Updated for https://dev.azure.com/office/35d89fa2-df50-4442-9cb8-cc86… #97
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This pipeline will be triggered manually. | |
| parameters: | |
| - name: version | |
| type: string | |
| - name: prerelease | |
| displayName: Prerelease? | |
| type: boolean | |
| default: true | |
| - name: buildConfigs | |
| type: object | |
| default: | |
| - pool: | |
| name: Azure-Pipelines-1ESPT-ExDShared | |
| image: windows-latest | |
| os: windows | |
| runtime: win-x64 | |
| archiveExt: zip | |
| - pool: | |
| name: Azure Pipelines | |
| image: macOS-latest | |
| os: macOS | |
| runtime: osx-x64 | |
| archiveExt: tar.gz | |
| - pool: | |
| name: Azure Pipelines | |
| image: macOS-latest | |
| os: macOS | |
| runtime: osx-arm64 | |
| archiveExt: tar.gz | |
| variables: | |
| - name: tags | |
| value: "production" | |
| readonly: true | |
| - name: pythonVersion | |
| value: 3.10 | |
| readonly: true | |
| - name: artifactsPath | |
| value: $(Build.ArtifactStagingDirectory)/azureauth-${{ parameters.version }} | |
| readonly: true | |
| trigger: none | |
| pr: none | |
| resources: | |
| repositories: | |
| - repository: OfficePipelineTemplates | |
| type: git | |
| name: 1ESPipelineTemplates/OfficePipelineTemplates | |
| ref: refs/tags/release | |
| extends: | |
| template: v1/Office.Official.PipelineTemplate.yml@OfficePipelineTemplates | |
| parameters: | |
| pool: | |
| name: Azure-Pipelines-1ESPT-ExDShared | |
| image: ubuntu-latest | |
| os: linux | |
| sdl: | |
| sourceAnalysisPool: | |
| name: Azure-Pipelines-1ESPT-ExDShared | |
| image: windows-latest | |
| os: windows | |
| # This prevents auto-injected Roslyn task from running the build again. | |
| roslyn: | |
| copyLogsOnly: true | |
| stages: | |
| - stage: validate | |
| displayName: Validate | |
| jobs: | |
| - job: validate | |
| displayName: Validate | |
| steps: | |
| - checkout: self | |
| - task: UsePythonVersion@0 | |
| displayName: Use Python $(pythonVersion) | |
| inputs: | |
| versionSpec: $(pythonVersion) | |
| - task: Bash@3 | |
| inputs: | |
| targetType: inline | |
| script: | | |
| echo ${{ parameters.version }} | python ./bin/version.py | |
| - stage: build | |
| displayName: Build | |
| jobs: | |
| - ${{ each config in parameters.buildConfigs }}: | |
| - job: build_${{ replace(config.runtime,'-', '_') }} | |
| displayName: Building for ${{ config.runtime }} on ${{ config.pool.name }} | |
| pool: | |
| name: ${{ config.pool.name }} | |
| image: ${{ config.pool.image }} | |
| os: ${{ config.pool.os }} | |
| templateContext: | |
| outputs: | |
| - output: pipelineArtifact | |
| targetPath: dist/${{ config.runtime }} | |
| artifactName: azureauth-${{ parameters.version }}-${{ config.runtime }} | |
| steps: | |
| - checkout: self | |
| - task: UseDotNet@2 | |
| displayName: Use .NET Core sdk 8.x | |
| inputs: | |
| version: 8.x | |
| - task: NuGetToolInstaller@0 | |
| displayName: Use NuGet 6.x | |
| inputs: | |
| versionSpec: 6.x | |
| - task: DotNetCoreCLI@2 | |
| displayName: Install dependencies | |
| inputs: | |
| command: restore | |
| feedsToUse: select | |
| vstsFeed: $(VSTS_FEED_ID) | |
| includeNuGetOrg: false | |
| arguments: --runtime ${{ config.runtime }} | |
| # 1ES PT requires explicit build task for Roslyn analysis. Auto-injected Roslyn task will use build logs from this build. | |
| - task: DotNetCoreCLI@2 | |
| displayName: Build projects | |
| env: | |
| ADO_TOKEN: $(System.AccessToken) | |
| inputs: | |
| command: 'build' | |
| projects: '**/*.csproj' | |
| - task: DotNetCoreCLI@2 | |
| displayName: Test | |
| inputs: | |
| command: test | |
| arguments: --configuration release --no-restore | |
| - task: DotNetCoreCLI@2 | |
| displayName: Build artifacts | |
| env: | |
| ADO_TOKEN: $(System.AccessToken) | |
| inputs: | |
| command: publish | |
| projects: src/AzureAuth/AzureAuth.csproj | |
| arguments: -p:Version=${{ parameters.version }} --configuration release --self-contained true --runtime ${{ config.runtime }} --output dist/${{ config.runtime }} | |
| publishWebProjects: false | |
| zipAfterPublish: false | |
| modifyOutputPath: true | |
| - stage: sign | |
| displayName: Sign | |
| dependsOn: build | |
| jobs: | |
| - ${{ each config in parameters.buildConfigs }}: | |
| - job: sign_${{ replace(config.runtime,'-', '_') }} | |
| displayName: Signing ${{ config.runtime }} | |
| pool: | |
| name: Azure-Pipelines-1ESPT-ExDShared | |
| image: windows-latest | |
| os: windows | |
| templateContext: | |
| sdl: | |
| suppression: | |
| suppressionFile: $(Build.SourcesDirectory)\.config\guardian\SDL\.gdnsuppress | |
| inputs: | |
| - input: pipelineArtifact | |
| artifactName: azureauth-${{ parameters.version }}-${{ config.runtime }} | |
| targetPath: $(artifactsPath)-${{ config.runtime }} | |
| outputs: | |
| - output: pipelineArtifact | |
| artifactName: azureauth-${{ parameters.version }}-${{ config.runtime }}-signed | |
| targetPath: $(artifactsPath)-${{ config.runtime }}-signed | |
| steps: | |
| - task: EsrpCodeSigning@5 | |
| displayName: Sign artifacts win-x64 | |
| condition: eq('${{ config.runtime }}', 'win-x64') | |
| inputs: | |
| ConnectedServiceName: $(ESRP_KV_SERVICE_CONNECTION) | |
| AppRegistrationClientId: $(SIGNING_AAD_ID) | |
| AppRegistrationTenantId: $(SIGNING_TENANT_ID) | |
| AuthAKVName: $(AZURE_VAULT) | |
| AuthCertName: $(AZURE_VAULT_ESRP_AAD_CERT_NAME) | |
| AuthSignCertName: $(AZURE_VAULT_ESRP_REQ_CERT_NAME) | |
| FolderPath: $(artifactsPath)-${{ config.runtime }}/AzureAuth | |
| Pattern: '*.dll,*.exe' | |
| signConfigType: 'inlineSignParams' | |
| inlineOperation: | | |
| [ | |
| { | |
| "KeyCode": "$(SIGNING_KEY_CODE_AUTHENTICODE)", | |
| "OperationCode": "SigntoolSign", | |
| "ToolName": "sign", | |
| "ToolVersion": "1.0", | |
| "Parameters": { | |
| "OpusName": "Microsoft", | |
| "OpusInfo": "https://www.microsoft.com", | |
| "FileDigest": "/fd SHA256", | |
| "PageHash": "/NPH", | |
| "TimeStamp": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" | |
| } | |
| }, | |
| { | |
| "KeyCode": "$(SIGNING_KEY_CODE_AUTHENTICODE)", | |
| "OperationCode": "SigntoolVerify", | |
| "ToolName": "sign", | |
| "ToolVersion": "1.0", | |
| "Parameters": {} | |
| } | |
| ] | |
| SessionTimeout: '60' | |
| MaxConcurrency: '50' | |
| MaxRetryAttempts: '5' | |
| PendingAnalysisWaitTimeoutMinutes: '5' | |
| # We need to zip the artifacts for osx before sending to ESRP for signing. | |
| - task: ArchiveFiles@2 | |
| displayName: Codesigning - zip artifacts to send to ESRP | |
| condition: startsWith('${{ config.runtime }}', 'osx') | |
| inputs: | |
| rootFolderOrFile: $(artifactsPath)-${{ config.runtime }} | |
| includeRootFolder: false | |
| archiveType: zip | |
| archiveFile: $(artifactsPath)-${{ config.runtime }}.zip | |
| - task: EsrpCodeSigning@5 | |
| displayName: Sign artifacts osx | |
| condition: startsWith('${{ config.runtime }}', 'osx') | |
| inputs: | |
| ConnectedServiceName: $(ESRP_KV_SERVICE_CONNECTION) | |
| AppRegistrationClientId: $(SIGNING_AAD_ID) | |
| AppRegistrationTenantId: $(SIGNING_TENANT_ID) | |
| AuthAKVName: $(AZURE_VAULT) | |
| AuthCertName: $(AZURE_VAULT_ESRP_AAD_CERT_NAME) | |
| AuthSignCertName: $(AZURE_VAULT_ESRP_REQ_CERT_NAME) | |
| FolderPath: $(Build.ArtifactStagingDirectory) | |
| Pattern: 'azureauth-${{ parameters.version }}-${{ config.runtime }}.zip' | |
| signConfigType: 'inlineSignParams' | |
| inlineOperation: | | |
| [ | |
| { | |
| "KeyCode": "$(SIGNING_KEY_CODE_MAC)", | |
| "OperationCode": "MacAppDeveloperSign", | |
| "ToolName": "sign", | |
| "ToolVersion": "1.0", | |
| "Parameters": {} | |
| }, | |
| { | |
| "KeyCode": "$(SIGNING_KEY_CODE_MAC)", | |
| "OperationCode": "SigntoolVerify", | |
| "ToolName": "sign", | |
| "ToolVersion": "1.0", | |
| "Parameters": {} | |
| } | |
| ] | |
| SessionTimeout: '60' | |
| MaxConcurrency: '50' | |
| MaxRetryAttempts: '5' | |
| PendingAnalysisWaitTimeoutMinutes: '5' | |
| - task: ExtractFiles@1 | |
| displayName: Extract signed artifacts osx | |
| condition: startsWith('${{ config.runtime }}', 'osx') | |
| inputs: | |
| archiveFilePatterns: $(artifactsPath)-${{ config.runtime }}.zip | |
| destinationFolder: $(artifactsPath)-${{ config.runtime }} | |
| cleanDestinationFolder: true | |
| overwriteExistingFiles: true | |
| # We rename the signed artifacts to avoid conflicts with the unsigned pipeline artifacts from the previous stage. | |
| - task: PowerShell@2 | |
| displayName: Rename signed artifacts | |
| inputs: | |
| workingDirectory: $(Build.ArtifactStagingDirectory) | |
| targetType: 'inline' | |
| script: | | |
| mv "azureauth-${{ parameters.version }}-${{ config.runtime }}" "azureauth-${{ parameters.version }}-${{ config.runtime }}-signed" | |
| # Currently we package artifacts into the most commonly accessible archive format for their respective platforms. | |
| - stage: package | |
| displayName: Package | |
| dependsOn: sign | |
| jobs: | |
| - job: package | |
| displayName: Package | |
| pool: | |
| name: Azure-Pipelines-1ESPT-ExDShared | |
| image: ubuntu-latest | |
| os: linux | |
| templateContext: | |
| inputs: | |
| - ${{ each config in parameters.buildConfigs }}: | |
| - input: pipelineArtifact | |
| artifactName: azureauth-${{ parameters.version }}-${{ config.runtime }}-signed | |
| targetPath: $(artifactsPath)-${{ config.runtime }}-signed | |
| outputs: | |
| - output: pipelineArtifact | |
| artifactName: azureauth-${{ parameters.version }}-packaged | |
| targetPath: $(artifactsPath)-packaged | |
| steps: | |
| - task: PowerShell@2 | |
| displayName: Create directory to place packaged artifacts | |
| inputs: | |
| workingDirectory: $(Build.ArtifactStagingDirectory) | |
| targetType: 'inline' | |
| script: | | |
| mkdir azureauth-${{ parameters.version }}-packaged | |
| - task: ArchiveFiles@2 | |
| displayName: Create win-x64 archive | |
| inputs: | |
| rootFolderOrFile: $(artifactsPath)-win-x64-signed/AzureAuth | |
| includeRootFolder: false | |
| archiveType: zip | |
| archiveFile: $(artifactsPath)-packaged/azureauth-${{ parameters.version }}-win-x64.zip | |
| - task: Bash@3 | |
| displayName: Prepare osx-x64 executables | |
| inputs: | |
| targetType: inline | |
| workingDirectory: $(Build.ArtifactStagingDirectory) | |
| script: | | |
| cd azureauth-${{ parameters.version }}-osx-x64-signed/AzureAuth | |
| chmod +x azureauth createdump *.dylib | |
| - task: ArchiveFiles@2 | |
| displayName: Create osx-x64 archive | |
| inputs: | |
| rootFolderOrFile: $(artifactsPath)-osx-x64-signed/AzureAuth | |
| includeRootFolder: false | |
| archiveType: tar | |
| tarCompression: gz | |
| archiveFile: $(artifactsPath)-packaged/azureauth-${{ parameters.version }}-osx-x64.tar.gz | |
| - task: Bash@3 | |
| displayName: Prepare osx-arm64 executables | |
| inputs: | |
| workingDirectory: $(Build.ArtifactStagingDirectory) | |
| targetType: inline | |
| script: | | |
| cd azureauth-${{ parameters.version }}-osx-arm64-signed/AzureAuth | |
| chmod +x azureauth createdump *.dylib | |
| - task: ArchiveFiles@2 | |
| displayName: Create osx-arm64 archive | |
| inputs: | |
| rootFolderOrFile: $(artifactsPath)-osx-arm64-signed/AzureAuth | |
| includeRootFolder: false | |
| archiveType: tar | |
| tarCompression: gz | |
| archiveFile: $(artifactsPath)-packaged/azureauth-${{ parameters.version }}-osx-arm64.tar.gz | |
| - stage: release | |
| displayName: Release | |
| dependsOn: package | |
| jobs: | |
| - job: approval | |
| displayName: Manual Approval | |
| pool: server | |
| timeoutInMinutes: 5760 # job times out in 4 days | |
| steps: | |
| - task: ManualValidation@0 | |
| timeoutInMinutes: 4320 # task times out in 3 days | |
| inputs: | |
| notifyUsers: $(REVIEWER) | |
| instructions: 'Review the AzureAuth GitHub Release.' | |
| - job: release | |
| displayName: Release | |
| dependsOn: approval | |
| pool: | |
| name: Azure-Pipelines-1ESPT-ExDShared | |
| image: ubuntu-latest | |
| os: linux | |
| templateContext: | |
| inputs: | |
| - input: pipelineArtifact | |
| artifactName: azureauth-${{ parameters.version }}-packaged | |
| targetPath: $(artifactsPath)-packaged | |
| steps: | |
| - task: GitHubRelease@1 | |
| displayName: Create AzureAuth GitHub Release | |
| inputs: | |
| gitHubConnection: $(GITHUB_RELEASE_SERVICE_CONNECTION) | |
| repositoryName: 'AzureAD/microsoft-authentication-cli' | |
| action: 'create' | |
| target: $(Build.SourceVersion) | |
| tagSource: 'userSpecifiedTag' | |
| tag: ${{ parameters.version }} | |
| isPrerelease: ${{ parameters.prerelease }} | |
| isDraft: false | |
| addChangeLog: false | |
| releaseNotesSource: 'inline' | |
| releaseNotesInline: "Release ${{ parameters.version }}. See [`CHANGELOG.md`](https://github.com/AzureAD/microsoft-authentication-cli/blob/${{ parameters.version }}/CHANGELOG.md) for updates." | |
| assets: | | |
| $(artifactsPath)-packaged/azureauth-${{ parameters.version }}-win-x64.zip | |
| $(artifactsPath)-packaged/azureauth-${{ parameters.version }}-osx-x64.tar.gz | |
| $(artifactsPath)-packaged/azureauth-${{ parameters.version }}-osx-arm64.tar.gz |