Merged PR 672509: Migrate 'Linux PR Validation' pipeline to 1es templates

almiliMSFT · almiliMSFT · commit 19d4c23faf2f · 2022-08-02T19:49:04.000Z
Migrate 'Linux PR Validation' pipeline to 1es templates
diff --git a/.azdo/linux/job-linux-runtime.yml b/.azdo/linux/job-linux-runtime.yml
diff --git a/.azdo/linux/job-selfhost.yml b/.azdo/linux/job-selfhost.yml
@@ -1,9 +1,22 @@
+parameters:
+- name: BxlCommonArgs
+  type: string
+  default: --shared-comp /ado /cacheMiss:"[Bxl.Selfhost.Linux]" /logObservedFileAccesses /cacheConfigFilePath:Out/CacheConfig.json /logoutput:FullOutputOnError /logsToRetain:10 /exp:lazysodeletion- # /p:[Sdk.BuildXL]xunitSemaphoreCount=20
+
 jobs:
 - job: Selfhost
   displayName: Build and Validate Selfhost
   pool:
     name: BuildXL-DevOpsAgents-Linux-PME
 
+  templateContext:
+    breakGlass:
+      justification: 'Because BuildXL downloads NuGet packages from the internet during the build (and there is no way to run "nuget restore" before the build because NuGet packages are specified in a BuildXL-specific way)'
+    inputs:
+    - input: checkout
+      repository: self
+      fetchDepth: 1
+
   timeoutInMinutes: 90
 
   strategy:
@@ -15,13 +28,7 @@ jobs:
         BxlMatrixName: ReleaseLinux
         BxlMatrixArgs: /q:ReleaseLinux
 
-  variables:
-    skipComponentGovernanceDetection: true # done elsewhere (in the main rolling pipeline)
-    BxlCommonArgs: --shared-comp /ado /cacheMiss:"[Bxl.Selfhost.Linux]" /logObservedFileAccesses /cacheConfigFilePath:Out/CacheConfig.json /logoutput:FullOutputOnError /logsToRetain:10 /exp:lazysodeletion- # /p:[Sdk.BuildXL]xunitSemaphoreCount=20
-
   steps:
-  - checkout: self
-    fetchDepth: 1
 
   # Azure Key Vault
   # Download Azure Key Vault secrets
@@ -37,7 +44,7 @@ jobs:
     inputs:
       version: 6.x
 
-  - template: step-nuget-config.yml
+  - template: step-install-mono.yml
 
   - bash: |
       set -euo pipefail
@@ -82,7 +89,7 @@ jobs:
 
   - bash: |
       set -eu
-      bash bxl.sh $(BxlCommonArgs) /logsDirectory:"Out/Logs/Build" --minimal --internal --deploy-dev-release
+      bash bxl.sh ${{ parameters.BxlCommonArgs }} /logsDirectory:"Out/Logs/Build" --minimal --internal --deploy-dev-release
     displayName: Build
     workingDirectory: /home/subst
     env:
@@ -91,7 +98,7 @@ jobs:
       VSTSPERSONALACCESSTOKEN: $(PAT-TseBuild-AzureDevOps-mseng-buildcache)
 
   - bash: |
-      echo "== Deleting Out/frontend/Nuget/tmp, Out/bin, Out/Boorstrap folders to reduce the size of the NuGet cache dir"
+      echo "== Deleting Out/frontend/Nuget/tmp, Out/bin, Out/Bootstrap folders to reduce the size of the NuGet cache dir"
       rm -rf Out/frontend/Nuget/tmp Out/Objects.noindex Out/bin Out/BootStrap
       echo "== Disk usage of folders in Out"
       du -sh Out/*
@@ -103,7 +110,7 @@ jobs:
       set -eu
       function run_build {
         # the disks on Azure Pipeline VMs are too small to build everything, so let's instead run tests
-        bash bxl.sh --use-dev $(BxlCommonArgs) /logsDirectory:"Out/Logs/$(BxlMatrixName)" $(BxlMatrixArgs) "/f:tag='test'"
+        bash bxl.sh --use-dev ${{ parameters.BxlCommonArgs }} /logsDirectory:"Out/Logs/$(BxlMatrixName)" $(BxlMatrixArgs) "/f:tag='test'"
       }
 
       run_build || {
diff --git a/.azdo/linux/pipeline.yml b/.azdo/linux/pipeline.yml
@@ -4,6 +4,17 @@ trigger:
     include:
     - master
 
+resources:
+  repositories:
+  - repository: 1esPipelines
+    type: git
+    name: 1ESPipelineTemplates/1ESPipelineTemplates
+    ref: refs/tags/release
+
+variables:
+  PackageArtifactName: runtime.linux-x64.BuildXL.${{ parameters.LinuxRuntimePackageVersion }}
+  PackageDir: $(Build.SourcesDirectory)/Public/Src/Sandbox/Linux/bin/$(PackageArtifactName)
+
 parameters:
 - name: BuildSelfhost
   type: boolean
@@ -16,13 +27,75 @@ parameters:
   default: false
 - name: LinuxRuntimePackageVersion
   type: string
-  default: 0.1.0-$(Build.BuildNumber)
-
-jobs:
-- ${{ if parameters.BuildSelfhost }}:
-  - template: job-selfhost.yml
-- ${{ if parameters.BuildLinuxRuntime }}:
-  - template: job-linux-runtime.yml
-    parameters:
-      PublishNuget: ${{ parameters.PublishLinuxRuntimeNuget }}
-      PackageVersion: ${{ parameters.LinuxRuntimePackageVersion }}
+  default: 0.1.0-$(Build.BuildNumber).$(System.JobAttempt)
+
+extends:
+  template: v1/1ES.Unofficial.PipelineTemplate.yml@1esPipelines
+  parameters:
+
+    # Container in which to run *all* jobs (unfortunately 1ESPipelineTemplates allows only one container for all jobs)
+    # Chosen because the Linux runtime binaries must be built for 'manylinux2014' (more precisely, against glibc 2.17);
+    # currently, all other jobs in this pipeline opt out of containerization.
+    container:
+      image: quay.io/pypa/manylinux2014_x86_64
+
+    stages:
+    - stage: Build
+      jobs:
+      # Build and test selfhost with BuildXL
+      - ${{ if parameters.BuildSelfhost }}:
+        - template: /.azdo/linux/job-selfhost.yml@self
+
+      # Build Linux native runtime libraries with make
+      - ${{ if parameters.BuildLinuxRuntime }}:
+        - job: BuildLinuxRuntime
+          displayName: Build Linux Runtime
+          pool:
+            vmImage: ubuntu-latest
+          templateContext:
+            inputs:
+            - input: checkout
+              repository: self
+              fetchDepth: 1
+          steps:
+          - bash: make cleanall && make all -j
+            workingDirectory: Public/Src/Sandbox/Linux
+            failOnStderr: true
+            displayName: Build Native
+
+          - bash: bash mknuget.sh ${{ parameters.LinuxRuntimePackageVersion }}
+            workingDirectory: Public/Src/Sandbox/Linux
+            displayName: Pack Nuget
+
+          - task: PublishPipelineArtifact@1
+            inputs:
+              targetPath: $(PackageDir)
+              artifactName: $(PackageArtifactName)
+            condition: always()
+            continueOnError: true
+            displayName: Publish Pipeline Artifact
+
+        # Publish the built runtime in a separate job
+        # TODO: this could be merged with the previous job if the container image had all the required tools preinstalled
+        - ${{ if parameters.PublishLinuxRuntimeNuget }}:
+          - job: PublishNativeRuntimeNuget
+            displayName: Publish Linux Runtime NuGet
+            dependsOn: [ BuildLinuxRuntime ]
+            pool:
+              vmImage: ubuntu-latest
+            templateContext:
+              breakGlass:
+                justification: "Because 1ESPipelineTemplates allows only a single container for all jobs, and 'quay.io/pypa/manylinux2014_x86_64' does not have some tools needed for NuGet installed"
+            steps:
+            - checkout: none
+            - task: DownloadPipelineArtifact@2
+              inputs:
+                artifact: $(PackageArtifactName)
+                path:  $(Build.ArtifactStagingDirectory)/$(PackageArtifactName)
+            - template: /.azdo/linux/step-nuget-config.yml@self
+            - bash: |
+                set -eu
+                zip -r ../$(PackageArtifactName).nupkg *
+                dotnet nuget push --skip-duplicate --api-key "AzureDevOps" --source "$(Feed-BuildXL.Selfhost)" ../$(PackageArtifactName).nupkg
+              displayName: Push NuGet
+              workingDirectory: $(Build.ArtifactStagingDirectory)/$(PackageArtifactName)
diff --git a/.azdo/linux/step-install-mono.yml b/.azdo/linux/step-install-mono.yml
@@ -0,0 +1,9 @@
+steps:
+- bash: |
+    set -eu
+
+    # install mono
+    sudo apt-get update
+    sudo apt-get install -y mono-complete mono-devel 
+    mono --version
+  displayName: Install Mono
diff --git a/.azdo/linux/step-nuget-config.yml b/.azdo/linux/step-nuget-config.yml
@@ -2,17 +2,16 @@ steps:
 - bash: |
     set -eu
 
-    # install mono
-    sudo apt-get update
-    sudo apt-get install -y mono-complete mono-devel 
-    mono --version
-  displayName: Install Prerequisites
+    function addNugetSource {
+      local source="$1"
+      local name="$2"
+      local password="$3"
 
-- bash: |
-    set -eu
-    mono Shared/Tools/NuGet.exe sources remove -Name "BuildXL.Selfhost" || true
-    mono Shared/Tools/NuGet.exe sources remove -Name "BuildXL" || true
+      dotnet nuget remove source "$name" 2>&1 > /dev/null || true
+      echo "Adding '$name' -> '$source'"
+      dotnet nuget add source "$source" --name "$name" --username tsebuild --password "$password" --store-password-in-clear-text
+    }
 
-    mono Shared/Tools/NuGet.exe sources add -Name "BuildXL.Selfhost" -Source "$(Feed-BuildXL.Selfhost)" -username tsebuild -password $(PAT-TseBuild-AzureDevOps-CloudBuild)
-    mono Shared/Tools/NuGet.exe sources add -Name "BuildXL" -Source "$(Feed-BuildXL)" -username tsebuild -password $(PAT-TseBuild-AzureDevOps-1esSharedAssets)
+    addNugetSource "$(Feed-BuildXL.Selfhost)" "BuildXL.Selfhost" "$(PAT-TseBuild-AzureDevOps-CloudBuild)"
+    addNugetSource "$(Feed-BuildXL)" "BuildXL" "$(PAT-TseBuild-AzureDevOps-1esSharedAssets)"
   displayName: Add NuGet Sources
diff --git a/Private/macOS/notarize.sh b/Private/macOS/notarize.sh
@@ -62,6 +62,7 @@ fi
 
 if [[ -z $arg_Password ]]; then
     echo "[INFO] Password not set; using the AC_PASSWORD entry from the keychain"
+    # [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="Not a secret")]
     arg_Password="@keychain:AC_PASSWORD"
 fi
 
diff --git a/Public/Src/Sandbox/Linux/mknuget.sh b/Public/Src/Sandbox/Linux/mknuget.sh
@@ -1,17 +1,18 @@
 #!/bin/bash
 
-readonly __dir=$(cd `dirname ${BASH_SOURCE[0]}` && pwd)
-
 set -euo pipefail
 
+readonly __dir=$(cd `dirname ${BASH_SOURCE[0]}` && pwd)
 readonly version="$1"
 readonly pkgName="runtime.linux-x64.BuildXL.${version}"
+readonly binDir="${__dir}/bin"
 
-cd "${__dir}"
-make cleanall
-bash build-manylinux.sh
+if [[ ! -d "${binDir}/debug" ]] || [[ ! -d "${binDir}/release" ]]; then
+  echo "One of '$binDir/{debug,release}' folders not found.  Build the native runtime libraries first"
+  exit 1
+fi
 
-cd bin
+cd "${__dir}/bin"
 
 rm -rf "${pkgName}"
 mkdir -p "${pkgName}/ref/netstandard"
@@ -38,4 +39,9 @@ cat > "${pkgName}/runtime.linux-x64.buildxl.nuspec" <<EOF
 EOF
 
 cd "${pkgName}"
-zip -v ../${pkgName}.nupkg *
+if which zip > /dev/null 2>&1; then
+  zip -r ../${pkgName}.nupkg *
+else
+  pwd
+  find . -type f
+fi
diff --git a/RunCheckInTestsWithPAT.ps1 b/RunCheckInTestsWithPAT.ps1
@@ -15,12 +15,10 @@
 [Environment]::SetEnvironmentVariable("MSENG_GIT_PAT", $msEngGitPat, "Process")
 [Environment]::SetEnvironmentVariable("NUGET_CREDENTIALPROVIDERS_PATH", $ncPath, "Process")
 
-[Environment]::SetEnvironmentVariable("VSS_NUGET_EXTERNAL_FEED_ENDPOINTS", "
-{
-    'endpointCredentials': [
-        {'endpoint':'https://pkgs.dev.azure.com/1essharedassets/_packaging/BuildXL/nuget/v3/index.json', 'password':'$1esPat'}, 
-        {'endpoint':'https://pkgs.dev.azure.com/cloudbuild/_packaging/BuildXL.Selfhost/nuget/v3/index.json', 'password':'$cbPat'}
-    ]
-}", "Process")
+[Environment]::SetEnvironmentVariable(
+    "VSS_NUGET_EXTERNAL_FEED_ENDPOINTS",
+    <#[SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="Not a secret")]#>
+    "{ 'endpointCredentials': [ {'endpoint':'https://pkgs.dev.azure.com/1essharedassets/_packaging/BuildXL/nuget/v3/index.json', 'password':'$1esPat'}, {'endpoint':'https://pkgs.dev.azure.com/cloudbuild/_packaging/BuildXL.Selfhost/nuget/v3/index.json', 'password':'$cbPat'} ]}",
+    "Process")
 
 .\RunCheckInTests.cmd /lab $args /internal
diff --git a/bxl.sh b/bxl.sh

-Original file line number
+Diff line change
     fi
     # Download the artifacts credential provider
 -    wget -q -c https://github.com/microsoft/artifacts-credprovider/releases/download/v1.0.0/Microsoft.NuGet.CredentialProvider.tar.gz -O - | tar -xz -C $destinationFolder
 +    mkdir -p "$destinationFolder"
 +    wget -q -c https://github.com/microsoft/artifacts-credprovider/releases/download/v1.0.0/Microsoft.NuGet.CredentialProvider.tar.gz -O - | tar -xz -C "$destinationFolder"
     # Remove the .exe, since we want to replace it with a script that runs on Mac/Linux
     rm "$credentialProviderExe"
     arg_Positional+=(/generateCgManifestForNugets:"${MY_DIR}/cg/nuget/cgmanifest.json")
 fi
 -if [[ -n "$arg_UseDev" ]]; then
 -    if [[ ! -f $MY_DIR/Out/Selfhost/Dev/bxl ]]; then
 -        print_error "Error: Could not find the dev deployment. Make sure you build with --deploy-dev first."
 -        exit 1
 -    fi
+-
 -    export BUILDXL_BIN=$MY_DIR/Out/Selfhost/Dev
 -elif [[ -z "$BUILDXL_BIN" ]]; then
 -    getLkg
 -fi
+-
 # if the nuget credential provider is not configured (and the build is an internal one, which is where it is needed)
 # download and install the artifacts credential provider
 if [[ -n "$arg_Internal" ]] && [[ ! -d "${NUGET_CREDENTIALPROVIDERS_PATH:-}" ]]; then
     arg_Positional+=("/p:[Sdk.BuildXL]validateLinuxRuntime=0")
 fi
 +if [[ -n "$arg_UseDev" ]]; then
 +    if [[ ! -f $MY_DIR/Out/Selfhost/Dev/bxl ]]; then
 +        print_error "Error: Could not find the dev deployment. Make sure you build with --deploy-dev first."
 +        exit 1
 +    fi
++
 +    export BUILDXL_BIN=$MY_DIR/Out/Selfhost/Dev
 +elif [[ -z "$BUILDXL_BIN" ]]; then
 +    getLkg
 +fi
++
 compileWithBxl ${arg_Positional[@]}
 if [[ -n "$arg_DeployDev" ]]; then