From 733f954b81074b9ceea8d0e444a0743179c5439b Mon Sep 17 00:00:00 2001 From: Manuel de la Pena Date: Fri, 4 Oct 2024 16:20:52 -0400 Subject: [PATCH] [CI] Remove stages related to the old pkg signing and notarization. --- tools/devops/automation/build-cronjob.yml | 6 - tools/devops/automation/build-lego.yml | 6 - tools/devops/automation/build-pipeline.yml | 17 - .../devops/automation/build-pull-request.yml | 17 - .../automation/publish-pr-html-results.yml | 6 - tools/devops/automation/scripts/notarize.ps1 | 21 -- .../automation/templates/build/build-pkgs.yml | 4 - .../templates/build/build-stage.yml | 5 - .../automation/templates/common/checkout.yml | 3 - .../automation/templates/main-stage.yml | 42 --- .../templates/pipelines/api-diff-pipeline.yml | 6 - .../templates/pipelines/build-pipeline.yml | 18 - .../pipelines/run-macos-tests-pipeline.yml | 6 - .../pipelines/run-tests-pipeline.yml | 6 - .../artifact-github-comment.yml | 43 --- .../templates/sign-and-notarized/funnel.yml | 193 ----------- .../sign-and-notarized/prepare-pkg-stage.yml | 50 --- .../templates/sign-and-notarized/setup.yml | 77 ----- .../sign-and-notarized/sign-and-notarized.yml | 136 -------- .../sign-and-notarized/upload-azure.yml | 327 ------------------ tools/devops/automation/vs-insertion.yml | 6 - 21 files changed, 995 deletions(-) delete mode 100644 tools/devops/automation/scripts/notarize.ps1 delete mode 100644 tools/devops/automation/templates/sign-and-notarized/artifact-github-comment.yml delete mode 100644 tools/devops/automation/templates/sign-and-notarized/funnel.yml delete mode 100644 tools/devops/automation/templates/sign-and-notarized/prepare-pkg-stage.yml delete mode 100644 tools/devops/automation/templates/sign-and-notarized/setup.yml delete mode 100644 tools/devops/automation/templates/sign-and-notarized/sign-and-notarized.yml delete mode 100644 tools/devops/automation/templates/sign-and-notarized/upload-azure.yml 
diff --git a/tools/devops/automation/build-cronjob.yml b/tools/devops/automation/build-cronjob.yml
index 1e152985ae6a..a632e6b367b7 100644
--- a/tools/devops/automation/build-cronjob.yml
+++ b/tools/devops/automation/build-cronjob.yml
@@ -44,12 +44,6 @@ resources:
ref: refs/heads/main endpoint: xamarin - - repository: release-scripts - type: github - name: xamarin/release-scripts - ref: refs/heads/only_codesign - endpoint: xamarin - trigger: - main
diff --git a/tools/devops/automation/build-lego.yml b/tools/devops/automation/build-lego.yml
index 650d8cd2e46d..206cd16e14eb 100644
--- a/tools/devops/automation/build-lego.yml
+++ b/tools/devops/automation/build-lego.yml
@@ -38,12 +38,6 @@ resources:
ref: refs/heads/main endpoint: xamarin - - repository: release-scripts - type: github - name: xamarin/release-scripts - ref: refs/heads/only_codesign - endpoint: xamarin - trigger: branches: include:
diff --git a/tools/devops/automation/build-pipeline.yml b/tools/devops/automation/build-pipeline.yml
index 9f26ec4d5aed..19aebaec5301 100644
--- a/tools/devops/automation/build-pipeline.yml
+++ b/tools/devops/automation/build-pipeline.yml
@@ -35,11 +35,6 @@ parameters:
type: boolean default: false - - name: skipESRP - displayName: Skip ESRP - type: boolean - default: false # only to be used when testing the CI and we do not need a signed pkg - - name: pushNugets type: boolean displayName: 'Push Nugets (dotnet)'
@@ -155,12 +150,6 @@ resources:
ref: refs/heads/main endpoint: xamarin - - repository: release-scripts - type: github - name: xamarin/release-scripts - ref: refs/heads/only_codesign - endpoint: xamarin - - repository: CustomPipelineTemplates type: git name: 1ESPipelineTemplates/MicroBuildTemplate
@@ -231,7 +220,6 @@ extends:
exclude: - repository: yaml-templates - repository: sdk-insertions - - repository: release-scripts stages: - template: templates/main-stage.yml parameters:
@@ -242,14 +230,9 @@ extends:
pool: ${{ parameters.pool }} runGovernanceTests: ${{ parameters.runGovernanceTests }} forceInsertion: ${{ parameters.forceInsertion }} - skipESRP: ${{ parameters.skipESRP }} pushNugets: ${{ parameters.pushNugets }} pushNugetsToMaestro: ${{ parameters.pushNugetsToMaestro }} ${{ if ne(length(parameters.testConfigurations), 0)}}: testConfigurations: ${{ parameters.testConfigurations }} deviceTestsConfigurations: ${{ parameters.deviceTestsConfigurations }} macTestsConfigurations: ${{ parameters.macTestsConfigurations }} - signingSetupSteps: - - template: ./templates/sign-and-notarized/setup.yml - parameters: - isPR: false
diff --git a/tools/devops/automation/build-pull-request.yml b/tools/devops/automation/build-pull-request.yml
index 8f9752a25118..ec6c90b03844 100644
--- a/tools/devops/automation/build-pull-request.yml
+++ b/tools/devops/automation/build-pull-request.yml
@@ -36,11 +36,6 @@ parameters:
type: boolean default: false -- name: skipESRP - displayName: Skip ESRP - type: boolean - default: false # only to be used when testing the CI and we do not need a signed pkg - - name: testConfigurations displayName: Test configurations to run type: object
@@ -146,12 +141,6 @@ resources:
ref: refs/heads/main endpoint: xamarin - - repository: release-scripts - type: github - name: xamarin/release-scripts - ref: refs/heads/only_codesign - endpoint: xamarin - - repository: CustomPipelineTemplates type: git name: 1ESPipelineTemplates/MicroBuildTemplate
@@ -216,7 +205,6 @@ extends:
exclude: - repository: yaml-templates - repository: sdk-insertions - - repository: release-scripts stages: - template: templates/main-stage.yml parameters:
@@ -227,14 +215,9 @@ extends:
pool: ${{ parameters.pool }} runGovernanceTests: ${{ parameters.runGovernanceTests }} forceInsertion: ${{ parameters.forceInsertion }} - skipESRP: ${{ parameters.skipESRP }} pushNugets: false pushNugetsToMaestro: false ${{ if ne(length(parameters.testConfigurations), 0)}}: testConfigurations: ${{ parameters.testConfigurations }} deviceTestsConfigurations: ${{ parameters.deviceTestsConfigurations }} macTestsConfigurations: ${{ parameters.macTestsConfigurations }} - signingSetupSteps: - - template: ./templates/sign-and-notarized/setup.yml - parameters: - isPR: true
diff --git a/tools/devops/automation/publish-pr-html-results.yml b/tools/devops/automation/publish-pr-html-results.yml
index fd58eddcaf96..623a08c408c3 100644
--- a/tools/devops/automation/publish-pr-html-results.yml
+++ b/tools/devops/automation/publish-pr-html-results.yml
@@ -29,12 +29,6 @@ resources:
ref: refs/heads/main endpoint: xamarin - - repository: release-scripts - type: github - name: xamarin/release-scripts - ref: refs/heads/only_codesign - endpoint: xamarin - - repository: macios.ci type: github name: xamarin/macios.ci
diff --git a/tools/devops/automation/scripts/notarize.ps1 b/tools/devops/automation/scripts/notarize.ps1
deleted file mode 100644
index cd507cbf1740..000000000000
--- a/tools/devops/automation/scripts/notarize.ps1
+++ /dev/null
@@ -1,21 +0,0 @@
-$summaryPath = "$Env:SYSTEM_DEFAULTWORKINGDIRECTORY/xamarin-macios/tests/TestSummary.md"
-try {
- # Notarize
- & "$Env:BUILD_SOURCESDIRECTORY/release-scripts/notarize.ps1" -FolderForApps $Env:BUILD_SOURCESDIRECTORY/package/notarized
-
- # Verify that the notarized output is valid
- $notarizedRoot = Join-Path $Env:BUILD_SOURCESDIRECTORY package notarized
- Get-ChildItem -Path $notarizedRoot -Filter *.pkg -Recurse -File | ForEach-Object {
- Write-Debug "pkgutil --check-signature $($_.FullName)"
- pkgutil --check-signature "$($_.FullName)"
- if ($LastExitCode -eq 0) {
- Write-Debug "Signature check of $($_.FullName) succeeded."
- } else {
- Write-Debug "Signature check of $($_.FullName) failed (exit code: $LastExitCode)."
- throw "Signature check of $($_.FullName) failed (exit code: $LastExitCode)."
- }
- }
-} catch {
- Add-Content -Path $summaryPath -Value "# :x: Notarization (ESRP) failed :x:`n`n```````n$PSItem`n```````n"
- throw
-}
diff --git a/tools/devops/automation/templates/build/build-pkgs.yml b/tools/devops/automation/templates/build/build-pkgs.yml
index b37b7d06ca8b..7863cb18177f 100644
--- a/tools/devops/automation/templates/build/build-pkgs.yml
+++ b/tools/devops/automation/templates/build/build-pkgs.yml
@@ -20,10 +20,6 @@ parameters:
type: boolean default: true - - name: skipESRP - type: boolean - default: false # only to be used when testing the CI and we do not need a signed pkg - - name: isPR type: boolean
diff --git a/tools/devops/automation/templates/build/build-stage.yml b/tools/devops/automation/templates/build/build-stage.yml
index 950196987a92..a9abc74ee9d5 100644
--- a/tools/devops/automation/templates/build/build-stage.yml
+++ b/tools/devops/automation/templates/build/build-stage.yml
@@ -14,10 +14,6 @@ parameters:
- name: xqaCertPass type: string - - name: skipESRP - type: boolean - default: false # only to be used when testing the CI and we do not need a signed pkg - - name: pool type: string default: automatic
@@ -97,4 +93,3 @@ jobs:
keyringPass: ${{ parameters.keyringPass }} gitHubToken: ${{ parameters.gitHubToken }} xqaCertPass: ${{ parameters.xqaCertPass }} - skipESRP: ${{ parameters.skipESRP }}
diff --git a/tools/devops/automation/templates/common/checkout.yml b/tools/devops/automation/templates/common/checkout.yml
index 6996389bff39..961ccd305307 100644
--- a/tools/devops/automation/templates/common/checkout.yml
+++ b/tools/devops/automation/templates/common/checkout.yml
@@ -36,9 +36,6 @@ steps:
- checkout: yaml-templates clean: true -- checkout: release-scripts - clean: true - - pwsh: ./clean_git_vsts.ps1 -GithubToken "$(GitHub.Token)" -MaccorePath "$(System.DefaultWorkingDirectory)/maccore" displayName: 'Clean git mess from VSTS' workingDirectory: $(System.DefaultWorkingDirectory)/xamarin-macios/tools/devops/automation/scripts
diff --git a/tools/devops/automation/templates/main-stage.yml b/tools/devops/automation/templates/main-stage.yml
index fe218dcc51e9..2a9f3bf0cf53 100644
--- a/tools/devops/automation/templates/main-stage.yml
+++ b/tools/devops/automation/templates/main-stage.yml
@@ -24,10 +24,6 @@ parameters:
type: boolean default: false - - name: skipESRP - type: boolean - default: false # only to be used when testing the CI and we do not need a signed pkg - - name: pushNugets type: boolean default: true # default to true until otherwhise
@@ -159,10 +155,6 @@ parameters:
- name: macTestsConfigurations type: object - - name: signingSetupSteps - type: stepList - default: [] - - name: legacyPackageJobs type: object default: [
@@ -264,7 +256,6 @@ stages:
keyringPass: $(pass--lab--mac--builder--keychain) gitHubToken: $(Github.Token) xqaCertPass: $(xqa--certificates--password) - skipESRP: ${{ parameters.skipESRP }} pool: ${{ parameters.pool }} - stage: build_macos_tests
@@ -284,23 +275,6 @@ stages:
xqaCertPass: $(xqa--certificates--password) pool: ${{ parameters.pool }} - - stage: prepare_packages_legacy - displayName: '${{ parameters.stageDisplayNamePrefix }}Prepare legacy packages' - condition: and(eq(dependencies.build_packages.result, 'Succeeded'), eq('${{ parameters.enableLegacySigning }}', true)) - dependsOn: - - build_packages - - configure_build - jobs: - - template: ./sign-and-notarized/prepare-pkg-stage.yml - parameters: - isPR: ${{ parameters.isPR }} - repositoryAlias: ${{ parameters.repositoryAlias }} - commit: ${{ parameters.commit }} - signingSetupSteps: ${{ parameters.signingSetupSteps }} - keyringPass: $(pass--lab--mac--builder--keychain) - skipESRP: ${{ parameters.skipESRP }} - packages: ${{ parameters.legacyPackageJobs }} - # .NET Release Prep and VS Insertion Stages, only execute them when the build comes from an official branch and is not a schedule build from OneLoc # setting the stage at this level makes the graph of the UI look better, else the lines overlap and is not clear. - ? ${{ if
@@ -328,19 +302,3 @@ stages:
commit: ${{ parameters.commit }} pushNugets: ${{ parameters.pushNugets }} pushNugetsToMaestro: ${{ parameters.pushNugetsToMaestro }} - - - stage: funnel - displayName: '${{ parameters.stageDisplayNamePrefix }}Collect signed artifacts' - condition: and(eq(dependencies.prepare_packages_legacy.result, 'Succeeded'), eq('${{ parameters.enableLegacySigning }}', true)) - dependsOn: - - prepare_packages_legacy - - configure_build - jobs: - - template: ./sign-and-notarized/funnel.yml - parameters: - isPR: ${{ parameters.isPR }} - repositoryAlias: ${{ parameters.repositoryAlias }} - commit: ${{ parameters.commit }} - packages: # flatten the pkgs for the parameter - - ${{ each pkg in parameters.legacyPackageJobs }}: - - ${{ pkg }}
diff --git a/tools/devops/automation/templates/pipelines/api-diff-pipeline.yml b/tools/devops/automation/templates/pipelines/api-diff-pipeline.yml
index b91f24262f6b..7ae6cc065a13 100644
--- a/tools/devops/automation/templates/pipelines/api-diff-pipeline.yml
+++ b/tools/devops/automation/templates/pipelines/api-diff-pipeline.yml
@@ -50,12 +50,6 @@ resources:
ref: refs/heads/main endpoint: xamarin - - repository: release-scripts - type: github - name: xamarin/release-scripts - ref: refs/heads/only_codesign - endpoint: xamarin - variables: - template: ../variables/common.yml - name: DisablePipelineConfigDetector
diff --git a/tools/devops/automation/templates/pipelines/build-pipeline.yml b/tools/devops/automation/templates/pipelines/build-pipeline.yml
index 6b6415af3731..9967da9d5c98 100644
--- a/tools/devops/automation/templates/pipelines/build-pipeline.yml
+++ b/tools/devops/automation/templates/pipelines/build-pipeline.yml
@@ -37,11 +37,6 @@ parameters:
type: boolean default: false -- name: skipESRP - displayName: Skip ESRP - type: boolean - default: false # only to be used when testing the CI and we do not need a signed pkg - - name: pushNugets type: boolean default: true
@@ -55,10 +50,6 @@ parameters:
type: boolean default: false -- name: signingSetupSteps - type: stepList - default: [] - - name: testConfigurations displayName: Test configurations to run type: object
@@ -164,13 +155,6 @@ resources:
ref: refs/heads/main endpoint: xamarin - - repository: release-scripts - type: github - name: xamarin/release-scripts - ref: refs/heads/only_codesign - endpoint: xamarin - - variables: - ${{ if eq(parameters.isPR, false) }}: - ${{ if contains(variables['Build.DefinitionName'], 'private') }}:
@@ -202,7 +186,6 @@ stages:
runGovernanceTests: ${{ parameters.runGovernanceTests }} enableAPIDiff: ${{ parameters.enableAPIDiff }} forceInsertion: ${{ parameters.forceInsertion }} - skipESRP: ${{ parameters.skipESRP }} pushNugets: ${{ parameters.pushNugets }} pushNugetsToMaestro: ${{ parameters.pushNugetsToMaestro }} ${{ if ne(length(parameters.testConfigurations), 0)}}:
@@ -211,4 +194,3 @@ stages:
macTestsConfigurations: ${{ parameters.macTestsConfigurations }} azureStorage: ${{ variables['azureStorage'] }} azureContainer: ${{ variables['azureContainer'] }} - signingSetupSteps: ${{ parameters.signingSetupSteps }}
diff --git a/tools/devops/automation/templates/pipelines/run-macos-tests-pipeline.yml b/tools/devops/automation/templates/pipelines/run-macos-tests-pipeline.yml
index 3a526b26a8d7..30aefb1eabde 100644
--- a/tools/devops/automation/templates/pipelines/run-macos-tests-pipeline.yml
+++ b/tools/devops/automation/templates/pipelines/run-macos-tests-pipeline.yml
@@ -195,12 +195,6 @@ resources:
ref: refs/heads/main endpoint: xamarin - - repository: release-scripts - type: github - name: xamarin/release-scripts - ref: refs/heads/only_codesign - endpoint: xamarin - variables: - template: ../variables/common.yml - name: DisablePipelineConfigDetector
diff --git a/tools/devops/automation/templates/pipelines/run-tests-pipeline.yml b/tools/devops/automation/templates/pipelines/run-tests-pipeline.yml
index 10bb8c12a2aa..d40034d6782f 100644
--- a/tools/devops/automation/templates/pipelines/run-tests-pipeline.yml
+++ b/tools/devops/automation/templates/pipelines/run-tests-pipeline.yml
@@ -97,12 +97,6 @@ resources:
ref: refs/heads/main endpoint: xamarin - - repository: release-scripts - type: github - name: xamarin/release-scripts - ref: refs/heads/only_codesign - endpoint: xamarin - variables: - template: ../variables/common.yml - name: DisablePipelineConfigDetector
diff --git a/tools/devops/automation/templates/sign-and-notarized/artifact-github-comment.yml b/tools/devops/automation/templates/sign-and-notarized/artifact-github-comment.yml
deleted file mode 100644
index 75a7a6ae8731..000000000000
--- a/tools/devops/automation/templates/sign-and-notarized/artifact-github-comment.yml
+++ /dev/null
@@ -1,43 +0,0 @@
-# Job that will download the other artifact from the build and will add a comment with the contents.
-parameters:
-
-- name: isPR
- type: boolean
-
-- name: repositoryAlias
- type: string
- default: self
-
-- name: commit
- type: string
- default: HEAD
-
-steps:
-
-- template: ../common/checkout.yml
- parameters:
- isPR: ${{ parameters.isPR }}
- repositoryAlias: ${{ parameters.repositoryAlias }}
- commit: ${{ parameters.commit }}
-
-- template: ../build/download-artifacts.yml
- parameters:
- runTests: false # we do not run tests on builds
- enableAPIDiff: false # we do not run the api diff here.
-
-- pwsh: |
- Import-Module $Env:SYSTEM_DEFAULTWORKINGDIRECTORY\xamarin-macios\tools\devops\automation\scripts\MaciosCI.psd1
- $artifact = New-ArtifactsFromJsonFile -Path "$Env:ARTIFACTS_JSON_PATH"
- $gihubComments = New-GitHubCommentsObjectFromUrl -Url "$(Build.Repository.Uri)" -Token $Env:GITHUB_TOKEN -Hash $Env:COMMENT_HASH
- $result = $gihubComments.NewCommentFromObject("Artifacts", ":books:", $artifact, "artifacts")
- Write-Host $result
- env:
- GITHUB_TOKEN: $(GitHub.Token)
- ACCESSTOKEN: $(System.AccessToken)
- ${{ if eq(parameters.repositoryAlias, 'self') }}:
- COMMENT_HASH: $(GIT_HASH)
- ${{ else }}:
- COMMENT_HASH: $(Build.SourceVersion)
- displayName: 'Create github comment.'
- enabled: true
- timeoutInMinutes: 10
diff --git a/tools/devops/automation/templates/sign-and-notarized/funnel.yml b/tools/devops/automation/templates/sign-and-notarized/funnel.yml
deleted file mode 100644
index 36ed9035e0be..000000000000
--- a/tools/devops/automation/templates/sign-and-notarized/funnel.yml
+++ /dev/null
@@ -1,193 +0,0 @@
-# funnel job that will download all the signed artifacts and puts them in the final location -parameters: -- name: packages - type: object - -- name: isPR - type: boolean - -- name: repositoryAlias - type: string - default: self - -- name: commit - type: string - default: HEAD - -- name: uploadPrefix - type: string - default: '$(MaciosUploadPrefix)' - -jobs: -- job: funnel_job - displayName: 'Collect signed artifacts' - condition: and(not(failed()), not(canceled())) # default is succeded(), but that fails if there are any skipped jobs, so change the condition to !failed && !cancelled - timeoutInMinutes: 1000 - variables: - AgentPoolComputed: $[ stageDependencies.configure_build.AgentPoolSelector.outputs['setAgentPool.AgentPoolComputed'] ] - ${{ each pkg in parameters.packages }}: - ${{ pkg.conditionVariable }}: $[ stageDependencies.configure_build.configure.outputs['configure_platforms.${{ pkg.conditionVariable }}'] ] - - pool: - os: macOS - name: $(AgentPoolComputed) - - steps: - - # DO NOT USE THE checkout.yml template.
The reason is that the template changes the hash which results in a problem with the artifacts scripts - - template: sdk-unified/steps/checkout/v1.yml@yaml-templates - parameters: - resource: ${{ parameters.repositoryAlias }} - commit: ${{ parameters.commit }} - clean: true - submodules: recursive - path: s/xamarin-macios - - - checkout: maccore - clean: true - persistCredentials: true # hugely important, else there are some scripts that check a single file from maccore that will fail - - - checkout: yaml-templates - clean: true - - - checkout: release-scripts - clean: true - - - pwsh: $(System.DefaultWorkingDirectory)/xamarin-macios/tools/devops/automation/scripts/show_env.ps1 - displayName: 'Show Environment' - - - bash: | - sudo rm -Rf $(Build.SourcesDirectory)/package - sudo rm -Rf $(Build.SourcesDirectory)/classic-*-signed - sudo rm -Rf $(Build.SourcesDirectory)/package-internal - displayName: "Remove artifacts" - condition: always() - - - bash: | - mkdir -p $(Build.SourcesDirectory)/package/notarized - displayName: 'Create target directories.' - - - ${{ each pkg in parameters.packages }}: - - task: DownloadPipelineArtifact@2 - displayName: Download notarized build ${{ pkg.name }} - condition: ne('', variables['${{ pkg.conditionVariable }}']) - inputs: - artifact: '${{ parameters.uploadPrefix }}classic-${{ pkg.name }}-signed' - allowFailedBuilds: true - path: '$(Build.ArtifactStagingDirectory)/classic-${{ pkg.name }}-signed' - - - bash: | - set -x - set -e - - FULL_PATH="$(Build.ArtifactStagingDirectory)/classic-${{ pkg.name }}-signed" - ls -lR $FULL_PATH - cp -a "$FULL_PATH/." 
"$(Build.SourcesDirectory)/package" - displayName: 'Move pkg ${{ pkg.name }} to its final destination' - condition: ne('', variables['${{ pkg.conditionVariable }}']) - - - template: generate-workspace-info.yml@yaml-templates - parameters: - GitHubToken: $(GitHub.Token) - ArtifactDirectory: $(Build.SourcesDirectory)/package-internal - - # download workload json and add it to out package internal dir, this allows the rest of jobs - # not to need several artifacts but just package-internal - - task: DownloadPipelineArtifact@2 - displayName: Download WorkloadRollback.json - inputs: - patterns: '**/WorkloadRollback.json' - allowFailedBuilds: true - path: $(Build.SourcesDirectory)/package-internal - - - task: 1ES.PublishPipelineArtifact@1 - displayName: 'Publish Build Artifacts (notarized)' - inputs: - path: $(Build.SourcesDirectory)/package-internal - artifact: '${{ parameters.uploadPrefix }}package-internal' - continueOnError: true - - # download msbuild.zip and bundle.zip to the 'package' dir, so that they're uploaded into the 'package' artifact, - # since we later depend on these files being there later. - - task: DownloadPipelineArtifact@2 - displayName: Download msbuild.zip and bundle.zip - inputs: - patterns: | - not-signed-package/msbuild.zip - not-signed-package/bundle.zip - allowFailedBuilds: true - path: $(Build.SourcesDirectory)/not-signed-package - - - bash: | - set -x - set -e - ls -la "$BUILD_SOURCESDIRECTORY"/not-signed-package - cp "$BUILD_SOURCESDIRECTORY"/not-signed-package/not-signed-package/*.zip "$BUILD_SOURCESDIRECTORY"/package - ls -la "$BUILD_SOURCESDIRECTORY"/package - displayName: Copy msbuild.zip and bundle.zip to the package artifact - - - task: 1ES.PublishPipelineArtifact@1 - displayName: 'Publish Build Artifacts (notarized)' - inputs: - path: $(Build.SourcesDirectory)/package - artifact: '${{ parameters.uploadPrefix }}package' - continueOnError: true - -# This job uploads the pkgs generated by the build step in the azure blob storage. 
This has to be done in a different job -# because the azure blob storate tools DO NOT work on mac OS meaning that we need a bot running Windows. build uploads the contents -# to the pipeline artefacts and we download and upload to azure in this job. -- job: upload_azure_blob - displayName: 'Upload packages to Azure & SBOM' - timeoutInMinutes: 1000 - templateContext: # disable some of the sdl tasks for this job - sdl: - credscan: # run in the sdl stage - enabled: false - binskim: # job does not compile anything - enabled: false - eslint: # no js or anything similar - enabled: false - bandit: # we have no python - enabled: false - dependsOn: - - funnel_job - condition: and(not(failed()), not(canceled())) # default is succeded(), but that fails if there are any skipped jobs, so change the condition to !failed && !cancelled - - variables: - Parameters.outputStorageUri: '' - SKIP_NUGETS: $[ stageDependencies.configure_build.configure.outputs['labels.skip_nugets'] ] - INCLUDE_LEGACY_IOS: $[ stageDependencies.configure_build.configure.outputs['configure_platforms.INCLUDE_LEGACY_IOS'] ] - INCLUDE_LEGACY_MAC: $[ stageDependencies.configure_build.configure.outputs['configure_platforms.INCLUDE_LEGACY_MAC'] ] - - pool: - name: azurepipelines-EO - demands: - - ImageOverride -equals 1ESPT-Windows2022 - steps: - - template: upload-azure.yml - parameters: - repositoryAlias: ${{ parameters.repositoryAlias }} - commit: ${{ parameters.commit }} - sbomFilter: '*.nupkg;*.pkg;*.msi' - -# Job that runs on a vm that downloads the artifacts information and adds a github comment pointing to the results of the build. 
-- job: artifacts_github_comment - displayName: 'Publish GitHub Comment - Artifacts' - timeoutInMinutes: 1000 - dependsOn: - - upload_azure_blob - condition: succeededOrFailed() - variables: - PR_ID: $[ stageDependencies.configure_build.configure.outputs['labels.pr_number'] ] - TESTS_BOT: $[ stageDependencies.build_packages.build.outputs['build.TESTS_BOT'] ] # we build in a diff bot than the ones used for the comments - GIT_HASH: $[ stageDependencies.build_packages.build.outputs['fix_commit.GIT_HASH'] ] - pool: - name: AzurePipelines-EO - demands: - - ImageOverride -equals 1ESPT-Windows2022 - steps: - - template: artifact-github-comment.yml - parameters: - isPR: ${{ parameters.isPR }} - repositoryAlias: ${{ parameters.repositoryAlias }} - commit: ${{ parameters.commit }}
diff --git a/tools/devops/automation/templates/sign-and-notarized/prepare-pkg-stage.yml b/tools/devops/automation/templates/sign-and-notarized/prepare-pkg-stage.yml
deleted file mode 100644
index 54c4bf3a98e5..000000000000
--- a/tools/devops/automation/templates/sign-and-notarized/prepare-pkg-stage.yml
+++ /dev/null
@@ -1,50 +0,0 @@
-parameters:
-
-- name: keyringPass
- type: string
-
-- name: skipESRP
- type: boolean
- default: false # only to be used when testing the CI and we do not need a signed pkg
-
-- name: signingSetupSteps
- type: stepList
- default: []
-
-- name: isPR
- type: boolean
-
-- name: repositoryAlias
- type: string
- default: self
-
-- name: commit
- type: string
- default: HEAD
-
-- name: packages
- type: object
- default: []
-
-jobs:
-- ${{ each pkg in parameters.packages }}:
- - job: ${{ pkg.job }}
- dependsOn:
- displayName: 'Sign & Notarize ${{ pkg.name }}'
- condition: ne(stageDependencies.configure_build.configure.outputs['configure_platforms.${{ pkg.conditionVariable }}'],'')
- timeoutInMinutes: 1000
- pool:
- name: 'VSEng-Xamarin-RedmondMacBuildPool-iOS-Trusted' # always use the trusted pool for signing.
- os: macOS
-
- steps:
- - template: sign-and-notarized.yml
- parameters:
- isPR: ${{ parameters.isPR }}
- repositoryAlias: ${{ parameters.repositoryAlias }}
- commit: ${{ parameters.commit }}
- signingSetupSteps: ${{ parameters.signingSetupSteps }}
- keyringPass: ${{ parameters.keyringPass }}
- skipESRP: ${{ parameters.skipESRP }}
- packageName: ${{ pkg.name }}
- packagePattern: ${{ pkg.pattern }}
diff --git a/tools/devops/automation/templates/sign-and-notarized/setup.yml b/tools/devops/automation/templates/sign-and-notarized/setup.yml
deleted file mode 100644
index b6c212bf4f7a..000000000000
--- a/tools/devops/automation/templates/sign-and-notarized/setup.yml
+++ /dev/null
@@ -1,77 +0,0 @@
-# template that setups all the diff plugins needed to perform the sign and notarize step
-parameters:
-
-- name: signatureType
- type: string
- default: 'Real'
-
-- name: isPR
- type: boolean
-
-- name: repositoryAlias
- type: string
- default: self
-
-- name: commit
- type: string
- default: HEAD
-
-- name: condition
- default: succeeded()
-
-steps:
-
-# DO NOT USE THE checkout.yml template. The reason is that the template changes the hash which results in a problem with the artifacts scripts
-- template: sdk-unified/steps/checkout/v1.yml@yaml-templates
- parameters:
- resource: ${{ parameters.repositoryAlias }}
- commit: ${{ parameters.commit }}
- clean: true
- submodules: recursive
- path: s/xamarin-macios
-
-- checkout: maccore
- clean: true
- persistCredentials: true # hugely important, else there are some scripts that check a single file from maccore that will fail
-
-- checkout: yaml-templates
- clean: true
-
-- checkout: release-scripts
- clean: true
-
-# the ddsign plugin needs this version or it will crash and will make the sign step fail
-
-- ${{ if eq(parameters.isPR, false) }}:
- - task: UsePythonVersion@0
- inputs:
- versionSpec: '3.11.x'
-
- - task: UseDotNet@2
- inputs:
- packageType: sdk
- version: 3.x
- displayName: 'Install .NET Core SDK 3.x needed for ESRP'
-
- - pwsh: $(System.DefaultWorkingDirectory)/xamarin-macios/tools/devops/automation/scripts/show_env.ps1
- displayName: 'Show Environment'
-
- - task: MicroBuildSigningPlugin@4
- displayName: 'Install Signing Plugin'
- inputs:
- signType: '${{ parameters.signatureType }}'
- azureSubscription: $(MicrobuildConnector)
- zipSources: false # we do not use the feature and makes the installation to last 10/12 mins instead of < 1 min
- env:
- SYSTEM_ACCESSTOKEN: $(System.AccessToken)
- condition: ${{ parameters.condition }}
-
- - task: MicroBuildSigningPlugin@4
- displayName: 'Install Notarizing Plugin'
- inputs:
- signType: 'Real' # test is not present for mac..
- azureSubscription: $(MicrobuildConnector)
- zipSources: false # we do not use the feature and makes the installation to last 10/12 mins instead of < 1 min
- env:
- SYSTEM_ACCESSTOKEN: $(System.AccessToken)
- condition: ${{ parameters.condition }}
diff --git a/tools/devops/automation/templates/sign-and-notarized/sign-and-notarized.yml b/tools/devops/automation/templates/sign-and-notarized/sign-and-notarized.yml
deleted file mode 100644
index d4b403888828..000000000000
--- a/tools/devops/automation/templates/sign-and-notarized/sign-and-notarized.yml
+++ /dev/null
@@ -1,136 +0,0 @@
-# Provides all the steps to sign and notarize pks and msi -parameters: - -- name: signatureType - type: string - default: 'Real' - -- name: skipESRP - type: boolean - default: false # only to be used when testing the CI and we do not need a signed pkg - -- name: keyringPass - type: string - -- name: packageName - type: string - -- name: packagePattern - type: string - -- name: condition - default: succeeded() - -- name: signingSetupSteps - type: stepList - default: [] - -- name: isPR - type: boolean - -- name: repositoryAlias - type: string - default: self - -- name: commit - type: string - default: HEAD - -- name: uploadPrefix - type: string - default: '$(MaciosUploadPrefix)' - -steps: - -- ${{ each step in parameters.signingSetupSteps }}: - - ${{ each pair in step }}: - ${{ pair.key }}: ${{ pair.value }} - -- bash: | - sudo rm -Rf $(Build.SourcesDirectory)/package - displayName: "Remove artifacts" - condition: always() - -- task: DownloadPipelineArtifact@2 - displayName: Download not notarized build - inputs: - artifact: '${{ parameters.uploadPrefix }}not-signed-package' - patterns: ${{ parameters.packagePattern }} - allowFailedBuilds: true - path: $(Build.SourcesDirectory)/package - -- bash: | - set -x - set -e - - PACKAGES=$(find $(Build.SourcesDirectory)/package -type f -name "${{ parameters.packagePattern }}" | xargs basename) - if [ -z "$PACKAGES" ]; then - echo "Packages ${{ parameters.packageName }} not found."
- else - PACKAGES_PATH="$(Build.SourcesDirectory)/package/$PACKAGES" - set +x - echo "##vso[task.setvariable variable=PACKAGES;]$PACKAGES_PATH" - echo "${{ parameters.packageName }} package found at $PACKAGES_PATH" - set -x - fi - displayName: 'Retrieve packages to sign' - condition: ${{ parameters.condition }} - timeoutInMinutes: 180 - -- bash: $(Build.SourcesDirectory)/xamarin-macios/tools/devops/automation/scripts/disable-codeql-arm64.sh - displayName: 'Disable CodeQL' - name: disableCodeQLOnArm64 - -- ${{ if and(eq(parameters.skipESRP, false), eq(parameters.isPR, false)) }}: - - bash: | - set -exo pipefail - if [[ "$SYSTEM_DEBUG" == "true" ]]; then - export ESRP_TEMP="$WORKING_DIR/esrp" - echo "Temp dir is $ESRP_TEMP" - mkdir -p "$ESRP_TEMP" - fi - - echo "$PACKAGES" | xargs -t python3 $(Build.SourcesDirectory)/release-scripts/esrp_sign.py -vv -c "8025" -d $(Build.SourcesDirectory)/package/notarized -e "$MAC_ENTITLEMENTS" - ls -R $(Build.SourcesDirectory)/package - env: - WORKING_DIR: $(System.DefaultWorkingDirectory) - PRODUCTSIGN_KEYCHAIN_PASSWORD: ${{ parameters.keyringPass }} - MAC_ENTITLEMENTS: $(Build.SourcesDirectory)/xamarin-macios/mac-entitlements.plist - name: notarize - displayName: 'Signing Release Build (ESRP)' - timeoutInMinutes: 180 - condition: ${{ parameters.condition }} - -- ${{ if eq(parameters.isPR, false) }}: - - task: ArchiveFiles@1 - displayName: 'Archive ESRP temp' - inputs: - rootFolder: '$(System.DefaultWorkingDirectory)/esrp' - includeRootFolder: false - archiveFile: '$(Build.ArtifactStagingDirectory)/esrp.zip' - continueOnError: true - condition: ${{ and(eq(parameters.condition, true), eq(variables['System.debug'], 'true')) }} - - # Upload the esrp temp dir - - task: 1ES.PublishPipelineArtifact@1 - displayName: 'Publish Artifact: ESRP temp' - inputs: - path: '$(Build.ArtifactStagingDirectory)/esrp.zip' - artifact: '${{ parameters.uploadPrefix }}ESRP-tmp-${{ parameters.packageName }}' - continueOnError: true - condition: ${{ 
and(eq(parameters.condition, true), eq(variables['System.debug'], 'true')) }} - -- ${{ if eq(parameters.isPR, false) }}: - - task: PowerShell@2 - inputs: - filePath: $(Build.SourcesDirectory)/xamarin-macios/tools/devops/automation/scripts/notarize.ps1 - displayName: 'Notarize & verify packages (ESRP)' - condition: ${{ parameters.condition }} - -# always upload no matter what, since if we are not signing we need the artifact in the pipeline -- task: 1ES.PublishPipelineArtifact@1 - displayName: 'Publish Notarized Classic Artifacts' - inputs: - path: $(Build.SourcesDirectory)/package - artifact: '${{ parameters.uploadPrefix }}classic-${{ parameters.packageName }}-signed' - continueOnError: true
diff --git a/tools/devops/automation/templates/sign-and-notarized/upload-azure.yml b/tools/devops/automation/templates/sign-and-notarized/upload-azure.yml
deleted file mode 100644
index 24aa23ad50d0..000000000000
--- a/tools/devops/automation/templates/sign-and-notarized/upload-azure.yml
+++ /dev/null
@@ -1,327 +0,0 @@
-parameters:
-- name: sbomFilter
- type: string
- default: '*' # Supports multiple filters separated by semi-colon such as *.msi;*.nupkg
-
-- name: repositoryAlias
- type: string
- default: self
-
-- name: commit
- type: string
- default: HEAD
-
-- name: uploadPrefix
- type: string
- default: '$(MaciosUploadPrefix)'
-
-- name: packages
- type: object
- default: [
- "package",
- ]
-
-steps:
-# Do not use the templates/common/checkout.yaml for this job else the azure upload tool will fail because
-# it cannot find the correct branch to be used.
-- template: sdk-unified/steps/checkout/v1.yml@yaml-templates
- parameters:
- resource: ${{ parameters.repositoryAlias }}
- commit: ${{ parameters.commit }}
- clean: true
- persistCredentials: true
- path: s/xamarin-macios
-
-- checkout: maccore
- clean: true
- persistCredentials: true # hugely important, else there are some scripts that check a single file from maccore that will fail
-
-# checkout an extra repo to ensure that we have the same tree structure in the working directory in all pipelines.
-# if you delete this checkout the unified pipeline will have issues.
-- checkout: yaml-templates
- clean: true
-
-- pwsh: |
- if (Test-Path "$Env:SYSTEM_DEFAULTWORKINGDIRECTORY/artifacts" -PathType Container) {
- Remove-Item -Path "$Env:BUILD_SOURCESDIRECTORY/artifacts" -Force -Recurse
- }
- displayName: "Remove artifacts"
- condition: always()
-
-# Download the Html Report that was added by the tests job.
-- ${{ each pkg in parameters.packages }}:
- - task: DownloadPipelineArtifact@2
- displayName: Download packages
- inputs:
- artifactName: ${{ parameters.uploadPrefix }}${{ pkg }}
- allowFailedBuilds: true
- path: $(Build.SourcesDirectory)/artifacts/${{ parameters.uploadPrefix }}${{ pkg }}
-
-- pwsh: |
- Get-ChildItem -Path "$(Build.SourcesDirectory)\\artifacts"
- displayName: "Show downloaded artifacts"
-
-- pwsh: |
- $DropServiceUrl = "https://devdiv.artifacts.visualstudio.com/DefaultCollection"
- $StatusDropUrl = "https://vsdrop.microsoft.com/file/v1"
- $BuildShortHash = "$(Build.SourceVersion)".subString(0, 7)
- $ProjectPathUrl = "Products/$(System.TeamProject)/$(Build.Repository.Name)/$(Build.SourceBranchName)/$BuildShortHash/$(Build.BuildId)"
- $PackagePrefix = "$StatusDropUrl/$ProjectPathUrl/${{ parameters.uploadPrefix }}package"
-
- Write-Host "##vso[task.setvariable variable=PackagePrefix]$PackagePrefix"
- displayName: "Set drop status URL variables"
-
-- pwsh: |
- $files = Get-ChildItem -Path "$(Build.SourcesDirectory)\\artifacts\\${{ parameters.uploadPrefix }}package" -File -Force -Name
- $manifestFile = "$(Build.SourcesDirectory)\\artifacts\${{ parameters.uploadPrefix }}package\\manifest"
- foreach ($f in $files) {
- Add-Content -Path "$manifestFile" -Value "$(PackagePrefix);$f"
- }
- Add-Content -Path "$manifestFile" -Value "$(PackagePrefix);$artifacts.json"
- Add-Content -Path "$manifestFile" -Value "$(PackagePrefix);manifest"
- env:
- VIRTUAL_PATH: $(Build.SourceBranchName)/$(Build.SourceVersion)/$(Build.BuildId)
- displayName: "Build manifest"
-
-# Important needed for the next step
-- template: generate-workspace-info.yml@yaml-templates
- parameters:
- GitHubToken: $(GitHub.Token)
- ArtifactDirectory: $(Build.SourcesDirectory)/${{ parameters.uploadPrefix }}package-internal
-
-- template: upload-to-drop/v1.yml@yaml-templates
- parameters:
- SourcesDirectory: $(Build.SourcesDirectory)/xamarin-macios
- ArtifactsDirectory: 
$(Build.SourcesDirectory)/artifacts/${{ parameters.uploadPrefix }}package
- Azure.DropPrefix: ${{ parameters.uploadPrefix }}package
- GitHub.Context: 'vsts-devdiv artifacts'
-
-- pwsh: $(System.DefaultWorkingDirectory)/xamarin-macios/tools/devops/automation/scripts/show_env.ps1
- displayName: 'Show Environment'
-
-- pwsh: |
- Import-Module $Env:SYSTEM_DEFAULTWORKINGDIRECTORY\\xamarin-macios\\tools\\devops\\automation\\scripts\\MaciosCI.psd1
- $statuses = New-GitHubStatusesObjectFromUrl -Url "$(Build.Repository.Uri)" -Token $(GitHub.Token)
-
- Dir "$(Build.SourcesDirectory)\\artifacts\\${{ parameters.uploadPrefix }}package"
-
- # the azure step sets the env variable, but it points to the wrong url since it uses the one in bosstorage, we
- # need to use the dl version.
- $pkgsVirtualUrl = "$(PackagePrefix)"
- Write-Host "Urls is $pkgsVirtualUrl"
-
- $pkgsPath = "$(Build.SourcesDirectory)\\artifacts\\${{ parameters.uploadPrefix }}package"
-
- $iOSPkg = Get-ChildItem -Path $pkgsPath -File -Force -Name xamarin.ios-*.pkg
- Write-Host "iOS PKG is $iOSPkg"
-
-
- if ($Env:BUILD_REASON -eq "PullRequest") {
- $notarizedShouldExist = $false;
- } else {
- $notarizedShouldExist = $true;
- }
-
- # create an array with objects so that we can set each of the statuses:
- if (![string]::IsNullOrEmpty($Env:INCLUDE_LEGACY_IOS)) {
- $iOSPkg = Get-ChildItem -Path $pkgsPath -File -Force -Name xamarin.ios-*.pkg
- Write-Host "iOS PKG is $iOSPkg"
-
- $statusInfo += @(
- @{
- Path = "$pkgsPath\\$iOSPkg";
- Context = "PKG-Xamarin.iOS";
- Description = $iOSPkg;
- TargetUrl = "$pkgsVirtualUrl;$iOSPkg";
- Error = "xamarin.ios pkg not found";
- ShouldExist = $true;
- },
- @{
- Path = "$pkgsPath\\notarized\\xamarin.ios-*.pkg";
- Context = "PKG-Xamarin.iOS-notarized"
- Description = "$iOSPkg (Notarized)" ;
- TargetUrl = "$pkgsVirtualUrl/notarized;$iOSPkg" ;
- Error = "Notarized xamarin.ios pkg not found" ;
- ShouldExist = $notarizedShouldExist;
- }
- )
- } else {
- Write-Host "Legacy iOS build is 
disabled"
- }
-
- if (![string]::IsNullOrEmpty($Env:INCLUDE_LEGACY_MAC)) {
- $macPkg = Get-ChildItem -Path $pkgsPath -File -Force -Name xamarin.mac-*.pkg
- Write-Host "mac PKG is $macPkg"
-
- $statusInfo += @(
- @{
- Path = "$pkgsPath\\xamarin.mac-*.pkg" ;
- Context = "PKG-Xamarin.Mac" ;
- Description = "$macPkg" ;
- TargetUrl = "$pkgsVirtualUrl;$macPkg" ;
- Error = "xamarin.mac pkg not found." ;
- ShouldExist = $true;
- },
- @{
- Path = "$pkgsPath\\notarized\\xamarin.mac-*.pkg" ;
- Context = "PKG-Xamarin.Mac-notarized" ;
- Description = "$macPkg (Notarized)" ;
- TargetUrl = "$pkgsVirtualUrl/notarized;$macPkg" ;
- Error = "Notarized xamarin.mac pkg not found." ;
- ShouldExist = $notarizedShouldExist;
- }
- )
- } else {
- Write-Host "Legacy macOS build is disabled"
- }
-
- # bundle.zip and msbuild.zip should always exist
- $statusInfo += @(
- @{
- Path = "$pkgsPath\\bundle.zip" ;
- Context = "bundle.zip" ;
- Description = "bundle.zip" ;
- TargetUrl = "$pkgsVirtualUrl;bundle.zip" ;
- Error = "bundle.zip not found." ;
- ShouldExist = $true;
- },
- @{
- Path = "$pkgsPath\msbuild.zip" ;
- Context = "msbuild.zip" ;
- Description = "msbuild.zip" ;
- TargetUrl = "$pkgsVirtualUrl;msbuild.zip" ;
- Error = "msbuild.zip not found." 
;
- ShouldExist = $true;
- }
- )
-
- foreach ($info in $statusInfo) {
- if (Test-Path $info.Path -PathType Leaf) {
- $statuses.SetStatus("success", $info.Description, $info.Context, $info.TargetUrl)
- } elseif ($info.ShouldExist) {
- $statuses.SetStatus("error", $info.Error, $info.Context)
- }
- }
-
- $msi = Get-ChildItem -Path $pkgsPath -Filter *.msi -File -Name
-
- foreach ($n in $msi) {
- $statuses.SetStatus("success", "$n", "$n", "$pkgsVirtualUrl;$n")
- }
-
- Write-Host "Setting SBOM.PackagesPath: ${pkgsPath}"
- Write-Host "##vso[task.setvariable variable=SBOM.PackagesPath]$pkgsPath"
- env:
- GITHUB_TOKEN: $(GitHub.Token)
- ACCESSTOKEN: $(System.AccessToken)
- VIRTUAL_PATH: $(Build.SourceBranchName)/$(Build.SourceVersion)/$(Build.BuildId)
- displayName: 'Set GithubStatus'
-
-# Executive Order (EO): Software Bill of Materials (SBOM): https://www.1eswiki.com/wiki/ADO_sbom_Generator
-- pwsh: |
- # https://stackoverflow.com/questions/188892/glob-pattern-matching-in-net
- function Is-Match([string] $Text, [string] $Filter)
- {
- $isMatch = $false
-
- $regexGlobEquivalent = [Regex]::Escape($Filter).Replace("\*", ".*").Replace("\?", ".")
- $pattern = "^${regexGlobEquivalent}$"
-
- # https://stackoverflow.com/questions/42700341/how-can-i-use-powershell-to-do-a-net-regex-matches-method-and-add-a-timeout
- $regEx = New-Object -TypeName regex -ArgumentList $pattern, ([Text.RegularExpressions.RegexOptions]::Singleline, [Text.RegularExpressions.RegexOptions]::IgnoreCase)
- $isMatch = $regEx.IsMatch($Text)
-
- return $isMatch
- }
-
- $filter = "${{ parameters.sbomFilter }}"
- Write-Host "sbomFilter: ${filter}"
-
- $sbomStagingDirectory = "$(Build.ArtifactStagingDirectory)/sbom"
- Write-Host "Creating SBOM staging directory: ${sbomStagingDirectory}"
-
- if (-not ([IO.Directory]::Exists($sbomStagingDirectory))) {
- [IO.Directory]::CreateDirectory($sbomStagingDirectory)
- }
-
- $pkgsPath = "$(SBOM.PackagesPath)"
- Write-Host "Packages path: ${pkgsPath}"
-
- if 
([string]::IsNullOrEmpty($filter)) {
- $filter = '*' # Even if the caller attempts to force the parameter to an empty string treat empty as all '*'
- }
-
- $filters = $filter.Split(';', [StringSplitOptions]::RemoveEmptyEntries)
- Write-Host "Copying files based on ${filter}"
-
- $files = [IO.Directory]::GetFiles($pkgsPath)
- $files | foreach {
- $filename = [IO.Path]::GetFileName($_)
- $isMatch = $false
- $filters | foreach {
- if (-not $isMatch) {
- $isMatch = Is-Match -Text $filename -Filter $_
- }
- }
-
- if ($isMatch) {
- $destPathAndFilename = [IO.Path]::Combine($sbomStagingDirectory, $filename)
- Write-Host "Copying $_ to ${destPathAndFilename}. Filter: ${filter}"
- [IO.File]::Copy($_, $destPathAndFilename)
- } else {
- Write-Host "Skipped file copy based on filter ${filter}: $(unknown)"
- }
- }
- displayName: 'SBOM: Staging'
-
-- pwsh: |
- function Get-PackageFileNames([string] $PkgsPath) {
- $files = [IO.Directory]::GetFiles($PkgsPath)
- $pkgFiles = $files | foreach { [IO.Path]::GetFileName($_) }
- return $pkgFiles
- }
-
- $pkgsPath = "$(SBOM.PackagesPath)"
- Write-Host "Packages path: ${pkgsPath}"
-
- $packageFileNames = Get-PackageFileNames -PkgsPath $pkgsPath
- $packageFileNames = @($packageFileNames)
- Write-Host "Package files: $($packageFileNames.Count)"
- $packageFileNames | foreach { Write-Host $_ }
-
- Write-Host "Setting SBOM.ProductName: Xamarin iOS"
- Write-Host "##vso[task.setvariable variable=SBOM.ProductName]Xamarin iOS" # SBOM generation only lets us use a single package name and so choose 'Xamarin iOS' instead of 'Xamarin Mac'
-
- $sbomManifestVersion = "$(Build.BuildId)"
- Write-Host "Setting SBOM.ProductVersion to the build number: ${sbomManifestVersion}"
- Write-Host "##vso[task.setvariable variable=SBOM.ProductVersion]$sbomManifestVersion"
- displayName: 'SBOM: Set ProductVersion'
-
-- task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0
- displayName: 'SBOM: Generation'
- inputs:
- 
BuildDropPath: '$(Build.ArtifactStagingDirectory)/sbom'
- PackageName: '$(SBOM.ProductName)'
- PackageVersion: '$(SBOM.ProductVersion)'
- Verbosity: Verbose
-
-- pwsh: |
- # The pkg files are already included under the drop-x64 and drop-arm locations
- # We only needed them temporarily here as a means to produce the Software Bill of Materials (SBOM) manifest
- # No need to include the pkg files (and duplicate them) in the SBOM drop
- $sbomStagingDirectory = "$(Build.ArtifactStagingDirectory)/sbom"
-
- # Delete all top-level package files. This should leave the SBOM '_manifest' directory intact
- $pkgFiles = [IO.Directory]::GetFiles($sbomStagingDirectory)
- $pkgFiles | foreach {
- Write-Host "Deleting PKG: $_"
- [IO.File]::Delete($_)
- }
- displayName: 'SBOM: Cleanup'
-
-- task: 1ES.PublishPipelineArtifact@1
- displayName: 'SBOM: Publish'
- inputs:
- artifact: '${{ parameters.uploadPrefix }}sbom'
- path: $(Build.ArtifactStagingDirectory)/sbom
- condition: succeeded()
diff --git a/tools/devops/automation/vs-insertion.yml b/tools/devops/automation/vs-insertion.yml
index 177ae4456788..31d7d1b7d754 100644
--- a/tools/devops/automation/vs-insertion.yml
+++ b/tools/devops/automation/vs-insertion.yml
@@ -21,12 +21,6 @@ resources:
ref: refs/heads/main
endpoint: xamarin
- - repository: release-scripts
- type: github
- name: xamarin/release-scripts
- ref: refs/heads/sign-and-notarized
- endpoint: xamarin
-
# we need all stages to be completed, else we do not have the test results, this trigger is just for CI, because we have
# but because we have device issues, and it needs to be gree to trigger, we will deal with it later
pipelines: