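---
# azure-pipelines.yml (crowdsec v1.6.1)
#
# Windows release pipeline: build the binaries, sign them with a certificate
# held in Azure Key Vault, package them as MSI and Chocolatey nupkg, sign the
# packages, then attach both to a GitHub pre-release.

# Runs only for tags matching v* (except v*freebsd). Branch pushes and pull
# requests never trigger it. Keep `pr: none`: the Sign stage reads signing
# credentials from Key Vault, so code from a PR must not reach this pipeline.
trigger:
  tags:
    include:
      - "v*"
    exclude:
      - "v*freebsd"
  branches:
    exclude:
      - "*"
pr: none

# NOTE(review): windows-latest is a floating image; the toolchain that produces
# the signed binaries can change between runs without a change to this file.
pool:
  vmImage: windows-latest

stages:
  - stage: Build
    jobs:
      - job: Build
        displayName: "Build"
        steps:
          - task: GoTool@0
            displayName: "Install Go"
            inputs:
              version: '1.21.9'

          # NOTE(review): no version is pinned for make, so the package that
          # Chocolatey resolves at build time is an unpinned build input.
          - pwsh: |
              choco install -y make
            displayName: "Install builds deps"
          - task: PowerShell@2
            inputs:
              targetType: 'inline'
              pwsh: true
              # We are not calling make windows_installer because we want to
              # sign the binaries before they are added to the MSI.
              script: |
                make build BUILD_RE2_WASM=1

          # Derive the package version from the tag name (or USERBUILDVERSION
          # when it is set): strip a leading "v" and anything from the first
          # "-" onwards, then export it as the BuildVersion output variable.
          # NOTE(review): the Sign stage expands this value inside single
          # quotes in a PowerShell command; consider rejecting values that are
          # not a plain version string before exporting them.
          - pwsh: |
              $build_version = $env:BUILD_SOURCEBRANCHNAME
              # Override the version if it's set in the pipeline.
              # An unset variable is $null and `$null -ne ""` is true, which
              # would replace the tag-derived version with $null, so test for
              # null and empty together.
              if (-not [string]::IsNullOrEmpty($env:USERBUILDVERSION))
              {
                  $build_version = $env:USERBUILDVERSION
              }
              if ($build_version.StartsWith("v"))
              {
                  $build_version = $build_version.Substring(1)
              }
              if ($build_version.Contains("-"))
              {
                  $build_version = $build_version.Substring(0, $build_version.IndexOf("-"))
              }
              Write-Host "##vso[task.setvariable variable=BuildVersion;isOutput=true]$build_version"
            displayName: GetCrowdsecVersion
            name: GetCrowdsecVersion
          # Stage every .exe found directly under cmd\<dir>, keeping the
          # cmd\<dir> layout so the Sign stage can restore them in place.
          - pwsh: |
              Get-ChildItem -Path .\cmd -Directory | ForEach-Object {
                  $dirName = $_.Name
                  Get-ChildItem -Path .\cmd\$dirName -File -Filter '*.exe' | ForEach-Object {
                      $fileName = $_.Name
                      $destDir = Join-Path $(Build.ArtifactStagingDirectory) cmd\$dirName
                      New-Item -ItemType Directory -Path $destDir -Force
                      Copy-Item -Path .\cmd\$dirName\$fileName -Destination $destDir
                  }
              }
            displayName: "Copy binaries to staging directory"
          - task: PublishPipelineArtifact@1
            inputs:
              targetPath: '$(Build.ArtifactStagingDirectory)'
              artifact: 'unsigned_binaries'
            displayName: "Upload binaries artifact"

  # Everything in the unsigned_binaries artifact that matches **/*.exe under
  # cmd/ is signed as "CrowdSec"; the signature only attests to what the Build
  # stage produced, so the integrity of that stage is the trust anchor here.
  - stage: Sign
    dependsOn: Build
    variables:
      - group: 'FOSS Build Variables'
      - name: BuildVersion
        value: $[ stageDependencies.Build.Build.outputs['GetCrowdsecVersion.BuildVersion'] ]
    condition: succeeded()
    jobs:
      - job: Sign
        displayName: "Sign"
        steps:
          - download: current
            artifact: unsigned_binaries
            displayName: "Download binaries artifact"
          - task: CopyFiles@2
            inputs:
              SourceFolder: '$(Pipeline.Workspace)/unsigned_binaries'
              TargetFolder: '$(Build.SourcesDirectory)'
            displayName: "Copy binaries to workspace"
          # The signing tool is pinned to an exact version.
          - task: DotNetCoreCLI@2
            displayName: "Install SignTool tool"
            inputs:
              command: 'custom'
              custom: 'tool'
              arguments: install --global sign --version 0.9.0-beta.23127.3
          - task: AzureKeyVault@2
            displayName: "Get signing parameters"
            inputs:
              azureSubscription: "Azure subscription"
              KeyVaultName: "$(KeyVaultName)"
              SecretsFilter: "TenantId,ClientId,ClientSecret,Certificate,KeyVaultUrl"
          # NOTE(review): $(ClientSecret) is expanded into the script text and
          # passed as a command-line argument in all three signing steps.
          # Confirm it cannot surface in logs or process listings, and prefer
          # mapping it through `env:` if the tool version in use permits.
          - pwsh: |
              sign code azure-key-vault `
                "**/*.exe" `
                --base-directory "$(Build.SourcesDirectory)/cmd/" `
                --publisher-name "CrowdSec" `
                --description "CrowdSec" `
                --description-url "https://github.com/crowdsecurity/crowdsec" `
                --azure-key-vault-tenant-id "$(TenantId)" `
                --azure-key-vault-client-id "$(ClientId)" `
                --azure-key-vault-client-secret "$(ClientSecret)" `
                --azure-key-vault-certificate "$(Certificate)" `
                --azure-key-vault-url "$(KeyVaultUrl)"
            displayName: "Sign crowdsec binaries"
          # The packages are built after the binaries are signed, so they
          # embed the signed executables.
          - pwsh: |
              .\make_installer.ps1 -version '$(BuildVersion)'
            displayName: "Build Crowdsec MSI"
            name: BuildMSI
          - pwsh: |
              .\make_chocolatey.ps1 -version '$(BuildVersion)'
            displayName: "Build Chocolatey nupkg"
          - pwsh: |
              sign code azure-key-vault `
                "*.msi" `
                --base-directory "$(Build.SourcesDirectory)" `
                --publisher-name "CrowdSec" `
                --description "CrowdSec" `
                --description-url "https://github.com/crowdsecurity/crowdsec" `
                --azure-key-vault-tenant-id "$(TenantId)" `
                --azure-key-vault-client-id "$(ClientId)" `
                --azure-key-vault-client-secret "$(ClientSecret)" `
                --azure-key-vault-certificate "$(Certificate)" `
                --azure-key-vault-url "$(KeyVaultUrl)"
            displayName: "Sign MSI package"
          - pwsh: |
              sign code azure-key-vault `
                "*.nupkg" `
                --base-directory "$(Build.SourcesDirectory)" `
                --publisher-name "CrowdSec" `
                --description "CrowdSec" `
                --description-url "https://github.com/crowdsecurity/crowdsec" `
                --azure-key-vault-tenant-id "$(TenantId)" `
                --azure-key-vault-client-id "$(ClientId)" `
                --azure-key-vault-client-secret "$(ClientSecret)" `
                --azure-key-vault-certificate "$(Certificate)" `
                --azure-key-vault-url "$(KeyVaultUrl)"
            displayName: "Sign nuget package"
          - task: PublishPipelineArtifact@1
            inputs:
              targetPath: '$(Build.SourcesDirectory)/crowdsec_$(BuildVersion).msi'
              artifact: 'signed_msi_package'
            displayName: "Upload signed MSI artifact"
          - task: PublishPipelineArtifact@1
            inputs:
              targetPath: '$(Build.SourcesDirectory)/crowdsec.$(BuildVersion).nupkg'
              artifact: 'signed_nuget_package'
            displayName: "Upload signed nuget artifact"

  - stage: Publish
    dependsOn: Sign
    jobs:
      - deployment: "Publish"
        displayName: "Publish to GitHub"
        environment: github
        strategy:
          runOnce:
            deploy:
              steps:
                # Pick the most recently created pre-release as the upload
                # target. `// empty` keeps jq from printing the literal string
                # "null" when no pre-release exists, so the empty-tag guard on
                # the next task works; --fail stops an HTTP error body from
                # being parsed as a release list.
                # NOTE(review): the target is the newest pre-release, not the
                # tag that triggered this run. If another pre-release is
                # created in between, assets built from one tag are attached
                # to a different release; consider checking the tag against
                # the triggering ref. The request is unauthenticated, so a
                # rate-limited call yields an empty tag and the upload is
                # skipped without failing the run.
                - bash: |
                    tag=$(curl --fail --silent --show-error -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/crowdsecurity/crowdsec/releases | jq -r '. | map(select(.prerelease==true)) | sort_by(.created_at) | reverse | (.[0].tag_name // empty)')
                    echo "##vso[task.setvariable variable=LatestPreRelease;isOutput=true]$tag"
                  name: GetLatestPrelease
                # assetUploadMode 'replace' overwrites assets already attached
                # to the selected release.
                - task: GitHubRelease@1
                  inputs:
                    gitHubConnection: "github.com_blotus"
                    repositoryName: '$(Build.Repository.Name)'
                    action: 'edit'
                    tag: '$(GetLatestPrelease.LatestPreRelease)'
                    assetUploadMode: 'replace'
                    addChangeLog: false
                    # We force prerelease because the pipeline is invoked on
                    # tag creation, which happens when we do a prerelease.
                    isPreRelease: true
                    assets: |
                      $(Pipeline.Workspace)/signed_msi_package/*.msi
                      $(Pipeline.Workspace)/signed_nuget_package/*.nupkg
                  condition: ne(variables['GetLatestPrelease.LatestPreRelease'], '')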