From 5fcda8363c3135e621d963643d9b79be6090cbf4 Mon Sep 17 00:00:00 2001 From: Justin Chung Date: Mon, 3 Mar 2025 15:25:41 -0600 Subject: [PATCH 01/44] Add tool to download modules from CFS and change download methods in pipeline to use the tool --- .pipelines/templates/checkAzureContainer.yml | 2 +- .pipelines/templates/compliance/apiscan.yml | 10 +------- .../templates/compliance/generateNotice.yml | 11 +-------- .../templates/release-MakeBlobPublic.yml | 4 ++-- .pipelines/templates/release-create-msix.yml | 2 +- .../templates/release-upload-buildinfo.yml | 2 +- .../release-validate-packagenames.yml | 2 +- .pipelines/templates/uploadToAzure.yml | 2 +- tools/installPSResources.ps1 | 24 +++++++++++++++++++ 9 files changed, 33 insertions(+), 26 deletions(-) create mode 100644 tools/installPSResources.ps1 diff --git a/.pipelines/templates/checkAzureContainer.yml b/.pipelines/templates/checkAzureContainer.yml index a5ce2b1c666..f34d9fcfcc2 100644 --- a/.pipelines/templates/checkAzureContainer.yml +++ b/.pipelines/templates/checkAzureContainer.yml @@ -58,7 +58,7 @@ jobs: targetType: 'inline' script: | Get-PackageProvider -Name NuGet -ForceBootstrap - Install-Module -Name Az.Storage -Verbose -Force -AllowClobber + ./tools/installPSResource.ps1 -PSRepository CFS Uninstall-AzureRm -Verbose - task: AzurePowerShell@5 diff --git a/.pipelines/templates/compliance/apiscan.yml b/.pipelines/templates/compliance/apiscan.yml index bfe97827801..d868d0bacd7 100644 --- a/.pipelines/templates/compliance/apiscan.yml +++ b/.pipelines/templates/compliance/apiscan.yml 
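Review bot: The added line `./tools/installPSResource.ps1 -PSRepository CFS` in checkAzureContainer.yml names a script this patch does not create; the file it adds is `tools/installPSResources.ps1` (plural), so the step would fail to resolve the command where it used to install Az.Storage. The same spelling appears in the hunks for apiscan.yml, generateNotice.yml, release-MakeBlobPublic.yml (both hunks), release-create-msix.yml, release-upload-buildinfo.yml, release-validate-packagenames.yml and uploadToAzure.yml; each should read `./tools/installPSResources.ps1 -PSRepository CFS`. The path is also relative to the step's working directory, and of the steps shown only the apiscan one sets `workingDirectory: '$(repoRoot)'`, so it is worth confirming the others start in the repository root. The PowerShell@2 task this line belongs to begins outside the hunk.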
@@ -79,15 +79,7 @@ jobs: retryCountOnTaskFailure: 2 - pwsh: | - $modules = 'Az.Accounts', 'Az.Storage' - foreach($module in $modules) { - if(!(get-module $module -listavailable)) { - Write-Verbose "installing $module..." -verbose - Install-Module $module -force -AllowClobber - } else { - Write-Verbose "$module already installed." -verbose - } - } + ./tools/installPSResource.ps1 -PSRepository CFS -Verbose displayName: Install PowerShell modules workingDirectory: '$(repoRoot)' diff --git a/.pipelines/templates/compliance/generateNotice.yml b/.pipelines/templates/compliance/generateNotice.yml index 9a00ed6f01d..c04b6afcf61 100644 --- a/.pipelines/templates/compliance/generateNotice.yml +++ b/.pipelines/templates/compliance/generateNotice.yml @@ -96,16 +96,7 @@ jobs: displayName: Initalize PowerShellGet - powershell: | - $modules = 'Az.Accounts', 'Az.Storage' - foreach($module in $modules) { - if(!(get-module $module -listavailable)) { - Write-Verbose "installing $module..." -verbose - Install-Module $module -force -AllowClobber - } else { - Write-Verbose "$module already installed." -verbose - #Update-Module $module -verbose - } - } + ./tools/installPSResource.ps1 -PSRepository CFS displayName: Install PowerShell modules - powershell: | diff --git a/.pipelines/templates/release-MakeBlobPublic.yml b/.pipelines/templates/release-MakeBlobPublic.yml index f11a0839e47..e46c081d901 100644 --- a/.pipelines/templates/release-MakeBlobPublic.yml +++ b/.pipelines/templates/release-MakeBlobPublic.yml @@ -60,7 +60,7 @@ jobs: Write-Host 'AzureRM module removed' } - Install-Module -Name Az.Storage -Force -AllowClobber -Scope CurrentUser -Verbose + ./tools/installPSResource.ps1 -PSRepository CFS -Verbose displayName: Remove AzRM modules - task: AzurePowerShell@5 
@@ -158,7 +158,7 @@ jobs: Write-Host 'AzureRM module removed' } - Install-Module -Name Az.Storage -Force -AllowClobber -Scope CurrentUser -Verbose + ./tools/installPSResource.ps1 -PSRepository CFS -Verbose displayName: Remove AzRM modules - task: AzurePowerShell@5 diff --git a/.pipelines/templates/release-create-msix.yml b/.pipelines/templates/release-create-msix.yml index cdb86544baf..fff045138b5 100644 --- a/.pipelines/templates/release-create-msix.yml +++ b/.pipelines/templates/release-create-msix.yml @@ -36,7 +36,7 @@ jobs: Write-Host 'AzureRM module removed' } - Install-Module -Name Az.Storage -Force -AllowClobber -Scope CurrentUser -Verbose + ./tools/installPSResource.ps1 -PSRepository CFS -Verbose displayName: Remove AzRM modules and install Az.Storage diff --git a/.pipelines/templates/release-upload-buildinfo.yml b/.pipelines/templates/release-upload-buildinfo.yml index 27af6c87b64..e8373c2a899 100644 --- a/.pipelines/templates/release-upload-buildinfo.yml +++ b/.pipelines/templates/release-upload-buildinfo.yml @@ -112,7 +112,7 @@ jobs: Write-Host 'AzureRM module removed' } - Install-Module -Name Az.Storage -Force -AllowClobber -Scope CurrentUser -Verbose + ./tools/installPSResource.ps1 -PSRepository CFS -Verbose displayName: Remove AzRM modules - task: AzurePowerShell@5 diff --git a/.pipelines/templates/release-validate-packagenames.yml b/.pipelines/templates/release-validate-packagenames.yml index df467eacc28..3a4a455a8cd 100644 --- a/.pipelines/templates/release-validate-packagenames.yml +++ b/.pipelines/templates/release-validate-packagenames.yml @@ -36,7 +36,7 @@ jobs: Write-Host 'AzureRM module removed' } - Install-Module -Name Az.Storage -Force -AllowClobber -Scope CurrentUser -Verbose + ./tools/installPSResource.ps1 -PSRepository CFS -Verbose displayName: Remove AzRM modules and install Az.Storage diff --git a/.pipelines/templates/uploadToAzure.yml b/.pipelines/templates/uploadToAzure.yml index cd6f7d6739c..69af76c7a1c 100644 
--- a/.pipelines/templates/uploadToAzure.yml +++ b/.pipelines/templates/uploadToAzure.yml @@ -264,7 +264,7 @@ jobs: Write-Host 'AzureRM module removed' } - Install-Module -Name Az.Storage -Force -AllowClobber -Scope CurrentUser -Verbose + ./tools/installPSResource.ps1 -PSRepository CFS -Verbose displayName: Remove AzRM modules diff --git a/tools/installPSResources.ps1 b/tools/installPSResources.ps1 new file mode 100644 index 00000000000..62cde0e0895 --- /dev/null +++ b/tools/installPSResources.ps1 @@ -0,0 +1,24 @@ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. +param( + [ValidateSet("PSGallery", "CFS")] + [string]$PSRepository = "PSGallery" +) + +if ($PSRepository -eq "CFS" -and -not (Get-PSResourceRepository -Name CFS -ErrorAction SilentlyContinue)) { + Register-PSResourceRepository -Name CFS -Uri "https://pkgs.dev.azure.com/powershell/PowerShell/_packaging/PowerShellGalleryMirror/nuget/v3/index.json" +} + +# NOTE: Due to a bug in Install-PSResource with upstream feeds, we have to +# request an exact version. Otherwise, if a newer version is available in the +# upstream feed, it will fail to install any version at all. +Install-PSResource -Verbose -TrustRepository -RequiredResource @{ + "Az.Accounts" = @{ + version = "4.0.2" + repository = $PSRepository + } + "Az.Storage" = @{ + version = "8.1.0" + repository = $PSRepository + } +} From c070137e6f776fe0d40beaaa3df8fb32e68d7023 Mon Sep 17 00:00:00 2001 From: Justin Chung Date: Mon, 3 Mar 2025 18:40:22 -0600 Subject: [PATCH 02/44] Fix Andy's suggestions --- .pipelines/templates/checkAzureContainer.yml | 1 - .pipelines/templates/compliance/apiscan.yml | 3 +-- .pipelines/templates/compliance/generateNotice.yml | 3 +-- tools/installPSResources.ps1 | 2 +- 4 files changed, 3 insertions(+), 6 deletions(-) diff --git a/.pipelines/templates/checkAzureContainer.yml b/.pipelines/templates/checkAzureContainer.yml index f34d9fcfcc2..f8aafc58c3a 100644 
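Review bot: The registration guard in the new `tools/installPSResources.ps1` only tests that a repository named `CFS` exists, so an agent that already carries a `CFS` entry pointing at a different URI is used unchanged, and `-TrustRepository` on the install then accepts it without a prompt. Comparing the registered URI with the expected feed closes that gap: `$repo = Get-PSResourceRepository -Name CFS -ErrorAction SilentlyContinue` followed by `if (-not $repo -or $repo.Uri.AbsoluteUri -ne $cfsUri) { Register-PSResourceRepository -Name CFS -Uri $cfsUri -Force }`, with `$cfsUri` holding the feed URL already in the script. The default `$PSRepository = "PSGallery"` means a caller that omits the parameter installs from the public gallery; every call site in this patch passes `CFS`, so making `CFS` the default or the parameter mandatory would fail safer. A comment-based help block saying which modules the script installs and why the versions are pinned would also help the pipeline authors who call it.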
--- a/.pipelines/templates/checkAzureContainer.yml +++ b/.pipelines/templates/checkAzureContainer.yml @@ -57,7 +57,6 @@ jobs: inputs: targetType: 'inline' script: | - Get-PackageProvider -Name NuGet -ForceBootstrap ./tools/installPSResource.ps1 -PSRepository CFS Uninstall-AzureRm -Verbose diff --git a/.pipelines/templates/compliance/apiscan.yml b/.pipelines/templates/compliance/apiscan.yml index d868d0bacd7..dd5fff8aa2d 100644 --- a/.pipelines/templates/compliance/apiscan.yml +++ b/.pipelines/templates/compliance/apiscan.yml @@ -78,8 +78,7 @@ jobs: workingDirectory: '$(repoRoot)' retryCountOnTaskFailure: 2 - - pwsh: | - ./tools/installPSResource.ps1 -PSRepository CFS -Verbose + - pwsh: ./tools/installPSResource.ps1 -PSRepository CFS displayName: Install PowerShell modules workingDirectory: '$(repoRoot)' diff --git a/.pipelines/templates/compliance/generateNotice.yml b/.pipelines/templates/compliance/generateNotice.yml index c04b6afcf61..1cf540b87a8 100644 --- a/.pipelines/templates/compliance/generateNotice.yml +++ b/.pipelines/templates/compliance/generateNotice.yml @@ -95,8 +95,7 @@ jobs: Get-PackageProvider -Name NuGet -ForceBootstrap displayName: Initalize PowerShellGet - - powershell: | - ./tools/installPSResource.ps1 -PSRepository CFS + - pwsh: ./tools/installPSResource.ps1 -PSRepository CFS displayName: Install PowerShell modules - powershell: | diff --git a/tools/installPSResources.ps1 b/tools/installPSResources.ps1 index 62cde0e0895..4ab1a9dc4bb 100644 --- a/tools/installPSResources.ps1 +++ b/tools/installPSResources.ps1 @@ -16,7 +16,7 @@ Install-PSResource -Verbose -TrustRepository -RequiredResource @{ "Az.Accounts" = @{ version = "4.0.2" repository = $PSRepository - } + } "Az.Storage" = @{ version = "8.1.0" repository = $PSRepository From c2859e44ed24072a49136b1ded951ddfdb4605a0 Mon Sep 17 00:00:00 2001 
From: Justin Chung Date: Tue, 4 Mar 2025 10:18:23 -0600 Subject: [PATCH 03/44] Update binary pipeline to new name --- .pipelines/PowerShell-Packages-Official.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pipelines/PowerShell-Packages-Official.yml b/.pipelines/PowerShell-Packages-Official.yml index 7fce394ca19..13fc4cf54be 100644 --- a/.pipelines/PowerShell-Packages-Official.yml +++ b/.pipelines/PowerShell-Packages-Official.yml @@ -64,7 +64,7 @@ variables: resources: pipelines: - pipeline: CoOrdinatedBuildPipeline - source: 'PowerShell-Coordinated Packages-Official' + source: 'PowerShell-Coordinated Binaries-Official' trigger: branches: include: From 02b086f118af38e00120dae4b766cac590a48f91 Mon Sep 17 00:00:00 2001 From: Justin Chung Date: Thu, 6 Mar 2025 15:29:03 -0600 Subject: [PATCH 04/44] Remove -verbose from tools call --- .pipelines/templates/release-MakeBlobPublic.yml | 4 ++-- .pipelines/templates/release-create-msix.yml | 2 +- .pipelines/templates/release-upload-buildinfo.yml | 2 +- .pipelines/templates/release-validate-packagenames.yml | 2 +- .pipelines/templates/uploadToAzure.yml | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.pipelines/templates/release-MakeBlobPublic.yml b/.pipelines/templates/release-MakeBlobPublic.yml index e46c081d901..7f55166b553 100644 --- a/.pipelines/templates/release-MakeBlobPublic.yml +++ b/.pipelines/templates/release-MakeBlobPublic.yml @@ -60,7 +60,7 @@ jobs: Write-Host 'AzureRM module removed' } - ./tools/installPSResource.ps1 -PSRepository CFS -Verbose + ./tools/installPSResource.ps1 -PSRepository CFS displayName: Remove AzRM modules - task: AzurePowerShell@5 @@ -158,7 +158,7 @@ jobs: Write-Host 'AzureRM module removed' } - ./tools/installPSResource.ps1 -PSRepository CFS -Verbose + ./tools/installPSResource.ps1 -PSRepository CFS displayName: Remove AzRM modules - task: AzurePowerShell@5 
diff --git a/.pipelines/templates/release-create-msix.yml b/.pipelines/templates/release-create-msix.yml index fff045138b5..d8cf1453719 100644 --- a/.pipelines/templates/release-create-msix.yml +++ b/.pipelines/templates/release-create-msix.yml @@ -36,7 +36,7 @@ jobs: Write-Host 'AzureRM module removed' } - ./tools/installPSResource.ps1 -PSRepository CFS -Verbose + ./tools/installPSResource.ps1 -PSRepository CFS displayName: Remove AzRM modules and install Az.Storage diff --git a/.pipelines/templates/release-upload-buildinfo.yml b/.pipelines/templates/release-upload-buildinfo.yml index e8373c2a899..af7887231c9 100644 --- a/.pipelines/templates/release-upload-buildinfo.yml +++ b/.pipelines/templates/release-upload-buildinfo.yml @@ -112,7 +112,7 @@ jobs: Write-Host 'AzureRM module removed' } - ./tools/installPSResource.ps1 -PSRepository CFS -Verbose + ./tools/installPSResource.ps1 -PSRepository CFS displayName: Remove AzRM modules - task: AzurePowerShell@5 diff --git a/.pipelines/templates/release-validate-packagenames.yml b/.pipelines/templates/release-validate-packagenames.yml index 3a4a455a8cd..e410b7bf025 100644 --- a/.pipelines/templates/release-validate-packagenames.yml +++ b/.pipelines/templates/release-validate-packagenames.yml @@ -36,7 +36,7 @@ jobs: Write-Host 'AzureRM module removed' } - ./tools/installPSResource.ps1 -PSRepository CFS -Verbose + ./tools/installPSResource.ps1 -PSRepository CFS displayName: Remove AzRM modules and install Az.Storage diff --git a/.pipelines/templates/uploadToAzure.yml b/.pipelines/templates/uploadToAzure.yml index 69af76c7a1c..2a2cfb28694 100644 --- a/.pipelines/templates/uploadToAzure.yml +++ b/.pipelines/templates/uploadToAzure.yml @@ -264,7 +264,7 @@ jobs: Write-Host 'AzureRM module removed' } - ./tools/installPSResource.ps1 -PSRepository CFS -Verbose + ./tools/installPSResource.ps1 -PSRepository CFS displayName: Remove AzRM modules From 330a5bd1bc355411a6e68609b3a8db54c6d1b392 Mon Sep 17 00:00:00 2001 
From: Justin Chung Date: Mon, 10 Mar 2025 16:30:48 -0500 Subject: [PATCH 05/44] Test to see of AzureRM is still there --- .pipelines/templates/release-validate-packagenames.yml | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/.pipelines/templates/release-validate-packagenames.yml b/.pipelines/templates/release-validate-packagenames.yml index e410b7bf025..fd19234c888 100644 --- a/.pipelines/templates/release-validate-packagenames.yml +++ b/.pipelines/templates/release-validate-packagenames.yml @@ -29,15 +29,7 @@ jobs: displayName: Set Release Name - pwsh: | - $azureRmModule = Get-InstalledModule AzureRM -ErrorAction SilentlyContinue -Verbose - if ($azureRmModule) { - Write-Host 'AzureRM module exists. Removing it' - Uninstall-AzureRm - Write-Host 'AzureRM module removed' - } - - ./tools/installPSResource.ps1 -PSRepository CFS - + Get-Module -ListAvailable | Write-Verbose -Verbose displayName: Remove AzRM modules and install Az.Storage - task: AzurePowerShell@5 From b617bfcc8789afdb1bb102b472a4866fa17e4aac Mon Sep 17 00:00:00 2001 From: Justin Chung Date: Mon, 10 Mar 2025 16:34:27 -0500 Subject: [PATCH 06/44] Fix binaries pipeline name in release yml --- .pipelines/PowerShell-Release-Official.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pipelines/PowerShell-Release-Official.yml b/.pipelines/PowerShell-Release-Official.yml index 335ef4f71d3..bb83c98ae81 100644 --- a/.pipelines/PowerShell-Release-Official.yml +++ b/.pipelines/PowerShell-Release-Official.yml @@ -72,7 +72,7 @@ resources: pipelines: - pipeline: CoOrdinatedBuildPipeline - source: 'PowerShell-Coordinated Packages-Official' + source: 'PowerShell-Coordinated Binaries-Official' - pipeline: PSPackagesOfficial source: 'PowerShell-Packages-Official' From 6763d6044bc2cf00a363a0c5b555e6e5a8d12783 Mon Sep 17 00:00:00 2001 
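Review bot: The step in release-validate-packagenames.yml keeps `displayName: Remove AzRM modules and install Az.Storage` although its body is now only `Get-Module -ListAvailable | Write-Verbose -Verbose`, so the run log names an action that no longer happens. With the install removed, the `AzurePowerShell@5` task that follows depends on whatever Az modules the agent image carries, which this hunk does not show. I would rename the step to something like `displayName: List available modules` and add a YAML comment marking the listing as a temporary diagnostic.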
From: Justin Chung Date: Wed, 26 Mar 2025 13:23:34 -0500 Subject: [PATCH 07/44] Sign MacOS packages with OB signing --- .pipelines/PowerShell-Packages-Official.yml | 13 +++- .pipelines/templates/mac-package-build.yml | 61 +++-------------- .pipelines/templates/mac-package-sign.yml | 74 +++++++++++++++++++++ 3 files changed, 97 insertions(+), 51 deletions(-) create mode 100644 .pipelines/templates/mac-package-sign.yml diff --git a/.pipelines/PowerShell-Packages-Official.yml b/.pipelines/PowerShell-Packages-Official.yml index 13fc4cf54be..38c9798159c 100644 --- a/.pipelines/PowerShell-Packages-Official.yml +++ b/.pipelines/PowerShell-Packages-Official.yml @@ -129,6 +129,17 @@ extends: parameters: buildArchitecture: arm64 + - stage: mac_package_sign + dependsOn: [mac_package] + jobs: + - template: /.pipelines/templates/mac-package-sign.yml@self + parameters: + buildArchitecture: x64 + + - template: /.pipelines/templates/mac-package-sign.yml@self + parameters: + buildArchitecture: arm64 + - stage: windows_package dependsOn: [prep] jobs: @@ -244,6 +255,6 @@ extends: - template: /.pipelines/templates/nupkg.yml@self - stage: upload - dependsOn: [mac_package, windows_package, linux_package, nupkg] + dependsOn: [mac_package_sign, windows_package, linux_package, nupkg] jobs: - template: /.pipelines/templates/uploadToAzure.yml@self diff --git a/.pipelines/templates/mac-package-build.yml b/.pipelines/templates/mac-package-build.yml index 37a5ed48b07..56240bae1e2 100644 --- a/.pipelines/templates/mac-package-build.yml +++ b/.pipelines/templates/mac-package-build.yml 
@@ -172,57 +172,18 @@ jobs: Write-Verbose -Verbose "Compressed files:" Get-ChildItem -Path $(Pipeline.Workspace) -Filter "*.zip" -File | Write-Verbose -Verbose displayName: Compress package files for signing - - - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@5 - displayName: 'ESRP CodeSigning' - inputs: - ConnectedServiceName: 'ESRPMacOSSigning' - AppRegistrationClientId: '$(AppRegistrationClientId)' - AppRegistrationTenantId: '$(AppRegistrationTenantId)' - AuthAKVName: 'pwsh-CICD-Keyvault' - AuthCertName: 'PS-macos-signing' - AuthSignCertName: 'ESRP-OneCert' # this is not needed for pkg signing - FolderPath: $(Pipeline.Workspace) - Pattern: '*.zip' - signConfigType: inlineSignParams - inlineOperation: | - [{ - "KeyCode": "$(KeyCode)", - "OperationSetCode": "MacAppDeveloperSign", - "parameters": [ - { - "parameterName": "hardening", - "parameterValue": "enable" - }, - { - "parameterName": "OpusInfo", - "parameterValue": "http://Microsoft.com" - } - ], - "ToolName": "sign", - "ToolVersion": "1.0" - }] - SessionTimeout: 90 - ServiceEndpointUrl: '$(ServiceEndpointUrl)' - MaxConcurrency: 25 - + - pwsh: | - $signedPkg = Get-ChildItem -Path $(Pipeline.Workspace) -Filter "*osx*.zip" -File - - $signedPkg | ForEach-Object { - Write-Verbose -Verbose "Signed package zip: $_" - - if (-not (Test-Path $_)) { - throw "Package not found: $_" + $macosPackages = Get-ChildItem -Path $(Pipeline.Workspace) -Filter "*.zip" -File + foreach($pkg in $macosPackages) { + Write-Verbose -Verbose "Package to sign: $pkg" + if (-not (Test-Path $pkg)) { + throw "Package not found: $pkg" } - - if (-not (Test-Path $env:ob_outputDirectory)) { - $null = New-Item -Path $env:ob_outputDirectory -ItemType Directory - } - - Expand-Archive -Path $_ -DestinationPath $env:ob_outputDirectory -Verbose } - Write-Verbose -Verbose "Expanded pkg file:" - Get-ChildItem -Path $env:ob_outputDirectory | Write-Verbose -Verbose - displayName: Expand signed file + $artifactName = 'macos-packages-${{ 
parameters.buildArchitecture }}' + Write-Host "##vso[artifact.upload containerfolder=$artifactName;artifactname=$artifactName]$(OB_OUTPUTDIRECTORY)" + + Get-ChildItem -Path $(OB_OUTPUTDIRECTORY) -Filter "*.zip" -File | Write-Verbose -Verbose + displayName: Upload package for signing MacOS${{ parameters.buildArchitecture }} diff --git a/.pipelines/templates/mac-package-sign.yml b/.pipelines/templates/mac-package-sign.yml new file mode 100644 index 00000000000..17b7fd251db --- /dev/null +++ b/.pipelines/templates/mac-package-sign.yml 
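Review bot: The new upload step in mac-package-build.yml publishes `$(OB_OUTPUTDIRECTORY)`, but the zips it has just checked are enumerated from `$(Pipeline.Workspace)` and nothing in the hunk copies them into the output directory, so the `macos-packages-<arch>` artifact handed to the signing stage may be empty unless a copy happens outside the visible lines. Copying inside the loop, `Copy-Item -Path $pkg.FullName -Destination $env:ob_outputDirectory` (after creating the directory), or pointing the upload at the folder that holds the zips would fix it. The `Test-Path $pkg` check cannot fail for items `Get-ChildItem` has just returned; the guard that matters is `if (-not $macosPackages) { throw "No package zip found to sign" }` before the loop. The job these steps belong to starts outside the hunk.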
@@ -0,0 +1,74 @@ +parameters: + parentJob: '' + buildArchitecture: x64 + +jobs: +- job: sign_package_macOS_${{ parameters.buildArchitecture }} + displayName: Sign Package macOS ${{ parameters.buildArchitecture }} + condition: succeeded() + pool: + type: linux + + variables: + - name: HOMEBREW_NO_ANALYTICS + value: 1 + - name: runCodesignValidationInjection + value: false + - name: nugetMultiFeedWarnLevel + value: none + - name: NugetSecurityAnalysisWarningLevel + value: none + - name: skipNugetSecurityAnalysis + value: true + - group: DotNetPrivateBuildAccess + - name: ob_outputDirectory + value: '$(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT' + - name: ob_sdl_binskim_enabled + value: true + - name: ob_sdl_credscan_suppressionsfileforartifacts + value: $(Build.SourcesDirectory)/PowerShell/.config/suppress.json + - name: BuildArch + value: ${{ parameters.buildArchitecture }} + + steps: + - checkout: self + clean: true + + - pwsh: | + Get-ChildItem -Path env: | Out-String -width 9999 -Stream | write-Verbose -Verbose + displayName: Capture environment + + - task: DownloadPipelineArtifact@2 + inputs: + artifact: 'macos-packages-${{ parameters.buildArchitecture }}' + path: '$(Pipeline.Workspace)' + displayName: Download MacOs Package ${{ parameters.buildArchitecture }} + + - task: onebranch.pipeline.signing@1 + displayName: 'Onebranch Signing MacOS ${{ parameters.buildArchitecture }}' + inputs: + command: 'sign' + signing_profile: CP-401337-Apple + files_to_sign: '**/*.zip' + search_root: '$(Pipeline.Workspace)' + + - pwsh: | + $signedPkg = Get-ChildItem -Path '$(Pipeline.Workspace)' -Filter "*osx*.zip" -File + + $signedPkg | ForEach-Object { + Write-Verbose -Verbose "Signed package zip: $_" + + if (-not (Test-Path $_)) { + throw "Package not found: $_" + } + + if (-not (Test-Path $env:ob_outputDirectory)) { + $null = New-Item -Path $env:ob_outputDirectory -ItemType Directory + } + + Expand-Archive -Path $_ -DestinationPath $env:ob_outputDirectory -Verbose + } + 
+ Write-Verbose -Verbose "Expanded pkg file:" + Get-ChildItem -Path $env:ob_outputDirectory | Write-Verbose -Verbose + displayName: Expand signed file From b4496aff01232e5275d8e576a03c22a67877132a Mon Sep 17 00:00:00 2001 From: Justin Chung <124807742+jshigetomi@users.noreply.github.com> Date: Tue, 11 Mar 2025 14:53:04 -0500 Subject: [PATCH 08/44] Remove Az module installs and AzureRM uninstalls in pipeline (#25118) Co-authored-by: Justin Chung --- .../PowerShell-Release-Official-Azure.yml | 2 +- .pipelines/templates/checkAzureContainer.yml | 9 -------- .pipelines/templates/compliance/apiscan.yml | 4 ---- .../templates/compliance/generateNotice.yml | 13 ----------- .../templates/release-MakeBlobPublic.yml | 22 ------------------- .pipelines/templates/release-create-msix.yml | 12 ---------- .../templates/release-upload-buildinfo.yml | 11 ---------- .../release-validate-packagenames.yml | 4 ---- .pipelines/templates/uploadToAzure.yml | 12 ---------- 9 files changed, 1 insertion(+), 88 deletions(-) diff --git a/.pipelines/PowerShell-Release-Official-Azure.yml b/.pipelines/PowerShell-Release-Official-Azure.yml index acba669ffa3..2d644c7a5dd 100644 --- a/.pipelines/PowerShell-Release-Official-Azure.yml +++ b/.pipelines/PowerShell-Release-Official-Azure.yml @@ -56,7 +56,7 @@ resources: pipelines: - pipeline: CoOrdinatedBuildPipeline - source: 'PowerShell-Coordinated Packages-Official' + source: 'PowerShell-Coordinated Binaries-Official' - pipeline: PSPackagesOfficial source: 'PowerShell-Packages-Official' diff --git a/.pipelines/templates/checkAzureContainer.yml b/.pipelines/templates/checkAzureContainer.yml index f8aafc58c3a..f5e36f38a92 100644 --- a/.pipelines/templates/checkAzureContainer.yml +++ b/.pipelines/templates/checkAzureContainer.yml 
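Review bot: The signing task in the new mac-package-sign.yml takes `files_to_sign: '**/*.zip'` under `search_root: '$(Pipeline.Workspace)'`, which is wider than the one artifact the job downloads: the job also runs `checkout: self`, and by default the sources sit under the same workspace, so any zip in the checkout would be submitted with the `CP-401337-Apple` profile. Downloading the artifact into its own folder, using that folder as `search_root`, and setting `files_to_sign: '**/*osx*.zip'` to match the filter of the expand step keeps the signing scope to the packages. The expand step also succeeds silently when `$signedPkg` is empty; `if (-not $signedPkg) { throw "No signed package found" }` before the loop would stop the upload stage from running without macOS packages. The `Capture environment` step writes every environment variable to the log in a job that loads the `DotNetPrivateBuildAccess` group, so it is worth confirming that nothing sensitive in that group is left unmasked.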
@@ -51,15 +51,6 @@ jobs: } displayName: 'Check suppress.json' - # Needed as per FAQ here: https://eng.ms/docs/products/onebranch/build/troubleshootingfaqs - - task: PowerShell@2 - displayName: 'Update Az.Storage Module' - inputs: - targetType: 'inline' - script: | - ./tools/installPSResource.ps1 -PSRepository CFS - Uninstall-AzureRm -Verbose - - task: AzurePowerShell@5 displayName: Check if blob exists and delete if specified inputs: diff --git a/.pipelines/templates/compliance/apiscan.yml b/.pipelines/templates/compliance/apiscan.yml index dd5fff8aa2d..4e945b40349 100644 --- a/.pipelines/templates/compliance/apiscan.yml +++ b/.pipelines/templates/compliance/apiscan.yml @@ -78,10 +78,6 @@ jobs: workingDirectory: '$(repoRoot)' retryCountOnTaskFailure: 2 - - pwsh: ./tools/installPSResource.ps1 -PSRepository CFS - displayName: Install PowerShell modules - workingDirectory: '$(repoRoot)' - - task: AzurePowerShell@5 displayName: Download winverify-private Artifacts inputs: diff --git a/.pipelines/templates/compliance/generateNotice.yml b/.pipelines/templates/compliance/generateNotice.yml index 1cf540b87a8..b9d489795b1 100644 --- a/.pipelines/templates/compliance/generateNotice.yml +++ b/.pipelines/templates/compliance/generateNotice.yml @@ -95,19 +95,6 @@ jobs: Get-PackageProvider -Name NuGet -ForceBootstrap displayName: Initalize PowerShellGet - - pwsh: ./tools/installPSResource.ps1 -PSRepository CFS - displayName: Install PowerShell modules - - - powershell: | - if(Get-Command -Name Uninstall-AzureRm -ErrorAction Ignore){ - Write-Verbose "running Uninstall-AzureRm" -verbose - Uninstall-AzureRm - } else { - Write-Verbose "Uninstall-AzureRm not present" -verbose - } - displayName: Uninstall Uninstall-AzureRm - continueOnError: true - - task: AzurePowerShell@5 displayName: Upload Notice inputs: diff --git a/.pipelines/templates/release-MakeBlobPublic.yml b/.pipelines/templates/release-MakeBlobPublic.yml index 7f55166b553..c8f12938d25 100644 
--- a/.pipelines/templates/release-MakeBlobPublic.yml +++ b/.pipelines/templates/release-MakeBlobPublic.yml @@ -52,17 +52,6 @@ jobs: Get-ChildItem Env: displayName: 'Capture Environment Variables' - - pwsh: | - $azureRmModule = Get-InstalledModule AzureRM -ErrorAction SilentlyContinue -Verbose - if ($azureRmModule) { - Write-Host 'AzureRM module exists. Removing it' - Uninstall-AzureRm - Write-Host 'AzureRM module removed' - } - - ./tools/installPSResource.ps1 -PSRepository CFS - displayName: Remove AzRM modules - - task: AzurePowerShell@5 displayName: Copy blobs to PSInfra storage inputs: @@ -150,17 +139,6 @@ jobs: Get-ChildItem Env: | Out-String -width 9999 -Stream | write-Verbose -Verbose displayName: 'Capture Environment Variables' - - pwsh: | - $azureRmModule = Get-InstalledModule AzureRM -ErrorAction SilentlyContinue -Verbose - if ($azureRmModule) { - Write-Host 'AzureRM module exists. Removing it' - Uninstall-AzureRm - Write-Host 'AzureRM module removed' - } - - ./tools/installPSResource.ps1 -PSRepository CFS - displayName: Remove AzRM modules - - task: AzurePowerShell@5 displayName: Copy blobs to PSInfra storage inputs: diff --git a/.pipelines/templates/release-create-msix.yml b/.pipelines/templates/release-create-msix.yml index d8cf1453719..3714e623b5e 100644 --- a/.pipelines/templates/release-create-msix.yml +++ b/.pipelines/templates/release-create-msix.yml @@ -27,18 +27,6 @@ jobs: artifact: drop_windows_package_package_win_x86 displayName: Download x86 msix patterns: '**/*.msix' - - - pwsh: | - $azureRmModule = Get-InstalledModule AzureRM -ErrorAction SilentlyContinue -Verbose - if ($azureRmModule) { - Write-Host 'AzureRM module exists. Removing it' - Uninstall-AzureRm - Write-Host 'AzureRM module removed' - } - - ./tools/installPSResource.ps1 -PSRepository CFS - displayName: Remove AzRM modules and install Az.Storage - # Finds the makeappx tool on the machine with image: 'onebranch.azurecr.io/windows/ltsc2022/vse2022:latest' - pwsh: | 
diff --git a/.pipelines/templates/release-upload-buildinfo.yml b/.pipelines/templates/release-upload-buildinfo.yml index af7887231c9..8d59078b905 100644 --- a/.pipelines/templates/release-upload-buildinfo.yml +++ b/.pipelines/templates/release-upload-buildinfo.yml @@ -104,17 +104,6 @@ jobs: } displayName: Create json files - - pwsh: | - $azureRmModule = Get-InstalledModule AzureRM -ErrorAction SilentlyContinue -Verbose - if ($azureRmModule) { - Write-Host 'AzureRM module exists. Removing it' - Uninstall-AzureRm - Write-Host 'AzureRM module removed' - } - - ./tools/installPSResource.ps1 -PSRepository CFS - displayName: Remove AzRM modules - - task: AzurePowerShell@5 displayName: Upload buildjson to blob inputs: diff --git a/.pipelines/templates/release-validate-packagenames.yml b/.pipelines/templates/release-validate-packagenames.yml index fd19234c888..983d6690036 100644 --- a/.pipelines/templates/release-validate-packagenames.yml +++ b/.pipelines/templates/release-validate-packagenames.yml @@ -28,10 +28,6 @@ jobs: Write-Host "##vso[build.updatebuildnumber]$name" displayName: Set Release Name - - pwsh: | - Get-Module -ListAvailable | Write-Verbose -Verbose - displayName: Remove AzRM modules and install Az.Storage - - task: AzurePowerShell@5 displayName: Upload packages to blob inputs: diff --git a/.pipelines/templates/uploadToAzure.yml b/.pipelines/templates/uploadToAzure.yml index 2a2cfb28694..3bcceeb1af7 100644 --- a/.pipelines/templates/uploadToAzure.yml +++ b/.pipelines/templates/uploadToAzure.yml 
@@ -256,18 +256,6 @@ jobs: New-Item -Path $(Build.ArtifactStagingDirectory)/uploaded -ItemType Directory -Force displayName: Create output directory for packages - - pwsh: | - $azureRmModule = Get-InstalledModule AzureRM -ErrorAction SilentlyContinue -Verbose - if ($azureRmModule) { - Write-Host 'AzureRM module exists. Removing it' - Uninstall-AzureRm - Write-Host 'AzureRM module removed' - } - - ./tools/installPSResource.ps1 -PSRepository CFS - - displayName: Remove AzRM modules - - task: AzurePowerShell@5 displayName: Upload packages to blob inputs: From ee39aed6156be9befcd749b322007f58ded4d6fe Mon Sep 17 00:00:00 2001 From: Justin Chung <124807742+jshigetomi@users.noreply.github.com> Date: Mon, 17 Mar 2025 14:19:51 -0500 Subject: [PATCH 09/44] Update package pipeline windows image version (#25191) Co-authored-by: Justin Chung --- .pipelines/PowerShell-Packages-Official.yml | 5 ++++- .pipelines/templates/checkAzureContainer.yml | 3 ++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/.pipelines/PowerShell-Packages-Official.yml b/.pipelines/PowerShell-Packages-Official.yml index 38c9798159c..dd5126a660b 100644 --- a/.pipelines/PowerShell-Packages-Official.yml +++ b/.pipelines/PowerShell-Packages-Official.yml @@ -51,7 +51,7 @@ variables: - name: ob_outputDirectory value: '$(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT' - name: WindowsContainerImage - value: 'onebranch.azurecr.io/windows/ltsc2019/vse2022:latest' # Docker image which is used to build the project + value: 'onebranch.azurecr.io/windows/ltsc2022/vse2022:latest' # Docker image which is used to build the project - name: LinuxContainerImage value: mcr.microsoft.com/onebranch/cbl-mariner/build:2.0 - group: mscodehub-feed-read-general @@ -83,6 +83,9 @@ extends: cloudvault: enabled: false featureFlags: + WindowsHostVersion: + Version: 2022 + Network: KS3 linuxEsrpSigning: true globalSdl: disableLegacyManifest: true 
diff --git a/.pipelines/templates/checkAzureContainer.yml b/.pipelines/templates/checkAzureContainer.yml index f5e36f38a92..a6a86214d07 100644 --- a/.pipelines/templates/checkAzureContainer.yml +++ b/.pipelines/templates/checkAzureContainer.yml @@ -56,7 +56,8 @@ jobs: inputs: azureSubscription: az-blob-cicd-infra scriptType: inlineScript - azurePowerShellVersion: latestVersion + azurePowerShellVersion: LatestVersion + pwsh: true inline: | $containersToDelete = @('$(AzureVersion)', '$(AzureVersion)-private', '$(AzureVersion)-nuget', '$(AzureVersion)-gc') From 2d918ef5e4255131ff22765aab9df560a0605c44 Mon Sep 17 00:00:00 2001 From: Justin Chung Date: Thu, 27 Mar 2025 15:22:17 -0500 Subject: [PATCH 10/44] Remove GCM of ob_outputdirectory --- .pipelines/templates/mac-package-build.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/.pipelines/templates/mac-package-build.yml b/.pipelines/templates/mac-package-build.yml index 56240bae1e2..a8a1f2bb3ac 100644 --- a/.pipelines/templates/mac-package-build.yml +++ b/.pipelines/templates/mac-package-build.yml @@ -128,8 +128,8 @@ jobs: env: __DOTNET_RUNTIME_FEED_KEY: $(RUNTIME_SOURCEFEED_KEY) -- job: sign_package_macOS_${{ parameters.buildArchitecture }} - displayName: Sign Package macOS ${{ parameters.buildArchitecture }} +- job: Upload_Pacakge_macOS_${{ parameters.buildArchitecture }} + displayName: Upload Package macOS ${{ parameters.buildArchitecture }} dependsOn: package_macOS_${{ parameters.buildArchitecture }} condition: succeeded() pool: @@ -184,6 +184,4 @@ jobs: $artifactName = 'macos-packages-${{ parameters.buildArchitecture }}' Write-Host "##vso[artifact.upload containerfolder=$artifactName;artifactname=$artifactName]$(OB_OUTPUTDIRECTORY)" - - Get-ChildItem -Path $(OB_OUTPUTDIRECTORY) -Filter "*.zip" -File | Write-Verbose -Verbose displayName: Upload package for signing MacOS${{ parameters.buildArchitecture }} From 8f954281efe8b335a68c90451bd1a3580311a42c Mon Sep 17 00:00:00 2001 
From: Justin Chung Date: Thu, 27 Mar 2025 17:10:28 -0500 Subject: [PATCH 11/44] Use task to publish artifacts --- .pipelines/PowerShell-Packages-Official.yml | 6 --- .pipelines/templates/mac-package-build.yml | 57 --------------------- .pipelines/templates/mac-package-sign.yml | 43 +++++----------- 3 files changed, 13 insertions(+), 93 deletions(-) diff --git a/.pipelines/PowerShell-Packages-Official.yml b/.pipelines/PowerShell-Packages-Official.yml index dd5126a660b..aa8f51fc518 100644 --- a/.pipelines/PowerShell-Packages-Official.yml +++ b/.pipelines/PowerShell-Packages-Official.yml @@ -136,12 +136,6 @@ extends: dependsOn: [mac_package] jobs: - template: /.pipelines/templates/mac-package-sign.yml@self - parameters: - buildArchitecture: x64 - - - template: /.pipelines/templates/mac-package-sign.yml@self - parameters: - buildArchitecture: arm64 - stage: windows_package dependsOn: [prep] diff --git a/.pipelines/templates/mac-package-build.yml b/.pipelines/templates/mac-package-build.yml index a8a1f2bb3ac..881a4003cbd 100644 --- a/.pipelines/templates/mac-package-build.yml +++ b/.pipelines/templates/mac-package-build.yml 
@@ -128,60 +128,3 @@ jobs: env: __DOTNET_RUNTIME_FEED_KEY: $(RUNTIME_SOURCEFEED_KEY) -- job: Upload_Pacakge_macOS_${{ parameters.buildArchitecture }} - displayName: Upload Package macOS ${{ parameters.buildArchitecture }} - dependsOn: package_macOS_${{ parameters.buildArchitecture }} - condition: succeeded() - pool: - type: windows - - variables: - - name: ob_outputDirectory - value: '$(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT' - - name: ob_sdl_binskim_enabled - value: true - - name: ob_sdl_credscan_suppressionsfileforartifacts - value: $(Build.SourcesDirectory)/PowerShell/.config/suppress.json - - name: BuildArch - value: ${{ parameters.buildArchitecture }} - - group: mscodehub-macos-package-signing - - steps: - - download: current - artifact: macos-pkgs - - - pwsh: | - $buildArch = '${{ parameters.buildArchitecture }}' - $macosRuntime = "osx-$buildArch" - $pkgNameFilter = "powershell-*$macosRuntime.pkg" - $pkgPath = Get-ChildItem -Path $(Pipeline.Workspace) -Filter $pkgNameFilter -Recurse -File - - if ($pkgPath.Count -eq 0) { - throw "No package found for $macosRuntime" - } - - foreach($p in $pkgPath) { - $file = $p.FullName - $fileName = $p.BaseName - Write-Verbose -verbose "Compressing $file" - $zipFile = "$(Pipeline.Workspace)\${fileName}.zip" - Write-Verbose -Verbose "Zip file: $zipFile" - Compress-Archive -Path $file -Destination $zipFile - } - - Write-Verbose -Verbose "Compressed files:" - Get-ChildItem -Path $(Pipeline.Workspace) -Filter "*.zip" -File | Write-Verbose -Verbose - displayName: Compress package files for signing - - - pwsh: | - $macosPackages = Get-ChildItem -Path $(Pipeline.Workspace) -Filter "*.zip" -File - foreach($pkg in $macosPackages) { - Write-Verbose -Verbose "Package to sign: $pkg" - if (-not (Test-Path $pkg)) { - throw "Package not found: $pkg" - } - } - - $artifactName = 'macos-packages-${{ parameters.buildArchitecture }}' - Write-Host "##vso[artifact.upload 
containerfolder=$artifactName;artifactname=$artifactName]$(OB_OUTPUTDIRECTORY)" - displayName: Upload package for signing MacOS${{ parameters.buildArchitecture }} diff --git a/.pipelines/templates/mac-package-sign.yml b/.pipelines/templates/mac-package-sign.yml index 17b7fd251db..a4bd095540d 100644 --- a/.pipelines/templates/mac-package-sign.yml +++ b/.pipelines/templates/mac-package-sign.yml @@ -1,9 +1,5 @@ -parameters: - parentJob: '' - buildArchitecture: x64 - jobs: -- job: sign_package_macOS_${{ parameters.buildArchitecture }} +- job: sign_package_macOS_packges displayName: Sign Package macOS ${{ parameters.buildArchitecture }} condition: succeeded() pool: 
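Review bot: The job's `displayName` still reads `Sign Package macOS ${{ parameters.buildArchitecture }}` (context line) after this hunk removes the `parameters:` block. The caller in PowerShell-Packages-Official.yml no longer passes `buildArchitecture`, so the expression has nothing to resolve to. The job now covers every architecture, so a fixed `displayName: Sign macOS packages` would describe it correctly. The new job id `sign_package_macOS_packges` is misspelled; `sign_package_macOS_packages` keeps the typo out of any later `dependsOn`. The job body continues outside this hunk.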
@@ -40,35 +36,22 @@ jobs: - task: DownloadPipelineArtifact@2 inputs: - artifact: 'macos-packages-${{ parameters.buildArchitecture }}' + buildType: 'Current' + artifact: 'macos-pkgs' path: '$(Pipeline.Workspace)' - displayName: Download MacOs Package ${{ parameters.buildArchitecture }} + displayName: Download MacOs Packages - task: onebranch.pipeline.signing@1 - displayName: 'Onebranch Signing MacOS ${{ parameters.buildArchitecture }}' + displayName: 'Onebranch Signing MacOS Packages' inputs: command: 'sign' signing_profile: CP-401337-Apple - files_to_sign: '**/*.zip' - search_root: '$(Pipeline.Workspace)' + files_to_sign: '**/*.{pkg,tar.gz}' + search_root: '$(Pipeline.Workspace)/macos-pkgs/' - - pwsh: | - $signedPkg = Get-ChildItem -Path '$(Pipeline.Workspace)' -Filter "*osx*.zip" -File - - $signedPkg | ForEach-Object { - Write-Verbose -Verbose "Signed package zip: $_" - - if (-not (Test-Path $_)) { - throw "Package not found: $_" - } - - if (-not (Test-Path $env:ob_outputDirectory)) { - $null = New-Item -Path $env:ob_outputDirectory -ItemType Directory - } - - Expand-Archive -Path $_ -DestinationPath $env:ob_outputDirectory -Verbose - } - - Write-Verbose -Verbose "Expanded pkg file:" - Get-ChildItem -Path $env:ob_outputDirectory | Write-Verbose -Verbose - displayName: Expand signed file + - task: PublishPipelineArtifact@1 + displayName: 'Upload Signed MacOS Packages' + inputs: + targetPath: '$(Pipeline.Workspace)/macos-pkgs' + publishLocation: 'pipeline' + artifact: 'macos-pkgs-signed' From 53b1a293a9bc288ea1bd5586072b9918a79720f5 Mon Sep 17 00:00:00 2001 From: Justin Chung Date: Thu, 27 Mar 2025 17:13:50 -0500 Subject: [PATCH 12/44] Sign in place in onebranch artifact directory --- .pipelines/templates/mac-package-sign.yml | 16 +--------------- 1 file changed, 1 insertion(+), 15 deletions(-) diff --git a/.pipelines/templates/mac-package-sign.yml b/.pipelines/templates/mac-package-sign.yml index a4bd095540d..68c84aa2963 100644 
--- a/.pipelines/templates/mac-package-sign.yml +++ b/.pipelines/templates/mac-package-sign.yml @@ -34,24 +34,10 @@ jobs: Get-ChildItem -Path env: | Out-String -width 9999 -Stream | write-Verbose -Verbose displayName: Capture environment - - task: DownloadPipelineArtifact@2 - inputs: - buildType: 'Current' - artifact: 'macos-pkgs' - path: '$(Pipeline.Workspace)' - displayName: Download MacOs Packages - - task: onebranch.pipeline.signing@1 displayName: 'Onebranch Signing MacOS Packages' inputs: command: 'sign' signing_profile: CP-401337-Apple files_to_sign: '**/*.{pkg,tar.gz}' - search_root: '$(Pipeline.Workspace)/macos-pkgs/' - - - task: PublishPipelineArtifact@1 - displayName: 'Upload Signed MacOS Packages' - inputs: - targetPath: '$(Pipeline.Workspace)/macos-pkgs' - publishLocation: 'pipeline' - artifact: 'macos-pkgs-signed' + search_root: '$(ob_outputDirectory)/macos-pkgs/' From 60792ec0be60806d94f485f1fe99e97fef49edc2 Mon Sep 17 00:00:00 2001 From: Justin Chung Date: Mon, 31 Mar 2025 11:59:58 -0500 Subject: [PATCH 13/44] Download mac packages, sign, and upload to artifacts --- .pipelines/templates/mac-package-sign.yml | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/.pipelines/templates/mac-package-sign.yml b/.pipelines/templates/mac-package-sign.yml index 68c84aa2963..3a62f199455 100644 --- a/.pipelines/templates/mac-package-sign.yml +++ b/.pipelines/templates/mac-package-sign.yml 
@@ -34,10 +34,30 @@ jobs: Get-ChildItem -Path env: | Out-String -width 9999 -Stream | write-Verbose -Verbose displayName: Capture environment + - pwsh: | + New-Item -Path '$(Build.ArtifactStagingDirectory)/downloads' -ItemType Directory -Force + displayName: Create downloads directory + + - task: DownloadPipelineArtifact@2 + inputs: + buildType: 'current' + artifact: macos-pkgs + itemPattern: | + **/*.pkg + **/*.tar.gz + targetPath: '$(Build.ArtifactStagingDirectory)/downloads' + displayName: Download macos tar packages + - task: onebranch.pipeline.signing@1 displayName: 'Onebranch Signing MacOS Packages' inputs: command: 'sign' signing_profile: CP-401337-Apple files_to_sign: '**/*.{pkg,tar.gz}' - search_root: '$(ob_outputDirectory)/macos-pkgs/' + search_root: '$(Build.ArtifactStagingDirectory)/downloads/' + + - pwsh: | + Write-Verbose -Verbose "Creating output directory for signed MacOS packages: $(ob_outputDirectory)/SignedMacPackages" + New-Item -Path $(ob_outputDirectory)/SignedMacPackages -ItemType Directory -Force + Get-ChildItem -Path "$(Build.ArtifactStagingDirectory)/downloads/*" -Recurse | + Copy-Item -Destination $(ob_outputDirectory)/SignedMacPackages -Recurse -Verbose From df60de2b5417f8628013bdc54274287c520004de Mon Sep 17 00:00:00 2001 From: Justin Chung Date: Mon, 31 Mar 2025 12:29:25 -0500 Subject: [PATCH 14/44] Add display name --- .pipelines/templates/mac-package-sign.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.pipelines/templates/mac-package-sign.yml b/.pipelines/templates/mac-package-sign.yml index 3a62f199455..b34b04a609c 100644 --- a/.pipelines/templates/mac-package-sign.yml +++ b/.pipelines/templates/mac-package-sign.yml 
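Review bot: The last step pipes `Get-ChildItem ... -Recurse` into `Copy-Item ... -Recurse`, so a file in a subfolder of `downloads` is copied twice: once inside its folder and once flattened into `SignedMacPackages`. A single `Copy-Item -Path '$(Build.ArtifactStagingDirectory)/downloads/*' -Destination '$(ob_outputDirectory)/SignedMacPackages' -Recurse -Verbose` keeps the layout. It also quotes the macro-expanded paths, which are unquoted in `New-Item -Path` and `-Destination` here. The step copies whatever is in `downloads` whether or not the signing task processed it, so the folder name alone is not evidence of a signature; a comment saying so, or a check before the copy, would help the next reader.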
@@ -61,3 +61,4 @@ jobs: New-Item -Path $(ob_outputDirectory)/SignedMacPackages -ItemType Directory -Force Get-ChildItem -Path "$(Build.ArtifactStagingDirectory)/downloads/*" -Recurse | Copy-Item -Destination $(ob_outputDirectory)/SignedMacPackages -Recurse -Verbose + displayName: Copy signed MacOS packages to output directory From af0c567b1abb3c6ad39de621e68086815dcfbcc4 Mon Sep 17 00:00:00 2001 From: Justin Chung Date: Tue, 1 Apr 2025 11:54:31 -0500 Subject: [PATCH 15/44] Sign during same stage different job --- .pipelines/PowerShell-Packages-Official.yml | 7 +-- .pipelines/templates/mac-package-build.yml | 56 ++++++++++++++++++ .pipelines/templates/mac-package-sign.yml | 64 --------------------- 3 files changed, 57 insertions(+), 70 deletions(-) delete mode 100644 .pipelines/templates/mac-package-sign.yml diff --git a/.pipelines/PowerShell-Packages-Official.yml b/.pipelines/PowerShell-Packages-Official.yml index aa8f51fc518..30b9e415215 100644 --- a/.pipelines/PowerShell-Packages-Official.yml +++ b/.pipelines/PowerShell-Packages-Official.yml @@ -132,11 +132,6 @@ extends: parameters: buildArchitecture: arm64 - - stage: mac_package_sign - dependsOn: [mac_package] - jobs: - - template: /.pipelines/templates/mac-package-sign.yml@self - - stage: windows_package dependsOn: [prep] jobs: @@ -252,6 +247,6 @@ extends: - template: /.pipelines/templates/nupkg.yml@self - stage: upload - dependsOn: [mac_package_sign, windows_package, linux_package, nupkg] + dependsOn: [mac_package, windows_package, linux_package, nupkg] jobs: - template: /.pipelines/templates/uploadToAzure.yml@self diff --git a/.pipelines/templates/mac-package-build.yml b/.pipelines/templates/mac-package-build.yml index 881a4003cbd..d2425703aef 100644 --- a/.pipelines/templates/mac-package-build.yml +++ b/.pipelines/templates/mac-package-build.yml 
@@ -128,3 +128,59 @@ jobs: env: __DOTNET_RUNTIME_FEED_KEY: $(RUNTIME_SOURCEFEED_KEY) +- job: sign_package_macOS_${{ parameters.buildArchitecture }} + displayName: Sign Package macOS ${{ parameters.buildArchitecture }} + dependsOn: package_macOS_${{ parameters.buildArchitecture }} + condition: succeeded() + pool: + type: linux + + variables: + - name: ob_outputDirectory + value: '$(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT' + - name: ob_sdl_binskim_enabled + value: true + - name: ob_sdl_credscan_suppressionsfileforartifacts + value: $(Build.SourcesDirectory)/PowerShell/.config/suppress.json + - name: BuildArch + value: ${{ parameters.buildArchitecture }} + - group: mscodehub-macos-package-signing + + steps: + - pwsh: | + Get-ChildItem -Path env: | Out-String -width 9999 -Stream | write-Verbose -Verbose + displayName: Capture environment + + - pwsh: | + New-Item -Path '$(Build.ArtifactStagingDirectory)/downloads' -ItemType Directory -Force + displayName: Create downloads directory + + - pwsh: | + $buildArch = '${{ parameters.buildArchitecture }}' + $macosRuntime = "osx-$buildArch" + $pkgNameFilter = "powershell-*$macosRuntime.pkg" + + Write-Host "##vso[task.setvariable variable=pkgNameFilter]$pkgNameFilter" + Write-Host "Dynamic filter set to: $pkgNameFilter" + displayName: Set Dynamic Filter for Download + + - task: DownloadPipelineArtifact@2 + inputs: + buildType: 'current' + artifact: macos-pkgs + itemPattern: '$(pkgNameFilter)' + targetPath: '$(Build.ArtifactStagingDirectory)/downloads' + displayName: Download macos tar packages + + - task: onebranch.pipeline.signing@1 + displayName: 'Onebranch Signing MacOS Packages' + inputs: + command: 'sign' + signing_profile: CP-401337-Apple + files_to_sign: '**/*.pkg' + search_root: '$(Build.ArtifactStagingDirectory)/downloads/' + + - pwsh: | + $pkgPath = Get-ChildItem -Path "$(Build.ArtifactStagingDirectory)/downloads" -Recurse -Filter "*.pkg" | Select-Object -ExpandProperty FullName + Write-Host 
"##vso[artifact.upload containerfolder=signed-macos-pkgs;artifactname=signed-macos-pkgs]$pkgPath" + displayName: Upload signed MacOS packages to Artifacts diff --git a/.pipelines/templates/mac-package-sign.yml b/.pipelines/templates/mac-package-sign.yml deleted file mode 100644 index b34b04a609c..00000000000 --- a/.pipelines/templates/mac-package-sign.yml +++ /dev/null 
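Review bot: In the last step `$pkgPath` is interpolated straight into the `##vso[artifact.upload ...]` command, but `Get-ChildItem -Recurse -Filter "*.pkg"` can return no path or several. Several paths are joined with spaces into one string, and with none the command is emitted with an empty path, so a run that signed nothing may still pass. I would fail closed and upload per file: `if (-not $pkgPath) { throw "No signed .pkg found" }`, then `foreach ($p in $pkgPath) { Write-Host "##vso[artifact.upload containerfolder=signed-macos-pkgs;artifactname=signed-macos-pkgs]$p" }`. Separately, `Capture environment` prints every environment variable into the log of a job that pulls in the `mscodehub-macos-package-signing` group. It is worth confirming that the group holds no non-secret value you would not want in build logs.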
@@ -1,64 +0,0 @@ -jobs: -- job: sign_package_macOS_packges - displayName: Sign Package macOS ${{ parameters.buildArchitecture }} - condition: succeeded() - pool: - type: linux - - variables: - - name: HOMEBREW_NO_ANALYTICS - value: 1 - - name: runCodesignValidationInjection - value: false - - name: nugetMultiFeedWarnLevel - value: none - - name: NugetSecurityAnalysisWarningLevel - value: none - - name: skipNugetSecurityAnalysis - value: true - - group: DotNetPrivateBuildAccess - - name: ob_outputDirectory - value: '$(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT' - - name: ob_sdl_binskim_enabled - value: true - - name: ob_sdl_credscan_suppressionsfileforartifacts - value: $(Build.SourcesDirectory)/PowerShell/.config/suppress.json - - name: BuildArch - value: ${{ parameters.buildArchitecture }} - - steps: - - checkout: self - clean: true - - - pwsh: | - Get-ChildItem -Path env: | Out-String -width 9999 -Stream | write-Verbose -Verbose - displayName: Capture environment - - - pwsh: | - New-Item -Path '$(Build.ArtifactStagingDirectory)/downloads' -ItemType Directory -Force - displayName: Create downloads directory - - - task: DownloadPipelineArtifact@2 - inputs: - buildType: 'current' - artifact: macos-pkgs - itemPattern: | - **/*.pkg - **/*.tar.gz - targetPath: '$(Build.ArtifactStagingDirectory)/downloads' - displayName: Download macos tar packages - - - task: onebranch.pipeline.signing@1 - displayName: 'Onebranch Signing MacOS Packages' - inputs: - command: 'sign' - signing_profile: CP-401337-Apple - files_to_sign: '**/*.{pkg,tar.gz}' - search_root: '$(Build.ArtifactStagingDirectory)/downloads/' - - - pwsh: | - Write-Verbose -Verbose "Creating output directory for signed MacOS packages: $(ob_outputDirectory)/SignedMacPackages" - New-Item -Path $(ob_outputDirectory)/SignedMacPackages -ItemType Directory -Force - Get-ChildItem -Path "$(Build.ArtifactStagingDirectory)/downloads/*" -Recurse | - Copy-Item -Destination $(ob_outputDirectory)/SignedMacPackages -Recurse 
-Verbose - displayName: Copy signed MacOS packages to output directory From 2eadb781c83cd53929ec94fcc199eccd01bea09b Mon Sep 17 00:00:00 2001 From: Justin Chung Date: Tue, 1 Apr 2025 11:55:20 -0500 Subject: [PATCH 16/44] Fix display name --- .pipelines/templates/mac-package-build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pipelines/templates/mac-package-build.yml b/.pipelines/templates/mac-package-build.yml index d2425703aef..df94cde48bf 100644 --- a/.pipelines/templates/mac-package-build.yml +++ b/.pipelines/templates/mac-package-build.yml @@ -170,7 +170,7 @@ jobs: artifact: macos-pkgs itemPattern: '$(pkgNameFilter)' targetPath: '$(Build.ArtifactStagingDirectory)/downloads' - displayName: Download macos tar packages + displayName: Download MacOS packages - task: onebranch.pipeline.signing@1 displayName: 'Onebranch Signing MacOS Packages' From 3d7c3e5e507eae00dbf0545f3de8c83d8a257f8f Mon Sep 17 00:00:00 2001 From: Justin Chung Date: Tue, 1 Apr 2025 12:49:20 -0500 Subject: [PATCH 17/44] Fix filter to add macos-pkg in filter --- .pipelines/templates/mac-package-build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pipelines/templates/mac-package-build.yml b/.pipelines/templates/mac-package-build.yml index df94cde48bf..30fc3905302 100644 --- a/.pipelines/templates/mac-package-build.yml +++ b/.pipelines/templates/mac-package-build.yml @@ -158,7 +158,7 @@ jobs: - pwsh: | $buildArch = '${{ parameters.buildArchitecture }}' $macosRuntime = "osx-$buildArch" - $pkgNameFilter = "powershell-*$macosRuntime.pkg" + $pkgNameFilter = "macos-pkgs/powershell-*$macosRuntime.pkg" Write-Host "##vso[task.setvariable variable=pkgNameFilter]$pkgNameFilter" Write-Host "Dynamic filter set to: $pkgNameFilter" From 65b89a14b854d0ebc918f91926f3506c36abb3f9 Mon Sep 17 00:00:00 2001 
From: Justin Chung Date: Mon, 7 Apr 2025 14:40:29 -0500 Subject: [PATCH 18/44] Use CP-233029-Apple keycode and Dynamic-WINMSAPP1ST --- .pipelines/templates/mac-package-build.yml | 2 +- .pipelines/templates/release-create-msix.yml | 8 ++++++++ 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/.pipelines/templates/mac-package-build.yml b/.pipelines/templates/mac-package-build.yml index 30fc3905302..0c23d8979be 100644 --- a/.pipelines/templates/mac-package-build.yml +++ b/.pipelines/templates/mac-package-build.yml @@ -176,7 +176,7 @@ jobs: displayName: 'Onebranch Signing MacOS Packages' inputs: command: 'sign' - signing_profile: CP-401337-Apple + signing_profile: CP-233029-Apple files_to_sign: '**/*.pkg' search_root: '$(Build.ArtifactStagingDirectory)/downloads/' diff --git a/.pipelines/templates/release-create-msix.yml b/.pipelines/templates/release-create-msix.yml index 3714e623b5e..0188ed4c2bc 100644 --- a/.pipelines/templates/release-create-msix.yml +++ b/.pipelines/templates/release-create-msix.yml @@ -75,6 +75,14 @@ jobs: displayName: Create MsixBundle retryCountOnTaskFailure: 1 + - task: onebranch.pipeline.signing@1 + displayName: Sign MsixBundle + inputs: + command: 'sign' + signing_profile: Dynamic-WINMSAPP1ST + files_to_sign: '**/*.msixbundle' + search_root: '$(BundleDir)' + - task: AzurePowerShell@5 displayName: Upload msix to blob inputs: From 4bd9b6076f8623e4615ad52bd061a8f8ec6d28d4 Mon Sep 17 00:00:00 2001 From: Justin Chung Date: Tue, 8 Apr 2025 11:13:51 -0500 Subject: [PATCH 19/44] Use inline operation with custom JSON --- .pipelines/templates/mac-package-build.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/.pipelines/templates/mac-package-build.yml b/.pipelines/templates/mac-package-build.yml index 0c23d8979be..c46d9c310f1 100644 --- a/.pipelines/templates/mac-package-build.yml +++ b/.pipelines/templates/mac-package-build.yml 
@@ -176,9 +176,17 @@ jobs: displayName: 'Onebranch Signing MacOS Packages' inputs: command: 'sign' - signing_profile: CP-233029-Apple files_to_sign: '**/*.pkg' search_root: '$(Build.ArtifactStagingDirectory)/downloads/' + inlineOperation: | + [ + { + "keyCode":"CP-401337-Apple", + "toolName":"sign", + "operationSetCode":"MacAppDeveloperSign", + "toolVersion":"1.0" + } + ] - pwsh: | $pkgPath = Get-ChildItem -Path "$(Build.ArtifactStagingDirectory)/downloads" -Recurse -Filter "*.pkg" | Select-Object -ExpandProperty FullName From a901ecb4a42fbb08720db30b4c6fe04231bf85fa Mon Sep 17 00:00:00 2001 From: Justin Chung Date: Tue, 8 Apr 2025 12:46:44 -0500 Subject: [PATCH 20/44] Use provided YAML --- .pipelines/templates/mac-package-build.yml | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/.pipelines/templates/mac-package-build.yml b/.pipelines/templates/mac-package-build.yml index c46d9c310f1..7361901edbc 100644 --- a/.pipelines/templates/mac-package-build.yml +++ b/.pipelines/templates/mac-package-build.yml @@ -173,19 +173,23 @@ jobs: displayName: Download MacOS packages - task: onebranch.pipeline.signing@1 - displayName: 'Onebranch Signing MacOS Packages' + displayName: 'OneBranch CodeSigning Package' inputs: command: 'sign' files_to_sign: '**/*.pkg' search_root: '$(Build.ArtifactStagingDirectory)/downloads/' - inlineOperation: | + inline_operation: | [ - { - "keyCode":"CP-401337-Apple", - "toolName":"sign", - "operationSetCode":"MacAppDeveloperSign", - "toolVersion":"1.0" + { + "KeyCode": "CP-401337-Apple", + "OperationCode": "MacAppDeveloperSign", + "ToolName": "sign", + "ToolVersion": "1.0", + "Parameters": { + "Hardening": "Enable", + "OpusInfo": "http://microsoft.com" } + } ] - pwsh: | From af02fa5d8c2d170e55a44746b9462f793d31ab84 Mon Sep 17 00:00:00 2001 
From: Justin Chung Date: Tue, 8 Apr 2025 14:13:43 -0500 Subject: [PATCH 21/44] Revert to previous method and sign with ob --- .pipelines/templates/mac-package-build.yml | 63 ++++++++++++++-------- 1 file changed, 40 insertions(+), 23 deletions(-) diff --git a/.pipelines/templates/mac-package-build.yml b/.pipelines/templates/mac-package-build.yml index 7361901edbc..1e141458e8f 100644 --- a/.pipelines/templates/mac-package-build.yml +++ b/.pipelines/templates/mac-package-build.yml 
@@ -147,36 +147,37 @@ jobs: - group: mscodehub-macos-package-signing steps: - - pwsh: | - Get-ChildItem -Path env: | Out-String -width 9999 -Stream | write-Verbose -Verbose - displayName: Capture environment - - - pwsh: | - New-Item -Path '$(Build.ArtifactStagingDirectory)/downloads' -ItemType Directory -Force - displayName: Create downloads directory - + - download: current + artifact: macos-pkgs + - pwsh: | $buildArch = '${{ parameters.buildArchitecture }}' $macosRuntime = "osx-$buildArch" - $pkgNameFilter = "macos-pkgs/powershell-*$macosRuntime.pkg" + $pkgNameFilter = "powershell-*$macosRuntime.pkg" + $pkgPath = Get-ChildItem -Path $(Pipeline.Workspace) -Filter $pkgNameFilter -Recurse -File + + if ($pkgPath.Count -eq 0) { + throw "No package found for $macosRuntime" + } - Write-Host "##vso[task.setvariable variable=pkgNameFilter]$pkgNameFilter" - Write-Host "Dynamic filter set to: $pkgNameFilter" - displayName: Set Dynamic Filter for Download + foreach($p in $pkgPath) { + $file = $p.FullName + $fileName = $p.BaseName + Write-Verbose -verbose "Compressing $file" + $zipFile = "$(Pipeline.Workspace)\${fileName}.zip" + Write-Verbose -Verbose "Zip file: $zipFile" + Compress-Archive -Path $file -Destination $zipFile + } - - task: DownloadPipelineArtifact@2 - inputs: - buildType: 'current' - artifact: macos-pkgs - itemPattern: '$(pkgNameFilter)' - targetPath: '$(Build.ArtifactStagingDirectory)/downloads' - displayName: Download MacOS packages + Write-Verbose -Verbose "Compressed files:" + Get-ChildItem -Path $(Pipeline.Workspace) -Filter "*.zip" -File | Write-Verbose -Verbose + displayName: Compress package files for signing - task: onebranch.pipeline.signing@1 displayName: 'OneBranch CodeSigning Package' inputs: command: 'sign' - files_to_sign: '**/*.pkg' + files_to_sign: '**/*.zip' search_root: '$(Build.ArtifactStagingDirectory)/downloads/' inline_operation: | [ 
@@ -193,6 +194,22 @@ jobs: ] - pwsh: | - $pkgPath = Get-ChildItem -Path "$(Build.ArtifactStagingDirectory)/downloads" -Recurse -Filter "*.pkg" | Select-Object -ExpandProperty FullName - Write-Host "##vso[artifact.upload containerfolder=signed-macos-pkgs;artifactname=signed-macos-pkgs]$pkgPath" - displayName: Upload signed MacOS packages to Artifacts + $signedPkg = Get-ChildItem -Path $(Pipeline.Workspace) -Filter "*osx*.zip" -File + + $signedPkg | ForEach-Object { + Write-Verbose -Verbose "Signed package zip: $_" + + if (-not (Test-Path $_)) { + throw "Package not found: $_" + } + + if (-not (Test-Path $env:ob_outputDirectory)) { + $null = New-Item -Path $env:ob_outputDirectory -ItemType Directory + } + + Expand-Archive -Path $_ -DestinationPath $env:ob_outputDirectory -Verbose + } + + Write-Verbose -Verbose "Expanded pkg file:" + Get-ChildItem -Path $env:ob_outputDirectory | Write-Verbose -Verbose + displayName: Expand signed file From 87a8171cd2ebcc47eb422f4a62ed1fca306f8eea Mon Sep 17 00:00:00 2001 From: Justin Chung Date: Tue, 8 Apr 2025 14:15:04 -0500 Subject: [PATCH 22/44] Search pipeline.workspace --- .pipelines/templates/mac-package-build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pipelines/templates/mac-package-build.yml b/.pipelines/templates/mac-package-build.yml index 1e141458e8f..b42c8ed1b77 100644 --- a/.pipelines/templates/mac-package-build.yml +++ b/.pipelines/templates/mac-package-build.yml @@ -178,7 +178,7 @@ jobs: inputs: command: 'sign' files_to_sign: '**/*.zip' - search_root: '$(Build.ArtifactStagingDirectory)/downloads/' + search_root: '$(Pipeline.Workspace)' inline_operation: | [ { From 4cd31eb9e063d1d401c286253e16efc64ab2e471 Mon Sep 17 00:00:00 2001 From: Justin Chung Date: Tue, 8 Apr 2025 16:15:37 -0500 Subject: [PATCH 23/44] Filter for only osx zip --- .pipelines/templates/mac-package-build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.pipelines/templates/mac-package-build.yml b/.pipelines/templates/mac-package-build.yml index b42c8ed1b77..3e590338e44 100644 --- a/.pipelines/templates/mac-package-build.yml +++ b/.pipelines/templates/mac-package-build.yml @@ -177,7 +177,7 @@ jobs: displayName: 'OneBranch CodeSigning Package' inputs: command: 'sign' - files_to_sign: '**/*.zip' + files_to_sign: '**/*-osx-*.zip' search_root: '$(Pipeline.Workspace)' inline_operation: | [ From 8a1dcb04230121050abaea79a5110c5043ec6d51 Mon Sep 17 00:00:00 2001 From: Justin Chung Date: Tue, 8 Apr 2025 20:33:57 -0500 Subject: [PATCH 24/44] Fix ob_outputdirectory reference --- .pipelines/templates/mac-package-build.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.pipelines/templates/mac-package-build.yml b/.pipelines/templates/mac-package-build.yml index 3e590338e44..c4611d1b9a9 100644 --- a/.pipelines/templates/mac-package-build.yml +++ b/.pipelines/templates/mac-package-build.yml @@ -203,13 +203,13 @@ jobs: throw "Package not found: $_" } - if (-not (Test-Path $env:ob_outputDirectory)) { - $null = New-Item -Path $env:ob_outputDirectory -ItemType Directory + if (-not (Test-Path $(ob_outputDirectory))) { + $null = New-Item -Path $(ob_outputDirectory) -ItemType Directory } - Expand-Archive -Path $_ -DestinationPath $env:ob_outputDirectory -Verbose + Expand-Archive -Path $_ -DestinationPath $(ob_outputDirectory) -Verbose } Write-Verbose -Verbose "Expanded pkg file:" - Get-ChildItem -Path $env:ob_outputDirectory | Write-Verbose -Verbose + Get-ChildItem -Path $(ob_outputDirectory) | Write-Verbose -Verbose displayName: Expand signed file From 1a10ad7bbb3e3d3be6ba5d61678440440b6e7a0f Mon Sep 17 00:00:00 2001 From: Justin Chung Date: Wed, 9 Apr 2025 11:58:24 -0500 Subject: [PATCH 25/44] Use KeyCode --- .pipelines/templates/mac-package-build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
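Review bot: All four uses of `$(ob_outputDirectory)` added in the `-203,13` hunk are unquoted. It is a pipeline macro, so its value is pasted into the script text before PowerShell parses it. A path with a space, or a character PowerShell treats specially, would split the argument or be evaluated. Quoting each use, e.g. `Expand-Archive -Path $_ -DestinationPath '$(ob_outputDirectory)' -Verbose`, keeps it one literal string. The enclosing script block starts outside this hunk.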
diff --git a/.pipelines/templates/mac-package-build.yml b/.pipelines/templates/mac-package-build.yml index c4611d1b9a9..f3cbd691474 100644 --- a/.pipelines/templates/mac-package-build.yml +++ b/.pipelines/templates/mac-package-build.yml @@ -182,7 +182,7 @@ jobs: inline_operation: | [ { - "KeyCode": "CP-401337-Apple", + "KeyCode": "$(KeyCode)", "OperationCode": "MacAppDeveloperSign", "ToolName": "sign", "ToolVersion": "1.0", From ee06651802ee2a3e083382ce18663ecfd3bd5c6a Mon Sep 17 00:00:00 2001 From: Justin Chung Date: Wed, 9 Apr 2025 12:32:07 -0500 Subject: [PATCH 26/44] Upload msixbundle to artifacts --- .pipelines/templates/release-create-msix.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/.pipelines/templates/release-create-msix.yml b/.pipelines/templates/release-create-msix.yml index 0188ed4c2bc..227246b09fa 100644 --- a/.pipelines/templates/release-create-msix.yml +++ b/.pipelines/templates/release-create-msix.yml @@ -69,6 +69,7 @@ jobs: & $makeappx bundle /d $sourceDir /p "$outputDir\$pkgName" Get-ChildItem -Path $sourceDir -Recurse + # "Uploading msixbundle to Artifacts $vstsCommandString = "vso[task.setvariable variable=BundleDir]$outputDir" Write-Host "sending " + $vstsCommandString Write-Host "##$vstsCommandString" @@ -82,6 +83,16 @@ jobs: signing_profile: Dynamic-WINMSAPP1ST files_to_sign: '**/*.msixbundle' search_root: '$(BundleDir)' + + - pwsh: | + $signedBundle = Get-ChildItem -Path $(BundleDir) -Filter "*.msixbundle" -File + Write-Verbose -Verbose "Signed bundle: $signedBundle" + + Copy-Item -Path $signedBundle -DestinationPath $(ob_outputDirectory) -Verbose + + Write-Verbose -Verbose "Uploaded Bundle:" + Get-ChildItem -Path $(ob_outputDirectory) | Write-Verbose -Verbose + displayName: Upload msixbundle to Artifacts - task: AzurePowerShell@5 displayName: Upload msix to blob From 4cce0fe42bff33ba52761459234a3ed4c667cb5d Mon Sep 17 00:00:00 2001 
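Review bot: `Copy-Item` has no `-DestinationPath` parameter, so the copy added in the `Upload msixbundle to Artifacts` step stops with a parameter-binding error. It should read `Copy-Item -Path $signedBundle -Destination '$(ob_outputDirectory)' -Verbose`. `$signedBundle` is also used without checking that `Get-ChildItem` found anything; `if (-not $signedBundle) { throw "No .msixbundle found" }` before the copy gives a clearer failure. The comment added in the `-69,6` hunk, `# "Uploading msixbundle to Artifacts`, has a stray opening quote and sits above the `BundleDir` variable assignment rather than above an upload.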
From: Justin Chung Date: Wed, 9 Apr 2025 12:47:29 -0500 Subject: [PATCH 27/44] Fix Destination parameter --- .pipelines/templates/release-create-msix.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pipelines/templates/release-create-msix.yml b/.pipelines/templates/release-create-msix.yml index 227246b09fa..c6b5ba51677 100644 --- a/.pipelines/templates/release-create-msix.yml +++ b/.pipelines/templates/release-create-msix.yml @@ -88,7 +88,7 @@ jobs: $signedBundle = Get-ChildItem -Path $(BundleDir) -Filter "*.msixbundle" -File Write-Verbose -Verbose "Signed bundle: $signedBundle" - Copy-Item -Path $signedBundle -DestinationPath $(ob_outputDirectory) -Verbose + Copy-Item -Path $signedBundle -Destination $(ob_outputDirectory) -Verbose Write-Verbose -Verbose "Uploaded Bundle:" Get-ChildItem -Path $(ob_outputDirectory) | Write-Verbose -Verbose From 287b457e575d932c6aecfd42c8d1f1f7729b83aa Mon Sep 17 00:00:00 2001 From: Justin Chung Date: Fri, 11 Apr 2025 12:51:41 -0500 Subject: [PATCH 28/44] Combined github and nuget releases --- .pipelines/PowerShell-Release-Official.yml | 33 ++++------ ...ithubtasks.yml => release-githubNuget.yml} | 60 +++++++++++++++++++ .../templates/release-publish-nuget.yml | 58 ------------------ 3 files changed, 71 insertions(+), 80 deletions(-) rename .pipelines/templates/{release-githubtasks.yml => release-githubNuget.yml} (60%) delete mode 100644 .pipelines/templates/release-publish-nuget.yml diff --git a/.pipelines/PowerShell-Release-Official.yml b/.pipelines/PowerShell-Release-Official.yml index bb83c98ae81..35f1fa1f3aa 100644 --- a/.pipelines/PowerShell-Release-Official.yml +++ b/.pipelines/PowerShell-Release-Official.yml 
@@ -17,8 +17,8 @@ parameters: # parameters are shown up in ADO UI in a build queue time displayName: Skip Signing type: string default: 'NO' - - name: SkipPMCPublish - displayName: Skip PMC Publish + - name: SkipPublish + displayName: Skip Publishing to GitHub and Nuget type: boolean default: false - name: SkipPSInfraInstallers @@ -83,7 +83,7 @@ resources: - releases/* extends: - template: v2/OneBranch.Official.CrossPlat.yml@templates + template: v2/OneBranch.NonOfficial.CrossPlat.yml@templates parameters: release: category: NonAzure @@ -280,16 +280,18 @@ extends: Update and merge the changelog for the release. This step is required for creating GitHub draft release. - - stage: PublishGitHubRelease - displayName: Publish GitHub Release + - stage: PublishGitHubReleaseAndNuget + displayName: Publish GitHub and Nuget Release dependsOn: - setReleaseTagAndUploadTools - UpdateChangeLog variables: - ob_release_environment: Production + ob_release_environment: Test jobs: - - template: /.pipelines/templates/release-githubtasks.yml@self - + - template: /.pipelines/templates/release-githubNuget.yml@self + parameters: + SkipPublish: ${{ parameters.SkipPublish }} + - stage: PushGitTagAndMakeDraftPublic displayName: Push Git Tag and Make Draft Public dependsOn: PublishGitHubRelease @@ -317,19 +319,7 @@ extends: jobs: - template: /.pipelines/templates/release-MakeBlobPublic.yml@self parameters: - SkipPSInfraInstallers: ${{ parameters.SkipPSInfraInstallers }} - - - stage: PublishNuGet - displayName: Publish NuGet - dependsOn: - - setReleaseTagAndUploadTools - - PushGitTagAndMakeDraftPublic - variables: - ob_release_environment: Production - jobs: - - template: /.pipelines/templates/release-publish-nuget.yml@self - parameters: - skipPublish: true + SkipPSInfraInstallers: ${{ parameters.SkipPSInfraInstallers }} - stage: PublishPMC displayName: Publish PMC 
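Review bot: A pipeline file named PowerShell-Release-Official.yml should not extend `v2/OneBranch.NonOfficial.CrossPlat.yml@templates` without an explanation, yet the `-83,7` hunk makes that switch. The `-280,16` hunk also changes `ob_release_environment` from `Production` to `Test`. The commit subject describes only combining the GitHub and NuGet releases, so these look like test-run settings. If they are intended, each line needs a comment saying why; otherwise restore `v2/OneBranch.Official.CrossPlat.yml@templates` and `Production` before the series lands. What the Official template enforces is not visible here, so confirm with the template owners what the switch drops.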
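Review bot: The stage `PushGitTagAndMakeDraftPublic` still has `dependsOn: PublishGitHubRelease` (context line at the end of the `-280,16` hunk), but that stage is renamed to `PublishGitHubReleaseAndNuget` in the same hunk. The dependency now names a stage that no longer exists and should become `dependsOn: PublishGitHubReleaseAndNuget`. The caller passes `SkipPublish:` while the template declares `skipPublish`; using one spelling avoids relying on how parameter names are matched.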
@@ -423,7 +413,6 @@ extends: - stage: ChangesToMaster displayName: Ensure changes are in GH master dependsOn: - - PublishNuGet - PublishPMC jobs: - template: /.pipelines/templates/approvalJob.yml@self diff --git a/.pipelines/templates/release-githubtasks.yml b/.pipelines/templates/release-githubNuget.yml similarity index 60% rename from .pipelines/templates/release-githubtasks.yml rename to .pipelines/templates/release-githubNuget.yml index acdb45e18fb..f0f8bb328ae 100644 --- a/.pipelines/templates/release-githubtasks.yml +++ b/.pipelines/templates/release-githubNuget.yml @@ -1,3 +1,8 @@ +parameters: + - name: skipPublish + default: false + type: boolean + jobs: - job: GithubReleaseDraft displayName: Create GitHub Release Draft @@ -58,6 +63,7 @@ jobs: displayName: List all files in the workspace - task: PowerShell@2 + condition: and(ne('${{ parameters.skipPublish }}', 'false'), succeeded()) inputs: targetType: inline pwsh: true 
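Review bot: The `condition: and(ne('${{ parameters.skipPublish }}', 'false'), succeeded())` added in the `-58,6` hunk is inverted. It is true only when `skipPublish` is not false, so the task (apparently Publish Release Draft) runs when the caller asks to skip publishing and is skipped with the default `false`. It should be `condition: and(eq('${{ parameters.skipPublish }}', 'false'), succeeded())`. The same condition is repeated on the `Download and capture nupkgs` step and the `NuGet push` task in the `-86,3` hunk, where a run with Skip Publishing selected would push to NuGet. The task's inline script continues outside this hunk.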
@@ -86,3 +92,57 @@ jobs: Publish-ReleaseDraft -Tag '$(ReleaseTag)' -Name '$(ReleaseTag) Release of PowerShell' -Description $clContent -User PowerShell -Repository PowerShell -PackageFolder "$(Pipeline.Workspace)/GitHubPackages" -Token $(GitHubReleasePat) displayName: Publish Release Draft + +- job: NuGetPublish + displayName: Publish to NuGet + condition: succeeded() + pool: + type: release + os: windows + templateContext: + inputs: + - input: pipelineArtifact + artifactName: drop_setReleaseTagAndUploadTools_SetTagAndTools + - input: pipelineArtifact + pipeline: PSPackagesOfficial + artifactName: drop_upload_upload_packages + variables: + - template: ./variable/release-shared.yml@self + parameters: + VERSION: $[ stageDependencies.setReleaseTagAndUploadTools.SetTagAndTools.outputs['OutputVersion.Version'] ] + + steps: + - template: release-install-pwsh.yml + + - pwsh: | + Write-Verbose -Verbose "Version: $(Version)" + Get-ChildItem Env: | Out-String -width 9999 -Stream | write-Verbose -Verbose + displayName: 'Capture Environment Variables' + + - pwsh: | + #Exclude all global tool packages. Their names start with 'PowerShell.' 
+ $null = New-Item -ItemType Directory -Path "$(Pipeline.Workspace)/release" + Copy-Item "$(Pipeline.Workspace)/NuGetPackages/*.nupkg" -Destination "$(Pipeline.Workspace)/release" -Exclude "PowerShell.*.nupkg" -Force -Verbose + + $releaseVersion = '$(Version)' + $globalToolPath = "$(Pipeline.Workspace)/NuGetPackages/PowerShell.$releaseVersion.nupkg" + + if ($releaseVersion -notlike '*-*') { + # Copy the global tool package for stable releases + Copy-Item $globalToolPath -Destination "$(Pipeline.Workspace)/release" + } + + Write-Verbose -Verbose "The .nupkgs below will be pushed:" + Get-ChildItem "$(Pipeline.Workspace)/release" -recurse + displayName: Download and capture nupkgs + condition: and(ne('${{ parameters.skipPublish }}', 'false'), succeeded()) + + - task: NuGetCommand@2 + displayName: 'NuGet push' + condition: and(ne('${{ parameters.skipPublish }}', 'false'), succeeded()) + inputs: + command: push + packagesToPush: '$(Pipeline.Workspace)/release/*.nupkg' + nuGetFeedType: external + publishFeedCredentials: PowerShellNuGetOrgPush + \ No newline at end of file diff --git a/.pipelines/templates/release-publish-nuget.yml b/.pipelines/templates/release-publish-nuget.yml deleted file mode 100644 index 98249844d4c..00000000000 --- a/.pipelines/templates/release-publish-nuget.yml +++ /dev/null 
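Review bot: The new `NuGetPublish` job writes its whole environment to the log with `Get-ChildItem Env: | Out-String -width 9999 -Stream | write-Verbose -Verbose`, in the same job that later uses the `PowerShellNuGetOrgPush` credential. Secret pipeline variables are masked in logs, but a value that reaches the environment in another form (encoded, split, or never registered as secret) would be printed verbatim and retained with the run. Keeping only `Write-Verbose -Verbose "Version: $(Version)"` preserves the diagnostic the step is named for. The job is carried over from `release-publish-nuget.yml`, so the move is a convenient point to trim it.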
@@ -1,58 +0,0 @@ -parameters: - - name: skipPublish - default: false - type: boolean - -jobs: -- job: NuGetPublish - displayName: Publish to NuGet - condition: succeeded() - pool: - type: release - os: windows - templateContext: - inputs: - - input: pipelineArtifact - artifactName: drop_setReleaseTagAndUploadTools_SetTagAndTools - - input: pipelineArtifact - pipeline: PSPackagesOfficial - artifactName: drop_upload_upload_packages - variables: - - template: ./variable/release-shared.yml@self - parameters: - VERSION: $[ stageDependencies.setReleaseTagAndUploadTools.SetTagAndTools.outputs['OutputVersion.Version'] ] - - steps: - - template: release-install-pwsh.yml - - - pwsh: | - Write-Verbose -Verbose "Version: $(Version)" - Get-ChildItem Env: | Out-String -width 9999 -Stream | write-Verbose -Verbose - displayName: 'Capture Environment Variables' - - - pwsh: | - #Exclude all global tool packages. Their names start with 'PowerShell.' - $null = New-Item -ItemType Directory -Path "$(Pipeline.Workspace)/release" - Copy-Item "$(Pipeline.Workspace)/NuGetPackages/*.nupkg" -Destination "$(Pipeline.Workspace)/release" -Exclude "PowerShell.*.nupkg" -Force -Verbose - - $releaseVersion = '$(Version)' - $globalToolPath = "$(Pipeline.Workspace)/NuGetPackages/PowerShell.$releaseVersion.nupkg" - - if ($releaseVersion -notlike '*-*') { - # Copy the global tool package for stable releases - Copy-Item $globalToolPath -Destination "$(Pipeline.Workspace)/release" - } - - Write-Verbose -Verbose "The .nupkgs below will be pushed:" - Get-ChildItem "$(Pipeline.Workspace)/release" -recurse - displayName: Download and capture nupkgs - condition: and(ne('${{ parameters.skipPublish }}', 'false'), succeeded()) - - - task: NuGetCommand@2 - displayName: 'NuGet push' - condition: and(ne('${{ parameters.skipPublish }}', 'false'), succeeded()) - inputs: - command: push - packagesToPush: '$(Pipeline.Workspace)/release/*.nupkg' - nuGetFeedType: external - publishFeedCredentials: PowerShellNuGetOrgPush 
From 5d1df492481e30258111439e5b71794bc7bfa4b5 Mon Sep 17 00:00:00 2001 From: Justin Chung Date: Fri, 11 Apr 2025 12:54:28 -0500 Subject: [PATCH 29/44] Change name for stage dependency --- .pipelines/PowerShell-Release-Official.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pipelines/PowerShell-Release-Official.yml b/.pipelines/PowerShell-Release-Official.yml index 35f1fa1f3aa..c7f4b349eb2 100644 --- a/.pipelines/PowerShell-Release-Official.yml +++ b/.pipelines/PowerShell-Release-Official.yml @@ -294,7 +294,7 @@ extends: - stage: PushGitTagAndMakeDraftPublic displayName: Push Git Tag and Make Draft Public - dependsOn: PublishGitHubRelease + dependsOn: PublishGitHubReleaseAndNuget jobs: - template: /.pipelines/templates/approvalJob.yml@self parameters: From 0bff81e507d7150d037acd3bab9cd35f5ad10126 Mon Sep 17 00:00:00 2001 From: Justin Chung Date: Fri, 11 Apr 2025 13:35:06 -0500 Subject: [PATCH 30/44] Remove SNAP --- .pipelines/PowerShell-Release-Official.yml | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/.pipelines/PowerShell-Release-Official.yml b/.pipelines/PowerShell-Release-Official.yml index c7f4b349eb2..a06daccccec 100644 --- a/.pipelines/PowerShell-Release-Official.yml +++ b/.pipelines/PowerShell-Release-Official.yml @@ -422,17 +422,6 @@ extends: instructions: | Make sure that changes README.md and metadata.json are merged into master on GitHub. - - stage: ReleaseSnap - displayName: Release Snap - dependsOn: ChangesToMaster - jobs: - - template: /.pipelines/templates/approvalJob.yml@self - parameters: - displayName: Publish Snap - jobName: PublishSnapJob - instructions: | - Publish Snap - - stage: ReleaseToMU displayName: Release to MU dependsOn: PushGitTagAndMakeDraftPublic # This only needs the blob to be available @@ -448,7 +437,6 @@ extends: dependsOn: - ReleaseToMU - ReleaseSymbols - - ReleaseSnap jobs: - template: /.pipelines/templates/approvalJob.yml@self parameters: 
From 163cd7a7941513c2b390d4b4f0812f428182325d Mon Sep 17 00:00:00 2001 From: Justin Chung Date: Fri, 11 Apr 2025 16:16:36 -0500 Subject: [PATCH 31/44] Use GitHubRelease Task --- .pipelines/templates/release-githubNuget.yml | 45 ++++++++++++-------- 1 file changed, 28 insertions(+), 17 deletions(-) diff --git a/.pipelines/templates/release-githubNuget.yml b/.pipelines/templates/release-githubNuget.yml index f0f8bb328ae..6eec7cdf78d 100644 --- a/.pipelines/templates/release-githubNuget.yml +++ b/.pipelines/templates/release-githubNuget.yml @@ -12,8 +12,6 @@ jobs: os: windows templateContext: inputs: - - input: pipelineArtifact - artifactName: drop_setReleaseTagAndUploadTools_SetTagAndTools - input: pipelineArtifact pipeline: PSPackagesOfficial artifactName: drop_upload_upload_packages @@ -63,12 +61,10 @@ jobs: displayName: List all files in the workspace - task: PowerShell@2 - condition: and(ne('${{ parameters.skipPublish }}', 'false'), succeeded()) inputs: targetType: inline pwsh: true script: | - Import-module '$(Pipeline.Workspace)/ToolArtifact/GitHubRelease.psm1' $releaseVersion = '$(ReleaseTag)' -replace '^v','' Write-Verbose -Verbose "Available modules: " Get-Module | Write-Verbose -Verbose 
@@ -89,9 +85,26 @@ jobs: $clContent = $changelog | Select-Object -Skip ($startLine-1) -First ($endLine - $startLine) | Out-String Write-Verbose -Verbose "Selected content: `n$clContent" - - Publish-ReleaseDraft -Tag '$(ReleaseTag)' -Name '$(ReleaseTag) Release of PowerShell' -Description $clContent -User PowerShell -Repository PowerShell -PackageFolder "$(Pipeline.Workspace)/GitHubPackages" -Token $(GitHubReleasePat) - displayName: Publish Release Draft + + #upload clContent as a variable + Write-Host "##vso[task.setvariable variable=ReleaseNotes;]$clContent" + + #if name has prelease then make preelease true as a variable + if ($releaseVersion -like '*-preview*') { + Write-Host "##vso[task.setvariable variable=IsPreRelease;]true" + } else { + Write-Host "##vso[task.setvariable variable=IsPreRelease;]false" + } + displayName: Set variables for GitHub release task + + - task: GitHubRelease@1 + inputs: + gitHubConnection: 'GitHubRelease' + action: 'create' + tag: '$(ReleaseTag)' + releaseNotesInline: '$(ReleaseNotes)' + isDraft: true + isPrerelease: '$(IsPreRelease)' - job: NuGetPublish displayName: Publish to NuGet @@ -101,8 +114,6 @@ jobs: os: windows templateContext: inputs: - - input: pipelineArtifact - artifactName: drop_setReleaseTagAndUploadTools_SetTagAndTools - input: pipelineArtifact pipeline: PSPackagesOfficial artifactName: drop_upload_upload_packages 
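Review bot: The pre-release test `$releaseVersion -like '*-preview*'` recognises only preview tags, so a release-candidate tag (constructed example: `v1.2.3-rc.1`) would set `IsPreRelease` to `false` and the GitHub release would be created as a stable one. The NuGet job in this same template treats any version containing a hyphen as non-stable (`$releaseVersion -notlike '*-*'`); using the same rule here, `if ($releaseVersion -like '*-*') {`, keeps the two publishers in agreement. The script this belongs to starts outside the hunk.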
@@ -137,12 +148,12 @@ jobs: displayName: Download and capture nupkgs condition: and(ne('${{ parameters.skipPublish }}', 'false'), succeeded()) - - task: NuGetCommand@2 - displayName: 'NuGet push' - condition: and(ne('${{ parameters.skipPublish }}', 'false'), succeeded()) - inputs: - command: push - packagesToPush: '$(Pipeline.Workspace)/release/*.nupkg' - nuGetFeedType: external - publishFeedCredentials: PowerShellNuGetOrgPush + #- task: NuGetCommand@2 + # displayName: 'NuGet push' + # condition: and(ne('${{ parameters.skipPublish }}', 'false'), succeeded()) + # inputs: + # command: push + # packagesToPush: '$(Pipeline.Workspace)/release/*.nupkg' + # nuGetFeedType: external + # publishFeedCredentials: PowerShellNuGetOrgPush \ No newline at end of file From db19c9efcd427af8ac93bff6b6fefab1e3fe833c Mon Sep 17 00:00:00 2001 From: Justin Chung Date: Fri, 11 Apr 2025 16:23:05 -0500 Subject: [PATCH 32/44] use PowerShell service connection --- .pipelines/templates/release-githubNuget.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pipelines/templates/release-githubNuget.yml b/.pipelines/templates/release-githubNuget.yml index 6eec7cdf78d..39bfa4796c8 100644 --- a/.pipelines/templates/release-githubNuget.yml +++ b/.pipelines/templates/release-githubNuget.yml @@ -99,7 +99,7 @@ jobs: - task: GitHubRelease@1 inputs: - gitHubConnection: 'GitHubRelease' + gitHubConnection: PowerShell action: 'create' tag: '$(ReleaseTag)' releaseNotesInline: '$(ReleaseNotes)' From c43a198a1be5da90bf3e584b11414a0d68c68494 Mon Sep 17 00:00:00 2001 
From: Justin Chung Date: Fri, 11 Apr 2025 16:41:55 -0500 Subject: [PATCH 33/44] Change stage and job name remove tool upload --- .pipelines/PowerShell-Release-Official.yml | 6 ++-- ...ols.yml => release-SetTagAndChangelog.yml} | 28 +------------------ .pipelines/templates/release-githubNuget.yml | 6 ++-- 3 files changed, 8 insertions(+), 32 deletions(-) rename .pipelines/templates/{release-SetTagAndTools.yml => release-SetTagAndChangelog.yml} (60%) diff --git a/.pipelines/PowerShell-Release-Official.yml b/.pipelines/PowerShell-Release-Official.yml index a06daccccec..a686513121c 100644 --- a/.pipelines/PowerShell-Release-Official.yml +++ b/.pipelines/PowerShell-Release-Official.yml @@ -116,10 +116,10 @@ extends: tsaOptionsFile: .config\tsaoptions.json stages: - - stage: setReleaseTagAndUploadTools + - stage: setReleaseTagAndChangelog displayName: 'Set Release Tag and Upload Tools' jobs: - - template: /.pipelines/templates/release-SetTagAndTools.yml@self + - template: /.pipelines/templates/release-SetTagAndChangelog.yml@self - stage: msixbundle displayName: 'Create MSIX Bundle' @@ -283,7 +283,7 @@ extends: - stage: PublishGitHubReleaseAndNuget displayName: Publish GitHub and Nuget Release dependsOn: - - setReleaseTagAndUploadTools + - setReleaseTagAndChangelog - UpdateChangeLog variables: ob_release_environment: Test diff --git a/.pipelines/templates/release-SetTagAndTools.yml b/.pipelines/templates/release-SetTagAndChangelog.yml similarity index 60% rename from .pipelines/templates/release-SetTagAndTools.yml rename to .pipelines/templates/release-SetTagAndChangelog.yml index 7b8a946e323..4e3eb2ccc5e 100644 --- a/.pipelines/templates/release-SetTagAndTools.yml +++ b/.pipelines/templates/release-SetTagAndChangelog.yml @@ -1,5 +1,5 @@ jobs: -- job: SetTagAndTools +- job: setTagAndChangelog displayName: Set Tag and Tools condition: succeeded() pool: 
@@ -19,32 +19,6 @@ jobs: clean: true env: ob_restore_phase: true - - - checkout: PSInternalTools - clean: true - env: - ob_restore_phase: true - - - pwsh: | - New-Item -ItemType Directory -Path '$(Pipeline.Workspace)/ToolArtifact' - Get-ChildItem -Path '$(Build.SourcesDirectory)/Internal-PowerShellTeam-Tools/Scripts' -Filter 'GitHubRelease.psm1' -ErrorAction SilentlyContinue | - Copy-Item -Destination '$(Pipeline.Workspace)/ToolArtifact' -Verbose - displayName: Move GitHub Tool - - - task: onebranch.pipeline.signing@1 - displayName: Sign Tools - inputs: - command: 'sign' - signing_profile: internal_azure_service - files_to_sign: '*.ps1;*.psm1' - search_root: '$(Pipeline.Workspace)/ToolArtifact' - - - pwsh: | - Write-Verbose -Verbose "Creating output directory for release tools: $(ob_outputDirectory)/ToolArtifact" - New-Item -Path $(ob_outputDirectory)/ToolArtifact -ItemType Directory -Force - Get-ChildItem -Path "$(Pipeline.Workspace)/ToolArtifact/*" -Recurse | - Copy-Item -Destination $(ob_outputDirectory)/ToolArtifact -Recurse -Verbose - displayName: Upload Tools - pwsh: | Write-Verbose -Verbose "Release Tag: $(OutputReleaseTag.releaseTag)" diff --git a/.pipelines/templates/release-githubNuget.yml b/.pipelines/templates/release-githubNuget.yml index 39bfa4796c8..7de523ec0ef 100644 --- a/.pipelines/templates/release-githubNuget.yml +++ b/.pipelines/templates/release-githubNuget.yml @@ -12,13 +12,15 @@ jobs: os: windows templateContext: inputs: + - input: pipelineArtifact + artifactName: drop_setReleaseTagAndChangelog_SetTagAndChangelog - input: pipelineArtifact pipeline: PSPackagesOfficial artifactName: drop_upload_upload_packages variables: - template: ./variable/release-shared.yml@self parameters: - RELEASETAG: $[ stageDependencies.setReleaseTagAndUploadTools.SetTagAndTools.outputs['OutputReleaseTag.releaseTag'] ] + RELEASETAG: $[ stageDependencies.setReleaseTagAndChangelog.setTagAndChangelog.outputs['OutputReleaseTag.releaseTag'] ] steps: - task: PowerShell@2 
@@ -120,7 +122,7 @@ jobs: variables: - template: ./variable/release-shared.yml@self parameters: - VERSION: $[ stageDependencies.setReleaseTagAndUploadTools.SetTagAndTools.outputs['OutputVersion.Version'] ] + VERSION: $[ stageDependencies.setReleaseTagAndChangelog.SetTagAndChangelog.outputs['OutputVersion.Version'] ] steps: - template: release-install-pwsh.yml From e136d0f7c86630bbaea23fc7bea811089ff209e9 Mon Sep 17 00:00:00 2001 From: Justin Chung Date: Fri, 11 Apr 2025 16:54:29 -0500 Subject: [PATCH 34/44] Remove tag option --- .pipelines/templates/release-githubNuget.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.pipelines/templates/release-githubNuget.yml b/.pipelines/templates/release-githubNuget.yml index 7de523ec0ef..913afd96f25 100644 --- a/.pipelines/templates/release-githubNuget.yml +++ b/.pipelines/templates/release-githubNuget.yml @@ -103,7 +103,6 @@ jobs: inputs: gitHubConnection: PowerShell action: 'create' - tag: '$(ReleaseTag)' releaseNotesInline: '$(ReleaseNotes)' isDraft: true isPrerelease: '$(IsPreRelease)' From f567186f75d145343369c59185865503d172addf Mon Sep 17 00:00:00 2001 From: Justin Chung Date: Fri, 11 Apr 2025 19:56:33 -0500 Subject: [PATCH 35/44] Use user specified tag --- .pipelines/templates/release-githubNuget.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.pipelines/templates/release-githubNuget.yml b/.pipelines/templates/release-githubNuget.yml index 913afd96f25..c14d9958192 100644 --- a/.pipelines/templates/release-githubNuget.yml +++ b/.pipelines/templates/release-githubNuget.yml 
@@ -102,9 +102,15 @@ jobs: - task: GitHubRelease@1 inputs: gitHubConnection: PowerShell + repositoryName: PowerShell/PowerShell + target: $ENV:BUILD_SOURCEBRANCH + assets: '$(Pipeline.Workspace)/GitHubPackages/*' + tagSource: 'userSpecified' + tag: '$(ReleaseTag)' + isDraft: true + addChangeLog: false action: 'create' releaseNotesInline: '$(ReleaseNotes)' - isDraft: true isPrerelease: '$(IsPreRelease)' - job: NuGetPublish From f01019bb70fec39a03c0eda4e025b338354d3b39 Mon Sep 17 00:00:00 2001 From: Justin Chung Date: Fri, 11 Apr 2025 21:13:40 -0500 Subject: [PATCH 36/44] User specified tag --- .pipelines/templates/release-githubNuget.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pipelines/templates/release-githubNuget.yml b/.pipelines/templates/release-githubNuget.yml index c14d9958192..855274a04b1 100644 --- a/.pipelines/templates/release-githubNuget.yml +++ b/.pipelines/templates/release-githubNuget.yml @@ -105,7 +105,7 @@ jobs: repositoryName: PowerShell/PowerShell target: $ENV:BUILD_SOURCEBRANCH assets: '$(Pipeline.Workspace)/GitHubPackages/*' - tagSource: 'userSpecified' + tagSource: 'userSpecifiedTag' tag: '$(ReleaseTag)' isDraft: true addChangeLog: false From 13f4743675d4076f97a326226c8e8bdceef4a8d7 Mon Sep 17 00:00:00 2001 From: Justin Chung Date: Fri, 11 Apr 2025 21:52:35 -0500 Subject: [PATCH 37/44] Debug release notes --- .pipelines/templates/release-githubNuget.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.pipelines/templates/release-githubNuget.yml b/.pipelines/templates/release-githubNuget.yml index 855274a04b1..ab1b2756060 100644 --- a/.pipelines/templates/release-githubNuget.yml +++ b/.pipelines/templates/release-githubNuget.yml @@ -88,7 +88,6 @@ jobs: Write-Verbose -Verbose "Selected content: `n$clContent" - #upload clContent as a variable Write-Host "##vso[task.setvariable variable=ReleaseNotes;]$clContent" #if name has prelease then make preelease true as a variable 
@@ -99,6 +98,11 @@ jobs: } displayName: Set variables for GitHub release task + - pwsh: | + Write-Host "ReleaseNotes content:" + Write-Host "$(ReleaseNotes)" + displayName: Verify Release Notes + - task: GitHubRelease@1 inputs: gitHubConnection: PowerShell From c07f79cbbd81b5e8b208ece92379ce7c4ba82d23 Mon Sep 17 00:00:00 2001 From: Justin Chung Date: Fri, 11 Apr 2025 22:15:14 -0500 Subject: [PATCH 38/44] Use releaseNotesFilePath --- .pipelines/templates/release-githubNuget.yml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/.pipelines/templates/release-githubNuget.yml b/.pipelines/templates/release-githubNuget.yml index ab1b2756060..804ce54ac33 100644 --- a/.pipelines/templates/release-githubNuget.yml +++ b/.pipelines/templates/release-githubNuget.yml @@ -88,8 +88,11 @@ jobs: Write-Verbose -Verbose "Selected content: `n$clContent" - Write-Host "##vso[task.setvariable variable=ReleaseNotes;]$clContent" - + $releaseNotesFilePath = "$(Pipeline.Workspace)/release-notes.md" + $clContent | Out-File -FilePath $releaseNotesFilePath -Encoding utf8 + + Write-Host "##vso[task.setvariable variable=ReleaseNotesFilePath;]$releaseNotesFilePath" + #if name has prelease then make preelease true as a variable if ($releaseVersion -like '*-preview*') { Write-Host "##vso[task.setvariable variable=IsPreRelease;]true" @@ -100,7 +103,7 @@ jobs: - pwsh: | Write-Host "ReleaseNotes content:" - Write-Host "$(ReleaseNotes)" + Get-Content "$(Pipeline.Workspace)/release-notes.md" -Raw | Out-String -width 9999 | Write-Host displayName: Verify Release Notes - task: GitHubRelease@1 @@ -114,7 +117,7 @@ jobs: isDraft: true addChangeLog: false action: 'create' - releaseNotesInline: '$(ReleaseNotes)' + releaseNotesFilePath: '$(ReleaseNotesFilePath)' isPrerelease: '$(IsPreRelease)' - job: NuGetPublish From c41f9b40b997eb33a1c55bb73858fe7e90a06e22 Mon Sep 17 00:00:00 2001 
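Review bot: The added verify step expands `$(ReleaseNotes)` into the script text before PowerShell parses it (`Write-Host "$(ReleaseNotes)"`), so the changelog excerpt becomes part of the program and is no longer just data. A double quote, backtick or `$(...)` in that excerpt would change what the step executes, and the changelog is presumably edited through ordinary pull requests. Map the value into the environment and read it from there: add `env:` with `RELEASE_NOTES: $(ReleaseNotes)` to the step and print it with `Write-Host $env:RELEASE_NOTES`. The variable is also set in the previous step through `##vso[task.setvariable ...]`, which carries a single line, so a multi-line excerpt would arrive truncated.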
From: Justin Chung Date: Fri, 11 Apr 2025 22:36:55 -0500 Subject: [PATCH 39/44] Use github release pat --- .pipelines/templates/release-githubNuget.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pipelines/templates/release-githubNuget.yml b/.pipelines/templates/release-githubNuget.yml index 804ce54ac33..dece861a2a0 100644 --- a/.pipelines/templates/release-githubNuget.yml +++ b/.pipelines/templates/release-githubNuget.yml @@ -108,7 +108,7 @@ jobs: - task: GitHubRelease@1 inputs: - gitHubConnection: PowerShell + gitHubConnection: $(GitHubReleasePat) repositoryName: PowerShell/PowerShell target: $ENV:BUILD_SOURCEBRANCH assets: '$(Pipeline.Workspace)/GitHubPackages/*' From 3ca612b8e0248096a754b256b96a1b7f8e341fd1 Mon Sep 17 00:00:00 2001 From: Justin Chung Date: Fri, 11 Apr 2025 22:39:08 -0500 Subject: [PATCH 40/44] Use new service connection --- .pipelines/templates/release-githubNuget.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pipelines/templates/release-githubNuget.yml b/.pipelines/templates/release-githubNuget.yml index dece861a2a0..363b5881ffd 100644 --- a/.pipelines/templates/release-githubNuget.yml +++ b/.pipelines/templates/release-githubNuget.yml @@ -108,7 +108,7 @@ jobs: - task: GitHubRelease@1 inputs: - gitHubConnection: $(GitHubReleasePat) + gitHubConnection: GitHubReleasePAT repositoryName: PowerShell/PowerShell target: $ENV:BUILD_SOURCEBRANCH assets: '$(Pipeline.Workspace)/GitHubPackages/*' From a3b4d32d07c436d2e6a0a61f49a76201b4e72417 Mon Sep 17 00:00:00 2001 From: Justin Chung Date: Mon, 14 Apr 2025 15:11:44 -0500 Subject: [PATCH 41/44] Use my repo to test tag --- .pipelines/templates/release-githubNuget.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pipelines/templates/release-githubNuget.yml b/.pipelines/templates/release-githubNuget.yml index 363b5881ffd..1c2dd3ca6f6 100644 --- a/.pipelines/templates/release-githubNuget.yml +++ b/.pipelines/templates/release-githubNuget.yml 
@@ -109,7 +109,7 @@ jobs: - task: GitHubRelease@1 inputs: gitHubConnection: GitHubReleasePAT - repositoryName: PowerShell/PowerShell + repositoryName: jshigetomi/PowerShell target: $ENV:BUILD_SOURCEBRANCH assets: '$(Pipeline.Workspace)/GitHubPackages/*' tagSource: 'userSpecifiedTag' From 2e2a7b33d48b901b4e254097f3b328c9405d5909 Mon Sep 17 00:00:00 2001 From: Justin Chung Date: Wed, 16 Apr 2025 09:10:38 -0500 Subject: [PATCH 42/44] Use target master for now --- .pipelines/templates/release-githubNuget.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pipelines/templates/release-githubNuget.yml b/.pipelines/templates/release-githubNuget.yml index 1c2dd3ca6f6..73157c48868 100644 --- a/.pipelines/templates/release-githubNuget.yml +++ b/.pipelines/templates/release-githubNuget.yml @@ -110,7 +110,7 @@ jobs: inputs: gitHubConnection: GitHubReleasePAT repositoryName: jshigetomi/PowerShell - target: $ENV:BUILD_SOURCEBRANCH + target: master assets: '$(Pipeline.Workspace)/GitHubPackages/*' tagSource: 'userSpecifiedTag' tag: '$(ReleaseTag)' From 5bf819b09ff5c07f1a18d748240006ca1163196f Mon Sep 17 00:00:00 2001 From: Justin Chung <124807742+jshigetomi@users.noreply.github.com> Date: Mon, 21 Apr 2025 13:48:27 -0500 Subject: [PATCH 43/44] Rename stages --- .pipelines/PowerShell-Release-Official.yml | 2 +- .pipelines/templates/release-SetTagAndChangelog.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.pipelines/PowerShell-Release-Official.yml b/.pipelines/PowerShell-Release-Official.yml index a686513121c..25c4bbbd328 100644 --- a/.pipelines/PowerShell-Release-Official.yml +++ b/.pipelines/PowerShell-Release-Official.yml @@ -117,7 +117,7 @@ extends: stages: - stage: setReleaseTagAndChangelog - displayName: 'Set Release Tag and Upload Tools' + displayName: 'Set Release Tag and Upload Changelog' jobs: - template: /.pipelines/templates/release-SetTagAndChangelog.yml@self 
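Review bot: `target: master` ties the release to whatever master points at when the task runs, not to the commit the packages were built from. With `tagSource: 'userSpecifiedTag'`, a `$(ReleaseTag)` that does not yet exist on GitHub would be created at that target, and the release definition references `releases/*` branches, so the tag and the uploaded assets could end up describing different sources. Pinning to a commit, for example `target: '$(Build.SourceVersion)'` or the SHA of the packages pipeline run if that is where the build happens, keeps tag, source and binaries aligned. The task's `inputs` block continues outside the hunk.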
diff --git a/.pipelines/templates/release-SetTagAndChangelog.yml b/.pipelines/templates/release-SetTagAndChangelog.yml index 4e3eb2ccc5e..f0c516dd28f 100644 --- a/.pipelines/templates/release-SetTagAndChangelog.yml +++ b/.pipelines/templates/release-SetTagAndChangelog.yml @@ -1,6 +1,6 @@ jobs: - job: setTagAndChangelog - displayName: Set Tag and Tools + displayName: Set Tag and Upload Changelog condition: succeeded() pool: type: windows From ff90291630629b0510c2ca28e6a09fe1fa38f265 Mon Sep 17 00:00:00 2001 From: Justin Chung <124807742+jshigetomi@users.noreply.github.com> Date: Mon, 21 Apr 2025 13:49:43 -0500 Subject: [PATCH 44/44] Switch to official --- .pipelines/PowerShell-Release-Official.yml | 4 ++-- .pipelines/templates/release-githubNuget.yml | 18 +++++++++--------- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/.pipelines/PowerShell-Release-Official.yml b/.pipelines/PowerShell-Release-Official.yml index 25c4bbbd328..4d924c4b44f 100644 --- a/.pipelines/PowerShell-Release-Official.yml +++ b/.pipelines/PowerShell-Release-Official.yml @@ -83,7 +83,7 @@ resources: - releases/* extends: - template: v2/OneBranch.NonOfficial.CrossPlat.yml@templates + template: v2/OneBranch.Official.CrossPlat.yml@templates parameters: release: category: NonAzure @@ -286,7 +286,7 @@ extends: - setReleaseTagAndChangelog - UpdateChangeLog variables: - ob_release_environment: Test + ob_release_environment: Production jobs: - template: /.pipelines/templates/release-githubNuget.yml@self parameters: diff --git a/.pipelines/templates/release-githubNuget.yml b/.pipelines/templates/release-githubNuget.yml index 73157c48868..8209bec538d 100644 --- a/.pipelines/templates/release-githubNuget.yml +++ b/.pipelines/templates/release-githubNuget.yml 
@@ -109,7 +109,7 @@ jobs: - task: GitHubRelease@1 inputs: gitHubConnection: GitHubReleasePAT - repositoryName: jshigetomi/PowerShell + repositoryName: PowerShell/PowerShell target: master assets: '$(Pipeline.Workspace)/GitHubPackages/*' tagSource: 'userSpecifiedTag' @@ -162,12 +162,12 @@ jobs: displayName: Download and capture nupkgs condition: and(ne('${{ parameters.skipPublish }}', 'false'), succeeded()) - #- task: NuGetCommand@2 - # displayName: 'NuGet push' - # condition: and(ne('${{ parameters.skipPublish }}', 'false'), succeeded()) - # inputs: - # command: push - # packagesToPush: '$(Pipeline.Workspace)/release/*.nupkg' - # nuGetFeedType: external - # publishFeedCredentials: PowerShellNuGetOrgPush + - task: NuGetCommand@2 + displayName: 'NuGet push' + condition: and(ne('${{ parameters.skipPublish }}', 'false'), succeeded()) + inputs: + command: push + packagesToPush: '$(Pipeline.Workspace)/release/*.nupkg' + nuGetFeedType: external + publishFeedCredentials: PowerShellNuGetOrgPush \ No newline at end of file