Diffstat (limited to 'azure-pipelines')
-rw-r--r-- | azure-pipelines/release-pypi.yml | 35 | ||||
-rw-r--r-- | azure-pipelines/release.yml | 36 | ||||
-rw-r--r-- | azure-pipelines/source_scan.yml | 11 | ||||
-rw-r--r-- | azure-pipelines/template/build_packages.yml | 31 | ||||
-rw-r--r-- | azure-pipelines/template/publish_pypi.yml | 43 | ||||
-rw-r--r-- | azure-pipelines/template/static_analysis.yml | 72 |
6 files changed, 228 insertions, 0 deletions
diff --git a/azure-pipelines/release-pypi.yml b/azure-pipelines/release-pypi.yml
new file mode 100644
index 0000000..37df592
--- /dev/null
+++ b/azure-pipelines/release-pypi.yml
@@ -0,0 +1,35 @@
+trigger: none
+pr: none
+
+resources:
+ repositories:
+ - repository: templates
+ type: github
+ name: microsoft/vscode-engineering
+ ref: main
+ endpoint: Monaco
+
+parameters:
+ - name: publishPackage
+ displayName: 🚀 Publish Package
+ type: boolean
+ default: false
+
+extends:
+ template: azure-pipelines/pypi-package/pipeline.yml@templates
+ parameters:
+ publishPackage: ${{ parameters.publishPackage }}
+ pythonVersion: '3.7'
+ # We don't ship any built in packages.
+ generateNotice: false
+ pyProjectTomlPath: $(Build.SourcesDirectory)/packages/python/pyproject.toml
+ buildSteps:
+ - script: python -m pip install nox
+ displayName: Install nox
+
+ - script: python -m nox --session build
+ displayName: Build package (sdist and wheels)
+
+ - publish: $(Build.SourcesDirectory)/packages/python/dist
+ artifact: dist
+ displayName: 🚛 Publish artifact
diff --git a/azure-pipelines/release.yml b/azure-pipelines/release.yml
new file mode 100644
index 0000000..6c12d7d
--- /dev/null
+++ b/azure-pipelines/release.yml
@@ -0,0 +1,36 @@
+trigger: none
+pr: none
+
+variables:
+ Codeql.Enabled: true
+
+parameters:
+ - name: publishPyPI
+ displayName: 🚀 Publish To PyPI
+ type: string
+ values: [Skip, Test, Real]
+ default: Test
+
+stages:
+ - stage: pre_build
+ displayName: Pre-build validation
+ jobs:
+ - template: template/static_analysis.yml
+
+ - stage: build
+ displayName: Build sdist and wheels
+ dependsOn: pre_build
+ variables:
+ skipComponentGovernanceDetection: true # handled by pre_build
+ jobs:
+ - template: template/build_packages.yml
+
+ - stage: publish
+ displayName: Publish
+ dependsOn: build
+ variables:
+ skipComponentGovernanceDetection: true # handled by pre_build
+ jobs:
+ - template: template/publish_pypi.yml
+ parameters:
+ publishPyPI: ${{parameters.publishPyPI}}
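Review bot: In azure-pipelines/release-pypi.yml the `buildSteps` entry `python -m pip install nox` installs whatever nox release the index serves at run time, so the tooling that builds the published sdist and wheels is not fixed by the repository. The same unpinned pattern appears in template/build_packages.yml (`pip install -U pip`, `wheel`, `nox`) and in template/publish_pypi.yml, where `python -m pip install twine` provides the code that later runs with `TWINE_PASSWORD` in its environment. Installing from a committed, hash-pinned requirements file would close this, for example `python -m pip install --require-hashes -r <path-to-pinned-requirements.txt>` (placeholder path).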
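Review bot: In azure-pipelines/release.yml the `publishPyPI` parameter has `default: Test`, so a run queued without touching the parameters uploads to Test PyPI instead of publishing nowhere. A release pipeline is safer when the no-input path has no external effect; I would change the line to `default: Skip` and let the operator opt in to `Test` or `Real`. With `Skip`, neither conditional block in template/publish_pypi.yml matches, so no upload step is emitted.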
diff --git a/azure-pipelines/source_scan.yml b/azure-pipelines/source_scan.yml
new file mode 100644
index 0000000..14dc842
--- /dev/null
+++ b/azure-pipelines/source_scan.yml
@@ -0,0 +1,11 @@
+trigger:
+ - main
+
+variables:
+ Codeql.Enabled: true
+
+stages:
+ - stage: pre_build
+ displayName: Pre-build validation
+ jobs:
+ - template: template/static_analysis.yml
diff --git a/azure-pipelines/template/build_packages.yml b/azure-pipelines/template/build_packages.yml
new file mode 100644
index 0000000..ca99144
--- /dev/null
+++ b/azure-pipelines/template/build_packages.yml
@@ -0,0 +1,31 @@
+jobs:
+ - job: BuildPkg
+ displayName: Build package
+
+ pool:
+ vmImage: windows-latest
+
+ steps:
+ - task: UsePythonVersion@0
+ displayName: "Use Python 3.7"
+ inputs:
+ versionSpec: 3.7
+
+ - script: python -m pip install -U pip
+ displayName: Upgrade Pip
+
+ # For faster/better builds of sdists.
+ - script: python -m pip install wheel
+ displayName: Install build pre-requisite
+
+ - script: python -m pip install nox
+ displayName: Install nox
+
+ - script: python -m nox --session build
+ displayName: Build sdist and wheels
+
+ - task: PublishBuildArtifacts@1
+ displayName: "Publish Artifact"
+ inputs:
+ pathToPublish: "$(Build.SourcesDirectory)/packages/python/dist"
+ artifactName: dist
diff --git a/azure-pipelines/template/publish_pypi.yml b/azure-pipelines/template/publish_pypi.yml
new file mode 100644
index 0000000..1f29e1b
--- /dev/null
+++ b/azure-pipelines/template/publish_pypi.yml
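Review bot: In azure-pipelines/template/build_packages.yml `versionSpec: 3.7` is an unquoted scalar that a generic YAML parser types as a float, whereas release-pypi.yml in this same commit writes `pythonVersion: '3.7'`. The value happens to survive for 3.7 and 3.11, but a later bump to 3.10 could collapse to 3.1 depending on how the consumer loads the file. Quoting keeps it a string and matches the other file: `versionSpec: '3.7'`. The same applies to `versionSpec: 3.7` in template/publish_pypi.yml and `versionSpec: 3.11` in template/static_analysis.yml.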
@@ -0,0 +1,43 @@
+parameters:
+ - name: publishPyPI
+ displayName: 🚀 Publish To PyPI
+ type: string
+
+jobs:
+ - job: PublishPkg
+ displayName: Publish Packages
+
+ pool:
+ vmImage: windows-latest
+
+ steps:
+ - task: DownloadPipelineArtifact@2
+ displayName: "Download Pipeline Artifact"
+ inputs:
+ artifactName: dist
+ targetPath: "$(Build.SourcesDirectory)/dist"
+
+ - task: UsePythonVersion@0
+ displayName: "Use Python 3.7"
+ inputs:
+ versionSpec: 3.7
+
+ - script: python -m pip install -U pip
+ displayName: Upgrade Pip
+
+ - script: python -m pip install twine
+ displayName: Install Twine
+
+ - ${{ if eq(parameters.publishPyPI, 'Test') }}:
+ - script: python -m twine upload -r testpypi dist/*
+ displayName: Publish to Test PyPI
+ env:
+ TWINE_USERNAME: __token__
+ TWINE_PASSWORD: $(test_pypi_token)
+
+ - ${{ if eq(parameters.publishPyPI, 'Real') }}:
+ - script: python -m twine upload dist/*
+ displayName: Publish to PyPI
+ env:
+ TWINE_USERNAME: __token__
+ TWINE_PASSWORD: $(real_pypi_token)
diff --git a/azure-pipelines/template/static_analysis.yml b/azure-pipelines/template/static_analysis.yml
new file mode 100644
index 0000000..ffd0f44
--- /dev/null
+++ b/azure-pipelines/template/static_analysis.yml
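Review bot: `$(test_pypi_token)` and `$(real_pypi_token)` in azure-pipelines/template/publish_pypi.yml are not defined in any file of this commit (the `variables:` block in release.yml holds only `Codeql.Enabled`), so a reader cannot tell where they come from or whether they are stored as secrets. If either is missing at run time the macro is, as far as I know, left unexpanded and twine receives the literal text as its password, which fails only at upload time. I would add a comment above the two `env:` blocks along the lines of `# test_pypi_token / real_pypi_token: secret variables defined on the pipeline, not in YAML`, adjusted to wherever they are actually kept.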
@@ -0,0 +1,72 @@
+jobs:
+ - job: SourceScan
+ displayName: Source Scan
+
+ pool:
+ vmImage: windows-latest
+
+ steps:
+ - task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@3
+ displayName: 'Run Credential Scanner'
+ inputs:
+ outputFormat: pre
+ debugMode: false
+ continueOnError: true
+
+ - task: securedevelopmentteam.vss-secure-development-tools.build-task-policheck.PoliCheck@2
+ displayName: 'Run PoliCheck'
+ inputs:
+ targetType: F
+ continueOnError: true
+
+ - task: securedevelopmentteam.vss-secure-development-tools.build-task-antimalware.AntiMalware@4
+ displayName: 'Run AntiMalware'
+ inputs:
+ FileDirPath: '$(Build.SourcesDirectory)'
+ EnableServices: true
+ continueOnError: true
+
+ - task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
+ displayName: Component Detection
+ inputs:
+ ignoreDirectories: '$(Build.SourcesDirectory)/tests'
+ continueOnError: true
+
+ - task: securedevelopmentteam.vss-secure-development-tools.build-task-report.SdtReport@2
+ displayName: Create Security Analysis Report
+ inputs:
+ AllTools: false
+ AntiMalware: true
+ BinSkim: false
+ CredScan: true
+ PoliCheck: true
+ APIScan: false
+ CodesignValidation: false
+ FortifySCA: false
+ FxCop: false
+ ModernCop: false
+ MSRD: false
+ RoslynAnalyzers: false
+ SDLNativeRules: false
+ Semmle: false
+ TSLint: false
+ WebScout: false
+ continueOnError: true
+
+ - task: securedevelopmentteam.vss-secure-development-tools.build-task-publishsecurityanalysislogs.PublishSecurityAnalysisLogs@3
+ displayName: Publish Security Analysis Logs
+
+ - job: VersionChk
+ displayName: Version Check
+
+ pool:
+ vmImage: ubuntu-latest
+
+ steps:
+ - task: UsePythonVersion@0
+ displayName: 'Use Python 3.11'
+ inputs:
+ versionSpec: 3.11
+
+ - script: python ./.github/workflows/version_check.py
+ displayName: Version Check |
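Review bot: Every scanner step in the SourceScan job of azure-pipelines/template/static_analysis.yml (CredScan, PoliCheck, AntiMalware, Component Detection, SdtReport) carries `continueOnError: true`, so a failing scan leaves the job at most succeeded-with-issues. As far as the visible YAML shows, the `dependsOn: pre_build` in release.yml therefore does not hold back the build and publish stages on a scanner failure. If pre_build is meant as a gate, drop `continueOnError: true` from at least the CredScan and AntiMalware steps, or add an explicit step after SdtReport that fails the job on findings. If the scans are advisory only, a comment at the top of the job such as `# scans are advisory; failures do not block later stages` would stop readers assuming the release is gated on them.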