Ensure the official build files CodeQL issues (#24278)
* Enable and Disable CodeQL in the right places during the official build * fix codeql condition * fix syntax error * Enable codeQL issue filing * use parameter instead of branch to force codeql * try to name the build better * Update .pipelines/PowerShell-Coordinated_Packages-Official.yml * add debugging to display name of debugging parameters * fix spacing * Update .pipelines/PowerShell-Coordinated_Packages-Official.yml
parent
50e99a2489
commit
a42e5dbd1d
@ -1,4 +1,5 @@
|
||||
{
|
||||
"codebaseName": "TFSMSAzure_PowerShell",
|
||||
"instanceUrl": "https://msazure.visualstudio.com",
|
||||
"projectName": "One",
|
||||
"areaPath": "One\\MGMT\\Compute\\Powershell\\Powershell\\PowerShell Core\\pwsh",
|
||||
|
@ -1,4 +1,4 @@
|
||||
name: UnifiedPackageBuild-$(Build.BuildId)
|
||||
name: UnifiedPackageBuild-$(BUILD.SOURCEBRANCHNAME)-$(Build.BuildId)
|
||||
trigger: none
|
||||
|
||||
parameters:
|
||||
@ -11,19 +11,23 @@ parameters:
|
||||
type: string
|
||||
default: 'fromBranch'
|
||||
- name: SKIP_SIGNING
|
||||
displayName: Skip Signing
|
||||
displayName: Debugging - Skip Signing
|
||||
type: string
|
||||
default: 'NO'
|
||||
- name: RUN_TEST_AND_RELEASE
|
||||
displayName: Run Test and Release Artifacts Stage
|
||||
displayName: Debugging - Run Test and Release Artifacts Stage
|
||||
type: boolean
|
||||
default: true
|
||||
- name: RUN_WINDOWS
|
||||
displayName: Enable Windows Stage
|
||||
displayName: Debugging - Enable Windows Stage
|
||||
type: boolean
|
||||
default: true
|
||||
- name: ENABLE_MSBUILD_BINLOGS
|
||||
displayName: Enable MSBuild Binary Logs
|
||||
displayName: Debugging - Enable MSBuild Binary Logs
|
||||
type: boolean
|
||||
default: false
|
||||
- name: FORCE_CODEQL
|
||||
displayName: Debugging - Enable CodeQL and set cadence to 1 hour
|
||||
type: boolean
|
||||
default: false
|
||||
|
||||
@ -74,6 +78,16 @@ variables:
|
||||
- group: mscodehub-feed-read-akv
|
||||
- name: ENABLE_MSBUILD_BINLOGS
|
||||
value: ${{ parameters.ENABLE_MSBUILD_BINLOGS }}
|
||||
- ${{ if eq(parameters['FORCE_CODEQL'],'true') }}:
|
||||
# Cadence is hours before CodeQL will allow a re-upload of the database
|
||||
- name: CodeQL.Cadence
|
||||
value: 1
|
||||
- name: CODEQL_ENABLED
|
||||
${{ if or(eq(variables['Build.SourceBranch'], 'refs/heads/master'), eq(parameters['FORCE_CODEQL'],'true')) }}:
|
||||
value: true
|
||||
${{ else }}:
|
||||
value: false
|
||||
|
||||
|
||||
extends:
|
||||
template: v2/OneBranch.Official.CrossPlat.yml@onebranchTemplates
|
||||
@ -91,11 +105,10 @@ extends:
|
||||
enabled: false
|
||||
sbom:
|
||||
enabled: true
|
||||
codeql:
|
||||
compiled:
|
||||
${{ if eq(variables['Build.SourceBranch'], 'refs/heads/master') }}:
|
||||
enabled: true
|
||||
${{ else }}:
|
||||
enabled: false
|
||||
enabled: $(CODEQL_ENABLED)
|
||||
tsaEnabled: true # This enables TSA bug filing only for CodeQL 3000
|
||||
credscan:
|
||||
enabled: true
|
||||
scanFolder: $(Build.SourcesDirectory)
|
||||
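Review bot: `enabled: $(CODEQL_ENABLED)` under `codeql: compiled:` hands the OneBranch template a runtime macro, which at template-expansion time is still the literal string `$(CODEQL_ENABLED)`; if the template reads that value inside a `${{ if }}` expression (not visible from this page), it would see neither true nor false and the master/forced switch would not behave as intended. Both inputs are known at compile time, so the value can be computed directly, e.g. `enabled: ${{ or(eq(variables['Build.SourceBranch'], 'refs/heads/master'), eq(parameters.FORCE_CODEQL, true)) }}`, while keeping the `CODEQL_ENABLED` variable for the step conditions. A comment next to `CODEQL_ENABLED` would also help, such as `# Official builds from branches other than master run without CodeQL unless FORCE_CODEQL is set`, so that an unscanned release-branch build is a visible decision. The `extends:` block continues outside the hunk.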
|
@ -33,9 +33,9 @@ jobs:
|
||||
value: ${{ parameters.Runtime }}
|
||||
- name: ob_sdl_sbom_packageName
|
||||
value: 'Microsoft.Powershell.Linux.${{ parameters.Runtime }}'
|
||||
- ${{ if eq(variables['Build.SourceBranch'], 'refs/heads/master') }}:
|
||||
# We add this manually, so we need it disabled the OneBranch auto-injected one.
|
||||
- name: ob_sdl_codeql_compiled_enabled
|
||||
value: true
|
||||
value: false
|
||||
|
||||
steps:
|
||||
- checkout: self
|
||||
@ -54,12 +54,14 @@ jobs:
|
||||
repoRoot: $(PowerShellRoot)
|
||||
|
||||
- task: CodeQL3000Init@0 # Add CodeQL Init task right before your 'Build' step.
|
||||
condition: eq(variables['Build.SourceBranch'], 'refs/heads/master')
|
||||
condition: eq(variables['CODEQL_ENABLED'], 'true')
|
||||
env:
|
||||
ob_restore_phase: true # Set ob_restore_phase to run this step before '🔒 Setup Signing' step.
|
||||
inputs:
|
||||
Enabled: true
|
||||
AnalyzeInPipeline: true
|
||||
# AnalyzeInPipeline: false = upload results
|
||||
# AnalyzeInPipeline: true = do not upload results
|
||||
AnalyzeInPipeline: false
|
||||
Language: csharp
|
||||
|
||||
- pwsh: |
|
||||
@ -110,7 +112,7 @@ jobs:
|
||||
ob_restore_phase: true # Set ob_restore_phase to run this step before '🔒 Setup Signing' step.
|
||||
|
||||
- task: CodeQL3000Finalize@0 # Add CodeQL Finalize task right after your 'Build' step.
|
||||
condition: eq(variables['Build.SourceBranch'], 'refs/heads/master')
|
||||
condition: eq(variables['CODEQL_ENABLED'], 'true')
|
||||
env:
|
||||
ob_restore_phase: true # Set ob_restore_phase to run this step before '🔒 Setup Signing' step.
|
||||
|
||||
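Review bot: The new `condition: eq(variables['CODEQL_ENABLED'], 'true')` on `CodeQL3000Init@0` and `CodeQL3000Finalize@0` replaces the implicit `succeeded()` check, so both tasks are still evaluated after an earlier step has failed, and Finalize may then process a database from an incomplete build now that `AnalyzeInPipeline: false` uploads results. I would write `condition: and(succeeded(), eq(variables['CODEQL_ENABLED'], 'true'))` on both tasks. `CODEQL_ENABLED` is not defined in this template, so a caller that does not set it gets the scan skipped without any message; a comment on the first use, such as `# CODEQL_ENABLED is set by the calling pipeline; unset means CodeQL is skipped`, would make that dependency visible. The same two conditions appear in the section that follows (the one with the `Microsoft.Powershell.Windows` SBOM package name), and the step lists of both sections continue outside the hunks.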
|
@ -34,9 +34,9 @@ jobs:
|
||||
value: ${{ parameters.BuildConfiguration }}
|
||||
- name: ob_sdl_sbom_packageName
|
||||
value: 'Microsoft.Powershell.Windows.${{ parameters.Architecture }}'
|
||||
- ${{ if eq(variables['Build.SourceBranch'], 'refs/heads/master') }}:
|
||||
# We add this manually, so we need it disabled the OneBranch auto-injected one.
|
||||
- name: ob_sdl_codeql_compiled_enabled
|
||||
value: true
|
||||
value: false
|
||||
|
||||
steps:
|
||||
- checkout: self
|
||||
@ -55,12 +55,14 @@ jobs:
|
||||
repoRoot: $(PowerShellRoot)
|
||||
|
||||
- task: CodeQL3000Init@0 # Add CodeQL Init task right before your 'Build' step.
|
||||
condition: eq(variables['Build.SourceBranch'], 'refs/heads/master')
|
||||
condition: eq(variables['CODEQL_ENABLED'], 'true')
|
||||
env:
|
||||
ob_restore_phase: true # Set ob_restore_phase to run this step before '🔒 Setup Signing' step.
|
||||
inputs:
|
||||
Enabled: true
|
||||
AnalyzeInPipeline: true
|
||||
# AnalyzeInPipeline: false = upload results
|
||||
# AnalyzeInPipeline: true = do not upload results
|
||||
AnalyzeInPipeline: false
|
||||
Language: csharp
|
||||
|
||||
- pwsh: |
|
||||
@ -184,7 +186,7 @@ jobs:
|
||||
ob_restore_phase: true # Set ob_restore_phase to run this step before '🔒 Setup Signing' step.
|
||||
|
||||
- task: CodeQL3000Finalize@0 # Add CodeQL Finalize task right after your 'Build' step.
|
||||
condition: eq(variables['Build.SourceBranch'], 'refs/heads/master')
|
||||
condition: eq(variables['CODEQL_ENABLED'], 'true')
|
||||
env:
|
||||
ob_restore_phase: true # Set ob_restore_phase to run this step before '🔒 Setup Signing' step.
|
||||
|
||||
|