diff --git a/.config/tsaoptions.json b/.config/tsaoptions.json
index 7552bd7226..786ef4331a 100644
--- a/.config/tsaoptions.json
+++ b/.config/tsaoptions.json
@@ -1,4 +1,5 @@ { + "codebaseName": "TFSMSAzure_PowerShell", "instanceUrl": "https://msazure.visualstudio.com", "projectName": "One", "areaPath": "One\\MGMT\\Compute\\Powershell\\Powershell\\PowerShell Core\\pwsh",
diff --git a/.pipelines/PowerShell-Coordinated_Packages-Official.yml b/.pipelines/PowerShell-Coordinated_Packages-Official.yml
index eddc5283df..a050300b1f 100644
--- a/.pipelines/PowerShell-Coordinated_Packages-Official.yml
+++ b/.pipelines/PowerShell-Coordinated_Packages-Official.yml
@@ -1,4 +1,4 @@ -name: UnifiedPackageBuild-$(Build.BuildId) +name: UnifiedPackageBuild-$(BUILD.SOURCEBRANCHNAME)-$(Build.BuildId) trigger: none parameters:
@@ -11,19 +11,23 @@ parameters: type: string default: 'fromBranch' - name: SKIP_SIGNING - displayName: Skip Signing + displayName: Debugging - Skip Signing type: string default: 'NO' - name: RUN_TEST_AND_RELEASE - displayName: Run Test and Release Artifacts Stage + displayName: Debugging - Run Test and Release Artifacts Stage type: boolean default: true - name: RUN_WINDOWS - displayName: Enable Windows Stage + displayName: Debugging - Enable Windows Stage type: boolean default: true - name: ENABLE_MSBUILD_BINLOGS - displayName: Enable MSBuild Binary Logs + displayName: Debugging - Enable MSBuild Binary Logs type: boolean default: false - name: FORCE_CODEQL displayName: Debugging - Enable CodeQL and set cadence to 1 hour type: boolean default: false
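Review bot: The displayName of the new FORCE_CODEQL parameter says only that it enables CodeQL and sets the cadence to 1 hour, but with the companion changes in this commit (`AnalyzeInPipeline: false`, documented there as "upload results", and `tsaEnabled: true` in the extends block) a forced run from any branch also uploads its results and, as far as the tsaEnabled comment indicates, can file TSA bugs — which is the consequence a person ticking a "Debugging" box should see. Consider `displayName: Debugging - Force CodeQL (1 hour cadence; uploads results and may file TSA bugs)`. The parameters block continues outside this hunk.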
@@ -74,6 +78,16 @@ variables: - group: mscodehub-feed-read-akv - name: ENABLE_MSBUILD_BINLOGS value: ${{ parameters.ENABLE_MSBUILD_BINLOGS }} + - ${{ if eq(parameters['FORCE_CODEQL'],'true') }}: # Cadence is hours before CodeQL will allow a re-upload of the database - name: CodeQL.Cadence value: 1 - name: CODEQL_ENABLED ${{ if or(eq(variables['Build.SourceBranch'], 'refs/heads/master'), eq(parameters['FORCE_CODEQL'],'true')) }}: value: true ${{ else }}: value: false + extends: template: v2/OneBranch.Official.CrossPlat.yml@onebranchTemplates
@@ -91,11 +105,10 @@ extends: enabled: false sbom: enabled: true - compiled: - ${{ if eq(variables['Build.SourceBranch'], 'refs/heads/master') }}: - enabled: true - ${{ else }}: - enabled: false + codeql: compiled: enabled: $(CODEQL_ENABLED) tsaEnabled: true # This enables TSA bug filing only for CodeQL 3000 credscan: enabled: true scanFolder: $(Build.SourcesDirectory)
diff --git a/.pipelines/templates/linux.yml b/.pipelines/templates/linux.yml
index 2e6f9c3e5e..7daa73f3a3 100644
--- a/.pipelines/templates/linux.yml
+++ b/.pipelines/templates/linux.yml
@@ -33,9 +33,9 @@ jobs: value: ${{ parameters.Runtime }} - name: ob_sdl_sbom_packageName value: 'Microsoft.Powershell.Linux.${{ parameters.Runtime }}' - - ${{ if eq(variables['Build.SourceBranch'], 'refs/heads/master') }}: - name: ob_sdl_codeql_compiled_enabled value: true + # We add this manually, so we need it disabled the OneBranch auto-injected one. - name: ob_sdl_codeql_compiled_enabled value: false steps: - checkout: self
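Review bot: Both new `eq(parameters['FORCE_CODEQL'],'true')` comparisons test a `type: boolean` parameter against the string 'true', so they only work through expression type coercion and read as if the parameter were a string like SKIP_SIGNING. `eq(parameters.FORCE_CODEQL, true)` states the intent directly in the outer `${{ if }}` and in the `${{ if or(...) }}` under CODEQL_ENABLED. The `# Cadence is hours ...` comment would also help readers more if it said that the lowered cadence is what makes repeated debug uploads possible, e.g. `# CodeQL refuses re-uploads within the cadence window (hours); 1 lets repeated debug runs upload.`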
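Review bot: `enabled: $(CODEQL_ENABLED)` hands the OneBranch template a runtime macro where the removed code passed a value fixed at template-expansion time with `${{ if }}`; if the template evaluates `globalSdl.codeql.compiled.enabled` during expansion it will see the literal string `$(CODEQL_ENABLED)` rather than true/false, and CodeQL would be silently off. Since CODEQL_ENABLED is itself assigned under `${{ if }}`/`${{ else }}` in the variables block, `enabled: ${{ variables.CODEQL_ENABLED }}` keeps the flag resolved at the same point as before — worth confirming against the template's contract. `tsaEnabled: true` now applies to every run with CodeQL on, including FORCE_CODEQL runs from non-master branches; if bug filing for branch-only findings is not wanted, `tsaEnabled: ${{ eq(variables['Build.SourceBranch'], 'refs/heads/master') }}` keeps filing master-only while still allowing forced scans. The extends block continues outside this hunk.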
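Review bot: The added comment `# We add this manually, so we need it disabled the OneBranch auto-injected one.` is ungrammatical and does not say what "this" is; suggested wording: `# CodeQL3000Init/Finalize are added explicitly in the steps below, so disable the CodeQL task OneBranch would otherwise inject.` The same comment is added in the windows-hosted-build.yml hunk at @@ -34,9 +34,9 @@. Note that the auto-injected scan is now off unconditionally while the explicit steps are gated on CODEQL_ENABLED, so a pipeline that consumes this template without defining that variable ends up with no CodeQL at all — worth a sentence in the same comment. The jobs block continues outside this hunk.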
@@ -54,12 +54,14 @@ jobs: repoRoot: $(PowerShellRoot) - task: CodeQL3000Init@0 # Add CodeQL Init task right before your 'Build' step. - condition: eq(variables['Build.SourceBranch'], 'refs/heads/master') + condition: eq(variables['CODEQL_ENABLED'], 'true') env: ob_restore_phase: true # Set ob_restore_phase to run this step before '🔒 Setup Signing' step. inputs: Enabled: true - AnalyzeInPipeline: true + # AnalyzeInPipeline: false = upload results # AnalyzeInPipeline: true = do not upload results AnalyzeInPipeline: false Language: csharp - pwsh: |
@@ -110,7 +112,7 @@ jobs: ob_restore_phase: true # Set ob_restore_phase to run this step before '🔒 Setup Signing' step. - task: CodeQL3000Finalize@0 # Add CodeQL Finalize task right after your 'Build' step. - condition: eq(variables['Build.SourceBranch'], 'refs/heads/master') + condition: eq(variables['CODEQL_ENABLED'], 'true') env: ob_restore_phase: true # Set ob_restore_phase to run this step before '🔒 Setup Signing' step.
diff --git a/.pipelines/templates/windows-hosted-build.yml b/.pipelines/templates/windows-hosted-build.yml
index 735ed7cc48..d8d5811df6 100644
--- a/.pipelines/templates/windows-hosted-build.yml
+++ b/.pipelines/templates/windows-hosted-build.yml
@@ -34,9 +34,9 @@ jobs: value: ${{ parameters.BuildConfiguration }} - name: ob_sdl_sbom_packageName value: 'Microsoft.Powershell.Windows.${{ parameters.Architecture }}' - - ${{ if eq(variables['Build.SourceBranch'], 'refs/heads/master') }}: - name: ob_sdl_codeql_compiled_enabled value: true + # We add this manually, so we need it disabled the OneBranch auto-injected one. - name: ob_sdl_codeql_compiled_enabled value: false steps: - checkout: self
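Review bot: The new `condition: eq(variables['CODEQL_ENABLED'], 'true')` makes this template depend on a variable that only the calling pipeline defines; where the removed `Build.SourceBranch` check was self-contained, an undefined CODEQL_ENABLED now evaluates to false and skips CodeQL without any error, which is the wrong failure mode for a security scan if other pipelines reuse linux.yml. A comment on the Init task such as `# CODEQL_ENABLED is set by the calling pipeline (PowerShell-Coordinated_Packages-Official.yml); if it is undefined this step is silently skipped.` would make the coupling visible, and exposing it as a template parameter with an explicit default would remove it. The same condition is repeated on the Finalize task at @@ -110,7 +112,7 @@ and in both windows-hosted-build.yml hunks, so any later change must be made in four places. The `AnalyzeInPipeline: false` comment is welcome, but since "upload results" also means findings are no longer evaluated in the pipeline, it should say where they are reviewed and whether anything still gates the build on them. The task list continues outside this hunk.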
@@ -55,12 +55,14 @@ jobs: repoRoot: $(PowerShellRoot) - task: CodeQL3000Init@0 # Add CodeQL Init task right before your 'Build' step. - condition: eq(variables['Build.SourceBranch'], 'refs/heads/master') + condition: eq(variables['CODEQL_ENABLED'], 'true') env: ob_restore_phase: true # Set ob_restore_phase to run this step before '🔒 Setup Signing' step. inputs: Enabled: true - AnalyzeInPipeline: true + # AnalyzeInPipeline: false = upload results # AnalyzeInPipeline: true = do not upload results AnalyzeInPipeline: false Language: csharp - pwsh: |
@@ -184,7 +186,7 @@ jobs: ob_restore_phase: true # Set ob_restore_phase to run this step before '🔒 Setup Signing' step. - task: CodeQL3000Finalize@0 # Add CodeQL Finalize task right after your 'Build' step. - condition: eq(variables['Build.SourceBranch'], 'refs/heads/master') + condition: eq(variables['CODEQL_ENABLED'], 'true') env: ob_restore_phase: true # Set ob_restore_phase to run this step before '🔒 Setup Signing' step.