From 6d0971bc4cf8235907b784439374db03354e89a8 Mon Sep 17 00:00:00 2001
From: Billy Robert O'Neal III
Date: Mon, 25 Mar 2024 22:44:52 -0700
Subject: [PATCH 01/12] Attempt onboarding 1ESPT.
---
azure-pipelines/signing.yml | 989 ++++++++++++++++++------------------
1 file changed, 491 insertions(+), 498 deletions(-)
diff --git a/azure-pipelines/signing.yml b/azure-pipelines/signing.yml
index 79325903ae..be36eeb3ed 100644
--- a/azure-pipelines/signing.yml
+++ b/azure-pipelines/signing.yml
@@ -26,509 +26,502 @@ parameters: - 'NuGet Only' - 'None' variables: - - group: vcpkg Terrapin URLs - - name: TeamName - value: vcpkg - - name: Codeql.Enabled - value: true +- group: vcpkg Terrapin URLs +- name: TeamName + value: vcpkg +- name: Codeql.Enabled + value: true # If the user didn't override the signing type, then only real-sign on main. - - ${{ if ne(parameters.SignTypeOverride, 'default') }}: - - name: SignType - value: ${{ parameters.SignTypeOverride }} - - ${{ if and(eq(parameters.SignTypeOverride, 'default'), or(eq(variables['Build.SourceBranchName'], 'main'), startsWith(variables['Build.SourceBranch'], 'refs/tags'))) }}: - - name: SignType - value: real - - ${{ if and(eq(parameters.SignTypeOverride, 'default'), not(or(eq(variables['Build.SourceBranchName'], 'main'), startsWith(variables['Build.SourceBranch'], 'refs/tags')))) }}: - - name: SignType - value: test -jobs: - - job: arch_independent - displayName: 'Build and Sign Arch-Independent Scripts and vcpkg-artifacts' - # The first job records VCPKG_INITIAL_BASE_VERSION as VCPKG_BASE_VERSION so that all subsequent stages agree - # on the value; AzureDevOps appears to repeat evaluation of variables such that crossing UTC's day start - # would make subsequent pipeline stages use a different day producing a broken build. - # Note that pipeline.startTime seems to refer to the start of the *job*, not the overall pipeline run. 
- timeoutInMinutes: 120 - variables: - - ${{ if eq(parameters.VcpkgBaseVersionOverride, 'default') }}: - - name: VCPKG_INITIAL_BASE_VERSION - value: $[format('{0:yyyy}-{0:MM}-{0:dd}', pipeline.startTime)] - - ${{ if ne(parameters.VcpkgBaseVersionOverride, 'default') }}: - - name: VCPKG_INITIAL_BASE_VERSION - value: ${{parameters.VcpkgBaseVersionOverride}} - - name: Codeql.BuildIdentifier - value: vcpkg_ECMAScript - - name: Codeql.Language - value: javascript - pool: - name: 'VSEngSS-MicroBuild2022-1ES' - steps: - - task: Powershell@2 - displayName: 'Lock VCPKG_BASE_VERSION' - name: versions - inputs: - pwsh: true - targetType: 'inline' - script: | - $headSha = &git rev-parse HEAD - Write-Host "##vso[task.setvariable variable=VCPKG_BASE_VERSION;isOutput=true]$env:VCPKG_INITIAL_BASE_VERSION" - Write-Host "##vso[task.setvariable variable=VCPKG_FULL_VERSION;isOutput=true]$env:VCPKG_INITIAL_BASE_VERSION-$headSha" - - task: Powershell@2 - displayName: 'Lock Installer Scripts Versions' - inputs: - pwsh: true - filePath: vcpkg-init/lock-versions.ps1 - arguments: '-Destination "$(Build.BinariesDirectory)" -VcpkgBaseVersion $(VCPKG_INITIAL_BASE_VERSION)' - - task: UseNode@1 - displayName: Use Node 18 or later - inputs: - version: "18.x" - - task: Npm@1 - inputs: - command: 'custom' - workingDir: 'vcpkg-artifacts' - customCommand: 'ci' - customRegistry: 'useFeed' - customFeed: '0bdbc590-a062-4c3f-b0f6-9383f67865ee/105b4584-173c-41aa-8061-612294abe099' - displayName: Restore vcpkg-artifacts Dev Dependencies - - task: ComponentGovernanceComponentDetection@0 - displayName: Detect Components - inputs: - sourceScanPath: vcpkg-artifacts - - task: CodeQL3000Init@0 - displayName: CodeQL Initialize - - script: | - mkdir "$(Build.BinariesDirectory)" - mkdir "$(Build.BinariesDirectory)\vcpkg-artifacts" - node "$(Build.SourcesDirectory)\vcpkg-artifacts\node_modules\typescript\bin\tsc" -p "$(Build.SourcesDirectory)\vcpkg-artifacts" --outDir "$(Build.BinariesDirectory)\vcpkg-artifacts" - 
displayName: Build TypeScript - - task: CodeQL3000Finalize@0 - displayName: CodeQL Finalize - - task: Npm@1 - inputs: - command: 'custom' - workingDir: 'vcpkg-artifacts' - customCommand: 'ci --omit=dev' - customRegistry: 'useFeed' - customFeed: '0bdbc590-a062-4c3f-b0f6-9383f67865ee/105b4584-173c-41aa-8061-612294abe099' - displayName: Restore vcpkg-artifacts Prod Dependencies - - script: | # This script must be kept in sync with vcpkg-artifacts-target in CMakeLists.txt - rmdir /s /q "$(Build.BinariesDirectory)\vcpkg-artifacts\test" - rmdir /s /q "$(Build.BinariesDirectory)\vcpkg-artifacts\test_resources" - mkdir "$(Build.BinariesDirectory)\vcpkg-artifacts\locales" - mkdir "$(Build.BinariesDirectory)\vcpkg-artifacts\node_modules" - xcopy /F /E "$(Build.SourcesDirectory)\vcpkg-artifacts\node_modules" "$(Build.BinariesDirectory)\vcpkg-artifacts\node_modules" - :: to avoid signing 'semver' .ps1s - rmdir /s /q "$(Build.BinariesDirectory)\vcpkg-artifacts\node_modules\.bin" - copy "$(Build.SourcesDirectory)\vcpkg-artifacts\package.json" "$(Build.BinariesDirectory)\vcpkg-artifacts\package.json" - copy "$(Build.SourcesDirectory)\vcpkg-artifacts\package-lock.json" "$(Build.BinariesDirectory)\vcpkg-artifacts\package-lock.json" - copy "$(Build.SourcesDirectory)\vcpkg-artifacts\.npmrc" "$(Build.BinariesDirectory)\vcpkg-artifacts\.npmrc" - copy "$(Build.SourcesDirectory)\vcpkg-artifacts\locales\messages.json" "$(Build.BinariesDirectory)\vcpkg-artifacts\locales\messages.json" - displayName: Delete Tests, Store Dependencies and Static Components for Signing - - script: | - mkdir "$(Build.BinariesDirectory)\scripts" - xcopy /F /E "$(Build.SourcesDirectory)\scripts" "$(Build.BinariesDirectory)\scripts" - displayName: Collect PowerShell Scripts for Signing - - task: MicroBuildSigningPlugin@4 - displayName: Install MicroBuild Signing - inputs: - signType: $(SignType) - zipSources: false - feedSource: 
'https://devdiv.pkgs.visualstudio.com/DefaultCollection/_packaging/MicroBuildToolset/nuget/v3/index.json' - - task: NuGetToolInstaller@1 - inputs: - versionSpec: 5.7 - - task: NuGetCommand@2 - displayName: 'NuGet Restore MicroBuild Signing Extension' - inputs: - command: 'restore' - restoreSolution: 'azure-pipelines/arch-independent-signing.signproj' - feedsToUse: 'config' - restoreDirectory: '$(Build.SourcesDirectory)\packages' - - task: MSBuild@1 - displayName: 'Sign Architecture Independent Files' - inputs: - solution: 'azure-pipelines\arch-independent-signing.signproj' - msbuildArguments: '/p:OutDir=$(Build.BinariesDirectory)\ /p:IntermediateOutputPath=$(Build.BinariesDirectory)\' - # Note that signing must happen before packing steps because the packs contain files that are themselves signed. - - script: | - copy "$(Build.BinariesDirectory)\vcpkg-init.ps1" "$(Build.BinariesDirectory)\vcpkg-init.cmd" - displayName: 'Duplicate Install Scripts' - - task: Powershell@2 - displayName: 'Build One-Liner vcpkg-standalone-bundle.tar.gz' - inputs: - pwsh: true - filePath: vcpkg-init/mint-standalone-bundle.ps1 - arguments: '-DestinationTarball "$(Build.BinariesDirectory)\vcpkg-standalone-bundle.tar.gz" -TempDir standalone-temp -SignedFilesRoot "$(Build.BinariesDirectory)" -Deployment OneLiner -VcpkgBaseVersion "$(VCPKG_INITIAL_BASE_VERSION)"' - - script: | - mkdir "$(Build.ArtifactStagingDirectory)\staging" - mkdir "$(Build.ArtifactStagingDirectory)\staging\scripts" - move "$(Build.BinariesDirectory)\vcpkg-standalone-bundle.tar.gz" "$(Build.ArtifactStagingDirectory)\staging\vcpkg-standalone-bundle.tar.gz" - move "$(Build.BinariesDirectory)\vcpkg-init" "$(Build.ArtifactStagingDirectory)\staging\vcpkg-init" - move "$(Build.BinariesDirectory)\vcpkg-init.ps1" "$(Build.ArtifactStagingDirectory)\staging\vcpkg-init.ps1" - move "$(Build.BinariesDirectory)\vcpkg-init.cmd" "$(Build.ArtifactStagingDirectory)\staging\vcpkg-init.cmd" - move 
"$(Build.BinariesDirectory)\scripts\applocal.ps1" "$(Build.ArtifactStagingDirectory)\staging\scripts\applocal.ps1" - move "$(Build.BinariesDirectory)\scripts\addPoshVcpkgToPowershellProfile.ps1" "$(Build.ArtifactStagingDirectory)\staging\scripts\addPoshVcpkgToPowershellProfile.ps1" - move "$(Build.BinariesDirectory)\scripts\posh-vcpkg.psm1" "$(Build.ArtifactStagingDirectory)\staging\scripts\posh-vcpkg.psm1" - move "$(Build.BinariesDirectory)\vcpkg-artifacts" "$(Build.ArtifactStagingDirectory)\staging\vcpkg-artifacts" - displayName: 'Arrange Architecture-independent Files for Staging' - - task: Powershell@2 - displayName: Generate Arch-independent SHA512s - name: shas - inputs: - pwsh: true - targetType: 'inline' - script: | - $standaloneBundleSha = (Get-FileHash "$(Build.ArtifactStagingDirectory)\staging\vcpkg-standalone-bundle.tar.gz" -Algorithm SHA512).Hash.ToLowerInvariant() - Write-Host "##vso[task.setvariable variable=VCPKG_STANDALONE_BUNDLE_SHA;isOutput=true]$standaloneBundleSha" - - task: PublishBuildArtifacts@1 - displayName: "Publish Architecture Independent Staging" - inputs: - PathtoPublish: '$(Build.ArtifactStagingDirectory)\staging' - ArtifactName: 'staging' - publishLocation: 'Container' - - job: macos_build - displayName: 'MacOS Build' - dependsOn: - - arch_independent - pool: - vmImage: macOS-12 - variables: - VCPKG_STANDALONE_BUNDLE_SHA: $[ dependencies.arch_independent.outputs['shas.VCPKG_STANDALONE_BUNDLE_SHA'] ] - VCPKG_BASE_VERSION: $[ dependencies.arch_independent.outputs['versions.VCPKG_BASE_VERSION'] ] - steps: - - task: CmdLine@2 - displayName: "Build vcpkg with CMake" - inputs: - failOnStderr: true - script: | - cmake -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_BUILD_TYPE=Release -DBUILD_TESTING=OFF -DVCPKG_DEVELOPMENT_WARNINGS=ON -DVCPKG_WARNINGS_AS_ERRORS=ON -DVCPKG_BUILD_FUZZING=OFF -DVCPKG_EMBED_GIT_SHA=ON -DVCPKG_OFFICIAL_BUILD=ON -DCMAKE_OSX_DEPLOYMENT_TARGET=10.13 -DCMAKE_OSX_ARCHITECTURES="arm64;x86_64" 
"-DVCPKG_FMT_URL=$(fmt-tarball-url)" "-DVCPKG_CMAKERC_URL=$(cmakerc-tarball-url)" "-DVCPKG_BASE_VERSION=$VCPKG_BASE_VERSION" "-DVCPKG_VERSION=$(Build.SourceVersion)" "-DVCPKG_STANDALONE_BUNDLE_SHA=$VCPKG_STANDALONE_BUNDLE_SHA" -B "$(Build.BinariesDirectory)/build" 2>&1 - make -j 8 -C "$(Build.BinariesDirectory)/build" - zip -j "$(Build.ArtifactStagingDirectory)/vcpkg-macos.zip" "$(Build.BinariesDirectory)/build/vcpkg" - - task: PublishBuildArtifacts@1 - displayName: "Publish Unsigned MacOS Binary" - inputs: - ArtifactName: 'staging' - publishLocation: 'Container' - - job: glibc_build - displayName: 'glibc Build' - dependsOn: - - arch_independent - pool: - name: 'vcpkg-mariner-1espt' - variables: - VCPKG_STANDALONE_BUNDLE_SHA: $[ dependencies.arch_independent.outputs['shas.VCPKG_STANDALONE_BUNDLE_SHA'] ] - VCPKG_BASE_VERSION: $[ dependencies.arch_independent.outputs['versions.VCPKG_BASE_VERSION'] ] - steps: - - bash: | - az login --identity --username 29a4d3e7-c7d5-41c7-b5a0-fee8cf466371 - az acr login --name vcpkgdockercontainers - displayName: 'Set up managed identity' - - task: CmdLine@2 - displayName: "Build vcpkg in Mariner with Ubuntu 16.04 Libraries" - inputs: - failOnStderr: false - script: | - mkdir -p "$(Agent.TempDirectory)/build" - docker run --rm --mount "type=bind,source=$(Build.Repository.LocalPath),target=/source,readonly" --mount "type=bind,source=$(Agent.TempDirectory)/build,target=/build" vcpkgdockercontainers.azurecr.io/vcpkg/vcpkg-linux:2024-03-21 sh -c "cmake -G Ninja -DCMAKE_TOOLCHAIN_FILE=/source/azure-pipelines/vcpkg-linux/toolchain.cmake -DCMAKE_BUILD_TYPE=Release -DBUILD_TESTING=OFF -DVCPKG_DEVELOPMENT_WARNINGS=ON -DVCPKG_WARNINGS_AS_ERRORS=ON -DVCPKG_BUILD_FUZZING=OFF -DVCPKG_EMBED_GIT_SHA=ON -DVCPKG_OFFICIAL_BUILD=ON -DVCPKG_CMAKERC_URL=$(cmakerc-tarball-url) -DVCPKG_FMT_URL=$(fmt-tarball-url) -DVCPKG_STANDALONE_BUNDLE_SHA=$(VCPKG_STANDALONE_BUNDLE_SHA) -DVCPKG_BASE_VERSION=$(VCPKG_BASE_VERSION) -DVCPKG_VERSION=$(Build.SourceVersion) -S 
/source -B /build 2>&1 && ninja -C /build" - mv "$(Agent.TempDirectory)/build/vcpkg" "$(Build.ArtifactStagingDirectory)/vcpkg-glibc" - - task: PublishBuildArtifacts@1 - displayName: "Publish Unsigned glibc Binary" - inputs: - ArtifactName: 'staging' - publishLocation: 'Container' - - job: muslc_build - displayName: 'muslc (Alpine) Build' - pool: - name: 'vcpkg-mariner-1espt' - dependsOn: - - arch_independent - variables: - VCPKG_STANDALONE_BUNDLE_SHA: $[ dependencies.arch_independent.outputs['shas.VCPKG_STANDALONE_BUNDLE_SHA'] ] - VCPKG_BASE_VERSION: $[ dependencies.arch_independent.outputs['versions.VCPKG_BASE_VERSION'] ] - steps: - - bash: | - az login --identity --username 29a4d3e7-c7d5-41c7-b5a0-fee8cf466371 - az acr login --name vcpkgdockercontainers - displayName: 'Set up managed identity' - - task: CmdLine@2 - displayName: "Build vcpkg in Alpine" - inputs: - failOnStderr: false - script: | - mkdir -p "$(Agent.TempDirectory)/build" - docker run --rm --mount "type=bind,source=$(Build.Repository.LocalPath),target=/source,readonly" --mount "type=bind,source=$(Agent.TempDirectory)/build,target=/build" vcpkgdockercontainers.azurecr.io/vcpkg/vcpkg-alpine:3.16 sh -c "cmake -G Ninja -DCMAKE_BUILD_TYPE=Release -DBUILD_TESTING=OFF -DVCPKG_DEVELOPMENT_WARNINGS=ON -DVCPKG_WARNINGS_AS_ERRORS=ON -DVCPKG_BUILD_FUZZING=OFF -DVCPKG_EMBED_GIT_SHA=ON -DVCPKG_OFFICIAL_BUILD=ON -DCMAKE_CXX_FLAGS=\"-static -s -static-libgcc -static-libstdc++\" -DVCPKG_CMAKERC_URL=$(cmakerc-tarball-url) -DVCPKG_FMT_URL=$(fmt-tarball-url) -DVCPKG_STANDALONE_BUNDLE_SHA=$(VCPKG_STANDALONE_BUNDLE_SHA) -DVCPKG_BASE_VERSION=$(VCPKG_BASE_VERSION) -DVCPKG_VERSION=$(Build.SourceVersion) -S /source -B /build 2>&1 && ninja -C /build" - mv "$(Agent.TempDirectory)/build/vcpkg" "$(Build.ArtifactStagingDirectory)/vcpkg-muslc" - - task: PublishBuildArtifacts@1 - displayName: "Publish Unsigned muslc Binary" - inputs: - ArtifactName: 'staging' - publishLocation: 'Container' - - job: windows_and_sign - displayName: 
'Build Windows binaries and Sign' - timeoutInMinutes: 120 - dependsOn: - - arch_independent - - macos_build - - glibc_build - - muslc_build - pool: - name: 'VSEngSS-MicroBuild2022-1ES' - variables: - VCPKG_STANDALONE_BUNDLE_SHA: $[ dependencies.arch_independent.outputs['shas.VCPKG_STANDALONE_BUNDLE_SHA'] ] - VCPKG_BASE_VERSION: $[ dependencies.arch_independent.outputs['versions.VCPKG_BASE_VERSION'] ] - VCPKG_FULL_VERSION: $[ dependencies.arch_independent.outputs['versions.VCPKG_FULL_VERSION'] ] - Codeql.BuildIdentifier: vcpkg_cpp - Codeql.Language: cpp - steps: - - task: CodeQL3000Init@0 - displayName: 'CodeQL Initialize' - - task: CmdLine@2 - displayName: "Build vcpkg amd64 with CMake" - inputs: - failOnStderr: true - script: | - call "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\Common7\Tools\VsDevCmd.bat" -arch=amd64 -host_arch=amd64 - cmake.exe --version - cmake.exe -G Ninja -DCMAKE_BUILD_TYPE=Release -DBUILD_TESTING=OFF -DVCPKG_DEVELOPMENT_WARNINGS=ON -DVCPKG_WARNINGS_AS_ERRORS=ON -DVCPKG_BUILD_FUZZING=OFF -DVCPKG_BUILD_TLS12_DOWNLOADER=ON -DVCPKG_EMBED_GIT_SHA=ON -DVCPKG_OFFICIAL_BUILD=ON "-DVCPKG_FMT_URL=$(fmt-tarball-url)" "-DVCPKG_CMAKERC_URL=$(cmakerc-tarball-url)" "-DVCPKG_BASE_VERSION=$(VCPKG_BASE_VERSION)" "-DVCPKG_VERSION=$(Build.SourceVersion)" "-DVCPKG_STANDALONE_BUNDLE_SHA=$(VCPKG_STANDALONE_BUNDLE_SHA)" -B "$(Build.BinariesDirectory)\amd64" - ninja.exe -C "$(Build.BinariesDirectory)\amd64" - - task: CmdLine@2 - displayName: "Build vcpkg arm64 with CMake" - inputs: - failOnStderr: true - script: | - call "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\Common7\Tools\VsDevCmd.bat" -arch=arm64 -host_arch=amd64 - cmake.exe --version - cmake.exe -G Ninja -DCMAKE_BUILD_TYPE=Release -DBUILD_TESTING=OFF -DVCPKG_DEVELOPMENT_WARNINGS=ON -DVCPKG_WARNINGS_AS_ERRORS=ON -DVCPKG_BUILD_FUZZING=OFF -DVCPKG_BUILD_TLS12_DOWNLOADER=ON -DVCPKG_EMBED_GIT_SHA=ON -DVCPKG_OFFICIAL_BUILD=ON -DVCPKG_PDB_SUFFIX="-arm64" 
"-DVCPKG_FMT_URL=$(fmt-tarball-url)" "-DVCPKG_CMAKERC_URL=$(cmakerc-tarball-url)" "-DVCPKG_BASE_VERSION=$(VCPKG_BASE_VERSION)" "-DVCPKG_VERSION=$(Build.SourceVersion)" "-DVCPKG_STANDALONE_BUNDLE_SHA=$(VCPKG_STANDALONE_BUNDLE_SHA)" -B "$(Build.BinariesDirectory)\arm64" - ninja.exe -C "$(Build.BinariesDirectory)\arm64" - - task: CodeQL3000Finalize@0 - displayName: 'CodeQL Finalize' - - task: MicroBuildSigningPlugin@4 - displayName: Install MicroBuild Signing - inputs: - signType: $(SignType) - zipSources: false - feedSource: 'https://devdiv.pkgs.visualstudio.com/DefaultCollection/_packaging/MicroBuildToolset/nuget/v3/index.json' - - task: NuGetToolInstaller@1 - inputs: - versionSpec: 5.7 - - task: NuGetCommand@2 - displayName: 'NuGet Restore MicroBuild Signing Extension' - inputs: - command: 'restore' - restoreSolution: 'azure-pipelines/binary-signing.signproj' - feedsToUse: 'config' - restoreDirectory: '$(Build.SourcesDirectory)\packages' - - task: DownloadBuildArtifacts@0 - displayName: 'Download Staging' - inputs: - artifactName: staging - - task: CmdLine@2 - displayName: 'Copy Linux Binaries to BinariesDirectory' - inputs: - failOnStderr: true - script: | - mkdir "$(Build.BinariesDirectory)\build" - copy /Y "$(Build.ArtifactStagingDirectory)\staging\vcpkg-init" "$(Build.BinariesDirectory)\vcpkg-init" - copy /Y "$(Build.ArtifactStagingDirectory)\staging\vcpkg-glibc" "$(Build.BinariesDirectory)\vcpkg-glibc" - copy /Y "$(Build.ArtifactStagingDirectory)\staging\vcpkg-muslc" "$(Build.BinariesDirectory)\vcpkg-muslc" - - task: MSBuild@1 - displayName: 'Sign Binaries' - inputs: - solution: 'azure-pipelines\binary-signing.signproj' - msbuildArguments: '/p:OutDir=$(Build.BinariesDirectory)\ /p:IntermediateOutputPath=$(Build.BinariesDirectory)\' - - task: MicroBuildSignMacFiles@1 - displayName: 'Developer Sign Mac Binaries' - condition: and(eq(variables.SignType, 'test'), succeeded()) - inputs: - SigningTarget: '$(Build.ArtifactStagingDirectory)\staging\vcpkg-macos.zip' - 
SigningCert: '8005' - SigningPluginSource: 'https://devdiv.pkgs.visualstudio.com/DefaultCollection/_packaging/MicroBuildToolset/nuget/v3/index.json' - SigningPluginVersion: 'latest' - - task: MicroBuildSignMacFiles@1 - displayName: 'Sign and Harden Mac Binaries' - condition: and(eq(variables.SignType, 'real'), succeeded()) - inputs: - SigningTarget: '$(Build.ArtifactStagingDirectory)\staging\vcpkg-macos.zip' - SigningCert: '8025' - SigningPluginSource: 'https://devdiv.pkgs.visualstudio.com/DefaultCollection/_packaging/MicroBuildToolset/nuget/v3/index.json' - SigningPluginVersion: 'latest' - - task: MicroBuildSignMacFiles@1 - displayName: 'Notarize Mac Binaries' - condition: and(eq(variables.SignType, 'real'), succeeded()) - inputs: - SigningTarget: '$(Build.ArtifactStagingDirectory)\staging\vcpkg-macos.zip' - SigningCert: '8020' - MacAppName: 'vcpkg' - SigningPluginSource: 'https://devdiv.pkgs.visualstudio.com/DefaultCollection/_packaging/MicroBuildToolset/nuget/v3/index.json' - SigningPluginVersion: 'latest' - - task: Powershell@2 - displayName: 'Mint VS Insertion standalone bundle' - inputs: - pwsh: true - filePath: vcpkg-init/mint-standalone-bundle.ps1 - arguments: '-DestinationDir "$(Build.ArtifactStagingDirectory)/vs-insertion/staging" -TempDir standalone-temp -SignedFilesRoot "$(Build.ArtifactStagingDirectory)\staging" -Deployment "VisualStudio" -VcpkgBaseVersion "$(VCPKG_BASE_VERSION)"' - - task: CmdLine@2 - displayName: 'Arrange Drop and Symbols' - inputs: - failOnStderr: true - script: | - mkdir "$(Build.ArtifactStagingDirectory)\drop" +- ${{ if ne(parameters.SignTypeOverride, 'default') }}: + - name: SignType + value: ${{ parameters.SignTypeOverride }} +- ${{ if and(eq(parameters.SignTypeOverride, 'default'), or(eq(variables['Build.SourceBranchName'], 'main'), startsWith(variables['Build.SourceBranch'], 'refs/tags'))) }}: + - name: SignType + value: real +- ${{ if and(eq(parameters.SignTypeOverride, 'default'), 
not(or(eq(variables['Build.SourceBranchName'], 'main'), startsWith(variables['Build.SourceBranch'], 'refs/tags')))) }}: + - name: SignType + value: test +resources: + repositories: + - repository: MicroBuildTemplate + type: git + name: 1ESPipelineTemplates/MicroBuildTemplate + ref: refs/tags/release +extends: + template: azure-pipelines/MicroBuild.1ES.Official.yml@MicroBuildTemplate + parameters: + sdl: + sourceAnalysisPool: + name: AzurePipelines-EO + image: 1ESPT-Windows2022 + stages: + - stage: stage + jobs: + - job: arch_independent + displayName: 'Build and Sign Arch-Independent Scripts and vcpkg-artifacts' + # The first job records VCPKG_INITIAL_BASE_VERSION as VCPKG_BASE_VERSION so that all subsequent stages agree + # on the value; AzureDevOps appears to repeat evaluation of variables such that crossing UTC's day start + # would make subsequent pipeline stages use a different day producing a broken build. + # Note that pipeline.startTime seems to refer to the start of the *job*, not the overall pipeline run. 
+ timeoutInMinutes: 120 + variables: + - ${{ if eq(parameters.VcpkgBaseVersionOverride, 'default') }}: + - name: VCPKG_INITIAL_BASE_VERSION + value: $[format('{0:yyyy}-{0:MM}-{0:dd}', pipeline.startTime)] + - ${{ if ne(parameters.VcpkgBaseVersionOverride, 'default') }}: + - name: VCPKG_INITIAL_BASE_VERSION + value: ${{parameters.VcpkgBaseVersionOverride}} + - name: Codeql.BuildIdentifier + value: vcpkg_ECMAScript + - name: Codeql.Language + value: javascript + pool: + name: 'VSEngSS-MicroBuild2022-1ES' + templateContext: + mb: + signing: + enabled: true + feedSource: 'https://devdiv.pkgs.visualstudio.com/DefaultCollection/_packaging/MicroBuildToolset/nuget/v3/index.json' + signType: $(SignType) + zipSources: false + outputs: + - output: pipelineArtifact + displayName: 'Publish Architecture Independent Staging' + targetPath: '$(Build.ArtifactStagingDirectory)\staging' + artifactName: 'staging' + publishLocation: 'Container' + steps: + - task: Powershell@2 + displayName: 'Lock VCPKG_BASE_VERSION' + name: versions + inputs: + pwsh: true + targetType: 'inline' + script: | + $headSha = &git rev-parse HEAD + Write-Host "##vso[task.setvariable variable=VCPKG_BASE_VERSION;isOutput=true]$env:VCPKG_INITIAL_BASE_VERSION" + Write-Host "##vso[task.setvariable variable=VCPKG_FULL_VERSION;isOutput=true]$env:VCPKG_INITIAL_BASE_VERSION-$headSha" + - task: Powershell@2 + displayName: 'Lock Installer Scripts Versions' + inputs: + pwsh: true + filePath: vcpkg-init/lock-versions.ps1 + arguments: '-Destination "$(Build.BinariesDirectory)" -VcpkgBaseVersion $(VCPKG_INITIAL_BASE_VERSION)' + - task: UseNode@1 + displayName: Use Node 18 or later + inputs: + version: "18.x" + - task: Npm@1 + inputs: + command: 'custom' + workingDir: 'vcpkg-artifacts' + customCommand: 'ci' + customRegistry: 'useFeed' + customFeed: '0bdbc590-a062-4c3f-b0f6-9383f67865ee/105b4584-173c-41aa-8061-612294abe099' + displayName: Restore vcpkg-artifacts Dev Dependencies + - task: ComponentGovernanceComponentDetection@0 
+ displayName: Detect Components + inputs: + sourceScanPath: vcpkg-artifacts + - task: CodeQL3000Init@0 + displayName: CodeQL Initialize + - script: | + mkdir "$(Build.BinariesDirectory)" + mkdir "$(Build.BinariesDirectory)\vcpkg-artifacts" + node "$(Build.SourcesDirectory)\vcpkg-artifacts\node_modules\typescript\bin\tsc" -p "$(Build.SourcesDirectory)\vcpkg-artifacts" --outDir "$(Build.BinariesDirectory)\vcpkg-artifacts" + displayName: Build TypeScript + - task: CodeQL3000Finalize@0 + displayName: CodeQL Finalize + - task: Npm@1 + inputs: + command: 'custom' + workingDir: 'vcpkg-artifacts' + customCommand: 'ci --omit=dev' + customRegistry: 'useFeed' + customFeed: '0bdbc590-a062-4c3f-b0f6-9383f67865ee/105b4584-173c-41aa-8061-612294abe099' + displayName: Restore vcpkg-artifacts Prod Dependencies + - script: | # This script must be kept in sync with vcpkg-artifacts-target in CMakeLists.txt + rmdir /s /q "$(Build.BinariesDirectory)\vcpkg-artifacts\test" + rmdir /s /q "$(Build.BinariesDirectory)\vcpkg-artifacts\test_resources" + mkdir "$(Build.BinariesDirectory)\vcpkg-artifacts\locales" + mkdir "$(Build.BinariesDirectory)\vcpkg-artifacts\node_modules" + xcopy /F /E "$(Build.SourcesDirectory)\vcpkg-artifacts\node_modules" "$(Build.BinariesDirectory)\vcpkg-artifacts\node_modules" + :: to avoid signing 'semver' .ps1s + rmdir /s /q "$(Build.BinariesDirectory)\vcpkg-artifacts\node_modules\.bin" + copy "$(Build.SourcesDirectory)\vcpkg-artifacts\package.json" "$(Build.BinariesDirectory)\vcpkg-artifacts\package.json" + copy "$(Build.SourcesDirectory)\vcpkg-artifacts\package-lock.json" "$(Build.BinariesDirectory)\vcpkg-artifacts\package-lock.json" + copy "$(Build.SourcesDirectory)\vcpkg-artifacts\.npmrc" "$(Build.BinariesDirectory)\vcpkg-artifacts\.npmrc" + copy "$(Build.SourcesDirectory)\vcpkg-artifacts\locales\messages.json" "$(Build.BinariesDirectory)\vcpkg-artifacts\locales\messages.json" + displayName: Delete Tests, Store Dependencies and Static Components for Signing + - 
script: | + mkdir "$(Build.BinariesDirectory)\scripts" + xcopy /F /E "$(Build.SourcesDirectory)\scripts" "$(Build.BinariesDirectory)\scripts" + displayName: Collect PowerShell Scripts for Signing + - task: NuGetToolInstaller@1 + inputs: + versionSpec: 5.7 + - task: NuGetCommand@2 + displayName: 'NuGet Restore MicroBuild Signing Extension' + inputs: + command: 'restore' + restoreSolution: 'azure-pipelines/arch-independent-signing.signproj' + feedsToUse: 'config' + restoreDirectory: '$(Build.SourcesDirectory)\packages' + - task: MSBuild@1 + displayName: 'Sign Architecture Independent Files' + inputs: + solution: 'azure-pipelines\arch-independent-signing.signproj' + msbuildArguments: '/p:OutDir=$(Build.BinariesDirectory)\ /p:IntermediateOutputPath=$(Build.BinariesDirectory)\' + # Note that signing must happen before packing steps because the packs contain files that are themselves signed. + - script: | + copy "$(Build.BinariesDirectory)\vcpkg-init.ps1" "$(Build.BinariesDirectory)\vcpkg-init.cmd" + displayName: 'Duplicate Install Scripts' + - task: Powershell@2 + displayName: 'Build One-Liner vcpkg-standalone-bundle.tar.gz' + inputs: + pwsh: true + filePath: vcpkg-init/mint-standalone-bundle.ps1 + arguments: '-DestinationTarball "$(Build.BinariesDirectory)\vcpkg-standalone-bundle.tar.gz" -TempDir standalone-temp -SignedFilesRoot "$(Build.BinariesDirectory)" -Deployment OneLiner -VcpkgBaseVersion "$(VCPKG_INITIAL_BASE_VERSION)"' + - script: | + mkdir "$(Build.ArtifactStagingDirectory)\staging" + mkdir "$(Build.ArtifactStagingDirectory)\staging\scripts" + move "$(Build.BinariesDirectory)\vcpkg-standalone-bundle.tar.gz" "$(Build.ArtifactStagingDirectory)\staging\vcpkg-standalone-bundle.tar.gz" + move "$(Build.BinariesDirectory)\vcpkg-init" "$(Build.ArtifactStagingDirectory)\staging\vcpkg-init" + move "$(Build.BinariesDirectory)\vcpkg-init.ps1" "$(Build.ArtifactStagingDirectory)\staging\vcpkg-init.ps1" + move "$(Build.BinariesDirectory)\vcpkg-init.cmd" 
"$(Build.ArtifactStagingDirectory)\staging\vcpkg-init.cmd" + move "$(Build.BinariesDirectory)\scripts\applocal.ps1" "$(Build.ArtifactStagingDirectory)\staging\scripts\applocal.ps1" + move "$(Build.BinariesDirectory)\scripts\addPoshVcpkgToPowershellProfile.ps1" "$(Build.ArtifactStagingDirectory)\staging\scripts\addPoshVcpkgToPowershellProfile.ps1" + move "$(Build.BinariesDirectory)\scripts\posh-vcpkg.psm1" "$(Build.ArtifactStagingDirectory)\staging\scripts\posh-vcpkg.psm1" + move "$(Build.BinariesDirectory)\vcpkg-artifacts" "$(Build.ArtifactStagingDirectory)\staging\vcpkg-artifacts" + displayName: 'Arrange Architecture-independent Files for Staging' + - task: Powershell@2 + displayName: Generate Arch-independent SHA512s + name: shas + inputs: + pwsh: true + targetType: 'inline' + script: | + $standaloneBundleSha = (Get-FileHash "$(Build.ArtifactStagingDirectory)\staging\vcpkg-standalone-bundle.tar.gz" -Algorithm SHA512).Hash.ToLowerInvariant() + Write-Host "##vso[task.setvariable variable=VCPKG_STANDALONE_BUNDLE_SHA;isOutput=true]$standaloneBundleSha" + - job: macos_build + displayName: 'MacOS Build' + dependsOn: + - arch_independent + pool: + vmImage: macOS-12 + variables: + VCPKG_STANDALONE_BUNDLE_SHA: $[ dependencies.arch_independent.outputs['shas.VCPKG_STANDALONE_BUNDLE_SHA'] ] + VCPKG_BASE_VERSION: $[ dependencies.arch_independent.outputs['versions.VCPKG_BASE_VERSION'] ] + templateContext: + outputs: + - output: pipelineArtifact + displayName: 'Publish Unsigned MacOS Binary' + artifactName: 'staging' + publishLocation: 'Container' + steps: + - task: CmdLine@2 + displayName: "Build vcpkg with CMake" + inputs: + failOnStderr: true + script: | + cmake -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_BUILD_TYPE=Release -DBUILD_TESTING=OFF -DVCPKG_DEVELOPMENT_WARNINGS=ON -DVCPKG_WARNINGS_AS_ERRORS=ON -DVCPKG_BUILD_FUZZING=OFF -DVCPKG_EMBED_GIT_SHA=ON -DVCPKG_OFFICIAL_BUILD=ON -DCMAKE_OSX_DEPLOYMENT_TARGET=10.13 -DCMAKE_OSX_ARCHITECTURES="arm64;x86_64" 
"-DVCPKG_FMT_URL=$(fmt-tarball-url)" "-DVCPKG_CMAKERC_URL=$(cmakerc-tarball-url)" "-DVCPKG_BASE_VERSION=$VCPKG_BASE_VERSION" "-DVCPKG_VERSION=$(Build.SourceVersion)" "-DVCPKG_STANDALONE_BUNDLE_SHA=$VCPKG_STANDALONE_BUNDLE_SHA" -B "$(Build.BinariesDirectory)/build" 2>&1 + make -j 8 -C "$(Build.BinariesDirectory)/build" + zip -j "$(Build.ArtifactStagingDirectory)/vcpkg-macos.zip" "$(Build.BinariesDirectory)/build/vcpkg" + - job: glibc_build + displayName: 'glibc Build' + dependsOn: + - arch_independent + pool: + name: 'vcpkg-mariner-1espt' + variables: + VCPKG_STANDALONE_BUNDLE_SHA: $[ dependencies.arch_independent.outputs['shas.VCPKG_STANDALONE_BUNDLE_SHA'] ] + VCPKG_BASE_VERSION: $[ dependencies.arch_independent.outputs['versions.VCPKG_BASE_VERSION'] ] + templateContext: + outputs: + - output: pipelineArtifact + displayName: 'Publish Unsigned glibc Binary' + artifactName: 'staging' + publishLocation: 'Container' + steps: + - bash: | + az login --identity --username 29a4d3e7-c7d5-41c7-b5a0-fee8cf466371 + az acr login --name vcpkgdockercontainers + displayName: 'Set up managed identity' + - task: CmdLine@2 + displayName: "Build vcpkg in Mariner with Ubuntu 16.04 Libraries" + inputs: + failOnStderr: false + script: | + mkdir -p "$(Agent.TempDirectory)/build" + docker run --rm --mount "type=bind,source=$(Build.Repository.LocalPath),target=/source,readonly" --mount "type=bind,source=$(Agent.TempDirectory)/build,target=/build" vcpkgdockercontainers.azurecr.io/vcpkg/vcpkg-linux:2024-03-21 sh -c "cmake -G Ninja -DCMAKE_TOOLCHAIN_FILE=/source/azure-pipelines/vcpkg-linux/toolchain.cmake -DCMAKE_BUILD_TYPE=Release -DBUILD_TESTING=OFF -DVCPKG_DEVELOPMENT_WARNINGS=ON -DVCPKG_WARNINGS_AS_ERRORS=ON -DVCPKG_BUILD_FUZZING=OFF -DVCPKG_EMBED_GIT_SHA=ON -DVCPKG_OFFICIAL_BUILD=ON -DVCPKG_CMAKERC_URL=$(cmakerc-tarball-url) -DVCPKG_FMT_URL=$(fmt-tarball-url) -DVCPKG_STANDALONE_BUNDLE_SHA=$(VCPKG_STANDALONE_BUNDLE_SHA) -DVCPKG_BASE_VERSION=$(VCPKG_BASE_VERSION) 
-DVCPKG_VERSION=$(Build.SourceVersion) -S /source -B /build 2>&1 && ninja -C /build" + mv "$(Agent.TempDirectory)/build/vcpkg" "$(Build.ArtifactStagingDirectory)/vcpkg-glibc" + - job: muslc_build + displayName: 'muslc (Alpine) Build' + pool: + name: 'vcpkg-mariner-1espt' + dependsOn: + - arch_independent + variables: + VCPKG_STANDALONE_BUNDLE_SHA: $[ dependencies.arch_independent.outputs['shas.VCPKG_STANDALONE_BUNDLE_SHA'] ] + VCPKG_BASE_VERSION: $[ dependencies.arch_independent.outputs['versions.VCPKG_BASE_VERSION'] ] + templateContext: + outputs: + - output: pipelineArtifact + displayName: 'Publish Unsigned muslc Binary' + artifactName: 'staging' + publishLocation: 'Container' + steps: + - bash: | + az login --identity --username 29a4d3e7-c7d5-41c7-b5a0-fee8cf466371 + az acr login --name vcpkgdockercontainers + displayName: 'Set up managed identity' + - task: CmdLine@2 + displayName: "Build vcpkg in Alpine" + inputs: + failOnStderr: false + script: | + mkdir -p "$(Agent.TempDirectory)/build" + docker run --rm --mount "type=bind,source=$(Build.Repository.LocalPath),target=/source,readonly" --mount "type=bind,source=$(Agent.TempDirectory)/build,target=/build" vcpkgdockercontainers.azurecr.io/vcpkg/vcpkg-alpine:3.16 sh -c "cmake -G Ninja -DCMAKE_BUILD_TYPE=Release -DBUILD_TESTING=OFF -DVCPKG_DEVELOPMENT_WARNINGS=ON -DVCPKG_WARNINGS_AS_ERRORS=ON -DVCPKG_BUILD_FUZZING=OFF -DVCPKG_EMBED_GIT_SHA=ON -DVCPKG_OFFICIAL_BUILD=ON -DCMAKE_CXX_FLAGS=\"-static -s -static-libgcc -static-libstdc++\" -DVCPKG_CMAKERC_URL=$(cmakerc-tarball-url) -DVCPKG_FMT_URL=$(fmt-tarball-url) -DVCPKG_STANDALONE_BUNDLE_SHA=$(VCPKG_STANDALONE_BUNDLE_SHA) -DVCPKG_BASE_VERSION=$(VCPKG_BASE_VERSION) -DVCPKG_VERSION=$(Build.SourceVersion) -S /source -B /build 2>&1 && ninja -C /build" + mv "$(Agent.TempDirectory)/build/vcpkg" "$(Build.ArtifactStagingDirectory)/vcpkg-muslc" + - job: windows_and_sign + displayName: 'Build Windows binaries and Sign' + timeoutInMinutes: 120 + dependsOn: + - arch_independent 
+ - macos_build + - glibc_build + - muslc_build + pool: + name: 'VSEngSS-MicroBuild2022-1ES' + variables: + VCPKG_STANDALONE_BUNDLE_SHA: $[ dependencies.arch_independent.outputs['shas.VCPKG_STANDALONE_BUNDLE_SHA'] ] + VCPKG_BASE_VERSION: $[ dependencies.arch_independent.outputs['versions.VCPKG_BASE_VERSION'] ] + VCPKG_FULL_VERSION: $[ dependencies.arch_independent.outputs['versions.VCPKG_FULL_VERSION'] ] + Codeql.BuildIdentifier: vcpkg_cpp + Codeql.Language: cpp + templateContext: + mb: + signing: + enabled: true + feedSource: 'https://devdiv.pkgs.visualstudio.com/DefaultCollection/_packaging/MicroBuildToolset/nuget/v3/index.json' + signType: $(SignType) + zipSources: false + outputs: + - output: pipelineArtifact + displayName: 'Publish Drop' + targetPath: '$(Build.ArtifactStagingDirectory)\drop' + artifactName: 'Drop' + publishLocation: 'Container' + - ${{ if or(eq(parameters.PublishTo, 'GitHub and NuGet'),eq(parameters.PublishTo, 'NuGet Only')) }}: + - output: pipelineArtifact + displayName: 'Publish nupkg as Artifact' + targetPath: '$(Build.ArtifactStagingDirectory)/vs-insertion/drop' + artifactName: 'vs-insertion' + publishLocation: 'Container' + - ${{ if and(eq(parameters.PublishTo, 'GitHub and NuGet'), eq(variables.SignType, 'real'), succeeded()) }}: + - output: nuget + displayName: 'NuGet publish for VS Insertion' + condition: and(eq(variables.SignType, 'real'), succeeded()) + packageParentPath: '$(Build.ArtifactStagingDirectory)' + packagesToPush: '$(Build.ArtifactStagingDirectory)/vs-insertion/drop/VS.Redist.Vcpkg.amd64.1.0.0-$(VCPKG_FULL_VERSION).nupkg' + publishVstsFeed: '97a41293-2972-4f48-8c0e-05493ae82010' + steps: + - task: CodeQL3000Init@0 + displayName: 'CodeQL Initialize' + - task: CmdLine@2 + displayName: "Build vcpkg amd64 with CMake" + inputs: + failOnStderr: true + script: | + call "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\Common7\Tools\VsDevCmd.bat" -arch=amd64 -host_arch=amd64 + cmake.exe --version + cmake.exe -G Ninja 
-DCMAKE_BUILD_TYPE=Release -DBUILD_TESTING=OFF -DVCPKG_DEVELOPMENT_WARNINGS=ON -DVCPKG_WARNINGS_AS_ERRORS=ON -DVCPKG_BUILD_FUZZING=OFF -DVCPKG_BUILD_TLS12_DOWNLOADER=ON -DVCPKG_EMBED_GIT_SHA=ON -DVCPKG_OFFICIAL_BUILD=ON "-DVCPKG_FMT_URL=$(fmt-tarball-url)" "-DVCPKG_CMAKERC_URL=$(cmakerc-tarball-url)" "-DVCPKG_BASE_VERSION=$(VCPKG_BASE_VERSION)" "-DVCPKG_VERSION=$(Build.SourceVersion)" "-DVCPKG_STANDALONE_BUNDLE_SHA=$(VCPKG_STANDALONE_BUNDLE_SHA)" -B "$(Build.BinariesDirectory)\amd64" + ninja.exe -C "$(Build.BinariesDirectory)\amd64" + - task: CmdLine@2 + displayName: "Build vcpkg arm64 with CMake" + inputs: + failOnStderr: true + script: | + call "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\Common7\Tools\VsDevCmd.bat" -arch=arm64 -host_arch=amd64 + cmake.exe --version + cmake.exe -G Ninja -DCMAKE_BUILD_TYPE=Release -DBUILD_TESTING=OFF -DVCPKG_DEVELOPMENT_WARNINGS=ON -DVCPKG_WARNINGS_AS_ERRORS=ON -DVCPKG_BUILD_FUZZING=OFF -DVCPKG_BUILD_TLS12_DOWNLOADER=ON -DVCPKG_EMBED_GIT_SHA=ON -DVCPKG_OFFICIAL_BUILD=ON -DVCPKG_PDB_SUFFIX="-arm64" "-DVCPKG_FMT_URL=$(fmt-tarball-url)" "-DVCPKG_CMAKERC_URL=$(cmakerc-tarball-url)" "-DVCPKG_BASE_VERSION=$(VCPKG_BASE_VERSION)" "-DVCPKG_VERSION=$(Build.SourceVersion)" "-DVCPKG_STANDALONE_BUNDLE_SHA=$(VCPKG_STANDALONE_BUNDLE_SHA)" -B "$(Build.BinariesDirectory)\arm64" + ninja.exe -C "$(Build.BinariesDirectory)\arm64" + - task: CodeQL3000Finalize@0 + displayName: 'CodeQL Finalize' + - task: NuGetToolInstaller@1 + inputs: + versionSpec: 5.7 + - task: NuGetCommand@2 + displayName: 'NuGet Restore MicroBuild Signing Extension' + inputs: + command: 'restore' + restoreSolution: 'azure-pipelines/binary-signing.signproj' + feedsToUse: 'config' + restoreDirectory: '$(Build.SourcesDirectory)\packages' + - task: DownloadBuildArtifacts@0 + displayName: 'Download Staging' + inputs: + artifactName: staging + - task: CmdLine@2 + displayName: 'Copy Linux Binaries to BinariesDirectory' + inputs: + failOnStderr: true + script: | + mkdir 
"$(Build.BinariesDirectory)\build" + copy /Y "$(Build.ArtifactStagingDirectory)\staging\vcpkg-init" "$(Build.BinariesDirectory)\vcpkg-init" + copy /Y "$(Build.ArtifactStagingDirectory)\staging\vcpkg-glibc" "$(Build.BinariesDirectory)\vcpkg-glibc" + copy /Y "$(Build.ArtifactStagingDirectory)\staging\vcpkg-muslc" "$(Build.BinariesDirectory)\vcpkg-muslc" + - task: MSBuild@1 + displayName: 'Sign Binaries' + inputs: + solution: 'azure-pipelines\binary-signing.signproj' + msbuildArguments: '/p:OutDir=$(Build.BinariesDirectory)\ /p:IntermediateOutputPath=$(Build.BinariesDirectory)\' + - task: MicroBuildSignMacFiles@1 + displayName: 'Developer Sign Mac Binaries' + condition: and(eq(variables.SignType, 'test'), succeeded()) + inputs: + SigningTarget: '$(Build.ArtifactStagingDirectory)\staging\vcpkg-macos.zip' + SigningCert: '8005' + SigningPluginSource: 'https://devdiv.pkgs.visualstudio.com/DefaultCollection/_packaging/MicroBuildToolset/nuget/v3/index.json' + SigningPluginVersion: 'latest' + - task: MicroBuildSignMacFiles@1 + displayName: 'Sign and Harden Mac Binaries' + condition: and(eq(variables.SignType, 'real'), succeeded()) + inputs: + SigningTarget: '$(Build.ArtifactStagingDirectory)\staging\vcpkg-macos.zip' + SigningCert: '8025' + SigningPluginSource: 'https://devdiv.pkgs.visualstudio.com/DefaultCollection/_packaging/MicroBuildToolset/nuget/v3/index.json' + SigningPluginVersion: 'latest' + - task: MicroBuildSignMacFiles@1 + displayName: 'Notarize Mac Binaries' + condition: and(eq(variables.SignType, 'real'), succeeded()) + inputs: + SigningTarget: '$(Build.ArtifactStagingDirectory)\staging\vcpkg-macos.zip' + SigningCert: '8020' + MacAppName: 'vcpkg' + SigningPluginSource: 'https://devdiv.pkgs.visualstudio.com/DefaultCollection/_packaging/MicroBuildToolset/nuget/v3/index.json' + SigningPluginVersion: 'latest' + - task: Powershell@2 + displayName: 'Mint VS Insertion standalone bundle' + inputs: + pwsh: true + filePath: vcpkg-init/mint-standalone-bundle.ps1 + 
arguments: '-DestinationDir "$(Build.ArtifactStagingDirectory)/vs-insertion/staging" -TempDir standalone-temp -SignedFilesRoot "$(Build.ArtifactStagingDirectory)\staging" -Deployment "VisualStudio" -VcpkgBaseVersion "$(VCPKG_BASE_VERSION)"' + - task: CmdLine@2 + displayName: 'Arrange Drop and Symbols' + inputs: + failOnStderr: true + script: | + mkdir "$(Build.ArtifactStagingDirectory)\drop" - copy "$(Build.SourcesDirectory)\NOTICE.txt" "$(Build.ArtifactStagingDirectory)\drop\NOTICE.txt" + copy "$(Build.SourcesDirectory)\NOTICE.txt" "$(Build.ArtifactStagingDirectory)\drop\NOTICE.txt" - move "$(Build.ArtifactStagingDirectory)\staging\vcpkg-init" "$(Build.ArtifactStagingDirectory)\drop\vcpkg-init" - move "$(Build.ArtifactStagingDirectory)\staging\vcpkg-init.cmd" "$(Build.ArtifactStagingDirectory)\drop\vcpkg-init.cmd" - move "$(Build.ArtifactStagingDirectory)\staging\vcpkg-init.ps1" "$(Build.ArtifactStagingDirectory)\drop\vcpkg-init.ps1" - move "$(Build.ArtifactStagingDirectory)\staging\scripts\applocal.ps1" "$(Build.ArtifactStagingDirectory)\drop\applocal.ps1" - move "$(Build.ArtifactStagingDirectory)\staging\scripts\addPoshVcpkgToPowershellProfile.ps1" "$(Build.ArtifactStagingDirectory)\drop\addPoshVcpkgToPowershellProfile.ps1" - move "$(Build.ArtifactStagingDirectory)\staging\scripts\posh-vcpkg.psm1" "$(Build.ArtifactStagingDirectory)\drop\posh-vcpkg.psm1" - move "$(Build.ArtifactStagingDirectory)\staging\vcpkg-glibc" "$(Build.ArtifactStagingDirectory)\drop\vcpkg-glibc" - move "$(Build.ArtifactStagingDirectory)\staging\vcpkg-muslc" "$(Build.ArtifactStagingDirectory)\drop\vcpkg-muslc" - move "$(Build.ArtifactStagingDirectory)\staging\vcpkg-standalone-bundle.tar.gz" "$(Build.ArtifactStagingDirectory)\drop\vcpkg-standalone-bundle.tar.gz" + move "$(Build.ArtifactStagingDirectory)\staging\vcpkg-init" "$(Build.ArtifactStagingDirectory)\drop\vcpkg-init" + move "$(Build.ArtifactStagingDirectory)\staging\vcpkg-init.cmd" 
"$(Build.ArtifactStagingDirectory)\drop\vcpkg-init.cmd" + move "$(Build.ArtifactStagingDirectory)\staging\vcpkg-init.ps1" "$(Build.ArtifactStagingDirectory)\drop\vcpkg-init.ps1" + move "$(Build.ArtifactStagingDirectory)\staging\scripts\applocal.ps1" "$(Build.ArtifactStagingDirectory)\drop\applocal.ps1" + move "$(Build.ArtifactStagingDirectory)\staging\scripts\addPoshVcpkgToPowershellProfile.ps1" "$(Build.ArtifactStagingDirectory)\drop\addPoshVcpkgToPowershellProfile.ps1" + move "$(Build.ArtifactStagingDirectory)\staging\scripts\posh-vcpkg.psm1" "$(Build.ArtifactStagingDirectory)\drop\posh-vcpkg.psm1" + move "$(Build.ArtifactStagingDirectory)\staging\vcpkg-glibc" "$(Build.ArtifactStagingDirectory)\drop\vcpkg-glibc" + move "$(Build.ArtifactStagingDirectory)\staging\vcpkg-muslc" "$(Build.ArtifactStagingDirectory)\drop\vcpkg-muslc" + move "$(Build.ArtifactStagingDirectory)\staging\vcpkg-standalone-bundle.tar.gz" "$(Build.ArtifactStagingDirectory)\drop\vcpkg-standalone-bundle.tar.gz" - move "$(Build.BinariesDirectory)\amd64\vcpkg.exe" "$(Build.ArtifactStagingDirectory)\drop\vcpkg.exe" - copy "$(Build.ArtifactStagingDirectory)\drop\vcpkg.exe" "$(Build.ArtifactStagingDirectory)\vs-insertion\staging\vcpkg.exe" + move "$(Build.BinariesDirectory)\amd64\vcpkg.exe" "$(Build.ArtifactStagingDirectory)\drop\vcpkg.exe" + copy "$(Build.ArtifactStagingDirectory)\drop\vcpkg.exe" "$(Build.ArtifactStagingDirectory)\vs-insertion\staging\vcpkg.exe" - move "$(Build.BinariesDirectory)\amd64\vcpkg.pdb" "$(Build.ArtifactStagingDirectory)\drop\vcpkg.pdb" - move "$(Build.BinariesDirectory)\amd64\tls12-download.exe" "$(Build.ArtifactStagingDirectory)\drop\tls12-download.exe" - move "$(Build.BinariesDirectory)\amd64\tls12-download.pdb" "$(Build.ArtifactStagingDirectory)\drop\tls12-download.pdb" - move "$(Build.BinariesDirectory)\arm64\vcpkg.exe" "$(Build.ArtifactStagingDirectory)\drop\vcpkg-arm64.exe" - move "$(Build.BinariesDirectory)\arm64\vcpkg-arm64.pdb" 
"$(Build.ArtifactStagingDirectory)\drop\vcpkg-arm64.pdb" - move "$(Build.BinariesDirectory)\arm64\tls12-download.exe" "$(Build.ArtifactStagingDirectory)\drop\tls12-download-arm64.exe" - move "$(Build.BinariesDirectory)\arm64\tls12-download-arm64.pdb" "$(Build.ArtifactStagingDirectory)\drop\tls12-download-arm64.pdb" + move "$(Build.BinariesDirectory)\amd64\vcpkg.pdb" "$(Build.ArtifactStagingDirectory)\drop\vcpkg.pdb" + move "$(Build.BinariesDirectory)\amd64\tls12-download.exe" "$(Build.ArtifactStagingDirectory)\drop\tls12-download.exe" + move "$(Build.BinariesDirectory)\amd64\tls12-download.pdb" "$(Build.ArtifactStagingDirectory)\drop\tls12-download.pdb" + move "$(Build.BinariesDirectory)\arm64\vcpkg.exe" "$(Build.ArtifactStagingDirectory)\drop\vcpkg-arm64.exe" + move "$(Build.BinariesDirectory)\arm64\vcpkg-arm64.pdb" "$(Build.ArtifactStagingDirectory)\drop\vcpkg-arm64.pdb" + move "$(Build.BinariesDirectory)\arm64\tls12-download.exe" "$(Build.ArtifactStagingDirectory)\drop\tls12-download-arm64.exe" + move "$(Build.BinariesDirectory)\arm64\tls12-download-arm64.pdb" "$(Build.ArtifactStagingDirectory)\drop\tls12-download-arm64.pdb" - mkdir "$(Build.ArtifactStagingDirectory)\staging\macos" - tar.exe -C "$(Build.ArtifactStagingDirectory)\staging\macos" -xf "$(Build.ArtifactStagingDirectory)\staging\vcpkg-macos.zip" - move "$(Build.ArtifactStagingDirectory)\staging\macos\vcpkg" "$(Build.ArtifactStagingDirectory)\drop\vcpkg-macos" + mkdir "$(Build.ArtifactStagingDirectory)\staging\macos" + tar.exe -C "$(Build.ArtifactStagingDirectory)\staging\macos" -xf "$(Build.ArtifactStagingDirectory)\staging\vcpkg-macos.zip" + move "$(Build.ArtifactStagingDirectory)\staging\macos\vcpkg" "$(Build.ArtifactStagingDirectory)\drop\vcpkg-macos" - copy "$(Build.SourcesDirectory)\azure-pipelines\vs-insertion\vcpkg.nuspec" "$(Build.ArtifactStagingDirectory)\vs-insertion\staging\vcpkg.nuspec" + copy "$(Build.SourcesDirectory)\azure-pipelines\vs-insertion\vcpkg.nuspec" 
"$(Build.ArtifactStagingDirectory)\vs-insertion\staging\vcpkg.nuspec" - mkdir "$(Build.ArtifactStagingDirectory)\symbols" - copy "$(Build.ArtifactStagingDirectory)\drop\vcpkg.exe" "$(Build.ArtifactStagingDirectory)\symbols\vcpkg.exe" - copy "$(Build.ArtifactStagingDirectory)\drop\vcpkg.pdb" "$(Build.ArtifactStagingDirectory)\symbols\vcpkg.pdb" - copy "$(Build.ArtifactStagingDirectory)\drop\tls12-download.exe" "$(Build.ArtifactStagingDirectory)\symbols\tls12-download.exe" - copy "$(Build.ArtifactStagingDirectory)\drop\tls12-download.pdb" "$(Build.ArtifactStagingDirectory)\symbols\tls12-download.pdb" - copy "$(Build.ArtifactStagingDirectory)\drop\vcpkg-arm64.exe" "$(Build.ArtifactStagingDirectory)\symbols\vcpkg-arm64.exe" - copy "$(Build.ArtifactStagingDirectory)\drop\vcpkg-arm64.pdb" "$(Build.ArtifactStagingDirectory)\symbols\vcpkg-arm64.pdb" - copy "$(Build.ArtifactStagingDirectory)\drop\tls12-download-arm64.exe" "$(Build.ArtifactStagingDirectory)\symbols\tls12-download-arm64.exe" - copy "$(Build.ArtifactStagingDirectory)\drop\tls12-download-arm64.pdb" "$(Build.ArtifactStagingDirectory)\symbols\tls12-download-arm64.pdb" - - task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0 - displayName: 'Generate SBOMs' - inputs: - BuildDropPath: '$(Build.ArtifactStagingDirectory)/drop' - ManifestDirPath: '$(Build.ArtifactStagingDirectory)/drop' - PackageName: vcpkg - PackageVersion: '$(VCPKG_BASE_VERSION)' - - task: CmdLine@2 - displayName: 'Add Drop PGP Signatures (real sign only)' - condition: and(eq(variables.SignType, 'real'), succeeded()) - inputs: - failOnStderr: true - script: | - move "$(Build.BinariesDirectory)\vcpkg-init" "$(Build.ArtifactStagingDirectory)\drop\vcpkg-init.sig" - move "$(Build.BinariesDirectory)\vcpkg-glibc" "$(Build.ArtifactStagingDirectory)\drop\vcpkg-glibc.sig" - move "$(Build.BinariesDirectory)\vcpkg-muslc" "$(Build.ArtifactStagingDirectory)\drop\vcpkg-muslc.sig" - # Create NuGet package. 
- - task: NuGetCommand@2 - displayName: 'NuGet pack for VS Insertion' - inputs: - command: custom - arguments: 'pack $(Build.ArtifactStagingDirectory)/vs-insertion/staging/vcpkg.nuspec -NoDefaultExcludes -OutputDirectory "$(Build.ArtifactStagingDirectory)/vs-insertion/drop" -Properties version=$(VCPKG_FULL_VERSION)' - - task: MSBuild@1 - displayName: 'Sign VS Insertion NuGet Package' - inputs: - solution: 'azure-pipelines\nuget-package.signproj' - msbuildArguments: '/p:OutDir=$(Build.ArtifactStagingDirectory)\vs-insertion\drop /p:IntermediateOutputPath=$(Build.ArtifactStagingDirectory)\vs-insertion\drop' - - task: PublishBuildArtifacts@1 - displayName: 'Publish nupkg as Artifact' - inputs: - PathtoPublish: '$(Build.ArtifactStagingDirectory)/vs-insertion/drop' - ArtifactName: 'vs-insertion' - publishLocation: 'Container' - # Do compliance checks. - - task: BinSkim@4 - inputs: - InputType: 'CommandLine' - arguments: 'analyze "$(Build.ArtifactStagingDirectory)\drop\vcpkg.exe" "$(Build.ArtifactStagingDirectory)\drop\tls12-download.exe" "$(Build.ArtifactStagingDirectory)\vcpkg-arm64.exe" "$(Build.ArtifactStagingDirectory)\tls12-download-arm64.exe"' - - task: PoliCheck@2 - inputs: - inputType: 'Basic' - targetType: 'F' - targetArgument: '$(Build.ArtifactStagingDirectory)\drop' - result: 'PoliCheck.xml' - - task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@3 - displayName: Run CredScan - inputs: - toolMajorVersion: V2 - - task: securedevelopmentteam.vss-secure-development-tools.build-task-postanalysis.PostAnalysis@2 - displayName: Check for compliance errors - # To avoid spurious warnings about missing logs, explicitly declare what we scanned. 
- inputs: - BinSkim: true - CredScan: true - PoliCheck: true - # Publish everything to a Drop - - task: PublishBuildArtifacts@1 - displayName: 'Publish Drop' - inputs: - PathtoPublish: '$(Build.ArtifactStagingDirectory)\drop' - ArtifactName: 'Drop' - publishLocation: 'Container' - # Publish everything to VS Insertion - - ${{ if or(eq(parameters.PublishTo, 'GitHub and NuGet'),eq(parameters.PublishTo, 'NuGet Only')) }}: - - task: NuGetCommand@2 - displayName: 'NuGet publish for VS Insertion' - condition: and(eq(variables.SignType, 'real'), succeeded()) - inputs: - command: push - packagesToPush: '$(Build.ArtifactStagingDirectory)/vs-insertion/drop/VS.Redist.Vcpkg.amd64.1.0.0-$(VCPKG_FULL_VERSION).nupkg' - publishVstsFeed: '97a41293-2972-4f48-8c0e-05493ae82010' - # Publish symbols - - ${{ if ne(parameters.PublishTo, 'None') }}: - - task: MicroBuildArchiveSymbols@4 - displayName: 'Upload Symbols' - inputs: - SymbolsFeatureName: 'vcpkg' - SymbolsProject: 'VS' - SymbolsAgentPath: '$(Build.ArtifactStagingDirectory)\symbols' - azureSubscription: 'Symbols Upload (DevDiv)' - # Publish everything to a GitHub Release - - ${{ if eq(parameters.PublishTo, 'GitHub and NuGet') }}: - - task: DownloadSecureFile@1 - displayName: Download Deploy Key - name: githubDeployKey - condition: and(eq(variables.SignType, 'real'), succeeded()) - inputs: - secureFile: id_vcpkg_tool - # GitHub has a large, regularly changing set of IP address, so ignore the - # hostname and allow anything with the right key. - # https://docs.github.com/en/github/authenticating-to-github/keeping-your-account-and-data-secure/about-githubs-ip-addresses - # This public key should have the well-known fingerprint documented below. 
- # SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s - # https://docs.github.com/en/github/authenticating-to-github/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints - - script: mkdir %USERPROFILE%\.ssh && echo github.com ssh-rsa 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>>%USERPROFILE%\.ssh\known_hosts - displayName: Store GitHub Public Key - condition: and(eq(variables.SignType, 'real'), succeeded()) - - script: git -c user.email=embeddedbot@microsoft.com -c user.name="Embedded Bot" push git@github.com:microsoft/vcpkg-tool HEAD:refs/tags/%VCPKG_BASE_VERSION% - condition: and(eq(variables.SignType, 'real'), succeeded()) - env: - GIT_SSH_COMMAND: ssh -i "$(githubDeployKey.secureFilePath)" - displayName: Push Release Tag - - task: GitHubRelease@0 - displayName: Publish GitHub Release - condition: and(eq(variables.SignType, 'real'), succeeded()) - inputs: - gitHubConnection: embeddedbot - repositoryName: microsoft/vcpkg-tool - isPreRelease: true - isDraft: true - title: $(VCPKG_BASE_VERSION) Release - tagSource: manual - tag: $(VCPKG_BASE_VERSION) - assets: "$(Build.ArtifactStagingDirectory)\\drop\\*" - addChangeLog: false - compareWith: 'lastFullRelease' - - task: MicroBuildCleanup@1 - condition: succeededOrFailed() - displayName: MicroBuild Cleanup + mkdir "$(Build.ArtifactStagingDirectory)\symbols" + copy "$(Build.ArtifactStagingDirectory)\drop\vcpkg.exe" "$(Build.ArtifactStagingDirectory)\symbols\vcpkg.exe" + copy "$(Build.ArtifactStagingDirectory)\drop\vcpkg.pdb" "$(Build.ArtifactStagingDirectory)\symbols\vcpkg.pdb" + copy "$(Build.ArtifactStagingDirectory)\drop\tls12-download.exe" "$(Build.ArtifactStagingDirectory)\symbols\tls12-download.exe" + copy "$(Build.ArtifactStagingDirectory)\drop\tls12-download.pdb" "$(Build.ArtifactStagingDirectory)\symbols\tls12-download.pdb" + copy "$(Build.ArtifactStagingDirectory)\drop\vcpkg-arm64.exe" "$(Build.ArtifactStagingDirectory)\symbols\vcpkg-arm64.exe" + copy 
"$(Build.ArtifactStagingDirectory)\drop\vcpkg-arm64.pdb" "$(Build.ArtifactStagingDirectory)\symbols\vcpkg-arm64.pdb" + copy "$(Build.ArtifactStagingDirectory)\drop\tls12-download-arm64.exe" "$(Build.ArtifactStagingDirectory)\symbols\tls12-download-arm64.exe" + copy "$(Build.ArtifactStagingDirectory)\drop\tls12-download-arm64.pdb" "$(Build.ArtifactStagingDirectory)\symbols\tls12-download-arm64.pdb" + - task: CmdLine@2 + displayName: 'Add Drop PGP Signatures (real sign only)' + condition: and(eq(variables.SignType, 'real'), succeeded()) + inputs: + failOnStderr: true + script: | + move "$(Build.BinariesDirectory)\vcpkg-init" "$(Build.ArtifactStagingDirectory)\drop\vcpkg-init.sig" + move "$(Build.BinariesDirectory)\vcpkg-glibc" "$(Build.ArtifactStagingDirectory)\drop\vcpkg-glibc.sig" + move "$(Build.BinariesDirectory)\vcpkg-muslc" "$(Build.ArtifactStagingDirectory)\drop\vcpkg-muslc.sig" + - task: NuGetCommand@2 + displayName: 'NuGet pack for VS Insertion' + inputs: + command: custom + arguments: 'pack $(Build.ArtifactStagingDirectory)/vs-insertion/staging/vcpkg.nuspec -NoDefaultExcludes -OutputDirectory "$(Build.ArtifactStagingDirectory)/vs-insertion/drop" -Properties version=$(VCPKG_FULL_VERSION)' + - task: MSBuild@1 + displayName: 'Sign VS Insertion NuGet Package' + inputs: + solution: 'azure-pipelines\nuget-package.signproj' + msbuildArguments: '/p:OutDir=$(Build.ArtifactStagingDirectory)\vs-insertion\drop /p:IntermediateOutputPath=$(Build.ArtifactStagingDirectory)\vs-insertion\drop' + - task: BinSkim@4 + inputs: + InputType: 'CommandLine' + arguments: 'analyze "$(Build.ArtifactStagingDirectory)\drop\vcpkg.exe" "$(Build.ArtifactStagingDirectory)\drop\tls12-download.exe" "$(Build.ArtifactStagingDirectory)\vcpkg-arm64.exe" "$(Build.ArtifactStagingDirectory)\tls12-download-arm64.exe"' + - task: PoliCheck@2 + inputs: + inputType: 'Basic' + targetType: 'F' + targetArgument: '$(Build.ArtifactStagingDirectory)\drop' + result: 'PoliCheck.xml' + - ${{ if 
ne(parameters.PublishTo, 'None') }}: + - task: MicroBuildArchiveSymbols@4 + displayName: 'Upload Symbols' + inputs: + SymbolsFeatureName: 'vcpkg' + SymbolsProject: 'VS' + SymbolsAgentPath: '$(Build.ArtifactStagingDirectory)\symbols' + azureSubscription: 'Symbols Upload (DevDiv)' + # Publish everything to a GitHub Release + - ${{ if eq(parameters.PublishTo, 'GitHub and NuGet') }}: + - task: DownloadSecureFile@1 + displayName: Download Deploy Key + name: githubDeployKey + condition: and(eq(variables.SignType, 'real'), succeeded()) + inputs: + secureFile: id_vcpkg_tool + # GitHub has a large, regularly changing set of IP address, so ignore the + # hostname and allow anything with the right key. + # https://docs.github.com/en/github/authenticating-to-github/keeping-your-account-and-data-secure/about-githubs-ip-addresses + # This public key should have the well-known fingerprint documented below. + # SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s + # https://docs.github.com/en/github/authenticating-to-github/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints + - script: mkdir %USERPROFILE%\.ssh && echo github.com ssh-rsa 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>>%USERPROFILE%\.ssh\known_hosts + displayName: Store GitHub Public Key + condition: and(eq(variables.SignType, 'real'), succeeded()) + - script: git -c user.email=embeddedbot@microsoft.com -c user.name="Embedded Bot" push git@github.com:microsoft/vcpkg-tool HEAD:refs/tags/%VCPKG_BASE_VERSION% + condition: and(eq(variables.SignType, 'real'), succeeded()) + env: + GIT_SSH_COMMAND: ssh -i "$(githubDeployKey.secureFilePath)" + displayName: Push Release Tag + - task: GitHubRelease@0 + displayName: Publish GitHub Release + condition: and(eq(variables.SignType, 'real'), succeeded()) + inputs: + gitHubConnection: embeddedbot + repositoryName: microsoft/vcpkg-tool + isPreRelease: true + isDraft: true + title: $(VCPKG_BASE_VERSION) Release + tagSource: manual + tag: $(VCPKG_BASE_VERSION) + 
assets: "$(Build.ArtifactStagingDirectory)\\drop\\*" + addChangeLog: false + compareWith: 'lastFullRelease' \ No newline at end of file From 33684cabedd042adc5dc05203049c93b32da2724 Mon Sep 17 00:00:00 2001 From: Billy Robert O'Neal III Date: Mon, 25 Mar 2024 22:48:00 -0700 Subject: [PATCH 02/12] Try to fix condition syntax --- azure-pipelines/signing.yml | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/azure-pipelines/signing.yml b/azure-pipelines/signing.yml index be36eeb3ed..b5172a2847 100644 --- a/azure-pipelines/signing.yml +++ b/azure-pipelines/signing.yml 
@@ -312,19 +312,18 @@ extends:
 targetPath: '$(Build.ArtifactStagingDirectory)\drop'
 artifactName: 'Drop'
 publishLocation: 'Container'
- - ${{ if or(eq(parameters.PublishTo, 'GitHub and NuGet'),eq(parameters.PublishTo, 'NuGet Only')) }}:
- - output: pipelineArtifact
- displayName: 'Publish nupkg as Artifact'
- targetPath: '$(Build.ArtifactStagingDirectory)/vs-insertion/drop'
- artifactName: 'vs-insertion'
- publishLocation: 'Container'
- - ${{ if and(eq(parameters.PublishTo, 'GitHub and NuGet'), eq(variables.SignType, 'real'), succeeded()) }}:
- - output: nuget
- displayName: 'NuGet publish for VS Insertion'
- condition: and(eq(variables.SignType, 'real'), succeeded())
- packageParentPath: '$(Build.ArtifactStagingDirectory)'
- packagesToPush: '$(Build.ArtifactStagingDirectory)/vs-insertion/drop/VS.Redist.Vcpkg.amd64.1.0.0-$(VCPKG_FULL_VERSION).nupkg'
- publishVstsFeed: '97a41293-2972-4f48-8c0e-05493ae82010'
+ - output: pipelineArtifact
+ displayName: 'Publish nupkg as Artifact'
+ targetPath: '$(Build.ArtifactStagingDirectory)/vs-insertion/drop'
+ artifactName: 'vs-insertion'
+ publishLocation: 'Container'
+ condition: or(eq(parameters.PublishTo, 'GitHub and NuGet'),eq(parameters.PublishTo, 'NuGet Only'), succeeded())
+ - output: nuget
+ displayName: 'NuGet publish for VS Insertion'
+ packageParentPath: '$(Build.ArtifactStagingDirectory)'
+ packagesToPush: '$(Build.ArtifactStagingDirectory)/vs-insertion/drop/VS.Redist.Vcpkg.amd64.1.0.0-$(VCPKG_FULL_VERSION).nupkg'
+ publishVstsFeed: '97a41293-2972-4f48-8c0e-05493ae82010'
+ condition: and(or(eq(parameters.PublishTo, 'GitHub and NuGet'),eq(parameters.PublishTo, 'NuGet Only')), eq(variables.SignType, 'real'), succeeded())
 steps:
 - task: CodeQL3000Init@0
 displayName: 'CodeQL Initialize'
From 9bc71cf8e266740536227c7540697d45b692b501 Mon Sep 17 00:00:00 2001
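Review bot: On the `vs-insertion` output, `condition: or(eq(parameters.PublishTo, 'GitHub and NuGet'),eq(parameters.PublishTo, 'NuGet Only'), succeeded())` puts `succeeded()` inside the `or`, so it holds on every successful run whatever `PublishTo` is, and it also holds after a failed step when `PublishTo` matches. The compile-time `${{ if }}` it replaces gated on `PublishTo` alone; the runtime equivalent is `condition: and(succeeded(), or(eq(...), eq(...)))`, the shape the `nuget` output below it already uses. Both new conditions also read `parameters.PublishTo` inside a runtime expression; as far as I know parameters are substituted only at template expansion, so this likely needs `'${{ parameters.PublishTo }}'`, which is worth confirming on a test-signed run because this gate decides whether a real-signed package is pushed to the feed. The enclosing `outputs:` list starts outside the hunk.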
From: Billy Robert O'Neal III
Date: Mon, 25 Mar 2024 22:49:24 -0700
Subject: [PATCH 03/12] wip
---
 azure-pipelines/signing.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/azure-pipelines/signing.yml b/azure-pipelines/signing.yml
index b5172a2847..29866244df 100644
--- a/azure-pipelines/signing.yml
+++ b/azure-pipelines/signing.yml
@@ -218,6 +218,7 @@ extends:
 displayName: 'Publish Unsigned MacOS Binary'
 artifactName: 'staging'
 publishLocation: 'Container'
+ targetPath: '$(Build.ArtifactStagingDirectory)'
 steps:
 - task: CmdLine@2
 displayName: "Build vcpkg with CMake"
@@ -270,6 +271,7 @@ extends:
 displayName: 'Publish Unsigned muslc Binary'
 artifactName: 'staging'
 publishLocation: 'Container'
+ targetPath: '$(Build.ArtifactStagingDirectory)'
 steps:
 - bash: |
 az login --identity --username 29a4d3e7-c7d5-41c7-b5a0-fee8cf466371
@@ -523,4 +525,4 @@ extends:
 tag: $(VCPKG_BASE_VERSION)
 assets: "$(Build.ArtifactStagingDirectory)\\drop\\*"
 addChangeLog: false
- compareWith: 'lastFullRelease'
\ No newline at end of file
+ compareWith: 'lastFullRelease'
From 776bfad0aaf74b54ce44b7c0eeb510c565ebb269 Mon Sep 17 00:00:00 2001
From: Billy Robert O'Neal III
Date: Mon, 25 Mar 2024 22:50:17 -0700
Subject: [PATCH 04/12] wip
---
 azure-pipelines/signing.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/azure-pipelines/signing.yml b/azure-pipelines/signing.yml
index 29866244df..a05661672c 100644
--- a/azure-pipelines/signing.yml
+++ b/azure-pipelines/signing.yml
@@ -243,6 +243,7 @@ extends:
 displayName: 'Publish Unsigned glibc Binary'
 artifactName: 'staging'
 publishLocation: 'Container'
+ targetPath: '$(Build.ArtifactStagingDirectory)'
 steps:
 - bash: |
 az login --identity --username 29a4d3e7-c7d5-41c7-b5a0-fee8cf466371
From 1ba07e6d906b76cf42bcac0ef36128e73590f951 Mon Sep 17 00:00:00 2001
From: Billy Robert O'Neal III
Date: Mon, 25 Mar 2024 22:51:34 -0700
Subject: [PATCH 05/12] Make the stage name prettier.
---
 azure-pipelines/signing.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/azure-pipelines/signing.yml b/azure-pipelines/signing.yml
index a05661672c..1da94946a7 100644
--- a/azure-pipelines/signing.yml
+++ b/azure-pipelines/signing.yml
@@ -56,6 +56,7 @@ extends:
 image: 1ESPT-Windows2022
 stages:
 - stage: stage
+ displayName: 'Build and Sign vcpkg'
 jobs:
 - job: arch_independent
 displayName: 'Build and Sign Arch-Independent Scripts and vcpkg-artifacts'
From e089719d16305ee9c303f12d3189c719dbd880f4 Mon Sep 17 00:00:00 2001
From: Billy Robert O'Neal III
Date: Mon, 25 Mar 2024 23:11:59 -0700
Subject: [PATCH 06/12] Tag the pools
---
 azure-pipelines/signing.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/azure-pipelines/signing.yml b/azure-pipelines/signing.yml
index 1da94946a7..92c1676c6d 100644
--- a/azure-pipelines/signing.yml
+++ b/azure-pipelines/signing.yml
@@ -209,7 +209,9 @@ extends:
 dependsOn:
 - arch_independent
 pool:
+ name: Azure Pipelines
 vmImage: macOS-12
+ os: macOS
 variables:
 VCPKG_STANDALONE_BUNDLE_SHA: $[ dependencies.arch_independent.outputs['shas.VCPKG_STANDALONE_BUNDLE_SHA'] ]
 VCPKG_BASE_VERSION: $[ dependencies.arch_independent.outputs['versions.VCPKG_BASE_VERSION'] ]
@@ -235,6 +237,7 @@ extends:
 - arch_independent
 pool:
 name: 'vcpkg-mariner-1espt'
+ os: linux
 variables:
 VCPKG_STANDALONE_BUNDLE_SHA: $[ dependencies.arch_independent.outputs['shas.VCPKG_STANDALONE_BUNDLE_SHA'] ]
 VCPKG_BASE_VERSION: $[ dependencies.arch_independent.outputs['versions.VCPKG_BASE_VERSION'] ]
@@ -262,6 +265,7 @@ extends:
 displayName: 'muslc (Alpine) Build'
 pool:
 name: 'vcpkg-mariner-1espt'
+ os: linux
 dependsOn:
 - arch_independent
 variables:
From c0f375b1e9a1aad87b96ae476d29950de6bf80d0 Mon Sep 17 00:00:00 2001
From: Billy Robert O'Neal III Date: Mon, 25 Mar 2024 23:12:10 -0700 Subject: [PATCH 07/12] Delete duplicate CodeQL entries --- azure-pipelines/signing.yml | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/azure-pipelines/signing.yml b/azure-pipelines/signing.yml index 92c1676c6d..059e9b6b4e 100644 --- a/azure-pipelines/signing.yml +++ b/azure-pipelines/signing.yml @@ -29,8 +29,6 @@ variables: - group: vcpkg Terrapin URLs - name: TeamName value: vcpkg -- name: Codeql.Enabled - value: true # If the user didn't override the signing type, then only real-sign on main. - ${{ if ne(parameters.SignTypeOverride, 'default') }}: - name: SignType @@ -124,15 +122,11 @@ extends: displayName: Detect Components inputs: sourceScanPath: vcpkg-artifacts - - task: CodeQL3000Init@0 - displayName: CodeQL Initialize - script: | mkdir "$(Build.BinariesDirectory)" mkdir "$(Build.BinariesDirectory)\vcpkg-artifacts" node "$(Build.SourcesDirectory)\vcpkg-artifacts\node_modules\typescript\bin\tsc" -p "$(Build.SourcesDirectory)\vcpkg-artifacts" --outDir "$(Build.BinariesDirectory)\vcpkg-artifacts" displayName: Build TypeScript - - task: CodeQL3000Finalize@0 - displayName: CodeQL Finalize - task: Npm@1 inputs: command: 'custom' @@ -333,8 +327,6 @@ extends: publishVstsFeed: '97a41293-2972-4f48-8c0e-05493ae82010' condition: and(or(eq(parameters.PublishTo, 'GitHub and NuGet'),eq(parameters.PublishTo, 'NuGet Only')), eq(variables.SignType, 'real'), succeeded()) steps: - - task: CodeQL3000Init@0 - displayName: 'CodeQL Initialize' - task: CmdLine@2 displayName: "Build vcpkg amd64 with CMake" inputs: 
@@ -353,8 +345,6 @@ extends:
 cmake.exe --version
 cmake.exe -G Ninja -DCMAKE_BUILD_TYPE=Release -DBUILD_TESTING=OFF -DVCPKG_DEVELOPMENT_WARNINGS=ON -DVCPKG_WARNINGS_AS_ERRORS=ON -DVCPKG_BUILD_FUZZING=OFF -DVCPKG_BUILD_TLS12_DOWNLOADER=ON -DVCPKG_EMBED_GIT_SHA=ON -DVCPKG_OFFICIAL_BUILD=ON -DVCPKG_PDB_SUFFIX="-arm64" "-DVCPKG_FMT_URL=$(fmt-tarball-url)" "-DVCPKG_CMAKERC_URL=$(cmakerc-tarball-url)" "-DVCPKG_BASE_VERSION=$(VCPKG_BASE_VERSION)" "-DVCPKG_VERSION=$(Build.SourceVersion)" "-DVCPKG_STANDALONE_BUNDLE_SHA=$(VCPKG_STANDALONE_BUNDLE_SHA)" -B "$(Build.BinariesDirectory)\arm64"
 ninja.exe -C "$(Build.BinariesDirectory)\arm64"
- - task: CodeQL3000Finalize@0
- displayName: 'CodeQL Finalize'
 - task: NuGetToolInstaller@1
 inputs:
 versionSpec: 5.7
From 1751f7017b41782200cfeb38af60da7906d39559 Mon Sep 17 00:00:00 2001
From: Billy Robert O'Neal III
Date: Mon, 25 Mar 2024 23:54:19 -0700
Subject: [PATCH 08/12] Give stages unique staging names
---
 azure-pipelines/signing.yml | 56 ++++++++++++++++++++++---------------
 1 file changed, 34 insertions(+), 22 deletions(-)
diff --git a/azure-pipelines/signing.yml b/azure-pipelines/signing.yml
index 059e9b6b4e..649b12f2fe 100644
--- a/azure-pipelines/signing.yml
+++ b/azure-pipelines/signing.yml
@@ -87,7 +87,7 @@ extends:
 - output: pipelineArtifact
 displayName: 'Publish Architecture Independent Staging'
 targetPath: '$(Build.ArtifactStagingDirectory)\staging'
- artifactName: 'staging'
+ artifactName: 'stagingArchIndependent'
 publishLocation: 'Container'
 steps:
 - task: Powershell@2
@@ -213,7 +213,7 @@ extends:
 outputs:
 - output: pipelineArtifact
 displayName: 'Publish Unsigned MacOS Binary'
- artifactName: 'staging'
+ artifactName: 'stagingMacOS'
 publishLocation: 'Container'
 targetPath: '$(Build.ArtifactStagingDirectory)'
 steps:
@@ -239,7 +239,7 @@ extends: outputs: - output: pipelineArtifact displayName: 'Publish Unsigned glibc Binary' - artifactName: 'staging' + artifactName: 'stagingGlibc' publishLocation: 'Container' targetPath: '$(Build.ArtifactStagingDirectory)' steps: @@ -269,7 +269,7 @@ extends: outputs: - output: pipelineArtifact displayName: 'Publish Unsigned muslc Binary' - artifactName: 'staging' + artifactName: 'stagingMuslc' publishLocation: 'Container' targetPath: '$(Build.ArtifactStagingDirectory)' steps: 
@@ -356,18 +356,30 @@ extends: feedsToUse: 'config' restoreDirectory: '$(Build.SourcesDirectory)\packages' - task: DownloadBuildArtifacts@0 - displayName: 'Download Staging' + displayName: 'Download stagingArchIndependent' inputs: - artifactName: staging + artifactName: stagingArchIndependent + - task: DownloadBuildArtifacts@0 + displayName: 'Download stagingMacOS' + inputs: + artifactName: stagingMacOS + - task: DownloadBuildArtifacts@0 + displayName: 'Download stagingGlibc' + inputs: + artifactName: stagingGlibc + - task : DownloadBuildArtifacts@0 + displayName: 'Download stagingMuslc' + inputs: + artifactName: stagingMuslc - task: CmdLine@2 displayName: 'Copy Linux Binaries to BinariesDirectory' inputs: failOnStderr: true script: | mkdir "$(Build.BinariesDirectory)\build" - copy /Y "$(Build.ArtifactStagingDirectory)\staging\vcpkg-init" "$(Build.BinariesDirectory)\vcpkg-init" - copy /Y "$(Build.ArtifactStagingDirectory)\staging\vcpkg-glibc" "$(Build.BinariesDirectory)\vcpkg-glibc" - copy /Y "$(Build.ArtifactStagingDirectory)\staging\vcpkg-muslc" "$(Build.BinariesDirectory)\vcpkg-muslc" + copy /Y "$(Build.ArtifactStagingDirectory)\stagingArchIndependent\vcpkg-init" "$(Build.BinariesDirectory)\vcpkg-init" + copy /Y "$(Build.ArtifactStagingDirectory)\stagingGlibc\vcpkg-glibc" "$(Build.BinariesDirectory)\vcpkg-glibc" + copy /Y "$(Build.ArtifactStagingDirectory)\stagingMuslc\vcpkg-muslc" "$(Build.BinariesDirectory)\vcpkg-muslc" - task: MSBuild@1 displayName: 'Sign Binaries' inputs: @@ -377,7 +389,7 @@ extends: displayName: 'Developer Sign Mac Binaries' condition: and(eq(variables.SignType, 'test'), succeeded()) inputs: - SigningTarget: '$(Build.ArtifactStagingDirectory)\staging\vcpkg-macos.zip' + SigningTarget: '$(Build.ArtifactStagingDirectory)\stagingMacOS\vcpkg-macos.zip' SigningCert: '8005' SigningPluginSource: 'https://devdiv.pkgs.visualstudio.com/DefaultCollection/_packaging/MicroBuildToolset/nuget/v3/index.json' SigningPluginVersion: 'latest' 
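Review bot: In the 'Copy Linux Binaries to BinariesDirectory' step, the three re-pathed `copy /Y` lines have no per-command failure check. That matters more now that each source lives in its own artifact directory (`stagingArchIndependent`, `stagingGlibc`, `stagingMuslc`). A cmd script reports only its last command's exit status, and `failOnStderr: true` helps only if `copy` writes its error to stderr, so a wrong directory name on the first or second line may go unnoticed until the signing step. Appending `|| exit /b 1` to each `copy /Y …` line would make the step fail at the missing file. Separately, `- task : DownloadBuildArtifacts@0` (the muslc download) has a space before the colon, unlike the three entries above it.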
@@ -385,7 +397,7 @@ extends: displayName: 'Sign and Harden Mac Binaries' condition: and(eq(variables.SignType, 'real'), succeeded()) inputs: - SigningTarget: '$(Build.ArtifactStagingDirectory)\staging\vcpkg-macos.zip' + SigningTarget: '$(Build.ArtifactStagingDirectory)\stagingMacOS\vcpkg-macos.zip' SigningCert: '8025' SigningPluginSource: 'https://devdiv.pkgs.visualstudio.com/DefaultCollection/_packaging/MicroBuildToolset/nuget/v3/index.json' SigningPluginVersion: 'latest' @@ -393,7 +405,7 @@ extends: displayName: 'Notarize Mac Binaries' condition: and(eq(variables.SignType, 'real'), succeeded()) inputs: - SigningTarget: '$(Build.ArtifactStagingDirectory)\staging\vcpkg-macos.zip' + SigningTarget: '$(Build.ArtifactStagingDirectory)\stagingMacOS\vcpkg-macos.zip' SigningCert: '8020' MacAppName: 'vcpkg' SigningPluginSource: 'https://devdiv.pkgs.visualstudio.com/DefaultCollection/_packaging/MicroBuildToolset/nuget/v3/index.json' 
@@ -413,15 +425,15 @@ extends: copy "$(Build.SourcesDirectory)\NOTICE.txt" "$(Build.ArtifactStagingDirectory)\drop\NOTICE.txt" - move "$(Build.ArtifactStagingDirectory)\staging\vcpkg-init" "$(Build.ArtifactStagingDirectory)\drop\vcpkg-init" - move "$(Build.ArtifactStagingDirectory)\staging\vcpkg-init.cmd" "$(Build.ArtifactStagingDirectory)\drop\vcpkg-init.cmd" - move "$(Build.ArtifactStagingDirectory)\staging\vcpkg-init.ps1" "$(Build.ArtifactStagingDirectory)\drop\vcpkg-init.ps1" - move "$(Build.ArtifactStagingDirectory)\staging\scripts\applocal.ps1" "$(Build.ArtifactStagingDirectory)\drop\applocal.ps1" - move "$(Build.ArtifactStagingDirectory)\staging\scripts\addPoshVcpkgToPowershellProfile.ps1" "$(Build.ArtifactStagingDirectory)\drop\addPoshVcpkgToPowershellProfile.ps1" - move "$(Build.ArtifactStagingDirectory)\staging\scripts\posh-vcpkg.psm1" "$(Build.ArtifactStagingDirectory)\drop\posh-vcpkg.psm1" - move "$(Build.ArtifactStagingDirectory)\staging\vcpkg-glibc" "$(Build.ArtifactStagingDirectory)\drop\vcpkg-glibc" - move "$(Build.ArtifactStagingDirectory)\staging\vcpkg-muslc" "$(Build.ArtifactStagingDirectory)\drop\vcpkg-muslc" - move "$(Build.ArtifactStagingDirectory)\staging\vcpkg-standalone-bundle.tar.gz" "$(Build.ArtifactStagingDirectory)\drop\vcpkg-standalone-bundle.tar.gz" + move "$(Build.ArtifactStagingDirectory)\stagingArchIndependent\vcpkg-init" "$(Build.ArtifactStagingDirectory)\drop\vcpkg-init" + move "$(Build.ArtifactStagingDirectory)\stagingArchIndependent\vcpkg-init.cmd" "$(Build.ArtifactStagingDirectory)\drop\vcpkg-init.cmd" + move "$(Build.ArtifactStagingDirectory)\stagingArchIndependent\vcpkg-init.ps1" "$(Build.ArtifactStagingDirectory)\drop\vcpkg-init.ps1" + move "$(Build.ArtifactStagingDirectory)\stagingArchIndependent\scripts\applocal.ps1" "$(Build.ArtifactStagingDirectory)\drop\applocal.ps1" + move "$(Build.ArtifactStagingDirectory)\stagingArchIndependent\scripts\addPoshVcpkgToPowershellProfile.ps1" 
"$(Build.ArtifactStagingDirectory)\drop\addPoshVcpkgToPowershellProfile.ps1" + move "$(Build.ArtifactStagingDirectory)\stagingArchIndependent\scripts\posh-vcpkg.psm1" "$(Build.ArtifactStagingDirectory)\drop\posh-vcpkg.psm1" + move "$(Build.ArtifactStagingDirectory)\stagingGlibc\vcpkg-glibc" "$(Build.ArtifactStagingDirectory)\drop\vcpkg-glibc" + move "$(Build.ArtifactStagingDirectory)\stagingMuslc\vcpkg-muslc" "$(Build.ArtifactStagingDirectory)\drop\vcpkg-muslc" + move "$(Build.ArtifactStagingDirectory)\stagingArchIndependent\vcpkg-standalone-bundle.tar.gz" "$(Build.ArtifactStagingDirectory)\drop\vcpkg-standalone-bundle.tar.gz" move "$(Build.BinariesDirectory)\amd64\vcpkg.exe" "$(Build.ArtifactStagingDirectory)\drop\vcpkg.exe" copy "$(Build.ArtifactStagingDirectory)\drop\vcpkg.exe" "$(Build.ArtifactStagingDirectory)\vs-insertion\staging\vcpkg.exe" @@ -435,7 +447,7 @@ extends: move "$(Build.BinariesDirectory)\arm64\tls12-download-arm64.pdb" "$(Build.ArtifactStagingDirectory)\drop\tls12-download-arm64.pdb" mkdir "$(Build.ArtifactStagingDirectory)\staging\macos" - tar.exe -C "$(Build.ArtifactStagingDirectory)\staging\macos" -xf "$(Build.ArtifactStagingDirectory)\staging\vcpkg-macos.zip" + tar.exe -C "$(Build.ArtifactStagingDirectory)\staging\macos" -xf "$(Build.ArtifactStagingDirectory)\stagingMacOS\vcpkg-macos.zip" move "$(Build.ArtifactStagingDirectory)\staging\macos\vcpkg" "$(Build.ArtifactStagingDirectory)\drop\vcpkg-macos" copy "$(Build.SourcesDirectory)\azure-pipelines\vs-insertion\vcpkg.nuspec" "$(Build.ArtifactStagingDirectory)\vs-insertion\staging\vcpkg.nuspec" From e35814071b79bbbd4deed729bc1b14af654dbfec Mon Sep 17 00:00:00 2001 From: Billy Robert O'Neal III Date: Tue, 26 Mar 2024 00:27:05 -0700 Subject: [PATCH 09/12] Try to fix outputs condition --- azure-pipelines/signing.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/azure-pipelines/signing.yml b/azure-pipelines/signing.yml index 649b12f2fe..5cc260dd3d 100644 
--- a/azure-pipelines/signing.yml +++ b/azure-pipelines/signing.yml @@ -319,13 +319,13 @@ extends: targetPath: '$(Build.ArtifactStagingDirectory)/vs-insertion/drop' artifactName: 'vs-insertion' publishLocation: 'Container' - condition: or(eq(parameters.PublishTo, 'GitHub and NuGet'),eq(parameters.PublishTo, 'NuGet Only'), succeeded()) + condition: ${{ or(eq(parameters.PublishTo, 'GitHub and NuGet'),eq(parameters.PublishTo, 'NuGet Only')) }} - output: nuget displayName: 'NuGet publish for VS Insertion' packageParentPath: '$(Build.ArtifactStagingDirectory)' packagesToPush: '$(Build.ArtifactStagingDirectory)/vs-insertion/drop/VS.Redist.Vcpkg.amd64.1.0.0-$(VCPKG_FULL_VERSION).nupkg' publishVstsFeed: '97a41293-2972-4f48-8c0e-05493ae82010' - condition: and(or(eq(parameters.PublishTo, 'GitHub and NuGet'),eq(parameters.PublishTo, 'NuGet Only')), eq(variables.SignType, 'real'), succeeded()) + condition: ${{ and(or(eq(parameters.PublishTo, 'GitHub and NuGet'),eq(parameters.PublishTo, 'NuGet Only')), eq(variables.SignType, 'real')) }} steps: - task: CmdLine@2 displayName: "Build vcpkg amd64 with CMake" From 356b830a94c29db97809f7d54d02535439c0aec9 Mon Sep 17 00:00:00 2001 From: Billy Robert O'Neal III Date: Tue, 26 Mar 2024 03:46:46 -0700 Subject: [PATCH 10/12] Use inputs --- azure-pipelines/signing.yml | 29 +++++++++++++---------------- 1 file changed, 13 insertions(+), 16 deletions(-) diff --git a/azure-pipelines/signing.yml b/azure-pipelines/signing.yml index 5cc260dd3d..781ea1b31a 100644 --- a/azure-pipelines/signing.yml +++ b/azure-pipelines/signing.yml 
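Review bot: Both rewritten `condition:` lines drop `succeeded()`. This includes the one on `output: nuget`, which pushes the VS insertion package. A `${{ … }}` expression is resolved at template expansion to a constant, and a custom condition replaces the default `succeeded()`, so the publish may no longer be gated on the preceding signing and scan steps having passed. How the extended template applies `condition` to outputs is not visible here, so this needs confirming. A form that keeps the runtime gate and still evaluates the parameter at compile time is `condition: and(succeeded(), ${{ or(eq(parameters.PublishTo, 'GitHub and NuGet'), eq(parameters.PublishTo, 'NuGet Only')) }}, eq(variables.SignType, 'real'))`. This also leaves the `SignType` comparison at runtime rather than relying on `variables.SignType` being resolvable during expansion.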
@@ -308,6 +308,19 @@ extends: feedSource: 'https://devdiv.pkgs.visualstudio.com/DefaultCollection/_packaging/MicroBuildToolset/nuget/v3/index.json' signType: $(SignType) zipSources: false + inputs: + - input: pipelineArtifact + artifactName: stagingArchIndependent + targetPath: $(Build.ArtifactStagingDirectory)\stagingArchIndependent + - input: pipelineArtifact + artifactName: stagingMacOS + targetPath: $(Build.ArtifactStagingDirectory)\stagingMacOS + - input: pipelineArtifact + artifactName: stagingGlibc + targetPath: $(Build.ArtifactStagingDirectory)\stagingGlibc + - input: pipelineArtifact + artifactName: stagingMuslc + targetPath: $(Build.ArtifactStagingDirectory)\stagingMuslc outputs: - output: pipelineArtifact displayName: 'Publish Drop' @@ -355,22 +368,6 @@ extends: restoreSolution: 'azure-pipelines/binary-signing.signproj' feedsToUse: 'config' restoreDirectory: '$(Build.SourcesDirectory)\packages' - - task: DownloadBuildArtifacts@0 - displayName: 'Download stagingArchIndependent' - inputs: - artifactName: stagingArchIndependent - - task: DownloadBuildArtifacts@0 - displayName: 'Download stagingMacOS' - inputs: - artifactName: stagingMacOS - - task: DownloadBuildArtifacts@0 - displayName: 'Download stagingGlibc' - inputs: - artifactName: stagingGlibc - - task : DownloadBuildArtifacts@0 - displayName: 'Download stagingMuslc' - inputs: - artifactName: stagingMuslc - task: CmdLine@2 displayName: 'Copy Linux Binaries to BinariesDirectory' inputs: From 87dd746df357b796fca2978ff5e830902a40f038 Mon Sep 17 00:00:00 2001 From: Billy Robert O'Neal III Date: Tue, 26 Mar 2024 12:55:44 -0700 Subject: [PATCH 11/12] Fix VS standalone bundle. --- azure-pipelines/signing.yml | 13 +++++++++++-- vcpkg-init/mint-standalone-bundle.ps1 | 16 ++++++++-------- 2 files changed, 19 insertions(+), 10 deletions(-) diff --git a/azure-pipelines/signing.yml b/azure-pipelines/signing.yml index 781ea1b31a..1f85028c7b 100644 --- a/azure-pipelines/signing.yml +++ b/azure-pipelines/signing.yml 
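Review bot: The new `inputs:` list determines which unsigned binaries reach the signing steps of this job, but it carries no comment saying so, and its four `targetPath` values are plain scalars while the `outputs` entries in this file single-quote their paths. I would add a line above the list such as `# Unsigned artifacts from the build jobs; everything listed here is handed to the signing steps below`. I would also quote the paths for consistency, e.g. `targetPath: '$(Build.ArtifactStagingDirectory)\stagingGlibc'`. The enclosing `templateContext` block begins outside this hunk.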
@@ -176,7 +176,7 @@ extends: inputs: pwsh: true filePath: vcpkg-init/mint-standalone-bundle.ps1 - arguments: '-DestinationTarball "$(Build.BinariesDirectory)\vcpkg-standalone-bundle.tar.gz" -TempDir standalone-temp -SignedFilesRoot "$(Build.BinariesDirectory)" -Deployment OneLiner -VcpkgBaseVersion "$(VCPKG_INITIAL_BASE_VERSION)"' + arguments: '-DestinationTarball "$(Build.BinariesDirectory)\vcpkg-standalone-bundle.tar.gz" -TempDir standalone-temp -ArchIndependentSignedFilesRoot "$(Build.BinariesDirectory)" -Deployment OneLiner -VcpkgBaseVersion "$(VCPKG_INITIAL_BASE_VERSION)"' - script: | mkdir "$(Build.ArtifactStagingDirectory)\staging" mkdir "$(Build.ArtifactStagingDirectory)\staging\scripts" @@ -210,6 +210,9 @@ extends: VCPKG_STANDALONE_BUNDLE_SHA: $[ dependencies.arch_independent.outputs['shas.VCPKG_STANDALONE_BUNDLE_SHA'] ] VCPKG_BASE_VERSION: $[ dependencies.arch_independent.outputs['versions.VCPKG_BASE_VERSION'] ] templateContext: + mb: + signing: + enabled: false outputs: - output: pipelineArtifact displayName: 'Publish Unsigned MacOS Binary' @@ -236,6 +239,9 @@ extends: VCPKG_STANDALONE_BUNDLE_SHA: $[ dependencies.arch_independent.outputs['shas.VCPKG_STANDALONE_BUNDLE_SHA'] ] VCPKG_BASE_VERSION: $[ dependencies.arch_independent.outputs['versions.VCPKG_BASE_VERSION'] ] templateContext: + mb: + signing: + enabled: false outputs: - output: pipelineArtifact displayName: 'Publish Unsigned glibc Binary' @@ -266,6 +272,9 @@ extends: VCPKG_STANDALONE_BUNDLE_SHA: $[ dependencies.arch_independent.outputs['shas.VCPKG_STANDALONE_BUNDLE_SHA'] ] VCPKG_BASE_VERSION: $[ dependencies.arch_independent.outputs['versions.VCPKG_BASE_VERSION'] ] templateContext: + mb: + signing: + enabled: false outputs: - output: pipelineArtifact displayName: 'Publish Unsigned muslc Binary' 
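Review bot: The `mb: signing: enabled: false` block added under `templateContext` has no comment explaining why signing is switched off in a signing pipeline. The same block appears in the macOS, glibc and muslc hunks. From the output names ('Publish Unsigned MacOS Binary' and its siblings), these jobs appear only to stage binaries that a later job signs. A comment would stop a future reader treating the flag as a regression, for example `# Signing disabled on purpose: this job only stages an unsigned binary; it is signed in the job that consumes the staging artifact`. The exact effect of `mb.signing.enabled` is defined by the extended template, which is not visible here.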
@@ -412,7 +421,7 @@ extends: inputs: pwsh: true filePath: vcpkg-init/mint-standalone-bundle.ps1 - arguments: '-DestinationDir "$(Build.ArtifactStagingDirectory)/vs-insertion/staging" -TempDir standalone-temp -SignedFilesRoot "$(Build.ArtifactStagingDirectory)\staging" -Deployment "VisualStudio" -VcpkgBaseVersion "$(VCPKG_BASE_VERSION)"' + arguments: '-DestinationDir "$(Build.ArtifactStagingDirectory)/vs-insertion/staging" -TempDir standalone-temp -ArchIndependentSignedFilesRoot "$(Build.ArtifactStagingDirectory)\stagingArchIndependent" -Deployment "VisualStudio" -VcpkgBaseVersion "$(VCPKG_BASE_VERSION)"' - task: CmdLine@2 displayName: 'Arrange Drop and Symbols' inputs: diff --git a/vcpkg-init/mint-standalone-bundle.ps1 b/vcpkg-init/mint-standalone-bundle.ps1 index 5ace2f0b40..8183794fbd 100644 --- a/vcpkg-init/mint-standalone-bundle.ps1 +++ b/vcpkg-init/mint-standalone-bundle.ps1 @@ -9,7 +9,7 @@ Param( [Parameter(Mandatory = $True)] [string]$Deployment, [Parameter(Mandatory = $True)] - [string]$SignedFilesRoot, + [string]$ArchIndependentSignedFilesRoot, [Parameter(Mandatory = $true)] [string]$VcpkgBaseVersion ) 
@@ -85,12 +85,12 @@ try { Set-Content -Path "out/vcpkg-version.txt" -Value $VcpkgBaseVersion -NoNewLine -Encoding Ascii Copy-Item -Path "$PSScriptRoot/../NOTICE.txt" -Destination 'out/NOTICE.txt' Copy-Item -Path "$PSScriptRoot/vcpkg-cmd.cmd" -Destination 'out/vcpkg-cmd.cmd' - Copy-Item -Path "$SignedFilesRoot/vcpkg-init" -Destination 'out/vcpkg-init' - Copy-Item -Path "$SignedFilesRoot/vcpkg-init.ps1" -Destination 'out/vcpkg-init.ps1' - Copy-Item -Path "$SignedFilesRoot/vcpkg-init.cmd" -Destination 'out/vcpkg-init.cmd' - Copy-Item -Path "$SignedFilesRoot/scripts/addPoshVcpkgToPowershellProfile.ps1" -Destination 'out/scripts/addPoshVcpkgToPowershellProfile.ps1' + Copy-Item -Path "$ArchIndependentSignedFilesRoot/vcpkg-init" -Destination 'out/vcpkg-init' + Copy-Item -Path "$ArchIndependentSignedFilesRoot/vcpkg-init.ps1" -Destination 'out/vcpkg-init.ps1' + Copy-Item -Path "$ArchIndependentSignedFilesRoot/vcpkg-init.cmd" -Destination 'out/vcpkg-init.cmd' + Copy-Item -Path "$ArchIndependentSignedFilesRoot/scripts/addPoshVcpkgToPowershellProfile.ps1" -Destination 'out/scripts/addPoshVcpkgToPowershellProfile.ps1' New-Item -Path 'out/scripts/buildsystems/msbuild' -ItemType 'Directory' -Force - Copy-Item -Path "$SignedFilesRoot/scripts/applocal.ps1" -Destination 'out/scripts/buildsystems/msbuild/applocal.ps1' + Copy-Item -Path "$ArchIndependentSignedFilesRoot/scripts/applocal.ps1" -Destination 'out/scripts/buildsystems/msbuild/applocal.ps1' # None of the standalone bundles support classic mode, so turn that off in the bundled copy of the props $propsContent = Get-Content "$PSScriptRoot/vcpkg.props" -Raw -Encoding Ascii 
@@ -101,9 +101,9 @@ try { Copy-Item -Path "$PSScriptRoot/vcpkg.targets" -Destination 'out/scripts/buildsystems/msbuild/vcpkg.targets' New-Item -Path 'out/scripts/posh-vcpkg/0.0.1' -ItemType 'Directory' -Force - Copy-Item -Path "$SignedFilesRoot/scripts/posh-vcpkg.psm1" -Destination 'out/scripts/posh-vcpkg/0.0.1/posh-vcpkg.psm1' + Copy-Item -Path "$ArchIndependentSignedFilesRoot/scripts/posh-vcpkg.psm1" -Destination 'out/scripts/posh-vcpkg/0.0.1/posh-vcpkg.psm1' - Copy-Item -Path "$SignedFilesRoot/vcpkg-artifacts" -Destination 'out/vcpkg-artifacts' -Recurse + Copy-Item -Path "$ArchIndependentSignedFilesRoot/vcpkg-artifacts" -Destination 'out/vcpkg-artifacts' -Recurse New-Item -Path "out/.vcpkg-root" -ItemType "File" Set-Content -Path "out/vcpkg-bundle.json" ` From 34e50d106b42eb2136d8b0d6e7abfb51709de080 Mon Sep 17 00:00:00 2001 From: Billy Robert O'Neal III Date: Wed, 27 Mar 2024 18:34:31 -0700 Subject: [PATCH 12/12] Add apiscan, remove binskim. --- azure-pipelines/signing.yml | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/azure-pipelines/signing.yml b/azure-pipelines/signing.yml index 1f85028c7b..5079cd20d4 100644 --- a/azure-pipelines/signing.yml +++ b/azure-pipelines/signing.yml 
@@ -486,10 +486,15 @@ extends: inputs: solution: 'azure-pipelines\nuget-package.signproj' msbuildArguments: '/p:OutDir=$(Build.ArtifactStagingDirectory)\vs-insertion\drop /p:IntermediateOutputPath=$(Build.ArtifactStagingDirectory)\vs-insertion\drop' - - task: BinSkim@4 + - task: APIScan@2 + env: + AzureServicesAuthConnectionString: RunAs=App;AppId=d318cba7-db4d-4fb3-99e1-01879cb74e91 inputs: - InputType: 'CommandLine' - arguments: 'analyze "$(Build.ArtifactStagingDirectory)\drop\vcpkg.exe" "$(Build.ArtifactStagingDirectory)\drop\tls12-download.exe" "$(Build.ArtifactStagingDirectory)\vcpkg-arm64.exe" "$(Build.ArtifactStagingDirectory)\tls12-download-arm64.exe"' + softwareFolder: '$(Build.ArtifactStagingDirectory)\drop' + softwareName: 'vcpkg' + softwareVersionNum: 'N/A' + softwareBuildNum: '$(Build.BuildId)' + symbolsFolder: '$(Build.ArtifactStagingDirectory)\drop' - task: PoliCheck@2 inputs: inputType: 'Basic'
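Review bot: Replacing `BinSkim@4` with `APIScan@2` leaves no binary-hardening scan visible in this file for `vcpkg.exe`, `tls12-download.exe` and the arm64 binaries. APIScan inspects API usage, not compiler and linker mitigations. If the extended template already runs BinSkim over the `drop` folder, a one-line comment saying so would make the removal self-explanatory; otherwise the task should stay. `softwareVersionNum: 'N/A'` also makes scan results hard to tie to a release, and `softwareVersionNum: '$(VCPKG_BASE_VERSION)'` would use the value this job already passes to the bundle script. The new task has no `displayName`, unlike most steps in this pipeline, so something like `displayName: 'Run APIScan'` would help.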