@@ -19,19 +19,27 @@ resources:
1919parameters :
2020- name : OneLocSourceBranch
2121 default : refs/heads/main
22+ - name : ApiScanSourceBranch
23+ default : refs/heads/main
2224- name : Skip1ESComplianceTasks
2325 default : false
2426- name : SignArtifacts
2527 default : false
2628
2729variables :
2830- group : Xamarin-Secrets
31+ - name : ApiScanSoftwareName
32+ value : VS
33+ - name : ApiScanSoftwareVersion
34+ value : 17.10
2935- name : DisablePipelineConfigDetector
3036 value : true
3137- name : WindowsPoolImage1ESPT
3238 value : 1ESPT-Windows2022
3339- name : LinuxPoolImage1ESPT
3440 value : 1ESPT-Ubuntu22.04
41+ - name : MicroBuildPoolName
42+ value : VSEngSS-MicroBuild2022-1ES
3543
3644extends :
3745 ${{ if or(eq(variables['Build.Reason'], 'PullRequest'), eq('${{ parameters.Skip1ESComplianceTasks }}', 'true')) }} :
@@ -335,7 +343,7 @@ extends:
335343 jobs :
336344 - job : OneLocBuild
337345 displayName : OneLocBuild
338- pool : VSEngSS-MicroBuild2022-1ES
346+ pool : $(MicroBuildPoolName)
339347 timeoutInMinutes : 30
340348 variables :
341349 - group : Xamarin-Secrets
@@ -368,3 +376,75 @@ extends:
368376 isShouldReusePrSelected : true
369377 isAutoCompletePrSelected : false
370378 isUseLfLineEndingsSelected : true
379+
380+ - stage : Compliance
381+ displayName : Compliance
382+ dependsOn : Build
383+ condition : and(eq(dependencies.Build.result, 'Succeeded'), eq(variables['Build.SourceBranch'], '${{ parameters.ApiScanSourceBranch }}'))
384+ jobs :
385+ - job : api_scan
386+ displayName : API Scan
387+ pool :
388+ name : Maui-1ESPT
389+ image : $(WindowsPoolImage1ESPT)
390+ os : windows
391+ timeoutInMinutes : 360
392+ workspace :
393+ clean : all
394+ steps :
395+ - task : DownloadPipelineArtifact@2
396+ displayName : download nuget artifact
397+ inputs :
398+ artifactName : nuget
399+ downloadPath : $(Build.StagingDirectory)
400+ itemPattern : ' *.nupkg'
401+
402+ - task : ExtractFiles@1
403+ displayName : Extract nuget
404+ inputs :
405+ archiveFilePatterns : $(Build.StagingDirectory)\**\*.nupkg
406+ destinationFolder : $(Build.SourcesDirectory)\nuget
407+
408+ - task : CopyFiles@2
409+ displayName : Collect Files for APIScan
410+ inputs :
411+ Contents : |
412+ $(Build.SourcesDirectory)\nuget\**\?(*.dll|*.exe|*.pdb)
413+ !$(Build.SourcesDirectory)\**\runtimes\win-arm64\native\libzipsharpnative*.dll
414+ TargetFolder : $(Agent.TempDirectory)\T
415+
416+ - powershell : Get-ChildItem -Path "$(Agent.TempDirectory)\T" -Recurse
417+ displayName : List Files for APIScan
418+
419+ - task : APIScan@2
420+ displayName : Run APIScan
421+ inputs :
422+ softwareFolder : $(Agent.TempDirectory)\T
423+ symbolsFolder : ' SRV*http://symweb;$(Agent.TempDirectory)\T'
424+ softwareName : $(ApiScanSoftwareName)
425+ softwareVersionNum : $(ApiScanSoftwareVersion)
426+ toolVersion : Latest
427+ env :
428+ AzureServicesAuthConnectionString : runAs=App;AppId=$(ApiScanClientId);TenantId=$(ApiScanTenant);AppKey=$(ApiScanSecret)
429+
430+ - task : SdtReport@2
431+ displayName : Guardian Export - Security Report
432+ inputs :
433+ GdnExportAllTools : false
434+ GdnExportGdnToolApiScan : true
435+ GdnExportOutputSuppressionFile : apiscan.gdnsuppress
436+
437+ - task : PublishSecurityAnalysisLogs@3
438+ displayName : Publish Guardian Artifacts
439+ inputs :
440+ ArtifactName : APIScan Logs
441+ ArtifactType : Container
442+ AllTools : false
443+ APIScan : true
444+ ToolLogsNotFoundAction : Warning
445+
446+ - task : PostAnalysis@2
447+ displayName : Fail Build on Guardian Issues
448+ inputs :
449+ GdnBreakAllTools : false
450+ GdnBreakGdnToolApiScan : true
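Review bot: The `condition:` on the new Compliance stage compares `dependencies.Build.result` with `'Succeeded'` only, so a Build that finishes as `SucceededWithIssues` skips the API scan without failing anything; `in(dependencies.Build.result, 'Succeeded', 'SucceededWithIssues')` would keep the gate running in that case. The same condition limits the scan to the branch named by `ApiScanSourceBranch`, which deserves a comment above it such as `# API scan runs only on ApiScanSourceBranch; every other branch skips this stage`. In the APIScan step, `toolVersion: Latest` lets the gate's outcome change between two runs of the same commit, so pinning a version, if the task accepts one, would make a new failure attributable. `ApiScanClientId`, `ApiScanTenant` and `ApiScanSecret` are not defined in the visible hunks and presumably come from the `Xamarin-Secrets` group; a comment next to the `env:` block should say where they come from and that `ApiScanSecret` must stay a secret variable.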