PowerShell · daxian-dbw · Aug 28, 2024 · Aug 28, 2024 · Aug 28, 2024 · Aug 28, 2024
diff --git a/.config/tsaoptions.json b/.config/tsaoptions.json
@@ -0,0 +1,9 @@
+{
+    "instanceUrl": "https://msazure.visualstudio.com",
+    "projectName": "One",
+    "areaPath": "One\\MGMT\\Compute\\Powershell\\Powershell\\PowerShell Core",
+    "notificationAliases": [
+        "[email protected]",
+        "[email protected]"
+    ]
+}
diff --git a/.github/workflows/dotnet.yml b/.github/workflows/dotnet.yml
@@ -11,43 +11,52 @@ on:
 
 jobs:
   build-linux:
-
     runs-on: ubuntu-latest
+    env:
+      DOTNET_SKIP_FIRST_TIME_EXPERIENCE: 1
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - name: Setup .NET
       uses: actions/setup-dotnet@v3
       with:
-        dotnet-version: 8.0.x
+        dotnet-version: 8.0.400
     - name: Build
       shell: pwsh
-      run: ./build.ps1 -Verbose
+      run: |
+        Import-Module ./build.psm1 -Force
+        Start-Build -Verbose
 
   build-windows:
-
     runs-on: windows-latest
+    env:
+      DOTNET_SKIP_FIRST_TIME_EXPERIENCE: 1
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - name: Setup .NET
       uses: actions/setup-dotnet@v3
       with:
-        dotnet-version: 8.0.x
+        dotnet-version: 8.0.400
     - name: Build
       shell: pwsh
-      run: ./build.ps1 -Verbose
+      run: |
+        Import-Module ./build.psm1 -Force
+        Start-Build -Verbose
 
   build-macos:
-
     runs-on: macos-latest
+    env:
+      DOTNET_SKIP_FIRST_TIME_EXPERIENCE: 1
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - name: Setup .NET
       uses: actions/setup-dotnet@v3
       with:
-        dotnet-version: 8.0.x
+        dotnet-version: 8.0.400
     - name: Build
       shell: pwsh
-      run: ./build.ps1 -Verbose
+      run: |
+        Import-Module ./build.psm1 -Force
+        Start-Build -Verbose
diff --git a/.pipelines/Build-Official.yml b/.pipelines/Build-Official.yml
@@ -0,0 +1,114 @@
+name: AIShell-Build-$(Build.BuildId)
+trigger: none
+
+parameters:
+  - name: SKIP_SIGNING
+    displayName: Skip Signing
+    type: string
+    default: 'NO'
+
+resources:
+  repositories:
+  - repository: ComplianceRepo
+    type: github
+    endpoint: ComplianceGHRepo
+    name: PowerShell/compliance
+    ref: master
+  - repository: onebranchTemplates
+    type: git
+    name: OneBranch.Pipelines/GovernedTemplates
+    ref: refs/heads/main
+
+variables:
+  - name: DOTNET_CLI_TELEMETRY_OPTOUT
+    value: 1
+  - name: POWERSHELL_TELEMETRY_OPTOUT
+    value: 1
+  - name: nugetMultiFeedWarnLevel
+    value: none
+  - name: NugetSecurityAnalysisWarningLevel
+    value: none
+  - name: skipNugetSecurityAnalysis
+    value: true
+  - name: branchCounterKey
+    value: $[format('{0:yyyyMMdd}-{1}', pipeline.startTime,variables['Build.SourceBranch'])]
+  - name: branchCounter
+    value: $[counter(variables['branchCounterKey'], 1)]
+  - name: BUILDSECMON_OPT_IN
+    value: true
+  - name: LinuxContainerImage
+    value: onebranch.azurecr.io/linux/ubuntu-2004:latest
+  - name: WindowsContainerImage
+    value: onebranch.azurecr.io/windows/ltsc2019/vse2022:latest
+  - name: CDP_DEFINITION_BUILD_COUNT
+    value: $[counter('', 0)]
+  - name: SKIP_SIGNING
+    value: ${{ parameters.SKIP_SIGNING }}
+  - group: mscodehub-feed-read-general
+  - group: mscodehub-feed-read-akv
+
+extends:
+  template: v2/OneBranch.Official.CrossPlat.yml@onebranchTemplates
+  parameters:
+    customTags: 'ES365AIMigrationTooling'
+    featureFlags:
+      LinuxHostVersion:
+          Network: KS3
+      WindowsHostVersion:
+          Network: KS3
+    globalSdl:
+      disableLegacyManifest: true
+      # disabled Armorty as we dont have any ARM templates to scan. It fails on some sample ARM templates.
+      armory:
+        enabled: false
+      sbom:
+        enabled: true
+        buildComponentPath: $(Build.SourcesDirectory)\ProjectMercury\shell
+      codeql:
+        compiled:
+          enabled: true
+      cg:
+        enabled: true
+        ignoreDirectories: 'docs,test,tools'
+      asyncSdl:
+        enabled: true
+        forStages: [prep, macos, linux, windows]
+        credscan:
+          enabled: true
+          scanFolder: $(Build.SourcesDirectory)\ProjectMercury\shell
+        binskim:
+          enabled: false
+        apiscan:
+          enabled: false
+        tsaOptionsFile: $(Build.SourcesDirectory)\ProjectMercury\.config\tsaoptions.json
+
+    stages:
+    - stage: macos
+      displayName: macOS - build and sign
+      jobs:
+      - template: /.pipelines/templates/mac.yml@self
+        parameters:
+          Architecture: x64
+      - template: /.pipelines/templates/mac.yml@self
+        parameters:
+          Architecture: arm64
+
+    - stage: linux
+      displayName: linux - build and sign
+      jobs:
+      - template: /.pipelines/templates/linux.yml@self
+        parameters:
+          Architecture: x64
+      - template: /.pipelines/templates/linux.yml@self
+        parameters:
+          Architecture: arm64
+
+    - stage: windows
+      displayName: windows - build and sign
+      jobs:
+      - template: /.pipelines/templates/windows-hosted-build.yml@self
+        parameters:
+          Architecture: x64
+      - template: /.pipelines/templates/windows-hosted-build.yml@self
+        parameters:
+          Architecture: arm64
diff --git a/.pipelines/Package-Official.yml b/.pipelines/Package-Official.yml
diff --git a/.pipelines/Release-Official.yml b/.pipelines/Release-Official.yml
diff --git a/.pipelines/templates/finalize.yml b/.pipelines/templates/finalize.yml
@@ -0,0 +1,6 @@
+# This was used before migrating to OneBranch to deal with one of the SDL taks from failing with a warning instead of an error.
+steps:
+- pwsh: |
+    throw "Jobs with an Issue will not work for release. Please fix the issue and try again."
+  displayName: Check for SucceededWithIssues
+  condition: eq(variables['Agent.JobStatus'],'SucceededWithIssues')
diff --git a/.pipelines/templates/linux.yml b/.pipelines/templates/linux.yml
@@ -0,0 +1,148 @@
+parameters:
+  Architecture: 'x64'
+
+jobs:
+- job: build_${{ parameters.Architecture }}
+  displayName: Build Linux ${{ parameters.Architecture }}
+  condition: succeeded()
+  pool:
+    type: linux
+  variables:
+  - name: runCodesignValidationInjection
+    value: false
+  - name: NugetSecurityAnalysisWarningLevel
+    value: none
+  - name: DOTNET_SKIP_FIRST_TIME_EXPERIENCE
+    value: 1
+  - group: DotNetPrivateBuildAccess
+  - name: ob_outputDirectory
+    value: '$(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT'
+  - name: repoRoot
+    value: $(Build.SourcesDirectory)\ProjectMercury
+  - name: ob_sdl_codeSignValidation_enabled
+    value: false
+  - name: ob_sdl_binskim_enabled
+    value: true
+  - name: ob_sdl_tsa_configFile
+    value: $(repoRoot)\.config\tsaoptions.json
+  - name: Architecture
+    value: ${{ parameters.Architecture }}
+  - name: Runtime
+    value: 'linux-$(Architecture)'
+  - name: ob_sdl_sbom_packageName
+    value: 'AIShell.Linux.${{ parameters.Architecture }}'
+  #CodeQL tasks added manually to workaround signing failures
+  - name: ob_sdl_codeql_compiled_enabled
+    value: false
+
+  steps:
+  - checkout: self
+    clean: true
+    env:
+      ob_restore_phase: true
+
+  - template: /.pipelines/templates/update-nuget-config.yml@self
+    parameters:
+      repoRoot: $(repoRoot)
+
+  # Add CodeQL Init task right before your 'Build' step.
+  - task: CodeQL3000Init@0
+    env:
+      ob_restore_phase: true
+    inputs:
+      Enabled: true
+      Language: csharp
+
+  - pwsh: |
+      Import-Module $(repoRoot)/build.psm1 -Force
+      Install-Dotnet
+
+      $runtime = '$(Runtime)'
+      Write-Verbose -Message "Building with Runtime: $runtime"
+      $result = Start-Build -Runtime $runtime -Configuration Release -Clean -PassThru -Verbose
+
+      if ($result) {
+        $vstsCommandString = "vso[task.setvariable variable=AppDir]$result.App"
+        Write-Host ("sending " + $vstsCommandString)
+        Write-Host "##$vstsCommandString"
+
+        $vstsCommandString = "vso[task.setvariable variable=ModuleDir]$result.Module"
+        Write-Host ("sending " + $vstsCommandString)
+        Write-Host "##$vstsCommandString"
+      }
+    displayName: 'Build Linux - $(Architecture)'
+    env:
+      ob_restore_phase: true
+
+  # Add CodeQL Finalize task right after your 'Build' step.
+  - task: CodeQL3000Finalize@0
+    env:
+      ob_restore_phase: true
+
+  - pwsh: |
+      $uploadAppPath = New-Item -ItemType Directory -Path '$(ob_outputDirectory)/unsigned-app' -Force
+      Write-Verbose -Verbose -Message "uploadAppPath: $uploadAppPath"
+      Copy-Item -Path '$(AppDir)/*' -Destination $uploadAppPath -Recurse -Force -Verbose
+
+      $uploadModulePath = New-Item -ItemType Directory -Path '$(ob_outputDirectory)/unsigned-module' -Force
+      Write-Verbose -Verbose -Message "uploadModulePath: $uploadModulePath"
+      Copy-Item -Path '$(ModuleDir)/*' -Destination $uploadModulePath -Recurse -Force -Verbose
+    displayName: 'Upload unsigned app and module files'
+
+  - template: /.pipelines/templates/finalize.yml@self
+
+- job: sign_${{ parameters.Architecture }}
+  displayName: Sign Linux ${{ parameters.Architecture }}
+  condition: succeeded()
+  dependsOn: build_${{ parameters.Architecture }}
+  pool:
+    type: windows
+  variables:
+  - name: runCodesignValidationInjection
+    value: false
+  - name: NugetSecurityAnalysisWarningLevel
+    value: none
+  - name: DOTNET_SKIP_FIRST_TIME_EXPERIENCE
+    value: 1
+  - group: DotNetPrivateBuildAccess
+  - group: certificate_logical_to_actual
+  - name: ob_outputDirectory
+    value: '$(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT'
+  - name: repoRoot
+    value: $(Build.SourcesDirectory)\ProjectMercury
+  - name: ob_sdl_codeSignValidation_enabled
+    value: false
+  - name: ob_sdl_binskim_enabled
+    value: false
+  - name: ob_sdl_tsa_configFile
+    value: $(repoRoot)\.config\tsaoptions.json
+  - name: Architecture
+    value: ${{ parameters.Architecture }}
+  - name: Runtime
+    value: 'linux-$(Architecture)'
+  - name: ob_sdl_codeql_compiled_enabled
+    value: false
+
+  steps:
+  - checkout: self
+    clean: true
+    env:
+      ob_restore_phase: true
+
+  - task: DownloadPipelineArtifact@2
+    inputs:
+      artifact: drop_linux_build_${{ parameters.Architecture }}
+      path: $(Pipeline.Workspace)/drop_linux_build
+    displayName: Download build
+
+  - pwsh: |
+      Get-ChildItem -Path $(Pipeline.Workspace)/drop_linux_build -Recurse
+    displayName: 'List downloaded files'
+
+  - template: /.pipelines/templates/sign-files.yml@self
+    parameters:
+      appPath: '$(Pipeline.Workspace)/drop_linux_build/unsigned-app'
+      modulePath: '$(Pipeline.Workspace)/drop_linux_build/unsigned-module'
+      repoRoot: '$(repoRoot)'
+
+  - template: /.pipelines/templates/finalize.yml@self