OfficialBuild.yml
# Copyright (c) Microsoft Corporation.
# Licensed under the MIT License.
# https://aka.ms/yaml
#
# Official build to produce versioned and signed VSIX
variables:
  # Code-sign validation injection settings; see https://aka.ms/gdn-injection
  # Target directory for the validation (Windows-style path).
  GDN_CODESIGN_TARGETDIRECTORY: '$(Build.SourcesDirectory)\out\packages'
  # JavaScript files are not code-signed, so they are excluded.
  GDN_CODESIGN_EXCLUSIONS: 'f|**/*.js'
  runCodesignValidationInjection: true
  # ESRP still fails to sign the AzDevOps task extension .vsix, so the
  # validation is kept non-breaking for now.
  # NOTE(review): presumably a failed signature check is then only reported
  # and does not fail the build -- confirm, and switch this to true once
  # ESRP signing of the .vsix works.
  breakCodesignValidationInjection: false

# Set the following in the pipeline's web UI editor. GITHUB_TOKEN and
# AZ_DevOps_Read_PAT hold credentials, so store them as secret variables:
#   GITHUB_TOKEN        GitHub PAT with scopes: repo; must have SSO enabled
#                       for GH org 'microsoft' for corp user
#   AZ_DevOps_Read_PAT  PAT to read from AzDO feed in msazure
#   isEsrpEnabled       true/false

# No CI trigger; a release/* branch filter is kept here commented out.
trigger: none
# - release/*

# PR loops only via GH workflows
pr: none

pool:
  vmImage: 'windows-latest'
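steps:
# Check out this repository, including Git LFS objects.
- checkout: self
  lfs: true

# NOTE(review): Node.js 16 is past its upstream end-of-life; confirm whether
# the toolchain can move to a supported LTS line.
- task: NodeTool@0
  displayName: 'Use nodejs 16.x'
  inputs:
    versionSpec: '16.x'

# Record tool versions in the build log for later diagnosis.
- script: |
    node --version
    npm --version
    git --version
  displayName: Toolchain info

# need to authenticate to npm package feed in microsoft/powerplatform-cli-wrapper (see also README.md)
# NOTE(review): the service connection name suggests it is tied to an
# individual account -- confirm it is backed by a team/service identity with
# read-only package scope.
- task: npmAuthenticate@0
  displayName: 'setup package feed authN with github'
  inputs:
    workingFile: .npmrc
    customEndpoint: github.com_npm_davidjenni

# `npm ci` installs exactly what the lockfile pins.
- task: Npm@1
  displayName: 'Restore (npm install)'
  inputs:
    command: custom
    customCommand: ci

# authN for pushing tags via release-it
# NOTE(review): the token is handed over as a command-line argument. Secret
# variables are masked in pipeline logs, but arguments can still surface in
# process listings or in anything the npm script echoes. Prefer passing it
# through the step's `env:` mapping if set-git-authn can read an environment
# variable.
- task: Npm@1
  displayName: 'set git repo authN'
  inputs:
    command: custom
    customCommand: run set-git-authn -- "$(GITHUB_TOKEN)"

- task: Npm@1
  displayName: 'set-version to calculate patch-version with release-it'
  inputs:
    command: custom
    customCommand: run set-version

# The PAT is quoted, matching the GITHUB_TOKEN step, so the value always
# reaches the script as a single argument. The command-line exposure caveat
# noted on the set-git-authn step applies here as well.
- task: Npm@1
  displayName: 'Build and prepare-pack'
  inputs:
    command: custom
    customCommand: run prepare-pack -- --feedPAT "$(AZ_DevOps_Read_PAT)"

- task: Npm@1
  displayName: 'Package VSIX'
  inputs:
    command: custom
    customCommand: run pack -- --isOfficial

# https://microsoft.sharepoint.com/teams/prss/esrp/info/ESRP%20Onboarding%20Wiki/Generating%20Signing%20JSON.aspx
# https://microsoft.sharepoint.com/teams/prss/esrp/info/ESRP%20Onboarding%20Wiki/Selecting%20CodeSign%20Certificates.aspx
# Signs, then verifies, every *.vsix in out/packages. The step is skipped
# unless the isEsrpEnabled pipeline variable is true, in which case the
# packages stay unsigned.
- task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
  displayName: 'ESRP sign vsix packages'
  condition: and(succeeded(), eq(variables['isEsrpEnabled'], true))
  inputs:
    ConnectedServiceName: ESRPCodeSigningConnection
    FolderPath: 'out/packages'
    Pattern: '*.vsix'
    signConfigType: inlineSignParams
    inlineOperation: |
      [
        {
          "KeyCode": "CP-233016",
          "OperationCode": "OpcSign",
          "Parameters": {
            "FileDigest": "/fd SHA256"
          },
          "ToolName": "sign",
          "ToolVersion": "1.0"
        },
        {
          "KeyCode": "CP-233016",
          "OperationCode": "OpcVerify",
          "Parameters": {},
          "ToolName": "sign",
          "ToolVersion": "1.0"
        }
      ]
    ServiceEndpointUrl: 'https://api.esrp.microsoft.com/api/v1'

# Generates the SBOM manifest for the contents of out/packages.
- task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0
  displayName: 'SBOM Generation Task'
  inputs:
    BuildDropPath: out/packages

# Runs even when an earlier step failed (condition: always()), and the ESRP
# step above may have been skipped, so this artifact can hold unsigned or
# incomplete packages.
# NOTE(review): downstream release stages should verify the VSIX signature
# instead of trusting the artifact's presence.
- task: PublishBuildArtifacts@1
  displayName: 'Publish packages'
  condition: always()
  inputs:
    PathtoPublish: out/packages
    ArtifactName: packages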