
Commit 12051dd

security: applies pipeline type requirements
Signed-off-by: Vincent Biret <[email protected]>
1 parent ca0f832 commit 12051dd


1 file changed

+76
-71
lines changed


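--- a/.azure-pipelines/ci-build.yml
+++ b/.azure-pipelines/ci-build.yml
@@ -206,12 +206,12 @@ extends:
 - task: EsrpCodeSigning@5
 displayName: "ESRP CodeSigning"
 inputs:
-ConnectedServiceName: 'Federated DevX ESRP Managed Identity Connection'
-AppRegistrationClientId: '65035b7f-7357-4f29-bf25-c5ee5c3949f8'
-AppRegistrationTenantId: 'cdc5aeea-15c5-4db6-b079-fcadd2505dc2'
-AuthAKVName: 'akv-prod-eastus'
-AuthCertName: 'ReferenceLibraryPrivateCert'
-AuthSignCertName: 'ReferencePackagePublisherCertificate'
+ConnectedServiceName: "Federated DevX ESRP Managed Identity Connection"
+AppRegistrationClientId: "65035b7f-7357-4f29-bf25-c5ee5c3949f8"
+AppRegistrationTenantId: "cdc5aeea-15c5-4db6-b079-fcadd2505dc2"
+AuthAKVName: "akv-prod-eastus"
+AuthCertName: "ReferenceLibraryPrivateCert"
+AuthSignCertName: "ReferencePackagePublisherCertificate"
 FolderPath: '$(Build.SourcesDirectory)\src'
 signConfigType: inlineSignParams
 UseMinimatch: true
@@ -281,12 +281,12 @@ extends:
 - task: EsrpCodeSigning@5
 displayName: "ESRP CodeSigning Nuget Packages"
 inputs:
-ConnectedServiceName: 'Federated DevX ESRP Managed Identity Connection'
-AppRegistrationClientId: '65035b7f-7357-4f29-bf25-c5ee5c3949f8'
-AppRegistrationTenantId: 'cdc5aeea-15c5-4db6-b079-fcadd2505dc2'
-AuthAKVName: 'akv-prod-eastus'
-AuthCertName: 'ReferenceLibraryPrivateCert'
-AuthSignCertName: 'ReferencePackagePublisherCertificate'
+ConnectedServiceName: "Federated DevX ESRP Managed Identity Connection"
+AppRegistrationClientId: "65035b7f-7357-4f29-bf25-c5ee5c3949f8"
+AppRegistrationTenantId: "cdc5aeea-15c5-4db6-b079-fcadd2505dc2"
+AuthAKVName: "akv-prod-eastus"
+AuthCertName: "ReferenceLibraryPrivateCert"
+AuthSignCertName: "ReferencePackagePublisherCertificate"
 FolderPath: "$(Build.ArtifactStagingDirectory)"
 UseMinimatch: true
 Pattern: "*.nupkg"
@@ -401,12 +401,12 @@ extends:
 - task: EsrpCodeSigning@5
 condition: and(succeeded(), startsWith('${{ distribution.architecture }}', 'win'))
 inputs:
-ConnectedServiceName: 'Federated DevX ESRP Managed Identity Connection'
-AppRegistrationClientId: '65035b7f-7357-4f29-bf25-c5ee5c3949f8'
-AppRegistrationTenantId: 'cdc5aeea-15c5-4db6-b079-fcadd2505dc2'
-AuthAKVName: 'akv-prod-eastus'
-AuthCertName: 'ReferenceLibraryPrivateCert'
-AuthSignCertName: 'ReferencePackagePublisherCertificate'
+ConnectedServiceName: "Federated DevX ESRP Managed Identity Connection"
+AppRegistrationClientId: "65035b7f-7357-4f29-bf25-c5ee5c3949f8"
+AppRegistrationTenantId: "cdc5aeea-15c5-4db6-b079-fcadd2505dc2"
+AuthAKVName: "akv-prod-eastus"
+AuthCertName: "ReferenceLibraryPrivateCert"
+AuthSignCertName: "ReferencePackagePublisherCertificate"
 FolderPath: $(Build.ArtifactStagingDirectory)/binaries/${{ distribution.architecture }}
 signConfigType: inlineSignParams
 UseMinimatch: true
@@ -469,12 +469,12 @@ extends:
 timeoutInMinutes: 15
 retryCountOnTaskFailure: 4
 inputs:
-ConnectedServiceName: 'Federated DevX ESRP Managed Identity Connection'
-AppRegistrationClientId: '65035b7f-7357-4f29-bf25-c5ee5c3949f8'
-AppRegistrationTenantId: 'cdc5aeea-15c5-4db6-b079-fcadd2505dc2'
-AuthAKVName: 'akv-prod-eastus'
-AuthCertName: 'ReferenceLibraryPrivateCert'
-AuthSignCertName: 'ReferencePackagePublisherCertificate'
+ConnectedServiceName: "Federated DevX ESRP Managed Identity Connection"
+AppRegistrationClientId: "65035b7f-7357-4f29-bf25-c5ee5c3949f8"
+AppRegistrationTenantId: "cdc5aeea-15c5-4db6-b079-fcadd2505dc2"
+AuthAKVName: "akv-prod-eastus"
+AuthCertName: "ReferenceLibraryPrivateCert"
+AuthSignCertName: "ReferencePackagePublisherCertificate"
 FolderPath: $(Build.ArtifactStagingDirectory)/binaries
 signConfigType: inlineSignParams
 UseMinimatch: true
@@ -501,12 +501,12 @@ extends:
 timeoutInMinutes: 15
 retryCountOnTaskFailure: 4
 inputs:
-ConnectedServiceName: 'Federated DevX ESRP Managed Identity Connection'
-AppRegistrationClientId: '65035b7f-7357-4f29-bf25-c5ee5c3949f8'
-AppRegistrationTenantId: 'cdc5aeea-15c5-4db6-b079-fcadd2505dc2'
-AuthAKVName: 'akv-prod-eastus'
-AuthCertName: 'ReferenceLibraryPrivateCert'
-AuthSignCertName: 'ReferencePackagePublisherCertificate'
+ConnectedServiceName: "Federated DevX ESRP Managed Identity Connection"
+AppRegistrationClientId: "65035b7f-7357-4f29-bf25-c5ee5c3949f8"
+AppRegistrationTenantId: "cdc5aeea-15c5-4db6-b079-fcadd2505dc2"
+AuthAKVName: "akv-prod-eastus"
+AuthCertName: "ReferenceLibraryPrivateCert"
+AuthSignCertName: "ReferencePackagePublisherCertificate"
 FolderPath: $(Build.ArtifactStagingDirectory)/binaries
 signConfigType: inlineSignParams
 UseMinimatch: true
@@ -562,12 +562,12 @@ extends:
 inputs:
 versionSpec: "18.x"
 - ${{ each distribution in parameters.distributions }}:
-- task: DownloadPipelineArtifact@2
-displayName: Download ${{ distribution.jobPrefix }} binaries from artifacts
-inputs:
-artifact: Binaries_${{ distribution.jobPrefix }}
-source: current
-targetPath: $(Build.ArtifactStagingDirectory)/Binaries
+- task: DownloadPipelineArtifact@2
+displayName: Download ${{ distribution.jobPrefix }} binaries from artifacts
+inputs:
+artifact: Binaries_${{ distribution.jobPrefix }}
+source: current
+targetPath: $(Build.ArtifactStagingDirectory)/Binaries
 - pwsh: $(Build.SourcesDirectory)/scripts/get-prerelease-version.ps1 -currentBranch $(Build.SourceBranch) -previewBranch ${{ parameters.previewBranch }}
 displayName: "Set version suffix"
 - pwsh: $(Build.SourcesDirectory)/scripts/get-version-from-csproj.ps1
@@ -599,19 +599,19 @@ extends:
 workingDirectory: $(Build.SourcesDirectory)/vscode/microsoft-kiota
 name: getExtensionFileName
 - script: vsce generate-manifest -i $(getExtensionFileName.extensionFileName).vsix -o $(getExtensionFileName.extensionFileName).manifest
-displayName: 'Generate extension manifest'
+displayName: "Generate extension manifest"
 workingDirectory: $(Build.SourcesDirectory)/vscode/microsoft-kiota
 - script: cp $(getExtensionFileName.extensionFileName).manifest $(getExtensionFileName.extensionFileName).signature.p7s
-displayName: 'Prepare manifest for signing'
+displayName: "Prepare manifest for signing"
 workingDirectory: $(Build.SourcesDirectory)/vscode/microsoft-kiota
 - task: EsrpCodeSigning@5
 inputs:
-ConnectedServiceName: 'Federated DevX ESRP Managed Identity Connection'
-AppRegistrationClientId: '65035b7f-7357-4f29-bf25-c5ee5c3949f8'
-AppRegistrationTenantId: 'cdc5aeea-15c5-4db6-b079-fcadd2505dc2'
-AuthAKVName: 'akv-prod-eastus'
-AuthCertName: 'ReferenceLibraryPrivateCert'
-AuthSignCertName: 'ReferencePackagePublisherCertificate'
+ConnectedServiceName: "Federated DevX ESRP Managed Identity Connection"
+AppRegistrationClientId: "65035b7f-7357-4f29-bf25-c5ee5c3949f8"
+AppRegistrationTenantId: "cdc5aeea-15c5-4db6-b079-fcadd2505dc2"
+AuthAKVName: "akv-prod-eastus"
+AuthCertName: "ReferenceLibraryPrivateCert"
+AuthSignCertName: "ReferencePackagePublisherCertificate"
 FolderPath: $(Build.SourcesDirectory)/vscode/microsoft-kiota
 UseMinimatch: true
 Pattern: '**\*.signature.p7s'
@@ -630,7 +630,7 @@ extends:
 MaxConcurrency: 25
 MaxRetryAttempts: 5
 PendingAnalysisWaitTimeoutMinutes: 5
-displayName: 'Sign extension'
+displayName: "Sign extension"
 - task: CopyFiles@2
 displayName: Prepare staging folder for upload
 inputs:
@@ -682,7 +682,7 @@ extends:
 inputs:
 azureSubscription: "kiota-vscode-marketplace-publish"
 scriptType: "pscore"
-scriptLocation: 'inlineScript'
+scriptLocation: "inlineScript"
 inlineScript: |
 $aadToken = az account get-access-token --query accessToken --resource 499b84ac-1321-427f-aa17-267ca6975798 -o tsv
 Get-ChildItem -Path $(Pipeline.Workspace) -Filter *.vsix -Recurse | ForEach-Object {
@@ -707,6 +707,15 @@ extends:
 os: linux
 image: ubuntu-latest
 templateContext:
+type: releaseJob
+isProduction: true
+inputs:
+- input: pipelineArtifact
+artifactName: VSCode
+targetPath: "$(Pipeline.Workspace)"
+- input: pipelineArtifact
+artifactName: Nugets
+targetPath: "$(Pipeline.Workspace)"
 sdl:
 baseline:
 baselineFile: $(Build.SourcesDirectory)/guardian/SDL/common/.gdnbaselines
@@ -723,19 +732,11 @@ extends:
 clean: true
 submodules: true
 - ${{ each distribution in parameters.distributions }}:
-- task: DownloadPipelineArtifact@2
-displayName: Download ${{ distribution.jobPrefix }} binaries from artifacts
-inputs:
-artifact: Binaries_${{ distribution.jobPrefix }}
-source: current
-- task: DownloadPipelineArtifact@2
-inputs:
-artifact: VSCode
-source: current
-- task: DownloadPipelineArtifact@2
-inputs:
-artifact: Nugets
-source: current
+- task: DownloadPipelineArtifact@2
+displayName: Download ${{ distribution.jobPrefix }} binaries from artifacts
+inputs:
+artifact: Binaries_${{ distribution.jobPrefix }}
+source: current
 - pwsh: $(Build.SourcesDirectory)/scripts/get-prerelease-version.ps1 -currentBranch $(Build.SourceBranch) -previewBranch ${{ parameters.previewBranch }}
 displayName: "Set version suffix"
 - pwsh: $(Build.SourcesDirectory)/scripts/get-version-from-csproj.ps1
@@ -779,6 +780,13 @@ extends:
 isPreRelease: true
 
 - deployment: deploy_kiota
+templateContext:
+type: releaseJob
+isProduction: true
+inputs:
+- input: pipelineArtifact
+artifactName: Nugets
+targetPath: "$(Pipeline.Workspace)"
 pool:
 name: Azure-Pipelines-1ESPT-ExDShared
 os: linux
@@ -790,23 +798,25 @@ extends:
 deploy:
 steps:
 - download: none
-- task: DownloadPipelineArtifact@2
-displayName: Download nupkg from artifacts
-inputs:
-artifact: Nugets
-source: current
 - powershell: |
 Remove-Item "$(Pipeline.Workspace)/Microsoft.OpenApi.Kiota.Builder.*.nupkg" -Verbose
 displayName: remove other nupkgs to avoid duplication
 - task: 1ES.PublishNuget@1
 displayName: "NuGet push"
 inputs:
 packagesToPush: "$(Pipeline.Workspace)/Microsoft.OpenApi.Kiota.*.nupkg"
-packageParentPath: '$(Pipeline.Workspace)'
+packageParentPath: "$(Pipeline.Workspace)"
 nuGetFeedType: external
 publishFeedCredentials: "OpenAPI Nuget Connection"
 
 - deployment: deploy_builder
+templateContext:
+type: releaseJob
+isProduction: true
+inputs:
+- input: pipelineArtifact
+artifactName: Nugets
+targetPath: "$(Pipeline.Workspace)"
 pool:
 name: Azure-Pipelines-1ESPT-ExDShared
 os: linux
@@ -818,18 +828,13 @@ extends:
 deploy:
 steps:
 - download: none
-- task: DownloadPipelineArtifact@2
-displayName: Download nupkg from artifacts
-inputs:
-artifact: Nugets
-source: current
 - powershell: |
 Remove-Item "$(Pipeline.Workspace)/Microsoft.OpenApi.Kiota.*.nupkg" -Verbose -Exclude "*.Builder.*"
 displayName: remove other nupkgs to avoid duplication
 - task: 1ES.PublishNuget@1
 displayName: "NuGet push"
 inputs:
 packagesToPush: "$(Pipeline.Workspace)/Microsoft.OpenApi.Kiota.Builder.*.nupkg"
-packageParentPath: '$(Pipeline.Workspace)'
+packageParentPath: "$(Pipeline.Workspace)"
 nuGetFeedType: external
 publishFeedCredentials: "OpenAPI Nuget Connection"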
