Adopt 1ES PT (microsoft#207844)

* extend 1es pipeline template

* oops

* fix template references

* argh

* hmm

* hm

* hm

* use outputs for compilation artifact

* this

* use 1ES.PublishPipelineArtifact@1 instead of publish

* more 1ES.PublishPipelineArtifact@1 adoption

* provide windows pool for sdl sources

* sdl

* fix pools

* fix macos

* disable sbom for intermediate artifacts

* use mariner linux

* try inline tsa options

* fix credscan

* hm

* sudo it

* more suppressions

* be explicit with SBOM build drop paths

* fix indentation

* fix file extensions

* fix cli sbom build drop paths

* fix more build

* fix unzip cli

* careful with _manifest in artifacts

* do not close file

* add logging

* debug

* use snapcraft container

* remove size check

* fix macos cli step

* fix snap permissions

* fix macos

* better logs

* fix snap

* more cred scan suppressions

* even more supressiong

* alpine-arm64: try using x64

* Revert "alpine-arm64: try using x64"

This reverts commit bf2003b.

* test docker

* I wonder

* logs

* hm

* fix indentation

* hm

* hm

* fix snap finds

* remove auth

* use hostArchitecture

* snap: limit find

* hm

* sudo

* Add validateToolOutput: None to the build pipeline

* bring back sdl-scan

* try all tools: true

* use release

* Update Azure Pipelines YAML file for Linux product build and test

* hm

* hm

* same for win32

* hm

* hm

* Revert "hm"

This reverts commit 1b9dcae.

* use branch

* fix template file

* fix template paths

Author: joaomoreno

build/azure-pipelines/alpine/cli-build-alpine.yml

@@ -33,7 +33,7 @@ steps:
       workingDirectory: build
       displayName: Install pipeline build
 
-    - template: ../cli/cli-apply-patches.yml
+    - template: ../cli/cli-apply-patches.yml@self
 
   - task: Npm@1
     displayName: Download openssl prebuilt
@@ -58,7 +58,7 @@ steps:
       sudo ln -s "/usr/bin/g++" "/usr/bin/musl-g++" || echo "link exists"
     displayName: Install musl build dependencies
 
-  - template: ../cli/install-rust-posix.yml
+  - template: ../cli/install-rust-posix.yml@self
     parameters:
       targets:
         - ${{ if eq(parameters.VSCODE_BUILD_ALPINE_ARM64, true) }}:
@@ -67,7 +67,7 @@ steps:
           - x86_64-unknown-linux-musl
 
   - ${{ if eq(parameters.VSCODE_BUILD_ALPINE_ARM64, true) }}:
-    - template: ../cli/cli-compile.yml
+    - template: ../cli/cli-compile.yml@self
       parameters:
         VSCODE_CLI_TARGET: aarch64-unknown-linux-musl
         VSCODE_CLI_ARTIFACT: vscode_cli_alpine_arm64_cli
@@ -80,7 +80,7 @@ steps:
           OPENSSL_STATIC: "1"
 
   - ${{ if eq(parameters.VSCODE_BUILD_ALPINE, true) }}:
-    - template: ../cli/cli-compile.yml
+    - template: ../cli/cli-compile.yml@self
       parameters:
         VSCODE_CLI_TARGET: x86_64-unknown-linux-musl
         VSCODE_CLI_ARTIFACT: vscode_cli_alpine_x64_cli
@@ -92,14 +92,23 @@ steps:
           OPENSSL_INCLUDE_DIR: $(Build.ArtifactStagingDirectory)/openssl/x64-linux-musl/include
           OPENSSL_STATIC: "1"
 
-  - ${{ if eq(parameters.VSCODE_BUILD_ALPINE_ARM64, true) }}:
-    - template: ../cli/cli-publish.yml
-      parameters:
-        VSCODE_CLI_ARTIFACT: vscode_cli_alpine_arm64_cli
-        VSCODE_CHECK_ONLY: ${{ parameters.VSCODE_CHECK_ONLY }}
+  - ${{ if not(parameters.VSCODE_CHECK_ONLY) }}:
+    - ${{ if eq(parameters.VSCODE_BUILD_ALPINE_ARM64, true) }}:
+      - task: 1ES.PublishPipelineArtifact@1
+        inputs:
+          targetPath: $(Build.ArtifactStagingDirectory)/vscode_cli_alpine_arm64_cli.tar.gz
+          artifactName: vscode_cli_alpine_arm64_cli
+          sbomBuildDropPath: $(Build.ArtifactStagingDirectory)/cli
+          sbomPackageName: "VS Code Alpine arm64 CLI"
+          sbomPackageVersion: $(Build.SourceVersion)
+        displayName: Publish vscode_cli_alpine_arm64_cli artifact
 
-  - ${{ if eq(parameters.VSCODE_BUILD_ALPINE, true) }}:
-    - template: ../cli/cli-publish.yml
-      parameters:
-        VSCODE_CLI_ARTIFACT: vscode_cli_alpine_x64_cli
-        VSCODE_CHECK_ONLY: ${{ parameters.VSCODE_CHECK_ONLY }}
+    - ${{ if eq(parameters.VSCODE_BUILD_ALPINE, true) }}:
+      - task: 1ES.PublishPipelineArtifact@1
+        inputs:
+          targetPath: $(Build.ArtifactStagingDirectory)/vscode_cli_alpine_x64_cli.tar.gz
+          artifactName: vscode_cli_alpine_x64_cli
+          sbomBuildDropPath: $(Build.ArtifactStagingDirectory)/cli
+          sbomPackageName: "VS Code Alpine x64 CLI"
+          sbomPackageVersion: $(Build.SourceVersion)
+        displayName: Publish vscode_cli_alpine_x64_cli artifact

build/azure-pipelines/alpine/product-build-alpine.yml

@@ -5,7 +5,7 @@ steps:
       versionFilePath: .nvmrc
       nodejsMirror: https://github.com/joaomoreno/node-mirror/releases/download
 
-  - template: ../distro/download-distro.yml
+  - template: ../distro/download-distro.yml@self
 
   - task: AzureKeyVault@1
     displayName: "Azure Key Vault: Get Secrets"
@@ -107,16 +107,18 @@ steps:
   - script: node build/azure-pipelines/distro/mixin-quality
     displayName: Mixin distro quality
 
-  - template: ../common/install-builtin-extensions.yml
+  - template: ../common/install-builtin-extensions.yml@self
 
   - script: |
       set -e
       TARGET=$([ "$VSCODE_ARCH" == "x64" ] && echo "linux-alpine" || echo "alpine-arm64") # TODO@joaomoreno
       yarn gulp vscode-reh-$TARGET-min-ci
       (cd .. && mv vscode-reh-$TARGET vscode-server-$TARGET) # TODO@joaomoreno
       ARCHIVE_PATH=".build/linux/server/vscode-server-$TARGET.tar.gz"
+      DIR_PATH="$(realpath ../vscode-server-$TARGET)"
       mkdir -p $(dirname $ARCHIVE_PATH)
       tar --owner=0 --group=0 -czf $ARCHIVE_PATH -C .. vscode-server-$TARGET
+      echo "##vso[task.setvariable variable=SERVER_DIR_PATH]$DIR_PATH"
       echo "##vso[task.setvariable variable=SERVER_PATH]$ARCHIVE_PATH"
     env:
       GITHUB_TOKEN: "$(github-distro-mixin-password)"
@@ -128,8 +130,10 @@ steps:
       yarn gulp vscode-reh-web-$TARGET-min-ci
       (cd .. && mv vscode-reh-web-$TARGET vscode-server-$TARGET-web) # TODO@joaomoreno
       ARCHIVE_PATH=".build/linux/web/vscode-server-$TARGET-web.tar.gz"
+      DIR_PATH="$(realpath ../vscode-server-$TARGET-web)"
       mkdir -p $(dirname $ARCHIVE_PATH)
       tar --owner=0 --group=0 -czf $ARCHIVE_PATH -C .. vscode-server-$TARGET-web
+      echo "##vso[task.setvariable variable=WEB_DIR_PATH]$DIR_PATH"
       echo "##vso[task.setvariable variable=WEB_PATH]$ARCHIVE_PATH"
     env:
       GITHUB_TOKEN: "$(github-distro-mixin-password)"
@@ -139,36 +143,40 @@ steps:
     condition: and(succeededOrFailed(), notIn(variables['Agent.JobStatus'], 'Succeeded', 'SucceededWithIssues'))
     displayName: Generate artifact prefix
 
-  - script: mkdir $(agent.builddirectory)/vscode-alpine-$(VSCODE_ARCH)
-    displayName: Make folder for SBOM
-
-  - task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0
-    displayName: Generate SBOM
+  - task: 1ES.PublishPipelineArtifact@1
     inputs:
-      BuildDropPath: $(agent.builddirectory)/vscode-alpine-$(VSCODE_ARCH)
-      PackageName: Visual Studio Code Server
-
-  - publish: $(agent.builddirectory)/vscode-alpine-$(VSCODE_ARCH)/_manifest
-    displayName: Publish SBOM
-    artifact: $(ARTIFACT_PREFIX)sbom_vscode_alpine_$(VSCODE_ARCH)
-
-  - publish: $(SERVER_PATH)
-    artifact: $(ARTIFACT_PREFIX)vscode_server_alpine_$(VSCODE_ARCH)_archive-unsigned
+      targetPath: $(SERVER_PATH)
+      artifactName: $(ARTIFACT_PREFIX)vscode_server_alpine_$(VSCODE_ARCH)_archive-unsigned
+      sbomBuildDropPath: $(SERVER_DIR_PATH)
+      sbomPackageName: "VS Code Alpine $(VSCODE_ARCH) Server"
+      sbomPackageVersion: $(Build.SourceVersion)
     displayName: Publish server archive
     condition: and(succeededOrFailed(), ne(variables['SERVER_PATH'], ''), ne(variables['VSCODE_ARCH'], 'x64'))
 
-  - publish: $(WEB_PATH)
-    artifact: $(ARTIFACT_PREFIX)vscode_web_alpine_$(VSCODE_ARCH)_archive-unsigned
+  - task: 1ES.PublishPipelineArtifact@1
+    inputs:
+      targetPath: $(WEB_PATH)
+      artifactName: $(ARTIFACT_PREFIX)vscode_web_alpine_$(VSCODE_ARCH)_archive-unsigned
+      sbomBuildDropPath: $(WEB_DIR_PATH)
+      sbomPackageName: "VS Code Alpine $(VSCODE_ARCH) Web"
+      sbomPackageVersion: $(Build.SourceVersion)
     displayName: Publish web server archive
     condition: and(succeededOrFailed(), ne(variables['WEB_PATH'], ''), ne(variables['VSCODE_ARCH'], 'x64'))
 
-  # Legacy x64 artifact name
-  - publish: $(SERVER_PATH)
-    artifact: $(ARTIFACT_PREFIX)vscode_server_linux_alpine_archive-unsigned
+  # same as above, keep legacy name
+  - task: 1ES.PublishPipelineArtifact@1
+    inputs:
+      targetPath: $(SERVER_PATH)
+      artifactName: $(ARTIFACT_PREFIX)vscode_server_linux_alpine_archive-unsigned
+      sbomEnabled: false
     displayName: Publish x64 server archive
     condition: and(succeededOrFailed(), ne(variables['SERVER_PATH'], ''), eq(variables['VSCODE_ARCH'], 'x64'))
 
-  - publish: $(WEB_PATH)
-    artifact: $(ARTIFACT_PREFIX)vscode_web_linux_alpine_archive-unsigned
+  # same as above, keep legacy name
+  - task: 1ES.PublishPipelineArtifact@1
+    inputs:
+      targetPath: $(WEB_PATH)
+      artifactName: $(ARTIFACT_PREFIX)vscode_web_linux_alpine_archive-unsigned
+      sbomEnabled: false
     displayName: Publish x64 web server archive
     condition: and(succeededOrFailed(), ne(variables['WEB_PATH'], ''), eq(variables['VSCODE_ARCH'], 'x64'))

build/azure-pipelines/cli/cli-apply-patches.yml

@@ -1,5 +1,5 @@
 steps:
-  - template: ../distro/download-distro.yml
+  - template: ../distro/download-distro.yml@self
 
   - script: node build/azure-pipelines/distro/mixin-quality
     displayName: Mixin distro quality

build/azure-pipelines/cli/cli-compile.yml

@@ -110,13 +110,14 @@ steps:
 
           Write-Host "##vso[task.setvariable variable=VSCODE_CLI_APPLICATION_NAME]$env:VSCODE_CLI_APPLICATION_NAME"
 
-          Move-Item -Path $(Build.SourcesDirectory)/cli/target/${{ parameters.VSCODE_CLI_TARGET }}/release/code.exe -Destination "$(Build.ArtifactStagingDirectory)/${env:VSCODE_CLI_APPLICATION_NAME}.exe"
+          New-Item -ItemType Directory -Force -Path "$(Build.ArtifactStagingDirectory)/cli"
+          Move-Item -Path $(Build.SourcesDirectory)/cli/target/${{ parameters.VSCODE_CLI_TARGET }}/release/code.exe -Destination "$(Build.ArtifactStagingDirectory)/cli/${env:VSCODE_CLI_APPLICATION_NAME}.exe"
         displayName: Stage CLI
 
       - task: ArchiveFiles@2
         displayName: Archive CLI
         inputs:
-          rootFolderOrFile: $(Build.ArtifactStagingDirectory)/$(VSCODE_CLI_APPLICATION_NAME).exe
+          rootFolderOrFile: $(Build.ArtifactStagingDirectory)/cli/$(VSCODE_CLI_APPLICATION_NAME).exe
           includeRootFolder: false
           archiveType: zip
           archiveFile: $(Build.ArtifactStagingDirectory)/${{ parameters.VSCODE_CLI_ARTIFACT }}.zip
@@ -127,43 +128,19 @@ steps:
           VSCODE_CLI_APPLICATION_NAME=$(node -p "require(\"$VSCODE_CLI_PRODUCT_JSON\").applicationName")
           echo "##vso[task.setvariable variable=VSCODE_CLI_APPLICATION_NAME]$VSCODE_CLI_APPLICATION_NAME"
 
-          mv $(Build.SourcesDirectory)/cli/target/${{ parameters.VSCODE_CLI_TARGET }}/release/code $(Build.ArtifactStagingDirectory)/$VSCODE_CLI_APPLICATION_NAME
+          mkdir -p $(Build.ArtifactStagingDirectory)/cli
+          mv $(Build.SourcesDirectory)/cli/target/${{ parameters.VSCODE_CLI_TARGET }}/release/code $(Build.ArtifactStagingDirectory)/cli/$VSCODE_CLI_APPLICATION_NAME
         displayName: Stage CLI
 
-      - ${{ if contains(parameters.VSCODE_CLI_TARGET, '-darwin') }}:
-        - task: ArchiveFiles@2
-          displayName: Archive CLI
-          inputs:
-            rootFolderOrFile: $(Build.ArtifactStagingDirectory)/$(VSCODE_CLI_APPLICATION_NAME)
-            includeRootFolder: false
+      - task: ArchiveFiles@2
+        displayName: Archive CLI
+        inputs:
+          rootFolderOrFile: $(Build.ArtifactStagingDirectory)/cli/$(VSCODE_CLI_APPLICATION_NAME)
+          includeRootFolder: false
+          ${{ if contains(parameters.VSCODE_CLI_TARGET, '-darwin') }}:
             archiveType: zip
             archiveFile: $(Build.ArtifactStagingDirectory)/${{ parameters.VSCODE_CLI_ARTIFACT }}.zip
-
-      - ${{ else }}:
-        - task: ArchiveFiles@2
-          displayName: Archive CLI
-          inputs:
-            rootFolderOrFile: $(Build.ArtifactStagingDirectory)/$(VSCODE_CLI_APPLICATION_NAME)
-            includeRootFolder: false
+          ${{ else }}:
             archiveType: tar
             tarCompression: gz
             archiveFile: $(Build.ArtifactStagingDirectory)/${{ parameters.VSCODE_CLI_ARTIFACT }}.tar.gz
-
-    # Make a folder for the SBOM for the specific artifact
-    - ${{ if contains(parameters.VSCODE_CLI_TARGET, '-windows-') }}:
-      - powershell: mkdir $(Build.ArtifactStagingDirectory)/sbom_${{ parameters.VSCODE_CLI_ARTIFACT }}
-        displayName: Make folder for SBOM (Windows)
-
-    - ${{ else }}:
-      - script: mkdir $(Build.ArtifactStagingDirectory)/sbom_${{ parameters.VSCODE_CLI_ARTIFACT }}
-        displayName: Make folder for SBOM (non-Windows)
-
-    # The if cases above are for different OSes,
-    # but we're still in the branch where the cli is being published in general.
-    # Generate and publish an SBOM.
-    - task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0
-      displayName: Generate SBOM
-      inputs:
-        BuildComponentPath: $(Build.SourcesDirectory)/cli
-        BuildDropPath: $(Build.ArtifactStagingDirectory)/sbom_${{ parameters.VSCODE_CLI_ARTIFACT }}
-        PackageName: Visual Studio Code CLI

build/azure-pipelines/cli/cli-darwin-sign.yml

@@ -26,6 +26,12 @@ steps:
         artifact: ${{ target }}
         path: $(Build.ArtifactStagingDirectory)/pkg/${{ target }}
 
+    - task: ExtractFiles@1
+      displayName: Extract artifact
+      inputs:
+        archiveFilePatterns: $(Build.ArtifactStagingDirectory)/pkg/${{ target }}/*.zip
+        destinationFolder: $(Build.ArtifactStagingDirectory)/sign/${{ target }}
+
   - script: node build/azure-pipelines/common/sign $(Agent.ToolsDirectory)/esrpclient/*/*/net6.0/esrpcli.dll sign-darwin $(ESRP-PKI) $(esrp-aad-username) $(esrp-aad-password) $(Build.ArtifactStagingDirectory)/pkg "*.zip"
     displayName: Codesign
 
@@ -40,6 +46,11 @@ steps:
         echo "##vso[task.setvariable variable=ASSET_ID]$ASSET_ID"
       displayName: Set asset id variable
 
-    - publish: $(Build.ArtifactStagingDirectory)/pkg/${{ target }}/$(ASSET_ID).zip
+    - task: 1ES.PublishPipelineArtifact@1
+      inputs:
+        targetPath: $(Build.ArtifactStagingDirectory)/pkg/${{ target }}/$(ASSET_ID).zip
+        artifactName: $(ASSET_ID)
+        sbomBuildDropPath: $(Build.ArtifactStagingDirectory)/sign/${{ target }}
+        sbomPackageName: "VS Code macOS ${{ target }} CLI"
+        sbomPackageVersion: $(Build.SourceVersion)
       displayName: Publish signed artifact with ID $(ASSET_ID)
-      artifact: $(ASSET_ID)

build/azure-pipelines/cli/cli-publish.yml

@@ -59,6 +59,11 @@ steps:
           archiveType: zip
           archiveFile: $(Build.ArtifactStagingDirectory)/$(ASSET_ID).zip
 
-      - publish: $(Build.ArtifactStagingDirectory)/$(ASSET_ID).zip
+      - task: 1ES.PublishPipelineArtifact@1
+        inputs:
+          targetPath: $(Build.ArtifactStagingDirectory)/$(ASSET_ID).zip
+          artifactName: $(ASSET_ID)
+          sbomBuildDropPath: $(Build.ArtifactStagingDirectory)/sign/${{ target }}
+          sbomPackageName: "VS Code Windows ${{ target }} CLI"
+          sbomPackageVersion: $(Build.SourceVersion)
         displayName: Publish signed artifact with ID $(ASSET_ID)
-        artifact: $(ASSET_ID)

build/azure-pipelines/cli/cli-win32-sign.yml

@@ -1,5 +1,5 @@
 steps:
-  - template: ./install-rust-posix.yml
+  - template: ./install-rust-posix.yml@self
 
   - script: cargo clippy -- -D warnings
     workingDirectory: cli