adding Azure DevOps official build with ESRP signing (microsoft#61)

* adding Azure DevOps official build with ESRP signing * need to bootstrap GH package authN before npm install Co-authored-by: david@DAVID-PC <[email protected]>
eleung83 · Mar 18, 2022 · 1cb4701 · 1cb4701
1 parent 0f2b469
commit 1cb4701
Show file tree

Hide file tree

Showing 9 changed files with 721 additions and 746 deletions.
diff --git a/.azure-pipelines/OfficialBuild.yml b/.azure-pipelines/OfficialBuild.yml
@@ -0,0 +1,118 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+# https://aka.ms/yaml
+#
+# Official build to produce versioned and signed VSIX
+
+variables:
+  # https://aka.ms/gdn-injection
+  GDN_CODESIGN_TARGETDIRECTORY: "$(Build.SourcesDirectory)\\out\\packages"
+  # no codesigning for JavaScript:
+  GDN_CODESIGN_EXCLUSIONS: "f|**/*.js"
+  runCodesignValidationInjection: true
+  breakCodesignValidationInjection: true
+  #
+  # set the following in the pipeline's web UI editor:
+  # GITHUB_TOKEN        # GitHub PAT with scopes: repo; must have SSO enabled for GH org 'microsoft' for corp user
+  # AZ_DevOps_Read_PAT  # PAT to read from AzDO feed in msazure
+  # VSIX_PATCH_VERSION   # VSIX package's patch version; must be manually managed for now!
+
+trigger: none
+#   - release/*
+
+# PR loops only via GH workflows
+pr: none
+
+pool:
+  vmImage: 'windows-latest'
+
+steps:
+- script: echo "##vso[build.updatebuildnumber]0.1.$(VSIX_PATCH_VERSION)
+  displayName: Set AzDO Job/Build version
+
+# - script: mkdir package && echo $(VSIX_VERSION),$(Build.SourceVersion) > package/version.csv
+#   displayName: Capture build version in package/version.csv
+
+- task: NodeTool@0
+  displayName: 'Use nodejs 16.x'
+  inputs:
+    versionSpec: '16.x'
+
+# need to authenticate to npm package feed in microsoft/powerplatform-cli-wrapper (see also README.md)
+- task: npmAuthenticate@0
+  displayName: 'setup package feed authN with github'
+  inputs:
+    workingFile: .npmrc
+    customEndpoint: github.com_npm_davidjenni
+
+- task: Npm@1
+  displayName: 'set git repo authN'
+  inputs:
+    command: custom
+    customCommand: run set-git-authn -- "$(GITHUB_TOKEN)"
+
+- task: Npm@1
+  displayName: 'Restore (npm install)'
+  inputs:
+    command: custom
+    customCommand: ci
+
+# - task: Npm@1
+#   displayName: 'auto-increment version'
+#   inputs:
+#     command: custom
+#     customCommand: run increment-version
+
+- task: Npm@1
+  displayName: 'Build'
+  inputs:
+    command: custom
+    customCommand: run prepare-pack -- --feedPAT $(AZ_DevOps_Read_PAT)
+
+- task: Npm@1
+  displayName: 'Package VSIX'
+  inputs:
+    command: custom
+    customCommand: run pack -- --patch $(VSIX_PATCH_VERSION) --isOfficial
+
+# https://microsoft.sharepoint.com/teams/prss/esrp/info/ESRP%20Onboarding%20Wiki/Generating%20Signing%20JSON.aspx
+# https://microsoft.sharepoint.com/teams/prss/esrp/info/ESRP%20Onboarding%20Wiki/Selecting%20CodeSign%20Certificates.aspx
+- task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
+  displayName: 'ESRP sign vsix packages'
+  inputs:
+    ConnectedServiceName: ESRPCodeSigningConnection
+    FolderPath: 'out/packages'
+    Pattern: '*.vsix'
+    signConfigType: inlineSignParams
+    inlineOperation: |
+      [
+        {
+          "KeyCode": "CP-233016",
+          "OperationCode": "OpcSign",
+          "Parameters": {
+              "FileDigest": "/fd SHA256"
+          },
+          "ToolName": "sign",
+          "ToolVersion": "1.0"
+        },
+        {
+          "KeyCode": "CP-233016",
+          "OperationCode": "OpcVerify",
+          "Parameters": {},
+          "ToolName": "sign",
+          "ToolVersion": "1.0"
+        }
+      ]
+    ServiceEndpointUrl: 'https://api.esrp.microsoft.com/api/v1'
+
+- task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0
+  displayName: 'SBOM Generation Task'
+  inputs:
+    BuildDropPath: out/packages
+
+- task: PublishBuildArtifacts@1
+  displayName: 'Publish packages'
+  condition: always()
+  inputs:
+    PathtoPublish: out/packages
+    ArtifactName: packages
diff --git a/.vscode/extensions.json b/.vscode/extensions.json
@@ -3,7 +3,6 @@
     "editorconfig.editorconfig",
     "davidanson.vscode-markdownlint",
     "eamodio.gitlens",
-    "github.vscode-pull-request-github",
     "me-dutour-mathieu.vscode-github-actions",
     "ms-azure-devops.azure-pipelines"
   ]

diff --git a/.vscode/launch.json b/.vscode/launch.json
@@ -66,7 +66,8 @@
       "program": "${workspaceFolder}/node_modules/gulp/bin/gulp.js",
       "cwd": "${workspaceFolder}",
       "args": [
-        "recompile"
+        "pack",
+        "--patch", "42"
       ],
       "skipFiles": [
         "<node_internals>/**"

diff --git a/gulp/lib/nugetInstall.js b/gulp/lib/nugetInstall.js
@@ -3,6 +3,7 @@ const { chmod } = require("fs-extra");
 const fetch = require("node-fetch");
 const path = require("path");
 const unzip = require("unzip-stream");
+const argv = require('yargs').argv;
 
 module.exports = async function nugetInstall(feed, package) {
   const packageName = package.name.toLowerCase();
@@ -18,10 +19,10 @@ module.exports = async function nugetInstall(feed, package) {
     redirect: "manual",
   };
   if (feed.authenticated) {
-    const readPAT = process.env[feed.patEnvironmentVariable];
+    const readPAT = argv.feedPAT || process.env[feed.patEnvironmentVariable];
     if (!readPAT) {
       throw new Error(
-        `nuget feed ${feed.name} requires authN but env var '${feed.patEnvironmentVariable}' was not defined!`
+        `nuget feed ${feed.name} requires authN but env var '${feed.patEnvironmentVariable}' was not defined! Alt: pass in as argument --feedPAT <PAT>`
       );
     }
     reqInit.headers["Authorization"] = `Basic ${Buffer.from(

diff --git a/gulp/pack.js b/gulp/pack.js
@@ -1,7 +1,6 @@
 const { mkdir, pathExists, copy, existsSync, writeJsonSync } = require("fs-extra");
 const createTfxRunner = require("./lib/createTfxRunner");
-const { argv } = require("process");
-const { ArgumentParser } = require("argparse");
+const argv = require('yargs').argv;
 const { createCommandRunner } = require("@microsoft/powerplatform-cli-wrapper");
 const { extract: extractTar } = require("tar");
 const find = require("find");
@@ -12,7 +11,7 @@ const outDir = 'out';
 const stagingDir = `${outDir}/staging`;
 const npmPackageDir = `${outDir}/npm-package`;
 const packagesDir = `${outDir}/packages`;
-const isOfficial = !!process.env.GITHUB_ACTIONS;
+const isOfficial = argv.isOfficial || false;
 
 module.exports = async () => {
   const manifest = require("../extension/extension-manifest.json");
@@ -87,22 +86,9 @@ function setVersion(manifest) {
   const currentVersionParts = manifest.version.split(".");
   const [currentMajor, currentMinor, currentPatch] = currentVersionParts;
 
-  const parser = new ArgumentParser();
-  parser.add_argument("--major", {
-    type: "int",
-    default: currentMajor,
-  });
-  parser.add_argument("--minor", {
-    type: "int",
-    default: currentMinor,
-  });
-  parser.add_argument("--patch", {
-    type: "int",
-    default: currentPatch,
-  });
-
-  const gulpArgs = argv.slice(3);
-  const { major, minor, patch } = parser.parse_args(gulpArgs);
+  const major = argv.major || currentMajor;
+  const minor = argv.minor || currentMinor;
+  const patch = argv.patch || currentPatch;
 
   manifest.version = `${major}.${minor}.${patch}`;
   return {

diff --git a/gulpfile.js b/gulpfile.js
@@ -22,6 +22,7 @@ exports.lint = lint;
 exports.test = test.all;
 exports.unitTest = test.unitTest;
 exports.componentTest = test.componentTest;
+exports.preparePack = gulp.series(recompile, restore);
 exports.pack = pack;
 exports.ci = gulp.series(recompile, lint, restore, test.unitTest, pack, test.componentTest);
 exports.default = recompile;