PowerShell · adityapatwardhan · Jun 10, 2024 · Apr 22, 2024
diff --git a/.pipelines/PowerShell-Coordinated_Packages-Official.yml b/.pipelines/PowerShell-Coordinated_Packages-Official.yml
@@ -68,6 +68,7 @@ variables:
   - name: SKIP_SIGNING
     value: ${{ parameters.SKIP_SIGNING }}
   - group: 'AzDevOpsArtifacts'
+  - group: 'mscodehub-feed-read-akv'
 
 extends:
   template: v2/OneBranch.Official.CrossPlat.yml@onebranchTemplates

diff --git a/.pipelines/PowerShell-Packages-Official.yml b/.pipelines/PowerShell-Packages-Official.yml
@@ -0,0 +1,223 @@
+trigger: none # https://aka.ms/obpipelines/triggers
+
+parameters: # parameters are shown up in ADO UI in a build queue time
+  - name: 'debug'
+    displayName: 'Enable debug output'
+    type: boolean
+    default: false
+  - name: InternalSDKBlobURL
+    displayName: URL to the blob having internal .NET SDK
+    type: string
+    default: ' '
+  - name: ReleaseTagVar
+    displayName: Release Tag
+    type: string
+    default: 'fromBranch'
+  - name: SKIP_SIGNING
+    displayName: Skip Signing
+    type: string
+    default: 'NO'
+
+variables:
+  - name: CDP_DEFINITION_BUILD_COUNT
+    value: $[counter('', 0)] # needed for onebranch.pipeline.version task https://aka.ms/obpipelines/versioning
+  - name: system.debug
+    value: ${{ parameters.debug }}
+  - name: ENABLE_PRS_DELAYSIGN
+    value: 1
+  - name: ROOT
+    value: $(Build.SourcesDirectory)
+  - name: NUGET_XMLDOC_MODE
+    value: none
+  - name: nugetMultiFeedWarnLevel
+    value: none
+  - name: NugetSecurityAnalysisWarningLevel
+    value: none
+  - name: skipNugetSecurityAnalysis
+    value: true
+  - name: ReleaseTagVar
+    value: ${{ parameters.ReleaseTagVar }}
+  - name: ob_outputDirectory
+    value: '$(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT'
+  - name: WindowsContainerImage
+    value: 'onebranch.azurecr.io/windows/ltsc2019/vse2022:latest' # Docker image which is used to build the project https://aka.ms/obpipelines/containers
+  - name: LinuxContainerImage
+    value: mcr.microsoft.com/onebranch/cbl-mariner/build:2.0
+  - group: mscodehub-feed-read-akv
+
+resources:
+  pipelines:
+    - pipeline: CoOrdinatedBuildPipeline
+      source: 'PowerShell-Coordinated Packages-Official'
+      trigger:
+        branches:
+          include:
+            - master
+            - releases/*
+
+  repositories:
+    - repository: templates
+      type: git
+      name: OneBranch.Pipelines/GovernedTemplates
+      ref: refs/heads/main
+
+extends:
+  template: v2/OneBranch.Official.CrossPlat.yml@templates # https://aka.ms/obpipelines/templates
+  parameters:
+    cloudvault: # https://aka.ms/obpipelines/cloudvault
+      enabled: false
+    featureFlags:
+      linuxEsrpSigning: true
+    globalSdl:
+      disableLegacyManifest: true
+      # disabled Armorty as we dont have any ARM templates to scan. It fails on some sample ARM templates.
+      armory:
+        enabled: false
+      sbom:
+        enabled: true
+      compiled:
+        enabled: false
+      credscan:
+        enabled: true
+        scanFolder:  $(Build.SourcesDirectory)
+        suppressionsFile: $(Build.SourcesDirectory)\.config\suppress.json
+      cg:
+        enabled: true
+        ignoreDirectories: '.devcontainer,demos,docker,docs,src,test,tools/packaging'
+      asyncSdl: # https://aka.ms/obpipelines/asyncsdl
+        enabled: true
+        forStages: ['build']
+        credscan:
+          enabled: true
+          scanFolder:  $(Build.SourcesDirectory)
+          suppressionsFile: $(Build.SourcesDirectory)\PowerShell\.config\suppress.json
+        binskim:
+          enabled: false
+        # APIScan requires a non-Ready-To-Run build
+        apiscan:
+          enabled: false
+        tsaOptionsFile: .config\tsaoptions.json
+    stages:
+    - stage: mac_package
+      jobs:
+      - template: /.pipelines/templates/mac-package-build.yml@self
+        parameters:
+          buildArchitecture: x64
+
+      - template: /.pipelines/templates/mac-package-build.yml@self
+        parameters:
+          buildArchitecture: arm64
+
+    - stage: windows_package
+      jobs:
+      - template: /.pipelines/templates/windows-package-build.yml@self
+        parameters:
+          runtime: x64
+
+      - template: /.pipelines/templates/windows-package-build.yml@self
+        parameters:
+          runtime: arm64
+
+      - template: /.pipelines/templates/windows-package-build.yml@self
+        parameters:
+          runtime: x86
+
+      - template: /.pipelines/templates/windows-package-build.yml@self
+        parameters:
+          runtime: fxdependent
+
+      - template: /.pipelines/templates/windows-package-build.yml@self
+        parameters:
+          runtime: fxdependentWinDesktop
+
+      - template: /.pipelines/templates/windows-package-build.yml@self
+        parameters:
+          runtime: minsize
+
+    - stage: linux_package
+      jobs:
+      - template: /.pipelines/templates/linux-package-build.yml@self
+        parameters:
+          unsignedDrop: 'drop_linux_build_linux_x64'
+          signedDrop: 'drop_linux_sign_linux_x64'
+          packageType: deb
+          jobName: deb
+
+      - template: /.pipelines/templates/linux-package-build.yml@self
+        parameters:
+          unsignedDrop: 'drop_linux_build_linux_fxd_x64_mariner'
+          signedDrop: 'drop_linux_sign_linux_fxd_x64_mariner'
+          packageType: rpm-fxdependent  #mariner-x64
+          jobName: mariner_x64
+
+      - template: /.pipelines/templates/linux-package-build.yml@self
+        parameters:
+          unsignedDrop: 'drop_linux_build_linux_fxd_arm64_mariner'
+          signedDrop: 'drop_linux_sign_linux_fxd_arm64_mariner'
+          packageType: rpm-fxdependent-arm64 #mariner-arm64
+          jobName: mariner_arm64
+
+      - template: /.pipelines/templates/linux-package-build.yml@self
+        parameters:
+          unsignedDrop: 'drop_linux_build_linux_x64'
+          signedDrop: 'drop_linux_sign_linux_x64'
+          packageType: rpm
+          jobName: rpm
+
+      - template: /.pipelines/templates/linux-package-build.yml@self
+        parameters:
+          unsignedDrop: 'drop_linux_build_linux_arm'
+          signedDrop: 'drop_linux_sign_linux_arm'
+          packageType: tar-arm
+          jobName: tar_arm
+
+      - template: /.pipelines/templates/linux-package-build.yml@self
+        parameters:
+          unsignedDrop: 'drop_linux_build_linux_arm64'
+          signedDrop: 'drop_linux_sign_linux_arm64'
+          packageType: tar-arm64
+          jobName: tar_arm64
+
+      - template: /.pipelines/templates/linux-package-build.yml@self
+        parameters:
+          unsignedDrop: 'drop_linux_build_linux_x64_alpine'
+          signedDrop: 'drop_linux_sign_linux_x64_alpine'
+          packageType: tar-alpine
+          jobName: tar_alpine
+
+      - template: /.pipelines/templates/linux-package-build.yml@self
+        parameters:
+          unsignedDrop: 'drop_linux_build_linux_fxd'
+          signedDrop: 'drop_linux_sign_linux_fxd'
+          packageType: fxdependent
+          jobName: fxdependent
+
+      - template: /.pipelines/templates/linux-package-build.yml@self
+        parameters:
+          unsignedDrop: 'drop_linux_build_linux_x64'
+          signedDrop: 'drop_linux_sign_linux_x64'
+          packageType: tar
+          jobName: tar
+
+      - template: /.pipelines/templates/linux-package-build.yml@self
+        parameters:
+          unsignedDrop: 'drop_linux_build_linux_fxd_x64_alpine'
+          signedDrop: 'drop_linux_sign_linux_fxd_x64_alpine'
+          packageType: tar-alpine-fxdependent
+          jobName: tar_alpine_fxd
+
+      - template: /.pipelines/templates/linux-package-build.yml@self
+        parameters:
+          unsignedDrop: 'drop_linux_build_linux_x64_minSize'
+          signedDrop: 'drop_linux_sign_linux_x64_minSize'
+          packageType: min-size
+          jobName: minSize
+
+    - stage: nupkg
+      jobs:
+      - template: /.pipelines/templates/nupkg.yml@self
+
+    - stage: upload
+      dependsOn: [mac_package, windows_package, linux_package, nupkg]
+      jobs:
+      - template: /.pipelines/templates/uploadToAzure.yml@self
diff --git a/.pipelines/templates/SetVersionVariables.yml b/.pipelines/templates/SetVersionVariables.yml
@@ -13,7 +13,7 @@ steps:
       downloadPath: '$(System.ArtifactsDirectory)'
     displayName: Download Build Info Json
     env:
-      ob_restore_phase: true # This ensures checkout is done at the beginning of the restore phase
+      ob_restore_phase: true # This ensures this done in restore phase to workaround signing issue
 
 - powershell: |
     $path = "./build.psm1"
@@ -43,7 +43,7 @@ steps:
     }
   displayName: 'Set repo Root'
   env:
-    ob_restore_phase: true # This ensures checkout is done at the beginning of the restore phase
+    ob_restore_phase: true # This ensures this done in restore phase to workaround signing issue
 
 - powershell: |
     $createJson = ("${{ parameters.CreateJson }}" -ne "no")
@@ -58,11 +58,11 @@ steps:
     Write-Host "##$vstsCommandString"
   displayName: 'Set ${{ parameters.ReleaseTagVarName }} and other version Variables'
   env:
-    ob_restore_phase: true # This ensures checkout is done at the beginning of the restore phase
+    ob_restore_phase: true # This ensures this done in restore phase to workaround signing issue
 
 - powershell: |
     Get-ChildItem -Path env:
   displayName: Capture environment
   condition: succeededOrFailed()
   env:
-    ob_restore_phase: true # This ensures checkout is done at the beginning of the restore phase
+    ob_restore_phase: true # This ensures this done in restore phase to workaround signing issue
diff --git a/.pipelines/templates/insert-nuget-config-azfeed.yml b/.pipelines/templates/insert-nuget-config-azfeed.yml
@@ -5,7 +5,7 @@ steps:
 - pwsh: |
     $configPath = "${env:NugetConfigDir}/nuget.config"
     Import-Module ${{ parameters.repoRoot }}/build.psm1 -Force
-    New-NugetConfigFile -NugetFeedUrl $(PowerShellCore_PublicPackages) -UserName $(AzDevOpsFeedUserName) -ClearTextPAT $(AzDevOpsFeedUserName) -FeedName AzDevOpsFeed -Destination "${env:NugetConfigDir}"
+    New-NugetConfigFile -NugetFeedUrl $(PowerShellCore_PublicPackages) -UserName $(AzDevopsFeedUserNameKVPAT) -ClearTextPAT $(mscodehubPackageReadPat) -FeedName AzDevOpsFeed -Destination "${env:NugetConfigDir}"
     if(-not (Test-Path $configPath))
     {
         throw "nuget.config is not created"
@@ -20,7 +20,7 @@ steps:
 - pwsh: |
     $configPath = "${env:NugetConfigDir}/nuget.config"
     Import-Module ${{ parameters.repoRoot }}/build.psm1 -Force
-    New-NugetConfigFile -NugetFeedUrl $(PowerShellCore_PublicPackages) -UserName $(AzDevOpsFeedUserName) -ClearTextPAT $(AzDevOpsFeedUserName) -FeedName AzDevOpsFeed -Destination "${env:NugetConfigDir}"
+    New-NugetConfigFile -NugetFeedUrl $(PowerShellCore_PublicPackages) -UserName $(AzDevopsFeedUserNameKVPAT) -ClearTextPAT $(mscodehubPackageReadPat) -FeedName AzDevOpsFeed -Destination "${env:NugetConfigDir}"
     if(-not (Test-Path $configPath))
     {
         throw "nuget.config is not created"