azure-pipelines-release.yml
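# azure-pipelines-release.yml
# Release pipeline: takes the 'PackageArtifactsSbom' artifact from a run of the
# 'ef6-ci-official' pipeline, waits for a manual approval, verifies the package
# signatures, and then pushes the packages to NuGet.org.

# Never started by a commit; a run has to be queued explicitly.
trigger: none
name: $(Date:yyyyMMdd).$(Rev:r)
appendCommitMessageToRunName: false

variables:
  - template: /eng/common/templates-official/variables/pool-providers.yml@self

resources:
  pipelines:
    # Source of the packages that get published. No branch or tag filter is
    # declared on this resource here, so the approval step below is the only
    # visible control over which run is released.
    - pipeline: 'ef6-ci-official'
      project: 'internal'
      source: 'dotnet\ef6\ef6-ci-official'
  repositories:
    - repository: 1ESPipelineTemplates
      type: git
      name: 1ESPipelineTemplates/1ESPipelineTemplates
      # NOTE(review): this is a tag ref, not a commit id, so the template
      # content is resolved when the run starts - confirm that is intended.
      ref: refs/tags/release

extends:
  template: v1/1ES.Official.PipelineTemplate.yml@1ESPipelineTemplates
  parameters:
    pool:
      name: $(DncEngInternalBuildPool)
      image: 1es-windows-2022
      os: windows
    # Note: 'Permissive,CFSClean' blocks NuGet.org - must use just 'Permissive'
    settings:
      networkIsolationPolicy: Permissive
    featureFlags:
      sdlNugetPathOptimization: true
    stages:
      - stage: Nuget
        displayName: Push to Nuget.org
        jobs:
          # Agentless gate: nothing is published until a listed approver
          # accepts.
          - job: PreDeploymentApprovalJob
            displayName: Pre-Deployment Approval
            condition: succeeded()
            # 43200 minutes = 30 days of waiting for an approval.
            timeoutInMinutes: 43200
            pool: server
            steps:
              - task: ManualValidation@1
                inputs:
                  # The run id and source branch are shown so the approver can
                  # check which build is about to be published.
                  instructions: 'Approve publishing the packages from the EF6 build $(resources.pipeline.ef6-ci-official.runID) from branch $(resources.pipeline.ef6-ci-official.sourceBranch) to NuGet.org'
                  # The person who queued the run cannot approve it themselves.
                  allowApproversToApproveTheirOwnRuns: false
                  notifyUsers: |-
                    ansvyryd@microsoft.com,
                    sampatel@microsoft.com,
                    artl@microsoft.com
                  approvers: |-
                    ansvyryd@microsoft.com,
                    sampatel@microsoft.com,
                    artl@microsoft.com

          # Runs only after the approval job has succeeded.
          - job: Deploy
            dependsOn: PreDeploymentApprovalJob
            condition: succeeded()
            templateContext:
              type: releaseJob
              isProduction: true
              inputs:
                - input: pipelineArtifact
                  pipeline: 'ef6-ci-official'
                  artifactName: 'PackageArtifactsSbom'
                  targetPath: '$(Pipeline.Workspace)/PackageArtifactsSbom'
            steps:
              - task: NuGetToolInstaller@1
                displayName: Use NuGet 7.x
                inputs:
                  # NOTE(review): '7.x' with checkLatest lets the client that
                  # verifies and pushes change between runs; pin an exact
                  # version if releases must be reproducible.
                  versionSpec: 7.x
                  checkLatest: true

              - powershell: |
                  # Fail the release unless every package passes
                  # 'nuget verify -Signatures'.
                  # NOTE(review): this proves each package carries a valid
                  # signature, not that the expected certificate signed it. To
                  # pin the signer, pass
                  # -CertificateFingerprint <EXPECTED_SHA256_FINGERPRINT>.
                  $packagesPath = "$(Pipeline.Workspace)/PackageArtifactsSbom"

                  Write-Host "=== Verifying Package Signatures ==="

                  # @() keeps this an array even when a single file matches.
                  # NOTE(review): *.symbols.nupkg files are skipped here, but
                  # the push step's '**/*.nupkg' glob does not exclude them.
                  $packages = @(Get-ChildItem -Path $packagesPath -Filter "*.nupkg" -Recurse |
                      Where-Object { $_.Name -notlike "*.symbols.nupkg" })

                  # An empty artifact must not count as "everything verified".
                  if ($packages.Count -eq 0) {
                      Write-Error "No packages found in $packagesPath"
                      exit 1
                  }

                  $failedVerification = @()

                  foreach ($package in $packages) {
                      Write-Host "Verifying: $($package.Name)"

                      # Switch to 'Continue' while nuget runs so that its
                      # stderr output (merged by 2>&1) does not abort the
                      # script; the result is judged by the exit code alone.
                      $originalErrorActionPreference = $ErrorActionPreference
                      $ErrorActionPreference = 'Continue'
                      $result = & nuget verify -Signatures $package.FullName 2>&1
                      $verifyExitCode = $LASTEXITCODE
                      $ErrorActionPreference = $originalErrorActionPreference

                      if ($verifyExitCode -ne 0) {
                          Write-Host "  ❌ Signature verification FAILED"
                          # One log line per output line; passing the array
                          # straight to Write-Host joins it into a single line.
                          $result | ForEach-Object { Write-Host $_ }
                          $failedVerification += $package.Name
                      }
                      else {
                          Write-Host "  ✓ Signature valid"
                      }
                  }

                  # Every package is checked before failing, so the log lists
                  # all of the bad ones in one run.
                  if ($failedVerification.Count -gt 0) {
                      Write-Host ""
                      Write-Host "=== SIGNATURE VERIFICATION FAILED ==="
                      foreach ($pkg in $failedVerification) {
                          Write-Host "  - $pkg"
                      }
                      Write-Error "Package signature verification failed. Aborting release."
                      exit 1
                  }

                  Write-Host ""
                  Write-Host "✓ All $($packages.Count) packages passed signature verification"
                displayName: Verify Package Signatures

              - task: 1ES.PublishNuGet@1
                displayName: 'NuGet push'
                inputs:
                  useDotNetTask: false
                  packageParentPath: '$(Pipeline.Workspace)/PackageArtifactsSbom'
                  # NOTE(review): this glob is wider than the verified set -
                  # it also matches *.symbols.nupkg, which the signature check
                  # skips. Keep the two selections in step.
                  packagesToPush: $(Pipeline.Workspace)/PackageArtifactsSbom/**/*.nupkg
                  nuGetFeedType: external
                  # Name of the service connection that holds the NuGet.org
                  # credential; the secret itself is not in this file.
                  publishFeedCredentials: nuget.org (efcore client owner)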