.azure-pipelines/release.yml: add Windows release pipeline

mjcheetham · mjcheetham · commit 27fb194f3c36 · 2025-09-23T11:56:23.000+01:00
Add a release pipeline for Windows using Azure Pipelines.
ESRP code signing is currently incomplete, and not enabled by default.

This pipeline uses internal Microsoft 1ES templates.

Signed-off-by: Matthew John Cheetham &lt;mjcheetham@outlook.com&gt;
diff --git a/.azure-pipelines/release.yml b/.azure-pipelines/release.yml
@@ -0,0 +1,157 @@
+name: Release-$(Date:yyyyMMdd)$(Rev:.r)
+trigger: none
+pr: none
+
+resources:
+  repositories:
+    - repository: 1ESPipelines
+      type: git
+      name: 1ESPipelineTemplates/1ESPipelineTemplates
+      ref: refs/tags/release
+
+parameters:
+  - name: 'esrp'
+    type: boolean
+    default: false
+    displayName: 'Enable ESRP code signing'
+
+variables:
+  - name: 'esrpConnectionName'
+    value: 'ESRP-1ESGitClient'
+  - name: 'esrpEndpointUrl'
+    value: 'https://api.esrp.microsoft.com/api/v2'
+  - name: 'esrpClientId'
+    value: 'TODO'
+  - name: 'esrpTenantId'
+    value: 'TODO'
+  - name: 'esrpAuthAkvName'
+    value: 'TODO'
+  - name: 'esrpAuthCertName'
+    value: 'TODO'
+  - name: 'esrpAuthSignCertName'
+    value: 'TODO'
+
+extends:
+  template: v1/1ES.Official.PipelineTemplate.yml@1ESPipelines
+  parameters:
+    stages:
+      - stage: windows
+        displayName: 'Windows'
+        jobs:
+          - job: win_x86_build
+            displayName: 'Windows Build and Sign (x86)'
+            pool:
+              name: GitClient-1ESHostedPool-intel-pc
+              image: win-x86_64-ado1es
+              os: windows
+            templateContext:
+              outputs:
+                - output: pipelineArtifact
+                  targetPath: '$(Build.ArtifactStagingDirectory)/payload'
+                  artifactName: 'win-x86_payload'
+                - output: pipelineArtifact
+                  targetPath: '$(Build.ArtifactStagingDirectory)/installers'
+                  artifactName: 'win-x86_installers'
+            steps:
+              - checkout: self
+              - task: UseDotNet@2
+                displayName: 'Use .NET 8 SDK'
+                inputs:
+                  packageType: sdk
+                  version: '8.x'
+              - task: PowerShell@2
+                displayName: 'Build payload'
+                inputs:
+                  pwsh: true
+                  targetType: filePath
+                  filePath: '.\src\windows\Installer.Windows\layout.ps1'
+                  arguments: |
+                    -Configuration Release `
+                    -Output $(Build.ArtifactStagingDirectory)\payload `
+                    -SymbolOutput $(Build.ArtifactStagingDirectory)\symbols
+              - task: EsrpCodeSigning@5
+                condition: and(succeeded(), eq('${{ parameters.esrp }}', true))
+                displayName: 'Sign payload'
+                inputs:
+                  connectedServiceName: '$(esrpConnectionName)'
+                  appRegistrationClientId: '$(esrpClientId)'
+                  appRegistrationTenantId: '$(esrpTenantId)'
+                  authAkvName: '$(esrpAuthAkvName)'
+                  authCertName: '$(esrpAuthCertName)'
+                  authSignCertName: '$(esrpAuthSignCertName)'
+                  serviceEndpointUrl: '$(esrpEndpointUrl)'
+                  folderPath: '$(Build.ArtifactStagingDirectory)\payload'
+                  pattern: '**\*.exe;**\*.dll'
+                  signConfigType: inlineSignParams
+                  inlineOperation: |
+                    [
+                      {
+                         "keyCode": "TODO",
+                         "operationCode": "SigntoolSign"
+                         "parameters": {
+                            "OpusName": "Microsoft",
+                            "OpusInfo": "http://microsoft.com",
+                            "FileDigest": "/fd \"SHA256\"",
+                            "PageHash": "/NPH",
+                            "Timestamp": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256"
+                         },
+                         "toolName": "sign",
+                         "toolVersion": "1.0"
+                      },
+                      {
+                        "keyCode": "TODO",
+                        "operationCode": "SigntoolVerify",
+                        "parameters": {},
+                        "toolName": "sign",
+                        "toolVersion": "1.0"
+                      }
+                    ]
+              - task: PowerShell@2
+                displayName: 'Build installers'
+                inputs:
+                  pwsh: true
+                  targetType: inline
+                  script: |
+                    dotnet build '.\src\windows\Installer.Windows\Installer.Windows.csproj' `
+                      --configuration Release `
+                      --no-dependencies `
+                      -p:NoLayout=true `
+                      -p:PayloadPath="$(Build.ArtifactStagingDirectory)\payload"
+                      -p:OutputPath="$(Build.ArtifactStagingDirectory)\installers"
+              - task: EsrpCodeSigning@5
+                condition: and(succeeded(), eq('${{ parameters.esrp }}', true))
+                displayName: 'Sign installers'
+                inputs:
+                  connectedServiceName: '$(esrpConnectionName)'
+                  appRegistrationClientId: '$(esrpClientId)'
+                  appRegistrationTenantId: '$(esrpTenantId)'
+                  authAkvName: '$(esrpAuthAkvName)'
+                  authCertName: '$(esrpAuthCertName)'
+                  authSignCertName: '$(esrpAuthSignCertName)'
+                  serviceEndpointUrl: '$(esrpEndpointUrl)'
+                  folderPath: '$(Build.ArtifactStagingDirectory)\installers'
+                  pattern: '**\*.exe'
+                  signConfigType: inlineSignParams
+                  inlineOperation: |
+                    [
+                      {
+                         "keyCode": "TODO",
+                         "operationCode": "SigntoolSign"
+                         "parameters": {
+                            "OpusName": "Microsoft",
+                            "OpusInfo": "http://microsoft.com",
+                            "FileDigest": "/fd \"SHA256\"",
+                            "PageHash": "/NPH",
+                            "Timestamp": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256"
+                         },
+                         "toolName": "sign",
+                         "toolVersion": "1.0"
+                      },
+                      {
+                        "keyCode": "TODO",
+                        "operationCode": "SigntoolVerify",
+                        "parameters": {},
+                        "toolName": "sign",
+                        "toolVersion": "1.0"
+                      }
+                    ]
