azure-pipelines.yml
# CI trigger: only pushes to main start this pipeline automatically.
# NOTE(review): the signing and API-scan conditions in this file also refer to
# refs/heads/release/* and to scheduled runs; neither is configured here, so
# those runs presumably come from manual queues or UI-defined schedules.
trigger:
  branches:
    include:
      - main

# Pull-request validation is switched off for this pipeline.
pr: none
# Queue-time parameters. Every parameter has a default, so triggered runs need
# no input.
parameters:
  # Pool definition passed to the extended template as `pool`; its name and
  # image are also reused for the API scan stage.
  - name: buildAgent
    displayName: 'The build agent to use'
    type: object
    default:
      name: Maui-1ESPT
      image: 1ESPT-Windows2022
      os: windows

  # Opt-in switch that adds the API scan stage to a run.
  - name: runApiScan
    displayName: 'Run API Scan'
    type: boolean
    default: false

  # Overrides the branch check in the signing stage: when true, 'Real' signing
  # is selected regardless of the source branch.
  # NOTE(review): anyone allowed to queue this pipeline with parameters can
  # therefore Real-sign a build of any branch; confirm that queue permissions
  # or approvals on the pipeline cover this.
  - name: forceRealSigning
    displayName: 'Ignore all logic and force Real signing on binaries'
    type: boolean
    default: false
# Variables are loaded from a template in this same repository (@self).
# NOTE(review): $(MAJOR_VERSION) and $(ApiScanClientId), used further down,
# are not defined in this file; presumably they come from this template or
# from pipeline settings.
variables:
  - template: /scripts/azure-pipelines-variables.yml@self
# External template repositories. Templates from these repositories define the
# pipeline skeleton, the signing job and the API scan stage, so their content
# runs with this pipeline's identity.
resources:
  repositories:
    # Tracks a branch head rather than a tag or commit: changes pushed to that
    # branch take effect here without any change in this repository.
    # NOTE(review): rely on branch protection in the template repository, or
    # pin to an immutable ref if one is published.
    - repository: yaml-templates
      type: git
      name: DevDiv/Xamarin.yaml-templates
      ref: refs/heads/main

    # No `ref` is given, so the default ref of the template repository is used.
    - repository: 1ESTemplates
      type: git
      name: 1ESPipelineTemplates/MicroBuildTemplate
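# The whole pipeline is expressed as parameters to the MicroBuild 1ES official
# template: pool, SDL tool settings and the stages to run.
extends:
  template: azure-pipelines/MicroBuild.1ES.Official.yml@1ESTemplates
  parameters:
    pool: ${{ parameters.buildAgent }}
    customBuildTags:
      - ES365AIMigrationTooling

    # Security/compliance tooling settings consumed by the extended template.
    sdl:
      # The shared template repository is left out of source scanning.
      sourceRepositoriesToScan:
        exclude:
          - repository: yaml-templates
      # BinSkim runs, but `break: false` means its findings do not fail the
      # build; they are only useful if someone reviews the reported results.
      binskim:
        enabled: true
        break: false
      codeInspector:
        enabled: true
      credscan:
        enabled: true
      policheck:
        enabled: true
      spotBugs:
        enabled: false
      # Results are uploaded using the TSA options file kept in this repo.
      tsa:
        enabled: true
        configFile: $(Build.SourcesDirectory)/.config/tsaoptions.json

    stages:
      # Stage 1: pack the NuGet packages and publish them as the 'nuget'
      # pipeline artifact (output/nugets).
      - stage: build
        displayName: Build
        jobs:
          - job: build
            displayName: Build
            templateContext:
              outputParentDirectory: 'output'
              outputs:
                - output: pipelineArtifact
                  displayName: 'Upload NuGets'
                  artifactName: 'nuget'
                  targetPath: 'output/nugets'
            steps:
              - template: /scripts/azure-pipelines-steps-prepare.yml@self
              - pwsh: dotnet cake --target=pack
                displayName: Pack NuGets

      # Stage 2: sign the packages produced by the build stage.
      # 'Real' signing is chosen at template-expansion time when the run is on
      # main, on a release/* branch, or when forceRealSigning is set; every
      # other run gets 'Test' signing.
      # NOTE(review): forceRealSigning bypasses the branch check, so the
      # ability to queue this pipeline with parameters is what gates Real
      # signing of non-release branches.
      - stage: signing
        displayName: Sign NuGets
        dependsOn: build
        jobs:
          - template: sign-artifacts/jobs/v4.yml@yaml-templates
            parameters:
              usePipelineArtifactTasks: true
              checkoutType: 'self'
              ${{ if or(eq(parameters.forceRealSigning, 'true'), eq(variables['Build.SourceBranch'], 'refs/heads/main'), startsWith(variables['Build.SourceBranch'], 'refs/heads/release/')) }}:
                signType: 'Real'
              ${{ else }}:
                signType: 'Test'

      # Optional stage: API scan. Included when runApiScan is set, or when the
      # run is scheduled and on main or a release/* branch.
      - ${{ if or(eq(parameters.runApiScan, 'true'), and(eq(variables['Build.Reason'], 'Schedule'), or(eq(variables['Build.SourceBranch'], 'refs/heads/main'), startsWith(variables['Build.SourceBranch'], 'refs/heads/release/')))) }}:
          - template: security/apiscan/v0.yml@yaml-templates
            parameters:
              windowsPoolName: ${{ parameters.buildAgent.name }}
              windowsImageOverride: ${{ parameters.buildAgent.image }}
              timeoutInMinutes: 480
              tsaConfigFile: $(Build.SourcesDirectory)/.config/tsaoptions.json
              tsaUploadEnabled: true
              stageDependsOn:
                - build
              scanArtifacts:
                - nuget
              apiScanSoftwareName: SkiaSharp
              apiScanSoftwareVersionNum: $(MAJOR_VERSION)
              # The AppId is supplied from a pipeline variable; no secret is
              # stored in this file.
              apiScanAuthConnectionString: 'runAs=App;AppId=$(ApiScanClientId)'
              preScanSteps:
                # Unpack every downloaded package (*.nupkg and *.snupkg match
                # the glob) into its own folder so the scanner sees the
                # binaries, then delete the archive.
                #
                # The folder name is the file name with a literal '.nupkg'
                # suffix removed. String.TrimEnd('.nupkg') is not used for
                # this because it treats its argument as a set of characters,
                # not a suffix: it also strips trailing '.', 'n', 'u', 'p',
                # 'k' or 'g' characters that belong to the package name or
                # version. Names that do not end in '.nupkg' (for example
                # '.snupkg') are kept whole, which keeps their folder distinct
                # from the matching .nupkg folder.
                - pwsh: |
                    $nupkgs = (Get-ChildItem "$(Build.ArtifactStagingDirectory)\binaries-to-scan\*\*.*nupkg")
                    foreach ($nupkg in $nupkgs) {
                      $filename = $nupkg.Name -replace '\.nupkg$', ''
                      $dest = "$(Build.ArtifactStagingDirectory)\binaries-to-scan\nuget_symbols-extracted\$filename"
                      Write-Host "Extracting '$nupkg' to '$dest'..."
                      Expand-Archive $nupkg $dest
                      Remove-Item $nupkg
                    }
                  displayName: Extract all the .nupkg files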