From 84660f0379d5eb6df71cbfb6cdeb26a10374eed7 Mon Sep 17 00:00:00 2001 From: Aditya Patwardhan Date: Wed, 18 Oct 2023 15:48:26 -0700 Subject: [PATCH 1/5] Add SBOM for GitHub release hashses --- .../azureDevOps/releasePipeline.yml | 7 ++++++- .../templates/release-CreateGitHubDraft.yml | 20 +++++++++++++++++++ 2 files changed, 26 insertions(+), 1 deletion(-) diff --git a/tools/releaseBuild/azureDevOps/releasePipeline.yml b/tools/releaseBuild/azureDevOps/releasePipeline.yml index 3e79785de4a..b406dd0b732 100644 --- a/tools/releaseBuild/azureDevOps/releasePipeline.yml +++ b/tools/releaseBuild/azureDevOps/releasePipeline.yml @@ -29,6 +29,12 @@ resources: name: Internal-PowerShellTeam-Tools ref: main-mirror + - repository: ComplianceRepo + type: github + endpoint: ComplianceGHRepo + name: PowerShell/compliance + ref: master + variables: - name: runCodesignValidationInjection value : false @@ -341,7 +347,6 @@ stages: - stage: PublishPackages displayName: Publish packages dependsOn: GitHubManualTasks - timeoutInMinutes: 120 jobs: - job: PublishNuget diff --git a/tools/releaseBuild/azureDevOps/templates/release-CreateGitHubDraft.yml b/tools/releaseBuild/azureDevOps/templates/release-CreateGitHubDraft.yml index dc7cf126630..0a5f92df086 100644 --- a/tools/releaseBuild/azureDevOps/templates/release-CreateGitHubDraft.yml +++ b/tools/releaseBuild/azureDevOps/templates/release-CreateGitHubDraft.yml 
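Review bot: The new `ComplianceRepo` resource tracks a moving branch (`ref: master`), so the `Sbom.yml@ComplianceRepo` template that the later patches wire into the release run is whatever that branch holds at run time rather than a reviewed revision of the compliance tooling. Pinning the resource to a tag (for example `ref: refs/tags/<reviewed-tag>`, placeholder) and bumping it deliberately keeps the SBOM generation reproducible and auditable against the release it describes. The `endpoint: ComplianceGHRepo` service connection must also exist and be authorized for this pipeline; that lives outside the diff, so confirm it before the first run. The enclosing `resources:` block starts before this hunk.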
@@ -55,6 +55,26 @@ steps: Write-Verbose -Verbose -Message $fileContent displayName: Add sha256 hashes +- checkout: ComplianceRepo + +- pwsh: | + $releaseVersion = '$(ReleaseTag)' -replace '^v','' + $vstsCommandString = "vso[task.setvariable variable=ReleaseVersion]$releaseVersion" + Write-Host "sending " + $vstsCommandString + Write-Host "##$vstsCommandString" + displayName: 'Set release version' + +- template: Sbom.yml@ComplianceRepo + parameters: + BuildDropPath: '$(PackagesRoot)' + Build_Repository_Uri: 'https://github.com/powershell/powershell.git' + displayName: PowerShell Hashes SBOM + packageName: PowerShell Artifact Hashes + packageVersion: $(ReleaseVersion) + # Optional - Path to scan for components or CGManifest.json + # Same as source scan path for Component Governance + # sourceScanPath: + - pwsh: | Import-module '$(Pipeline.Workspace)/tools/Scripts/GitHubRelease.psm1' $releaseVersion = '$(ReleaseTag)' -replace '^v','' From 6f1b820b9ade7983c22a25edf7e4354e7a3742d0 Mon Sep 17 00:00:00 2001 From: Aditya Patwardhan Date: Wed, 18 Oct 2023 15:49:35 -0700 Subject: [PATCH 2/5] Fix indent --- .../templates/release-CreateGitHubDraft.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/tools/releaseBuild/azureDevOps/templates/release-CreateGitHubDraft.yml b/tools/releaseBuild/azureDevOps/templates/release-CreateGitHubDraft.yml index 0a5f92df086..911c5a6f491 100644 --- a/tools/releaseBuild/azureDevOps/templates/release-CreateGitHubDraft.yml +++ b/tools/releaseBuild/azureDevOps/templates/release-CreateGitHubDraft.yml 
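Review bot: In the new 'Set release version' step, `Write-Host "sending " + $vstsCommandString` passes three separate arguments to Write-Host (the literal, a bare `+`, and the variable), so the log line reads `sending + vso[...]`; use interpolation instead, `Write-Host "sending $vstsCommandString"`. The step repeats the `'$(ReleaseTag)' -replace '^v',''` computation that the following GitHubRelease step (context at the end of the hunk) still performs on its own; now that `ReleaseVersion` is a pipeline variable, that later step could consume it, though it is outside this hunk. In the `Sbom.yml@ComplianceRepo` parameters, `packageVersion: $(ReleaseVersion)` is the only unquoted macro among quoted siblings (`BuildDropPath`, `Build_Repository_Uri`); `packageVersion: '$(ReleaseVersion)'` keeps the block consistent. The enclosing `steps:` list starts before this hunk.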
@@ -65,15 +65,15 @@ steps: displayName: 'Set release version' - template: Sbom.yml@ComplianceRepo - parameters: - BuildDropPath: '$(PackagesRoot)' - Build_Repository_Uri: 'https://github.com/powershell/powershell.git' - displayName: PowerShell Hashes SBOM - packageName: PowerShell Artifact Hashes - packageVersion: $(ReleaseVersion) - # Optional - Path to scan for components or CGManifest.json - # Same as source scan path for Component Governance - # sourceScanPath: + parameters: + BuildDropPath: '$(PackagesRoot)' + Build_Repository_Uri: 'https://github.com/powershell/powershell.git' + displayName: PowerShell Hashes SBOM + packageName: PowerShell Artifact Hashes + packageVersion: $(ReleaseVersion) + # Optional - Path to scan for components or CGManifest.json + # Same as source scan path for Component Governance + # sourceScanPath: - pwsh: | Import-module '$(Pipeline.Workspace)/tools/Scripts/GitHubRelease.psm1' From c17c98282f88c559bbe32ed979a4e923a0549239 Mon Sep 17 00:00:00 2001 From: Aditya Patwardhan Date: Wed, 18 Oct 2023 16:19:25 -0700 Subject: [PATCH 3/5] Fix paths due to multi checkout --- .../azureDevOps/templates/release-CreateGitHubDraft.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tools/releaseBuild/azureDevOps/templates/release-CreateGitHubDraft.yml b/tools/releaseBuild/azureDevOps/templates/release-CreateGitHubDraft.yml index 911c5a6f491..a4f7fa96184 100644 --- a/tools/releaseBuild/azureDevOps/templates/release-CreateGitHubDraft.yml +++ b/tools/releaseBuild/azureDevOps/templates/release-CreateGitHubDraft.yml 
@@ -7,13 +7,13 @@ steps: - template: release-SetReleaseTagAndContainerName.yml - pwsh: | - Import-module '$(BUILD.SOURCESDIRECTORY)/build.psm1' + Import-module '$(BUILD.SOURCESDIRECTORY)/PowerShell/build.psm1' Install-AzCopy displayName: Install AzCopy retryCountOnTaskFailure: 2 - pwsh: | - Import-module '$(BUILD.SOURCESDIRECTORY)/build.psm1' + Import-module '$(BUILD.SOURCESDIRECTORY)/PowerShell/build.psm1' $azcopy = Find-AzCopy Write-Verbose -Verbose "Found AzCopy: $azcopy" @@ -89,7 +89,7 @@ steps: $semanticVersion.Major.ToString() + "." + $semanticVersion.Minor.ToString() + ".md" } - $filePath = "$env:BUILD_SOURCESDIRECTORY/CHANGELOG/$fileName" + $filePath = "$env:BUILD_SOURCESDIRECTORY/PowerShell/CHANGELOG/$fileName" Write-Verbose -Verbose "Selected Log file: $filePath" if (-not (Test-Path $filePath)) { From a82cf6f7dce736f393eb900bdd36106284321fd7 Mon Sep 17 00:00:00 2001 From: Aditya Patwardhan Date: Wed, 18 Oct 2023 16:32:57 -0700 Subject: [PATCH 4/5] Remove azcopy login in favor of MSI --- .../azureDevOps/templates/release-CreateGitHubDraft.yml | 3 +-- .../azureDevOps/templates/release-ValidatePackageNames.yml | 4 +--- tools/releaseBuild/azureDevOps/templates/vpackReleaseJob.yml | 4 +--- 3 files changed, 3 insertions(+), 8 deletions(-) diff --git a/tools/releaseBuild/azureDevOps/templates/release-CreateGitHubDraft.yml b/tools/releaseBuild/azureDevOps/templates/release-CreateGitHubDraft.yml index a4f7fa96184..56aecb305f9 100644 --- a/tools/releaseBuild/azureDevOps/templates/release-CreateGitHubDraft.yml +++ b/tools/releaseBuild/azureDevOps/templates/release-CreateGitHubDraft.yml 
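Review bot: Both hunks hard-code a `PowerShell` subfolder (`$(BUILD.SOURCESDIRECTORY)/PowerShell/build.psm1` twice, and `$env:BUILD_SOURCESDIRECTORY/PowerShell/CHANGELOG/$fileName`), which presumably is the folder the default multi-repository checkout creates for the self repo once `ComplianceRepo` is also checked out; the paths now depend on that default naming rather than on anything declared in this template. Giving each checkout step an explicit `path:` (or computing the self-checkout location once, publishing it as a variable, and referencing it in the three places) makes the layout deterministic and keeps these steps working if the repository alias or name changes. Any other `$(BUILD.SOURCESDIRECTORY)` or `$env:BUILD_SOURCESDIRECTORY` reference in this template outside these hunks would need the same update. The enclosing `steps:` list starts before the first hunk.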
@@ -17,7 +17,6 @@ steps: $azcopy = Find-AzCopy Write-Verbose -Verbose "Found AzCopy: $azcopy" - & $azcopy login --service-principal --application-id $(PowerShellReleaseSPN) & $azcopy cp https://$(StorageAccount).blob.core.windows.net/$(AzureVersion) $(System.ArtifactsDirectory) --recursive $packagesPath = Get-ChildItem -Path $(System.ArtifactsDirectory)\*.deb -Recurse -File | Select-Object -First 1 -ExpandProperty DirectoryName @@ -27,7 +26,7 @@ steps: displayName: Download Azure Artifacts retryCountOnTaskFailure: 2 env: - AZCOPY_SPA_CLIENT_SECRET: $(PowerShellReleaseSPNSecret) + AZCOPY_AUTO_LOGIN_TYPE: MSI - pwsh: | Get-ChildItem $(System.ArtifactsDirectory)\* -recurse | Select-Object -ExpandProperty FullName diff --git a/tools/releaseBuild/azureDevOps/templates/release-ValidatePackageNames.yml b/tools/releaseBuild/azureDevOps/templates/release-ValidatePackageNames.yml index 1fb5364302b..44d09d45de1 100644 --- a/tools/releaseBuild/azureDevOps/templates/release-ValidatePackageNames.yml +++ b/tools/releaseBuild/azureDevOps/templates/release-ValidatePackageNames.yml @@ -16,13 +16,11 @@ steps: $azcopy = Find-AzCopy Write-Verbose -Verbose "Found AzCopy: $azcopy" - & $azcopy login --service-principal --application-id $(PowerShellReleaseSPN) - & $azcopy cp https://$(StorageAccount).blob.core.windows.net/$(AzureVersion)/* $(System.ArtifactsDirectory) --recursive displayName: Download Azure Artifacts env: - AZCOPY_SPA_CLIENT_SECRET: $(PowerShellReleaseSPNSecret) + AZCOPY_AUTO_LOGIN_TYPE: MSI - pwsh: | Get-ChildItem $(System.ArtifactsDirectory)\* -recurse | Select-Object -ExpandProperty Name diff --git a/tools/releaseBuild/azureDevOps/templates/vpackReleaseJob.yml b/tools/releaseBuild/azureDevOps/templates/vpackReleaseJob.yml index 61371fcfaa6..83779c75aa0 100644 --- a/tools/releaseBuild/azureDevOps/templates/vpackReleaseJob.yml +++ b/tools/releaseBuild/azureDevOps/templates/vpackReleaseJob.yml 
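Review bot: The `AZCOPY_AUTO_LOGIN_TYPE: MSI` entry in the `env:` block (here, and in the parallel hunks of release-ValidatePackageNames.yml and vpackReleaseJob.yml) only works on an agent that runs with an Azure managed identity holding a blob-read role such as Storage Blob Data Reader on `$(StorageAccount)`; Microsoft-hosted agents expose no managed identity, and with the explicit `login` line gone the failure would surface at `azcopy cp` as an authorization error rather than at a visible login step. A comment above the entry, `# Requires a self-hosted agent with a managed identity granted blob read on $(StorageAccount); hosted agents cannot use MSI`, records that constraint for whoever next changes the pool. If the agent carries more than one identity, azcopy uses the system-assigned one unless `AZCOPY_MSI_CLIENT_ID` (or `AZCOPY_MSI_OBJECT_ID` / `AZCOPY_MSI_RESOURCE_STRING`) selects the intended one, so set it explicitly if a user-assigned identity is meant. Dropping the `AZCOPY_SPA_CLIENT_SECRET` wiring is the right direction; if nothing else references `PowerShellReleaseSPN`/`PowerShellReleaseSPNSecret`, retiring that secret from the variable group and the SPN credential removes a standing secret the pipeline no longer needs.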
@@ -39,15 +39,13 @@ jobs: $azcopy = Find-AzCopy Write-Verbose -Verbose "Found AzCopy: $azcopy" - & $azcopy login --service-principal --application-id $(PowerShellReleaseSPN) - Write-Host "running: $azcopy cp https://$(StorageAccount).blob.core.windows.net/$(AzureVersion)/PowerShell-$(Version)-win-${{ parameters.architecture }}.zip $(System.ArtifactsDirectory)" & $azcopy cp https://$(StorageAccount).blob.core.windows.net/$(AzureVersion)/PowerShell-$(Version)-win-${{ parameters.architecture }}.zip $(System.ArtifactsDirectory) displayName: 'Download Azure Artifacts' retryCountOnTaskFailure: 2 env: - AZCOPY_SPA_CLIENT_SECRET: $(PowerShellReleaseSPNSecret) + AZCOPY_AUTO_LOGIN_TYPE: MSI - pwsh: 'Get-ChildItem $(System.ArtifactsDirectory)\* -recurse | Select-Object -ExpandProperty Name' displayName: 'Capture Artifact Listing' From c0f982428a5bcf647fbdd883055608a5d55341a4 Mon Sep 17 00:00:00 2001 From: Aditya Patwardhan Date: Thu, 19 Oct 2023 14:48:56 -0700 Subject: [PATCH 5/5] Update tools/releaseBuild/azureDevOps/templates/release-CreateGitHubDraft.yml --- .../azureDevOps/templates/release-CreateGitHubDraft.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/tools/releaseBuild/azureDevOps/templates/release-CreateGitHubDraft.yml b/tools/releaseBuild/azureDevOps/templates/release-CreateGitHubDraft.yml index 56aecb305f9..64c4d1b6a24 100644 --- a/tools/releaseBuild/azureDevOps/templates/release-CreateGitHubDraft.yml +++ b/tools/releaseBuild/azureDevOps/templates/release-CreateGitHubDraft.yml @@ -70,9 +70,7 @@ steps: displayName: PowerShell Hashes SBOM packageName: PowerShell Artifact Hashes packageVersion: $(ReleaseVersion) - # Optional - Path to scan for components or CGManifest.json - # Same as source scan path for Component Governance - # sourceScanPath: + sourceScanPath: '$(PackagesRoot)' - pwsh: | Import-module '$(Pipeline.Workspace)/tools/Scripts/GitHubRelease.psm1'
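Review bot: `sourceScanPath: '$(PackagesRoot)'` points the scan at the package drop, while the comment it replaces described this parameter as the Component Governance source scan path; the template will therefore run component detection over the release artifacts (the same directory passed as `BuildDropPath`) rather than over a source tree. That may well be intended, since this SBOM describes the artifact hashes rather than a build, but it is worth confirming against what `Sbom.yml@ComplianceRepo` does with the parameter, because scanning a drop can either pick up components embedded in the packages or report nothing if the directory holds only hash text files. If intended, a one-line comment such as `# Deliberately the package drop, not the source tree: this SBOM covers the published artifact hashes` preserves the reasoning the deleted comment used to carry. The enclosing `parameters:` block starts before this hunk.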