Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

blackduck in azure pipeline #461

Closed
wants to merge 5 commits into from
Closed

blackduck in azure pipeline #461

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
adfb066
blackduck in azure pipeline
dasormeter Apr 10, 2019
e375e1a
update blackduck scanning commands
dasormeter May 30, 2019
ef87cda
TEMPORARILY disable steps before blackduck scan
dasormeter May 30, 2019
5c82cc8
temporarily run only osx pipeline
dasormeter Jun 25, 2019
8ee3d8b
updated blackduck scan command
dasormeter Apr 17, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
310 changes: 155 additions & 155 deletions azure-pipelines.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,161 +35,161 @@ jobs:
$(Slack.URL)
condition: and(failed(), eq(variables['Build.SourceBranchName'], 'master'))

- job: macOS
timeoutInMinutes: 360
pool:
vmImage: 'macOS-10.14'
steps:
- template: ci/build-unix.yml
parameters:
name: macos
- bash: |
set -euo pipefail
MESSAGE=$(git log --pretty=format:%s -n1)
curl -XPOST \
-i \
-H 'Content-type: application/json' \
--data "{\"text\":\"<!here> *FAILED* macOS: <https://dev.azure.com/digitalasset/daml/_build/results?buildId=$(Build.BuildId)|$MESSAGE>\n\"}" \
$(Slack.URL)
condition: and(failed(), eq(variables['Build.SourceBranchName'], 'master'))
# - job: macOS
# timeoutInMinutes: 360
# pool:
# vmImage: 'macOS-10.14'
# steps:
# - template: ci/build-unix.yml
# parameters:
# name: macos
# - bash: |
# set -euo pipefail
# MESSAGE=$(git log --pretty=format:%s -n1)
# curl -XPOST \
# -i \
# -H 'Content-type: application/json' \
# --data "{\"text\":\"<!here> *FAILED* macOS: <https://dev.azure.com/digitalasset/daml/_build/results?buildId=$(Build.BuildId)|$MESSAGE>\n\"}" \
# $(Slack.URL)
# condition: and(failed(), eq(variables['Build.SourceBranchName'], 'master'))

- job: Windows
timeoutInMinutes: 360
pool:
name: 'windows-pool'
steps:
- template: ci/build-windows.yml
- bash: |
set -euo pipefail
MESSAGE=$(git log --pretty=format:%s -n1)
curl -XPOST \
-i \
-H 'Content-type: application/json' \
--data "{\"text\":\"<!here> *FAILED* Windows: <https://dev.azure.com/digitalasset/daml/_build/results?buildId=$(Build.BuildId)|$MESSAGE>\n\"}" \
$(Slack.URL)
condition: and(failed(), eq(variables['Build.SourceBranchName'], 'master'))
# - job: Windows
# timeoutInMinutes: 360
# pool:
# name: 'windows-pool'
# steps:
# - template: ci/build-windows.yml
# - bash: |
# set -euo pipefail
# MESSAGE=$(git log --pretty=format:%s -n1)
# curl -XPOST \
# -i \
# -H 'Content-type: application/json' \
# --data "{\"text\":\"<!here> *FAILED* Windows: <https://dev.azure.com/digitalasset/daml/_build/results?buildId=$(Build.BuildId)|$MESSAGE>\n\"}" \
# $(Slack.URL)
# condition: and(failed(), eq(variables['Build.SourceBranchName'], 'master'))

- job: perf
timeoutInMinutes: 60
pool:
name: 'linux-pool'
steps:
- checkout: self
- bash: ci/dev-env-install.sh
displayName: 'Build/Install the Developer Environment'
- bash: ci/configure-bazel.sh
displayName: 'Configure Bazel'
env:
IS_FORK: $(System.PullRequest.IsFork)
# to upload to the bazel cache
GOOGLE_APPLICATION_CREDENTIALS_CONTENT: $(GOOGLE_APPLICATION_CREDENTIALS_CONTENT)
- bash: |
set -euo pipefail
eval "$(./dev-env/bin/dade-assist)"
bazel run -- //ledger/sandbox-perf -foe true -i1 -f1 -wi 1 -bm avgt -rf csv -rff "$(Build.StagingDirectory)/sandbox-perf.csv"
- task: PublishBuildArtifacts@1
condition: succeededOrFailed()
inputs:
pathtoPublish: '$(Build.StagingDirectory)'
artifactName: 'Perf test logs'
- bash: |
set -euo pipefail
MESSAGE=$(git log --pretty=format:%s -n1)
curl -XPOST \
-i \
-H 'Content-type: application/json' \
--data "{\"text\":\"<!here> *FAILED* perf: <https://dev.azure.com/digitalasset/daml/_build/results?buildId=$(Build.BuildId)|$MESSAGE>\n\"}" \
$(Slack.URL)
condition: and(failed(), eq(variables['Build.SourceBranchName'], 'master'))
# - job: perf
# timeoutInMinutes: 60
# pool:
# name: 'linux-pool'
# steps:
# - checkout: self
# - bash: ci/dev-env-install.sh
# displayName: 'Build/Install the Developer Environment'
# - bash: ci/configure-bazel.sh
# displayName: 'Configure Bazel'
# env:
# IS_FORK: $(System.PullRequest.IsFork)
# # to upload to the bazel cache
# GOOGLE_APPLICATION_CREDENTIALS_CONTENT: $(GOOGLE_APPLICATION_CREDENTIALS_CONTENT)
# - bash: |
# set -euo pipefail
# eval "$(./dev-env/bin/dade-assist)"
# bazel run -- //ledger/sandbox-perf -foe true -i1 -f1 -wi 1 -bm avgt -rf csv -rff "$(Build.StagingDirectory)/sandbox-perf.csv"
# - task: PublishBuildArtifacts@1
# condition: succeededOrFailed()
# inputs:
# pathtoPublish: '$(Build.StagingDirectory)'
# artifactName: 'Perf test logs'
# - bash: |
# set -euo pipefail
# MESSAGE=$(git log --pretty=format:%s -n1)
# curl -XPOST \
# -i \
# -H 'Content-type: application/json' \
# --data "{\"text\":\"<!here> *FAILED* perf: <https://dev.azure.com/digitalasset/daml/_build/results?buildId=$(Build.BuildId)|$MESSAGE>\n\"}" \
# $(Slack.URL)
# condition: and(failed(), eq(variables['Build.SourceBranchName'], 'master'))

- job: Windows_signing
# Signing is a separate job so that we can make sure that we only sign on releases.
# Since the release check is run on Linux, we do not have access to that information
# in the regular Windows step.
dependsOn: [ "Windows", "Linux" ]
pool:
name: 'windows-pool'
condition: and(succeeded(), eq(dependencies.Linux.outputs['release.has_released'], 'true'))
variables:
unsigned-installer: $[ dependencies.Windows.outputs['publish.artifact-unsigned-windows-installer'] ]
steps:
- checkout: self
persistCredentials: true
- task: DownloadPipelineArtifact@0
inputs:
artifactName: $(unsigned-installer)
targetPath: $(Build.StagingDirectory)/
- bash: |
set -euo pipefail
INSTALLER=daml-sdk-$(cat VERSION)-windows.exe
mv "$(Build.StagingDirectory)/$(unsigned-installer)" "$(Build.StagingDirectory)/$INSTALLER"
chmod +x "$(Build.StagingDirectory)/$INSTALLER"
echo "$SIGNING_KEY" | base64 -d > signing_key.pfx
MSYS_NO_PATHCONV=1 signtool.exe sign '/f' signing_key.pfx '/fd' sha256 '/tr' "http://timestamp.digicert.com" '/v' "$(Build.StagingDirectory)/$INSTALLER"
rm signing_key.pfx
echo "##vso[task.setvariable variable=artifact-windows-installer;isOutput=true]$INSTALLER"
echo "##vso[task.setvariable variable=has_released;isOutput=true]true"
name: signing
env:
SIGNING_KEY: $(microsoft-code-signing)
- task: PublishPipelineArtifact@0
inputs:
targetPath: $(Build.StagingDirectory)/$(signing.artifact-windows-installer)
artifactName: $(signing.artifact-windows-installer)
- job: release
dependsOn: [ "Linux", "macOS", "Windows", "Windows_signing", "perf"]
pool:
vmImage: "Ubuntu-16.04"
condition: and(succeeded(),
eq( dependencies.Linux.outputs['release.has_released'], 'true' ),
eq( dependencies.macOS.outputs['release.has_released'], 'true' ),
eq( dependencies.Windows.outputs['release.has_released'], 'true' ))
variables:
artifact-linux: $[ dependencies.Linux.outputs['publish.artifact'] ]
artifact-macos: $[ dependencies.macOS.outputs['publish.artifact'] ]
artifact-windows: $[ dependencies.Windows.outputs['publish.artifact'] ]
artifact-windows-installer: $[ dependencies.Windows_signing.outputs['signing.artifact-windows-installer'] ]
steps:
- checkout: self
persistCredentials: true
- bash: |
set -euxo pipefail
git tag v$(cat VERSION)
git push origin v$(cat VERSION)
mkdir $(Build.StagingDirectory)/release
- task: DownloadPipelineArtifact@0
inputs:
artifactName: $(artifact-linux)
targetPath: $(Build.StagingDirectory)/release
- task: DownloadPipelineArtifact@0
inputs:
artifactName: $(artifact-macos)
targetPath: $(Build.StagingDirectory)/release
- task: DownloadPipelineArtifact@0
inputs:
artifactName: $(artifact-windows)
targetPath: $(Build.StagingDirectory)/release
- task: DownloadPipelineArtifact@0
inputs:
artifactName: $(artifact-windows-installer)
targetPath: $(Build.StagingDirectory)/release
- task: GitHubRelease@0
inputs:
gitHubConnection: 'garyverhaegen-da'
repositoryName: '$(Build.Repository.Name)'
action: 'create'
target: '$(Build.SourceVersion)'
tagSource: 'auto'
assets: $(Build.StagingDirectory)/release/*
assetUploadMode: 'replace'
addChangeLog: false
isPrerelease: true
- bash: |
set -euo pipefail
MESSAGE=$(git log --pretty=format:%s -n1)
curl -XPOST \
-i \
-H 'Content-type: application/json' \
--data "{\"text\":\"<!here> *FAILED* Release: <https://dev.azure.com/digitalasset/daml/_build/results?buildId=$(Build.BuildId)|$MESSAGE>\n\"}" \
$(Slack.URL)
condition: and(failed(), eq(variables['Build.SourceBranchName'], 'master'))
# - job: Windows_signing
# # Signing is a separate job so that we can make sure that we only sign on releases.
# # Since the release check is run on Linux, we do not have access to that information
# # in the regular Windows step.
# dependsOn: [ "Windows", "Linux" ]
# pool:
# name: 'windows-pool'
# condition: and(succeeded(), eq(dependencies.Linux.outputs['release.has_released'], 'true'))
# variables:
# unsigned-installer: $[ dependencies.Windows.outputs['publish.artifact-unsigned-windows-installer'] ]
# steps:
# - checkout: self
# persistCredentials: true
# - task: DownloadPipelineArtifact@0
# inputs:
# artifactName: $(unsigned-installer)
# targetPath: $(Build.StagingDirectory)/
# - bash: |
# set -euo pipefail
# INSTALLER=daml-sdk-$(cat VERSION)-windows.exe
# mv "$(Build.StagingDirectory)/$(unsigned-installer)" "$(Build.StagingDirectory)/$INSTALLER"
# chmod +x "$(Build.StagingDirectory)/$INSTALLER"
# echo "$SIGNING_KEY" | base64 -d > signing_key.pfx
# MSYS_NO_PATHCONV=1 signtool.exe sign '/f' signing_key.pfx '/fd' sha256 '/tr' "http://timestamp.digicert.com" '/v' "$(Build.StagingDirectory)/$INSTALLER"
# rm signing_key.pfx
# echo "##vso[task.setvariable variable=artifact-windows-installer;isOutput=true]$INSTALLER"
# echo "##vso[task.setvariable variable=has_released;isOutput=true]true"
# name: signing
# env:
# SIGNING_KEY: $(microsoft-code-signing)
# - task: PublishPipelineArtifact@0
# inputs:
# targetPath: $(Build.StagingDirectory)/$(signing.artifact-windows-installer)
# artifactName: $(signing.artifact-windows-installer)
# - job: release
# dependsOn: [ "Linux", "macOS", "Windows", "Windows_signing", "perf"]
# pool:
# vmImage: "Ubuntu-16.04"
# condition: and(succeeded(),
# eq( dependencies.Linux.outputs['release.has_released'], 'true' ),
# eq( dependencies.macOS.outputs['release.has_released'], 'true' ),
# eq( dependencies.Windows.outputs['release.has_released'], 'true' ))
# variables:
# artifact-linux: $[ dependencies.Linux.outputs['publish.artifact'] ]
# artifact-macos: $[ dependencies.macOS.outputs['publish.artifact'] ]
# artifact-windows: $[ dependencies.Windows.outputs['publish.artifact'] ]
# artifact-windows-installer: $[ dependencies.Windows_signing.outputs['signing.artifact-windows-installer'] ]
# steps:
# - checkout: self
# persistCredentials: true
# - bash: |
# set -euxo pipefail
# git tag v$(cat VERSION)
# git push origin v$(cat VERSION)
# mkdir $(Build.StagingDirectory)/release
# - task: DownloadPipelineArtifact@0
# inputs:
# artifactName: $(artifact-linux)
# targetPath: $(Build.StagingDirectory)/release
# - task: DownloadPipelineArtifact@0
# inputs:
# artifactName: $(artifact-macos)
# targetPath: $(Build.StagingDirectory)/release
# - task: DownloadPipelineArtifact@0
# inputs:
# artifactName: $(artifact-windows)
# targetPath: $(Build.StagingDirectory)/release
# - task: DownloadPipelineArtifact@0
# inputs:
# artifactName: $(artifact-windows-installer)
# targetPath: $(Build.StagingDirectory)/release
# - task: GitHubRelease@0
# inputs:
# gitHubConnection: 'garyverhaegen-da'
# repositoryName: '$(Build.Repository.Name)'
# action: 'create'
# target: '$(Build.SourceVersion)'
# tagSource: 'auto'
# assets: $(Build.StagingDirectory)/release/*
# assetUploadMode: 'replace'
# addChangeLog: false
# isPrerelease: true
# - bash: |
# set -euo pipefail
# MESSAGE=$(git log --pretty=format:%s -n1)
# curl -XPOST \
# -i \
# -H 'Content-type: application/json' \
# --data "{\"text\":\"<!here> *FAILED* Release: <https://dev.azure.com/digitalasset/daml/_build/results?buildId=$(Build.BuildId)|$MESSAGE>\n\"}" \
# $(Slack.URL)
# condition: and(failed(), eq(variables['Build.SourceBranchName'], 'master'))
58 changes: 33 additions & 25 deletions ci/build-unix.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,29 +45,37 @@ steps:
pathtoPublish: 'bazel-testlogs/'
artifactName: 'Test logs'

- bash: ci/release.sh
displayName: 'Release'
condition: and(succeeded(),
eq(variables['System.PullRequest.IsFork'], 'False'))
env:
# to connect to bintray
JFROG_CONFIG_CONTENT: $(JFROG_CONFIG_CONTENT)
# For signing artifacts to be uploaded to Maven Central.
GPG_KEY: $(gpg-code-signing)
# Configuration the Sonatype Open Source Repository Hosting
MAVEN_USERNAME: $(MAVEN_USERNAME)
MAVEN_PASSWORD: $(MAVEN_PASSWORD)
MAVEN_URL: "https://oss.sonatype.org"
name: release
- bash: |
set -euo pipefail
ARTIFACT=daml-sdk-$(release_tag)-${{ parameters.name }}.tar.gz
cp bazel-genfiles/release/sdk-release-tarball.tar.gz $(Build.StagingDirectory)/$ARTIFACT
echo "##vso[task.setvariable variable=artifact;isOutput=true]$ARTIFACT"
name: publish
condition: eq(variables['release.has_released'], 'true')
- task: PublishPipelineArtifact@0
condition: eq(variables['release.has_released'], 'true')
inputs:
targetPath: $(Build.StagingDirectory)/$(publish.artifact)
artifactName: $(publish.artifact)
set -euxo pipefail
eval "$($(dirname "$0")/dev-env/bin/dade-assist)"
bash <(curl -s https://raw.githubusercontent.com/DACH-NY/security-blackduck/master/synopsys-detect) ci-build digitalasset_daml local-bh-npm --logging.level.com.synopsys.integration=DEBUG --detect.npm.include.dev.dependencies=true --detect.yarn.prod.only=false --detect.tools=DETECTOR --detect.included.detector.types=NPM,YARN --detect.detector.search.exclusion.paths=language-support/ts/codegen/tests/ts,language-support/ts/daml-types,language-support/ts/daml-react,language-support/ts/daml-ledger
displayName: 'Blackduck Scan'
env:
BLACKDUCK_HUBDETECT_TOKEN: $(BLACKDUCK_HUBDETECT_TOKEN)

# - bash: ci/release.sh
# displayName: 'Release'
# condition: and(succeeded(),
# eq(variables['System.PullRequest.IsFork'], 'False'))
# env:
# # to connect to bintray
# JFROG_CONFIG_CONTENT: $(JFROG_CONFIG_CONTENT)
# # For signing artifacts to be uploaded to Maven Central.
# GPG_KEY: $(gpg-code-signing)
# # Configuration the Sonatype Open Source Repository Hosting
# MAVEN_USERNAME: $(MAVEN_USERNAME)
# MAVEN_PASSWORD: $(MAVEN_PASSWORD)
# MAVEN_URL: "https://oss.sonatype.org"
# name: release
# - bash: |
# set -euo pipefail
# ARTIFACT=daml-sdk-$(release_tag)-${{ parameters.name }}.tar.gz
# cp bazel-genfiles/release/sdk-release-tarball.tar.gz $(Build.StagingDirectory)/$ARTIFACT
# echo "##vso[task.setvariable variable=artifact;isOutput=true]$ARTIFACT"
# name: publish
# condition: eq(variables['release.has_released'], 'true')
# - task: PublishPipelineArtifact@0
# condition: eq(variables['release.has_released'], 'true')
# inputs:
# targetPath: $(Build.StagingDirectory)/$(publish.artifact)
# artifactName: $(publish.artifact)