first run

microsoft · Oct 30, 2024 · 1940db7 · 1940db7
1 parent aa2c82f
commit 1940db7
Show file tree

Hide file tree

Showing 3 changed files with 259 additions and 0 deletions.
diff --git a/tools/ci_build/github/azure-pipeline/templates/win-esrp-dll.yml b/tools/ci_build/github/azure-pipeline/templates/win-esrp-dll.yml
@@ -0,0 +1,121 @@
+parameters:
+- name: DoEsrp
+  type: boolean
+  default: true
+
+- name: FolderPath
+  type: string
+  default: ''
+
+- name: DisplayName
+  type: string
+  default: ''
+
+- name: Pattern
+  type: string
+  default: '*.dll'
+
+steps:
+- task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@5
+  displayName: ${{ parameters.DisplayName }}
+  condition: and(succeeded(), eq('${{ parameters.DoEsrp }}', true))
+  inputs:
+    ConnectedServiceName: 'OnnxrunTimeCodeSign_20240611'
+    AppRegistrationClientId: '53d54d02-978d-4305-8572-583cf6711c4f'
+    AppRegistrationTenantId: '72f988bf-86f1-41af-91ab-2d7cd011db47'
+    AuthAKVName: 'buildkeyvault'
+    AuthCertName: '53d54d02-SSL-AutoRotate'
+    AuthSignCertName: '53d54d02-978d-4305-8572-583cf6711c4f'
+    signConfigType: inlineSignParams
+    inlineOperation: |
+      [
+        {
+          "keyCode": "CP-230012",
+          "operationSetCode": "SigntoolSign",
+          "parameters": [
+            {
+              "parameterName": "OpusName",
+              "parameterValue": "Microsoft"
+            },
+            {
+              "parameterName": "OpusInfo",
+              "parameterValue": "http://www.microsoft.com"
+            },
+            {
+              "parameterName": "PageHash",
+              "parameterValue": "/NPH"
+            },
+            {
+              "parameterName": "FileDigest",
+              "parameterValue": "/fd sha256"
+            },
+            {
+              "parameterName": "TimeStamp",
+              "parameterValue": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256"
+            }
+          ],
+          "toolName": "signtool.exe",
+          "toolVersion": "6.2.9304.0"
+        }
+      ]
+    FolderPath: ${{ parameters.FolderPath }}
+    Pattern: ${{ parameters.Pattern }}
+    SessionTimeout: 90
+    ServiceEndpointUrl: 'https://api.esrp.microsoft.com/api/v2'
+    MaxConcurrency: 25
+
+- task: PowerShell@2
+  displayName: 'Signature validation for signed file(s)'
+  inputs:
+    targetType: 'inline'
+    script: |
+      Write-Host "FolderPath: ${{ parameters.FolderPath }}"
+      Write-Host "Pattern(s): ${{ parameters.Pattern }}"
+
+      if ("${{ parameters.Pattern }}" -eq "")
+      {
+          Write-Host "Pattern is empty."
+          exit 0
+      }
+
+      $valid_flag=$true
+      $normal_sign_status="Valid"
+
+      $patterns="${{ parameters.Pattern }}" -split ','
+
+      foreach($pattern_original in $patterns)
+      {
+          $pattern=$pattern_original.Trim()
+          Write-Host "Validating pattern:" $pattern
+
+          $file_names=Get-ChildItem -Path ${{ parameters.FolderPath }} .\$pattern -Name -Recurse -Force
+
+          foreach($file in $file_names)
+          {
+              $file_path=Join-Path ${{ parameters.FolderPath }} -ChildPath $file
+              $sign=Get-AuthenticodeSignature -FilePath $file_path
+              $sign_status=$sign.Status.ToString()
+              Write-Host "File:" $file
+              Write-Host "Signature Status:" $sign_status
+              if ($sign_status -ne $normal_sign_status)
+              {
+                  Write-Host "File" $file "does not have valid signature."
+                  Write-Host "Signature status:" $sign.status
+                  Write-Host "Signature message:" $sign.StatusMessage
+                  $valid_flag=$false
+                  break
+              }
+          }
+      }
+
+      if ($valid_flag -eq $false)
+      {
+          Write-Host "Signature validation failed."
+          exit 1
+      }
+      else
+      {
+          Write-Host "Signature validation passed."
+          exit 0
+      }
+    workingDirectory: ${{ parameters.FolderPath }}
diff --git a/tools/ci_build/github/azure-pipeline/templates/windows-build-stage.yml b/tools/ci_build/github/azure-pipeline/templates/windows-build-stage.yml
@@ -0,0 +1,92 @@
+parameters:
+- name: CibwEnv
+  displayName: 'Extra env variable set to CIBW_ENVIRONMENT, in form of "A=1 B=2 C=3"'
+  type: string
+  default: ''
+
+stages:
+- stage: Windows_Build
+  dependsOn: []
+  jobs:
+  - job: main
+    pool:
+      name: onnxruntime-Win-CPU-2022
+      os: windows
+
+    variables:
+      CIBW_BUILD: cp3{8,9,10,11,12}-*amd64
+      CIBW_ARCHS: AMD64
+      CIBW_ENVIRONMENT: "${{ parameters.CibwEnv }}"
+      CIBW_BUILD_VERBOSITY: 1
+      ob_outputDirectory: '$(REPOROOT)\out'
+      ob_sdl_binskim_break: true
+
+    steps:
+    - script: |
+        @echo off
+        set vswherepath="%ProgramFiles(x86)%\Microsoft Visual Studio\Installer\vswhere.exe"
+        for /f "usebackq delims=" %%i in (`%vswherepath% -latest -property installationPath`) do (
+          set vslatest="%%i"
+          if exist "%%i\Common7\Tools\vsdevcmd.bat" (
+            set vsdevcmd="%%i\Common7\Tools\vsdevcmd.bat"
+          )
+          if exist "%%i\Common7\IDE\CommonExtensions\Microsoft\CMake\CMake\bin\cmake.exe" (
+            set vscmake="%%i\Common7\IDE\CommonExtensions\Microsoft\CMake\CMake\bin\cmake.exe"
+          )
+          if exist "%%i\MSBuild\Current\Bin\amd64\msbuild.exe" (
+            set vsmsbuild="%%i\MSBuild\Current\Bin\amd64\msbuild.exe"
+          )
+        )
+
+        @echo vslatest %vslatest%
+        @echo vsdevcmd %vsdevcmd%
+        @echo vscmake %vscmake%
+        @echo vsmsbuild %vsmsbuild%
+
+        @echo ##vso[task.setvariable variable=vslatest]%vslatest%
+        @echo ##vso[task.setvariable variable=vsdevcmd]%vsdevcmd%
+        @echo ##vso[task.setvariable variable=vscmake]%vscmake%
+        @echo ##vso[task.setvariable variable=vsmsbuild]%vsmsbuild%
+      displayName: 'locate vsdevcmd via vswhere'
+
+    - task: UsePythonVersion@0
+    - script: |
+        call $(vsdevcmd) -arch=amd64
+        set PYTHONPATH=
+        set PYTHONHOME=
+        python -m pip install --upgrade pip
+        python -m pip install cibuildwheel numpy
+        python -m cibuildwheel --platform windows --archs AMD64 --output-dir $(REPOROOT)\out
+      displayName: Build wheels
+
+    - task: SDLNativeRules@3
+      inputs:
+        msBuildArchitecture: amd64
+        setupCommandlines: '"$(vscmake)" $(REPOROOT) -A x64 -B $(REPOROOT)\windows_out -DOCOS_BUILD_PYTHON=ON -DOCOS_ENABLE_CTEST=OFF -DCMAKE_BUILD_TYPE=RelWithDebInfo'
+        msBuildCommandline: '"$(vsmsbuild)" "$(REPOROOT)\windows_out\onnxruntime_extensions.sln" /p:RunCodeAnalysis=true /p:platform=x64 /p:configuration=RelWithDebInfo /p:VisualStudioVersion="17.0" /m /p:PreferredToolArchitecture=x64 /t:extensions_shared;extensions_pydll'
+        excludedPaths: '$(REPOROOT)\windows_out#$(Build.SourcesDirectory)\cmake#C:\program files (x86)'
+      displayName: 'Run the PREfast SDL Native Rules for MSBuild'
+
+    - task: PostAnalysis@2
+      inputs:
+        GdnBreakGdnToolSDLNativeRulesSeverity: Warning
+        GdnBreakGdnToolSDLNativeRules: true
+      displayName: 'Guardian Break'
+
+    - script: |
+        7z x $(REPOROOT)\out\*.whl -o$(REPOROOT)\out\*
+      displayName: unzip the package
+
+    - template: win-esrp-dll.yml
+      parameters:
+        FolderPath: '$(REPOROOT)\out'
+        DisplayName: 'Sign runtime DLLs'
+        Pattern: '**/**/*.pyd,**/**/*.dll'
+
+    - script: |
+        for /D %%i in ("out\onnxruntime_extensions*-win*") do (
+          7z u %%i.whl .\%%i\*
+          rmdir /s /q %%i
+          )
+      workingDirectory: '$(REPOROOT)'
+      displayName: zip package
diff --git a/tools/ci_build/github/onnxruntime-extensions-official.yml b/tools/ci_build/github/onnxruntime-extensions-official.yml
@@ -0,0 +1,46 @@
+trigger: none
+
+parameters: # parameters are shown up in ADO UI in a build queue time
+- name: 'debug'
+  displayName: 'Enable debug output'
+  type: boolean
+  default: false
+
+- name: ExtraEnv
+  displayName: 'Extra env variable set to CIBW_ENVIRONMENT, in form of "A=1 B=2 C=3"'
+  type: string
+  default: 'ExampleEnvVar=ON'
+
+variables:
+- template: templates/common-variables.yml@self
+  parameters:
+    debug: ${{ parameters.debug }}
+
+resources:
+  repositories:
+    - repository: 1esPipelines
+      type: git
+      name: 1ESPipelineTemplates/1ESPipelineTemplates
+      ref: refs/tags/release
+
+extends:
+  template: v1/1ES.Official.PipelineTemplate.yml@1esPipelines
+  parameters:
+    sdl:
+      tsa:
+        enabled: true
+      binskim:
+        enabled: true
+        targetPathPattern: '**\RelWithDebInfo\ortextensions.dll'  # avoid scanning the 3rd party DLLs.
+      codeql:
+        compiled:
+          enabled: true
+        cadence: 10
+      policheck:
+        break: true # always break the build on policheck issues. You can disable it by setting to 'false'
+        exclusionsFile: '$(REPOROOT)\.config\policheck_exclusions.xml'
+
+    stages:
+    - template: templates/windows-build-stage.yml@self
+      parameters:
+        CibwEnv: ${{ parameters.ExtraEnv }}