell Date: Thu, 17 Nov 2022 14:54:43 -0800 Subject: [PATCH] [release/7.0.1xx] Add CI for security-partners-dotnet (#15007) * Add CI for dotnet-security-partners Remove nuget configs from all repo submodules Address code review Move security-partners ci to tarball/eng dir Copy out installer NuGet config before build Fix relative path for installer template Switch to 20.04 image * Add nuget-client patch to avoid nuget security scan errors * Revert "Add nuget-client patch to avoid nuget security scan errors" This reverts commit 6eca00a41813171019b24597386a9074e2faa07b. * Remove NuGet.config workaround for security-partners ci --- .../job/source-build-build-tarball.yml | 70 +++++++++++-------- .../pipelines/security-partners-dotnet.yml | 18 +++++ 2 files changed, 57 insertions(+), 31 deletions(-) create mode 100644 src/SourceBuild/tarball/content/eng/pipelines/security-partners-dotnet.yml diff --git a/src/SourceBuild/Arcade/eng/common/templates/job/source-build-build-tarball.yml b/src/SourceBuild/Arcade/eng/common/templates/job/source-build-build-tarball.yml index 9de76621f..9ae170d1c 100644 --- a/src/SourceBuild/Arcade/eng/common/templates/job/source-build-build-tarball.yml +++ b/src/SourceBuild/Arcade/eng/common/templates/job/source-build-build-tarball.yml @@ -43,7 +43,15 @@ jobs: - name: additionalBuildArgs value: --with-sdk /tarball/.dotnet - name: tarballDir - value: $(Build.StagingDirectory)/tarball + ${{ if eq(parameters.installerBuildResourceId, '') }}: + value: $(Build.SourcesDirectory) + ${{ else }}: + value: $(Build.StagingDirectory)/tarball + - name: installerSrcDir + ${{ if eq(parameters.installerBuildResourceId, '') }}: + value: $(Build.SourcesDirectory)/src/installer + ${{ else }}: + value: $(Build.SourcesDirectory) workspace: clean: all 
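Review bot: The new `tarballDir` and `installerSrcDir` variables both switch on `eq(parameters.installerBuildResourceId, '')`, but nothing in the hunk says that an empty id is a supported mode or what it selects. The parameter's declaration and default sit outside the hunk, so it is not visible whether a caller that omits the parameter lands in the empty-string branch. I would add a comment above `- name: tarballDir`, for example `# Empty installerBuildResourceId: build in place from the checked-out sources; otherwise use the tarball extracted into the staging directory`, and confirm the declared default is `''`.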
@@ -51,19 +59,28 @@ jobs: - checkout: self clean: true - - ${{ if ne(variables['System.TeamProject'], 'public') }}: - - task: Bash@3 - displayName: Setup Private Feeds Credentials - inputs: - filePath: $(Build.SourcesDirectory)/eng/common/SetupNugetSources.sh - arguments: $(Build.SourcesDirectory)/NuGet.config $Token - env: - Token: $(dn-bot-dnceng-artifact-feeds-rw) + - ${{ if ne(parameters.installerBuildResourceId, '') }}: + - download: ${{ parameters.installerBuildResourceId }} + artifact: BlobArtifacts + patterns: '**/dotnet-sdk-source*.tar.gz' + displayName: Download Source Tarball - - download: ${{ parameters.installerBuildResourceId }} - artifact: BlobArtifacts - patterns: '**/dotnet-sdk-source*.tar.gz' - displayName: Download Source Tarball + - script: | + set -x + + resourceIdPathSegment= + if [[ '${{ parameters.installerBuildResourceId }}' != 'current' ]]; then + resourceIdPathSegment='${{ parameters.installerBuildResourceId }}/' + fi + + mkdir -p "$(tarballDir)" + tarballFilePath="$(PIPELINE.WORKSPACE)/${resourceIdPathSegment}BlobArtifacts/dotnet-sdk-source*.tar.gz" + eval tar -ozxf "$tarballFilePath" -C "$(tarballDir)" + eval rm -f "$tarballFilePath" + displayName: Extract Tarball + + - script: cp $(installerSrcDir)/NuGet.config $(tarballDir)/test/Microsoft.DotNet.SourceBuild.SmokeTests/assets/online.NuGet.Config + displayName: Copy Test NuGet Config - ${{ if ne(parameters.excludeSdkContentTests, 'true') }}: - download: ${{ parameters.installerBuildResourceId }} 
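Review bot: The Extract Tarball step moved into this hunk still runs `eval tar -ozxf "$tarballFilePath" ...` and `eval rm -f "$tarballFilePath"`, so the workspace path and `${{ parameters.installerBuildResourceId }}` are parsed by the shell a second time just to expand the glob. Letting bash expand the glob into an array avoids the re-parse: `tarballs=( "$(PIPELINE.WORKSPACE)/${resourceIdPathSegment}BlobArtifacts/"dotnet-sdk-source*.tar.gz )`, then `tar -ozxf "${tarballs[0]}" -C "$(tarballDir)"` and `rm -f "${tarballs[@]}"`. Indentation is lost in this view, so it is not clear whether the step sits under the new `ne(parameters.installerBuildResourceId, '')` guard; if it does not, it will run with nothing downloaded when the id is empty. The new `cp $(installerSrcDir)/NuGet.config ...` step would also be safer with both paths quoted.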
@@ -84,20 +101,6 @@ jobs: Contents: '*.tar.gz' TargetFolder: $(tarballDir)/packages/archive/ - - script: | - set -x - - resourceIdPathSegment= - if [[ '${{ parameters.installerBuildResourceId }}' != 'current' ]]; then - resourceIdPathSegment='${{ parameters.installerBuildResourceId }}/' - fi - - mkdir -p "$(tarballDir)" - tarballFilePath="$(PIPELINE.WORKSPACE)/${resourceIdPathSegment}BlobArtifacts/dotnet-sdk-source*.tar.gz" - eval tar -ozxf "$tarballFilePath" -C "$(tarballDir)" - eval rm -f "$tarballFilePath" - displayName: Extract Tarball - - script: | set -x @@ -135,13 +138,18 @@ jobs: docker run --rm -v $(tarballDir):/tarball -w /tarball ${networkArgs} $(_Container) ./build.sh --clean-while-building ${customBuildArgs} $(additionalBuildArgs) displayName: Build Tarball + - ${{ if ne(variables['System.TeamProject'], 'public') }}: + - task: Bash@3 + displayName: Setup Private Feeds Credentials + inputs: + filePath: $(installerSrcDir)/eng/common/SetupNugetSources.sh + arguments: $(tarballDir)/test/Microsoft.DotNet.SourceBuild.SmokeTests/assets/online.NuGet.Config $Token + env: + Token: $(dn-bot-dnceng-artifact-feeds-rw) + - script: | set -x - # Use installer repo's NuGet.config during online testing to utilize internal feeds - rm -f $(tarballDir)/test/Microsoft.DotNet.SourceBuild.SmokeTests/assets/online.NuGet.Config - cp $(Build.SourcesDirectory)/NuGet.config $(tarballDir)/test/Microsoft.DotNet.SourceBuild.SmokeTests/assets/online.NuGet.Config - dockerVolumeArgs="-v $(tarballDir):/tarball" dockerEnvArgs="-e SMOKE_TESTS_EXCLUDE_OMNISHARP=$(_ExcludeOmniSharpTests) -e SMOKE_TESTS_WARN_SDK_CONTENT_DIFFS=true" poisonArg='' diff --git a/src/SourceBuild/tarball/content/eng/pipelines/security-partners-dotnet.yml b/src/SourceBuild/tarball/content/eng/pipelines/security-partners-dotnet.yml new file mode 100644 index 000000000..69bef21e9 --- /dev/null +++ b/src/SourceBuild/tarball/content/eng/pipelines/security-partners-dotnet.yml 
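Review bot: In the `@@ -135,13 +138,18 @@` hunk, the relocated Setup Private Feeds Credentials task now targets `$(tarballDir)/test/Microsoft.DotNet.SourceBuild.SmokeTests/assets/online.NuGet.Config`, a path that is bind-mounted into the container by `-v $(tarballDir):/tarball` and, when `installerBuildResourceId` is empty, lies inside the source checkout. Assuming SetupNugetSources.sh stores the `dn-bot-dnceng-artifact-feeds-rw` token in that file, as its arguments suggest, the credential stays on disk for every later step and is written even on legs with `_RunOnline: false`. Running the task after Build Tarball is a good change; I would additionally gate it with `condition: and(succeeded(), eq(variables['_RunOnline'], 'true'))`, if offline smoke tests do not read that config, and remove the file in a final step with `condition: always()`. The smoke-test script continues past the end of the hunk, so it is worth checking that nothing under `$(tarballDir)/test` is published as an artifact.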
@@ -0,0 +1,18 @@
+trigger: none
+
+jobs:
+- template: ../../src/installer/src/SourceBuild/Arcade/eng/common/templates/job/source-build-build-tarball.yml
+ parameters:
+ architecture: x64
+ excludeSdkContentTests: true
+ matrix:
+ Ubuntu2004-Offline:
+ _BootstrapPrep: false
+ _Container: mcr.microsoft.com/dotnet-buildtools/prereqs:ubuntu-20.04-20220813234344-4c008dd
+ _EnablePoison: false
+ _ExcludeOmniSharpTests: false
+ _RunOnline: false
+ name: Build_Tarball_x64
+ pool:
+ name: NetCore1ESPool-Svc-Internal
+ demands: ImageOverride -equals Build.Ubuntu.1804.Amd64
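Review bot: `_Container` is pinned only by tag (`prereqs:ubuntu-20.04-20220813234344-4c008dd`), so the image this pipeline builds in can change without any change to this file; appending the digest, `...-4c008dd@sha256:<digest>` (placeholder), would fix the build environment to a known image. The pool demand asks for `Build.Ubuntu.1804.Amd64` while the matrix leg and container are Ubuntu 20.04; if an 18.04 host under a 20.04 container is intended, a one-line comment such as `# host image; the build itself runs in the 20.04 container` would stop it being read as a leftover. The template path `../../src/installer/...` also assumes a particular checkout layout in the consuming repository, which is worth stating in a header comment.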