From bab82e7f8ae74dad28129030224ff37ed2abc263 Mon Sep 17 00:00:00 2001
From: Peter Collins
Date: Thu, 11 Jul 2024 14:47:58 -0400
Subject: [PATCH 1/4] [ci] Use DotNetCoreCLI to sign macOS files

We've been having issues with the signing steps that run doing the macOS build. Migration to a new post-build workflow is in progress, however this will hopefully fix things more quickly and be safer to backport.
---
.../yaml-templates/commercial-build.yaml | 31 +++++++++----------
1 file changed, 15 insertions(+), 16 deletions(-)
diff --git a/build-tools/automation/yaml-templates/commercial-build.yaml b/build-tools/automation/yaml-templates/commercial-build.yaml
index 7a665ea1501..57848740a56 100644
--- a/build-tools/automation/yaml-templates/commercial-build.yaml
+++ b/build-tools/automation/yaml-templates/commercial-build.yaml
@@ -71,46 +71,45 @@ steps: condition: and(succeeded(), eq(variables['MicroBuildSignType'], 'Real')) # Restore needs to be executed first or MicroBuild targets won't be imported in time -- task: MSBuild@1 +- task: DotNetCoreCLI@2 displayName: msbuild /t:Restore sign-content.proj condition: and(succeeded(), eq(variables['MicroBuildSignType'], 'Real')) inputs: - solution: ${{ parameters.xaSourcePath }}/build-tools/installers/sign-content.proj - configuration: $(XA.Build.Configuration) - msbuildArguments: /t:Restore /bl:${{ parameters.xaSourcePath }}/bin/Build$(XA.Build.Configuration)/restore-sign-content.binlog + projects: ${{ parameters.xaSourcePath }}/build-tools/installers/sign-content.proj + arguments: /t:Restore /p:Configuration=$(XA.Build.Configuration) /bl:${{ parameters.xaSourcePath }}/bin/Build$(XA.Build.Configuration)/restore-sign-content.binlog -- task: MSBuild@1 +- task: DotNetCoreCLI@2 displayName: PKG signing - add entitlements and sign condition: and(succeeded(), eq(variables['MicroBuildSignType'], 'Real')) inputs: - solution: ${{ parameters.xaSourcePath }}/build-tools/installers/sign-content.proj - configuration: $(XA.Build.Configuration) - msbuildArguments: >- + projects: ${{ parameters.xaSourcePath }}/build-tools/installers/sign-content.proj + arguments: >- /t:AddMachOEntitlements;AddMSBuildFilesUnixSign;AddMSBuildFilesUnixSignAndHarden;Build + /p:Configuration=$(XA.Build.Configuration) /p:SignType=$(MicroBuildSignType) /p:MicroBuildOverridePluginDirectory=$(Build.StagingDirectory)/MicroBuild/Plugins /bl:${{ parameters.xaSourcePath }}/bin/Build$(XA.Build.Configuration)/sign-content.binlog -- task: MSBuild@1 +- task: DotNetCoreCLI@2 displayName: PKG signing - sign binutils libraries condition: and(succeeded(), eq(variables['MicroBuildSignType'], 'Real')) inputs: - solution: ${{ parameters.xaSourcePath }}/build-tools/installers/sign-content.proj - configuration: $(XA.Build.Configuration) - msbuildArguments: >- + projects: ${{ parameters.xaSourcePath 
}}/build-tools/installers/sign-content.proj + arguments: >- /t:AddBinUtilsFilesUnixSign;Build + /p:Configuration=$(XA.Build.Configuration) /p:SignType=$(MicroBuildSignType) /p:MicroBuildOverridePluginDirectory=$(Build.StagingDirectory)/MicroBuild/Plugins /bl:${{ parameters.xaSourcePath }}/bin/Build$(XA.Build.Configuration)/sign-bu-lib.binlog -- task: MSBuild@1 +- task: DotNetCoreCLI@2 displayName: PKG signing - sign binutils executables condition: and(succeeded(), eq(variables['MicroBuildSignType'], 'Real')) inputs: - solution: ${{ parameters.xaSourcePath }}/build-tools/installers/sign-content.proj - configuration: $(XA.Build.Configuration) - msbuildArguments: >- + projects: ${{ parameters.xaSourcePath }}/build-tools/installers/sign-content.proj + arguments: >- /t:AddBinUtilsFilesUnixSignAndHarden;Build + /p:Configuration=$(XA.Build.Configuration) /p:SignType=$(MicroBuildSignType) /p:MicroBuildOverridePluginDirectory=$(Build.StagingDirectory)/MicroBuild/Plugins /bl:${{ parameters.xaSourcePath }}/bin/Build$(XA.Build.Configuration)/sign-bu-ex.binlog From e4a8bb3968c3196e49271767eed16b12a6039dd4 Mon Sep 17 00:00:00 2001 From: Peter Collins Date: Thu, 11 Jul 2024 17:43:37 -0400 Subject: [PATCH 2/4] Increase default verbosity --- .../automation/yaml-templates/commercial-build.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/build-tools/automation/yaml-templates/commercial-build.yaml b/build-tools/automation/yaml-templates/commercial-build.yaml index 57848740a56..1cc81ea2885 100644 --- a/build-tools/automation/yaml-templates/commercial-build.yaml +++ b/build-tools/automation/yaml-templates/commercial-build.yaml 
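Review bot: None of the four converted steps sets a `command` input, so each one relies on the DotNetCoreCLI@2 default (`build`) to reach MSBuild; adding `command: build` under every `inputs:` makes that explicit for steps that produce signed output. The first step's `displayName: msbuild /t:Restore sign-content.proj` is now inaccurate, since the step runs through the dotnet CLI rather than the MSBuild task. These steps will also use whichever .NET SDK is on the agent's PATH; if no SDK-pinning step precedes them (not visible in this hunk), the toolchain that drives signing can change between runs. The `steps:` list starts and ends outside the hunk.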
@@ -76,7 +76,7 @@ steps: condition: and(succeeded(), eq(variables['MicroBuildSignType'], 'Real')) inputs: projects: ${{ parameters.xaSourcePath }}/build-tools/installers/sign-content.proj - arguments: /t:Restore /p:Configuration=$(XA.Build.Configuration) /bl:${{ parameters.xaSourcePath }}/bin/Build$(XA.Build.Configuration)/restore-sign-content.binlog + arguments: /t:Restore /p:Configuration=$(XA.Build.Configuration) -v:n /bl:${{ parameters.xaSourcePath }}/bin/Build$(XA.Build.Configuration)/restore-sign-content.binlog - task: DotNetCoreCLI@2 displayName: PKG signing - add entitlements and sign @@ -85,7 +85,7 @@ steps: projects: ${{ parameters.xaSourcePath }}/build-tools/installers/sign-content.proj arguments: >- /t:AddMachOEntitlements;AddMSBuildFilesUnixSign;AddMSBuildFilesUnixSignAndHarden;Build - /p:Configuration=$(XA.Build.Configuration) + /p:Configuration=$(XA.Build.Configuration) -v:n /p:SignType=$(MicroBuildSignType) /p:MicroBuildOverridePluginDirectory=$(Build.StagingDirectory)/MicroBuild/Plugins /bl:${{ parameters.xaSourcePath }}/bin/Build$(XA.Build.Configuration)/sign-content.binlog @@ -97,7 +97,7 @@ steps: projects: ${{ parameters.xaSourcePath }}/build-tools/installers/sign-content.proj arguments: >- /t:AddBinUtilsFilesUnixSign;Build - /p:Configuration=$(XA.Build.Configuration) + /p:Configuration=$(XA.Build.Configuration) -v:n /p:SignType=$(MicroBuildSignType) /p:MicroBuildOverridePluginDirectory=$(Build.StagingDirectory)/MicroBuild/Plugins /bl:${{ parameters.xaSourcePath }}/bin/Build$(XA.Build.Configuration)/sign-bu-lib.binlog 
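Review bot: `-v:n` is appended to the `/p:Configuration=$(XA.Build.Configuration)` line and uses the dash switch form, while every other switch in these `arguments` values uses `/`; in the three folded blocks, putting it on its own line as `/v:n` keeps one switch per line and makes later diffs easier to read. The same applies to the hunks at -85, -97 and -109. Each step already writes a `/bl:` binary log, so a short comment such as `# normal verbosity so signing failures show up in the live log` would record why console verbosity is raised as well.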
@@ -109,7 +109,7 @@ steps: projects: ${{ parameters.xaSourcePath }}/build-tools/installers/sign-content.proj arguments: >- /t:AddBinUtilsFilesUnixSignAndHarden;Build - /p:Configuration=$(XA.Build.Configuration) + /p:Configuration=$(XA.Build.Configuration) -v:n /p:SignType=$(MicroBuildSignType) /p:MicroBuildOverridePluginDirectory=$(Build.StagingDirectory)/MicroBuild/Plugins /bl:${{ parameters.xaSourcePath }}/bin/Build$(XA.Build.Configuration)/sign-bu-ex.binlog From de50efa25c796b8c1003a79d2eb282b140d10286 Mon Sep 17 00:00:00 2001 From: Peter Collins Date: Mon, 15 Jul 2024 12:44:23 -0400 Subject: [PATCH 3/4] Try to disable CodeQL --- build-tools/automation/azure-pipelines.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/build-tools/automation/azure-pipelines.yaml b/build-tools/automation/azure-pipelines.yaml index ca669345f15..585670980b7 100644 --- a/build-tools/automation/azure-pipelines.yaml +++ b/build-tools/automation/azure-pipelines.yaml @@ -74,7 +74,9 @@ extends: binskim: scanOutputDirectoryOnly: true codeql: - runSourceLanguagesInSourceAnalysis: true + compiled: + enabled: false + justificationForDisabling: CodeQL tasks run during the nightly build pipeline policheck: enabled: false justification: Built in task does not support multi-language scanning From 5de2c01cdf08193a9c155801d5c3395c3f169ac7 Mon Sep 17 00:00:00 2001 From: Peter Collins Date: Mon, 15 Jul 2024 14:29:26 -0400 Subject: [PATCH 4/4] Revert "Try to disable CodeQL" This reverts commit de50efa25c796b8c1003a79d2eb282b140d10286. --- build-tools/automation/azure-pipelines.yaml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/build-tools/automation/azure-pipelines.yaml b/build-tools/automation/azure-pipelines.yaml index 585670980b7..ca669345f15 100644 --- a/build-tools/automation/azure-pipelines.yaml +++ b/build-tools/automation/azure-pipelines.yaml 
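Review bot: Turning `codeql.compiled` off here also deletes `runSourceLanguagesInSourceAnalysis: true`, so the change is wider than the stated justification, and it arrives in a series about macOS signing with no rationale in the commit message. The `justificationForDisabling` text points to a nightly pipeline that this hunk does not show; a comment naming that definition (for example `# CodeQL coverage: <nightly pipeline name>`) would let a reviewer confirm the scan still runs against the same sources before static analysis is dropped from this build. If only compiled-language analysis needs to be skipped, keep `runSourceLanguagesInSourceAnalysis: true` alongside the new `compiled:` block. Patch 4/4 of this series reverts this hunk; the enclosing `extends:` block starts and ends outside the hunk.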
@@ -74,9 +74,7 @@ extends: binskim: scanOutputDirectoryOnly: true codeql: - compiled: - enabled: false - justificationForDisabling: CodeQL tasks run during the nightly build pipeline + runSourceLanguagesInSourceAnalysis: true policheck: enabled: false justification: Built in task does not support multi-language scanning