microsoft/gctoolkit

Public

mirrored fromhttps://github.com/microsoft/gctoolkitAvailable

Watch0 Fork0 Star0

Code Commits Issues Pull requests Actions Insights Security

e22688560c1eb1b7b3ede206548949117df9a0d8

Find a branch or tag

Branches

e22688560c1eb1b7b3ede206548949117df9a0d8

Clone

HTTPS

Download ZIP

gctoolkit/.devops

.devops/gctoolkit-release.yml

229lines · modecode

Raw Download

Latest commit unavailable.

unknown

1	`# Release GCToolkit to Maven Central`
2	`#`
3	`# Builds and tests the binaries.`
4	`# Signs the artifacts and generates SHA checksums.`
5	`# Publishes the artifacts to Maven Central.`
6
7	`# This pipeline is triggered manually.`
8	`trigger: none`
9	`pr: none`
10
11	`parameters:`
12	`- name: release_tag`
13	`type: string`
14	`displayName: Release Tag`
15
16	`- name: release_type`
17	`type: string`
18	`displayName: Release Type`
19	`default: dry-run`
20	`values:`
21	`- dry-run`
22	`- release`
23
24	`variables:`
25	`JAVA_HOME_11_X64: /usr/lib/jvm/msopenjdk-11`
26	`GCTOOLKIT_TAG: ${{ parameters.release_tag }}`
27
28	`resources:`
29	`repositories:`
30	`- repository: gctoolkit`
31	`type: github`
32	`endpoint: Github-Java-Engineering`
33	`name: microsoft/gctoolkit`
34	`ref: refs/tags/$(GCTOOLKIT_TAG)`
35
36	`- repository: 1esPipelines`
37	`type: git`
38	`name: 1ESPipelineTemplates/1ESPipelineTemplates`
39	`ref: refs/tags/release`
40
41	`extends:`
42	`template: v1/1ES.Official.PipelineTemplate.yml@1esPipelines`
43	`parameters:`
44	`pool:`
45	`name: JEG-mariner2.0-x64-release`
46	`os: linux`
47	`sdl:`
48	`sourceAnalysisPool:`
49	`name: JEG-windows2022-x64-release`
50	`os: windows`
51	`sourceRepositoriesToScan:`
52	`exclude:`
53	`- repository: gctoolkit`
54	`credscan:`
55	`suppressionsFile: $(Build.SourcesDirectory)/.devops/credscan/suppressions.json`
56
57	`stages:`
58	`- stage: Release_GCToolkit`
59	`jobs:`
60	`- job: build_gctoolkit`
61	`workspace:`
62	`clean: all`
63	`displayName: Build with Maven`
64	`steps:`
65	`- checkout: gctoolkit`
66	`path: gctoolkit`
67	`clean: true`
68
69	`# Use modern Java to build`
70	`- task: JavaToolInstaller@0`
71	`inputs:`
72	`versionSpec: '11'`
73	`jdkArchitectureOption: 'x64'`
74	`jdkSourceOption: 'PreInstalled'`
75	`env:`
76	`JAVA_HOME_11_X64: $(JAVA_HOME_11_X64)`
77	`displayName: 'Set Java to v11'`
78
79	`# download signing keys from Azure Key Vault`
80	`- task: AzureKeyVault@2`
81	`displayName: Download GPG signing keys`
82	`inputs:`
83	`azureSubscription: 'JEG-Infrastructure'`
84	`KeyVaultName: 'juniper-keyvault'`
85	`SecretsFilter: 'javask-gpg-passphrase,javask-gpg-private,javask-gpg-public,javask-gpg-trust'`
86	`RunAsPreJob: false`
87
88	`# base64 decode signing keys`
89	`- bash: \|`
90	`echo "Base64 decoding keys..."`
91	`echo "$(javask-gpg-private)" \| base64 -d > private.asc`
92	`echo "$(javask-gpg-public)" \| base64 -d > public.asc`
93	`echo "$(javask-gpg-trust)" \| base64 -d > trust.gpg`
94	`workingDirectory: $(Agent.BuildDirectory)`
95	`displayName: Base64 decode secret`
96
97	`# import signing keys into GPG`
98	`- bash: \|`
99	`echo "GPG importing keys..."`
100	`echo $(javask-gpg-passphrase) \| gpg --batch --passphrase-fd 0 --import $(Agent.BuildDirectory)/private.asc`
101	`echo $(javask-gpg-passphrase) \| gpg --batch --passphrase-fd 0 --import $(Agent.BuildDirectory)/public.asc`
102	`displayName: GPG import keys`
103
104	`# restore owner trust`
105	`- bash: \|`
106	`echo "GPG restore owner trust..."`
107	`gpg --import-ownertrust $(Agent.BuildDirectory)/trust.gpg`
108	`displayName: GPG restore owner trust`
109
110	`# Now that all the keys and whatnot are setup, do the build...`
111	`- bash: \|`
112	`mkdir ~/.m2 \\|\| true`
113	`cp $(Build.SourcesDirectory)/.devops/feed-settings.xml ~/.m2/settings.xml`
114	`displayName: 'Copy feed-settings to .m2'`
115
116	`# Ensure authentication is in place for our use of internal DevDiv feeds`
117	`- task: MavenAuthenticate@0`
118	`inputs:`
119	`artifactsFeeds: 'java-engineering-feed'`
120	`displayName: 'Maven auth for DevDiv'`
121
122	`- bash: \|`
123	`RELEASE_VERSION=$(./mvnw help:evaluate -Dexpression=project.version -q -DforceStdout \| cut -d'-' -f1)`
124	`echo "##vso[task.setvariable variable=RELEASE_VERSION]$RELEASE_VERSION"`
125	`displayName: 'Set RELEASE_VERSION'`
126
127	`- bash: \|`
128	`./mvnw \`
129	`-B -Prelease \`
130	`-DaltDeploymentRepository=local::file:$(Build.ArtifactStagingDirectory)/staging \`
131	`deploy`
132	`displayName: 'Build and deploy to local staging directory'`
133
134	`# Remove .sha1 and .md5 files.`
135	`# Generate .sha256 after signing.`
136	`- bash: \|`
137	`find staging \`
138	`-type f \`
139	`-name "*.sha1" \`
140	`-delete -o \`
141	`-name "*.md5" \`
142	`-delete`
143	`displayName: 'Remove .sha1 and .md5 files'`
144	`workingDirectory: $(Build.ArtifactStagingDirectory)`
145
146	`# ESRP Sign all jars in the semantickernel-java directory`
147	`- task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@5`
148	`displayName: ESRP Java JAR Signing`
149	`inputs:`
150	`ConnectedServiceName: 'JEG-Tooling-Prod'`
151	`AppRegistrationClientId: '516af6d8-6ab4-4069-8f64-b18c64d16688'`
152	`AppRegistrationTenantId: '33e01921-4d64-4f8c-a055-5bdaffd5e33d'`
153	`AuthAKVName: 'JEG-tooling-kv'`
154	`AuthCertName: 'JEG-Tooling-auth'`
155	`AuthSignCertName: 'GCToolKit-ESRP'`
156	`FolderPath: '$(Build.ArtifactStagingDirectory)/staging'`
157	`Pattern: '*/-$(RELEASE_VERSION)*.jar'`
158	`UseMinimatch: true`
159	`signConfigType: 'inlineSignParams'`
160	`inlineOperation: \|`
161	`[`
162	`{`
163	`"KeyCode": "CP-447347-Java",`
164	`"OperationCode": "JavaSign",`
165	`"ToolName": "sign",`
166	`"ToolVersion": "1.0",`
167	`"Parameters": {`
168	`"SigAlg": "SHA256withRSA",`
169	`"Timestamp": "-tsa http://sha256timestamp.ws.digicert.com/sha256/timestamp"`
170	`}`
171	`},`
172	`{`
173	`"KeyCode": "CP-447347-Java",`
174	`"OperationCode": "JavaVerify",`
175	`"ToolName": "sign",`
176	`"ToolVersion": "1.0",`
177	`"Parameters": {}`
178	`}`
179	`]`
180	`SessionTimeout: '120'`
181	`MaxConcurrency: '50'`
182	`MaxRetryAttempts: '5'`
183	`VerboseLogin: true`
184
185	`# gpg sign all artifacts in the semantickernel-java directory`
186	`# this will create a .asc file for each file in the directory. This is a detached signature`
187	`# required to publish into Maven Central.`
188	`- bash: \|`
189	for file in `find staging -type f -name -$(RELEASE_VERSION).jar -o -name -$(RELEASE_VERSION).pom`; do
190	`echo $(javask-gpg-passphrase) \| gpg --pinentry-mode loopback --passphrase-fd 0 -ab $file`
191	`done`
192	`workingDirectory: $(Build.ArtifactStagingDirectory)`
193	`displayName: GPG Signing`
194
195	`# generate sha256sums for all files in the staging directory`
196	`- bash: \|`
197	for file in `find staging -type f`; do
198	`sha256sum $file > $file.sha256`
199	`done`
200	`workingDirectory: $(Build.ArtifactStagingDirectory)`
201	`displayName: Create sha256sums`
202
203	`- task: 1ES.PublishPipelineArtifact@1`
204	`inputs:`
205	`targetPath: '$(Build.ArtifactStagingDirectory)/staging'`
206	`artifactName: staged-artifacts`
207
208	`- task: EsrpRelease@8`
209	`inputs:`
210	`connectedservicename: 'JEG-Tooling-Prod'`
211	`keyvaultname: 'JEG-tooling-kv'`
212	`authcertname: 'JEG-Tooling-auth'`
213	`signcertname: 'GCToolKit-ESRP'`
214	`clientid: '516af6d8-6ab4-4069-8f64-b18c64d16688'`
215	`intent: 'PackageDistribution'`
216	`# Test with contentype PyPI to avoid publishing to Maven Central`
217	`${{ if eq(parameters.release_type, 'release') }}:`
218	`contenttype: 'Maven'`
219	`${{ else }}:`
220	`contenttype: 'PyPI'`
221	`contentsource: 'Folder'`
222	`folderlocation: '$(Build.ArtifactStagingDirectory)/staging/com/microsoft/gctoolkit'`
223	`waitforreleasecompletion: true`
224	`owners: 'dekeeler@microsoft.com'`
225	`approvers: 'milderhc@microsoft.com,john.oliver@microsoft.com,dagrieve@microsoft.com,kirk.pepperdine@microsoft.com'`
226	`serviceendpointurl: 'https://api.esrp.microsoft.com'`
227	`mainpublisher: 'ESRPRELPACMAN'`
228	`domaintenantid: '33e01921-4d64-4f8c-a055-5bdaffd5e33d'`
229	`displayName: 'Publish to Maven Central'`
230

microsoft/gctoolkit

Branches

Tags

Clone