From 6746e66aa8ce98bca80481edcdfc33d1dbf611b1 Mon Sep 17 00:00:00 2001 From: Westin Musser Date: Fri, 16 Jun 2023 11:57:06 -0700 Subject: [PATCH] clean up build files --- build/pipeline-releasebuild.yaml | 7 +- build/template-bootstrap-build.yaml | 13 --- ...aml => template-install-dependencies.yaml} | 27 +++++- build/template-install-dotnet-core.yaml | 18 ---- build/template-install-nuget.yaml | 6 -- build/template-nuget-pack.yaml | 18 ---- build/template-pack-and-sign-all-nugets.yaml | 15 ++++ build/template-pack-and-sign-nuget.yaml | 87 +++++++++++++++++-- build/template-prebuild-code-analysis.yaml | 2 +- ...template-publish-analysis-and-cleanup.yaml | 17 ---- ...yaml => template-publish-and-cleanup.yaml} | 20 +++-- build/template-sign-binary.yaml | 78 ----------------- .../Client/TodoListClient.csproj | 6 +- .../gRPC/grpc.csproj | 6 +- 14 files changed, 141 insertions(+), 179 deletions(-) delete mode 100644 build/template-bootstrap-build.yaml rename build/{template-install-keyvault-secrets.yaml => template-install-dependencies.yaml} (70%) delete mode 100644 build/template-install-dotnet-core.yaml delete mode 100644 build/template-install-nuget.yaml delete mode 100644 build/template-nuget-pack.yaml delete mode 100644 build/template-publish-analysis-and-cleanup.yaml rename build/{template-publish-packages-and-symbols.yaml => template-publish-and-cleanup.yaml} (67%) delete mode 100644 build/template-sign-binary.yaml diff --git a/build/pipeline-releasebuild.yaml b/build/pipeline-releasebuild.yaml index 6edfeb293..c6a1ff6c9 100644 --- a/build/pipeline-releasebuild.yaml +++ b/build/pipeline-releasebuild.yaml @@ -30,7 +30,7 @@ steps: - template: template-prebuild-code-analysis.yaml # Bootstrap the build -- template: template-bootstrap-build.yaml +- template: template-install-dependencies.yaml # Nuget Restore and Build Microsoft.Identity.Web.sln - template: template-restore-build-MSIdentityWeb.yaml 
@@ -46,7 +46,4 @@ steps: - template: template-pack-and-sign-all-nugets.yaml # Publish nuget packages and symbols to VSTS package manager. -- template: template-publish-packages-and-symbols.yaml - -# Publish analysis and cleanup -- template: template-publish-analysis-and-cleanup.yaml +- template: template-publish-and-cleanup.yaml diff --git a/build/template-bootstrap-build.yaml b/build/template-bootstrap-build.yaml deleted file mode 100644 index 22102ae70..000000000 --- a/build/template-bootstrap-build.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# template-bootstrap-build.yaml -# Basic bootstraps for any build (nuget, dotnet, secrets) - -steps: - -# Run Dotnet Tool Installer -- template: template-install-dotnet-core.yaml - -# Run Nuget Tool Installer -- template: template-install-nuget.yaml - -# Install keyvault secrets -- template: template-install-keyvault-secrets.yaml \ No newline at end of file diff --git a/build/template-install-keyvault-secrets.yaml b/build/template-install-dependencies.yaml similarity index 70% rename from build/template-install-keyvault-secrets.yaml rename to build/template-install-dependencies.yaml index 7591c1f12..a2d77bcd8 100644 --- a/build/template-install-keyvault-secrets.yaml +++ b/build/template-install-dependencies.yaml @@ -1,7 +1,30 @@ -# template-install-keyvault-secrets.yaml -# Install all secrets needed from KeyVault onto the build machine. +#template-install-dependencies.yaml + +#install dotnet core steps: +- task: UseDotNet@2 + displayName: 'Use .Net Core SDK 3.1' + inputs: + version: 3.1.x + +- task: UseDotNet@2 + displayName: 'Use .Net Core SDK 6' + inputs: + version: 6.0.x + +- task: UseDotNet@2 + displayName: 'Use .Net Core SDK 7' + inputs: + version: 7.0.x + +# Run Nuget Tool Installer + +- task: NuGetToolInstaller@1 + displayName: 'Install NuGet latest version' + +# Install all secrets needed from KeyVault onto the build machine. + - task: AzureKeyVault@1 displayName: 'Azure Key Vault: buildautomation' inputs: 
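Review bot: The context comment above the new step still says `# Publish nuget packages and symbols to VSTS package manager.`, but template-publish-and-cleanup.yaml (see the last hunk of this patch) now also uploads the security analysis logs to TSA and wipes the agent directories, and the deleted template-publish-analysis-and-cleanup.yaml carried the caveat that it must be the last step of the build. That caveat is lost in the consolidation. Suggest rewording the comment to `# Publish nuget packages and symbols, upload security analysis logs (TSA) and clean the agent — keep this the LAST step`.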
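Review bot: The `NuGetToolInstaller@1` step carries no `versionSpec`, so, as its `'Install NuGet latest version'` display name says, a release-signing pipeline picks up whatever NuGet build happens to be current on the day it runs; for reproducibility and supply-chain hygiene pin it, e.g. `versionSpec: '<the version you validated>'` plus `checkLatest: false`. The Key Vault task's `inputs:` continue past the end of the hunk, so I cannot see whether a `SecretsFilter` limits which secrets are materialized as pipeline variables on the agent — worth confirming it is not pulling the whole vault. The `3.1.x` SDK line was carried over unchanged; if I recall correctly .NET Core 3.1 was already out of support at this commit's date, so a comment stating why it is still installed (or its removal) would help the next reader.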
diff --git a/build/template-install-dotnet-core.yaml b/build/template-install-dotnet-core.yaml deleted file mode 100644 index d9e9aaf8a..000000000 --- a/build/template-install-dotnet-core.yaml +++ /dev/null @@ -1,18 +0,0 @@ -# template-install-dotnet-core.yaml -# install the version of dotnet core we need on the machine - -steps: -- task: UseDotNet@2 - displayName: 'Use .Net Core SDK 3.1' - inputs: - version: 3.1.x - -- task: UseDotNet@2 - displayName: 'Use .Net Core SDK 6' - inputs: - version: 6.0.x - -- task: UseDotNet@2 - displayName: 'Use .Net Core SDK 7' - inputs: - version: 7.0.x \ No newline at end of file diff --git a/build/template-install-nuget.yaml b/build/template-install-nuget.yaml deleted file mode 100644 index fc3fb70e8..000000000 --- a/build/template-install-nuget.yaml +++ /dev/null @@ -1,6 +0,0 @@ -# template-install-nuget.yaml -# Run Nuget Tool Installer - -steps: -- task: NuGetToolInstaller@1 - displayName: 'Install NuGet latest version' diff --git a/build/template-nuget-pack.yaml b/build/template-nuget-pack.yaml deleted file mode 100644 index 4cc3aea8f..000000000 --- a/build/template-nuget-pack.yaml +++ /dev/null @@ -1,18 +0,0 @@ - -parameters: - BuildConfiguration: 'release' - ProjectPath: '' - NoBuild: 'true' - -steps: -- task: DotNetCoreCLI@2 - displayName: 'Pack ${{ parameters.ProjectPath }}' - inputs: - command: pack - projects: '${{ parameters.ProjectPath }}' - nobuild: '${{parameters.NoBuild}}' - packagesToPack: '${{ parameters.ProjectPath }}' - IncludeSymbols: true - verbosityPack: normal - packDirectory: - arguments: '--configuration ${{ parameters.BuildConfiguration }}' diff --git a/build/template-pack-and-sign-all-nugets.yaml b/build/template-pack-and-sign-all-nugets.yaml index 109694968..321949f4f 100644 --- a/build/template-pack-and-sign-all-nugets.yaml +++ b/build/template-pack-and-sign-all-nugets.yaml 
@@ -3,9 +3,17 @@ parameters: BuildConfiguration: 'release' + NugetPackagesWildcard: '$(Build.ArtifactStagingDirectory)\packages\*.nupkg' + steps: +# The signing task requires dotnet core 2.x +- task: UseDotNet@2 + displayName: 'Use .Net Core sdk 2.x' + inputs: + version: 2.x + # Pack and sign Microsoft.Identity.Web - template: template-pack-and-sign-nuget.yaml parameters: @@ -142,3 +150,10 @@ steps: SessionTimeout: 20 VerboseLogin: true timeoutInMinutes: 5 + +- task: NuGetCommand@2 + displayName: 'Verify packages are signed' + inputs: + command: custom + arguments: 'verify -Signature ${{ parameters.NugetPackagesWildcard }}' + continueOnError: true diff --git a/build/template-pack-and-sign-nuget.yaml b/build/template-pack-and-sign-nuget.yaml index 387717337..8247d28dd 100644 --- a/build/template-pack-and-sign-nuget.yaml +++ b/build/template-pack-and-sign-nuget.yaml 
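Review bot: `continueOnError: true` on the new `Verify packages are signed` step means a failing `nuget verify -Signature` only marks the step with a warning, so an unsigned or tampered package would still flow into template-publish-and-cleanup.yaml, which pipeline-releasebuild.yaml runs right after this template. The step was moved here from the publish template with that flag intact, so the commit does not introduce it, but for a signing gate it should fail the job: drop `continueOnError: true` (or set it to `false`). If the ESRP package-signing certificate is stable, NuGet's verify command also accepts `-CertificateFingerprint`, which would pin the accepted signer instead of accepting any trusted signature.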
@@ -1,18 +1,87 @@ parameters: BuildConfiguration: 'release' + HasRefAssembly: 'false' + NoBuild: 'true' ProjectRootPath: '' AssemblyName: '' - HasRefAssembly: 'false' steps: -- template: template-sign-binary.yaml - parameters: - FolderPath: '${{ parameters.ProjectRootPath }}' +# Signs a binary via ESRP +- task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1 + displayName: '**\bin\**\**\${{ parameters.AssemblyName }}.dll' + inputs: + ConnectedServiceName: 'IDDP Code Signing' + FolderPath: ${{ parameters.ProjectRootPath }} Pattern: '**\bin\**\**\${{ parameters.AssemblyName }}.dll' + UseMinimatch: true + signConfigType: inlineSignParams + inlineOperation: | + [ + { + "keyCode": "CP-230012", + "operationSetCode": "SigntoolSign", + "parameters": [ + { + "parameterName": "OpusName", + "parameterValue": "Microsoft.Identity.Web" + }, + { + "parameterName": "OpusInfo", + "parameterValue": "http://test" + }, + { + "parameterName": "PageHash", + "parameterValue": "/NPH" + }, + { + "parameterName": "FileDigest", + "parameterValue": "/fd sha256" + }, + { + "parameterName": "TimeStamp", + "parameterValue": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" + } + ], + "toolName": "signtool.exe", + "toolVersion": "6.2.9304.0" + }, + { + "keyCode": "CP-230012", + "operationSetCode": "SigntoolVerify", + "parameters": [ ], + "toolName": "signtool.exe", + "toolVersion": "6.2.9304.0" + } + ] + SessionTimeout: 20 + VerboseLogin: true + timeoutInMinutes: 10 + +- task: securedevelopmentteam.vss-secure-development-tools.build-task-binskim.BinSkim@4 + displayName: '**\bin\**\**\${{ parameters.AssemblyName }}.dll' + inputs: + InputType: Basic + AnalyzeTargetGlob: '**\bin\**\**\${{ parameters.AssemblyName }}.dll' + AnalyzeVerbose: true + AnalyzeHashes: true + toolVersion: Exact + exactToolVersion: '4.0.0-rc2' + +- task: securedevelopmentteam.vss-secure-development-tools.build-task-postanalysis.PostAnalysis@2 + displayName: 'Check BinSkim Results' + inputs: + 
GdnBreakGdnToolBinSkim: true -- template: template-nuget-pack.yaml - parameters: - NoBuild: 'true' - BuildConfiguration: ${{ parameters.BuildConfiguration }} - ProjectPath: '${{ parameters.ProjectRootPath }}\${{ parameters.AssemblyName }}.csproj' +# Pack a nuget +- task: DotNetCoreCLI@2 + displayName: 'Pack ${{ parameters.ProjectRootPath }}\${{ parameters.AssemblyName }}.csproj' + inputs: + command: pack + projects: '${{ parameters.ProjectRootPath }}\${{ parameters.AssemblyName }}.csproj' + nobuild: '${{parameters.NoBuild}}' + packagesToPack: '${{ parameters.ProjectRootPath }}\${{ parameters.AssemblyName }}.csproj' + IncludeSymbols: true + verbosityPack: normal + packDirectory: + arguments: '--configuration ${{ parameters.BuildConfiguration }}' diff --git a/build/template-prebuild-code-analysis.yaml b/build/template-prebuild-code-analysis.yaml index ecb2ffb43..d17963bab 100644 --- a/build/template-prebuild-code-analysis.yaml +++ b/build/template-prebuild-code-analysis.yaml @@ -22,4 +22,4 @@ steps: displayName: 'Post Analysis' inputs: CredScan: true - PoliCheck: true \ No newline at end of file + PoliCheck: true diff --git a/build/template-publish-analysis-and-cleanup.yaml b/build/template-publish-analysis-and-cleanup.yaml deleted file mode 100644 index f1af176b5..000000000 --- a/build/template-publish-analysis-and-cleanup.yaml +++ /dev/null 
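Review bot: The inline ESRP parameters embed `"OpusInfo": "http://test"` — as far as I can tell this is signtool's `/du` description URL — so every signed `${{ parameters.AssemblyName }}.dll` ships with a placeholder link in its Authenticode properties; it was copied verbatim from the deleted template-sign-binary.yaml, but since the whole file is rewritten here it is the moment to replace it with the real product URL or drop the parameter. Two smaller items in the same hunk: `packDirectory:` is a bare key with no value, which YAML reads as null — write `packDirectory: ''` or remove the key if the task default is intended — and BinSkim is pinned to the pre-release `exactToolVersion: '4.0.0-rc2'`, which presumably should move to a released 4.x build. `HasRefAssembly` is declared in `parameters:` but never referenced in the new file; if it exists only so callers may pass it, a comment such as `# accepted for caller compatibility; not used in this template` would stop it being removed as dead.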
@@ -1,17 +0,0 @@ -# template-publish-analysis-and-cleanup.yaml -# Publish any security analysis logs (e.g. TSA) and perform post-build cleanup -# Should be LAST step of any build it's used in. - -steps: -- task: securedevelopmentteam.vss-secure-development-tools.build-task-publishsecurityanalysislogs.PublishSecurityAnalysisLogs@3 - displayName: 'Publish Security Analysis Logs' - -- task: securedevelopmentteam.vss-secure-development-tools.build-task-uploadtotsa.TSAUpload@2 - displayName: 'TSA upload to Codebase: Microsoft Identity Web .NET Stamp: Azure' - inputs: - GdnPublishTsaOnboard: false - GdnPublishTsaConfigFile: '$(Build.SourcesDirectory)/build/tsaConfig.json' - continueOnError: true - -- task: mspremier.PostBuildCleanup.PostBuildCleanup-task.PostBuildCleanup@3 - displayName: 'Clean Agent Directories' diff --git a/build/template-publish-packages-and-symbols.yaml b/build/template-publish-and-cleanup.yaml similarity index 67% rename from build/template-publish-packages-and-symbols.yaml rename to build/template-publish-and-cleanup.yaml index 71b9f323f..f3eefbd15 100644 --- a/build/template-publish-packages-and-symbols.yaml +++ b/build/template-publish-and-cleanup.yaml @@ -1,5 +1,6 @@ # template-publish-packages-and-symbols.yaml # Publishes all nuget packages and symbols to appropriate destinations. +# Publish any security analysis logs (e.g. TSA) and perform post-build cleanup parameters: NugetPackagesWildcard: '$(Build.ArtifactStagingDirectory)\packages\*.nupkg' @@ -8,12 +9,6 @@ parameters: DropArtifactName: 'packages' steps: -- task: NuGetCommand@2 - displayName: 'Verify packages are signed' - inputs: - command: custom - arguments: 'verify -Signature ${{ parameters.NugetPackagesWildcard }}' - continueOnError: true - task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0 displayName: 'Generation Task' 
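Review bot: The header comment still names the old file, `# template-publish-packages-and-symbols.yaml`, while this commit renames it to template-publish-and-cleanup.yaml; change it to `# template-publish-and-cleanup.yaml`. The deleted template-publish-analysis-and-cleanup.yaml also carried `# Should be LAST step of any build it's used in.`, which still holds now that the agent cleanup lives in this file and is worth restoring under the new description line.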
@@ -43,3 +38,16 @@ steps: IndexSources: false SymbolServerType: TeamServices condition: eq(variables['PublishSymbols'], 'true') + +- task: securedevelopmentteam.vss-secure-development-tools.build-task-publishsecurityanalysislogs.PublishSecurityAnalysisLogs@3 + displayName: 'Publish Security Analysis Logs' + +- task: securedevelopmentteam.vss-secure-development-tools.build-task-uploadtotsa.TSAUpload@2 + displayName: 'TSA upload to Codebase: Microsoft Identity Web .NET Stamp: Azure' + inputs: + GdnPublishTsaOnboard: false + GdnPublishTsaConfigFile: '$(Build.SourcesDirectory)/build/tsaConfig.json' + continueOnError: true + +- task: mspremier.PostBuildCleanup.PostBuildCleanup-task.PostBuildCleanup@3 + displayName: 'Clean Agent Directories' diff --git a/build/template-sign-binary.yaml b/build/template-sign-binary.yaml deleted file mode 100644 index 1b06111ad..000000000 --- a/build/template-sign-binary.yaml +++ /dev/null 
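Review bot: The three appended steps have no `condition`, so under the default `succeeded()` they are skipped whenever an earlier step fails — which is exactly when the security analysis logs are most needed and when the agent directories holding the signing inputs are left behind. Add `condition: succeededOrFailed()` to the PublishSecurityAnalysisLogs and TSAUpload tasks and `condition: always()` to the PostBuildCleanup task. The deleted template had the same gap, so this is not a regression, but the consolidation is the natural place to close it.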
@@ -1,78 +0,0 @@ -# template-sign-binary.yaml -# Signs a binary via ESRP - -parameters: - FolderPath: '' - Pattern: '' - -steps: -# The signing task requires dotnet core 2.x -- task: UseDotNet@2 - displayName: 'Use .Net Core sdk 2.x' - inputs: - version: 2.x - -- task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1 - displayName: 'Sign Binary: ${{ parameters.Pattern }}' - inputs: - ConnectedServiceName: 'IDDP Code Signing' - FolderPath: ${{ parameters.FolderPath }} - Pattern: ${{ parameters.Pattern }} - UseMinimatch: true - signConfigType: inlineSignParams - inlineOperation: | - [ - { - "keyCode": "CP-230012", - "operationSetCode": "SigntoolSign", - "parameters": [ - { - "parameterName": "OpusName", - "parameterValue": "Microsoft.Identity.Web" - }, - { - "parameterName": "OpusInfo", - "parameterValue": "http://test" - }, - { - "parameterName": "PageHash", - "parameterValue": "/NPH" - }, - { - "parameterName": "FileDigest", - "parameterValue": "/fd sha256" - }, - { - "parameterName": "TimeStamp", - "parameterValue": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" - } - ], - "toolName": "signtool.exe", - "toolVersion": "6.2.9304.0" - }, - { - "keyCode": "CP-230012", - "operationSetCode": "SigntoolVerify", - "parameters": [ ], - "toolName": "signtool.exe", - "toolVersion": "6.2.9304.0" - } - ] - SessionTimeout: 20 - VerboseLogin: true - timeoutInMinutes: 10 - -- task: securedevelopmentteam.vss-secure-development-tools.build-task-binskim.BinSkim@4 - displayName: 'Run BinSkim ${{ parameters.Pattern }}' - inputs: - InputType: Basic - AnalyzeTargetGlob: ${{ parameters.Pattern }} - AnalyzeVerbose: true - AnalyzeHashes: true - toolVersion: Exact - exactToolVersion: '4.0.0-rc2' - -- task: securedevelopmentteam.vss-secure-development-tools.build-task-postanalysis.PostAnalysis@2 - displayName: 'Check BinSkim Results' - inputs: - GdnBreakGdnToolBinSkim: true 
diff --git a/tests/DevApps/WebAppCallsWebApiCallsGraph/Client/TodoListClient.csproj b/tests/DevApps/WebAppCallsWebApiCallsGraph/Client/TodoListClient.csproj index e1b6a5d28..b5d844cb8 100644 --- a/tests/DevApps/WebAppCallsWebApiCallsGraph/Client/TodoListClient.csproj +++ b/tests/DevApps/WebAppCallsWebApiCallsGraph/Client/TodoListClient.csproj @@ -21,9 +21,9 @@ - - - + + + all runtime; build; native; contentfiles; analyzers; buildtransitive diff --git a/tests/DevApps/WebAppCallsWebApiCallsGraph/gRPC/grpc.csproj b/tests/DevApps/WebAppCallsWebApiCallsGraph/gRPC/grpc.csproj index 90ab4c78c..42816c541 100644 --- a/tests/DevApps/WebAppCallsWebApiCallsGraph/gRPC/grpc.csproj +++ b/tests/DevApps/WebAppCallsWebApiCallsGraph/gRPC/grpc.csproj @@ -1,12 +1,12 @@ - + - - + +