From df2043e0cb4222101f76ec910cc1c56dc5b88f63 Mon Sep 17 00:00:00 2001 From: Madhusudhan Gumbalapura Sudarshan Date: Fri, 5 Jan 2024 12:59:43 -0800 Subject: [PATCH 01/19] azure-pipelines.nuget.yml Pipeline migration to 1ES This commit migrates azure-pipelines.nuget.yml to 1ES template **[How Tested:]** TODOs: - Trigger the pipeline from the topic branch and ensure pipeline succeed and ensure pipeline artifacts matches before and after the migration --- azure-pipelines.nuget.yml | 366 ++++++++++++++++++++------------------ 1 file changed, 189 insertions(+), 177 deletions(-) diff --git a/azure-pipelines.nuget.yml b/azure-pipelines.nuget.yml index e81cfb6f94..a894258745 100644 --- a/azure-pipelines.nuget.yml +++ b/azure-pipelines.nuget.yml @@ -1,12 +1,9 @@ trigger: none parameters: - - name: version - displayName: Version to stamp on binaries and nuget package. Should be in form of "major.minor", for example "1.0" - type: string - -pool: - vmImage: "windows-latest" +- name: version + displayName: Version to stamp on binaries and nuget package. Should be in form of "major.minor", for example "1.0" + type: string variables: solution: "src/AppInstallerCLI.sln" 
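Review bot: The `version` parameter stays a free-form `type: string`, and the "major.minor" format is stated only in its `displayName`; nothing enforces it. In the next hunk the value is expanded into `script: echo $(version)` and into the `Update-BinVer.ps1` arguments through `${{ parameters.version }}`, so whatever is typed at queue time becomes part of a command line in a job that also uses the "WindowsPackageManager ESRP CodeSigning" service connection. I would read the value from the environment instead, `- script: echo %VERSION%`, and add an early step that fails the run unless the parameter matches `^\d+\.\d+$`. The steps list itself lies outside this hunk.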
@@ -14,103 +11,126 @@ variables: buildVer: $[counter(${{ parameters.version }}, 1)] version: ${{ parameters.version }}.$(buildVer) -jobs: - - job: "Build" - timeoutInMinutes: 120 - strategy: - matrix: - x86_release: - buildConfiguration: 'Release' - buildPlatform: 'x86' - x64_release: - buildConfiguration: 'Release' - buildPlatform: 'x64' - variables: - artifactsDir: $(Build.ArtifactStagingDirectory)\$(buildPlatform) - steps: - - script: echo $(version) - - - task: NuGetToolInstaller@1 - displayName: Install Nuget - - # Restores all projects, including native (vcxproj) projects - - task: NuGetCommand@2 - displayName: Restore Solution - inputs: - restoreSolution: "$(solution)" - - # Restore these UAP packages as https://github.com/NuGet/Home/issues/7796 leads to all UAP packages being skipped for restore. - # Even though they don't need any actual restore action, they need the project.assets.json file to be created and a direct restore does that. - - task: NuGetCommand@2 - displayName: Restore AppInstallerCLIPackage - inputs: - restoreSolution: 'src\AppInstallerCLIPackage\AppInstallerCLIPackage.wapproj' +resources: + repositories: + - repository: 1ESPipelineTemplates + type: git + name: 1ESPipelineTemplates/1ESPipelineTemplates + ref: refs/tags/release +extends: + template: v1/1ES.Official.PipelineTemplate.yml@1ESPipelineTemplates + parameters: + pool: + name: Azure-Pipelines-1ESPT-ExDShared + image: windows-2022 + os: windows + customBuildTags: + - ES365AIMigrationTooling + + stages: + - stage: stage + jobs: + - job: "Build" + timeoutInMinutes: 120 + strategy: + matrix: + x86_release: + buildConfiguration: 'Release' + buildPlatform: 'x86' + x64_release: + buildConfiguration: 'Release' + buildPlatform: 'x64' + variables: + artifactsDir: $(Build.ArtifactStagingDirectory)\$(buildPlatform) + templateContext: + outputs: + - output: buildArtifact + displayName: 'Publish Pipeline Artifacts' + PathtoPublish: '$(artifactsDir)' + steps: + - script: echo $(version) + + - 
task: NuGetToolInstaller@1 + displayName: Install Nuget + + # Restores all projects, including native (vcxproj) projects + - task: NuGetCommand@2 + displayName: Restore Solution + inputs: + restoreSolution: "$(solution)" + + # Restore these UAP packages as https://github.com/NuGet/Home/issues/7796 leads to all UAP packages being skipped for restore. + # Even though they don't need any actual restore action, they need the project.assets.json file to be created and a direct restore does that. + - task: NuGetCommand@2 + displayName: Restore AppInstallerCLIPackage + inputs: + restoreSolution: 'src\AppInstallerCLIPackage\AppInstallerCLIPackage.wapproj' - - task: NuGetCommand@2 - displayName: Restore AppInstallerTestMsixInstaller - inputs: - restoreSolution: 'src\AppInstallerTestMsixInstaller\AppInstallerTestMsixInstaller.wapproj' - - # Restores only .NET core projects, but is still necessary, as without this the IndexCreationTool and LocalhostWebServer projects fail to build - - task: DotNetCoreCLI@2 - displayName: DotNet Restore - inputs: - command: "restore" - projects: "**/*.csproj" - - - task: PowerShell@2 - displayName: Update Binary Version - condition: not(eq(variables['Build.Reason'], 'PullRequest')) - inputs: - filePath: 'src\binver\Update-BinVer.ps1' - arguments: '-TargetFile binver\binver\version.h -BuildVersion $(buildVer) -MajorMinorOverride ${{ parameters.version }}' - workingDirectory: "src" - - - task: VSBuild@1 - displayName: Build Solution - inputs: - platform: "$(buildPlatform)" - solution: "$(solution)" - configuration: "$(buildConfiguration)" - - - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@2 - displayName: "ESRP CodeSigning - Package contents" - inputs: - ConnectedServiceName: "WindowsPackageManager ESRP CodeSigning" - FolderPath: src - Pattern: | - *\$(buildConfiguration)\WinGetUtil\WinGetUtil.dll - WinGetUtilInterop\bin\$(buildConfiguration)\netstandard2.0\WinGetUtilInterop.dll - UseMinimatch: true - signConfigType: 
inlineSignParams - inlineOperation: | - [ - { - "KeyCode" : "CP-230012", - "OperationCode" : "SigntoolSign", - "Parameters" : { - "OpusName" : "Microsoft", - "OpusInfo" : "http://www.microsoft.com", - "FileDigest" : "/fd \"SHA256\"", - "PageHash" : "/NPH", - "TimeStamp" : "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" - }, - "ToolName" : "sign", - "ToolVersion" : "1.0" - }, - { - "KeyCode" : "CP-230012", - "OperationCode" : "SigntoolVerify", - "Parameters" : {}, - "ToolName" : "sign", - "ToolVersion" : "1.0" - } - ] - - - task: CopyFiles@2 - displayName: 'Copy nuget pack files to artifacts folder' - inputs: - Contents: | + - task: NuGetCommand@2 + displayName: Restore AppInstallerTestMsixInstaller + inputs: + restoreSolution: 'src\AppInstallerTestMsixInstaller\AppInstallerTestMsixInstaller.wapproj' + + # Restores only .NET core projects, but is still necessary, as without this the IndexCreationTool and LocalhostWebServer projects fail to build + - task: DotNetCoreCLI@2 + displayName: DotNet Restore + inputs: + command: "restore" + projects: "**/*.csproj" + + - task: PowerShell@2 + displayName: Update Binary Version + condition: not(eq(variables['Build.Reason'], 'PullRequest')) + inputs: + filePath: 'src\binver\Update-BinVer.ps1' + arguments: '-TargetFile binver\binver\version.h -BuildVersion $(buildVer) -MajorMinorOverride ${{ parameters.version }}' + workingDirectory: "src" + + - task: VSBuild@1 + displayName: Build Solution + inputs: + platform: "$(buildPlatform)" + solution: "$(solution)" + configuration: "$(buildConfiguration)" + + - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@2 + displayName: "ESRP CodeSigning - Package contents" + inputs: + ConnectedServiceName: "WindowsPackageManager ESRP CodeSigning" + FolderPath: src + Pattern: | + *\$(buildConfiguration)\WinGetUtil\WinGetUtil.dll + WinGetUtilInterop\bin\$(buildConfiguration)\netstandard2.0\WinGetUtilInterop.dll + UseMinimatch: true + signConfigType: 
inlineSignParams + inlineOperation: | + [ + { + "KeyCode" : "CP-230012", + "OperationCode" : "SigntoolSign", + "Parameters" : { + "OpusName" : "Microsoft", + "OpusInfo" : "http://www.microsoft.com", + "FileDigest" : "/fd \"SHA256\"", + "PageHash" : "/NPH", + "TimeStamp" : "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" + }, + "ToolName" : "sign", + "ToolVersion" : "1.0" + }, + { + "KeyCode" : "CP-230012", + "OperationCode" : "SigntoolVerify", + "Parameters" : {}, + "ToolName" : "sign", + "ToolVersion" : "1.0" + } + ] + + - task: CopyFiles@2 + displayName: 'Copy nuget pack files to artifacts folder' + inputs: + Contents: | WinGetUtil.nuspec src\$(buildPlatform)\$(buildConfiguration)\WinGetUtil\WinGetUtil.dll src\$(buildPlatform)\$(buildConfiguration)\WinGetUtil\WinGetUtil.pdb 
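Review bot: The `1ESPipelineTemplates` repository resource is resolved from `ref: refs/tags/release`, a tag that can be moved, so the template wrapping every step here (including the `EsrpCodeSigning@2` step in this hunk) can change without any commit in this repository. If the floating tag is intentional so that template fixes are picked up automatically, say so next to it, e.g. `# floating tag by design: template updates apply without a change in this repo`; otherwise pin to a fixed ref. The `extends` block continues past the end of this hunk.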
@@ -118,78 +138,70 @@ jobs: src\WinGetUtilInterop\bin\$(buildConfiguration)\netstandard2.0\WinGetUtilInterop.pdb src\WinGetUtilInterop\build\Microsoft.WindowsPackageManager.Utils.targets schemas\JSON\manifests\** - TargetFolder: '$(artifactsDir)' - - - task: PublishPipelineArtifact@1 - displayName: Publish Pipeline Artifacts - inputs: - targetPath: '$(artifactsDir)' - - - job: "Nuget" - timeoutInMinutes: 60 - dependsOn: 'Build' - steps: - - checkout: none - - - task: DownloadPipelineArtifact@2 - displayName: 'Download Build.x64release artifacts' - inputs: - artifactName: Build.x64release - targetPath: '$(Pipeline.Workspace)\Build.x64release' - - - task: DownloadPipelineArtifact@2 - displayName: 'Download Build.x86release artifacts' - inputs: - artifactName: Build.x86release - targetPath: '$(Pipeline.Workspace)\Build.x86release' - - - task: NuGetCommand@2 - displayName: Pack WingetUtil nuget package - inputs: - command: pack - packagesToPack: '$(Pipeline.Workspace)\Build.x64release\WinGetUtil.nuspec' - versioningScheme: byEnvVar - versionEnvVar: version - packDestination: '$(Build.ArtifactStagingDirectory)' - basePath: $(Pipeline.Workspace) - - - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@2 - displayName: "ESRP CodeSigning - NuGet package" - inputs: - ConnectedServiceName: "WindowsPackageManager ESRP CodeSigning" - FolderPath: "$(Build.ArtifactStagingDirectory)" - Pattern: "$(packageName).$(version).nupkg" - signConfigType: inlineSignParams - inlineOperation: | - [ - { - "KeyCode" : "CP-401405", - "OperationCode" : "NuGetSign", - "Parameters" : {}, - "ToolName" : "sign", - "ToolVersion" : "1.0" - }, - { - "KeyCode" : "CP-401405", - "OperationCode" : "NuGetVerify", - "Parameters" : {}, - "ToolName" : "sign", - "ToolVersion" : "1.0" - } - ] - - - task: PublishBuildArtifacts@1 - displayName: Publish nuget package to artifacts - inputs: - PathtoPublish: '$(Build.ArtifactStagingDirectory)\$(packageName).$(version).nupkg' - ArtifactName: $(packageName) - 
publishLocation: Container - - - task: NuGetCommand@2 - displayName: Push WingetUtil nuget package to nuget.org - inputs: - command: push - nuGetFeedType: external - includeNugetOrg: true - packagesToPush: '$(Build.ArtifactStagingDirectory)\$(packageName).$(version).nupkg' - publishFeedCredentials: "WindowsPackageManagerAzurePipelineNuget - NuGet.org" + TargetFolder: '$(artifactsDir)' + - job: "Nuget" + timeoutInMinutes: 60 + dependsOn: 'Build' + templateContext: + outputs: + - output: pipelineArtifact + displayName: 'Publish nuget package to artifacts' + targetPath: '$(Build.ArtifactStagingDirectory)\$(packageName).$(version).nupkg' + artifactName: $(packageName) + publishLocation: Container + - output: nuget + displayName: 'Push WingetUtil nuget package to nuget.org' + packageParentPath: '$(Build.ArtifactStagingDirectory)' + nuGetFeedType: external + includeNugetOrg: true + packagesToPush: '$(Build.ArtifactStagingDirectory)\$(packageName).$(version).nupkg' + publishFeedCredentials: "WindowsPackageManagerAzurePipelineNuget - NuGet.org" + steps: + - checkout: none + + - task: DownloadPipelineArtifact@2 + displayName: 'Download Build.x64release artifacts' + inputs: + artifactName: Build.x64release + targetPath: '$(Pipeline.Workspace)\Build.x64release' + + - task: DownloadPipelineArtifact@2 + displayName: 'Download Build.x86release artifacts' + inputs: + artifactName: Build.x86release + targetPath: '$(Pipeline.Workspace)\Build.x86release' + + - task: NuGetCommand@2 + displayName: Pack WingetUtil nuget package + inputs: + command: pack + packagesToPack: '$(Pipeline.Workspace)\Build.x64release\WinGetUtil.nuspec' + versioningScheme: byEnvVar + versionEnvVar: version + packDestination: '$(Build.ArtifactStagingDirectory)' + basePath: $(Pipeline.Workspace) + + - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@2 + displayName: "ESRP CodeSigning - NuGet package" + inputs: + ConnectedServiceName: "WindowsPackageManager ESRP CodeSigning" + FolderPath: 
"$(Build.ArtifactStagingDirectory)" + Pattern: "$(packageName).$(version).nupkg" + signConfigType: inlineSignParams + inlineOperation: | + [ + { + "KeyCode" : "CP-401405", + "OperationCode" : "NuGetSign", + "Parameters" : {}, + "ToolName" : "sign", + "ToolVersion" : "1.0" + }, + { + "KeyCode" : "CP-401405", + "OperationCode" : "NuGetVerify", + "Parameters" : {}, + "ToolName" : "sign", + "ToolVersion" : "1.0" + } + ] \ No newline at end of file From 3f52a5092e8272889284803650d67b7b9987f88f Mon Sep 17 00:00:00 2001 From: Madhusudhan Gumbalapura Sudarshan Date: Fri, 5 Jan 2024 13:19:45 -0800 Subject: [PATCH 02/19] =?UTF-8?q?Resolve=20spell=20check=20bot=20report=20?= =?UTF-8?q?issue=20by=20adding=20=C2=91Azure-Pipelines-1ESPT-ExDShared?= =?UTF-8?q?=C2=92=20to=20expected.txt?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/actions/spelling/expect.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/actions/spelling/expect.txt b/.github/actions/spelling/expect.txt index a40c04119d..699b4f2bdf 100644 --- a/.github/actions/spelling/expect.txt +++ b/.github/actions/spelling/expect.txt @@ -35,6 +35,7 @@ ATL AUrl Authenticode azurewebsites +Azure-Pipelines-1ESPT-ExDShared bcp BEFACEF BFirst From a40b14356e50e32ebe16e03d7331834cd93426d5 Mon Sep 17 00:00:00 2001 From: Madhusudhan Gumbalapura Sudarshan Date: Fri, 19 Jan 2024 13:48:05 -0800 Subject: [PATCH 03/19] =?UTF-8?q?Resolve=20downstream=20spelling=20check?= =?UTF-8?q?=20errors=20by=20adding=20=C2=931ESPT=C2=94=20and=20=C2=93ExDSh?= =?UTF-8?q?ared=C2=94=20to=20expect.txt?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/actions/spelling/expect.txt | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/actions/spelling/expect.txt b/.github/actions/spelling/expect.txt index 699b4f2bdf..a4c22f23aa 100644 --- a/.github/actions/spelling/expect.txt +++ b/.github/actions/spelling/expect.txt 
@@ -1,3 +1,4 @@ +1ESPT abcd ABORTIFHUNG accepteula @@ -121,6 +122,7 @@ etest etl execustom EXEHASH +ExDShared experimentalfeatures FECAFEB fedorapeople From a386a608954ba8229639b6dd7e880436229dbff4 Mon Sep 17 00:00:00 2001 From: Madhusudhan Gumbalapura Sudarshan Date: Fri, 19 Jan 2024 13:57:04 -0800 Subject: [PATCH 04/19] =?UTF-8?q?To=20fixing=20the=20spell=20check=20issue?= =?UTF-8?q?=20by=20adding=20words=20=C2=91ESPT=C2=92=20and=20=C2=91DShared?= =?UTF-8?q?=C2=92=20to=20the=20expect.txt=20file.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/actions/spelling/expect.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/spelling/expect.txt b/.github/actions/spelling/expect.txt index a4c22f23aa..7021a66417 100644 --- a/.github/actions/spelling/expect.txt +++ b/.github/actions/spelling/expect.txt @@ -1,4 +1,3 @@ -1ESPT abcd ABORTIFHUNG accepteula @@ -99,6 +98,7 @@ diskfull DISMAPI dnld Dobbeleer +DShared dsc DUPLICATEALIAS dustojnikhummer @@ -116,13 +116,13 @@ epth EQU ERRORONEXIT ESource +ESPT ESRB ests etest etl execustom EXEHASH -ExDShared experimentalfeatures FECAFEB fedorapeople From 1a650c646f7214a54cc2e0d64ade9cf5cb4a5b8a Mon Sep 17 00:00:00 2001 From: Madhusudhan Gumbalapura Sudarshan Date: Fri, 19 Jan 2024 13:59:43 -0800 Subject: [PATCH 05/19] Nit: Alignment fix, added breakline before Nuget Job --- azure-pipelines.nuget.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/azure-pipelines.nuget.yml b/azure-pipelines.nuget.yml index a894258745..7bb5aa37bc 100644 --- a/azure-pipelines.nuget.yml +++ b/azure-pipelines.nuget.yml @@ -139,6 +139,7 @@ extends: src\WinGetUtilInterop\build\Microsoft.WindowsPackageManager.Utils.targets schemas\JSON\manifests\** TargetFolder: '$(artifactsDir)' + - job: "Nuget" timeoutInMinutes: 60 dependsOn: 'Build' From 7aa7f82915c38f75fe8f41bf59b52338cb0f1c59 Mon Sep 17 00:00:00 2001 
From: Madhusudhan Gumbalapura Sudarshan Date: Fri, 19 Jan 2024 15:03:18 -0800 Subject: [PATCH 06/19] Nuget publish disabled for 1ES migration validation; to be re-enabled before PR merge --- azure-pipelines.nuget.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/azure-pipelines.nuget.yml b/azure-pipelines.nuget.yml index 7bb5aa37bc..0438083c76 100644 --- a/azure-pipelines.nuget.yml +++ b/azure-pipelines.nuget.yml @@ -150,13 +150,13 @@ extends: targetPath: '$(Build.ArtifactStagingDirectory)\$(packageName).$(version).nupkg' artifactName: $(packageName) publishLocation: Container - - output: nuget - displayName: 'Push WingetUtil nuget package to nuget.org' - packageParentPath: '$(Build.ArtifactStagingDirectory)' - nuGetFeedType: external - includeNugetOrg: true - packagesToPush: '$(Build.ArtifactStagingDirectory)\$(packageName).$(version).nupkg' - publishFeedCredentials: "WindowsPackageManagerAzurePipelineNuget - NuGet.org" + # - output: nuget + # displayName: 'Push WingetUtil nuget package to nuget.org' + # packageParentPath: '$(Build.ArtifactStagingDirectory)' + # nuGetFeedType: external + # includeNugetOrg: true + # packagesToPush: '$(Build.ArtifactStagingDirectory)\$(packageName).$(version).nupkg' + # publishFeedCredentials: "WindowsPackageManagerAzurePipelineNuget - NuGet.org" steps: - checkout: none From 3cabe79869815c9e529c8463d66e19e90b42efb4 Mon Sep 17 00:00:00 2001 From: Madhusudhan Gumbalapura Sudarshan Date: Fri, 19 Jan 2024 15:18:41 -0800 Subject: [PATCH 07/19] Use pipelineArtifact instead of buildArtifact as the output type and assign a meaningful name to the Stage. --- azure-pipelines.nuget.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/azure-pipelines.nuget.yml b/azure-pipelines.nuget.yml index 0438083c76..00773cde6c 100644 --- a/azure-pipelines.nuget.yml +++ b/azure-pipelines.nuget.yml 
@@ -28,7 +28,7 @@ extends: - ES365AIMigrationTooling stages: - - stage: stage + - stage: Build_Publish jobs: - job: "Build" timeoutInMinutes: 120 @@ -44,9 +44,9 @@ extends: artifactsDir: $(Build.ArtifactStagingDirectory)\$(buildPlatform) templateContext: outputs: - - output: buildArtifact + - output: pipelineArtifact displayName: 'Publish Pipeline Artifacts' - PathtoPublish: '$(artifactsDir)' + targetPath: '$(artifactsDir)' steps: - script: echo $(version) From 56f40fd40702ed82d8944f57d3f56c1b222a29ac Mon Sep 17 00:00:00 2001 From: Madhusudhan Gumbalapura Sudarshan Date: Mon, 22 Jan 2024 13:20:34 -0800 Subject: [PATCH 08/19] Suppress SDL failure by adding guardian\SDL.gdnsuppress from published artifact to repository root The fix address following SDL error: Could not find the module 'Microsoft.WinGet.DSC'. --- guardian/SDL/.gdnsuppress | 137 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 137 insertions(+) create mode 100644 guardian/SDL/.gdnsuppress diff --git a/guardian/SDL/.gdnsuppress b/guardian/SDL/.gdnsuppress new file mode 100644 index 0000000000..c7964f6fa2 --- /dev/null +++ b/guardian/SDL/.gdnsuppress 
@@ -0,0 +1,137 @@ +{ + "hydrated": false, + "properties": { + "helpUri": "https://eng.ms/docs/microsoft-security/security/azure-security/cloudai-security-fundamentals-engineering/security-integration/guardian-wiki/microsoft-guardian/general/suppressions", + "hydrationStatus": "This file does not contain identifying data. It is safe to check into your repo. To hydrate this file with identifying data, run `guardian hydrate --help` and follow the guidance." + }, + "version": "1.0.0", + "suppressionSets": { + "default": { + "name": "default", + "createdDate": "2024-01-20 00:01:02Z", + "lastUpdatedDate": "2024-01-20 00:01:02Z" + } + }, + "results": { + "64a425d92c4ff3a23893e149517a736e444f5d745c18e961280ca9e6c7583ad4": { + "signature": "64a425d92c4ff3a23893e149517a736e444f5d745c18e961280ca9e6c7583ad4", + "alternativeSignatures": [ + "b231a52f13113732ba6eb0059562696d22e63386eaf4a8371e079c39e13464c5" + ], + "memberOf": [ + "default" + ], + "createdDate": "2024-01-20 00:01:02Z" + }, + "037b90140bbaef1cdda8ff9a2829bc894e6d9ef745b209219bf6c3cf6532a0b4": { + "signature": "037b90140bbaef1cdda8ff9a2829bc894e6d9ef745b209219bf6c3cf6532a0b4", + "alternativeSignatures": [ + "8955e3fdce9d13e2fea6e4edd80f85fc92d3fa4575b7c8aec78de062df0cabf8" + ], + "memberOf": [ + "default" + ], + "createdDate": "2024-01-20 00:01:02Z" + }, + "ba35c30e34e312e15795849df6f2f67b6f77fbae70befd89bddef56d90ebd027": { + "signature": "ba35c30e34e312e15795849df6f2f67b6f77fbae70befd89bddef56d90ebd027", + "alternativeSignatures": [ + "05c6641341e014062bff1bb0ba073b72c6c85a7304c1d91ab0c56399475f341a" + ], + "memberOf": [ + "default" + ], + "createdDate": "2024-01-20 00:01:02Z" + }, + "629a5ff62fd9bd29634548b757dcf026ee86419c1324f3a9d857aedcc6c87e1f": { + "signature": "629a5ff62fd9bd29634548b757dcf026ee86419c1324f3a9d857aedcc6c87e1f", + "alternativeSignatures": [ + "ac0b1bb6e16c27bbbb1ddd338c544e0c688871e60bb1d37cc10f67c288d96ec4" + ], + "memberOf": [ + "default" + ], + "createdDate": "2024-01-20 00:01:02Z" + }, + 
"9bde2b3e655b9b9286f7a2b2630160a94038b781a1b56c826e9a7f6587a0ffc0": { + "signature": "9bde2b3e655b9b9286f7a2b2630160a94038b781a1b56c826e9a7f6587a0ffc0", + "alternativeSignatures": [ + "4921cc6623cceca162dbd5b90d1ce2b68e82327e4dee42ace06bc1d7abc7b53f" + ], + "memberOf": [ + "default" + ], + "createdDate": "2024-01-20 00:01:02Z" + }, + "f641ed23db16fde82bebb15a12c7ddc15c5e6d351ee26599d85788344ecd2341": { + "signature": "f641ed23db16fde82bebb15a12c7ddc15c5e6d351ee26599d85788344ecd2341", + "alternativeSignatures": [ + "9c005ccfc554298d887c24656e2bb740e84ac166846d78a9ff49e8a22c653ce7" + ], + "memberOf": [ + "default" + ], + "createdDate": "2024-01-20 00:01:02Z" + }, + "341bb1cbc9b433a776e1da069ab6a578412911198daf9e827bae457538ee79b5": { + "signature": "341bb1cbc9b433a776e1da069ab6a578412911198daf9e827bae457538ee79b5", + "alternativeSignatures": [ + "88b177748c73e7f84dc936f59bd58251a43a2517cc79af94714be094e94d383b" + ], + "memberOf": [ + "default" + ], + "createdDate": "2024-01-20 00:01:02Z" + }, + "fbabaf1dffc169cac5d046266716158ec6e66569057d28945a2e575433c49c3d": { + "signature": "fbabaf1dffc169cac5d046266716158ec6e66569057d28945a2e575433c49c3d", + "alternativeSignatures": [ + "fa7c37e0a406315118a19c204696f673103704e2d2e16921da7439b649e69268" + ], + "memberOf": [ + "default" + ], + "createdDate": "2024-01-20 00:01:02Z" + }, + "cfa3b2e5a366b6caa17129f1e30f36a4fce9660296b378c9463050e35444c256": { + "signature": "cfa3b2e5a366b6caa17129f1e30f36a4fce9660296b378c9463050e35444c256", + "alternativeSignatures": [ + "5c9c6d472db911eeea0a0bcc10807f77a4476b8572f782a096f4e16bfb354f36" + ], + "memberOf": [ + "default" + ], + "createdDate": "2024-01-20 00:01:02Z" + }, + "22077a7c2d29c3a189d6676eca4d1e99a8dfde508263ef2a0854083d680aab6e": { + "signature": "22077a7c2d29c3a189d6676eca4d1e99a8dfde508263ef2a0854083d680aab6e", + "alternativeSignatures": [ + "13de9c1c1a3a4462eefe182716e077cdff162cfd858ab8daf308e83617940338" + ], + "memberOf": [ + "default" + ], + "createdDate": "2024-01-20 
00:01:02Z" + }, + "8e37f874079c200a8f5fa9022b462b20e318c2a035e61cf6ed45374294968d52": { + "signature": "8e37f874079c200a8f5fa9022b462b20e318c2a035e61cf6ed45374294968d52", + "alternativeSignatures": [ + "4571b7214d460ec428f4c14f36232fa9ad620c6eaa13958ab47aef555e156845" + ], + "memberOf": [ + "default" + ], + "createdDate": "2024-01-20 00:01:02Z" + }, + "5c525a016119c7de6065c03f3f6015e119c53aaaf1798a444963c1b8093f484c": { + "signature": "5c525a016119c7de6065c03f3f6015e119c53aaaf1798a444963c1b8093f484c", + "alternativeSignatures": [ + "7e858857e8b993f25c1741a41d3c426979e4db5fba20f332a0e0e44dc77de901" + ], + "memberOf": [ + "default" + ], + "createdDate": "2024-01-20 00:01:02Z" + } + } +} \ No newline at end of file From 7d646c9688548c3ca6f50fa3e7bf39e27683961d Mon Sep 17 00:00:00 2001 From: Madhusudhan Gumbalapura Sudarshan Date: Mon, 22 Jan 2024 13:29:24 -0800 Subject: [PATCH 09/19] Update pipeline YAML with Guardian Suppressions --- azure-pipelines.nuget.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/azure-pipelines.nuget.yml b/azure-pipelines.nuget.yml index 00773cde6c..beac3aae52 100644 --- a/azure-pipelines.nuget.yml +++ b/azure-pipelines.nuget.yml @@ -26,6 +26,9 @@ extends: os: windows customBuildTags: - ES365AIMigrationTooling + sdl: + suppression: + suppressionFile: $(Build.SourcesDirectory)\guardian\SDL\.gdnsuppress stages: - stage: Build_Publish From 8a88829f1d41bf321db136e219d8ea9a5a7eee55 Mon Sep 17 00:00:00 2001 From: Madhusudhan Gumbalapura Sudarshan Date: Mon, 22 Jan 2024 15:37:30 -0800 Subject: [PATCH 10/19] Enable ControlFlowGuard for release configurations in AppInstallerCLITests.vcxproj This fix should resolve: BinSkim error noticed in the pipeline --- src/AppInstallerCLITests/AppInstallerCLITests.vcxproj | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/AppInstallerCLITests/AppInstallerCLITests.vcxproj b/src/AppInstallerCLITests/AppInstallerCLITests.vcxproj index cf9ef4ba37..c91e7228fa 100644 
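Review bot: The twelve entries added under `results` are identified only by opaque signature hashes, and with `"hydrated": false` the file carries no tool, rule or file path, so a reviewer cannot tell which SDL findings stop being reported. The commit message names a single error (`Could not find the module 'Microsoft.WinGet.DSC'`), which does not obviously account for twelve suppressions. JSON leaves no room for comments, so I would list in the commit description or in a README beside the file which tool and rule each signature maps to and why it is acceptable; the file's own `hydrationStatus` text points at `guardian hydrate --help` for recovering that data. PATCH 09/19 then wires this file in through `sdl.suppression.suppressionFile`, so the suppressions apply to every run of the pipeline.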
--- a/src/AppInstallerCLITests/AppInstallerCLITests.vcxproj +++ b/src/AppInstallerCLITests/AppInstallerCLITests.vcxproj @@ -115,6 +115,7 @@ $(MSBuildThisFileDirectory)..\AppInstallerCommonCore;$(MSBuildThisFileDirectory)..\AppInstallerRepositoryCore\Public;$(MSBuildThisFileDirectory)..\AppInstallerRepositoryCore;$(MSBuildThisFileDirectory)..\AppInstallerCommonCore\Public;$(MSBuildThisFileDirectory)..\AppInstallerSharedLib\Public;$(MSBuildThisFileDirectory)..\AppInstallerCLICore\Public;$(MSBuildThisFileDirectory)..\AppInstallerCLICore;$(ProjectDir)..\JsonCppLib;$(ProjectDir)..\cpprestsdk\cpprestsdk\Release\include;%(AdditionalIncludeDirectories) true false + false Console @@ -134,6 +135,7 @@ $(MSBuildThisFileDirectory)..\AppInstallerCommonCore;$(MSBuildThisFileDirectory)..\AppInstallerRepositoryCore\Public;$(MSBuildThisFileDirectory)..\AppInstallerRepositoryCore;$(MSBuildThisFileDirectory)..\AppInstallerCommonCore\Public;$(MSBuildThisFileDirectory)..\AppInstallerSharedLib\Public;$(MSBuildThisFileDirectory)..\AppInstallerCLICore\Public;$(MSBuildThisFileDirectory)..\AppInstallerCLICore;$(ProjectDir)..\JsonCppLib;$(ProjectDir)..\cpprestsdk\cpprestsdk\Release\include;%(AdditionalIncludeDirectories) true false + false wininet.lib;shell32.lib;winsqlite3.lib;shlwapi.lib;icuuc.lib;icuin.lib;urlmon.lib;Advapi32.lib;winhttp.lib;onecoreuap.lib;msi.lib;%(AdditionalDependencies) @@ -157,6 +159,8 @@ true false false + Guard + Guard Console From 4142485fe1f03e9914f4ce545a30bc11b9cb2e4c Mon Sep 17 00:00:00 2001 From: Madhusudhan Gumbalapura Sudarshan Date: Mon, 22 Jan 2024 16:05:23 -0800 Subject: [PATCH 11/19] Enable ControlFlowGuard for release configurations in AppInstallerTestExeInstaller.vcxproj This fix will address binskim error in build pipeline --- .../AppInstallerTestExeInstaller.vcxproj | 8 ++++++++ 1 file changed, 8 insertions(+) 
diff --git a/src/AppInstallerTestExeInstaller/AppInstallerTestExeInstaller.vcxproj b/src/AppInstallerTestExeInstaller/AppInstallerTestExeInstaller.vcxproj index 8c55233101..8ea3dcf2e6 100644 --- a/src/AppInstallerTestExeInstaller/AppInstallerTestExeInstaller.vcxproj +++ b/src/AppInstallerTestExeInstaller/AppInstallerTestExeInstaller.vcxproj @@ -115,6 +115,9 @@ stdcpp17 stdcpp17 MultiThreadedDebugDLL + false + false + false Console @@ -126,6 +129,7 @@ WIN32;%(PreprocessorDefinitions) true stdcpp17 + false @@ -142,6 +146,10 @@ stdcpp17 stdcpp17 stdcpp17 + Guard + Guard + Guard + Guard Console From 5f42a5bd7009214f5b42725969c756319edd3356 Mon Sep 17 00:00:00 2001 From: Madhusudhan Gumbalapura Sudarshan Date: Mon, 22 Jan 2024 16:09:45 -0800 Subject: [PATCH 12/19] =?UTF-8?q?Add=20=C2=93gdnsuppress=C2=94=20and=20?= =?UTF-8?q?=C2=93cloudai=C2=94=20to=20expect.txt=20to=20correct=20spellche?= =?UTF-8?q?ck=20errors?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/actions/spelling/expect.txt | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/actions/spelling/expect.txt b/.github/actions/spelling/expect.txt index 7021a66417..02c480e94f 100644 --- a/.github/actions/spelling/expect.txt +++ b/.github/actions/spelling/expect.txt @@ -64,6 +64,7 @@ cinq CLASSNOTREG CLIE CLOSEAPP +cloudai cloudapp clsctx clsid @@ -142,6 +143,7 @@ fundraiser fuzzer fzanollo gcpi +gdnsuppress GESMBH GHS gity From e9354f1e615320d6454581b392d2dbd25b6c9b12 Mon Sep 17 00:00:00 2001 From: Madhusudhan Gumbalapura Sudarshan Date: Tue, 23 Jan 2024 11:18:22 -0800 Subject: [PATCH 13/19] Switch from pipelineArtifact to buildArtifact to fix root level directory write issue --- azure-pipelines.nuget.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/azure-pipelines.nuget.yml b/azure-pipelines.nuget.yml index beac3aae52..6e3f319606 100644 --- a/azure-pipelines.nuget.yml +++ b/azure-pipelines.nuget.yml 
@@ -47,7 +47,7 @@ extends: artifactsDir: $(Build.ArtifactStagingDirectory)\$(buildPlatform) templateContext: outputs: - - output: pipelineArtifact + - output: buildArtifacts displayName: 'Publish Pipeline Artifacts' targetPath: '$(artifactsDir)' steps: From 921c9f5aef6e5088717eed63307f6ab587e1426a Mon Sep 17 00:00:00 2001 From: Madhusudhan Gumbalapura Sudarshan Date: Tue, 23 Jan 2024 11:30:17 -0800 Subject: [PATCH 14/19] Change to pipelineArtifact with an artifactName from for distinct artifact names in architecture builds --- azure-pipelines.nuget.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/azure-pipelines.nuget.yml b/azure-pipelines.nuget.yml index 6e3f319606..45d92f95fd 100644 --- a/azure-pipelines.nuget.yml +++ b/azure-pipelines.nuget.yml @@ -47,9 +47,10 @@ extends: artifactsDir: $(Build.ArtifactStagingDirectory)\$(buildPlatform) templateContext: outputs: - - output: buildArtifacts + - output: pipelineArtifact displayName: 'Publish Pipeline Artifacts' targetPath: '$(artifactsDir)' + artifactName: 'Build.$(buildPlatform)$(buildConfiguration)' steps: - script: echo $(version) From 30e5eee87f9804585318f1327018ccc8e0bbae4c Mon Sep 17 00:00:00 2001 From: Madhusudhan Gumbalapura Sudarshan Date: Tue, 23 Jan 2024 13:39:51 -0800 Subject: [PATCH 15/19] Add sbomBuildDropPath to correct sbom manifest generation problem --- azure-pipelines.nuget.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/azure-pipelines.nuget.yml b/azure-pipelines.nuget.yml index 45d92f95fd..32647dfc4e 100644 --- a/azure-pipelines.nuget.yml +++ b/azure-pipelines.nuget.yml @@ -154,6 +154,7 @@ extends: targetPath: '$(Build.ArtifactStagingDirectory)\$(packageName).$(version).nupkg' artifactName: $(packageName) publishLocation: Container + sbomBuildDropPath: '$(Build.ArtifactStagingDirectory)\$(packageName)' # - output: nuget # displayName: 'Push WingetUtil nuget package to nuget.org' # packageParentPath: '$(Build.ArtifactStagingDirectory)' 
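Review bot: The `artifactName` added in PATCH 14/19, `'Build.$(buildPlatform)$(buildConfiguration)'`, expands to `Build.x64Release` and `Build.x86Release` because the matrix sets `buildConfiguration: 'Release'`, while the Nuget job downloads `Build.x64release` and `Build.x86release`. If artifact lookup turns out to be case-sensitive the downloads fail, and matching the names exactly removes the doubt. Using the literal suffix, `artifactName: 'Build.$(buildPlatform)release'`, keeps producer and consumer identical. The matrix and the download steps are outside this hunk.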
From ad832c426b7a68873232ed6d402fb655441aa475 Mon Sep 17 00:00:00 2001 From: Madhusudhan Gumbalapura Sudarshan Date: Thu, 25 Jan 2024 20:48:15 -0800 Subject: [PATCH 16/19] Set sbomBuildDropPath to parent drop directory to check sbom manifest issue resolution. --- azure-pipelines.nuget.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/azure-pipelines.nuget.yml b/azure-pipelines.nuget.yml index 32647dfc4e..20e9a4920f 100644 --- a/azure-pipelines.nuget.yml +++ b/azure-pipelines.nuget.yml @@ -154,7 +154,7 @@ extends: targetPath: '$(Build.ArtifactStagingDirectory)\$(packageName).$(version).nupkg' artifactName: $(packageName) publishLocation: Container - sbomBuildDropPath: '$(Build.ArtifactStagingDirectory)\$(packageName)' + sbomBuildDropPath: '$(Build.ArtifactStagingDirectory)' # - output: nuget # displayName: 'Push WingetUtil nuget package to nuget.org' # packageParentPath: '$(Build.ArtifactStagingDirectory)' From 4eb78303215fa9201e1c3fcc7f415775e0b86c1c Mon Sep 17 00:00:00 2001 From: Madhusudhan Gumbalapura Sudarshan Date: Fri, 26 Jan 2024 10:54:54 -0800 Subject: [PATCH 17/19] Enable nuget publish outputs to pipeline for final PR review --- azure-pipelines.nuget.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/azure-pipelines.nuget.yml b/azure-pipelines.nuget.yml index 32647dfc4e..4b8b539902 100644 --- a/azure-pipelines.nuget.yml +++ b/azure-pipelines.nuget.yml 
@@ -155,13 +155,13 @@ extends: artifactName: $(packageName) publishLocation: Container sbomBuildDropPath: '$(Build.ArtifactStagingDirectory)\$(packageName)' - # - output: nuget - # displayName: 'Push WingetUtil nuget package to nuget.org' - # packageParentPath: '$(Build.ArtifactStagingDirectory)' - # nuGetFeedType: external - # includeNugetOrg: true - # packagesToPush: '$(Build.ArtifactStagingDirectory)\$(packageName).$(version).nupkg' - # publishFeedCredentials: "WindowsPackageManagerAzurePipelineNuget - NuGet.org" + - output: nuget + displayName: 'Push WingetUtil nuget package to nuget.org' + packageParentPath: '$(Build.ArtifactStagingDirectory)' + nuGetFeedType: external + includeNugetOrg: true + packagesToPush: '$(Build.ArtifactStagingDirectory)\$(packageName).$(version).nupkg' + publishFeedCredentials: "WindowsPackageManagerAzurePipelineNuget - NuGet.org" steps: - checkout: none From aec933d58550e0c9d1c080b002113a648cb78b6e Mon Sep 17 00:00:00 2001 From: Madhusudhan Gumbalapura Sudarshan Date: Fri, 26 Jan 2024 11:03:21 -0800 Subject: [PATCH 18/19] [user/masudars/Azure_Pipelines_Nuget_To_1ES_Migration bf669bb0] Merge branch 'user/masudars/Azure_Pipelines_Nuget_To_1ES_Migration' of https://github.com/microsoft/winget-cli into user/masudars/Azure_Pipelines_Nuget_To_1ES_Migration --- azure-pipelines.nuget.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/azure-pipelines.nuget.yml b/azure-pipelines.nuget.yml index 20e9a4920f..eff40afe98 100644 --- a/azure-pipelines.nuget.yml +++ b/azure-pipelines.nuget.yml 
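Review bot: The re-enabled `output: nuget` entry pushes to nuget.org on every run of the Nuget job, with nothing in the visible lines tying it to a branch or an approval. PATCH 06/19 had to comment it out so that validation runs from the topic branch would not publish, which suggests a run queued from any branch signs and publishes the package. I would gate the publish explicitly (a check on `Build.SourceBranch`, or a separate stage behind an approval) rather than rely on commenting the block in and out. The same lines are re-enabled again in PATCH 18/19, and the job body continues outside the hunk.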
@@ -155,13 +155,13 @@ extends: artifactName: $(packageName) publishLocation: Container sbomBuildDropPath: '$(Build.ArtifactStagingDirectory)' - # - output: nuget - # displayName: 'Push WingetUtil nuget package to nuget.org' - # packageParentPath: '$(Build.ArtifactStagingDirectory)' - # nuGetFeedType: external - # includeNugetOrg: true - # packagesToPush: '$(Build.ArtifactStagingDirectory)\$(packageName).$(version).nupkg' - # publishFeedCredentials: "WindowsPackageManagerAzurePipelineNuget - NuGet.org" + - output: nuget + displayName: 'Push WingetUtil nuget package to nuget.org' + packageParentPath: '$(Build.ArtifactStagingDirectory)' + nuGetFeedType: external + includeNugetOrg: true + packagesToPush: '$(Build.ArtifactStagingDirectory)\$(packageName).$(version).nupkg' + publishFeedCredentials: "WindowsPackageManagerAzurePipelineNuget - NuGet.org" steps: - checkout: none From 77d4f9c169e786f5403e65fcb220bc71d3a05cd5 Mon Sep 17 00:00:00 2001 From: Madhusudhan Gumbalapura Sudarshan Date: Fri, 26 Jan 2024 11:11:59 -0800 Subject: [PATCH 19/19] =?UTF-8?q?Resolve=20spellcheck=20error=20by=20addin?= =?UTF-8?q?g=20=C2=93sbom=C2=94=20to=20expect.txt?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/actions/spelling/expect.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/actions/spelling/expect.txt b/.github/actions/spelling/expect.txt index 02c480e94f..a5a2db2128 100644 --- a/.github/actions/spelling/expect.txt +++ b/.github/actions/spelling/expect.txt @@ -376,6 +376,7 @@ runtimeclass ryfu rzkzqaqjwj SARL +sbom schematab sddl SECUREFILEPATH