# Build-number format for each run. The `variables` section reuses the result
# as GVFSRevision through $(Build.BuildNumber), so it ends up in the product
# version and in the release tag.
name: $(date:yy)$(DayOfYear)$(rev:.r)
# No CI or PR trigger is declared: a release run only starts when it is
# queued by hand.
trigger: none
pr: none
#
# Release pipeline for VFS for Git.
#
# Builds the Windows x64 installer, ESRP-signs the inner Payload binaries and
# the outer SetupGVFS installer, stages all release artifacts, and (optionally)
# publishes a draft GitHub Release.
#
# Designed to be run manually from Azure DevOps, typically against the
# `releases/shipped` branch. Triggers are intentionally `none`; PR/CI builds
# are handled by the GitHub Actions workflow at .github/workflows/build.yaml.
#
# Declares the external repository that `extends:` resolves through the
# @1ESPipelines alias.
resources:
  repositories:
    - repository: 1ESPipelines
      type: git
      name: 1ESPipelineTemplates/1ESPipelineTemplates
      # NOTE(review): the template is referenced by tag, not by commit SHA, so
      # the code that wraps the signing and release steps is whatever the tag
      # points at when the run is queued -- confirm this is the intended
      # pinning for a release pipeline.
      ref: refs/tags/release
# Queue-time switches. Both default to true. The release stage's condition
# requires both, so a run with `esrp` turned off never publishes, whatever
# `github` is set to.
parameters:
  # Gates the three ESRP signing template calls in the build stage.
  - name: 'esrp'
    type: boolean
    default: true
    displayName: 'Enable ESRP code signing'
  # Gates the draft GitHub release (together with `esrp`).
  - name: 'github'
    type: boolean
    default: true
    displayName: 'Enable GitHub release publishing'
# Pipeline-wide variables: product version, build configuration, output root
# and the names of the service connections used for signing and publishing.
variables:
  - name: 'GVFSMajorAndMinorVersion'
    value: '2.0'
  - name: 'GVFSRevision'
    value: $(Build.BuildNumber)
  # Full version string; passed to Build.bat and the installer build, and used
  # for the release tag and title.
  - name: 'GVFSVersion'
    value: $(GVFSMajorAndMinorVersion).$(GVFSRevision)
  - name: 'BuildConfiguration'
    value: 'Release'
  - name: 'OutDir'
    value: $(Agent.BuildDirectory)\vfsforgit\out
  # Not referenced anywhere else in this file; presumably read by
  # .azure-pipelines/esrp/sign.yml -- confirm against that template.
  - name: 'esrpAppConnectionName'
    value: '1ESGitClient-ESRP-App'
  # Service connection handed to the GitHubRelease task in the release stage.
  - name: 'githubConnectionName'
    value: 'GitHub-VFSForGit'
  # ESRP signing variables set in the pipeline settings:
  # - esrpEndpointUrl
  # - esrpClientId
  # - esrpTenantId
  # - esrpKeyVaultName
  # - esrpSignReqCertName
  # Only their names are listed here; the values are held in the pipeline
  # settings and do not appear in this file.
# Runs the release inside the 1ES official pipeline template: a `build` stage
# that compiles, tests, signs and stages the artifacts, then a `release` stage
# that publishes a draft GitHub release when both queue-time switches are on.
extends:
  template: v1/1ES.Official.PipelineTemplate.yml@1ESPipelines
  parameters:
    featureFlags:
      incrementalSDLBinaryAnalysis: false
      # NOTE(review): this switches off a template-provided network control
      # and the file does not say why. The steps below do reach an internal
      # NuGet feed and the Terrapin asset cache -- confirm the exemption is
      # still needed and record the reason here.
      disableNetworkIsolation: true
    sdl:
      sourceAnalysisPool:
        name: GitClientPME-1ESHostedPool-intel-pc
        image: win-x86_64-ado1es
        os: windows
      binskim:
        # NOTE(review): the justification names only the Inno Setup installer,
        # while `enabled: false` appears to turn BinSkim off for every binary
        # this pipeline produces -- confirm whether a narrower exclusion is
        # available.
        enabled: false
        justificationForDisabling: "Guardian and BinSkim do not support a suppression for InnoSetup installer file"
    stages:
      - stage: build
        displayName: 'Build and Sign'
        jobs:
          - job: Build
            displayName: 'Build VFS for Git (Windows x64)'
            pool:
              name: GitClientPME-1ESHostedPool-intel-pc
              image: win-x86_64-ado1es
              os: windows
            templateContext:
              outputParentDirectory: $(Build.ArtifactStagingDirectory)
              # These four artifacts are declared unconditionally. When `esrp`
              # is false the signing steps below are skipped, so the Installer
              # and FastFetch artifacts of such a run hold unsigned binaries;
              # only the release stage is gated on signing.
              outputs:
                - output: pipelineArtifact
                  targetPath: $(Build.ArtifactStagingDirectory)\GVFS.Installers
                  artifactName: Installer
                - output: pipelineArtifact
                  targetPath: $(Build.ArtifactStagingDirectory)\FastFetch
                  artifactName: FastFetch
                - output: pipelineArtifact
                  targetPath: $(Build.ArtifactStagingDirectory)\Symbols
                  artifactName: Symbols
                - output: pipelineArtifact
                  targetPath: $(Build.ArtifactStagingDirectory)\GVFS.FunctionalTests
                  artifactName: FunctionalTests
            steps:
              - checkout: self
                displayName: 'Checkout VFS for Git'
                path: vfsforgit/src
              - task: UseDotNet@2
                displayName: 'Use .NET SDK (global.json)'
                inputs:
                  useGlobalJson: true
                  workingDirectory: $(Build.SourcesDirectory)
              - task: NuGetToolInstaller@1
                displayName: 'Use NuGet 6.x'
                inputs:
                  versionSpec: '6.x'
              - task: NuGetAuthenticate@1
                displayName: 'Authenticate to internal NuGet feed (for Microsoft.Build.Vcpkg)'
              # The next two steps run PowerShell scripts from the checked-out
              # repository on the build agent before anything is compiled.
              - task: PowerShell@2
                displayName: 'Install VS C++ workload (NativeAOT prerequisite)'
                inputs:
                  filePath: $(Build.SourcesDirectory)\.azure-pipelines\scripts\install-vs-cpp-workload.ps1
              - task: PowerShell@2
                displayName: 'Enable Projected File System (ProjFS)'
                inputs:
                  filePath: $(Build.SourcesDirectory)\.azure-pipelines\scripts\enable-projfs.ps1
              # Download the Microsoft.Build.Vcpkg NuGet package out-of-band so we
              # can hand the build a path to TerrapinRetrievalTool.exe via
              # -p:TerrapinRetrievalToolPath. The package is pulled from an
              # internal NuGet feed (see .azure-pipelines/official-release-nuget.config).
              # Downloading it this way -- rather than as an msbuild Sdk import --
              # keeps the internal feed out of the root nuget.config that
              # external contributors and the public GitHub Actions workflow see.
              #
              # The package version is pinned exactly. -ExcludeVersion keeps the
              # version out of the output folder name, which the restore step
              # relies on when it builds the path to TerrapinRetrievalTool.exe.
              # No content-hash check is visible in this step, so the integrity
              # of the tool rests on the internal feed.
              - task: NuGetCommand@2
                displayName: 'Download Microsoft.Build.Vcpkg package (Terrapin retrieval tool)'
                inputs:
                  command: custom
                  arguments: 'install Microsoft.Build.Vcpkg -Version 2026.5.25.434-aa40adda53 -ConfigFile $(Build.SourcesDirectory)\.azure-pipelines\official-release-nuget.config -OutputDirectory $(Agent.TempDirectory)\nuget-internal -ExcludeVersion -DirectDownload -NonInteractive'
              # Restore vcpkg native dependencies through the Terrapin asset
              # cache (the release pipeline's build agents have x-block-origin
              # enforced and cannot download from the public internet). Runs the
              # _RestoreVcpkgDependencies MSBuild target with
              # UseTerrapinAssetCache=true and TerrapinRetrievalToolPath pointing
              # at the binary extracted by the previous step. vcpkg downloads
              # then route through https://vcpkg.storage.devpackages.microsoft.io.
              # Build.bat's own vcpkg install step then skips because the libs
              # are already present.
              - script: |
                  dotnet build "$(Build.SourcesDirectory)\GVFS\GVFS.Common\GVFS.Common.csproj" ^
                    /t:_RestoreVcpkgDependencies ^
                    -c $(BuildConfiguration) ^
                    -p:UseTerrapinAssetCache=true ^
                    -p:TerrapinRetrievalToolPath=$(Agent.TempDirectory)\nuget-internal\Microsoft.Build.Vcpkg\trt\TerrapinRetrievalTool.exe ^
                    -v:detailed
                displayName: 'Restore vcpkg native libraries (Terrapin cache)'
              - script: |
                  $(Build.SourcesDirectory)\scripts\Build.bat ^
                    $(BuildConfiguration) ^
                    $(GVFSVersion) ^
                    detailed
                env:
                  # Skip the Inno Setup compile step inside Build.bat so that
                  # the Payload binaries can be ESRP-signed before they get
                  # packaged into the installer. The installer is built in a
                  # dedicated step further down, after signing.
                  SkipCreateInstaller: 'true'
                displayName: 'Build ($(BuildConfiguration))'
              # Unit tests run on the unsigned build output, before any signing
              # request is made.
              - script: |
                  $(Build.SourcesDirectory)\scripts\RunUnitTests.bat ^
                    $(BuildConfiguration)
                displayName: 'Run unit tests'
              # ESRP signing of the standalone binaries (Payload + FastFetch).
              # The installer hasn't been built yet, so it can be packaged from
              # signed binaries in a single Inno Setup pass.
              #
              # Each signing call submits the same two-operation request:
              # SigntoolSign (SHA-256 file digest, RFC 3161 timestamp with a
              # SHA-256 digest) followed by SigntoolVerify. The request is
              # repeated verbatim in all three calls in this stage, so a change
              # to one copy has to be made to the other two as well.
              # The timestamp server is addressed over plain http; RFC 3161
              # responses are themselves signed, so verification relies on that
              # countersignature rather than on the transport.
              - ${{ if eq(parameters.esrp, true) }}:
                  - template: .azure-pipelines/esrp/sign.yml@self
                    parameters:
                      displayName: 'Sign VFS for Git binaries'
                      folderPath: $(OutDir)\GVFS.Payload\bin\$(BuildConfiguration)\win-x64
                      # Only the executables named here are submitted.
                      # NOTE(review): anything else in this folder is presumably
                      # packaged as built -- keep the list in step with what the
                      # Payload actually ships.
                      pattern: |
                        GitHooksLoader.exe
                        GVFS.exe
                        GVFS.Hooks.exe
                        GVFS.Mount.exe
                        GVFS.PostIndexChangedHook.exe
                        GVFS.ReadObjectHook.exe
                        GVFS.Service.exe
                        GVFS.VirtualFileSystemHook.exe
                      inlineOperation: |
                        [
                          {
                            "KeyCode": "CP-230012",
                            "OperationCode": "SigntoolSign",
                            "ToolName": "sign",
                            "ToolVersion": "1.0",
                            "Parameters": {
                              "OpusName": "Microsoft",
                              "OpusInfo": "https://www.microsoft.com",
                              "FileDigest": "/fd SHA256",
                              "PageHash": "/NPH",
                              "TimeStamp": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256"
                            }
                          },
                          {
                            "KeyCode": "CP-230012",
                            "OperationCode": "SigntoolVerify",
                            "ToolName": "sign",
                            "ToolVersion": "1.0",
                            "Parameters": {}
                          }
                        ]
                  - template: .azure-pipelines/esrp/sign.yml@self
                    parameters:
                      displayName: 'Sign FastFetch'
                      folderPath: $(OutDir)\FastFetch\bin\$(BuildConfiguration)\net10.0-windows10.0.17763.0\win-x64\publish
                      pattern: 'FastFetch.exe'
                      inlineOperation: |
                        [
                          {
                            "KeyCode": "CP-230012",
                            "OperationCode": "SigntoolSign",
                            "ToolName": "sign",
                            "ToolVersion": "1.0",
                            "Parameters": {
                              "OpusName": "Microsoft",
                              "OpusInfo": "https://www.microsoft.com",
                              "FileDigest": "/fd SHA256",
                              "PageHash": "/NPH",
                              "TimeStamp": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256"
                            }
                          },
                          {
                            "KeyCode": "CP-230012",
                            "OperationCode": "SigntoolVerify",
                            "ToolName": "sign",
                            "ToolVersion": "1.0",
                            "Parameters": {}
                          }
                        ]
              # Build the installer (Inno Setup compile) now that the Payload
              # binaries are signed. --no-dependencies ensures the Payload's
              # layout step does NOT re-run and overwrite our signed binaries
              # with unsigned originals from each project's individual bin
              # folder.
              - script: |
                  dotnet build "$(Build.SourcesDirectory)\GVFS\GVFS.Installers\GVFS.Installers.csproj" ^
                    -c $(BuildConfiguration) ^
                    --no-restore --no-dependencies ^
                    -p:GVFSVersion=$(GVFSVersion) || EXIT /B 1
                displayName: 'Build VFS for Git installer'
              # Second signing pass: the outer installer, which now wraps the
              # already-signed Payload binaries.
              - ${{ if eq(parameters.esrp, true) }}:
                  - template: .azure-pipelines/esrp/sign.yml@self
                    parameters:
                      displayName: 'Sign VFS for Git installer'
                      folderPath: $(OutDir)\GVFS.Installers\bin\$(BuildConfiguration)\win-x64
                      pattern: 'SetupGVFS.*.exe'
                      inlineOperation: |
                        [
                          {
                            "KeyCode": "CP-230012",
                            "OperationCode": "SigntoolSign",
                            "ToolName": "sign",
                            "ToolVersion": "1.0",
                            "Parameters": {
                              "OpusName": "Microsoft",
                              "OpusInfo": "https://www.microsoft.com",
                              "FileDigest": "/fd SHA256",
                              "PageHash": "/NPH",
                              "TimeStamp": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256"
                            }
                          },
                          {
                            "KeyCode": "CP-230012",
                            "OperationCode": "SigntoolVerify",
                            "ToolName": "sign",
                            "ToolVersion": "1.0",
                            "Parameters": {}
                          }
                        ]
              # Copies the build outputs into the staging directory that the
              # `outputs` entries above publish as pipeline artifacts.
              - script: |
                  $(Build.SourcesDirectory)\scripts\CreateBuildArtifacts.bat ^
                    $(BuildConfiguration) ^
                    $(Build.ArtifactStagingDirectory)
                displayName: 'Stage artifacts'
      - stage: release
        displayName: 'Release'
        dependsOn: [build]
        # Only publish a draft GitHub release when ESRP signing was enabled in
        # this run -- otherwise we would risk uploading unsigned installer
        # binaries to the public release workflow.
        # Both operands are template parameters, so they are fixed when the run
        # is queued. This stage has no signature check of its own: it relies on
        # this gate and on the SigntoolVerify operation in the build stage.
        condition: and(succeeded(), eq('${{ parameters.github }}', true), eq('${{ parameters.esrp }}', true))
        jobs:
          - job: github
            displayName: 'Publish GitHub release'
            pool:
              name: GitClientPME-1ESHostedPool-intel-pc
              image: win-x86_64-ado1es
              os: windows
            templateContext:
              type: releaseJob
              isProduction: true
              # Only the Installer and Symbols artifacts are brought into this
              # job; FastFetch and FunctionalTests are not part of the release.
              inputs:
                - input: pipelineArtifact
                  artifactName: Installer
                  targetPath: $(Pipeline.Workspace)/assets/Installer
                - input: pipelineArtifact
                  artifactName: Symbols
                  targetPath: $(Pipeline.Workspace)/assets/Symbols
            steps:
              - task: CopyFiles@2
                displayName: 'Gather PDB files'
                inputs:
                  SourceFolder: $(Pipeline.Workspace)/assets/Symbols
                  Contents: '**/*.pdb'
                  TargetFolder: $(Pipeline.Workspace)/_pdbs
              - task: ArchiveFiles@2
                displayName: 'Prepare PDB files for upload'
                inputs:
                  rootFolderOrFile: $(Pipeline.Workspace)/_pdbs
                  includeRootFolder: false
                  archiveType: zip
                  archiveFile: $(Pipeline.Workspace)/_final/Symbols.zip
                  replaceExistingArchive: true
              - task: CopyFiles@2
                displayName: 'Prepare installer for upload'
                inputs:
                  SourceFolder: $(Pipeline.Workspace)/assets/Installer
                  Contents: 'SetupGVFS.*.exe'
                  TargetFolder: $(Pipeline.Workspace)/_final
              # Creates the release as a draft and marks it pre-release. Every
              # file in _final is attached: the installer matched above and
              # Symbols.zip.
              - task: GitHubRelease@1
                displayName: 'Create draft GitHub Release'
                inputs:
                  gitHubConnection: $(githubConnectionName)
                  repositoryName: microsoft/VFSForGit
                  tag: 'v$(GVFSVersion)'
                  tagSource: userSpecifiedTag
                  title: 'VFS for Git $(GVFSVersion)'
                  isDraft: true
                  isPreRelease: true
                  addChangeLog: true
                  assets: |
                    $(Pipeline.Workspace)/_final/*