Update windows pipeline (#2909)
This commit is contained in:
parent
dd71f0a866
commit
c76325b91b
3 changed files with 111 additions and 49 deletions
|
@ -15,15 +15,9 @@ pool:
|
||||||
stages:
|
stages:
|
||||||
- stage: Build
|
- stage: Build
|
||||||
jobs:
|
jobs:
|
||||||
- job:
|
- job: Build
|
||||||
displayName: "Build"
|
displayName: "Build"
|
||||||
steps:
|
steps:
|
||||||
- task: DotNetCoreCLI@2
|
|
||||||
displayName: "Install SignClient"
|
|
||||||
inputs:
|
|
||||||
command: 'custom'
|
|
||||||
custom: 'tool'
|
|
||||||
arguments: 'install --global SignClient --version 1.3.155'
|
|
||||||
- task: GoTool@0
|
- task: GoTool@0
|
||||||
displayName: "Install Go"
|
displayName: "Install Go"
|
||||||
inputs:
|
inputs:
|
||||||
|
@ -39,24 +33,14 @@ stages:
|
||||||
#we are not calling make windows_installer because we want to sign the binaries before they are added to the MSI
|
#we are not calling make windows_installer because we want to sign the binaries before they are added to the MSI
|
||||||
script: |
|
script: |
|
||||||
make build BUILD_RE2_WASM=1
|
make build BUILD_RE2_WASM=1
|
||||||
- task: AzureKeyVault@2
|
|
||||||
inputs:
|
|
||||||
azureSubscription: 'Azure subscription 1(8a93ab40-7e99-445e-ad47-0f6a3e2ef546)'
|
|
||||||
KeyVaultName: 'CodeSigningSecrets'
|
|
||||||
SecretsFilter: 'CodeSigningUser,CodeSigningPassword'
|
|
||||||
RunAsPreJob: false
|
|
||||||
|
|
||||||
- task: DownloadSecureFile@1
|
|
||||||
inputs:
|
|
||||||
secureFile: appsettings.json
|
|
||||||
|
|
||||||
- pwsh: |
|
|
||||||
SignClient.exe Sign --name "crowdsec-binaries" `
|
|
||||||
--input "**/*.exe" --config (Join-Path -Path $(Agent.TempDirectory) -ChildPath "appsettings.json") `
|
|
||||||
--user $(CodeSigningUser) --secret '$(CodeSigningPassword)'
|
|
||||||
displayName: "Sign Crowdsec binaries + plugins"
|
|
||||||
- pwsh: |
|
- pwsh: |
|
||||||
$build_version=$env:BUILD_SOURCEBRANCHNAME
|
$build_version=$env:BUILD_SOURCEBRANCHNAME
|
||||||
|
#Override the version if it's set in the pipeline
|
||||||
|
if ( ${env:USERBUILDVERSION} -ne "")
|
||||||
|
{
|
||||||
|
$build_version = ${env:USERBUILDVERSION}
|
||||||
|
}
|
||||||
if ($build_version.StartsWith("v"))
|
if ($build_version.StartsWith("v"))
|
||||||
{
|
{
|
||||||
$build_version = $build_version.Substring(1)
|
$build_version = $build_version.Substring(1)
|
||||||
|
@ -69,35 +53,112 @@ stages:
|
||||||
displayName: GetCrowdsecVersion
|
displayName: GetCrowdsecVersion
|
||||||
name: GetCrowdsecVersion
|
name: GetCrowdsecVersion
|
||||||
- pwsh: |
|
- pwsh: |
|
||||||
.\make_installer.ps1 -version '$(GetCrowdsecVersion.BuildVersion)'
|
Get-ChildItem -Path .\cmd -Directory | ForEach-Object {
|
||||||
|
$dirName = $_.Name
|
||||||
|
Get-ChildItem -Path .\cmd\$dirName -File -Filter '*.exe' | ForEach-Object {
|
||||||
|
$fileName = $_.Name
|
||||||
|
$destDir = Join-Path $(Build.ArtifactStagingDirectory) cmd\$dirName
|
||||||
|
New-Item -ItemType Directory -Path $destDir -Force
|
||||||
|
Copy-Item -Path .\cmd\$dirName\$fileName -Destination $destDir
|
||||||
|
}
|
||||||
|
}
|
||||||
|
displayName: "Copy binaries to staging directory"
|
||||||
|
- task: PublishPipelineArtifact@1
|
||||||
|
inputs:
|
||||||
|
targetPath: '$(Build.ArtifactStagingDirectory)'
|
||||||
|
artifact: 'unsigned_binaries'
|
||||||
|
displayName: "Upload binaries artifact"
|
||||||
|
|
||||||
|
- stage: Sign
|
||||||
|
dependsOn: Build
|
||||||
|
variables:
|
||||||
|
- group: 'FOSS Build Variables'
|
||||||
|
- name: BuildVersion
|
||||||
|
value: $[ stageDependencies.Build.Build.outputs['GetCrowdsecVersion.BuildVersion'] ]
|
||||||
|
condition: succeeded()
|
||||||
|
jobs:
|
||||||
|
- job: Sign
|
||||||
|
displayName: "Sign"
|
||||||
|
steps:
|
||||||
|
- download: current
|
||||||
|
artifact: unsigned_binaries
|
||||||
|
displayName: "Download binaries artifact"
|
||||||
|
- task: CopyFiles@2
|
||||||
|
inputs:
|
||||||
|
SourceFolder: '$(Pipeline.Workspace)/unsigned_binaries'
|
||||||
|
TargetFolder: '$(Build.SourcesDirectory)'
|
||||||
|
displayName: "Copy binaries to workspace"
|
||||||
|
- task: DotNetCoreCLI@2
|
||||||
|
displayName: "Install SignTool tool"
|
||||||
|
inputs:
|
||||||
|
command: 'custom'
|
||||||
|
custom: 'tool'
|
||||||
|
arguments: install --global sign --version 0.9.0-beta.23127.3
|
||||||
|
- task: AzureKeyVault@2
|
||||||
|
displayName: "Get signing parameters"
|
||||||
|
inputs:
|
||||||
|
azureSubscription: "Azure subscription"
|
||||||
|
KeyVaultName: "$(KeyVaultName)"
|
||||||
|
SecretsFilter: "TenantId,ClientId,ClientSecret,Certificate,KeyVaultUrl"
|
||||||
|
- pwsh: |
|
||||||
|
sign code azure-key-vault `
|
||||||
|
"**/*.exe" `
|
||||||
|
--base-directory "$(Build.SourcesDirectory)/cmd/" `
|
||||||
|
--publisher-name "CrowdSec" `
|
||||||
|
--description "CrowdSec" `
|
||||||
|
--description-url "https://github.com/crowdsecurity/crowdsec" `
|
||||||
|
--azure-key-vault-tenant-id "$(TenantId)" `
|
||||||
|
--azure-key-vault-client-id "$(ClientId)" `
|
||||||
|
--azure-key-vault-client-secret "$(ClientSecret)" `
|
||||||
|
--azure-key-vault-certificate "$(Certificate)" `
|
||||||
|
--azure-key-vault-url "$(KeyVaultUrl)"
|
||||||
|
displayName: "Sign crowdsec binaries"
|
||||||
|
- pwsh: |
|
||||||
|
.\make_installer.ps1 -version '$(BuildVersion)'
|
||||||
displayName: "Build Crowdsec MSI"
|
displayName: "Build Crowdsec MSI"
|
||||||
name: BuildMSI
|
name: BuildMSI
|
||||||
|
|
||||||
- pwsh: |
|
- pwsh: |
|
||||||
.\make_chocolatey.ps1 -version '$(GetCrowdsecVersion.BuildVersion)'
|
.\make_chocolatey.ps1 -version '$(BuildVersion)'
|
||||||
displayName: "Build Chocolatey nupkg"
|
displayName: "Build Chocolatey nupkg"
|
||||||
|
|
||||||
- pwsh: |
|
- pwsh: |
|
||||||
SignClient.exe Sign --name "crowdsec-msi" `
|
sign code azure-key-vault `
|
||||||
--input "*.msi" --config (Join-Path -Path $(Agent.TempDirectory) -ChildPath "appsettings.json") `
|
"*.msi" `
|
||||||
--user $(CodeSigningUser) --secret '$(CodeSigningPassword)'
|
--base-directory "$(Build.SourcesDirectory)" `
|
||||||
displayName: "Sign Crowdsec MSI"
|
--publisher-name "CrowdSec" `
|
||||||
|
--description "CrowdSec" `
|
||||||
- task: PublishBuildArtifacts@1
|
--description-url "https://github.com/crowdsecurity/crowdsec" `
|
||||||
|
--azure-key-vault-tenant-id "$(TenantId)" `
|
||||||
|
--azure-key-vault-client-id "$(ClientId)" `
|
||||||
|
--azure-key-vault-client-secret "$(ClientSecret)" `
|
||||||
|
--azure-key-vault-certificate "$(Certificate)" `
|
||||||
|
--azure-key-vault-url "$(KeyVaultUrl)"
|
||||||
|
displayName: "Sign MSI package"
|
||||||
|
- pwsh: |
|
||||||
|
sign code azure-key-vault `
|
||||||
|
"*.nupkg" `
|
||||||
|
--base-directory "$(Build.SourcesDirectory)" `
|
||||||
|
--publisher-name "CrowdSec" `
|
||||||
|
--description "CrowdSec" `
|
||||||
|
--description-url "https://github.com/crowdsecurity/crowdsec" `
|
||||||
|
--azure-key-vault-tenant-id "$(TenantId)" `
|
||||||
|
--azure-key-vault-client-id "$(ClientId)" `
|
||||||
|
--azure-key-vault-client-secret "$(ClientSecret)" `
|
||||||
|
--azure-key-vault-certificate "$(Certificate)" `
|
||||||
|
--azure-key-vault-url "$(KeyVaultUrl)"
|
||||||
|
displayName: "Sign nuget package"
|
||||||
|
- task: PublishPipelineArtifact@1
|
||||||
inputs:
|
inputs:
|
||||||
PathtoPublish: '$(Build.Repository.LocalPath)\\crowdsec_$(GetCrowdsecVersion.BuildVersion).msi'
|
targetPath: '$(Build.SourcesDirectory)/crowdsec_$(BuildVersion).msi'
|
||||||
ArtifactName: 'crowdsec.msi'
|
artifact: 'signed_msi_package'
|
||||||
publishLocation: 'Container'
|
displayName: "Upload signed MSI artifact"
|
||||||
displayName: "Upload MSI artifact"
|
- task: PublishPipelineArtifact@1
|
||||||
|
|
||||||
- task: PublishBuildArtifacts@1
|
|
||||||
inputs:
|
inputs:
|
||||||
PathtoPublish: '$(Build.Repository.LocalPath)\\windows\\Chocolatey\\crowdsec\\crowdsec.$(GetCrowdsecVersion.BuildVersion).nupkg'
|
targetPath: '$(Build.SourcesDirectory)/crowdsec.$(BuildVersion).nupkg'
|
||||||
ArtifactName: 'crowdsec.nupkg'
|
artifact: 'signed_nuget_package'
|
||||||
publishLocation: 'Container'
|
displayName: "Upload signed nuget artifact"
|
||||||
displayName: "Upload nupkg artifact"
|
|
||||||
- stage: Publish
|
- stage: Publish
|
||||||
dependsOn: Build
|
dependsOn: Sign
|
||||||
jobs:
|
jobs:
|
||||||
- deployment: "Publish"
|
- deployment: "Publish"
|
||||||
displayName: "Publish to GitHub"
|
displayName: "Publish to GitHub"
|
||||||
|
@ -119,8 +180,7 @@ stages:
|
||||||
assetUploadMode: 'replace'
|
assetUploadMode: 'replace'
|
||||||
addChangeLog: false
|
addChangeLog: false
|
||||||
isPreRelease: true #we force prerelease because the pipeline is invoked on tag creation, which happens when we do a prerelease
|
isPreRelease: true #we force prerelease because the pipeline is invoked on tag creation, which happens when we do a prerelease
|
||||||
#the .. is an ugly hack, but I can't find the var that gives D:\a\1 ...
|
|
||||||
assets: |
|
assets: |
|
||||||
$(Build.ArtifactStagingDirectory)\..\crowdsec.msi/*.msi
|
$(Pipeline.Workspace)/signed_msi_package/*.msi
|
||||||
$(Build.ArtifactStagingDirectory)\..\crowdsec.nupkg/*.nupkg
|
$(Pipeline.Workspace)/signed_nuget_package/*.nupkg
|
||||||
condition: ne(variables['GetLatestPrelease.LatestPreRelease'], '')
|
condition: ne(variables['GetLatestPrelease.LatestPreRelease'], '')
|
||||||
|
|
|
@ -16,3 +16,5 @@ Set-Location .\windows\Chocolatey\crowdsec
|
||||||
Copy-Item ..\..\..\crowdsec_$version.msi tools\crowdsec.msi
|
Copy-Item ..\..\..\crowdsec_$version.msi tools\crowdsec.msi
|
||||||
|
|
||||||
choco pack --version $version
|
choco pack --version $version
|
||||||
|
|
||||||
|
Copy-Item crowdsec.$version.nupkg ..\..\..\
|
|
@ -1,7 +1,7 @@
|
||||||
param (
|
param (
|
||||||
$version
|
$version
|
||||||
)
|
)
|
||||||
$env:Path += ";C:\Program Files (x86)\WiX Toolset v3.11\bin"
|
$env:Path += ";C:\Program Files (x86)\WiX Toolset v3.14\bin"
|
||||||
if ($version.StartsWith("v"))
|
if ($version.StartsWith("v"))
|
||||||
{
|
{
|
||||||
$version = $version.Substring(1)
|
$version = $version.Substring(1)
|
||||||
|
|
Loading…
Reference in a new issue