From a5ac169d80c185feac608e626567cb6c22e977bd Mon Sep 17 00:00:00 2001
From: Peter Collins
Date: Mon, 22 Jul 2024 13:13:49 -0400
Subject: [PATCH 1/8] [ci] Fix condition for CodeQL on non-main branches
The conditions to disable CodeQL across different jobs and branches do not appear be working as expected, hopefully moving the condition set at the pipeline level up a step will fix it.
---
 build-tools/automation/azure-pipelines.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/build-tools/automation/azure-pipelines.yaml b/build-tools/automation/azure-pipelines.yaml
index 24e51edfe55..c02ea9920a1 100644
--- a/build-tools/automation/azure-pipelines.yaml
+++ b/build-tools/automation/azure-pipelines.yaml
@@ -73,8 +73,8 @@ extends:
 enableAllTools: false
 binskim:
 scanOutputDirectoryOnly: true
- codeql:
- ${{ if ne(variables['Build.SourceBranch'], 'refs/heads/main') }}:
+ ${{ if ne(variables['Build.SourceBranch'], 'refs/heads/dev/pjc/cql-disable-fix') }}:
+ codeql:
 compiled:
 enabled: false
 justificationForDisabling: CodeQL disabled for non-main branch builds
From 15fef155558b39fb932da67ef2b73d99cbe517a1 Mon Sep 17 00:00:00 2001
From: Peter Collins
Date: Mon, 22 Jul 2024 13:47:20 -0400
Subject: [PATCH 2/8] Move all cql declarations to pipeline
---
 build-tools/automation/azure-pipelines.yaml | 28 +++++++++++++++----
 .../yaml-templates/build-linux.yaml | 6 ----
 .../yaml-templates/build-macos.yaml | 5 ----
 3 files changed, 23 insertions(+), 16 deletions(-)
diff --git a/build-tools/automation/azure-pipelines.yaml b/build-tools/automation/azure-pipelines.yaml
index c02ea9920a1..d516e36294b 100644
--- a/build-tools/automation/azure-pipelines.yaml
+++ b/build-tools/automation/azure-pipelines.yaml
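Review bot: The rewritten condition on the `+ ${{ if ne(...) }}` line compares `Build.SourceBranch` against the personal branch `refs/heads/dev/pjc/cql-disable-fix` instead of `refs/heads/main`, so once merged the expression is also true on main and CodeQL is disabled on every branch, including the one the unchanged `justificationForDisabling: CodeQL disabled for non-main branch builds` line says should still be scanned. If the branch name is only there to exercise the fix from this branch, it should be restored to `'refs/heads/main'` (or compared against a pipeline variable) before merge, and the justification text kept truthful. The same hard-coded branch is introduced again in PATCH 2/8's build-windows stage parameters and in PATCH 7/8's build-windows.yaml hunk; PATCH 8/8 removes the condition altogether, which settles the final state but leaves the intermediate commits misleading if they are not squashed.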
@@ -73,11 +73,7 @@ extends:
 enableAllTools: false
 binskim:
 scanOutputDirectoryOnly: true
- ${{ if ne(variables['Build.SourceBranch'], 'refs/heads/dev/pjc/cql-disable-fix') }}:
- codeql:
- compiled:
- enabled: false
- justificationForDisabling: CodeQL disabled for non-main branch builds
+
 policheck:
 enabled: false
 justification: Built in task does not support multi-language scanning
@@ -101,10 +97,32 @@ extends:
 skipBuildTagsForGitHubPullRequests: true
 stages:
 - template: /build-tools/automation/yaml-templates/build-macos.yaml@self
+ parameters:
+ templateContext:
+ sdl:
+ codeql:
+ compiled:
+ enabled: false
+ justificationForDisabling: CodeQL runs against the Windows build and nightly macOS build on main
 - template: /build-tools/automation/yaml-templates/build-windows.yaml@self
+ parameters:
+ templateContext:
+ sdl:
+ ${{ if ne(variables['Build.SourceBranch'], 'refs/heads/dev/pjc/cql-disable-fix') }}:
+ codeql:
+ compiled:
+ enabled: false
+ justificationForDisabling: CodeQL runs against the Windows build and nightly macOS build on main
 - template: /build-tools/automation/yaml-templates/build-linux.yaml@self
+ parameters:
+ templateContext:
+ sdl:
+ codeql:
+ compiled:
+ enabled: false
+ justificationForDisabling: CodeQL runs against the Windows build and nightly macOS build on main
 - stage: smoke_tests
 displayName: Package Tests
diff --git a/build-tools/automation/yaml-templates/build-linux.yaml b/build-tools/automation/yaml-templates/build-linux.yaml
index 796b5fe5df0..a718dbaa29f 100644
--- a/build-tools/automation/yaml-templates/build-linux.yaml
+++ b/build-tools/automation/yaml-templates/build-linux.yaml
@@ -34,12 +34,6 @@ stages:
 CXX: g++-10
 CC: gcc-10
 ${{ if eq(parameters.use1ESTemplate, true) }}:
- templateContext:
- sdl:
- codeql:
- compiled:
- enabled: false
- justificationForDisabling: CodeQL runs against the Windows build and nightly macOS build
 outputs:
 - output: pipelineArtifact
 displayName: upload linux sdk
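Review bot: The build-linux.yaml hunk removes `templateContext:` together with the `sdl:` subtree, so `outputs:` is left directly under `${{ if eq(parameters.use1ESTemplate, true) }}:` instead of under `templateContext`, which is not where the 1ES template reads the `pipelineArtifact` output from; the build-macos.yaml hunk in the same commit keeps `templateContext:` and drops only the five `sdl:` lines. PATCH 4/8 re-adds the key, so either squash that fix into this commit or trim this hunk to the `sdl:` lines so each commit leaves the template consistent. The enclosing `- stage:` block starts before and ends after this hunk.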
diff --git a/build-tools/automation/yaml-templates/build-macos.yaml b/build-tools/automation/yaml-templates/build-macos.yaml
index eafc4c7499d..c279a6752ba 100644
--- a/build-tools/automation/yaml-templates/build-macos.yaml
+++ b/build-tools/automation/yaml-templates/build-macos.yaml
@@ -43,11 +43,6 @@ stages:
 clean: all
 ${{ if eq(parameters.use1ESTemplate, true) }}:
 templateContext:
- sdl:
- codeql:
- compiled:
- enabled: false
- justificationForDisabling: CodeQL runs against the Windows build and nightly macOS build
 outputParentDirectory: ${{ parameters.xaSourcePath }}/bin
 outputs:
 - output: pipelineArtifact
From 3c9aaa68faf61f99e6374a11b9740f6cf6e73146 Mon Sep 17 00:00:00 2001
From: Peter Collins
Date: Mon, 22 Jul 2024 13:48:39 -0400
Subject: [PATCH 3/8] Format
---
 build-tools/automation/azure-pipelines.yaml | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/build-tools/automation/azure-pipelines.yaml b/build-tools/automation/azure-pipelines.yaml
index d516e36294b..387d4336995 100644
--- a/build-tools/automation/azure-pipelines.yaml
+++ b/build-tools/automation/azure-pipelines.yaml
@@ -73,7 +73,6 @@ extends:
 enableAllTools: false
 binskim:
 scanOutputDirectoryOnly: true
-
 policheck:
 enabled: false
 justification: Built in task does not support multi-language scanning
@@ -117,12 +116,12 @@ extends:
 - template: /build-tools/automation/yaml-templates/build-linux.yaml@self
 parameters:
- templateContext:
- sdl:
- codeql:
- compiled:
- enabled: false
- justificationForDisabling: CodeQL runs against the Windows build and nightly macOS build on main
+ templateContext:
+ sdl:
+ codeql:
+ compiled:
+ enabled: false
+ justificationForDisabling: CodeQL runs against the Windows build and nightly macOS build on main
 - stage: smoke_tests
 displayName: Package Tests
From a944dd724ea2f9344dd3410226e1730f2e1f3940 Mon Sep 17 00:00:00 2001
From: Peter Collins
Date: Mon, 22 Jul 2024 13:50:08 -0400
Subject: [PATCH 4/8] Fix linux templateContext
---
 build-tools/automation/yaml-templates/build-linux.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/build-tools/automation/yaml-templates/build-linux.yaml b/build-tools/automation/yaml-templates/build-linux.yaml
index a718dbaa29f..f34a25ba776 100644
--- a/build-tools/automation/yaml-templates/build-linux.yaml
+++ b/build-tools/automation/yaml-templates/build-linux.yaml
@@ -34,6 +34,7 @@ stages:
 CXX: g++-10
 CC: gcc-10
 ${{ if eq(parameters.use1ESTemplate, true) }}:
+ templateContext:
 outputs:
 - output: pipelineArtifact
 displayName: upload linux sdk
From eec0a3d8c0a53b55ab89f9d2a5ec192408e0648b Mon Sep 17 00:00:00 2001
From: Peter Collins
Date: Mon, 22 Jul 2024 14:09:21 -0400
Subject: [PATCH 5/8] Try to set sdl from context parameter
---
 build-tools/automation/yaml-templates/build-linux.yaml | 1 +
 build-tools/automation/yaml-templates/build-macos.yaml | 1 +
 2 files changed, 2 insertions(+)
diff --git a/build-tools/automation/yaml-templates/build-linux.yaml b/build-tools/automation/yaml-templates/build-linux.yaml
index f34a25ba776..91754d74f38 100644
--- a/build-tools/automation/yaml-templates/build-linux.yaml
+++ b/build-tools/automation/yaml-templates/build-linux.yaml
@@ -35,6 +35,7 @@ stages:
 CC: gcc-10
 ${{ if eq(parameters.use1ESTemplate, true) }}:
 templateContext:
+ sdl: ${{ parameters.stageName }}.templateContext.sdl
 outputs:
 - output: pipelineArtifact
 displayName: upload linux sdk
diff --git a/build-tools/automation/yaml-templates/build-macos.yaml b/build-tools/automation/yaml-templates/build-macos.yaml
index c279a6752ba..21c2ed30a18 100644
--- a/build-tools/automation/yaml-templates/build-macos.yaml
+++ b/build-tools/automation/yaml-templates/build-macos.yaml
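Review bot: The added `sdl: ${{ parameters.stageName }}.templateContext.sdl` in the PATCH 5/8 build-linux.yaml hunk is a template expression followed by literal text, so it expands to the plain string `linux_build.templateContext.sdl` rather than to the `sdl` mapping the caller passes under `templateContext`; as far as I can tell a stage template has no way to dereference its caller's `templateContext` by name, only its declared parameters. The build-macos.yaml hunk on the next line makes the same change. Passing the mapping through an explicit parameter, which PATCH 6/8 goes on to do, is the supported route, so this commit should be dropped from the series rather than landed. The enclosing `- stage:` block continues outside the hunk.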
@@ -43,6 +43,7 @@ stages:
 clean: all
 ${{ if eq(parameters.use1ESTemplate, true) }}:
 templateContext:
+ sdl: ${{ parameters.stageName }}.templateContext.sdl
 outputParentDirectory: ${{ parameters.xaSourcePath }}/bin
 outputs:
 - output: pipelineArtifact
From 7de8cf24557707131b0acc7801d015e75fe48f87 Mon Sep 17 00:00:00 2001
From: Peter Collins
Date: Mon, 22 Jul 2024 14:18:48 -0400
Subject: [PATCH 6/8] Pass sdl as a parameter
---
 build-tools/automation/azure-pipelines.yaml | 22 +++++++++----------
 .../yaml-templates/build-linux.yaml | 3 ++-
 .../yaml-templates/build-macos.yaml | 3 ++-
 3 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/build-tools/automation/azure-pipelines.yaml b/build-tools/automation/azure-pipelines.yaml
index 387d4336995..5935c1975d8 100644
--- a/build-tools/automation/azure-pipelines.yaml
+++ b/build-tools/automation/azure-pipelines.yaml
@@ -97,12 +97,11 @@ extends:
 stages:
 - template: /build-tools/automation/yaml-templates/build-macos.yaml@self
 parameters:
- templateContext:
- sdl:
- codeql:
- compiled:
- enabled: false
- justificationForDisabling: CodeQL runs against the Windows build and nightly macOS build on main
+ templateContextSdl:
+ codeql:
+ compiled:
+ enabled: false
+ justificationForDisabling: CodeQL runs against the Windows build and nightly macOS build on main
 - template: /build-tools/automation/yaml-templates/build-windows.yaml@self
 parameters:
@@ -116,12 +115,11 @@ extends:
 - template: /build-tools/automation/yaml-templates/build-linux.yaml@self
 parameters:
- templateContext:
- sdl:
- codeql:
- compiled:
- enabled: false
- justificationForDisabling: CodeQL runs against the Windows build and nightly macOS build on main
+ templateContextSdl:
+ codeql:
+ compiled:
+ enabled: false
+ justificationForDisabling: CodeQL runs against the Windows build and nightly macOS build on main
 - stage: smoke_tests
 displayName: Package Tests
diff --git a/build-tools/automation/yaml-templates/build-linux.yaml b/build-tools/automation/yaml-templates/build-linux.yaml
index 91754d74f38..c426c60dc71 100644
--- a/build-tools/automation/yaml-templates/build-linux.yaml
+++ b/build-tools/automation/yaml-templates/build-linux.yaml
@@ -12,6 +12,7 @@ parameters:
 stageName: linux_build
 stageDisplayName: Linux
 use1ESTemplate: true
+ templateContextSdl: []
 stages:
 - stage: ${{ parameters.stageName }}
@@ -35,7 +36,7 @@ stages:
 CC: gcc-10
 ${{ if eq(parameters.use1ESTemplate, true) }}:
 templateContext:
- sdl: ${{ parameters.stageName }}.templateContext.sdl
+ sdl: ${{ parameters.templateContextSdl }}
 outputs:
 - output: pipelineArtifact
 displayName: upload linux sdk
diff --git a/build-tools/automation/yaml-templates/build-macos.yaml b/build-tools/automation/yaml-templates/build-macos.yaml
index 21c2ed30a18..f75eea04789 100644
--- a/build-tools/automation/yaml-templates/build-macos.yaml
+++ b/build-tools/automation/yaml-templates/build-macos.yaml
@@ -16,6 +16,7 @@ parameters:
 testAssembliesArtifactName: $(TestAssembliesArtifactName)
 windowsToolchainPdbArtifactName: $(WindowsToolchainPdbArtifactName)
 use1ESTemplate: true
+ templateContextSdl: []
 stages:
 - stage: ${{ parameters.stageName }}
@@ -43,7 +44,7 @@ stages:
 clean: all
 ${{ if eq(parameters.use1ESTemplate, true) }}:
 templateContext:
- sdl: ${{ parameters.stageName }}.templateContext.sdl
+ sdl: ${{ parameters.templateContextSdl }}
 outputParentDirectory: ${{ parameters.xaSourcePath }}/bin
 outputs:
 - output: pipelineArtifact
From aa36212ff55f30a5659c0d9ebf10a86a25ad0667 Mon Sep 17 00:00:00 2001
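Review bot: The new `templateContextSdl: []` default in the build-linux.yaml parameters hunk declares an empty sequence, but the value is spliced in as a mapping by `sdl: ${{ parameters.templateContextSdl }}`, and with the short-form parameter declarations this file uses the parameter's type is inferred from that default; a caller passing the `codeql:` mapping, as azure-pipelines.yaml does in this same commit, may be rejected at template expansion, and a caller passing nothing hands the 1ES template an empty list where it expects a mapping. Declare the default with the consumer's shape, `templateContextSdl: {}`, or switch to the long form with `type: object`. The build-macos.yaml parameters hunk in this diff has the same declaration and the same fix applies.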
From: Peter Collins
Date: Mon, 22 Jul 2024 14:27:09 -0400
Subject: [PATCH 7/8] Move conditions into stage templates
---
 build-tools/automation/azure-pipelines.yaml | 20 -------------------
 .../yaml-templates/build-linux.yaml | 7 +++++--
 .../yaml-templates/build-macos.yaml | 7 +++++--
 .../yaml-templates/build-windows.yaml | 9 +++++++++
 4 files changed, 19 insertions(+), 24 deletions(-)
diff --git a/build-tools/automation/azure-pipelines.yaml b/build-tools/automation/azure-pipelines.yaml
index 5935c1975d8..208b146a214 100644
--- a/build-tools/automation/azure-pipelines.yaml
+++ b/build-tools/automation/azure-pipelines.yaml
@@ -96,30 +96,10 @@ extends:
 skipBuildTagsForGitHubPullRequests: true
 stages:
 - template: /build-tools/automation/yaml-templates/build-macos.yaml@self
- parameters:
- templateContextSdl:
- codeql:
- compiled:
- enabled: false
- justificationForDisabling: CodeQL runs against the Windows build and nightly macOS build on main
 - template: /build-tools/automation/yaml-templates/build-windows.yaml@self
- parameters:
- templateContext:
- sdl:
- ${{ if ne(variables['Build.SourceBranch'], 'refs/heads/dev/pjc/cql-disable-fix') }}:
- codeql:
- compiled:
- enabled: false
- justificationForDisabling: CodeQL runs against the Windows build and nightly macOS build on main
 - template: /build-tools/automation/yaml-templates/build-linux.yaml@self
- parameters:
- templateContextSdl:
- codeql:
- compiled:
- enabled: false
- justificationForDisabling: CodeQL runs against the Windows build and nightly macOS build on main
 - stage: smoke_tests
 displayName: Package Tests
diff --git a/build-tools/automation/yaml-templates/build-linux.yaml b/build-tools/automation/yaml-templates/build-linux.yaml
index c426c60dc71..796b5fe5df0 100644
--- a/build-tools/automation/yaml-templates/build-linux.yaml
+++ b/build-tools/automation/yaml-templates/build-linux.yaml
@@ -12,7 +12,6 @@ parameters:
 stageName: linux_build
 stageDisplayName: Linux
 use1ESTemplate: true
- templateContextSdl: []
 stages:
 - stage: ${{ parameters.stageName }}
@@ -36,7 +35,11 @@ stages:
 CC: gcc-10
 ${{ if eq(parameters.use1ESTemplate, true) }}:
 templateContext:
- sdl: ${{ parameters.templateContextSdl }}
+ sdl:
+ codeql:
+ compiled:
+ enabled: false
+ justificationForDisabling: CodeQL runs against the Windows build and nightly macOS build
 outputs:
 - output: pipelineArtifact
 displayName: upload linux sdk
diff --git a/build-tools/automation/yaml-templates/build-macos.yaml b/build-tools/automation/yaml-templates/build-macos.yaml
index f75eea04789..eafc4c7499d 100644
--- a/build-tools/automation/yaml-templates/build-macos.yaml
+++ b/build-tools/automation/yaml-templates/build-macos.yaml
@@ -16,7 +16,6 @@ parameters:
 testAssembliesArtifactName: $(TestAssembliesArtifactName)
 windowsToolchainPdbArtifactName: $(WindowsToolchainPdbArtifactName)
 use1ESTemplate: true
- templateContextSdl: []
 stages:
 - stage: ${{ parameters.stageName }}
@@ -44,7 +43,11 @@ stages:
 clean: all
 ${{ if eq(parameters.use1ESTemplate, true) }}:
 templateContext:
- sdl: ${{ parameters.templateContextSdl }}
+ sdl:
+ codeql:
+ compiled:
+ enabled: false
+ justificationForDisabling: CodeQL runs against the Windows build and nightly macOS build
 outputParentDirectory: ${{ parameters.xaSourcePath }}/bin
 outputs:
 - output: pipelineArtifact
diff --git a/build-tools/automation/yaml-templates/build-windows.yaml b/build-tools/automation/yaml-templates/build-windows.yaml
index 067c9d0a4a0..aed5de9e515 100644
--- a/build-tools/automation/yaml-templates/build-windows.yaml
+++ b/build-tools/automation/yaml-templates/build-windows.yaml
@@ -10,6 +10,7 @@ parameters:
 repositoryAlias: self
 stageName: win_build_test
 stageDisplayName: Windows
+ use1ESTemplate: true
 # This stage ensures Windows specific build steps continue to work, and runs unit tests.
 stages:
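Review bot: The `justificationForDisabling` text restored in the build-linux.yaml and build-macos.yaml hunks (`CodeQL runs against the Windows build and nightly macOS build`) differs from the wording kept for the Windows stage on the next line (`... on main`), and after this commit the Windows stage only runs CodeQL when `Build.SourceBranch` equals the hard-coded `refs/heads/dev/pjc/cql-disable-fix`, so "runs against the Windows build" overstates what actually scans the code. These strings are the audit record for why a scan is skipped, so use one wording across the three templates and have it name where the scan really runs, e.g. `justificationForDisabling: CodeQL runs in the Windows stage on main and in the nightly macOS build`. The enclosing `- stage:` blocks start and end outside these hunks.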
@@ -27,6 +28,14 @@ stages:
 image: $(WindowsPoolImage1ESPT)
 os: windows
 timeoutInMinutes: 240
+ ${{ if eq(parameters.use1ESTemplate, true) }}:
+ templateContext:
+ sdl:
+ ${{ if ne(variables['Build.SourceBranch'], 'refs/heads/dev/pjc/cql-disable-fix') }}:
+ codeql:
+ compiled:
+ enabled: false
+ justificationForDisabling: CodeQL runs against the Windows build and nightly macOS build on main
 steps:
 - template: sdk-unified/steps/checkout/v1.yml@yaml-templates
 parameters:
From 112a2fe8f87bb5810b0dffe1bd08f187ebe12eac Mon Sep 17 00:00:00 2001
From: Peter Collins
Date: Mon, 22 Jul 2024 14:46:21 -0400
Subject: [PATCH 8/8] Disable cql entirely on the CI pipeline
---
 build-tools/automation/azure-pipelines.yaml | 4 ++++
 build-tools/automation/yaml-templates/build-linux.yaml | 5 -----
 build-tools/automation/yaml-templates/build-macos.yaml | 5 -----
 build-tools/automation/yaml-templates/build-windows.yaml | 9 ---------
 4 files changed, 4 insertions(+), 19 deletions(-)
diff --git a/build-tools/automation/azure-pipelines.yaml b/build-tools/automation/azure-pipelines.yaml
index 208b146a214..a667506d529 100644
--- a/build-tools/automation/azure-pipelines.yaml
+++ b/build-tools/automation/azure-pipelines.yaml
@@ -73,6 +73,10 @@ extends:
 enableAllTools: false
 binskim:
 scanOutputDirectoryOnly: true
+ codeql:
+ compiled:
+ enabled: false
+ justificationForDisabling: CodeQL runs against the nightly build
 policheck:
 enabled: false
 justification: Built in task does not support multi-language scanning
diff --git a/build-tools/automation/yaml-templates/build-linux.yaml b/build-tools/automation/yaml-templates/build-linux.yaml
index 796b5fe5df0..f34a25ba776 100644
--- a/build-tools/automation/yaml-templates/build-linux.yaml
+++ b/build-tools/automation/yaml-templates/build-linux.yaml
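Review bot: The pipeline-level `codeql: compiled: enabled: false` added in the PATCH 8/8 azure-pipelines.yaml hunk turns CodeQL off for every stage and every branch of this pipeline, main included, whereas the series set out to disable it only on non-main branches; the `justificationForDisabling: CodeQL runs against the nightly build` line is now the only record of where the scan moved, and nothing in this series shows that nightly pipeline enabling it. Name the nightly definition in the justification, e.g. `justificationForDisabling: CodeQL runs in <nightly pipeline file> on main`, and confirm that file actually leaves `codeql.compiled.enabled` on so the exemption can be audited; otherwise pull requests to this repository build with no CodeQL coverage at all. The `sdl:` block this is nested in begins before the hunk.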
@@ -35,11 +35,6 @@ stages:
 CC: gcc-10
 ${{ if eq(parameters.use1ESTemplate, true) }}:
 templateContext:
- sdl:
- codeql:
- compiled:
- enabled: false
- justificationForDisabling: CodeQL runs against the Windows build and nightly macOS build
 outputs:
 - output: pipelineArtifact
 displayName: upload linux sdk
diff --git a/build-tools/automation/yaml-templates/build-macos.yaml b/build-tools/automation/yaml-templates/build-macos.yaml
index eafc4c7499d..c279a6752ba 100644
--- a/build-tools/automation/yaml-templates/build-macos.yaml
+++ b/build-tools/automation/yaml-templates/build-macos.yaml
@@ -43,11 +43,6 @@ stages:
 clean: all
 ${{ if eq(parameters.use1ESTemplate, true) }}:
 templateContext:
- sdl:
- codeql:
- compiled:
- enabled: false
- justificationForDisabling: CodeQL runs against the Windows build and nightly macOS build
 outputParentDirectory: ${{ parameters.xaSourcePath }}/bin
 outputs:
 - output: pipelineArtifact
diff --git a/build-tools/automation/yaml-templates/build-windows.yaml b/build-tools/automation/yaml-templates/build-windows.yaml
index aed5de9e515..067c9d0a4a0 100644
--- a/build-tools/automation/yaml-templates/build-windows.yaml
+++ b/build-tools/automation/yaml-templates/build-windows.yaml
@@ -10,7 +10,6 @@ parameters:
 repositoryAlias: self
 stageName: win_build_test
 stageDisplayName: Windows
- use1ESTemplate: true
 # This stage ensures Windows specific build steps continue to work, and runs unit tests.
 stages:
@@ -28,14 +27,6 @@ stages:
 image: $(WindowsPoolImage1ESPT)
 os: windows
 timeoutInMinutes: 240
- ${{ if eq(parameters.use1ESTemplate, true) }}:
- templateContext:
- sdl:
- ${{ if ne(variables['Build.SourceBranch'], 'refs/heads/dev/pjc/cql-disable-fix') }}:
- codeql:
- compiled:
- enabled: false
- justificationForDisabling: CodeQL runs against the Windows build and nightly macOS build on main
 steps:
 - template: sdk-unified/steps/checkout/v1.yml@yaml-templates
 parameters: