diff --git a/build/azure-pipelines.yml b/build/azure-pipelines.yml
index fd8adb7..57207a0 100644
--- a/build/azure-pipelines.yml
+++ b/build/azure-pipelines.yml
@@ -7,6 +7,10 @@ parameters:
 - name: SignOutput
 type: boolean
 default: False
+ - name: APIScanDisabled
+ displayName: "Disable API Scan"
+ type: boolean
+ default: false
 - name: Platforms
 type: object
 default:
@@ -28,6 +32,12 @@ variables:
 cfsNpmWarnLevel: 'warn'
 cfsCargoWarnLevel: 'warn'
+# APIScan only runs in release mode in the release branch
+ ${{ if eq(variables['Build.SourceBranchName'], 'release') }}:
+ apiscanMode: release
+ ${{ else }}:
+ apiscanMode: prerelease
+
 resources:
 repositories:
 - repository: m365Pipelines
@@ -204,24 +214,6 @@ extends:
 }
 ]
- # Commented out until our implementation is fixed
- # - task: AzureKeyVault@1
- # inputs:
- # azureSubscription: 'DevHomeAzureServiceConnection'
- # KeyVaultName: 'DevHomeKeyVault'
- # SecretsFilter: 'ApiScanConnectionString'
- # RunAsPreJob: false
-
- # - task: APIScan@2
- # inputs:
- # softwareFolder: '$(Build.StagingDirectory)'
- # softwareName: 'Dev Home Azure Extension'
- # softwareVersionNum: '1.0'
- # softwareBuildNum: '$(Build.BuildId)'
- # symbolsFolder: 'SRV*http://symweb'
- # env:
- # AzureServicesAuthConnectionString: $(ApiScanConnectionString)
-
 - task: Windows Application Driver@0
 condition: and(always(), eq('${{ platform}}', 'x64'))
 inputs:
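Review bot: In the `variables:` hunk, `${{ if eq(variables['Build.SourceBranchName'], 'release') }}:` compares only the last path segment of the ref, so a branch such as `users/x/release` (constructed example) would also select `apiscanMode: release`, while a `release/<version>` branch would fall through to `prerelease`. Comparing the full ref is stricter: `${{ if eq(variables['Build.SourceBranch'], 'refs/heads/release') }}:`. The added comment says APIScan "only runs in release mode in the release branch"; it would help to add what the two modes change in the scan, since that is not visible here. The `variables:` block starts outside the hunk.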
@@ -264,6 +256,37 @@ extends:
 SymbolServerType: TeamServices
 SymbolsProduct: DevHomeAzureExtension
+ # Only run APIScan for non-arm release to avoid duplicate results unless it is disabled.
+ # Copy surrogate file to binary directory to use relative paths which are not architecture dependent.
+ - task: CopyFiles@2
+ condition: and(ne('${{ platform }}', 'arm64'), eq('${{ configuration }}', 'release'), ne(${{ parameters.APIScanDisabled }}, true))
+ inputs:
+ SourceFolder: '$(Build.SourcesDirectory)\build'
+ Contents: 'surrogate.xml'
+ TargetFolder: '$(Build.ArtifactStagingDirectory)\rawBinaries'
+
+ - task: APIScan@2
+ displayName: Run APIScan
+ condition: and(ne('${{ platform }}', 'arm64'), eq('${{ configuration }}', 'release'), ne(${{ parameters.APIScanDisabled }}, true))
+ inputs:
+ softwareFolder: '$(appxPackageDir)\${{ configuration }}'
+ softwareName: 'Dev Home GitHub Extension'
+ softwareVersionNum: '1.0'
+ softwareBuildNum: '$(Build.BuildId)'
+ isLargeApp: false
+ toolVersion: 'Latest'
+ # PAT required to get debug symbols on 1ES VM.
+ symbolsFolder: '$(Build.ArtifactStagingDirectory)\rawBinaries'
+ # Use surrogate.xml to map release binaries in the MSIX to debug binaries for APIScan.
+ # surrogate.xml can be created by using SurrogateGenerator.ps1 PowerShell script.
+ surrogateConfigurationFolder: '$(Build.ArtifactStagingDirectory)\rawBinaries'
+ modeType: '$(apiscanMode)'
+ preserveLogsFolder: true
+ azureSubscription: DevHomeAzureServiceConnection
+ env:
+ AzureServicesAuthConnectionString: RunAs=App;AppId=$(AppId);TenantId=$(TenantId);ServiceConnectionId=$(ServiceConnectionId);
+ SYSTEM_ACCESSTOKEN: $(System.AccessToken)
+
 templateContext:
 outputs:
 - output: pipelineArtifact
diff --git a/build/surrogate.xml b/build/surrogate.xml
new file mode 100644
index 0000000..2a06d67
Binary files /dev/null and b/build/surrogate.xml differ
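Review bot: `softwareName: 'Dev Home GitHub Extension'` on the new APIScan@2 step does not match this pipeline's product (the context line above has `SymbolsProduct: DevHomeAzureExtension`, and the removed block used 'Dev Home Azure Extension'), so scan results would likely be filed under the wrong product; it looks like it should read `softwareName: 'Dev Home Azure Extension'`. The step also maps `SYSTEM_ACCESSTOKEN: $(System.AccessToken)` into the task environment, while the only explanation ("PAT required to get debug symbols on 1ES VM") sits above `symbolsFolder`; I would move that comment next to the env mapping and confirm the job access token's scope is limited to what symbol retrieval needs. `toolVersion: 'Latest'` leaves the scanner version floating, so findings can change between runs without any change to this file. Both new `condition:` lines replace the default `succeeded()`, so the copy and the scan still run after an earlier step has failed unless the expression starts with `and(succeeded(), ...`. The steps list continues outside the hunk.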
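Review bot: `build/surrogate.xml` is recorded as a binary file, so its content cannot be read or diffed in review even though the APIScan step consumes it to map release binaries to debug binaries. That usually means the file was saved in an encoding git does not treat as text (for example UTF-16 from PowerShell output; this is an assumption, the bytes are not visible here). Re-saving it as UTF-8 would let later changes to the mapping show up in diffs.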