clean up build files

build/pipeline-releasebuild.yaml

@@ -30,7 +30,7 @@ steps:
 - template: template-prebuild-code-analysis.yaml
 
 # Bootstrap the build
-- template: template-bootstrap-build.yaml
+- template: template-install-dependencies.yaml
 
 # Nuget Restore and Build Microsoft.Identity.Web.sln
 - template: template-restore-build-MSIdentityWeb.yaml
@@ -46,7 +46,4 @@ steps:
 - template: template-pack-and-sign-all-nugets.yaml
 
 # Publish nuget packages and symbols to VSTS package manager.
-- template: template-publish-packages-and-symbols.yaml
-
-# Publish analysis and cleanup
-- template: template-publish-analysis-and-cleanup.yaml
+- template: template-publish-and-cleanup.yaml

build/template-install-keyvault-secrets.yaml → build/template-install-dependencies.yaml

@@ -1,7 +1,30 @@
-# template-install-keyvault-secrets.yaml
-# Install all secrets needed from KeyVault onto the build machine.
+#template-install-dependencies.yaml
+
+#install dotnet core
 
 steps:
+- task: UseDotNet@2
+  displayName: 'Use .Net Core SDK 3.1'
+  inputs:
+    version: 3.1.x   
+
+- task: UseDotNet@2
+  displayName: 'Use .Net Core SDK 6'
+  inputs:
+    version: 6.0.x   
+
+- task: UseDotNet@2
+  displayName: 'Use .Net Core SDK 7'
+  inputs:
+    version: 7.0.x   
+
+# Run Nuget Tool Installer
+
+- task: NuGetToolInstaller@1
+  displayName: 'Install NuGet latest version'
+
+# Install all secrets needed from KeyVault onto the build machine.
+
 - task: AzureKeyVault@1
   displayName: 'Azure Key Vault: buildautomation'
   inputs:

build/template-pack-and-sign-all-nugets.yaml

@@ -3,9 +3,17 @@
 
 parameters:
   BuildConfiguration: 'release'
+  NugetPackagesWildcard: '$(Build.ArtifactStagingDirectory)\packages\*.nupkg'
+
 
 steps:
 
+# The signing task requires dotnet core 2.x
+- task: UseDotNet@2
+  displayName: 'Use .Net Core sdk 2.x'
+  inputs:
+    version: 2.x
+
 # Pack and sign Microsoft.Identity.Web
 - template: template-pack-and-sign-nuget.yaml
   parameters:
@@ -142,3 +150,10 @@ steps:
     SessionTimeout: 20
     VerboseLogin: true
   timeoutInMinutes: 5
+
+- task: NuGetCommand@2
+  displayName: 'Verify packages are signed'
+  inputs:
+    command: custom
+    arguments: 'verify -Signature ${{ parameters.NugetPackagesWildcard }}'
+  continueOnError: true

build/template-pack-and-sign-nuget.yaml

@@ -1,18 +1,87 @@
 
 parameters:
   BuildConfiguration: 'release'
+  HasRefAssembly: 'false'
+  NoBuild: 'true'
   ProjectRootPath: ''
   AssemblyName: ''
-  HasRefAssembly: 'false'
 
 steps:
-- template: template-sign-binary.yaml
-  parameters:
-    FolderPath: '${{ parameters.ProjectRootPath }}'
+# Signs a binary via ESRP
+- task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
+  displayName: '**\bin\**\**\${{ parameters.AssemblyName }}.dll'
+  inputs:
+    ConnectedServiceName: 'IDDP Code Signing'
+    FolderPath: ${{ parameters.ProjectRootPath }}
     Pattern: '**\bin\**\**\${{ parameters.AssemblyName }}.dll'
+    UseMinimatch: true
+    signConfigType: inlineSignParams
+    inlineOperation: |
+     [
+       {
+         "keyCode": "CP-230012",
+         "operationSetCode": "SigntoolSign",
+         "parameters": [
+         {
+           "parameterName": "OpusName",
+           "parameterValue": "Microsoft.Identity.Web"
+         },
+         {
+           "parameterName": "OpusInfo",
+           "parameterValue": "http://test"
+         },
+         {
+           "parameterName": "PageHash",
+           "parameterValue": "/NPH"
+         },
+         {
+           "parameterName": "FileDigest",
+           "parameterValue": "/fd sha256"
+         },
+         {
+           "parameterName": "TimeStamp",
+           "parameterValue": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256"
+         }
+         ],
+         "toolName": "signtool.exe",
+         "toolVersion": "6.2.9304.0"
+       },
+       {
+         "keyCode": "CP-230012",
+         "operationSetCode": "SigntoolVerify",
+         "parameters": [ ],
+         "toolName": "signtool.exe",
+         "toolVersion": "6.2.9304.0"
+       }
+     ]
+    SessionTimeout: 20
+    VerboseLogin: true
+  timeoutInMinutes: 10
+
+- task: securedevelopmentteam.vss-secure-development-tools.build-task-binskim.BinSkim@4
+  displayName: '**\bin\**\**\${{ parameters.AssemblyName }}.dll'
+  inputs:
+    InputType: Basic
+    AnalyzeTargetGlob: '**\bin\**\**\${{ parameters.AssemblyName }}.dll'
+    AnalyzeVerbose: true
+    AnalyzeHashes: true
+    toolVersion: Exact
+    exactToolVersion: '4.0.0-rc2'
+
+- task: securedevelopmentteam.vss-secure-development-tools.build-task-postanalysis.PostAnalysis@2
+  displayName: 'Check BinSkim Results'
+  inputs:
+    GdnBreakGdnToolBinSkim: true
 
-- template: template-nuget-pack.yaml
-  parameters:
-    NoBuild: 'true'
-    BuildConfiguration: ${{ parameters.BuildConfiguration }}
-    ProjectPath: '${{ parameters.ProjectRootPath }}\${{ parameters.AssemblyName }}.csproj'
+# Pack a nuget
+- task: DotNetCoreCLI@2
+  displayName: 'Pack ${{ parameters.ProjectRootPath }}\${{ parameters.AssemblyName }}.csproj'
+  inputs:
+    command: pack
+    projects: '${{ parameters.ProjectRootPath }}\${{ parameters.AssemblyName }}.csproj'
+    nobuild: '${{parameters.NoBuild}}'
+    packagesToPack: '${{ parameters.ProjectRootPath }}\${{ parameters.AssemblyName }}.csproj'
+    IncludeSymbols: true
+    verbosityPack: normal
+    packDirectory:
+    arguments: '--configuration ${{ parameters.BuildConfiguration }}'

build/template-prebuild-code-analysis.yaml

@@ -22,4 +22,4 @@ steps:
   displayName: 'Post Analysis'
   inputs:
     CredScan: true
-    PoliCheck: true
+    PoliCheck: true

build/template-publish-packages-and-symbols.yaml → build/template-publish-and-cleanup.yaml

@@ -1,5 +1,6 @@
 # template-publish-packages-and-symbols.yaml
 # Publishes all nuget packages and symbols to appropriate destinations.
+# Publish any security analysis logs (e.g. TSA) and perform post-build cleanup
 
 parameters:
   NugetPackagesWildcard: '$(Build.ArtifactStagingDirectory)\packages\*.nupkg'
@@ -8,12 +9,6 @@ parameters:
   DropArtifactName: 'packages'
 
 steps:
-- task: NuGetCommand@2
-  displayName: 'Verify packages are signed'
-  inputs:
-    command: custom
-    arguments: 'verify -Signature ${{ parameters.NugetPackagesWildcard }}'
-  continueOnError: true
 
 - task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0
   displayName: 'Generation Task'
@@ -43,3 +38,16 @@ steps:
     IndexSources: false
     SymbolServerType: TeamServices
   condition: eq(variables['PublishSymbols'], 'true')
+
+- task: securedevelopmentteam.vss-secure-development-tools.build-task-publishsecurityanalysislogs.PublishSecurityAnalysisLogs@3
+  displayName: 'Publish Security Analysis Logs'
+
+- task: securedevelopmentteam.vss-secure-development-tools.build-task-uploadtotsa.TSAUpload@2
+  displayName: 'TSA upload to Codebase: Microsoft Identity Web .NET Stamp: Azure'
+  inputs:
+    GdnPublishTsaOnboard: false 
+    GdnPublishTsaConfigFile: '$(Build.SourcesDirectory)/build/tsaConfig.json'
+  continueOnError: true
+
+- task: mspremier.PostBuildCleanup.PostBuildCleanup-task.PostBuildCleanup@3
+  displayName: 'Clean Agent Directories'

tests/DevApps/WebAppCallsWebApiCallsGraph/Client/TodoListClient.csproj

@@ -21,9 +21,9 @@
   </ItemGroup>
 
   <ItemGroup>
-    <PackageReference Include="Google.Protobuf" Version="3.21.6" />
-    <PackageReference Include="Grpc.Net.Client" Version="2.42.0" />
-    <PackageReference Include="Grpc.Tools" Version="2.44.0">
+    <PackageReference Include="Google.Protobuf" Version="3.23.4" />
+    <PackageReference Include="Grpc.Net.Client" Version="2.55.0" />
+    <PackageReference Include="Grpc.Tools" Version="2.56.0">
       <PrivateAssets>all</PrivateAssets>
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
     </PackageReference>