Enable daily runs with compliance (#3664)

MicrosoftDocs · Feb 7, 2019 · bdf8ad1 · bdf8ad1
1 parent 0d3c8dd
commit bdf8ad1
Show file tree

Hide file tree

Showing 8 changed files with 503 additions and 46 deletions.
diff --git a/build.ps1 b/build.ps1
@@ -37,6 +37,8 @@ function Get-ContentWithoutHeader {
     }
   }
 
+[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
+
 # Pandoc source URL
 $panDocVersion = "2.0.6"
 $pandocSourceURL = "https://github.com/jgm/pandoc/releases/download/$panDocVersion/pandoc-$panDocVersion-windows.zip"

diff --git a/ci-steps.yml b/ci-steps.yml
@@ -0,0 +1,42 @@
+steps:
+- powershell: |
+    Get-ChildItem Env:\
+  displayName: Capture environment
+
+#- powershell: |
+#    if ((Get-Command pwsh -CommandType Application -ErrorAction Ignore) -eq $null)
+#    {
+#      Write-Verbose -Verbose "Installing pwsh"
+#      $destPath = "${env:BUILD_ARTIFACTSTAGINGDIRECTORY}/install-powershell.ps1"
+#      Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/PowerShell/PowerShell/master/tools/install-powershell.ps1' -OutFile $destPath
+#      Unblock-File $destPath
+#      & $destPath -UseMSI -Quiet
+#    }
+#  displayName: Install pwsh if not available
+
+- powershell: |
+    Install-Module -Name platyPS -Repository PSGallery -Force
+  displayName: Install tools
+
+- powershell: |
+    $(Build.SourcesDirectory)\build.ps1
+  displayName: Build
+
+- powershell: |
+    Compress-Archive -Path "$(Build.SourcesDirectory)\updatablehelp\*" -DestinationPath "$(Build.ArtifactStagingDirectory)\updatablehelp-$(Build.BuildId).zip"
+    Write-Host "##vso[artifact.upload containerfolder=artifacts;artifactname=artifacts]$(Build.ArtifactStagingDirectory)\updatablehelp-$(Build.BuildId).zip"
+  displayName: Compress and upload updatable help content
+
+  # We run tests on Windows PowerShell. Changing to PowerShell core would need changes to the tests
+- powershell: |
+    Install-Module -Name Pester -Repository PSGallery -Force -SkipPublisherCheck
+    Import-Module "$(Build.SourcesDirectory)/tests/PowerShellDocsTests.psm1" -Force
+    Invoke-Test
+  displayName: Test
+
+# Publish Test Results to Azure Pipelines/TFS
+- task: PublishTestResults@2
+  inputs:
+    testResultsFormat: 'NUnit'
+    testResultsFiles: '**/TestResults.xml'
+    searchFolder: '$(Build.SourcesDirectory)'
diff --git a/ci.yml b/ci.yml
@@ -9,6 +9,7 @@ trigger:
     - reference/**/*
     - build.ps1
     - ci.yml
+    - ci-steps.yml
     - .openpublishing.build.ps1
     - .openpublishing.publish.config.json
     - .openpublishing.redirection.json
@@ -28,6 +29,7 @@ pr:
     - reference/**/*
     - build.ps1
     - ci.yml
+    - ci-steps.yml
     - .openpublishing.build.ps1
     - .openpublishing.publish.config.json
     - .openpublishing.redirection.json
@@ -42,48 +44,9 @@ resources:
   clean: true
 
 jobs:
-- job:
-  displayName: Build PowerShell Docs
-  condition: succeeded()
+- job: build_and_test
+  displayName: Build And Test
   pool: Hosted VS2017
-  steps:
-  - powershell: |
-      Get-ChildItem Env:\
-    displayName: Capture environment
-
-  - powershell: |
-      if ((Get-Command pwsh -CommandType Application) -eq $null)
-      {
-        $destPath = "${env:BUILD_ARTIFACTSTAGINGDIRECTORY}/install-powershell.ps1"
-        Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/PowerShell/PowerShell/master/tools/install-powershell.ps1' -OutFile $destPath
-        Unblock-File $destPath
-        & $destPath -UseMSI -Quiet
-      }
-    displayName: Install pwsh if not available
-
-  - pwsh: |
-      Install-Module -Name platyPS -Repository PSGallery -Force
-    displayName: Install tools
-
-  - pwsh: |
-      $(Build.SourcesDirectory)\build.ps1
-    displayName: Build
 
-  - pwsh: |
-      Compress-Archive -Path "$(Build.SourcesDirectory)\updatablehelp\*" -DestinationPath "$(Build.ArtifactStagingDirectory)\updatablehelp-$(Build.BuildId).zip"
-      Write-Host "##vso[artifact.upload containerfolder=artifacts;artifactname=artifacts]$(Build.ArtifactStagingDirectory)\updatablehelp-$(Build.BuildId).zip"
-    displayName: Compress and upload updatable help content
-
-    # We run tests on Windows PowerShell. Changing to PowerShell core would need changes to the tests
-  - powershell: |
-      Install-Module -Name Pester -Repository PSGallery -Force
-      Import-Module "$(Build.SourcesDirectory)/tests/PowerShellDocsTests.psm1" -Force
-      Invoke-Test
-    displayName: Test
-
-  # Publish Test Results to Azure Pipelines/TFS
-  - task: PublishTestResults@2
-    inputs:
-      testResultsFormat: 'NUnit'
-      testResultsFiles: '**/TestResults.xml'
-      searchFolder: '$(Build.SourcesDirectory)'
+  steps:
+    - template: ci-steps.yml
diff --git a/daily.yml b/daily.yml
@@ -0,0 +1,71 @@
+name: PowerShell-Docs-Daily-$(Date:yyyyMMdd)$(Rev:.rr)
+trigger:
+  branches:
+    include:
+    - live
+    - staging
+  paths:
+    include:
+    - reference/**/*
+    - build.ps1
+    - ci.yml
+    - ci-steps.yml
+    - .openpublishing.build.ps1
+    - .openpublishing.publish.config.json
+    - .openpublishing.redirection.json
+    - tests/**/*
+    - '**/docfx.json'
+    - '**/TOC.yml'
+    - '**/toc.yml'
+    - '**/*.md'
+
+pr:
+  branches:
+    include:
+    - staging
+    - live
+  paths:
+    include:
+    - reference/**/*
+    - build.ps1
+    - ci.yml
+    - ci-steps.yml
+    - .openpublishing.build.ps1
+    - .openpublishing.publish.config.json
+    - .openpublishing.redirection.json
+    - tests/**/*
+    - '**/docfx.json'
+    - '**/TOC.yml'
+    - '**/toc.yml'
+    - '**/*.md'
+
+resources:
+- repo: self
+  clean: true
+
+jobs:
+- job: build_and_test
+  displayName: Build And Test
+  pool: Package ES CodeHub Lab E
+
+  steps:
+    - template: ci-steps.yml
+
+    - task: securedevelopmentteam.vss-secure-development-tools.build-task-antimalware.AntiMalware@3
+      displayName: 'Run Defender Scan'
+
+    - task: securedevelopmentteam.vss-secure-development-tools.build-task-policheck.PoliCheck@1
+      displayName: 'Run PoliCheck'
+      inputs:
+        targetType: F
+        optionsFC: 0
+        optionsXS: 0
+        optionsPE: '1|2|3|4'
+        optionsHMENABLE: 0
+        optionsRulesDBPath: '$(Build.SourcesDirectory)\tools\terms\PowerShell-Docs-Terms-Rules.mdb'
+        optionsFTPATH: '$(Build.SourcesDirectory)\tools\terms\FileTypeSet.xml'
+      continueOnError: true
+
+
+
+
diff --git a/jea/security-considerations.md b/jea/security-considerations.md
@@ -123,7 +123,7 @@ For example, consider the following role capability entry:
 ```
 
 This role capability allows users to run any PowerShell cmdlet with the noun "Process" from the Microsoft.PowerShell.Management module.
-Users may need to access cmdlets like `Get-Process` to understand what applications are running on the system and `Stop-Process` to kill any hung applications.
+Users may need to access cmdlets like `Get-Process` to understand what applications are running on the system and `Stop-Process` to kill any applications that are not responding.
 However, this entry also allows `Start-Process`, which can be used to start up an arbitrary program with full administrator permissions.
 The program doesn't need to be installed locally on the system, so an adversary could simply start a program on a file share that gives the connecting user local admin privileges, runs malware, and more.'