Publish openapi-diff Using ERSP (#337)

scbedd · web-flow · commit 92878dfb4e9f · 2024-06-18T13:39:38.000-07:00
* use 1es templates for artifact scanning
* publish using esrp
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -141,10 +141,9 @@ npm list -g oad # Should denote no packages installed
 
 ## Publish the package
 
-- Ensure you bumped the package version in `openapi-diff` `package.json`.
-- Verify [`public.openapi-diff`] passed.
-- Use [`js - tools to npm - publish (@azure)`] to publish the package to the public `npm` feed.
-- Verify in [`@azure/oad` versions] the package was published.
+- Ensure you bumped the package version in [`openapi-diff`] `package.json`.
+- Queue a run of the [`openapi-diff-build`] and approve the 'publish' stage.
+- Verify in [`@azure/oad` versions] the package was published on npmjs.org.
 - Save it to `openapi-platform` feed via [upstream feeds of `openapi-platform`].
 - To make `openapi-alps` use the newly published package:
   - Ensure that you update the minimum package version in  relevant `package.json` files and then run `rush update` and commit the changes.
@@ -160,7 +159,7 @@ npm list -g oad # Should denote no packages installed
 [`dotnet test`]: https://learn.microsoft.com/en-us/dotnet/core/tools/dotnet-test
 [`npm link`]: https://docs.npmjs.com/cli/v10/commands/npm-link
 [the cache]: https://docs.npmjs.com/cli/v10/configuring-npm/folders#cache
-[`js - tools to npm - publish (@azure)`]: https://dev.azure.com/azure-sdk/internal/_release?definitionId=24&_a=releases&view=mine
+[`openapi-diff-build`]: https://dev.azure.com/azure-sdk/internal/_build/index?definitionId=7030
 [`public.openapi-diff`]: https://dev.azure.com/azure-sdk/public/_build?definitionId=135&_a=summary
 [upstream feeds of `openapi-platform`]: https://devdiv.visualstudio.com/DevDiv/_artifacts/feed/openapi-platform/Npm/@azure%2Foad/upstreams/
 [`@azure/oad` versions]: https://www.npmjs.com/package/@azure/oad?activeTab=versions
diff --git a/azure-pipelines.yml b/azure-pipelines.yml
@@ -1,64 +1,93 @@
 trigger:
 - main
 
-variables:
-  Codeql.Enabled: true
+extends:
+  template: /eng/1es-redirect.yml
+  parameters:
+    stages:
+    - stage: Build
+      variables:
+        - template: /eng/image.yml
+      jobs:
+        - job: Build_linux
 
-strategy:
-  matrix:
-    Linux:
-      Pool: azsdk-pool-mms-ubuntu-2204-general
-      OsVmImage: ubuntu-22.04
-      TargetFolder: drop-linux
-    Windows:
-      Pool: azsdk-pool-mms-win-2022-general
-      OsVmImage: windows-2022
-      TargetFolder: drop
+          pool:
+            name: $(LINUXPOOL)
+            image: $(LINUXVMIMAGE)
+            os: linux
 
-pool:
-  name: $(Pool)
-  vmImage: $(OSVmImage)
+          steps:
+            - template: /eng/test-steps.yml
+              parameters:
+                ArtifactName: drop-linux
 
-steps:
-- script: npm ci
-  displayName: npm ci
-- script: npm run lint
-  displayName: lint
-- script: npm run prettier
-  displayName: prettier
-- script: npm test
-  displayName: test
-- script: npm pack
-  displayName: pack
-- task: CopyFiles@2
-  displayName: 'Copy Files to: $(TargetFolder)'
-  inputs:
-    Contents: '*.tgz'
-    TargetFolder: $(TargetFolder)
-- task: PublishBuildArtifacts@1
-  inputs:
-    pathtoPublish: $(Build.SourcesDirectory)/$(TargetFolder)
-    artifactName: $(TargetFolder)
+        - job: Build_Windows
 
-- task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@2 # CredScan@2
-  inputs:
-    toolMajorVersion: 'V2'
-  condition: and(succeeded(), eq(variables['Agent.OS'],'Windows_NT')) # CredScan only supported on Windows
+          pool:
+            name: $(WINDOWSPOOL)
+            image: $(WINDOWSVMIMAGE)
+            os: windows
 
-- task: securedevelopmentteam.vss-secure-development-tools.build-task-postanalysis.PostAnalysis@1 # PostAnalysis@1
-  inputs:
-    AllTools: false
-    APIScan: false
-    BinSkim: false
-    CodesignValidation: false
-    CredScan: true
-    FortifySCA: false
-    FxCop: false
-    ModernCop: false
-    PoliCheck: false
-    RoslynAnalyzers: false
-    SDLNativeRules: false
-    Semmle: false
-    TSLint: false
-    ToolLogsNotFoundAction: 'Standard'
-  condition: and(succeeded(), eq(variables['Agent.OS'],'Windows_NT')) # CredScan only supported on Windows
+          steps:
+            - template: /eng/test-steps.yml
+              parameters:
+                ArtifactName: drop
+
+
+    # only include if running on `internal` build with manual queue, otherwise never include
+    - ${{ if and(in(variables['Build.Reason'], 'Manual', ''), eq(variables['System.TeamProject'], 'internal'))}}:
+      - stage: Publish
+        displayName: Publish
+        dependsOn: Build_And_Test
+
+        jobs:
+          - deployment: Publish
+            environment: 'package-publish'
+            pool:
+              name: azsdk-pool-mms-ubuntu-2004-general
+              image: azsdk-pool-mms-ubuntu-2004-1espt
+              os: linux
+
+            strategy:
+              runOnce:
+                deploy:
+                  steps:
+                  - checkout: self
+                    submodules: false
+
+                  - download: current
+                    artifact: drop
+                    timeoutInMinutes: 5
+
+                  - task: PowerShell@2
+                    inputs:
+                      filePath: '$(Build.SourcesDirectory)/eng/scripts/determine-release-tag.ps1'
+                      failOnStderr: true
+                      pwsh: true
+
+                  - pwsh: |
+                      Write-Host "Will deploy with tag of $(Tag)"
+                      Get-ChildItem "$(Pipeline.Workspace)/drop" -Recurse -Force `
+                        | Where-Object { $_.Name -like "*.tgz" } `
+                        | Copy-Item -Destination "$(Build.ArtifactStagingDirectory)"
+
+                      Get-ChildItem "$(Build.ArtifactStagingDirectory)" -Recurse -Force | % { Write-Host $_.FullName }
+                    displayName: Move artifact to $(Build.ArtifactStagingDirectory)
+
+                  - task: EsrpRelease@7
+                    inputs:
+                      displayName: 'Publish oav to ESRP'
+                      ConnectedServiceName: 'Azure SDK Engineering System'
+                      ClientId: '5f81938c-2544-4f1f-9251-dd9de5b8a81b'
+                      KeyVaultName: 'AzureSDKEngKeyVault'
+                      AuthCertName: 'azure-sdk-esrp-release-auth-certificate'
+                      SignCertName: 'azure-sdk-esrp-release-sign-certificate'
+                      Intent: 'PackageDistribution'
+                      ContentType: 'npm'
+                      FolderLocation: $(Build.ArtifactStagingDirectory)
+                      Owners: ${{ coalesce(variables['Build.RequestedForEmail'], 'azuresdk@microsoft.com') }}
+                      Approvers: 'azuresdk@microsoft.com'
+                      ServiceEndpointUrl: 'https://api.esrp.microsoft.com'
+                      MainPublisher: 'ESRPRELPACMANTEST'
+                      DomainTenantId: '72f988bf-86f1-41af-91ab-2d7cd011db47'
+                      productstate: $(Tag)
diff --git a/eng/1es-redirect.yml b/eng/1es-redirect.yml
@@ -0,0 +1,64 @@
+resources:
+  repositories:
+    - repository: 1ESPipelineTemplates
+      type: git
+      name: 1ESPipelineTemplates/1ESPipelineTemplates
+      ref: refs/tags/release
+    - repository: 1ESPipelineTemplatesCanary
+      type: git
+      name: 1ESPipelineTemplates/1ESPipelineTemplates
+      ref: refs/tags/canary
+
+parameters:
+  - name: stages
+    type: stageList
+    default: []
+  - name: Use1ESOfficial
+    type: boolean
+    default: true
+  - name: oneESTemplateTag
+    type: string
+    default: release
+
+extends:
+  ${{ if and(parameters.Use1ESOfficial, eq(parameters.oneESTemplateTag, 'canary')) }}:
+    template: v1/1ES.Official.PipelineTemplate.yml@1ESPipelineTemplatesCanary
+  ${{ elseif eq(parameters.oneESTemplateTag, 'canary') }}:
+    template: v1/1ES.Unofficial.PipelineTemplate.yml@1ESPipelineTemplatesCanary
+  ${{ elseif and(parameters.Use1ESOfficial, eq(variables['System.TeamProject'], 'internal')) }}:
+    template: v1/1ES.Official.PipelineTemplate.yml@1ESPipelineTemplates
+  ${{ else }}:
+    template: v1/1ES.Unofficial.PipelineTemplate.yml@1ESPipelineTemplates
+  parameters:
+    ${{ if eq(parameters.oneESTemplateTag, 'canary') }}:
+      # Enable 1es template team to verify validation has been run on canary
+      customBuildTags:
+        - 1ES.PT.Tag-refs/tags/canary
+    settings:
+      skipBuildTagsForGitHubPullRequests: true
+    sdl:
+      git:
+        longpaths: true
+        submodules: false
+      sourceRepositoriesToScan:
+        include:
+          - repository: self
+            submodule: false
+        runInSingleJob: true
+      sourceAnalysisPool:
+        name: azsdk-pool-mms-win-2022-general
+        image: azsdk-pool-mms-win-2022-1espt
+        os: windows
+      eslint:
+        enabled: false
+        justificationForDisabling: "ESLint injected task has failures because it uses an old version of mkdirp. We should not fail for tools not controlled by the repo. See: https://dev.azure.com/azur     19 e-sdk/internal/_build/results?buildId=3556850"
+      codeql:
+        compiled:
+          enabled: false
+          justificationForDisabling: "CodeQL times our pipelines out by running for 2+ hours before being force canceled."
+      psscriptanalyzer:
+        compiled: true
+        break: true
+      policy: M365
+
+    stages: ${{ parameters.stages }}
diff --git a/eng/image.yml b/eng/image.yml
@@ -0,0 +1,26 @@
+# Default pool image selection. Set as variable so we can override at pipeline level
+
+variables:
+  - name: LINUXPOOL
+    value: azsdk-pool-mms-ubuntu-2004-general
+  - name: WINDOWSPOOL
+    value: azsdk-pool-mms-win-2022-general
+  - name: MACPOOL
+    value: Azure Pipelines
+
+  - name: LINUXVMIMAGE
+    value: azsdk-pool-mms-ubuntu-2004-1espt
+  - name: LINUXNEXTVMIMAGE
+    value: ubuntu-22.04
+  - name: WINDOWSVMIMAGE
+    value: azsdk-pool-mms-win-2022-1espt
+  - name: MACVMIMAGE
+    value: macos-11
+
+  # Values required for pool.os field in 1es pipeline templates
+  - name: LINUXOS
+    value: linux
+  - name: WINDOWSOS
+    value: windows
+  - name: MACOS
+    value: macOS
diff --git a/eng/publish-1es-artifact.yml b/eng/publish-1es-artifact.yml
@@ -0,0 +1,32 @@
+# This step is used to prevent duplication of artifact publishes when there is an issue that would prevent the overall success of the job.
+# Ensuring that we only publish when successful (and two a differently named artifact otherwise) will allow easy retry on a build pipeline
+# without running into the "cannot override artifact" failure when we finally do get a passing run.
+
+# ArtifactName - The name of the artifact in the "successful" case.
+# ArtifactPath - The path we will be publishing.
+# CustomCondition - Used if there is additional logic necessary to prevent attempt of publish.
+# SbomEnabled - Set whether to auto-inject 1es pipeline template sbom tasks
+
+parameters:
+  ArtifactName: ""
+  ArtifactPath: ""
+  CustomCondition: true
+  SbomEnabled: true
+
+steps:
+  - pwsh: |
+      if ($env:AGENT_JOBSTATUS -eq "Failed") {
+        Write-Host "##vso[task.setvariable variable=PublishArtifactName;]${{ parameters.ArtifactName }}-FailedAttempt$(System.JobAttempt)"
+      } else {
+        Write-Host "##vso[task.setvariable variable=PublishArtifactName;]${{ parameters.ArtifactName }}"
+      }
+    condition: and(succeededOrFailed(), ${{ parameters.CustomCondition }})
+    displayName: Set Artifact Name $(Agent.JobStatus)
+
+  - task: 1ES.PublishPipelineArtifact@1
+    condition: and(succeededOrFailed(), ${{ parameters.CustomCondition }})
+    displayName: "Publish ${{ parameters.ArtifactName }} Artifacts"
+    inputs:
+      artifactName: "$(PublishArtifactName)"
+      targetPath: "${{ parameters.ArtifactPath }}"
+      sbomEnabled: ${{ parameters.SbomEnabled }}
diff --git a/eng/scripts/determine-release-tag.ps1 b/eng/scripts/determine-release-tag.ps1
@@ -0,0 +1,18 @@
+# Read the package.json file
+$packageJsonPath = "$PSScriptRoot/../../package.json"
+$packageJson = Get-Content $packageJsonPath -Raw | ConvertFrom-Json
+
+# Function to check if a version is non-GA
+function Is-NonGA($version) {
+    return $version -match "-(alpha|beta|rc|pre)"
+}
+
+$pkgVersion = $packageJson.version
+
+if (Is-NonGA($pkgVersion)) {
+    Write-Host "##vso[task.setvariable variable=Tag;]beta"
+}
+else {
+    Write-Host "##vso[task.setvariable variable=Tag;]latest"
+}
+
diff --git a/eng/test-steps.yml b/eng/test-steps.yml
@@ -0,0 +1,26 @@
+parameters:
+  - name: ArtifactName
+    type: string
+    default: "drop"
+
+steps:
+  - script: npm ci
+    displayName: npm ci
+  - script: npm run lint
+    displayName: lint
+  - script: npm run prettier
+    displayName: prettier
+  - script: npm test
+    displayName: test
+  - script: npm pack
+    displayName: pack
+  - task: CopyFiles@2
+    displayName: "Copy Files to Staging"
+    inputs:
+      Contents: "*.tgz"
+      TargetFolder: $(Build.ArtifactStagingDirectory)
+
+  - template: /eng/publish-1es-artifact.yml
+    parameters:
+      ArtifactName: ${{ parameters.ArtifactName }}
+      ArtifactPath: $(Build.ArtifactStagingDirectory)
