Skip to content

Commit

Permalink
build: add a OneBranch Official release pipeline (#16081)
Browse files Browse the repository at this point in the history
This pipeline does everything the existing release pipeline does, except
it does it using the OneBranch official templates.

Most of our existing build infrastructure has been reused, with the
following changes:

- We are no longer using `job-submit-windows-vpack`, as OneBranch does
this for us.
- `job-merge-msix-into-bundle` now supports afterBuildSteps, which we
use to stage the msixbundle into the right place for the vpack
- `job-build-project` supports deleting all non-signed files (which the
OneBranch post-build validation requires)
- `job-build-project` now deletes `console.dll`, which is unused in any
of our builds, because XFGCheck blows up on it for some reason on x86
- `job-publish-symbols` now supports two different types of PAT
ingestion
- I have pulled out the NuGet filename variables into a shared variables
template

I have also introduced a TSA config (which files bugs on us for binary
analysis failures as well as using the word 'sucks' and stuff.)

I have also baselined a number of control flow guard/binary analysis
failures.

(cherry picked from commit 6489f6b)
Service-Card-Id: 90706777
Service-Version: 1.19
  • Loading branch information
DHowett committed Oct 3, 2023
1 parent 4c795b5 commit b9cbf0f
Show file tree
Hide file tree
Showing 11 changed files with 1,577 additions and 24 deletions.
1,127 changes: 1,127 additions & 0 deletions build/config/release.gdnbaselines

Large diffs are not rendered by default.

6 changes: 6 additions & 0 deletions build/config/tsa.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
{
"instanceUrl": "https://microsoft.visualstudio.com",
"projectName": "OS",
"areaPath": "OS\\Windows Client and Services\\ADEPT\\E4D-Engineered for Developers\\SHINE\\Terminal",
"notificationAliases": ["condev@microsoft.com", "duhowett@microsoft.com"]
}
47 changes: 47 additions & 0 deletions build/pipelines/ob-nightly.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
trigger: none
pr: none
schedules:
- cron: "30 3 * * 2-6" # Run at 03:30 UTC Tuesday through Saturday (After the work day in Pacific, Mon-Fri)
displayName: "Nightly Terminal Build"
branches:
include:
- main
always: false # only run if there's code changes!

parameters:
- name: publishToAzure
displayName: "Deploy to **PUBLIC** Azure Storage"
type: boolean
default: true

name: $(BuildDefinitionName)_$(date:yyMM).$(date:dd)$(rev:rrr)

variables:
- template: templates-v2/variables-nuget-package-version.yml
- template: templates-v2/variables-onebranch-config.yml

extends:
template: templates-v2/pipeline-onebranch-full-release-build.yml
parameters:
official: true
branding: Canary
buildTerminal: true
pgoBuildMode: Optimize
codeSign: true
publishSymbolsToPublic: true
publishVpackToWindows: false
symbolExpiryTime: 15
${{ if eq(true, parameters.publishToAzure) }}:
extraPublishJobs:
- template: job-deploy-to-azure-storage.yml
parameters:
pool: { type: windows }
dependsOn: [PublishSymbols]
storagePublicRootURL: $(AppInstallerRootURL)
subscription: $(AzureSubscriptionName)
storageAccount: $(AzureStorageAccount)
storageContainer: $(AzureStorageContainer)
buildConfiguration: Release
buildPlatforms: [x64, x86, arm64]
environment: production-canary

81 changes: 81 additions & 0 deletions build/pipelines/ob-release.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,81 @@
trigger: none
pr: none

# Expose all of these parameters for user configuration.
parameters:
- name: branding
displayName: "Branding (Build Type)"
type: string
default: Release
values:
- Release
- Preview
- Canary
- Dev
- name: buildTerminal
displayName: "Build Windows Terminal MSIX"
type: boolean
default: true
- name: buildConPTY
displayName: "Build ConPTY NuGet"
type: boolean
default: false
- name: buildWPF
displayName: "Build Terminal WPF Control"
type: boolean
default: false
- name: pgoBuildMode
displayName: "PGO Build Mode"
type: string
default: Optimize
values:
- Optimize
- Instrument
- None
- name: buildConfigurations
displayName: "Build Configurations"
type: object
default:
- Release
- name: buildPlatforms
displayName: "Build Platforms"
type: object
default:
- x64
- x86
- arm64
- name: terminalInternalPackageVersion
displayName: "Terminal Internal Package Version"
type: string
default: '0.0.8'

- name: publishSymbolsToPublic
displayName: "Publish Symbols to MSDL"
type: boolean
default: true
- name: publishVpackToWindows
displayName: "Publish VPack to Windows"
type: boolean
default: false

name: $(BuildDefinitionName)_$(date:yyMM).$(date:dd)$(rev:rrr)

variables:
- template: templates-v2/variables-nuget-package-version.yml
- template: templates-v2/variables-onebranch-config.yml

extends:
template: templates-v2/pipeline-onebranch-full-release-build.yml
parameters:
official: true
branding: ${{ parameters.branding }}
buildTerminal: ${{ parameters.buildTerminal }}
buildConPTY: ${{ parameters.buildConPTY }}
buildWPF: ${{ parameters.buildWPF }}
pgoBuildMode: ${{ parameters.pgoBuildMode }}
buildConfigurations: ${{ parameters.buildConfigurations }}
buildPlatforms: ${{ parameters.buildPlatforms }}
codeSign: true
terminalInternalPackageVersion: ${{ parameters.terminalInternalPackageVersion }}
publishSymbolsToPublic: ${{ parameters.publishSymbolsToPublic }}
publishVpackToWindows: ${{ parameters.publishVpackToWindows }}
14 changes: 14 additions & 0 deletions build/pipelines/templates-v2/job-build-project.yml
Original file line number Diff line number Diff line change
Expand Up @@ -62,6 +62,9 @@ parameters:
- name: publishArtifacts
type: boolean
default: true
- name: removeAllNonSignedFiles
type: boolean
default: false

jobs:
- job: ${{ parameters.jobName }}
Expand Down Expand Up @@ -168,6 +171,7 @@ jobs:
# - Directories ending in Lib (static lib projects that we fully linked into DLLs which may also contain unnecessary resources)
# - All LocalTests_ project outputs, as they were subsumed into TestHostApp
# - All PDB files inside the WindowsTerminal/ output, which do not belong there.
# - console.dll, which apparently breaks XFGCheck? lol.
- pwsh: |-
$binDir = '$(Terminal.BinDir)'
$ImportLibs = Get-ChildItem $binDir -Recurse -File -Filter '*.exp' | ForEach-Object { $_.FullName -Replace "exp$","lib" }
Expand All @@ -184,6 +188,8 @@ jobs:
$Items += Get-ChildItem '$(Terminal.BinDir)' -Filter '*.pdb' -Recurse
}
$Items += Get-ChildItem $binDir -Filter 'console.dll'
$Items | Remove-Item -Recurse -Force -Verbose -ErrorAction:Ignore
displayName: Clean up static libs and extra symbols
errorActionPreference: silentlyContinue # It's OK if this silently fails
Expand Down Expand Up @@ -241,6 +247,14 @@ jobs:
Write-Host "##vso[task.setvariable variable=WindowsTerminalPackagePath]${PackageFilename}"
displayName: Re-pack the new Terminal package after signing
# Some of our governed pipelines explicitly fail builds that have *any* non-codesigned filed (!)
- ${{ if eq(parameters.removeAllNonSignedFiles, true) }}:
- pwsh: |-
Get-ChildItem "$(Terminal.BinDir)" -Recurse -Include "*.dll","*.exe" |
Where-Object { (Get-AuthenticodeSignature $_).Status -Ne "Valid" } |
Remove-Item -Verbose -Force
displayName: Remove all non-signed output files
- ${{ else }}: # No Signing
- ${{ if or(parameters.buildTerminal, parameters.buildEverything) }}:
- pwsh: |-
Expand Down
9 changes: 8 additions & 1 deletion build/pipelines/templates-v2/job-merge-msix-into-bundle.yml
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,9 @@ parameters:
- name: publishArtifacts
type: boolean
default: true
- name: afterBuildSteps
type: stepList
default: []

jobs:
- job: ${{ parameters.jobName }}
Expand Down Expand Up @@ -85,7 +88,9 @@ jobs:
$Components[0] = ([int]$Components[0] + $VersionEpoch)
$BundleVersion = $Components -Join "."
New-Item -Type Directory "$(System.ArtifactsDirectory)/bundle"
.\build\scripts\Create-AppxBundle.ps1 -InputPath 'bin/' -ProjectName CascadiaPackage -BundleVersion $BundleVersion -OutputPath "$(System.ArtifactsDirectory)\bundle\$(BundleStemName)_$(XES_APPXMANIFESTVERSION)_8wekyb3d8bbwe.msixbundle"
$BundlePath = "$(System.ArtifactsDirectory)\bundle\$(BundleStemName)_$(XES_APPXMANIFESTVERSION)_8wekyb3d8bbwe.msixbundle"
.\build\scripts\Create-AppxBundle.ps1 -InputPath 'bin/' -ProjectName CascadiaPackage -BundleVersion $BundleVersion -OutputPath $BundlePath
Write-Host "##vso[task.setvariable variable=MsixBundlePath]${BundlePath}"
displayName: Create msixbundle
- ${{ if eq(parameters.codeSign, true) }}:
Expand Down Expand Up @@ -139,6 +144,8 @@ jobs:
ValidateSignature: true
Verbosity: 'Verbose'

- ${{ parameters.afterBuildSteps }}

- ${{ if eq(parameters.publishArtifacts, true) }}:
- publish: $(JobOutputDirectory)
artifact: $(JobOutputArtifactName)
Expand Down
13 changes: 12 additions & 1 deletion build/pipelines/templates-v2/job-publish-symbols.yml
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,12 @@ parameters:
- name: symbolExpiryTime
type: string
default: 36530 # This is the default from PublishSymbols@2
- name: variables
type: object
default: {}
- name: symbolPatGoesInTaskInputs
type: boolean
default: false

jobs:
- job: ${{ parameters.jobName }}
Expand All @@ -27,6 +33,8 @@ jobs:
${{ else }}:
displayName: Publish Symbols Internally
dependsOn: ${{ parameters.dependsOn }}
variables:
${{ insert }}: ${{ parameters.variables }}
steps:
- checkout: self
clean: true
Expand Down Expand Up @@ -76,11 +84,14 @@ jobs:
SymbolsProduct: 'Windows Terminal Converged Symbols'
SymbolsVersion: '$(XES_APPXMANIFESTVERSION)'
SymbolExpirationInDays: ${{ parameters.symbolExpiryTime }}
${{ if eq(parameters.symbolPatGoesInTaskInputs, true) }}:
Pat: $(ADO_microsoftpublicsymbols_PAT)
# The ADO task does not support indexing of GitHub sources.
# There is a bug which causes this task to fail if LIB includes an inaccessible path (even though it does not depend on it).
# To work around this issue, we just force LIB to be any dir that we know exists.
# Copied from https://github.com/microsoft/icu/blob/f869c214adc87415dfe751d81f42f1bca55dcf5f/build/azure-nuget.yml#L564-L583
env:
LIB: $(Build.SourcesDirectory)
ArtifactServices_Symbol_AccountName: microsoftpublicsymbols
ArtifactServices_Symbol_PAT: $(ADO_microsoftpublicsymbols_PAT)
${{ if ne(parameters.symbolPatGoesInTaskInputs, true) }}:
ArtifactServices_Symbol_PAT: $(ADO_microsoftpublicsymbols_PAT)
23 changes: 1 addition & 22 deletions build/pipelines/templates-v2/pipeline-full-release-build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -61,28 +61,7 @@ parameters:
demands: ImageOverride -equals SHINE-VS17-Latest

variables:
# If we are building a branch called "release-*", change the NuGet suffix
# to "preview". If we don't do that, XES will set the suffix to "release1"
# because it truncates the value after the first period.
# We also want to disable the suffix entirely if we're Release branded while
# on a release branch.
# main is special, however. XES ignores main. Since we never produce actual
# shipping builds from main, we want to force it to have a beta label as
# well.
#
# In effect:
# BRANCH / BRANDING | Release | Preview
# ------------------|----------------------------|-----------------------------
# release-* | 1.12.20220427 | 1.13.20220427-preview
# main | 1.14.20220427-experimental | 1.14.20220427-experimental
# all others | 1.14.20220427-mybranch | 1.14.20220427-mybranch
${{ if startsWith(variables['Build.SourceBranchName'], 'release-') }}:
${{ if eq(parameters.branding, 'Release') }}:
NoNuGetPackBetaVersion: true
${{ else }}:
NuGetPackBetaVersion: preview
${{ elseif eq(variables['Build.SourceBranchName'], 'main') }}:
NuGetPackBetaVersion: experimental
- template: variables-nuget-package-version.yml

resources:
repositories:
Expand Down
Loading

0 comments on commit b9cbf0f

Please sign in to comment.