From 7fee38e2f5198edaf268e42d49ef0a5ce5eacab7 Mon Sep 17 00:00:00 2001
From: Peter Collins
Date: Wed, 20 Mar 2024 13:42:46 -0700
Subject: [PATCH 1/7] [ci] Use managed identity for ApiScan
---
build-tools/automation/azure-pipelines-nightly.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/build-tools/automation/azure-pipelines-nightly.yaml b/build-tools/automation/azure-pipelines-nightly.yaml
index a71b2ac0872..2659c77394b 100644
--- a/build-tools/automation/azure-pipelines-nightly.yaml
+++ b/build-tools/automation/azure-pipelines-nightly.yaml
@@ -335,7 +335,7 @@ stages: isLargeApp: true toolVersion: Latest env: - AzureServicesAuthConnectionString: runAs=App;AppId=$(ApiScanClientId);TenantId=$(ApiScanTenant);AppKey=$(ApiScanSecret) + AzureServicesAuthConnectionString: runAs=App;AppId=$(ApiScanClientId) - task: SdtReport@2 displayName: Guardian Export - Security Report
From b2812fe1385dc535f40dcd0752938e95aefe62f7 Mon Sep 17 00:00:00 2001
From: Peter Collins
Date: Wed, 20 Mar 2024 13:47:55 -0700
Subject: [PATCH 2/7] Testing
---
.../automation/azure-pipelines-nightly.yaml | 51 ++++++++++---------
1 file changed, 28 insertions(+), 23 deletions(-)
diff --git a/build-tools/automation/azure-pipelines-nightly.yaml b/build-tools/automation/azure-pipelines-nightly.yaml
index 2659c77394b..a8548d89b4f 100644
--- a/build-tools/automation/azure-pipelines-nightly.yaml
+++ b/build-tools/automation/azure-pipelines-nightly.yaml
@@ -283,8 +283,8 @@ stages: - stage: compliance_scan displayName: Compliance - dependsOn: mac_build - condition: and(eq(dependencies.mac_build.result, 'Succeeded'), eq(variables['Build.SourceBranch'], '${{ parameters.ApiScanSourceBranch }}')) + #dependsOn: mac_build + #condition: and(eq(dependencies.mac_build.result, 'Succeeded'), eq(variables['Build.SourceBranch'], '${{ parameters.ApiScanSourceBranch }}')) jobs: - job: api_scan displayName: API Scan
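Review bot: Removing `TenantId=$(ApiScanTenant);AppKey=$(ApiScanSecret)` from `AzureServicesAuthConnectionString` means the pipeline no longer consumes the ApiScan client secret, but nothing in this series retires it; the `ApiScanSecret` and `ApiScanTenant` pipeline variables should be deleted from their variable group and the secret rotated, so an unused credential does not stay valid. The remaining `runAs=App;AppId=$(ApiScanClientId)` form presumably resolves the identity from the agent host, so the step will fail on an agent that does not carry that identity; a comment on the env entry such as `# Managed identity: token comes from the agent host, no client secret needed` would make that dependency visible. The ApiScan task this env block belongs to starts outside the hunk.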
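Review bot: Commenting out `condition` on `compliance_scan` leaves the stage ungated in this intermediate commit, so the API scan would run for any branch rather than only `${{ parameters.ApiScanSourceBranch }}`; the second hunk of this patch goes further by replacing the collected binaries with a placeholder `dummy.dll`, and patch 3 sets `dependsOn: []`. Since patch 5 reverts all of it, patches 2, 3 and 5 should be squashed before merge so the history never contains a compliance stage that is disabled or scanning a placeholder. If the intermediate commits must stay, mark the disabled lines with `# TEMP: testing managed-identity auth, revert before merge` so the intent is recorded.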
@@ -295,31 +295,36 @@ stages: workspace: clean: all steps: - - template: /build-tools/automation/yaml-templates/setup-test-environment.yaml - parameters: - installApkDiff: false + #- template: /build-tools/automation/yaml-templates/setup-test-environment.yaml + # parameters: + # installApkDiff: false - - task: DownloadPipelineArtifact@2 - displayName: Download binutils pdbs - inputs: - artifactName: $(WindowsToolchainPdbArtifactName) - downloadPath: $(Build.StagingDirectory)\binutils-pdb + #- task: DownloadPipelineArtifact@2 + # displayName: Download binutils pdbs + # inputs: + # artifactName: $(WindowsToolchainPdbArtifactName) + # downloadPath: $(Build.StagingDirectory)\binutils-pdb - - powershell: | - Expand-Archive "$(Build.StagingDirectory)\binutils-pdb\$(WindowsToolchainPdbArtifactName).zip" "$(System.DefaultWorkingDirectory)\binutils-pdb" - Get-ChildItem -Path "$(System.DefaultWorkingDirectory)\binutils-pdb" -Recurse - displayName: Extract binutils pdbs + #- powershell: | + # Expand-Archive "$(Build.StagingDirectory)\binutils-pdb\$(WindowsToolchainPdbArtifactName).zip" "$(System.DefaultWorkingDirectory)\binutils-pdb" + # Get-ChildItem -Path "$(System.DefaultWorkingDirectory)\binutils-pdb" -Recurse + # displayName: Extract binutils pdbs ### Copy .dll, .exe, .pdb files for APIScan - - task: CopyFiles@2 - displayName: Collect Files for APIScan - inputs: - Contents: | - $(System.DefaultWorkingDirectory)\bin\$(XA.Build.Configuration)\dotnet\packs\Microsoft.Android*\**\?(*.dll|*.exe|*.pdb) - $(System.DefaultWorkingDirectory)\binutils-pdb\*.pdb - TargetFolder: $(Build.StagingDirectory)\apiscan - OverWrite: true - flattenFolders: true + #- task: CopyFiles@2 + # displayName: Collect Files for APIScan + # inputs: + # Contents: | + # $(System.DefaultWorkingDirectory)\bin\$(XA.Build.Configuration)\dotnet\packs\Microsoft.Android*\**\?(*.dll|*.exe|*.pdb) + # $(System.DefaultWorkingDirectory)\binutils-pdb\*.pdb + # TargetFolder: $(Build.StagingDirectory)\apiscan + # 
OverWrite: true + # flattenFolders: true + + - pwsh: | mkdir $(Build.StagingDirectory)\apiscan New-Item $(Build.StagingDirectory)\apiscan\dummy.dll displayName: create invalid file - pwsh: Get-ChildItem -Path "$(Build.StagingDirectory)\apiscan" -Recurse displayName: List Files for APIScan
From 9b52f1ee9eee8f90f8b59e58d10a3d8754f51f03 Mon Sep 17 00:00:00 2001
From: Peter Collins
Date: Wed, 20 Mar 2024 13:49:01 -0700
Subject: [PATCH 3/7] Testing
---
build-tools/automation/azure-pipelines-nightly.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/build-tools/automation/azure-pipelines-nightly.yaml b/build-tools/automation/azure-pipelines-nightly.yaml
index a8548d89b4f..9b2bfce82f5 100644
--- a/build-tools/automation/azure-pipelines-nightly.yaml
+++ b/build-tools/automation/azure-pipelines-nightly.yaml
@@ -283,7 +283,7 @@ stages: - stage: compliance_scan displayName: Compliance - #dependsOn: mac_build + dependsOn: [] #condition: and(eq(dependencies.mac_build.result, 'Succeeded'), eq(variables['Build.SourceBranch'], '${{ parameters.ApiScanSourceBranch }}')) jobs: - job: api_scan
From a2d5b6fed20d89c90245f924f1eb1bc80cabb292 Mon Sep 17 00:00:00 2001
From: Peter Collins
Date: Wed, 20 Mar 2024 14:26:16 -0700
Subject: [PATCH 4/7] Update pool and id var
---
build-tools/automation/azure-pipelines-nightly.yaml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/build-tools/automation/azure-pipelines-nightly.yaml b/build-tools/automation/azure-pipelines-nightly.yaml
index 9b2bfce82f5..7003af44922 100644
--- a/build-tools/automation/azure-pipelines-nightly.yaml
+++ b/build-tools/automation/azure-pipelines-nightly.yaml
@@ -289,8 +289,8 @@ stages: - job: api_scan displayName: API Scan pool: - name: Azure Pipelines - vmImage: windows-2022 + name: MAUI-1ESPT + demands: ImageOverride -equals $(WindowsPoolImage1ESPT) timeoutInMinutes: 480 workspace: clean: all
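Review bot: The move of `api_scan` from the hosted `windows-2022` image to `name: MAUI-1ESPT` with `demands: ImageOverride -equals $(WindowsPoolImage1ESPT)` is undocumented; the reason (the managed identity referenced later in this patch appears, from its name, to be attached to that pool) is only implied. A comment above `pool:` such as `# 1ES pool: the ApiScan managed identity is bound to these agents` would record it — confirm that is the actual dependency. Every job that lands on that pool can use the attached identity, so it should hold only the permissions ApiScan needs. `$(WindowsPoolImage1ESPT)` is not defined anywhere visible in this series; verify it is declared in the pipeline's variables or a linked variable group.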
@@ -340,7 +340,7 @@ stages: isLargeApp: true toolVersion: Latest env: - AzureServicesAuthConnectionString: runAs=App;AppId=$(ApiScanClientId) + AzureServicesAuthConnectionString: runAs=App;AppId=$(ApiScanMAUI1ESPTMangedId) - task: SdtReport@2 displayName: Guardian Export - Security Report
From b4ae506201a486221465ee95cc31fe2fe9932790 Mon Sep 17 00:00:00 2001
From: Peter Collins
Date: Mon, 25 Mar 2024 12:05:23 -0700
Subject: [PATCH 5/7] Revert testing changes
---
.../automation/azure-pipelines-nightly.yaml | 59 +++++++++----------
1 file changed, 27 insertions(+), 32 deletions(-)
diff --git a/build-tools/automation/azure-pipelines-nightly.yaml b/build-tools/automation/azure-pipelines-nightly.yaml
index 7003af44922..99a9afba7f9 100644
--- a/build-tools/automation/azure-pipelines-nightly.yaml
+++ b/build-tools/automation/azure-pipelines-nightly.yaml
@@ -283,8 +283,8 @@ stages: - stage: compliance_scan displayName: Compliance - dependsOn: [] - #condition: and(eq(dependencies.mac_build.result, 'Succeeded'), eq(variables['Build.SourceBranch'], '${{ parameters.ApiScanSourceBranch }}')) + dependsOn: mac_build + condition: and(eq(dependencies.mac_build.result, 'Succeeded'), eq(variables['Build.SourceBranch'], '${{ parameters.ApiScanSourceBranch }}')) jobs: - job: api_scan displayName: API Scan
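Review bot: `AppId=$(ApiScanMAUI1ESPTMangedId)` does not say which identifier the variable must hold; with the `runAs=App;AppId=` form for a user-assigned managed identity the value is the identity's client (application) ID, not its object/principal ID, and the wrong one only surfaces as an authentication failure inside the scan task. A comment above the env entry such as `# AppId is the client ID of the user-assigned managed identity on the MAUI-1ESPT pool` would prevent that misconfiguration. The task that owns this env block begins outside the hunk.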
@@ -295,36 +295,31 @@ stages: workspace: clean: all steps: - #- template: /build-tools/automation/yaml-templates/setup-test-environment.yaml - # parameters: - # installApkDiff: false - - #- task: DownloadPipelineArtifact@2 - # displayName: Download binutils pdbs - # inputs: - # artifactName: $(WindowsToolchainPdbArtifactName) - # downloadPath: $(Build.StagingDirectory)\binutils-pdb - - #- powershell: | - # Expand-Archive "$(Build.StagingDirectory)\binutils-pdb\$(WindowsToolchainPdbArtifactName).zip" "$(System.DefaultWorkingDirectory)\binutils-pdb" - # Get-ChildItem -Path "$(System.DefaultWorkingDirectory)\binutils-pdb" -Recurse - # displayName: Extract binutils pdbs - - ### Copy .dll, .exe, .pdb files for APIScan - #- task: CopyFiles@2 - # displayName: Collect Files for APIScan - # inputs: - # Contents: | - # $(System.DefaultWorkingDirectory)\bin\$(XA.Build.Configuration)\dotnet\packs\Microsoft.Android*\**\?(*.dll|*.exe|*.pdb) - # $(System.DefaultWorkingDirectory)\binutils-pdb\*.pdb - # TargetFolder: $(Build.StagingDirectory)\apiscan - # OverWrite: true - # flattenFolders: true - - - pwsh: | - mkdir $(Build.StagingDirectory)\apiscan - New-Item $(Build.StagingDirectory)\apiscan\dummy.dll - displayName: create invalid file + - template: /build-tools/automation/yaml-templates/setup-test-environment.yaml + parameters: + installApkDiff: false + + - task: DownloadPipelineArtifact@2 + displayName: Download binutils pdbs + inputs: + artifactName: $(WindowsToolchainPdbArtifactName) + downloadPath: $(Build.StagingDirectory)\binutils-pdb + + - powershell: | + Expand-Archive "$(Build.StagingDirectory)\binutils-pdb\$(WindowsToolchainPdbArtifactName).zip" "$(System.DefaultWorkingDirectory)\binutils-pdb" + Get-ChildItem -Path "$(System.DefaultWorkingDirectory)\binutils-pdb" -Recurse + displayName: Extract binutils pdbs + + ## Copy .dll, .exe, .pdb files for APIScan + - task: CopyFiles@2 + displayName: Collect Files for APIScan + inputs: + Contents: | + 
$(System.DefaultWorkingDirectory)\bin\$(XA.Build.Configuration)\dotnet\packs\Microsoft.Android*\**\?(*.dll|*.exe|*.pdb) + $(System.DefaultWorkingDirectory)\binutils-pdb\*.pdb + TargetFolder: $(Build.StagingDirectory)\apiscan + OverWrite: true + flattenFolders: true - pwsh: Get-ChildItem -Path "$(Build.StagingDirectory)\apiscan" -Recurse displayName: List Files for APIScan
From 9ee718b8185988eb3cb595e98bab9d574334ad31 Mon Sep 17 00:00:00 2001
From: Peter Collins
Date: Mon, 25 Mar 2024 12:14:43 -0700
Subject: [PATCH 6/7] Format
---
build-tools/automation/azure-pipelines-nightly.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/build-tools/automation/azure-pipelines-nightly.yaml b/build-tools/automation/azure-pipelines-nightly.yaml
index 99a9afba7f9..e60955459a9 100644
--- a/build-tools/automation/azure-pipelines-nightly.yaml
+++ b/build-tools/automation/azure-pipelines-nightly.yaml
@@ -310,7 +310,7 @@ stages: Get-ChildItem -Path "$(System.DefaultWorkingDirectory)\binutils-pdb" -Recurse displayName: Extract binutils pdbs - ## Copy .dll, .exe, .pdb files for APIScan + ### Copy .dll, .exe, .pdb files for APIScan - task: CopyFiles@2 displayName: Collect Files for APIScan inputs:
From 3bdd277625b1367e4d69e61aff3d5de9c436a8fe Mon Sep 17 00:00:00 2001
From: Peter Collins
Date: Mon, 25 Mar 2024 14:34:41 -0700
Subject: [PATCH 7/7] Fix typo
---
build-tools/automation/azure-pipelines-nightly.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/build-tools/automation/azure-pipelines-nightly.yaml b/build-tools/automation/azure-pipelines-nightly.yaml
index e60955459a9..49a37060c02 100644
--- a/build-tools/automation/azure-pipelines-nightly.yaml
+++ b/build-tools/automation/azure-pipelines-nightly.yaml
@@ -335,7 +335,7 @@ stages: isLargeApp: true toolVersion: Latest env: - AzureServicesAuthConnectionString: runAs=App;AppId=$(ApiScanMAUI1ESPTMangedId) + AzureServicesAuthConnectionString: runAs=App;AppId=$(ApiScanMAUI1ESPTManagedId) - task: SdtReport@2 displayName: Guardian Export - Security Report