From b058f6ce4f509117f112192a2348c6c4be0f9901 Mon Sep 17 00:00:00 2001
From: Justin Chung <124807742+jshigetomi@users.noreply.github.com>
Date: Wed, 20 Aug 2025 15:35:55 -0500
Subject: [PATCH 1/5] Remove asyncSDL and add officialness parameter to all pipelines
---
 .pipelines/MSIXBundle-vPack-Official.yml | 2 --
 ...werShell-Coordinated_Packages-Official.yml | 30 +++++++++---------
 .pipelines/PowerShell-Packages-Official.yml | 31 ++++++++++---------
 .../PowerShell-Release-Official-Azure.yml | 12 +++++--
 .pipelines/PowerShell-Release-Official.yml | 13 +++++---
 .pipelines/PowerShell-vPack-Official.yml | 2 --
 6 files changed, 50 insertions(+), 40 deletions(-)
diff --git a/.pipelines/MSIXBundle-vPack-Official.yml b/.pipelines/MSIXBundle-vPack-Official.yml
index f20e8a31114..d34f0d2d349 100644
--- a/.pipelines/MSIXBundle-vPack-Official.yml
+++ b/.pipelines/MSIXBundle-vPack-Official.yml
@@ -71,8 +71,6 @@ extends: # APIScan requires a non-Ready-To-Run build apiscan: enabled: false - asyncSDL: - enabled: false tsaOptionsFile: .config/tsaoptions.json stages:
diff --git a/.pipelines/PowerShell-Coordinated_Packages-Official.yml b/.pipelines/PowerShell-Coordinated_Packages-Official.yml
index 902c31f8a96..f0b67aa1747 100644
--- a/.pipelines/PowerShell-Coordinated_Packages-Official.yml
+++ b/.pipelines/PowerShell-Coordinated_Packages-Official.yml
@@ -30,6 +30,14 @@ parameters: displayName: Debugging - Enable CodeQL and set cadence to 1 hour type: boolean default: false + - name: Officialness + displayName: Officialness of the Pipeline + type: string + values: + - "Official" + - "Nonofficial" + default: "Official" + resources: repositories:
@@ -90,7 +98,7 @@ variables: extends: - template: v2/OneBranch.Official.CrossPlat.yml@onebranchTemplates + template: v2/OneBranch.${{ parameters.Officialness }}.CrossPlat.yml@onebranchTemplates parameters: customTags: 'ES365AIMigrationTooling' featureFlags: 
@@ -98,6 +106,7 @@ extends: Network: KS3 WindowsHostVersion: Network: KS3 + incrementalSDLBinaryAnalysis: true globalSdl: disableLegacyManifest: true # disabled Armorty as we dont have any ARM templates to scan. It fails on some sample ARM templates.
@@ -116,19 +125,12 @@ extends: cg: enabled: true ignoreDirectories: '.devcontainer,demos,docker,docs,src,test,tools/packaging' - asyncSdl: - enabled: true - forStages: [prep, macos, linux, windows, test_and_release_artifacts] - credscan: - enabled: true - scanFolder: $(Build.SourcesDirectory) - suppressionsFile: $(Build.SourcesDirectory)\PowerShell\.config\suppress.json - binskim: - enabled: false - # APIScan requires a non-Ready-To-Run build - apiscan: - enabled: false - tsaOptionsFile: .config\tsaoptions.json + binskim: + enabled: false + # APIScan requires a non-Ready-To-Run build + apiscan: + enabled: false + tsaOptionsFile: .config\tsaoptions.json stages: - stage: prep
diff --git a/.pipelines/PowerShell-Packages-Official.yml b/.pipelines/PowerShell-Packages-Official.yml
index 487e8cb9c6a..366da308b1c 100644
--- a/.pipelines/PowerShell-Packages-Official.yml
+++ b/.pipelines/PowerShell-Packages-Official.yml
@@ -24,7 +24,14 @@ parameters: # parameters are shown up in ADO UI in a build queue time displayName: Skip Signing type: string default: 'NO' - + - name: Officialness + displayName: Officialness of the Pipeline + type: string + values: + - "Official" + - "Nonofficial" + default: "Official" + name: pkgs-$(BUILD.SOURCEBRANCHNAME)-$(Build.BuildId) variables:
@@ -79,7 +86,7 @@ resources: ref: refs/heads/main extends: - template: v2/OneBranch.Official.CrossPlat.yml@templates + template: v2/OneBranch.${{ parameters.Officialness }}.CrossPlat.yml@templates parameters: cloudvault: enabled: false 
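Review bot: The rewrite of the SDL block in PowerShell-Coordinated_Packages-Official.yml (hunk `@@ -116,19 +125,12 @@`) removes the explicit `credscan:` configuration (`enabled: true`, `scanFolder: $(Build.SourcesDirectory)` and `suppressionsFile: $(Build.SourcesDirectory)\PowerShell\.config\suppress.json`) together with `asyncSdl`, while `binskim`, `apiscan` and `tsaOptionsFile` are re-added; the PowerShell-Packages-Official.yml hunk `@@ -104,19 +112,12 @@` on the next diff line does the same. If the OneBranch template's globalSdl default still runs CredScan, the existing suppressions file is no longer applied and previously suppressed findings will resurface; if it does not, credential scanning for these two pipelines stops without anything in the diff saying so. Either re-add `credscan:` with its `suppressionsFile` under `globalSdl`, or add a comment stating that the template default is relied on. The two Release pipelines in this same patch keep their `credscan:` block, so the drop here may be unintended.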
@@ -88,6 +95,7 @@ extends: Version: 2022 Network: KS3 linuxEsrpSigning: true + incrementalSDLBinaryAnalysis: true globalSdl: disableLegacyManifest: true # disabled Armorty as we dont have any ARM templates to scan. It fails on some sample ARM templates.
@@ -104,19 +112,12 @@ extends: cg: enabled: true ignoreDirectories: '.devcontainer,demos,docker,docs,src,test,tools/packaging' - asyncSdl: - enabled: true - forStages: ['build'] - credscan: - enabled: true - scanFolder: $(Build.SourcesDirectory) - suppressionsFile: $(Build.SourcesDirectory)\PowerShell\.config\suppress.json - binskim: - enabled: false - # APIScan requires a non-Ready-To-Run build - apiscan: - enabled: false - tsaOptionsFile: .config\tsaoptions.json + binskim: + enabled: false + # APIScan requires a non-Ready-To-Run build + apiscan: + enabled: false + tsaOptionsFile: .config\tsaoptions.json stages: - stage: prep jobs:
diff --git a/.pipelines/PowerShell-Release-Official-Azure.yml b/.pipelines/PowerShell-Release-Official-Azure.yml
index 2d644c7a5dd..fa61a46a47d 100644
--- a/.pipelines/PowerShell-Release-Official-Azure.yml
+++ b/.pipelines/PowerShell-Release-Official-Azure.yml
@@ -13,6 +13,14 @@ parameters: # parameters are shown up in ADO UI in a build queue time displayName: Skip Signing type: string default: 'NO' + - name: Officialness + displayName: Officialness of the Pipeline + type: string + values: + - "Official" + - "Nonofficial" + default: "Official" + name: ev2-$(BUILD.SOURCEBRANCHNAME)-$(Build.BuildId)
@@ -74,6 +82,7 @@ extends: Version: 2022 Network: Netlock linuxEsrpSigning: true + incrementalSDLBinaryAnalysis: true cloudvault: enabled: false globalSdl:
@@ -81,9 +90,6 @@ extends: # disabled Armory as we dont have any ARM templates to scan. It fails on some sample ARM templates. armory: enabled: false - asyncSdl: - enabled: true - tsaOptionsFile: .config/tsaoptions.json tsa: enabled: true credscan: 
diff --git a/.pipelines/PowerShell-Release-Official.yml b/.pipelines/PowerShell-Release-Official.yml
index 0c41442da9f..cab982e418c 100644
--- a/.pipelines/PowerShell-Release-Official.yml
+++ b/.pipelines/PowerShell-Release-Official.yml
@@ -25,6 +25,13 @@ parameters: # parameters are shown up in ADO UI in a build queue time displayName: Skip Copying Archives and Installers to PSInfrastructure Public Location type: boolean default: false + - name: Officialness + displayName: Officialness of the Pipeline + type: string + values: + - "Official" + - "Nonofficial" + default: "Official" name: release-$(BUILD.SOURCEBRANCHNAME)-$(Build.BuildId)
@@ -83,7 +90,7 @@ resources: - releases/* extends: - template: v2/OneBranch.Official.CrossPlat.yml@templates + template: v2/OneBranch.${{ parameters.Officialness }}.CrossPlat.yml@templates parameters: release: category: NonAzure
@@ -91,6 +98,7 @@ extends: WindowsHostVersion: Version: 2022 Network: KS3 + incrementalSDLBinaryAnalysis: true cloudvault: enabled: false globalSdl:
@@ -98,9 +106,6 @@ extends: # disabled Armory as we dont have any ARM templates to scan. It fails on some sample ARM templates. armory: enabled: false - asyncSdl: - enabled: true - tsaOptionsFile: .config/tsaoptions.json tsa: enabled: true credscan:
diff --git a/.pipelines/PowerShell-vPack-Official.yml b/.pipelines/PowerShell-vPack-Official.yml
index 36b6505dd04..9c2fa602800 100644
--- a/.pipelines/PowerShell-vPack-Official.yml
+++ b/.pipelines/PowerShell-vPack-Official.yml
@@ -96,8 +96,6 @@ extends: # APIScan requires a non-Ready-To-Run build apiscan: enabled: false - asyncSDL: - enabled: false tsaOptionsFile: .config/tsaoptions.json stages: - stage: main
From f9969350f737472621800edd89733899acef56e5 Mon Sep 17 00:00:00 2001 
From: Justin Chung <124807742+jshigetomi@users.noreply.github.com>
Date: Wed, 20 Aug 2025 15:59:46 -0500
Subject: [PATCH 2/5] Use boolean for toggling official and toggle release environment
---
 ...owerShell-Coordinated_Packages-Official.yml | 16 +++++++---------
 .pipelines/PowerShell-Packages-Official.yml | 15 +++++++--------
 .../PowerShell-Release-Official-Azure.yml | 16 +++++++---------
 .pipelines/PowerShell-Release-Official.yml | 18 +++++++++---------
 4 files changed, 30 insertions(+), 35 deletions(-)
diff --git a/.pipelines/PowerShell-Coordinated_Packages-Official.yml b/.pipelines/PowerShell-Coordinated_Packages-Official.yml
index f0b67aa1747..54f96115922 100644
--- a/.pipelines/PowerShell-Coordinated_Packages-Official.yml
+++ b/.pipelines/PowerShell-Coordinated_Packages-Official.yml
@@ -30,13 +30,9 @@ parameters: displayName: Debugging - Enable CodeQL and set cadence to 1 hour type: boolean default: false - - name: Officialness - displayName: Officialness of the Pipeline - type: string - values: - - "Official" - - "Nonofficial" - default: "Official" + - name: OfficialBuild + type: boolean + default: false resources:
@@ -95,10 +91,12 @@ variables: value: true ${{ else }}: value: false - + - name: templateFile + value: ${{ iif ( parameters.OfficialBuild, 'v2/OneBranch.Official.CrossPlat.yml@onebranchTemplates', 'v2/OneBranch.NonOfficial.CrossPlat.yml@onebranchTemplates' ) }} + extends: - template: v2/OneBranch.${{ parameters.Officialness }}.CrossPlat.yml@onebranchTemplates + template: ${{ variables.templateFile }} parameters: customTags: 'ES365AIMigrationTooling' featureFlags:
diff --git a/.pipelines/PowerShell-Packages-Official.yml b/.pipelines/PowerShell-Packages-Official.yml
index 366da308b1c..2a61891965c 100644
--- a/.pipelines/PowerShell-Packages-Official.yml
+++ b/.pipelines/PowerShell-Packages-Official.yml 
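Review bot: `OfficialBuild` defaults to `false`, so PowerShell-Coordinated_Packages-Official.yml (hunk `@@ -30,13 +30,9 @@`) and the three other `*-Official.yml` pipelines changed in this patch now extend the NonOfficial OneBranch template unless someone flips the parameter at queue time; runs started by a trigger or schedule take the parameter default, so a trigger-driven run of an official pipeline would quietly produce a non-official build, and in PowerShell-Release-Official.yml would release to `Test` rather than `Production`. Confirm that is the intended convention and either default the official pipelines to `true` or record the convention in a comment next to the parameter. The parameter also has no `displayName`, unlike its neighbours, so the queue-time UI shows only the bare name; `displayName: Build with the Official OneBranch template` would make the choice unambiguous. The same parameter block is added in the PowerShell-Packages-Official.yml, PowerShell-Release-Official-Azure.yml and PowerShell-Release-Official.yml hunks on the following diff lines.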
@@ -24,13 +24,9 @@ parameters: # parameters are shown up in ADO UI in a build queue time displayName: Skip Signing type: string default: 'NO' - - name: Officialness - displayName: Officialness of the Pipeline - type: string - values: - - "Official" - - "Nonofficial" - default: "Official" + - name: OfficialBuild + type: boolean + default: false name: pkgs-$(BUILD.SOURCEBRANCHNAME)-$(Build.BuildId)
@@ -68,6 +64,9 @@ variables: - name: branchCounter value: $[counter(variables['branchCounterKey'], 1)] - group: MSIXSigningProfile + - name: templateFile + value: ${{ iif ( parameters.OfficialBuild, 'v2/OneBranch.Official.CrossPlat.yml@onebranchTemplates', 'v2/OneBranch.NonOfficial.CrossPlat.yml@onebranchTemplates' ) }} + resources: pipelines:
@@ -86,7 +85,7 @@ resources: ref: refs/heads/main extends: - template: v2/OneBranch.${{ parameters.Officialness }}.CrossPlat.yml@templates + template: ${{ variables.templateFile }} parameters: cloudvault: enabled: false
diff --git a/.pipelines/PowerShell-Release-Official-Azure.yml b/.pipelines/PowerShell-Release-Official-Azure.yml
index fa61a46a47d..94cf00d1112 100644
--- a/.pipelines/PowerShell-Release-Official-Azure.yml
+++ b/.pipelines/PowerShell-Release-Official-Azure.yml
@@ -13,14 +13,9 @@ parameters: # parameters are shown up in ADO UI in a build queue time displayName: Skip Signing type: string default: 'NO' - - name: Officialness - displayName: Officialness of the Pipeline - type: string - values: - - "Official" - - "Nonofficial" - default: "Official" - + - name: OfficialBuild + type: boolean + default: false name: ev2-$(BUILD.SOURCEBRANCHNAME)-$(Build.BuildId)
@@ -54,6 +49,9 @@ variables: - name: LinuxContainerImage value: mcr.microsoft.com/onebranch/cbl-mariner/build:2.0 - group: PoolNames + - name: templateFile + value: ${{ iif ( parameters.OfficialBuild, 'v2/OneBranch.Official.CrossPlat.yml@onebranchTemplates', 'v2/OneBranch.NonOfficial.CrossPlat.yml@onebranchTemplates' ) }} + resources: repositories: 
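Review bot: The new `templateFile` variable in PowerShell-Packages-Official.yml (hunk `@@ -68,6 +64,9 @@`) points both template paths at the `@onebranchTemplates` repository alias, but the `extends:` line it replaces in hunk `@@ -86,7 +85,7 @@` referenced `@templates` (`- template: v2/OneBranch.${{ parameters.Officialness }}.CrossPlat.yml@templates`); the same alias switch happens in PowerShell-Release-Official-Azure.yml (`@@ -54,6 +49,9 @@` here, `@@ -75,7 +73,7 @@` on the next diff line) and in PowerShell-Release-Official.yml. Unless those three files also declare a repository resource named `onebranchTemplates` (their `resources:` blocks are outside these hunks), the template reference will not resolve at compile time, or will resolve against a differently configured repository resource than before. The repository resource behind `extends` is what the pipeline trusts for its SDL and signing template, so keep each file's existing alias, e.g. `'v2/OneBranch.Official.CrossPlat.yml@templates'`, or add the `onebranchTemplates` resource explicitly and in the same patch.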
@@ -75,7 +73,7 @@ resources: - releases/* extends: - template: v2/OneBranch.Official.CrossPlat.yml@templates + template: ${{ variables.templateFile }} parameters: featureFlags: WindowsHostVersion:
diff --git a/.pipelines/PowerShell-Release-Official.yml b/.pipelines/PowerShell-Release-Official.yml
index cab982e418c..b612e93c772 100644
--- a/.pipelines/PowerShell-Release-Official.yml
+++ b/.pipelines/PowerShell-Release-Official.yml
@@ -25,13 +25,9 @@ parameters: # parameters are shown up in ADO UI in a build queue time displayName: Skip Copying Archives and Installers to PSInfrastructure Public Location type: boolean default: false - - name: Officialness - displayName: Officialness of the Pipeline - type: string - values: - - "Official" - - "Nonofficial" - default: "Official" + - name: OfficialBuild + type: boolean + default: false name: release-$(BUILD.SOURCEBRANCHNAME)-$(Build.BuildId)
@@ -65,6 +61,10 @@ variables: - name: ReleaseTagVar value: ${{ parameters.ReleaseTagVar }} - group: PoolNames + - name: templateFile + value: ${{ iif ( parameters.OfficialBuild, 'v2/OneBranch.Official.CrossPlat.yml@onebranchTemplates', 'v2/OneBranch.NonOfficial.CrossPlat.yml@onebranchTemplates' ) }} + - name: releaseEnvironment + value: ${{ iif ( parameters.OfficialBuild, 'Production', 'Test' ) }} resources: repositories:
@@ -90,7 +90,7 @@ resources: - releases/* extends: - template: v2/OneBranch.${{ parameters.Officialness }}.CrossPlat.yml@templates + template: ${{ variables.templateFile }} parameters: release: category: NonAzure
@@ -284,7 +284,7 @@ extends: - setReleaseTagAndChangelog - UpdateChangeLog variables: - ob_release_environment: Production + ob_release_environment: ${{ parameters.releaseEnvironment }} jobs: - template: /.pipelines/templates/release-githubNuget.yml@self parameters:
From 6f8201960126dfd5c52fd155f781e48bf88acb8f Mon Sep 17 00:00:00 2001 
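Review bot: `ob_release_environment: ${{ parameters.releaseEnvironment }}` in PowerShell-Release-Official.yml (hunk `@@ -284,7 +284,7 @@`) reads `releaseEnvironment` as a parameter, but hunk `@@ -65,6 +61,10 @@` in the same file declares it as a variable (`- name: releaseEnvironment`), and the only parameter this patch adds is `OfficialBuild`. It should be `ob_release_environment: ${{ variables.releaseEnvironment }}`; as written the expression either fails template compilation or leaves the release environment empty, and since this value is what selects `Production` versus `Test` for the release stage, it is the one line in the patch that must not resolve by accident. A short comment above the variable, such as `# Official builds release to Production; everything else goes to Test`, would also make the coupling to OfficialBuild visible at the definition.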
From: Justin Chung <124807742+jshigetomi@users.noreply.github.com>
Date: Thu, 21 Aug 2025 10:52:40 -0500
Subject: [PATCH 3/5] Turn on binskim globalization invariant
---
 .pipelines/PowerShell-Coordinated_Packages-Official.yml | 3 +++
 .pipelines/PowerShell-Packages-Official.yml | 3 +++
 .pipelines/PowerShell-Release-Official.yml | 6 ++++++
 3 files changed, 12 insertions(+)
diff --git a/.pipelines/PowerShell-Coordinated_Packages-Official.yml b/.pipelines/PowerShell-Coordinated_Packages-Official.yml
index 54f96115922..180e548ce10 100644
--- a/.pipelines/PowerShell-Coordinated_Packages-Official.yml
+++ b/.pipelines/PowerShell-Coordinated_Packages-Official.yml
@@ -125,6 +125,9 @@ extends: ignoreDirectories: '.devcontainer,demos,docker,docs,src,test,tools/packaging' binskim: enabled: false + # Fix for ICU package error in Linux containers - enable globalization invariant mode for BinSkim + environment: + DOTNET_SYSTEM_GLOBALIZATION_INVARIANT: true # APIScan requires a non-Ready-To-Run build apiscan: enabled: false
diff --git a/.pipelines/PowerShell-Packages-Official.yml b/.pipelines/PowerShell-Packages-Official.yml
index 2a61891965c..78db1e36e57 100644
--- a/.pipelines/PowerShell-Packages-Official.yml
+++ b/.pipelines/PowerShell-Packages-Official.yml
@@ -113,6 +113,9 @@ extends: ignoreDirectories: '.devcontainer,demos,docker,docs,src,test,tools/packaging' binskim: enabled: false + # Fix for ICU package error in Linux containers - enable globalization invariant mode for BinSkim + environment: + DOTNET_SYSTEM_GLOBALIZATION_INVARIANT: true # APIScan requires a non-Ready-To-Run build apiscan: enabled: false
diff --git a/.pipelines/PowerShell-Release-Official.yml b/.pipelines/PowerShell-Release-Official.yml
index b612e93c772..da0b499fb6e 100644
--- a/.pipelines/PowerShell-Release-Official.yml
+++ b/.pipelines/PowerShell-Release-Official.yml 
@@ -65,6 +65,9 @@ variables: value: ${{ iif ( parameters.OfficialBuild, 'v2/OneBranch.Official.CrossPlat.yml@onebranchTemplates', 'v2/OneBranch.NonOfficial.CrossPlat.yml@onebranchTemplates' ) }} - name: releaseEnvironment value: ${{ iif ( parameters.OfficialBuild, 'Production', 'Test' ) }} + # Fix for BinSkim ICU package error in Linux containers + - name: DOTNET_SYSTEM_GLOBALIZATION_INVARIANT + value: true resources: repositories:
@@ -114,6 +117,9 @@ extends: suppressionsFile: $(Build.SourcesDirectory)\.config\suppress.json binskim: break: false # always break the build on binskim issues in addition to TSA upload + # Fix for ICU package error in Linux containers - enable globalization invariant mode for BinSkim + environment: + DOTNET_SYSTEM_GLOBALIZATION_INVARIANT: true policheck: break: true # always break the build on policheck issues. You can disable it by setting to 'false' # suppression:
From 80c160bd87e3f376ab40fe7aa501f0763fd2fdc6 Mon Sep 17 00:00:00 2001
From: Justin Chung <124807742+jshigetomi@users.noreply.github.com>
Date: Thu, 21 Aug 2025 13:06:13 -0500
Subject: [PATCH 4/5] Try as a variable
---
 .pipelines/PowerShell-Coordinated_Packages-Official.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.pipelines/PowerShell-Coordinated_Packages-Official.yml b/.pipelines/PowerShell-Coordinated_Packages-Official.yml
index 180e548ce10..9d1999756ad 100644
--- a/.pipelines/PowerShell-Coordinated_Packages-Official.yml
+++ b/.pipelines/PowerShell-Coordinated_Packages-Official.yml
@@ -93,6 +93,9 @@ variables: value: false - name: templateFile value: ${{ iif ( parameters.OfficialBuild, 'v2/OneBranch.Official.CrossPlat.yml@onebranchTemplates', 'v2/OneBranch.NonOfficial.CrossPlat.yml@onebranchTemplates' ) }} + # Fix for BinSkim ICU package error in Linux containers + - name: DOTNET_SYSTEM_GLOBALIZATION_INVARIANT + value: true extends:
From 3a29623c7514cebbb996f2cf79709efa36ae6dd4 Mon Sep 17 00:00:00 2001 
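Review bot: Declaring `DOTNET_SYSTEM_GLOBALIZATION_INVARIANT` as a pipeline-level variable in PowerShell-Release-Official.yml (hunk `@@ -65,6 +65,9 @@`) makes it an environment variable for every job and task in the pipeline, not just for BinSkim: the build, packaging and test steps, which presumably also run on .NET, will now execute in invariant globalization mode, and that can change culture-dependent behaviour in those steps. If the intent is only to work around the BinSkim ICU failure named in the comment, scope the variable to the SDL job or stage rather than the whole pipeline, or extend the comment to say that the entire release pipeline is expected to run in invariant mode. Separately, the value is the YAML boolean `true` while environment variables are strings; `value: "true"` (or `"1"`) avoids depending on how the pipeline stringifies a boolean. The PATCH 4 hunk `@@ -93,6 +93,9 @@` in PowerShell-Coordinated_Packages-Official.yml adds the same variable and has the same two issues.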
From: Justin Chung <124807742+jshigetomi@users.noreply.github.com>
Date: Thu, 21 Aug 2025 15:50:50 -0500
Subject: [PATCH 5/5] Set binskim exact tool version to 4.4.2
---
 .pipelines/MSIXBundle-vPack-Official.yml | 1 +
 .pipelines/PowerShell-Coordinated_Packages-Official.yml | 7 ++++---
 .pipelines/PowerShell-Packages-Official.yml | 4 +---
 .pipelines/PowerShell-Release-Official-Azure.yml | 1 +
 .pipelines/PowerShell-Release-Official.yml | 4 +---
 .pipelines/PowerShell-vPack-Official.yml | 1 +
 6 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/.pipelines/MSIXBundle-vPack-Official.yml b/.pipelines/MSIXBundle-vPack-Official.yml
index d34f0d2d349..ef96f63f045 100644
--- a/.pipelines/MSIXBundle-vPack-Official.yml
+++ b/.pipelines/MSIXBundle-vPack-Official.yml
@@ -68,6 +68,7 @@ extends: suppressionsFile: $(Build.SourcesDirectory)\.config\suppress.json binskim: enabled: false + exactToolVersion: 4.4.2 # APIScan requires a non-Ready-To-Run build apiscan: enabled: false
diff --git a/.pipelines/PowerShell-Coordinated_Packages-Official.yml b/.pipelines/PowerShell-Coordinated_Packages-Official.yml
index 9d1999756ad..efc28942fcc 100644
--- a/.pipelines/PowerShell-Coordinated_Packages-Official.yml
+++ b/.pipelines/PowerShell-Coordinated_Packages-Official.yml
@@ -96,6 +96,9 @@ variables: # Fix for BinSkim ICU package error in Linux containers - name: DOTNET_SYSTEM_GLOBALIZATION_INVARIANT value: true + # Disable BinSkim at job level to override NonOfficial template defaults + - name: ob_sdl_binskim_enabled + value: false extends:
@@ -128,9 +131,7 @@ extends: ignoreDirectories: '.devcontainer,demos,docker,docs,src,test,tools/packaging' binskim: enabled: false - # Fix for ICU package error in Linux containers - enable globalization invariant mode for BinSkim - environment: - DOTNET_SYSTEM_GLOBALIZATION_INVARIANT: true + exactToolVersion: 4.4.2 # APIScan requires a non-Ready-To-Run build apiscan: enabled: false 
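Review bot: `exactToolVersion: 4.4.2` is added to the `binskim:` block of six pipeline files with no comment saying why, and in four of them — this MSIXBundle-vPack-Official.yml hunk, PowerShell-Coordinated_Packages-Official.yml (`@@ -128,9 +131,7 @@`), PowerShell-Packages-Official.yml and PowerShell-vPack-Official.yml on the following diff lines — it sits directly under `enabled: false`, where it has no effect. Pinning an SDL scanner to an exact version freezes its rule set and bug fixes, so the pin should carry its reason and a removal trigger, e.g. `# pinned: later BinSkim builds fail with the ICU package error in Linux containers; drop once the template default works again`, the reason being the one this series' earlier commit messages give. Consider adding the pin only in the two Release pipelines, where BinSkim actually runs (`break: false` rather than `enabled: false`).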
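Review bot: `ob_sdl_binskim_enabled: false` in PowerShell-Coordinated_Packages-Official.yml (hunk `@@ -96,6 +96,9 @@`) switches binary analysis off for the pipeline as a whole, on top of the `binskim: enabled: false` already present in its globalSdl block, and the accompanying comment says this is to override the NonOfficial template's defaults. The coordinated package build therefore gets no BinSkim coverage in either the Official or the NonOfficial flavour. Extend the comment to name the failure being avoided and which pipeline is relied on for binary analysis of these artifacts (presumably the Release pipelines, which keep BinSkim enabled), e.g. `# BinSkim disabled here because of the ICU package error in Linux containers; binaries are scanned in the Release pipelines`, so the exemption is auditable and can be lifted once the underlying issue is fixed.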
diff --git a/.pipelines/PowerShell-Packages-Official.yml b/.pipelines/PowerShell-Packages-Official.yml
index 78db1e36e57..f0d428bf1d6 100644
--- a/.pipelines/PowerShell-Packages-Official.yml
+++ b/.pipelines/PowerShell-Packages-Official.yml
@@ -113,9 +113,7 @@ extends: ignoreDirectories: '.devcontainer,demos,docker,docs,src,test,tools/packaging' binskim: enabled: false - # Fix for ICU package error in Linux containers - enable globalization invariant mode for BinSkim - environment: - DOTNET_SYSTEM_GLOBALIZATION_INVARIANT: true + exactToolVersion: 4.4.2 # APIScan requires a non-Ready-To-Run build apiscan: enabled: false
diff --git a/.pipelines/PowerShell-Release-Official-Azure.yml b/.pipelines/PowerShell-Release-Official-Azure.yml
index 94cf00d1112..8e144f1ee55 100644
--- a/.pipelines/PowerShell-Release-Official-Azure.yml
+++ b/.pipelines/PowerShell-Release-Official-Azure.yml
@@ -96,6 +96,7 @@ extends: suppressionsFile: $(Build.SourcesDirectory)\.config\suppress.json binskim: break: false # always break the build on binskim issues in addition to TSA upload + exactToolVersion: 4.4.2 policheck: break: true # always break the build on policheck issues. You can disable it by setting to 'false' tsaOptionsFile: .config\tsaoptions.json
diff --git a/.pipelines/PowerShell-Release-Official.yml b/.pipelines/PowerShell-Release-Official.yml
index da0b499fb6e..8c3e8728533 100644
--- a/.pipelines/PowerShell-Release-Official.yml
+++ b/.pipelines/PowerShell-Release-Official.yml
@@ -117,9 +117,7 @@ extends: suppressionsFile: $(Build.SourcesDirectory)\.config\suppress.json binskim: break: false # always break the build on binskim issues in addition to TSA upload - # Fix for ICU package error in Linux containers - enable globalization invariant mode for BinSkim - environment: - DOTNET_SYSTEM_GLOBALIZATION_INVARIANT: true + exactToolVersion: 4.4.2 policheck: break: true # always break the build on policheck issues. You can disable it by setting to 'false' # suppression: 
diff --git a/.pipelines/PowerShell-vPack-Official.yml b/.pipelines/PowerShell-vPack-Official.yml
index 9c2fa602800..a1bb28c0e19 100644
--- a/.pipelines/PowerShell-vPack-Official.yml
+++ b/.pipelines/PowerShell-vPack-Official.yml
@@ -93,6 +93,7 @@ extends: suppressionsFile: $(Build.SourcesDirectory)\.config\suppress.json binskim: enabled: false + exactToolVersion: 4.4.2 # APIScan requires a non-Ready-To-Run build apiscan: enabled: false