-
Notifications
You must be signed in to change notification settings - Fork 8.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enable Security and Compliance tasks in our Release pipeline #11849
Conversation
… use recycled artifacts to speed this up
… (which I was supposed to move to anyway) uses x64 by default.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
template<typename T> | ||
static bool isProfilesDefaultsOrigin(const T& profile) | ||
{ | ||
return profile && profile.Origin() != winrt::Microsoft::Terminal::Settings::Model::OriginTag::ProfilesDefaults; | ||
} | ||
|
||
template<typename T> | ||
static bool isProfilesDefaultsOriginSub(const T& sub) | ||
{ | ||
return sub && isProfilesDefaultsOrigin(sub.SourceProfile()); | ||
} | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This change was because of an internal compiler error. I have a thread out to the team to hopefully debug and fix the compiler. It couldn't handle the other form.
@@ -168,6 +168,7 @@ | |||
<IntrinsicFunctions>true</IntrinsicFunctions> | |||
<PreprocessorDefinitions>NDEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions> | |||
<RuntimeTypeInfo>false</RuntimeTypeInfo> | |||
<AdditionalOptions>%(AdditionalOptions)</AdditionalOptions> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please ignore this. It will make it easier for me to move to XFG later as more flags go here.
cancelTimeoutInMinutes: 1 | ||
steps: | ||
- checkout: self | ||
clean: true | ||
fetchDepth: 1 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
PGO can't resolve from peer branches with depth 1 here, so I'll allow it for release builds.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yea I'm fine with this. Dustin wanted it moved to another file (stages.yml or something), but like, good enough for me.
build/pipelines/release.yml
Outdated
teamId: 7105 | ||
authId: $(TouchdownAppId) | ||
authKey: $(TouchdownAppKey) | ||
resourceFilePath: >- |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't love that we've got these Resources.resw paths in here all hardcoded, kinda just begging for us to forget to update this list in the future, but ¯\_(ツ)_/¯
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's how they were... We can maybe improve that later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yep. I learned afterwards that we can wildcard them!
Honestly doing compliance probably doesn't need loc resources.. but np
From the meeting, @DHowett wants me to pull the compliance one into a template of steps and then link it here. |
/azp run |
Azure Pipelines successfully started running 1 pipeline(s). |
Hello @miniksa! Because this pull request has the p.s. you can customize the way I help with merging this pull request, such as holding this pull request until a specific person approves. Simply @mention me (
|
Enables a series of tasks run against our release pipeline that validate the security and compliance status of our code in an automated fashion. These checks include: - Component Governance - (we had this one, it was moved to here) - Inventories open-source components used in our build - PREfast - C/C++ static analysis for common code errors and exploits - Policheck - Searches source code, comments, and text for words that could be sensitive legally, culturally, or geopolitically - Credscan - Looks for credentials left behind in the code/documents and build output files - BinSkim - Searches for common vulnerabilities in binaries - CheckCFlags - Validates that compile/link flags match the policies recommended by Windows engineering for inclusion into the OS product image - CFGCheck/XFGCheck - Validates that the CFG and/or XFG settings were enabled at compile and link time to guard against control flow attacks. We're also required to run the SBOM one, but that was done in a separate PR and we're still pending the detectors being updated. - #11948 - Move from CFG to XFG once XFG task folks get back to me on it - #11949 - Enable bug filing for SecComp tasks - #11950 - Bulk process bugs filed by SecComp tasks - #11947 - Validate SBOM when checkers come online - [x] - Fixes #10735 - [x] - Fixes #908 - [x] - I work here - [x] - If it fits, it sits.
🎉 Handy links: |
Enables a series of tasks run against our release pipeline that validate the security and compliance status of our code in an automated fashion. These checks include:
We're also required to run the SBOM one, but that was done in a separate PR and we're still pending the detectors being updated.
References
Checklist