openkylin
/
kylin-code
9
0
Fork 2
Code Issues Pull Requests Projects Releases Wiki Activity
kylin-code/build/azure-pipelines/sdl-scan.yml

310 lines
12 KiB
YAML
Raw Permalink Blame History

trigger: none
pr: none
parameters:
- name: NPM_REGISTRY
displayName: "Custom NPM Registry"
type: string
default: "https://pkgs.dev.azure.com/monacotools/Monaco/_packaging/vscode/npm/registry/"
- name: SCAN_WINDOWS
displayName: "Scan Windows"
type: boolean
default: true
- name: SCAN_LINUX
displayName: "Scan Linux"
type: boolean
default: false
variables:
- name: NPM_REGISTRY
value: ${{ parameters.NPM_REGISTRY }}
- name: SCAN_WINDOWS
value: ${{ eq(parameters.SCAN_WINDOWS, true) }}
- name: SCAN_LINUX
value: ${{ eq(parameters.SCAN_LINUX, true) }}
- name: VSCODE_MIXIN_REPO
value: microsoft/vscode-distro
- name: skipComponentGovernanceDetection
value: true
- name: NPM_ARCH
value: x64
- name: VSCODE_ARCH
value: x64
- name: Codeql.enabled
value: true
- name: Codeql.TSAEnabled
value: true
- name: Codeql.TSAOptionsPath
value: '$(Build.SourcesDirectory)\build\azure-pipelines\config\tsaoptions.json'
stages:
- stage: Windows
condition: eq(variables.SCAN_WINDOWS, 'true')
pool: 1es-windows-2019-x64
jobs:
- job: WindowsJob
timeoutInMinutes: 0
steps:
- task: CredScan@3
continueOnError: true
inputs:
scanFolder: "$(Build.SourcesDirectory)"
outputFormat: "pre"
- task: NodeTool@0
inputs:
versionSource: fromFile
versionFilePath: .nvmrc
nodejsMirror: https://github.com/joaomoreno/node-mirror/releases/download
- template: ./distro/download-distro.yml
- task: AzureKeyVault@1
displayName: "Azure Key Vault: Get Secrets"
inputs:
azureSubscription: "vscode-builds-subscription"
KeyVaultName: vscode-build-secrets
SecretsFilter: "github-distro-mixin-password"
- powershell: |
. build/azure-pipelines/win32/exec.ps1
$ErrorActionPreference = "Stop"
exec { npm config set registry "$env:NPM_REGISTRY" --location=project }
# npm >v7 deprecated the `always-auth` config option, refs npm/cli@72a7eeb
# following is a workaround for yarn to send authorization header
# for GET requests to the registry.
exec { Add-Content -Path .npmrc -Value "always-auth=true" }
exec { yarn config set registry "$env:NPM_REGISTRY" }
condition: and(succeeded(), ne(variables.NODE_MODULES_RESTORED, 'true'), ne(variables['NPM_REGISTRY'], 'none'))
displayName: Setup NPM & Yarn
- task: npmAuthenticate@0
inputs:
workingFile: .npmrc
condition: and(succeeded(), ne(variables.NODE_MODULES_RESTORED, 'true'), ne(variables['NPM_REGISTRY'], 'none'))
displayName: Setup NPM Authentication
- powershell: |
. build/azure-pipelines/win32/exec.ps1
$ErrorActionPreference = "Stop"
exec { node build/setup-npm-registry.js $env:NPM_REGISTRY }
condition: and(succeeded(), ne(variables.NODE_MODULES_RESTORED, 'true'), ne(variables['NPM_REGISTRY'], 'none'))
displayName: Setup NPM Registry
- task: CodeQL3000Init@0
displayName: CodeQL Initialize
condition: eq(variables['Codeql.enabled'], 'True')
- powershell: |
mkdir -Force .build/node-gyp
displayName: Create custom node-gyp directory
condition: and(succeeded(), ne(variables.NODE_MODULES_RESTORED, 'true'))
- powershell: |
. ../../build/azure-pipelines/win32/exec.ps1
$ErrorActionPreference = "Stop"
# TODO: Should be replaced with upstream URL once https://github.com/nodejs/node-gyp/pull/2825
# gets merged.
exec { git clone https://github.com/rzhao271/node-gyp.git . } "Cloning rzhao271/node-gyp failed"
exec { git checkout 102b347da0c92c29f9c67df22e864e70249cf086 } "Checking out 102b347 failed"
exec { npm install } "Building rzhao271/node-gyp failed"
exec { python3 -m pip install setuptools } "Installing setuptools failed"
displayName: Install custom node-gyp
workingDirectory: .build/node-gyp
condition: and(succeeded(), ne(variables.NODE_MODULES_RESTORED, 'true'))
- powershell: |
. build/azure-pipelines/win32/exec.ps1
. build/azure-pipelines/win32/retry.ps1
$ErrorActionPreference = "Stop"
$env:npm_config_node_gyp = "$(Join-Path $pwd.Path '.build/node-gyp/bin/node-gyp.js')"
$env:npm_config_arch = "$(NPM_ARCH)"
retry { exec { yarn --frozen-lockfile --check-files } }
env:
PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1
GITHUB_TOKEN: "$(github-distro-mixin-password)"
CHILD_CONCURRENCY: 1
displayName: Install dependencies
- script: node build/azure-pipelines/distro/mixin-npm
displayName: Mixin distro node modules
- script: node build/azure-pipelines/distro/mixin-quality
displayName: Mixin distro quality
env:
VSCODE_QUALITY: stable
- powershell: yarn compile
displayName: Compile
- task: CodeQL3000Finalize@0
displayName: CodeQL Finalize
condition: eq(variables['Codeql.enabled'], 'True')
- powershell: yarn gulp "vscode-symbols-win32-$(VSCODE_ARCH)"
env:
GITHUB_TOKEN: "$(github-distro-mixin-password)"
displayName: Download Symbols
- task: PSScriptAnalyzer@1
inputs:
Path: '$(Build.SourcesDirectory)'
Settings: required
Recurse: true
- task: BinSkim@4
inputs:
InputType: "Basic"
Function: "analyze"
TargetPattern: "guardianGlob"
AnalyzeIgnorePdbLoadError: true
AnalyzeTargetGlob: '$(agent.builddirectory)\scanbin\**.dll;$(agent.builddirectory)\scanbin\**.exe;$(agent.builddirectory)\scanbin\**.node'
AnalyzeLocalSymbolDirectories: '$(agent.builddirectory)\scanbin\VSCode-win32-$(VSCODE_ARCH)\pdb'
- task: AntiMalware@4
inputs:
InputType: Basic
ScanType: CustomScan
FileDirPath: '$(Build.SourcesDirectory)'
EnableServices: true
SupportLogOnError: false
TreatSignatureUpdateFailureAs: 'Warning'
SignatureFreshness: 'OneDay'
TreatStaleSignatureAs: 'Error'
- task: PublishSecurityAnalysisLogs@3
inputs:
ArtifactName: CodeAnalysisLogs
ArtifactType: Container
PublishProcessedResults: false
AllTools: true
- task: TSAUpload@2
inputs:
GdnPublishTsaOnboard: true
GdnPublishTsaConfigFile: '$(Build.SourcesDirectory)\build\azure-pipelines\config\tsaoptions.json'
- stage: Linux
dependsOn: []
condition: eq(variables.SCAN_LINUX, 'true')
pool:
vmImage: "Ubuntu-18.04"
jobs:
- job: LinuxJob
steps:
- task: CredScan@2
inputs:
toolMajorVersion: "V2"
- task: NodeTool@0
inputs:
versionSource: fromFile
versionFilePath: .nvmrc
nodejsMirror: https://github.com/joaomoreno/node-mirror/releases/download
- template: ./distro/download-distro.yml
- task: AzureKeyVault@1
displayName: "Azure Key Vault: Get Secrets"
inputs:
azureSubscription: "vscode-builds-subscription"
KeyVaultName: vscode-build-secrets
SecretsFilter: "github-distro-mixin-password"
- script: |
set -e
npm config set registry "$NPM_REGISTRY" --location=project
# npm >v7 deprecated the `always-auth` config option, refs npm/cli@72a7eeb
# following is a workaround for yarn to send authorization header
# for GET requests to the registry.
echo "always-auth=true" >> .npmrc
yarn config set registry "$NPM_REGISTRY"
condition: and(succeeded(), ne(variables.NODE_MODULES_RESTORED, 'true'), ne(variables['NPM_REGISTRY'], 'none'))
displayName: Setup NPM & Yarn
- task: npmAuthenticate@0
inputs:
workingFile: .npmrc
condition: and(succeeded(), ne(variables.NODE_MODULES_RESTORED, 'true'), ne(variables['NPM_REGISTRY'], 'none'))
displayName: Setup NPM Authentication
- script: node build/setup-npm-registry.js $NPM_REGISTRY
condition: and(succeeded(), ne(variables.NODE_MODULES_RESTORED, 'true'), ne(variables['NPM_REGISTRY'], 'none'))
displayName: Setup NPM Registry
- script: |
set -e
for i in {1..5}; do # try 5 times
yarn --cwd build --frozen-lockfile --check-files && break
if [ $i -eq 3 ]; then
echo "Yarn failed too many times" >&2
exit 1
fi
echo "Yarn failed $i, trying again..."
done
displayName: Install build dependencies
- script: |
set -e
export npm_config_arch=$(NPM_ARCH)
if [ -z "$CC" ] || [ -z "$CXX" ]; then
# Download clang based on chromium revision used by vscode
curl -s https://raw.githubusercontent.com/chromium/chromium/96.0.4664.110/tools/clang/scripts/update.py | python - --output-dir=$PWD/.build/CR_Clang --host-os=linux
# Download libcxx headers and objects from upstream electron releases
DEBUG=libcxx-fetcher \
VSCODE_LIBCXX_OBJECTS_DIR=$PWD/.build/libcxx-objects \
VSCODE_LIBCXX_HEADERS_DIR=$PWD/.build/libcxx_headers \
VSCODE_LIBCXXABI_HEADERS_DIR=$PWD/.build/libcxxabi_headers \
VSCODE_ARCH="$(NPM_ARCH)" \
node build/linux/libcxx-fetcher.js
# Set compiler toolchain
export CC=$PWD/.build/CR_Clang/bin/clang
export CXX=$PWD/.build/CR_Clang/bin/clang++
export CXXFLAGS="-std=c++17 -nostdinc++ -D__NO_INLINE__ -I$PWD/.build/libcxx_headers -isystem$PWD/.build/libcxx_headers/include -isystem$PWD/.build/libcxxabi_headers/include -fPIC -flto=thin -fsplit-lto-unit -D_LIBCPP_ABI_NAMESPACE=Cr"
export LDFLAGS="-stdlib=libc++ -fuse-ld=lld -flto=thin -fsplit-lto-unit -L$PWD/.build/libcxx-objects -lc++abi"
export VSCODE_REMOTE_CC=$(which gcc)
export VSCODE_REMOTE_CXX=$(which g++)
fi
for i in {1..5}; do # try 5 times
yarn --frozen-lockfile --check-files && break
if [ $i -eq 3 ]; then
echo "Yarn failed too many times" >&2
exit 1
fi
echo "Yarn failed $i, trying again..."
done
env:
PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1
GITHUB_TOKEN: "$(github-distro-mixin-password)"
displayName: Install dependencies
- script: yarn --frozen-lockfile --check-files
workingDirectory: .build/distro/npm
env:
npm_config_arch: $(NPM_ARCH)
displayName: Install distro node modules
- script: node build/azure-pipelines/distro/mixin-npm
displayName: Mixin distro node modules
- script: node build/azure-pipelines/distro/mixin-quality
displayName: Mixin distro quality
env:
VSCODE_QUALITY: stable
- script: yarn gulp vscode-symbols-linux-$(VSCODE_ARCH)
env:
GITHUB_TOKEN: "$(github-distro-mixin-password)"
displayName: Build
- task: BinSkim@3
inputs:
toolVersion: Latest
InputType: CommandLine
arguments: analyze $(agent.builddirectory)\scanbin\exe\*.* --recurse --local-symbol-directories $(agent.builddirectory)\scanbin\VSCode-linux-$(VSCODE_ARCH)\pdb
- task: TSAUpload@2
inputs:
GdnPublishTsaConfigFile: '$(Build.SourceDirectory)\build\azure-pipelines\config\tsaoptions.json'
Reference in New Issue View Git Blame Copy Permalink