Ensure the official build files CodeQL issues (#24278)

* Enable and Disable CodeQL in the right places during the official build

* fix codeql condition

* fix syntax error

* Enable codeQL issue filing

* use parameter instead of branch to force codeql

* try to name the build better

* Update .pipelines/PowerShell-Coordinated_Packages-Official.yml

* add debugging to display name of debugging parameters

* fix spacing

* Update .pipelines/PowerShell-Coordinated_Packages-Official.yml
This commit is contained in:
Travis Plunk 2024-09-12 10:11:55 -07:00 committed by GitHub
parent 50e99a2489
commit a42e5dbd1d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 40 additions and 22 deletions


@ -1,4 +1,5 @@
{ {
"codebaseName": "TFSMSAzure_PowerShell",
"instanceUrl": "https://msazure.visualstudio.com", "instanceUrl": "https://msazure.visualstudio.com",
"projectName": "One", "projectName": "One",
"areaPath": "One\\MGMT\\Compute\\Powershell\\Powershell\\PowerShell Core\\pwsh", "areaPath": "One\\MGMT\\Compute\\Powershell\\Powershell\\PowerShell Core\\pwsh",


@ -1,4 +1,4 @@
name: UnifiedPackageBuild-$(Build.BuildId) name: UnifiedPackageBuild-$(BUILD.SOURCEBRANCHNAME)-$(Build.BuildId)
trigger: none trigger: none
parameters: parameters:
@ -11,19 +11,23 @@ parameters:
type: string type: string
default: 'fromBranch' default: 'fromBranch'
- name: SKIP_SIGNING - name: SKIP_SIGNING
displayName: Skip Signing displayName: Debugging - Skip Signing
type: string type: string
default: 'NO' default: 'NO'
- name: RUN_TEST_AND_RELEASE - name: RUN_TEST_AND_RELEASE
displayName: Run Test and Release Artifacts Stage displayName: Debugging - Run Test and Release Artifacts Stage
type: boolean type: boolean
default: true default: true
- name: RUN_WINDOWS - name: RUN_WINDOWS
displayName: Enable Windows Stage displayName: Debugging - Enable Windows Stage
type: boolean type: boolean
default: true default: true
- name: ENABLE_MSBUILD_BINLOGS - name: ENABLE_MSBUILD_BINLOGS
displayName: Enable MSBuild Binary Logs displayName: Debugging - Enable MSBuild Binary Logs
type: boolean
default: false
- name: FORCE_CODEQL
displayName: Debugging - Enable CodeQL and set cadence to 1 hour
type: boolean type: boolean
default: false default: false
@ -74,6 +78,16 @@ variables:
- group: mscodehub-feed-read-akv - group: mscodehub-feed-read-akv
- name: ENABLE_MSBUILD_BINLOGS - name: ENABLE_MSBUILD_BINLOGS
value: ${{ parameters.ENABLE_MSBUILD_BINLOGS }} value: ${{ parameters.ENABLE_MSBUILD_BINLOGS }}
- ${{ if eq(parameters['FORCE_CODEQL'],'true') }}:
# Cadence is hours before CodeQL will allow a re-upload of the database
- name: CodeQL.Cadence
value: 1
- name: CODEQL_ENABLED
${{ if or(eq(variables['Build.SourceBranch'], 'refs/heads/master'), eq(parameters['FORCE_CODEQL'],'true')) }}:
value: true
${{ else }}:
value: false
extends: extends:
template: v2/OneBranch.Official.CrossPlat.yml@onebranchTemplates template: v2/OneBranch.Official.CrossPlat.yml@onebranchTemplates
@ -91,11 +105,10 @@ extends:
enabled: false enabled: false
sbom: sbom:
enabled: true enabled: true
compiled: codeql:
${{ if eq(variables['Build.SourceBranch'], 'refs/heads/master') }}: compiled:
enabled: true enabled: $(CODEQL_ENABLED)
${{ else }}: tsaEnabled: true # This enables TSA bug filing only for CodeQL 3000
enabled: false
credscan: credscan:
enabled: true enabled: true
scanFolder: $(Build.SourcesDirectory) scanFolder: $(Build.SourcesDirectory)
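Review bot: `tsaEnabled: true` in the `codeql.compiled` hunk at the bottom of this section is unconditional, while `CODEQL_ENABLED` (together with the 1-hour `CodeQL.Cadence`) can now be switched on from any branch through the `FORCE_CODEQL` parameter, so a debugging run on a non-master branch uploads its database and, if OneBranch honors this flag for every upload, files TSA work items against the configured area path. Gate filing the same way the variable is gated, `tsaEnabled: ${{ eq(variables['Build.SourceBranch'], 'refs/heads/master') }}`, and say so in the trailing comment, e.g. `# TSA bug filing only from master; FORCE_CODEQL runs scan without filing`. `enabled: $(CODEQL_ENABLED)` hands a runtime macro to a template parameter that is evaluated at compile time; if OneBranch declares it as a boolean the literal string may be rejected or treated as truthy, whereas `${{ variables.CODEQL_ENABLED }}` should resolve to the same compile-time value the `${{ if }}` block at the variable definition already computed. The `extends` mapping continues past the end of the hunk.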


@ -33,9 +33,9 @@ jobs:
value: ${{ parameters.Runtime }} value: ${{ parameters.Runtime }}
- name: ob_sdl_sbom_packageName - name: ob_sdl_sbom_packageName
value: 'Microsoft.Powershell.Linux.${{ parameters.Runtime }}' value: 'Microsoft.Powershell.Linux.${{ parameters.Runtime }}'
- ${{ if eq(variables['Build.SourceBranch'], 'refs/heads/master') }}: # We add this manually, so we need it disabled the OneBranch auto-injected one.
- name: ob_sdl_codeql_compiled_enabled - name: ob_sdl_codeql_compiled_enabled
value: true value: false
steps: steps:
- checkout: self - checkout: self
@ -54,12 +54,14 @@ jobs:
repoRoot: $(PowerShellRoot) repoRoot: $(PowerShellRoot)
- task: CodeQL3000Init@0 # Add CodeQL Init task right before your 'Build' step. - task: CodeQL3000Init@0 # Add CodeQL Init task right before your 'Build' step.
condition: eq(variables['Build.SourceBranch'], 'refs/heads/master') condition: eq(variables['CODEQL_ENABLED'], 'true')
env: env:
ob_restore_phase: true # Set ob_restore_phase to run this step before '🔒 Setup Signing' step. ob_restore_phase: true # Set ob_restore_phase to run this step before '🔒 Setup Signing' step.
inputs: inputs:
Enabled: true Enabled: true
AnalyzeInPipeline: true # AnalyzeInPipeline: false = upload results
# AnalyzeInPipeline: true = do not upload results
AnalyzeInPipeline: false
Language: csharp Language: csharp
- pwsh: | - pwsh: |
@ -110,7 +112,7 @@ jobs:
ob_restore_phase: true # Set ob_restore_phase to run this step before '🔒 Setup Signing' step. ob_restore_phase: true # Set ob_restore_phase to run this step before '🔒 Setup Signing' step.
- task: CodeQL3000Finalize@0 # Add CodeQL Finalize task right after your 'Build' step. - task: CodeQL3000Finalize@0 # Add CodeQL Finalize task right after your 'Build' step.
condition: eq(variables['Build.SourceBranch'], 'refs/heads/master') condition: eq(variables['CODEQL_ENABLED'], 'true')
env: env:
ob_restore_phase: true # Set ob_restore_phase to run this step before '🔒 Setup Signing' step. ob_restore_phase: true # Set ob_restore_phase to run this step before '🔒 Setup Signing' step.
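Review bot: The new `condition: eq(variables['CODEQL_ENABLED'], 'true')` on the CodeQL3000Init and CodeQL3000Finalize tasks depends on a variable this job template does not declare; when the template is consumed by a pipeline that lacks `CODEQL_ENABLED`, the condition is simply false and CodeQL is skipped with no error, a silent loss of the scan rather than a failure. Prefer a template parameter with an explicit default (`- name: CODEQL_ENABLED` / `type: boolean` / `default: false`) supplied by the coordinating pipeline, or at minimum a comment at the Init task, `# CODEQL_ENABLED is set by .pipelines/PowerShell-Coordinated_Packages-Official.yml; unset means the scan is skipped, not failed`. The comment added above `ob_sdl_codeql_compiled_enabled` reads awkwardly; `# We add CodeQL manually, so the OneBranch auto-injected instance must be disabled.` is clearer. The same points apply to the identical hunks in the Windows job file that follows. Both job mappings start and end outside the hunks.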


@ -34,9 +34,9 @@ jobs:
value: ${{ parameters.BuildConfiguration }} value: ${{ parameters.BuildConfiguration }}
- name: ob_sdl_sbom_packageName - name: ob_sdl_sbom_packageName
value: 'Microsoft.Powershell.Windows.${{ parameters.Architecture }}' value: 'Microsoft.Powershell.Windows.${{ parameters.Architecture }}'
- ${{ if eq(variables['Build.SourceBranch'], 'refs/heads/master') }}: # We add this manually, so we need it disabled the OneBranch auto-injected one.
- name: ob_sdl_codeql_compiled_enabled - name: ob_sdl_codeql_compiled_enabled
value: true value: false
steps: steps:
- checkout: self - checkout: self
@ -55,12 +55,14 @@ jobs:
repoRoot: $(PowerShellRoot) repoRoot: $(PowerShellRoot)
- task: CodeQL3000Init@0 # Add CodeQL Init task right before your 'Build' step. - task: CodeQL3000Init@0 # Add CodeQL Init task right before your 'Build' step.
condition: eq(variables['Build.SourceBranch'], 'refs/heads/master') condition: eq(variables['CODEQL_ENABLED'], 'true')
env: env:
ob_restore_phase: true # Set ob_restore_phase to run this step before '🔒 Setup Signing' step. ob_restore_phase: true # Set ob_restore_phase to run this step before '🔒 Setup Signing' step.
inputs: inputs:
Enabled: true Enabled: true
AnalyzeInPipeline: true # AnalyzeInPipeline: false = upload results
# AnalyzeInPipeline: true = do not upload results
AnalyzeInPipeline: false
Language: csharp Language: csharp
- pwsh: | - pwsh: |
@ -184,7 +186,7 @@ jobs:
ob_restore_phase: true # Set ob_restore_phase to run this step before '🔒 Setup Signing' step. ob_restore_phase: true # Set ob_restore_phase to run this step before '🔒 Setup Signing' step.
- task: CodeQL3000Finalize@0 # Add CodeQL Finalize task right after your 'Build' step. - task: CodeQL3000Finalize@0 # Add CodeQL Finalize task right after your 'Build' step.
condition: eq(variables['Build.SourceBranch'], 'refs/heads/master') condition: eq(variables['CODEQL_ENABLED'], 'true')
env: env:
ob_restore_phase: true # Set ob_restore_phase to run this step before '🔒 Setup Signing' step. ob_restore_phase: true # Set ob_restore_phase to run this step before '🔒 Setup Signing' step.