Add SBOM for release pipeline (#20519)

adityapatwardhan · web-flow · commit faba49e24aec · 2023-10-19T15:08:01.000-07:00
diff --git a/tools/releaseBuild/azureDevOps/releasePipeline.yml b/tools/releaseBuild/azureDevOps/releasePipeline.yml
@@ -29,6 +29,12 @@ resources:
     name: Internal-PowerShellTeam-Tools
     ref: main-mirror
 
+  - repository: ComplianceRepo
+    type: github
+    endpoint: ComplianceGHRepo
+    name: PowerShell/compliance
+    ref: master
+
 variables:
   - name: runCodesignValidationInjection
     value : false
@@ -341,7 +347,6 @@ stages:
 - stage: PublishPackages
   displayName: Publish packages
   dependsOn: GitHubManualTasks
-  timeoutInMinutes: 120
   jobs:
   - job: PublishNuget
 
diff --git a/tools/releaseBuild/azureDevOps/templates/release-CreateGitHubDraft.yml b/tools/releaseBuild/azureDevOps/templates/release-CreateGitHubDraft.yml
@@ -7,17 +7,16 @@ steps:
 - template: release-SetReleaseTagAndContainerName.yml
 
 - pwsh: |
-    Import-module '$(BUILD.SOURCESDIRECTORY)/build.psm1'
+    Import-module '$(BUILD.SOURCESDIRECTORY)/PowerShell/build.psm1'
     Install-AzCopy
   displayName: Install AzCopy
   retryCountOnTaskFailure: 2
 
 - pwsh: |
-    Import-module '$(BUILD.SOURCESDIRECTORY)/build.psm1'
+    Import-module '$(BUILD.SOURCESDIRECTORY)/PowerShell/build.psm1'
     $azcopy = Find-AzCopy
     Write-Verbose -Verbose "Found AzCopy: $azcopy"
 
-    & $azcopy login --service-principal --application-id $(PowerShellReleaseSPN)
     & $azcopy cp https://$(StorageAccount).blob.core.windows.net/$(AzureVersion) $(System.ArtifactsDirectory) --recursive
 
     $packagesPath = Get-ChildItem -Path $(System.ArtifactsDirectory)\*.deb -Recurse -File | Select-Object -First 1 -ExpandProperty DirectoryName
@@ -27,7 +26,7 @@ steps:
   displayName: Download Azure Artifacts
   retryCountOnTaskFailure: 2
   env:
-    AZCOPY_SPA_CLIENT_SECRET: $(PowerShellReleaseSPNSecret)
+    AZCOPY_AUTO_LOGIN_TYPE: MSI
 
 - pwsh: |
     Get-ChildItem $(System.ArtifactsDirectory)\* -recurse | Select-Object -ExpandProperty FullName
@@ -55,6 +54,24 @@ steps:
     Write-Verbose -Verbose -Message $fileContent
   displayName: Add sha256 hashes
 
+- checkout: ComplianceRepo
+
+- pwsh: |
+    $releaseVersion = '$(ReleaseTag)' -replace '^v',''
+    $vstsCommandString = "vso[task.setvariable variable=ReleaseVersion]$releaseVersion"
+    Write-Host "sending " + $vstsCommandString
+    Write-Host "##$vstsCommandString"
+  displayName: 'Set release version'
+
+- template: Sbom.yml@ComplianceRepo
+  parameters:
+    BuildDropPath: '$(PackagesRoot)'
+    Build_Repository_Uri: 'https://github.com/powershell/powershell.git'
+    displayName: PowerShell Hashes SBOM
+    packageName: PowerShell Artifact Hashes
+    packageVersion: $(ReleaseVersion)
+    sourceScanPath: '$(PackagesRoot)'
+
 - pwsh: |
     Import-module '$(Pipeline.Workspace)/tools/Scripts/GitHubRelease.psm1'
     $releaseVersion = '$(ReleaseTag)' -replace '^v',''
@@ -69,7 +86,7 @@ steps:
       $semanticVersion.Major.ToString() + "." + $semanticVersion.Minor.ToString() + ".md"
     }
 
-    $filePath = "$env:BUILD_SOURCESDIRECTORY/CHANGELOG/$fileName"
+    $filePath = "$env:BUILD_SOURCESDIRECTORY/PowerShell/CHANGELOG/$fileName"
     Write-Verbose -Verbose "Selected Log file: $filePath"
 
     if (-not (Test-Path $filePath)) {
diff --git a/tools/releaseBuild/azureDevOps/templates/release-ValidatePackageNames.yml b/tools/releaseBuild/azureDevOps/templates/release-ValidatePackageNames.yml
@@ -16,13 +16,11 @@ steps:
     $azcopy = Find-AzCopy
     Write-Verbose -Verbose "Found AzCopy: $azcopy"
 
-    & $azcopy login --service-principal --application-id $(PowerShellReleaseSPN)
-
     & $azcopy cp https://$(StorageAccount).blob.core.windows.net/$(AzureVersion)/* $(System.ArtifactsDirectory) --recursive
 
   displayName: Download Azure Artifacts
   env:
-    AZCOPY_SPA_CLIENT_SECRET: $(PowerShellReleaseSPNSecret)
+    AZCOPY_AUTO_LOGIN_TYPE: MSI
 
 - pwsh: |
     Get-ChildItem $(System.ArtifactsDirectory)\* -recurse | Select-Object -ExpandProperty Name
diff --git a/tools/releaseBuild/azureDevOps/templates/vpackReleaseJob.yml b/tools/releaseBuild/azureDevOps/templates/vpackReleaseJob.yml
@@ -39,15 +39,13 @@ jobs:
       $azcopy = Find-AzCopy
       Write-Verbose -Verbose "Found AzCopy: $azcopy"
 
-      & $azcopy login --service-principal --application-id $(PowerShellReleaseSPN)
-
       Write-Host "running: $azcopy cp https://$(StorageAccount).blob.core.windows.net/$(AzureVersion)/PowerShell-$(Version)-win-${{ parameters.architecture }}.zip $(System.ArtifactsDirectory)"
 
       & $azcopy cp https://$(StorageAccount).blob.core.windows.net/$(AzureVersion)/PowerShell-$(Version)-win-${{ parameters.architecture }}.zip $(System.ArtifactsDirectory)
     displayName: 'Download Azure Artifacts'
     retryCountOnTaskFailure: 2
     env:
-      AZCOPY_SPA_CLIENT_SECRET: $(PowerShellReleaseSPNSecret)
+      AZCOPY_AUTO_LOGIN_TYPE: MSI
 
   - pwsh: 'Get-ChildItem $(System.ArtifactsDirectory)\* -recurse | Select-Object -ExpandProperty Name'
     displayName: 'Capture Artifact Listing'
