diff --git a/.vsts-ci/azure-pipelines-ci.yml b/.vsts-ci/azure-pipelines-ci.yml index 6a84ed6..74682b7 100644 --- a/.vsts-ci/azure-pipelines-ci.yml +++ b/.vsts-ci/azure-pipelines-ci.yml @@ -9,33 +9,22 @@ pr: branches: include: - master - - feature-* - paths: - exclude: - - /.dependabot/* - - /.poshchan/* - - /.github/**/* - - /.vscode/**/* - - /.vsts-ci/misc-analysis.yml - - /tools/**/* - - .editorconfig - - .gitattributes - - .gitignore - - /docs/**/* - - /CHANGELOG.md - - /CONTRIBUTING.md - - /README.md - - /LICENSE.txt - - /CODE_OF_CONDUCT.md + +resources: + repositories: + - repository: ComplianceRepo + type: github + endpoint: ComplianceGHRepo + name: PowerShell/compliance stages: - stage: Build - displayName: Build PowerShell Package + displayName: Build PSDesiredStateConfiguration module jobs: - job: BuildPkg displayName: Build Package pool: - vmImage: windows-2019 + vmImage: windows-latest steps: - template: templates/ci-build.yml - pwsh: | @@ -46,33 +35,4 @@ stages: - pwsh: | $(Build.SourcesDirectory)/build.ps1 -Publish -Signed displayName: Publish - timeoutInMinutes: 10 - -- stage: Test - displayName: Test Package - jobs: - - template: templates/ci-test.yml - parameters: - jobName: TestPkgWin - displayName: PowerShell Core on Windows - imageName: windows-2019 - - # Not supported on Windows PowerShell per PSD1 - # - template: test.yml - # parameters: - # jobName: TestPkgWinPS - # displayName: Windows PowerShell on Windows - # imageName: windows-2019 - # powershellExecutable: powershell - - - template: templates/ci-test.yml - parameters: - jobName: TestPkgUbuntu16 - displayName: PowerShell Core on Ubuntu 16.04 - imageName: ubuntu-16.04 - - - template: templates/ci-test.yml - parameters: - jobName: TestPkgWinMacOS - displayName: PowerShell Core on macOS - imageName: macOS-10.14 + timeoutInMinutes: 10 \ No newline at end of file diff --git a/.vsts-ci/azure-pipelines-release.yml b/.vsts-ci/azure-pipelines-release.yml index 281711e..7050094 100644 
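Review bot: `vmImage: windows-latest` replaces the pinned `windows-2019` image in the BuildPkg job, so the PR build now runs on whichever image the hosted pool currently aliases as latest and can change without a commit; for a pipeline that also runs `build.ps1 -Publish -Signed` further down this file, a pinned image (or a comment stating that image drift is acceptable) keeps builds reproducible. The new `resources.repositories` entry for `ComplianceRepo` is not referenced by anything in the visible hunks of this CI file; if `templates/ci-build.yml` does not use `@ComplianceRepo` either, the resource and its `ComplianceGHRepo` service-connection dependency can be dropped from the PR pipeline. The `pr.branches.include` list also loses `feature-*`, which is worth recording with a one-line comment above `include:` such as `# PR validation runs only for pull requests targeting master`.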
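Review bot: The whole Test stage (the Windows, Ubuntu 16.04 and macOS instances of `templates/ci-test.yml`) is removed with no replacement in this hunk, so after this change the PR pipeline builds and publishes a package without running any tests. If testing moved elsewhere, a comment beside the Build stage naming where tests now run would save the next reader a search; if it did not, the removal deserves a sentence of justification in the commit description. The file now also ends without a trailing newline after `timeoutInMinutes: 10` (see the `\ No newline at end of file` marker), which yamllint's `new-line-at-end-of-file` rule will flag.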
--- a/.vsts-ci/azure-pipelines-release.yml +++ b/.vsts-ci/azure-pipelines-release.yml @@ -1,36 +1,24 @@ name: $(BuildDefinitionName)_$(date:yyMM).$(date:dd)$(rev:rrr) -trigger: - batch: true - branches: - include: - - master - paths: - exclude: - - /.dependabot/* - - /.poshchan/* - - /.github/**/* - - /.vscode/**/* - - /.vsts-ci/misc-analysis.yml - - /tools/**/* - - .editorconfig - - .gitattributes - - .gitignore - - /docs/**/* - - /CHANGELOG.md - - /CONTRIBUTING.md - - /README.md - - /LICENSE.txt - - /CODE_OF_CONDUCT.md +trigger: none + +resources: + repositories: + - repository: ComplianceRepo + type: github + endpoint: ComplianceGHRepo + name: PowerShell/compliance stages: - stage: Build - displayName: Build PowerShell Package + displayName: Build PSDesiredStateConfiguration module + pool: + name: Package ES CodeHub Lab E jobs: - job: BuildPkg displayName: Build Package - pool: - name: 'Package ES CodeHub Lab E' + variables: + - group: ESRP steps: - powershell: | $powerShellPath = Join-Path -Path $env:AGENT_TEMPDIRECTORY -ChildPath 'powershell' 
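Review bot: `trigger: none` turns the release pipeline into a manually queued one, but nothing in the hunk says so; since the branch/path-filtered `trigger` block is deleted in the same change, a one-line note above it such as `# Release builds are queued manually; PR validation lives in azure-pipelines-ci.yml` would record the intent. The `pool` block moves from the BuildPkg job to the Build stage and loses its quotes (`name: Package ES CodeHub Lab E`); a plain scalar containing spaces is valid YAML, so this is style only, but keeping the previously quoted form avoids a spurious diff later. Attaching the `ESRP` variable group at job scope rather than pipeline scope is the appropriate scoping for signing credentials and is worth keeping that way as the file evolves.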
@@ -41,110 +29,158 @@ stages: Write-Host "##$vstsCommandString" displayName: Install PowerShell Core - - task: PkgESSetupBuild@10 - displayName: 'Package ES - Setup Build' + - task: NuGetToolInstaller@1 + displayName: 'Install NuGet 5.9.1' inputs: - productName: PSDesiredStateConfiguration + checkLatest: false + version: 5.9.1 - - template: templates/shouldsign.yml - - - powershell: | + - pwsh: | Get-ChildItem -Path env: - displayName: Capture environment + displayName: Capture environment for build condition: succeededOrFailed() - - template: templates/ci-build.yml - - - powershell: | - Write-Verbose "BUILD_OUTPUT_PATH- $env:BUILD_OUTPUT_PATH" -Verbose - Write-Verbose "SIGNED_OUTPUT_PATH- $env:SIGNED_OUTPUT_PATH" -Verbose - Copy-Item $env:BUILD_OUTPUT_PATH $env:SIGNED_OUTPUT_PATH -Recurse -Force - displayName: Copy unsigned files first - - - task: PkgESCodeSign@10 - displayName: 'CodeSign tools/releaseBuild/signing.xml' - env: - SYSTEM_ACCESSTOKEN: $(System.AccessToken) - inputs: - signConfigXml: tools/releaseBuild/signing.xml - inPathRoot: '$(BUILD_OUTPUT_PATH)' - outPathRoot: '$(SIGNED_OUTPUT_PATH)' - condition: and(succeeded(), eq(variables['SHOULD_SIGN'], 'true')) + - pwsh: | + $modulePath = Join-Path -Path $env:AGENT_TEMPDIRECTORY -ChildPath 'TempModules' + if (Test-Path -Path $modulePath) { + Write-Verbose -Verbose "Deleting existing temp module path: $modulePath" + Remove-Item -Path $modulePath -Recurse -Force -ErrorAction Ignore + } + if (! 
(Test-Path -Path $modulePath)) { + Write-Verbose -Verbose "Creating new temp module path: $modulePath" + $null = New-Item -Path $modulePath -ItemType Directory + } + displayName: Create temporary module path - - task: PowerShell@1 - displayName: 'Create catalog file' - inputs: - scriptType: inlineScript - inlineScript: | - $signedDir = "$env:SIGNED_OUTPUT_PATH\PSDesiredStateConfiguration" - New-FileCatalog -CatalogFilePath "$env:SIGNED_OUTPUT_PATH\PSDesiredStateConfiguration\PSDesiredStateConfiguration.cat" -Path "$signedDir" - - - task: PkgESCodeSign@10 - displayName: 'CodeSign tools/releaseBuild/FileCatalogSigning.xml' - env: - SYSTEM_ACCESSTOKEN: $(System.AccessToken) - inputs: - signConfigXml: tools/releaseBuild/FileCatalogSigning.xml - inPathRoot: '$(SIGNED_OUTPUT_PATH)' - outPathRoot: '$(SIGNED_OUTPUT_PATH)' - condition: and(succeeded(), eq(variables['SHOULD_SIGN'], 'true')) + - pwsh: | + $modulePath = Join-Path -Path $env:AGENT_TEMPDIRECTORY -ChildPath 'TempModules' + Write-Verbose -Verbose "Install PowerShellGet V3 to temp module path" + Save-Module -Name PowerShellGet -Path $modulePath -MinimumVersion 3.0.0-beta10 -AllowPrerelease -Force + Write-Verbose -Verbose "Install PlatyPS to temp module path" + Save-Module -Name "platyPS" -Path $modulePath -Force + Write-Verbose -Verbose "Install PSScriptAnalyzer to temp module path" + Save-Module -Name "PSScriptAnalyzer" -Path $modulePath -RequiredVersion 1.18.0 -Force + Write-Verbose -Verbose "Install Pester 4.X to temp module path" + Save-Module -Name "Pester" -MaximumVersion 4.99 -Path $modulePath -Force + Write-Verbose -Verbose "Install PSPackageProject to temp module path" + Save-Module -Name PSPackageProject -Path $modulePath -Force + displayName: Install PSPackageProject and dependencies - - task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0 - displayName: 'Component Detection' + - pwsh: | + $modulePath = Join-Path -Path 
$env:AGENT_TEMPDIRECTORY -ChildPath 'TempModules' + $env:PSModulePath = $modulePath + [System.IO.Path]::PathSeparator + $env:PSModulePath + $modPath = Join-Path -Path $modulePath -ChildPath PSPackageProject + Write-Verbose -Verbose "Importing PSPackageProject from: $modPath" + Import-Module -Name $modPath -Force + # + $(Build.SourcesDirectory)/build.ps1 -Build -Clean + displayName: Execute build - - task: AntiMalware@3 - inputs: - InputType: 'Basic' - ScanType: 'CustomScan' - FileDirPath: '$(SIGNED_OUTPUT_PATH)' - EnableServices: false - SupportLogOnError: false - TreatSignatureUpdateFailureAs: 'Warning' - SignatureFreshness: 'UpToDate' - TreatStaleSignatureAs: 'Error' - - - task: PoliCheck@1 - condition: succeededOrFailed() - inputs: - targetType: F - optionsFC: 0 - optionsXS: 0 - optionsPE: '1|2|3|4' - optionsHMENABLE: 0 - optionsFTPATH: '$(Build.SourcesDirectory)\tools\terms\FileTypeSet.xml' - - - task: CredScan@2 - condition: succeededOrFailed() + - pwsh: | + $signSrcPath = "$(Build.SourcesDirectory)\out\PSDesiredStateConfiguration" + # Set signing src path variable + $vstsCommandString = "vso[task.setvariable variable=signSrcPath]${signSrcPath}" + Write-Host "sending " + $vstsCommandString + Write-Host "##$vstsCommandString" + $signOutPath = "$(Build.SourcesDirectory)\signed\PSDesiredStateConfiguration" + $null = New-Item -ItemType Directory -Path $signOutPath + # Set signing out path variable + $vstsCommandString = "vso[task.setvariable variable=signOutPath]${signOutPath}" + Write-Host "sending " + $vstsCommandString + Write-Host "##$vstsCommandString" + # Set path variable for guardian codesign validation + $vstsCommandString = "vso[task.setvariable variable=GDN_CODESIGN_TARGETDIRECTORY]${signOutPath}" + Write-Host "sending " + $vstsCommandString + Write-Host "##$vstsCommandString" + displayName: Setup variables for signing + + - template: EsrpSign.yml@ComplianceRepo + parameters: + # the folder which contains the binaries to sign + buildOutputPath: 
$(signSrcPath) + # the location to put the signed output + signOutputPath: $(signOutPath) + # the certificate ID to use + certificateId: "CP-230012" + # the file pattern to use, comma separated + pattern: '*.psm1,*.psd1' - # Publish results as artifacts - - task: PublishSecurityAnalysisLogs@3 - condition: succeededOrFailed() - inputs: - ArtifactName: 'CodeAnalysisLogs' - ArtifactType: 'Container' - - # Publish to TSA server - # - task: TSAUpload@1 - # condition: succeededOrFailed() - # continueOnError: true - # inputs: - # tsaVersion: 'TsaV2' - # codebase: 'Existing' - # tsaEnvironment: 'PROD' - # codeBaseName: 'PSDesiredStateConfiguration_20190828' - # uploadAPIScan: false - # uploadBinSkim: false - # uploadCredScan: true - # uploadFortifySCA: false - # uploadFxCop: false - # uploadModernCop: false - # uploadPoliCheck: true - # uploadPREfast: false - # uploadRoslyn: false - # uploadTSLint: false - # uploadAsync: true + - pwsh: | + $repoName = [guid]::newGuid().ToString("N") + $packageRoot = "$(Build.SourcesDirectory)\signed\PSDesiredStateConfiguration" + Register-PSRepository -Name $repoName -SourceLocation $packageRoot -InstallationPolicy Trusted + Publish-Module -Path $packageRoot -Repository $repoName + Unregister-PSRepository -Name $repoName + Get-ChildItem -Recurse -Path $packageRoot | Write-Verbose -Verbose + $nupkgPath = (Get-ChildItem -Recurse -Path $packageRoot -Filter "PSDesiredStateConfiguration*.nupkg" | select -First 1).FullName + Write-Host "##vso[artifact.upload containerfolder=nupkg;artifactname=nupkg]$nupkgPath" + displayName: Package and publish nupkg + name: ProduceNupkg + + - publish: "$(signSrcPath)" + artifact: Build + displayName: Publish build + + - publish: "$(signOutPath)" + artifact: SignedBuild + displayName: Publish signed build + +- stage: Compliance + displayName: Compliance + dependsOn: Build + jobs: + - job: Compliance_Job + pool: + name: Package ES CodeHub Lab E + steps: + - checkout: self + - checkout: ComplianceRepo + - 
download: current + artifact: SignedBuild - pwsh: | - $(Build.SourcesDirectory)/build.ps1 -Publish -Signed - displayName: Publish - timeoutInMinutes: 10 + Get-ChildItem -Path "$(Pipeline.Workspace)\SignedBuild" -Recurse + displayName: Capture downloaded artifacts + - template: script-module-compliance.yml@ComplianceRepo + parameters: + # component-governance + sourceScanPath: '$(Pipeline.Workspace)\SignedBuild' + # credscan + suppressionsFile: '' + # TermCheck + optionsRulesDBPath: '' + optionsFTPath: '' + # tsa-upload + codeBaseName: 'PSDesiredStateConfiguration_20210423' + # selections + APIScan: false # set to false when not using Windows APIs. + +- stage: Deploy + displayName: Publish to PowerShell gallery + dependsOn: + - Build + - Compliance + jobs: + - deployment: DeployPowerShellGallery + displayName: Deploy nupkg to PowerShell Gallery + pool: + vmImage: windows-latest + environment: 'PSDesiredStateConfiguration-ReleaseApproval' + strategy: + runOnce: + deploy: + steps: + - download: current + artifact: 'nupkg' + - task: NuGetToolInstaller@1 + displayName: 'Install NuGet 5.9.1' + inputs: + checkLatest: false + version: 5.9.1 + - task: NuGetCommand@2 + displayName: 'NuGet push' + inputs: + command: push + packagesToPush: '$(Pipeline.Workspace)\nupkg\PSDesiredStateConfiguration.*.nupkg' + nuGetFeedType: external + publishFeedCredentials: 'PowerShellGallery' \ No newline at end of file diff --git a/azure-pipelines.yml b/azure-pipelines.yml deleted file mode 100644 index aa91291..0000000 --- a/azure-pipelines.yml +++ /dev/null 
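Review bot: The `Install PSPackageProject and dependencies` step pulls PowerShellGet (`-MinimumVersion 3.0.0-beta10 -AllowPrerelease`), platyPS, Pester (`-MaximumVersion 4.99`) and PSPackageProject from the default gallery without a `-RequiredVersion`, so the module set that executes inside the signing/release build floats with whatever the gallery serves on the day, and only PSScriptAnalyzer is pinned (the Build job's step list begins above this hunk). Pinning each to an exact version, e.g. `Save-Module -Name PSPackageProject -Path $modulePath -RequiredVersion <PINNED_VERSION> -Force` with the placeholder filled per module, makes release builds reproducible and narrows the window in which a compromised or yanked upstream release could reach the signed artifact. In `Package and publish nupkg`, `$nupkgPath` comes from `select -First 1` with no check, so an empty result emits `##vso[artifact.upload ...]` with a blank path and the failure only surfaces at `NuGet push` in the Deploy stage; add `if (-not $nupkgPath) { throw "No PSDesiredStateConfiguration nupkg found under $packageRoot" }` before the upload line. `Write-Host "sending " + $vstsCommandString` (three occurrences in `Setup variables for signing`) passes `+` as a separate argument and prints `sending  + vso[...]`; `Write-Host "sending $vstsCommandString"` is what was meant. The removed PoliCheck task carried `optionsFTPATH: '$(Build.SourcesDirectory)\tools\terms\FileTypeSet.xml'` while the new `script-module-compliance.yml@ComplianceRepo` call passes `optionsFTPath: ''`, so unless the template's default covers the repo's term-check file types that configuration is silently dropped — confirm and either pass the path or comment why it is no longer needed.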
@@ -1,19 +0,0 @@ -# Starter pipeline -# Start with a minimal pipeline that you can customize to build and deploy your code. -# Add steps that build, run tests, deploy, and more: -# https://aka.ms/yaml - -trigger: -- master - -pool: - vmImage: 'ubuntu-latest' - -steps: -- script: echo Hello, world! - displayName: 'Run a one-line script' - -- script: | - echo Add other tasks to build, test, and deploy your project. - echo See https://aka.ms/yaml - displayName: 'Run a multi-line script'