azure-pipelines.yml

schedules:
# Run from Monday to Friday at 5:30 UTC (https://docs.microsoft.com/en-us/azure/devops/pipelines/process/scheduled-triggers?view=azure-devops&tabs=yaml#cron-syntax)
- cron: "30 5 * * 1-5"
  displayName: Daily build
  branches:
    include:
    - master
    - branch-*
  always: true

trigger:
- master
- branch-*

pool: .net-bubble-aws-re-team-prod

variables:
  - group: sonar-dotnet-variables
  - group: sonarsource-build-variables
  - group: artifactory_access
  - group: digicert-keylocker
  # ~https://github.com/SonarSource/re-ci-images/blob/master/docker/mvn/settings-private.xml
  - name: ARTIFACTORY_PRIVATE_USERNAME
    value: $[variables.ARTIFACTORY_PRIVATE_READER_USERNAME]
  - name: ARTIFACTORY_QA_READER_USERNAME
    value: $[variables.ARTIFACTORY_PRIVATE_READER_USERNAME]
  - name: UnitTestProjectPath
    value: 'analyzers\tests\SonarAnalyzer.Test\'
  - name: UnitTestResultsPath
    value: '$(Build.SourcesDirectory)\TestResults'
  - name: CoveragePath
    value: '$(Build.SourcesDirectory)\coverage'
  - name: UnitTestExclusionsPattern
    value: 'analyzers/tests/SonarAnalyzer.Test/TestCases/**/*'
  - name: isReleaseBranch
    value: ${{ or(eq(variables['Build.SourceBranch'], 'refs/heads/master'), startsWith(variables['Build.SourceBranch'], 'refs/heads/branch-')) }}
  - name: vsVersion
    value: '17.0'

resources:
  repositories:
    - repository: pipelines-yaml-templates
      type: git
      name: pipelines-yaml-templates
      ref:  refs/tags/v3.0.0

stages:
- stage: build
  # Build the dotnet analyzers and stage to repox
  displayName: 'Build:'
  jobs:
  - job: dotnetBuildjob
    displayName: 'Build and package'
    workspace:
      clean: all

    steps:
    - task: NuGetToolInstaller@1
      displayName: "Install NuGet"

    - script: '"$(MSBUILD_PATH)" /t:restore /p:RestoreLockedMode=true /p:RestoreConfigFile="analyzers\NuGet.Config" $(solution)'
      env:
        ARTIFACTORY_USER: $(ARTIFACTORY_PRIVATE_READER_USERNAME)
        ARTIFACTORY_PASSWORD: $(ARTIFACTORY_PRIVATE_READER_ACCESS_TOKEN)
      displayName: "NuGet Restore"

    - powershell: .\scripts\build\store-azp-variables.ps1
      displayName: "Store AZP Variables"

    - publish: $(Agent.BuildDirectory)/Azp-Variables
      artifact: Azp-Variables
      displayName: "Publish AZP Variables as pipeline artifact"

    - template: set-azp-variables-steps.yml@pipelines-yaml-templates

    - task: VSBuild@1
      displayName: 'Set BranchName, Sha1 and BuildNumber'
      inputs:
        solution: scripts/version/ChangeVersion.proj
        msbuildArgs: '/p:Sha1=$(Build.SourceVersion) /p:BranchName=$(Build.SourceBranchName) /p:BuildNumber=$(Build.BuildId) /p:BuildConfiguration=$(BuildConfiguration)'
        vsVersion: $(vsVersion)

    - task: DownloadSecureFile@1
      displayName: 'Download snk file'
      name: snk
      inputs:
        secureFile: SonarSourceSecret.snk

    - task: DownloadSecureFile@1
      # This file is used by the "DigiCert Signing Manager KSP" Key Storage Provider to authenticate against the DigiCert private key provider server.
      displayName: 'Download p12 file'
      name: SM_CLIENT_CERT
      inputs:
        secureFile: digicert_authentication_certificate.p12

    - task: DownloadSecureFile@1
      # This file contains the signing certificate without the private key. The private key will be downloaded later, during the signing process.
      displayName: 'Download crt file'
      name: SM_CLIENT_CRT
      inputs:
        secureFile: cert_525594307.crt

    - task: PowerShell@2
      displayName: "Signing certificate setup"
      # Initialize the DigiCert Private Key Provider.
      # What we think it does: The smctl tool authenticates with a client certificate (SM_CLIENT_CERT_FILE) and a client password (SM_CLIENT_CERT_PASSWORD).
      # It uses an API Key (SM_API_KEY) and the ID of the certificate (SM_CERT) to check if the authenticated client is authorized to use the
      # certificate specified and synchronize (potentially private) information about the certificate.
      condition: eq(variables.isReleaseBranch, 'True')
      env:
        SM_CLIENT_CERT_FILE: $(SM_CLIENT_CERT.secureFilePath)
        SM_CLIENT_CERT_PASSWORD: $(SM_CLIENT_CERT_PASSWORD)
        SM_API_KEY: $(SM_API_KEY)
        SM_CERT: $(SM_CERT)
      inputs:
        targetType: 'inline'
        script: |
          Write-Output "smctl sync:"
          smctl windows certsync

    - task: VSBuild@1
      displayName: "Build and sign SonarAnalyzer solution"
      env:
        SM_CLIENT_CRT_FILE: $(SM_CLIENT_CRT.secureFilePath)
        SM_CLIENT_CERT_FILE: $(SM_CLIENT_CERT.secureFilePath)
        SM_CLIENT_CERT_PASSWORD: $(SM_CLIENT_CERT_PASSWORD)
        SM_API_KEY: $(SM_API_KEY)
        SM_CERT: $(SM_CERT)
      inputs:
        solution: '$(solution)'
        platform: '$(buildPlatform)'
        configuration: '$(buildConfiguration)'
        msbuildArgs: '/p:SignAssembly=$(isReleaseBranch) /p:AssemblyOriginatorKeyFile="$(snk.secureFilePath)" /p:Sha1=$(Build.SourceVersion) /p:BuildNumber=$(Build.BuildId) /p:WarningLevel=0'
        vsVersion: $(vsVersion)

    - task: NuGetCommand@2
      displayName: "Build NuGet packages"
      inputs:
        command: pack
        packagesToPack: 'analyzers/src/**/*.nuspec;analyzers/packaging/*.nuspec'
        configuration: '$(BuildConfiguration)'
        packDestination: '$(Build.ArtifactStagingDirectory)/packages'
        verbosityPack: 'Detailed'
        publishPackageMetadata: true

    - task: PowerShell@2
      displayName: "Sign NuGet packages"
      condition: eq(variables.isReleaseBranch, 'True')
      env:
        PACKAGES_PATH: '$(Build.ArtifactStagingDirectory)\packages\*.nupkg'
        SM_CLIENT_CERT_FILE: $(SM_CLIENT_CERT.secureFilePath)
        SM_CLIENT_CERT_PASSWORD: $(SM_CLIENT_CERT_PASSWORD)
        SM_API_KEY: $(SM_API_KEY)
        SM_CERT: $(SM_CERT)
      inputs:
        targetType: 'inline'
        script: |
          nuget sign "$env:PACKAGES_PATH" -Overwrite -HashAlgorithm SHA256 -CertificateFingerprint $(SM_CERT_FP) -Timestamper http://timestamp.digicert.com -TimestampHashAlgorithm SHA256

    - task: PublishBuildArtifacts@1
      displayName: 'Publish NuGet packages as build artifacts'
      inputs:
        pathToPublish: '$(Build.ArtifactStagingDirectory)/packages'
        artifactName: 'NuGet Packages'

    - task: PublishPipelineArtifact@1
      displayName: 'Publish analyzer binaries as pipeline artifact'
      inputs:
        path: analyzers/packaging/binaries/
        artifact: Binaries

    - task: PublishPipelineArtifact@1
      displayName: 'Publish analyzer test binaries as pipeline artifact'
      inputs:
        path: '$(UnitTestProjectPath)\bin'
        artifact: TestBinaries

- stage: qa
  # .NET code analysis, UTs, ITs, build Java and publish SC QG
  displayName: 'Tests:'
  dependsOn: build

  jobs:
  - job: runUnitTestsDotNet
    displayName: '.NET UTs'
    workspace:
      clean: all
    strategy:
      matrix:
        Net48:
          CoverageArtifactName: 'DotNetCoverageNet48'
          TestResultsArtifactName: 'DotNetTestResultsNet48'
          ProjectFilePath: 'tests\SonarAnalyzer.Test\SonarAnalyzer.Test.csproj'
          FrameworkMoniker: 'net48'
        Net80:
          CoverageArtifactName: 'DotNetCoverageNet8'
          TestResultsArtifactName: 'DotNetTestResultsNet8'
          ProjectFilePath: 'tests\SonarAnalyzer.Test\SonarAnalyzer.Test.csproj'
          FrameworkMoniker: 'net8.0'
        Styling:
          CoverageArtifactName: 'DotNetCoverageStyling'
          TestResultsArtifactName: 'DotNetTestResultsStyling'
          ProjectFilePath: 'tests\SonarAnalyzer.CSharp.Styling.Test\SonarAnalyzer.CSharp.Styling.Test.csproj'
          FrameworkMoniker: 'net8.0'
        TestFramework:
          CoverageArtifactName: 'DotNetCoverageTestFramework'
          TestResultsArtifactName: 'DotNetTestResultsTestFramework'
          ProjectFilePath: 'tests\SonarAnalyzer.TestFramework.Test\SonarAnalyzer.TestFramework.Test.csproj'
          FrameworkMoniker: 'net8.0'
        ITs.JsonParser:
          CoverageArtifactName: 'ITs.JsonParserCoverage'
          TestResultsArtifactName: 'ITs.JsonParserResults'
          ProjectFilePath: 'tests\ITs.JsonParser.Test\ITs.JsonParser.Test.csproj'
          FrameworkMoniker: 'net8.0'

    steps:
    - task: UseDotNet@2
      displayName: Use .NET
      inputs:
        packageType: 'sdk'
        version: 8.0.300

    - task: DownloadPipelineArtifact@2
      displayName: 'Download binaries to test'
      inputs:
        artifact: TestBinaries
        targetPath: '$(UnitTestProjectPath)\bin'

    - powershell: |
        cd analyzers
        & dotnet test $(ProjectFilePath) -f $(FrameworkMoniker) -c $(BuildConfiguration) -l trx --results-directory $(UnitTestResultsPath) /p:AltCover=true,AltCoverForce=true,AltCoverVisibleBranches=true,AltCoverAssemblyFilter="testhost|Moq|Humanizer|AltCover|Microsoft|\.Test^",AltCoverPathFilter="SonarAnalyzer\.CFG\\ShimLayer|SonarAnalyzer\.ShimLayer\.CodeGeneration",AltCoverAttributeFilter="ExcludeFromCodeCoverage",AltCoverReport="$(CoveragePath)/coverage.$(CoverageArtifactName).xml"
      displayName: '.Net UTs'
      env:
        ARTIFACTORY_USER: $(ARTIFACTORY_PRIVATE_READER_USERNAME)
        ARTIFACTORY_PASSWORD: $(ARTIFACTORY_PRIVATE_READER_ACCESS_TOKEN)

    - task: PublishPipelineArtifact@1
      displayName: 'Save coverage files'
      inputs:
        path: '$(CoveragePath)'
        artifact: $(CoverageArtifactName)

    - task: PublishPipelineArtifact@1
      displayName: 'Save test results files'
      inputs:
        path: '$(UnitTestResultsPath)'
        artifact: $(TestResultsArtifactName)

    - task: PublishTestResults@2
      condition: always()
      displayName: 'Publish test results'
      inputs:
        testRunner: VSTest
        testResultsFiles: '*.trx'
        searchFolder: '$(UnitTestResultsPath)'
        testRunTitle: '$(Agent.JobName)'

  - job: dotNetAnalysis
    displayName: '.Net Analysis'
    workspace:
      clean: all
    # This job runs the .Net code analysis and uploads to SonarCloud the test results and coverage reports generated
    # in previous jobs.
    condition: eq(dependencies.runUnitTestsDotNet.result, 'Succeeded')
    dependsOn:
    - runUnitTestsDotNet
    steps:
    - task: NuGetToolInstaller@1
      displayName: "Install NuGet"

    - template: set-azp-variables-steps.yml@pipelines-yaml-templates

    - task: SonarCloudPrepare@2
      displayName: 'Code Analysis - Begin (PR)'
      condition: eq(variables['Build.Reason'], 'PullRequest')
      inputs:
        SonarCloud: 'SonarCloud'
        organization: 'sonarsource'
        scannerMode: 'MSBuild'
        projectKey: 'sonaranalyzer-dotnet'
        projectName: 'Sonar .NET Analyzer'
        projectVersion: '$(SONAR_PROJECT_VERSION)'
        extraProperties: |
          sonar.verbose=true
          sonar.cs.opencover.reportsPaths="$(CoveragePath)/*.xml"
          sonar.cs.vstest.reportsPaths="$(UnitTestResultsPath)/*.trx"
          sonar.test.exclusions="$(UnitTestExclusionsPattern)"
          sonar.analysis.buildNumber=$(Build.BuildId)
          sonar.analysis.pipeline=$(Build.BuildId)
          sonar.analysis.sha1=$(System.PullRequest.SourceCommitId)
          sonar.analysis.prNumber=$(System.PullRequest.PullRequestNumber)
          sonar.analysis.repository=$(Build.Repository.ID)

    - task: SonarCloudPrepare@2
      displayName: 'Code Analysis - Begin (master or branch)'
      condition: ne(variables['Build.Reason'], 'PullRequest')
      inputs:
        SonarCloud: 'SonarCloud'
        organization: 'sonarsource'
        scannerMode: 'MSBuild'
        projectKey: 'sonaranalyzer-dotnet'
        projectName: 'SonarAnalyzer for .NET'
        projectVersion: '$(SONAR_PROJECT_VERSION)'
        extraProperties: |
          sonar.verbose=true
          sonar.cs.opencover.reportsPaths="$(CoveragePath)/*.xml"
          sonar.cs.vstest.reportsPaths="$(UnitTestResultsPath)/*.trx"
          sonar.test.exclusions="$(UnitTestExclusionsPattern)"
          sonar.analysis.buildNumber=$(Build.BuildId)
          sonar.analysis.pipeline=$(Build.BuildId)
          sonar.analysis.sha1=$(Build.SourceVersion)
          sonar.analysis.repository=$(Build.Repository.ID)

    - task: VSBuild@1
      displayName: 'Set BranchName, Sha1 and BuildNumber properties from Azure pipeline variables'
      inputs:
        solution: scripts/version/ChangeVersion.proj
        msbuildArgs: '/p:Sha1=$(Build.SourceVersion) /p:BranchName=$(Build.SourceBranchName) /p:BuildNumber=$(Build.BuildId) /p:BuildConfiguration=$(BuildConfiguration)'
        vsVersion: $(vsVersion)

    - script: '"$(MSBUILD_PATH)" /t:restore /p:RestoreLockedMode=true /p:RestoreConfigFile="analyzers\NuGet.Config" $(solution)'
      env:
        ARTIFACTORY_USER: $(ARTIFACTORY_PRIVATE_READER_USERNAME)
        ARTIFACTORY_PASSWORD: $(ARTIFACTORY_PRIVATE_READER_ACCESS_TOKEN)
      displayName: "NuGet Restore"

    - task: VSBuild@1
      displayName: "Run .Net code analysis"
      inputs:
        solution: '$(solution)'
        platform: '$(buildPlatform)'
        configuration: '$(buildConfiguration)'
        msbuildArgs: '/p:RunAnalyzers=true'
        vsVersion: $(vsVersion)

    - task: DownloadPipelineArtifact@2
      displayName: 'Download coverage reports'
      inputs:
        artifact: DotNetCoverageNet48
        targetPath: 'coverage'

    - task: DownloadPipelineArtifact@2
      displayName: 'Download coverage reports'
      inputs:
        artifact: DotNetCoverageNet8
        targetPath: 'coverage'

    - task: DownloadPipelineArtifact@2
      displayName: 'Download coverage reports'
      inputs:
        artifact: DotNetCoverageStyling
        targetPath: 'coverage'

    - task: DownloadPipelineArtifact@2
      displayName: 'Download coverage reports'
      inputs:
        artifact: DotNetCoverageTestFramework
        targetPath: 'coverage'

    - task: DownloadPipelineArtifact@2
      displayName: 'Download coverage reports'
      inputs:
        artifact: ITs.JsonParserCoverage
        targetPath: 'coverage'

    - task: DownloadPipelineArtifact@2
      displayName: 'Download test results'
      inputs:
        artifact: DotNetTestResultsNet48
        targetPath: 'TestResults'

    - task: DownloadPipelineArtifact@2
      displayName: 'Download test results'
      inputs:
        artifact: DotNetTestResultsNet8
        targetPath: 'TestResults'

    - task: DownloadPipelineArtifact@2
      displayName: 'Download test results'
      inputs:
        artifact: DotNetTestResultsStyling
        targetPath: 'TestResults'

    - task: DownloadPipelineArtifact@2
      displayName: 'Download test results'
      inputs:
        artifact: DotNetTestResultsTestFramework
        targetPath: 'TestResults'

    - task: DownloadPipelineArtifact@2
      displayName: 'Download test results'
      inputs:
        artifact: ITs.JsonParserResults
        targetPath: 'TestResults'

    - powershell: |
        # Coverage is computed in another job and can have a different base path.
        # We need to normalize content of the coverage files to the current VM job path.
        # Values generated by the agent can look like this:
        #   `C:\sonar-ci\_work\1\s`
        #   `C:\sonar-ci\_work\2\s`
        $CurrentPath = ${env:BUILD_SOURCESDIRECTORY}
        $Pattern = [Regex]::Escape($CurrentPath) -Replace "\\\\\d+\\\\","\\\d+\\" # We replace the existing escaped "\\1\\" digit(s) with actual pattern to search for any other digit(s)
        dir coverage\*.xml | % {
            $Path = $_.FullName
            Write-Host "Updating ${Path} to common root ${CurrentPath}"
            (Get-Content -Path $Path -Raw) -Replace $Pattern,$CurrentPath | Set-Content $Path
        }
      displayName: Fix coverage paths

    - task: SonarCloudAnalyze@2
      displayName: 'Code Analysis - End'

    - task: SonarCloudPublish@2
      displayName: 'Code Analysis - Publish QG'
      inputs:
        pollingTimeoutSec: '300'

  - job: runIntegrationTestsJob
    displayName: '.NET ITs'
    workspace:
      clean: all
    steps:
    - task: DownloadPipelineArtifact@2
      displayName: 'Download binaries to test'
      inputs:
        artifact: Binaries
        targetPath: 'analyzers/packaging/binaries/'

    - task: NuGetToolInstaller@1
      displayName: "Install NuGet"

    - task: PowerShell@2
      displayName: 'Run ITs'
      inputs:
        filePath: 'analyzers/its/regression-test.ps1'
        workingDirectory: 'analyzers/its'
      env:
        ARTIFACTORY_USER: $(ARTIFACTORY_PRIVATE_READER_USERNAME)
        ARTIFACTORY_PASSWORD: $(ARTIFACTORY_PRIVATE_READER_ACCESS_TOKEN)

  - job: runJavaBuild
    displayName: 'Java build'
    workspace:
      clean: all
    steps:
    - task: DownloadPipelineArtifact@2
      displayName: 'Download .Net binaries for Maven build'
      inputs:
        artifact: Binaries
        targetPath: 'analyzers/packaging/binaries/'

    - template: set-azp-variables-steps.yml@pipelines-yaml-templates

    - task: DownloadSecureFile@1
      displayName: 'Download Maven settings'
      name: mavenSettings
      inputs:
        secureFile: 'maven-settings.xml'

    - task: DownloadSecureFile@1
      displayName: 'Download the sign key'
      name: signKey
      inputs:
        secureFile: 'sign-key.asc'

      # Template below is in https://dev.azure.com/sonarsource/DotNetTeam%20Project/_git/pipelines-yaml-templates?path=/update-maven-version-steps.yml&version=GBmaster
      # For more info see scripts/version/README.md
    - template: update-maven-version-steps.yml@pipelines-yaml-templates
      parameters:
        mavenSettingsFilePath: $(mavenSettings.secureFilePath)

  - job: runJavaUnitTests
    displayName: 'Java UTs'
    dependsOn: runJavaBuild
    workspace:
      clean: all
    steps:
    - task: DownloadSecureFile@1
      displayName: 'Download Maven settings'
      name: mavenSettings
      inputs:
        secureFile: 'maven-settings.xml'

    - template: set-azp-variables-steps.yml@pipelines-yaml-templates

    - template: update-maven-version-steps.yml@pipelines-yaml-templates
      parameters:
        mavenSettingsFilePath: $(mavenSettings.secureFilePath)

    - task: DownloadPipelineArtifact@2
      displayName: 'Download .Net binaries for Maven build'
      inputs:
        artifact: Binaries
        targetPath: 'analyzers/packaging/binaries/'

    - task: SonarCloudPrepare@2
      displayName: 'Prepare code analysis for Java plugin'
      inputs:
        SonarCloud: 'SonarCloud'
        organization: 'sonarsource'
        scannerMode: 'Other'

    - task: Maven@3
      displayName: 'Maven verify, UTs with SonarCloud'
      inputs:
        goals: 'verify'
        options: -B --settings $(mavenSettings.secureFilePath) -Pcoverage -Dsonar.projectVersion=$(SONAR_PROJECT_VERSION)
        publishJUnitResults: true
        testResultsFiles: '**/surefire-reports/TEST-*.xml'
        testRunTitle: '$(Agent.JobName)'
        javaHomeOption: 'JDKVersion'
        jdkVersionOption: '1.17'
        mavenOptions: $(MAVEN_OPTS)
        sonarQubeRunAnalysis: true
        sqMavenPluginVersionChoice: 'latest'

    - task: SonarCloudPublish@2
      displayName: 'Code Analysis - Publish QG'
      inputs:
        pollingTimeoutSec: '300'

  - job: runJavaIntegrationTests
    displayName: 'Java ITs'
    dependsOn: runJavaBuild
    workspace:
      clean: all
    strategy:
      matrix:
        CSharp:
          testPattern: 'csharp/*'
        Others:
          testPattern: 'vbnet/*,shared/*'
    steps:
    - task: DownloadSecureFile@1
      displayName: 'Download Maven settings'
      name: mavenSettings
      inputs:
        secureFile: 'maven-settings.xml'

    - template: update-maven-version-steps.yml@pipelines-yaml-templates
      parameters:
        mavenSettingsFilePath: $(mavenSettings.secureFilePath)

    - task: DownloadPipelineArtifact@2
      displayName: 'Download .Net binaries for Maven build'
      inputs:
        artifact: Binaries
        targetPath: 'analyzers/packaging/binaries/'

    - template: set-azp-variables-steps.yml@pipelines-yaml-templates

    - task: Maven@3
      displayName: 'Maven install'
      env:
        ARTIFACTORY_DEPLOY_PASSWORD: $(ARTIFACTORY_QA_DEPLOYER_ACCESS_TOKEN)
      inputs:
        goals: 'clean install'
        options: >-
          $(commonMavenArguments)
          --settings $(mavenSettings.secureFilePath)
          -DskipTests=true
        publishJUnitResults: false
        javaHomeOption: 'JDKVersion'
        jdkVersionOption: '1.17'
        mavenOptions: $(MAVEN_OPTS)

    - task: Maven@3
      displayName: 'Maven ITs'
      env:
        ARTIFACTORY_USER: $(ARTIFACTORY_PRIVATE_READER_USERNAME)
        ARTIFACTORY_PASSWORD: $(ARTIFACTORY_PRIVATE_READER_ACCESS_TOKEN)
        # For Orchestrator (https://github.com/SonarSource/orchestrator/commit/d5396c75ab77e6088afe58e61b0cd0693ac885f0)
        ARTIFACTORY_ACCESS_TOKEN: $(ARTIFACTORY_PRIVATE_READER_ACCESS_TOKEN)
        GITHUB_TOKEN: $(GITHUB_TOKEN)
      inputs:
        mavenPomFile: its/pom.xml
        goals: 'verify'
        options: -Dtest=$(testPattern) -B --settings $(mavenSettings.secureFilePath)
        publishJUnitResults: true
        testResultsFiles: '**/surefire-reports/TEST-*.xml'
        testRunTitle: '$(Agent.JobName)'
        javaHomeOption: 'JDKVersion'
        jdkVersionOption: '1.17'
        mavenOptions: $(MAVEN_OPTS)