Make SDL/Guardian scripts and templates flexible #7611
It looks like my dotnet-release validation build failed early on while downloading some packages. 🙁 (503 (Service Unavailable).) I'd appreciate any help you can provide in testing this, I'm not sure what to expect from this pipeline. /cc @markwilkie
It looks like the 503 errors I'm hitting in the dev branch build and Arcade CI are caused by an ongoing AzDO package feed outage. (Discussion in FR channel.) Will rerun later.
A new build I queued seems to have passed the part that uses the SDL scripts: Do you think there's any more validation that would be reasonable to do here, @adiaaida? |
I think this is a good amount of validation. I'll take a look at the PR |
Personally, I think some of the verbose script block calls make the logs a little confusing to read, but I rarely look at the sdl logs anyway, so maybe they are actually helpful when things fail.
Otherwise, this looks good to me.
Yep, they absolutely do, it's just what I ended up with when I tried implementing this as a little util function. The maintainability/trustability improvement over the widespread code duplication is worth it IMO. I noticed at least one of the duplicate
To double check:

Fixes #7592 (see this issue for list of overall changes)

I kicked off a `dotnet-release` validation branch here (per some instructions in a mail thread--just copied the changes over to a dev branch and requeued an existing build): https://dev.azure.com/dnceng/internal/_build/results?buildId=1233186&view=results

The way I made it more flexible is to make `execute-all-sdl-tools.ps1` take an array of `object`, not just `string`. It should be backwards compatible with `string`s, but a `hashtable` can configure more particulars. For example, I can pass these in the list of tools to get PoliCheck to scan two specific directories:

I split `run-sdl.ps1` into a more focused `run-sdl.ps1` and `configure-sdl-tool.ps1` for the new "configure everything, then run once" workflow.
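The description above explains that the tool list can now hold either plain strings (the old, backwards-compatible form) or hashtables that carry extra settings. The following is an added example, not code from this PR or from the Arcade repository, showing how a script can normalize such a mixed list once up front and reject malformed entries before the "configure everything, then run once" step. The hashtable keys `Name` and `Args`, the function names, the tool names and the `--target` switch with its directories are all assumptions made up for this illustration.

```powershell
# Added illustration, not the Arcade script itself. It shows one way a script
# can accept a list whose entries are either plain strings (the legacy form) or
# hashtables (the more configurable form). The keys 'Name' and 'Args' are
# assumptions for this example.

function ConvertTo-SdlToolEntry {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [object] $Tool
    )

    if ($Tool -is [string]) {
        # Legacy form: a bare tool name, no extra arguments.
        return [pscustomobject]@{ Name = $Tool; Args = @() }
    }

    if ($Tool -is [hashtable]) {
        # Configurable form: validate the shape before trusting it, so a typo in
        # the pipeline definition fails loudly here instead of silently running
        # a tool with no arguments (or not at all).
        if (-not $Tool.ContainsKey('Name') -or [string]::IsNullOrWhiteSpace($Tool['Name'])) {
            throw "SDL tool entry is missing a non-empty 'Name' key"
        }
        $unknown = @($Tool.Keys | Where-Object { $_ -notin @('Name', 'Args') })
        if ($unknown.Count -gt 0) {
            throw "SDL tool entry '$($Tool['Name'])' has unknown key(s): $($unknown -join ', ')"
        }
        $toolArgs = if ($Tool.ContainsKey('Args')) { @($Tool['Args']) } else { @() }
        return [pscustomobject]@{ Name = $Tool['Name']; Args = $toolArgs }
    }

    throw "Unsupported SDL tool entry type: $($Tool.GetType().FullName)"
}

function Get-SdlToolPlan {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [object[]] $ToolsList
    )
    # Normalize every entry once, up front, so the configure step only ever
    # sees a uniform shape regardless of which form the caller used.
    return @($ToolsList | ForEach-Object { ConvertTo-SdlToolEntry -Tool $_ })
}

# Constructed sample input mixing both forms. The tool names, the '--target'
# switch and the directories are placeholders, not a real PoliCheck command line.
$toolsList = @(
    'CredScan',
    @{ Name = 'PoliCheck'; Args = @('--target', 'src\ProjectA', '--target', 'src\ProjectB') }
)

foreach ($tool in Get-SdlToolPlan -ToolsList $toolsList) {
    Write-Host ("Configure {0} with args: {1}" -f $tool.Name, ($tool.Args -join ' '))
}
```

Normalizing and validating the list in one place is what makes the string and hashtable forms interchangeable for the rest of the pipeline: a rejected entry fails the configure step with a clear message rather than being skipped, which is the failure mode worth guarding against when the tools in question are the ones doing the security scanning.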