diff --git a/eng/pipelines/akv-non-official-pipeline.yml b/eng/pipelines/akv-non-official-pipeline.yml
new file mode 100644
index 0000000000..d625497fda
--- /dev/null
+++ b/eng/pipelines/akv-non-official-pipeline.yml
@@ -0,0 +1,137 @@
+#################################################################################
+# Licensed to the .NET Foundation under one or more agreements. #
+# The .NET Foundation licenses this file to you under the MIT license. #
+# See the LICENSE file in the project root for more information. #
+#################################################################################
+
+name: $(Year:YY)$(DayOfYear)$(Rev:.r)
+
+parameters:
+ - name: buildConfiguration
+ displayName: 'Build configuration'
+ type: 'string'
+ values:
+ - 'Release'
+ - 'Debug'
+ default: 'Release'
+
+ - name: publishSymbols
+ displayName: 'Publish symbols'
+ type: 'boolean'
+ default: false
+
+ - name: runSdlTasks
+ displayName: 'Run SDL Tasks'
+ type: 'boolean'
+ default: true
+
+variables:
+ - template: /eng/pipelines/variables/common-variables.yml@self
+ - template: /eng/pipelines/variables/onebranch-variables.yml@self
+ - template: /eng/pipelines/variables/esrp-signing-variables.yml@self
+ - template: /eng/pipelines/variables/akv-official-variables.yml@self
+
+resources:
+ repositories:
+ - repository: templates
+ type: 'git'
+ name: 'OneBranch.Pipelines/GovernedTemplates'
+ ref: 'refs/heads/main'
+
+extends:
+ template: 'v2/OneBranch.NonOfficial.CrossPlat.yml@templates'
+
+ parameters:
+ featureFlags:
+ WindowsHostVersion:
+ Version: '2022'
+
+ globalSdl:
+ # See https://aka.ms/obpipelines/sdl
+
+ apiscan:
+ enabled: ${{ parameters.runSdlTasks }}
+ softwareFolder: '${{ variables.apiScanDllPath }}'
+ softwareName: 'Microsoft.Data.SqlClient' # Note: This name is registered with ApiScan
+ softwareVersionNum: '${{ variables.assemblyFileVersion }}'
+ symbolsFolder: '${{ variables.apiScanPdbPath }}'
+
+ armory:
+ enabled: ${{ parameters.runSdlTasks }}
+ break: true
+
+ asyncSdl:
+ # If this should be enabled, move supported tools under this item,
+ # see https://aka.ms/obpipelines/asyncsdl
+ enabled: false
+
+ binskim:
+ enabled: ${{ parameters.runSdlTasks }}
+ break: true
+ codeinspector:
+ enabled: ${{ parameters.runSdlTasks }}
+ logLevel: Error
+
+ codeql:
+ enabled: ${{ parameters.runSdlTasks }}
+ sourceRoot: '$(REPO_ROOT)/src/Microsoft.Data.SqlClient/add-ons/AzureKeyVaultProvider'
+ # Note, this can only be done if project doesn't depend on other projects. In
+ # package reference mode, this is true, but if we ever enable project reference
+ # builds, this will have to be removed.
+
+ credscan:
+ enabled: ${{ parameters.runSdlTasks }}
+ suppressionsFile: '$(REPO_ROOT)/.config/CredScanSuppressions.json'
+
+ eslint:
+ enabled: false
+
+ policheck:
+ enabled: ${{ parameters.runSdlTasks }}
+ break: true
+ exclusionFile: '$(REPO_ROOT)/.config/PolicheckExclusions.xml'
+
+ roslyn:
+ enabled: ${{ parameters.runSdlTasks }}
+ break: true
+ # Requires RoslynAnalyzers task to be added after build task
+
+ publishLogs:
+ enabled: ${{ parameters.runSdlTasks }}
+
+ sbom:
+ enabled: ${{ parameters.runSdlTasks }}
+ packageName: 'Microsoft.Data.SqlClient.AlwaysEncrypted.AzureKeyVaultProvider'
+ packageVersion: ${{ variables.nugetPackageVersion }}
+
+ tsa:
+ # OneBranch publishes all sdl results to TSA. If TSA is disabled all SDL tools will
+ # be forced into 'break' build mode.
+ enabled: true + configFile: '$(REPO_ROOT)/.config/tsaoptions.json' + + stages: + - stage: BuildAkv + displayName: 'Build AKV' + jobs: + - template: /eng/pipelines/jobs/build-akv-official-job.yml@self + parameters: + apiScanDllPath: '${{ variables.apiScanDllPath }}' + apiScanPdbPath: '${{ variables.apiScanPdbPath }}' + assemblyFileVersion: '${{ variables.assemblyFileVersion }}' + buildConfiguration: '${{ parameters.buildConfiguration }}' + nugetPackageVersion: '${{ variables.nugetPackageVersion }}' + mdsPackageVersion: '${{ variables.mdsPackageVersion }}' + publishSymbols: '${{ parameters.publishSymbols }}' + signingAppRegistrationClientId: '$(SigningAppRegistrationClientId)' + signingAppRegistrationTenantId: '$(SigningAppRegistrationTenantId)' + signingAuthAkvName: '$(SigningAuthAkvName)' + signingAuthSignCertName: '$(SigningAuthSignCertName)' + signingEsrpClientId: '$(SigningEsrpClientId)' + signingEsrpConnectedServiceName: '$(SigningEsrpConnectedServiceName)' + symbolsAzureSubscription: '$(SymbolsAzureSubscription)' + symbolsPublishProjectName: '$(SymbolsPublishProjectName)' + symbolsPublishServer: '$(SymbolsPublishServer)' + symbolsPublishTokenUri: '$(SymbolsPublishTokenUri)' + symbolsUploadAccount: '$(SymbolsUploadAccount)' diff --git a/eng/pipelines/akv-official-pipeline.yml b/eng/pipelines/akv-official-pipeline.yml index d7bc900bb8..3ba3e5410e 100644 --- a/eng/pipelines/akv-official-pipeline.yml +++ b/eng/pipelines/akv-official-pipeline.yml @@ -9,14 +9,6 @@ name: $(Year:YY)$(DayOfYear)$(Rev:.r) # @TODO: Add triggers and schedules parameters: - - name: oneBranchType - displayName: 'OneBranch template' - type: 'string' - values: - - 'Official' - - 'NonOfficial' - default: 'Official' - - name: buildConfiguration displayName: 'Build configuration' type: 'string' 
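Review bot: The new `akv-non-official-pipeline.yml` has no `trigger:` block, yet it imports `esrp-signing-variables.yml` and `akv-official-variables.yml` and forwards the `signing*` and `symbols*` values to `build-akv-official-job.yml`. Azure Pipelines runs CI on pushes to every branch when a YAML pipeline omits `trigger`, so unless the pipeline settings override it, any branch push could start a build with the signing identity in scope; an explicit `trigger: none` near `name:` (or a branch include list like the one in `dotnet-sqlclient-non-official-pipeline.yml`) would pin that down. The job template is not part of this diff, so whether a non-official run actually signs or publishes symbols cannot be confirmed from here; a comment above `variables:` such as `# Non-official builds reuse the official signing variables; see build-akv-official-job.yml` would record the intent. Separately, `tsa.enabled: true` differs from what the NonOfficial option got before this commit (`eq(parameters.oneBranchType, 'Official')` evaluated to false), so per the adjacent comment the tools without an explicit `break: true` (codeinspector, codeql, credscan) are presumably no longer forced into break mode on these builds.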
@@ -49,7 +41,7 @@ resources: ref: 'refs/heads/main' extends: - template: 'v2/OneBranch.${{ parameters.oneBranchType }}.CrossPlat.yml@templates' + template: 'v2/OneBranch.Official.CrossPlat.yml@templates' parameters: featureFlags: @@ -118,7 +110,7 @@ extends: tsa: # OneBranch publishes all sdl results to TSA. If TSA is disabled all SDL tools will # be forced into 'break' build mode. - enabled: ${{ eq(parameters.oneBranchType, 'Official') }} + enabled: true configFile: '$(REPO_ROOT)/.config/tsaoptions.json' stages: diff --git a/eng/pipelines/dotnet-sqlclient-non-official-pipeline.yml b/eng/pipelines/dotnet-sqlclient-non-official-pipeline.yml new file mode 100644 index 0000000000..f785932406 --- /dev/null +++ b/eng/pipelines/dotnet-sqlclient-non-official-pipeline.yml 
@@ -0,0 +1,151 @@
+#################################################################################
+# Licensed to the .NET Foundation under one or more agreements. #
+# The .NET Foundation licenses this file to you under the MIT license. #
+# See the LICENSE file in the project root for more information. #
+#################################################################################
+
+name: $(Year:YY)$(DayOfYear)$(Rev:.r)
+trigger:
+ branches:
+ include:
+ - internal/main
+ paths:
+ include:
+ - .azuredevops
+ - .config
+ - doc
+ - eng/pipelines
+ - src
+ - tools
+ - azurepipelines-coverage.yml
+ - build.proj
+ - NuGet.config
+
+parameters: # parameters are shown up in ADO UI in a build queue time
+- name: 'debug'
+ displayName: 'Enable debug output'
+ type: boolean
+ default: false
+
+- name: publishSymbols
+ displayName: 'Publish symbols'
+ type: boolean
+ default: false
+
+- name: CurrentNetFxVersion
+ displayName: 'Lowest supported .NET Framework version (MDS validation)'
+ type: string
+ default: 'net462'
+
+- name: isPreview
+ displayName: 'Is this a preview build?'
+ type: boolean
+ default: false
+
+# The timeout, in minutes, for each test job.
+- name: testJobTimeout
+ displayName: 'Test job timeout (in minutes)'
+ type: number
+ default: 60
+
+variables:
+ - template: /eng/pipelines/libraries/variables.yml@self
+ - name: packageFolderName
+ value: drop_buildMDS_build_signed_package
+ - name: PublishSymbols
+ value: ${{ parameters['publishSymbols'] }}
+ - name: CurrentNetFxVersion
+ value: ${{ parameters['CurrentNetFxVersion'] }}
+
+resources:
+ repositories:
+ - repository: templates
+ type: git
+ name: OneBranch.Pipelines/GovernedTemplates
+ ref: refs/heads/main
+
+extends:
+ template: v2/OneBranch.NonOfficial.CrossPlat.yml@templates # https://aka.ms/obpipelines/templates
+ parameters:
+ featureFlags:
+ # Suggested by MerlinBot (https://sqlclientdrivers.visualstudio.com/ADO.Net/_git/dotnet-sqlclient/pullrequest/4882)
+ EnableCDPxPAT: false
+ WindowsHostVersion: 1ESWindows2022
+ globalSdl: # https://aka.ms/obpipelines/sdl
+ tsa:
+ # The OneBranch template will set 'break' to false for the other SDL
+ # tools when TSA is enabled. This allows TSA to gather the results
+ # and publish them for downstream analysis.
+ enabled: true
+ apiscan:
+ enabled: true
+ softwareFolder: $(softwareFolder)
+ symbolsFolder: $(symbolsFolder)
+ softwarename: Microsoft.Data.SqlClient
+ versionNumber: $(AssemblyFileVersion)
+ codeql:
+ compiled:
+ enabled: ${{ not(parameters['isPreview']) }}
+ sbom:
+ enabled: ${{ not(parameters['isPreview']) }}
+ packageName: Microsoft.Data.SqlClient
+ packageVersion: $(NugetPackageVersion)
+ policheck:
+ enabled: ${{ not(parameters['isPreview']) }}
+ break: true # always break the build on policheck issues. You can disable it by setting to 'false'
+ exclusionsFile: $(REPOROOT)\.config\PolicheckExclusions.xml
+ asyncSdl:
+ enabled: false
+ credscan:
+ enabled: ${{ not(parameters['isPreview']) }}
+ suppressionsFile: $(REPOROOT)/.config/CredScanSuppressions.json
+ binskim:
+ enabled: ${{ not(parameters['isPreview']) }}
+ armory:
+ enabled: ${{ not(parameters['isPreview']) }}
+ break: true
+ eslint: # TypeScript and JavaScript
+ enabled: false
+ roslyn:
+ enabled: ${{ not(parameters['isPreview']) }}
+ break: true
+ publishLogs:
+ enabled: ${{ not(parameters['isPreview']) }}
+ tsaOptionsPath: $(REPOROOT)\.config\tsaoptions.json
+ disableLegacyManifest: true
+ stages:
+ - stage: buildMDS
+ displayName: 'Build MDS'
+ jobs:
+ - template: eng/pipelines/common/templates/jobs/build-signed-package-job.yml@self
+ parameters:
+ symbolsFolder: $(symbolsFolder)
+ softwareFolder: $(softwareFolder)
+ publishSymbols: ${{ parameters['publishSymbols'] }}
+ isPreview: ${{ parameters['isPreview'] }}
+
+ - stage: mds_package_validation
+ displayName: 'MDS Package Validation'
+ dependsOn: buildMDS
+ jobs:
+ - template: eng/pipelines/common/templates/jobs/validate-signed-package-job.yml@self
+ parameters:
+ packageFolderName: $(packageFolderName)
+ isPreview: ${{ parameters['isPreview'] }}
+ downloadPackageStep:
+ download: current
+ artifact: $(packageFolderName)
+ patterns: '**/*.*nupkg'
+ displayName: 'Download NuGet Package'
+
+# Disabling as of 10/15/2025 due to OneBranch apparently disallowing MSBuild tasks in validation stages.
+# - template: eng/pipelines/common/templates/jobs/run-tests-package-reference-job.yml@self
+# parameters:
+# packageFolderName: $(packageFolderName)
+# isPreview: ${{ parameters['isPreview'] }}
+# timeout: ${{ parameters.testJobTimeout }}
+# downloadPackageStep:
+# download: current
+# artifact: $(packageFolderName)
+# patterns: '**/*.nupkg'
+# displayName: 'Download NuGet Package'
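Review bot: The `apiscan` block under `globalSdl` sets only `enabled: true`, but the `break: false` override that the signing pipeline applied to non-official builds is deleted by this commit (last hunk of `dotnet-sqlclient-signing-pipeline.yml`) and is not carried over into this new file. The deleted comment says the OneBranch template seems to set APIScan's `break` to true for non-official builds even when TSA is enabled, so if that still holds, this pipeline will now fail on APIScan findings; adding `break: false` under `apiscan:` together with that comment would keep the previous behaviour, or the commit description should say the change is intended. The `isPreview` parameter also deserves a comment where it is declared, since setting it at queue time switches off codeql, sbom, policheck, credscan, binskim, armory, roslyn and publishLogs together, e.g. `# NOTE: isPreview=true disables most SDL tools under globalSdl`.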
diff --git a/eng/pipelines/dotnet-sqlclient-signing-pipeline.yml b/eng/pipelines/dotnet-sqlclient-signing-pipeline.yml index b41811ca37..5a4611da54 100644 --- a/eng/pipelines/dotnet-sqlclient-signing-pipeline.yml +++ b/eng/pipelines/dotnet-sqlclient-signing-pipeline.yml @@ -51,13 +51,6 @@ parameters: # parameters are shown up in ADO UI in a build queue time type: string default: 'net462' -- name: oneBranchType - displayName: 'Select OneBranch template' - default: Official - values: - - NonOfficial - - Official - - name: isPreview displayName: 'Is this a preview build?' type: boolean @@ -86,7 +79,7 @@ resources: ref: refs/heads/main extends: - template: v2/OneBranch.${{parameters.oneBranchType }}.CrossPlat.yml@templates # https://aka.ms/obpipelines/templates + template: v2/OneBranch.Official.CrossPlat.yml@templates # https://aka.ms/obpipelines/templates parameters: featureFlags: # Suggested by MerlinBot (https://sqlclientdrivers.visualstudio.com/ADO.Net/_git/dotnet-sqlclient/pullrequest/4882) @@ -100,11 +93,6 @@ extends: enabled: true apiscan: enabled: true - # For non-official builds, the OneBranch template seems to set APIScan's - # 'break' to true even when TSA is enabled. We don't want APIScan to - # break non-official builds, so we explicitly set 'break' to false here. - ${{ if ne(parameters.oneBranchType, 'Official') }}: - break: false softwareFolder: $(softwareFolder) symbolsFolder: $(symbolsFolder) softwarename: Microsoft.Data.SqlClient