Files
2025-06-02 13:06:38 -07:00

329 lines
13 KiB
YAML

# Validation pipeline for manifest on pull requests.
variables:
WinGetSvc.PullRequestNumber: $[coalesce(variables.WinGetPullRequestNumber, variables['System.PullRequest.PullRequestNumber'])]
WinGetSvc.OperationId: $[coalesce(variables.WinGetOperationId, variables['Build.BuildNumber'])]
# Name of the run
name: '$(Build.DefinitionName)-$(Build.DefinitionVersion)-$(WinGetSvc.PullRequestNumber)-$(Date:yyyyMMdd)-$(Rev:r)'
trigger: none
pr:
branches:
include:
- master
paths:
include:
- manifests
resources:
repositories:
- repository: 1ESPipelineTemplates
type: git
name: 1ESPipelineTemplates/1ESPipelineTemplates
ref: refs/tags/release
extends:
template: v1/1ES.Official.PipelineTemplate.yml@1ESPipelineTemplates
parameters:
pool:
name: Azure-Pipelines-1ESPT-ExDShared
image: windows-2022
os: windows
customBuildTags:
- ES365AIMigrationTooling
settings:
skipBuildTagsForGitHubPullRequests: true
stages:
- stage: WinGetSvc_Validation
jobs:
# Agent phase. Process pull request changes and validate manifests.
- job: 'FileValidation'
displayName: 'Pull Request Validation'
variables:
skipComponentGovernanceDetection: ${{ true }}
runCodesignValidationInjection: ${{ false }}
timeoutInMinutes: 0
steps:
- checkout: self
persistCredentials: true
# Downloads all the setup files and its dependencies.
- task: AzureCLI@2
displayName: 'Azure Setup'
inputs:
azureSubscription: '$(WinGetSvc.DataAccess)'
scriptType: batch
scriptLocation: inlineScript
inlineScript: |
az storage blob download-batch --auth-mode login -d . --pattern * -s servicewrapper --output none --account-name $(ValidationStorageAccountName)
addSpnToEnvironment: true
- task: CmdLine@2
name: 'wingetsetup'
displayName: 'WinGet Setup'
env:
HOST_KEY: $(AzureFunctionHostKey)
SMART_SCREEN_ENDPOINT: $(AzFuncSmartScreenEndpoint)
DOMAIN_URLS_VALIDATION_ENDPOINT: $(AzFuncDomainUrlValEndpoint)
MANIFEST_POLICY_ENDPOINT: $(AzFuncManifestPolicyEndpoint)
SCAN_ENDPOINT: $(AzFuncScanEndpoint)
INSTALLATION_ENDPOINT: $(AzFuncInstallationVerificationEndpoint)
LABEL_ENDPOINT: $(AzFuncSetLabelOnPullRequestEndpoint)
LABEL_KEY: $(AzureFunctionLabelKey)
CATALOG_CONTENT_VERIFICATION_ENDPOINT: $(AzFuncCatalogContentVerificationEndpoint)
inputs:
script: 'winget_validation_setup.cmd'
workingDirectory: scripts
# Validates integrity of pull request.
- task: AzureCLI@2
displayName: 'Validate Pull Request'
inputs:
azureSubscription: '$(WinGetSvc.DataAccess)'
scriptType: batch
scriptLocation: inlineScript
inlineScript: |
WinGetSvcWrapper.exe process-pr --operationId %WINGETSVC_OPERATIONID%
addSpnToEnvironment: true
failOnStandardError: true
env:
ValidationStorageAccountName: $(ValidationStorageAccountName)
StorageManagedIdentityClientId: $(StorageManagedIdentityClientId)
WinGet:AppConfig:PrimaryEndpoint: $(AppConfigPrimaryEndpoint)
WinGet:AppConfig:SecondaryEndpoint: $(AppConfigSecondaryEndpoint)
DIApplicationInsightKey: $(DIApplicationInsightKey)
ExecutionEnvironment: $(WinGetSvc.ExecutionEnvironment)
# Validates manifest integrity.
- task: AzureCLI@2
displayName: 'Validate Manifest'
inputs:
azureSubscription: '$(WinGetSvc.DataAccess)'
scriptType: batch
scriptLocation: inlineScript
inlineScript: |
WinGetSvcWrapper.exe validate-manifests --operationId %WINGETSVC_OPERATIONID%
addSpnToEnvironment: true
failOnStandardError: true
env:
ValidationStorageAccountName: $(ValidationStorageAccountName)
CacheStorageAccountName: $(CacheStorageAccountName)
StorageManagedIdentityClientId: $(StorageManagedIdentityClientId)
WinGet:AppConfig:PrimaryEndpoint: $(AppConfigPrimaryEndpoint)
WinGet:AppConfig:SecondaryEndpoint: $(AppConfigSecondaryEndpoint)
DIApplicationInsightKey: $(DIApplicationInsightKey)
ExecutionEnvironment: $(WinGetSvc.ExecutionEnvironment)
# Agentless phase. Depends on previous job.
- job: 'ContentValidation'
pool: server
displayName: 'Manifest Content Validation'
timeoutInMinutes: 1500
dependsOn:
- 'FileValidation'
variables:
HostKeySecret: $[ dependencies.FileValidation.outputs['wingetsetup.hostkey']]
SmartScreenEndpointSecret: $[ dependencies.FileValidation.outputs['wingetsetup.smartScreenEndpoint']]
DomainUrlValidationEndpointSecret: $[ dependencies.FileValidation.outputs['wingetsetup.domainUrlValidationEndpoint']]
ManifestPolicyEndpointSecret: $[ dependencies.FileValidation.outputs['wingetsetup.manifestPolicyEndpoint']]
steps:
# Scans all the urls from manifest contents.
- task: AzureFunction@1
displayName: 'URLs Validation'
inputs:
function: '$(SmartScreenEndpointSecret)'
key: '$(HostKeySecret)'
body: |
{
"operationId": "$(WinGetSvc.OperationId)",
"buildId": "$(Build.BuildId)",
"projectId": "$(system.TeamProjectId)",
"planId": "$(system.PlanId)",
"jobId": "$(system.JobId)",
"timelineId": "$(system.TimelineId)",
"taskInstanceId": "$(system.TaskInstanceId)",
"repository": "$(build.repository.id)",
"pipelineType": "ValidationPipeline",
"pullRequestNumber": "$(WinGetSvc.PullRequestNumber)",
"buildSourceBranch": "$(build.SourceBranch)"
}
waitForCompletion: "true"
# Domain url validations.
- task: AzureFunction@1
displayName: 'URL Domain validation'
inputs:
function: '$(DomainUrlValidationEndpointSecret)'
key: '$(HostKeySecret)'
body: |
{
"operationId": "$(WinGetSvc.OperationId)",
"buildId": "$(Build.BuildId)",
"projectId": "$(system.TeamProjectId)",
"planId": "$(system.PlanId)",
"jobId": "$(system.JobId)",
"timelineId": "$(system.TimelineId)",
"taskInstanceId": "$(system.TaskInstanceId)",
"repository": "$(build.repository.id)",
"pipelineType": "ValidationPipeline",
"pullRequestNumber": "$(WinGetSvc.PullRequestNumber)",
"buildSourceBranch": "$(build.SourceBranch)"
}
waitForCompletion: "true"
# Manifest policy checks.
- task: AzureFunction@1
displayName: 'Manifest Policy Validation'
inputs:
function: '$(ManifestPolicyEndpointSecret)'
key: '$(HostKeySecret)'
body: |
{
"operationId": "$(WinGetSvc.OperationId)",
"buildId": "$(Build.BuildId)",
"projectId": "$(system.TeamProjectId)",
"planId": "$(system.PlanId)",
"jobId": "$(system.JobId)",
"timelineId": "$(system.TimelineId)",
"taskInstanceId": "$(system.TaskInstanceId)",
"repository": "$(build.repository.id)",
"pipelineType": "ValidationPipeline",
"pullRequestNumber": "$(WinGetSvc.PullRequestNumber)",
"buildSourceBranch": "$(build.SourceBranch)"
}
waitForCompletion: "true"
# Agentless phase. Depends on previous job.
- job: 'InstallerValidation'
pool: server
displayName: 'Installer Validation'
timeoutInMinutes: 1500
dependsOn:
- 'FileValidation'
- 'ContentValidation'
variables:
HostKeySecret: $[ dependencies.FileValidation.outputs['wingetsetup.hostkey']]
ScanEndpointSecret: $[ dependencies.FileValidation.outputs['wingetsetup.scanEndpoint']]
InstallationEndpointSecret: $[ dependencies.FileValidation.outputs['wingetsetup.installationEndpoint']]
steps:
# Scan installers in manifests.
- task: AzureFunction@1
displayName: 'Installers Scan'
inputs:
function: '$(ScanEndpointSecret)'
key: '$(HostKeySecret)'
body: |
{
"operationId": "$(WinGetSvc.OperationId)",
"buildId": "$(Build.BuildId)",
"projectId": "$(system.TeamProjectId)",
"planId": "$(system.PlanId)",
"jobId": "$(system.JobId)",
"timelineId": "$(system.TimelineId)",
"taskInstanceId": "$(system.TaskInstanceId)",
"repository": "$(build.repository.id)",
"pipelineType": "ValidationPipeline",
"pullRequestNumber": "$(WinGetSvc.PullRequestNumber)",
"buildSourceBranch": "$(build.SourceBranch)"
}
waitForCompletion: "true"
# Validates installation.
- task: AzureFunction@1
displayName: 'Installation Validation'
inputs:
function: '$(InstallationEndpointSecret)'
key: '$(HostKeySecret)'
body: |
{
"operationId": "$(WinGetSvc.OperationId)",
"buildId": "$(Build.BuildId)",
"projectId": "$(system.TeamProjectId)",
"planId": "$(system.PlanId)",
"jobId": "$(system.JobId)",
"timelineId": "$(system.TimelineId)",
"taskInstanceId": "$(system.TaskInstanceId)",
"repository": "$(build.repository.id)",
"pipelineType": "ValidationPipeline",
"pullRequestNumber": "$(WinGetSvc.PullRequestNumber)",
"buildSourceBranch": "$(build.SourceBranch)"
}
waitForCompletion: "true"
# Agentless phase. Depends on previous job.
- job: 'CatalogContentVerification'
pool: server
displayName: 'Catalog Content Verification'
timeoutInMinutes: 1500
dependsOn:
- 'FileValidation'
- 'ContentValidation'
- 'InstallerValidation'
variables:
HostKeySecret: $[ dependencies.FileValidation.outputs['wingetsetup.hostkey']]
CatalogContentVerificationEndpointSecret: $[ dependencies.FileValidation.outputs['wingetsetup.catalogContentVerificationEndpoint']]
steps:
# Catalog content verification
- task: AzureFunction@1
displayName: 'Catalog Content Verification'
inputs:
function: '$(CatalogContentVerificationEndpointSecret)'
key: '$(HostKeySecret)'
body: |
{
"operationId": "$(WinGetSvc.OperationId)",
"buildId": "$(Build.BuildId)",
"projectId": "$(system.TeamProjectId)",
"planId": "$(system.PlanId)",
"jobId": "$(system.JobId)",
"timelineId": "$(system.TimelineId)",
"taskInstanceId": "$(system.TaskInstanceId)",
"repository": "$(build.repository.id)",
"pipelineType": "ValidationPipeline",
"pullRequestNumber": "$(WinGetSvc.PullRequestNumber)",
"buildSourceBranch": "$(build.SourceBranch)"
}
waitForCompletion: "true"
# Agentless phase. Runs even if previous jobs failed.
- job: 'postvalidation'
pool: server
displayName: 'Post Validation'
dependsOn:
- 'FileValidation'
- 'ContentValidation'
- 'InstallerValidation'
- 'CatalogContentVerification'
condition: succeededOrFailed()
variables:
HostKeySecret: $[ dependencies.FileValidation.outputs['wingetsetup.hostkey']]
LabelKeySecret : $[ dependencies.FileValidation.outputs['wingetsetup.labelkey']]
LabelEndpointSecret: $[ dependencies.FileValidation.outputs['wingetsetup.labelEndpoint']]
steps:
# Set label in GitHub PullRequest.
- task: AzureFunction@1
displayName: 'Set Label'
inputs:
function: '$(LabelEndpointSecret)'
key: '$(LabelKeySecret)'
body: |
{
"operationId": "$(WinGetSvc.OperationId)",
"buildId": "$(Build.BuildId)",
"projectId": "$(system.TeamProjectId)",
"planId": "$(system.PlanId)",
"jobId": "$(system.JobId)",
"timelineId": "$(system.TimelineId)",
"taskInstanceId": "$(system.TaskInstanceId)",
"repository": "$(build.repository.id)",
"pipelineType": "ValidationPipeline",
"pullRequestNumber": "$(WinGetSvc.PullRequestNumber)",
"buildSourceBranch": "$(build.SourceBranch)"
}
waitForCompletion: "true"