trigger: tags: include: - "v*" exclude: - "v*freebsd" branches: exclude: - "*" pr: none pool: vmImage: windows-latest stages: - stage: Build jobs: - job: Build displayName: "Build" steps: - task: GoTool@0 displayName: "Install Go" inputs: version: '1.21.9' - pwsh: | choco install -y make displayName: "Install builds deps" - task: PowerShell@2 inputs: targetType: 'inline' pwsh: true #we are not calling make windows_installer because we want to sign the binaries before they are added to the MSI script: | make build BUILD_RE2_WASM=1 - pwsh: | $build_version=$env:BUILD_SOURCEBRANCHNAME #Override the version if it's set in the pipeline if ( ${env:USERBUILDVERSION} -ne "") { $build_version = ${env:USERBUILDVERSION} } if ($build_version.StartsWith("v")) { $build_version = $build_version.Substring(1) } if ($build_version.Contains("-")) { $build_version = $build_version.Substring(0, $build_version.IndexOf("-")) } Write-Host "##vso[task.setvariable variable=BuildVersion;isOutput=true]$build_version" displayName: GetCrowdsecVersion name: GetCrowdsecVersion - pwsh: | Get-ChildItem -Path .\cmd -Directory | ForEach-Object { $dirName = $_.Name Get-ChildItem -Path .\cmd\$dirName -File -Filter '*.exe' | ForEach-Object { $fileName = $_.Name $destDir = Join-Path $(Build.ArtifactStagingDirectory) cmd\$dirName New-Item -ItemType Directory -Path $destDir -Force Copy-Item -Path .\cmd\$dirName\$fileName -Destination $destDir } } displayName: "Copy binaries to staging directory" - task: PublishPipelineArtifact@1 inputs: targetPath: '$(Build.ArtifactStagingDirectory)' artifact: 'unsigned_binaries' displayName: "Upload binaries artifact" - stage: Sign dependsOn: Build variables: - group: 'FOSS Build Variables' - name: BuildVersion value: $[ stageDependencies.Build.Build.outputs['GetCrowdsecVersion.BuildVersion'] ] condition: succeeded() jobs: - job: Sign displayName: "Sign" steps: - download: current artifact: unsigned_binaries displayName: "Download binaries artifact" - task: CopyFiles@2 inputs: SourceFolder: '$(Pipeline.Workspace)/unsigned_binaries' TargetFolder: '$(Build.SourcesDirectory)' displayName: "Copy binaries to workspace" - task: DotNetCoreCLI@2 displayName: "Install SignTool tool" inputs: command: 'custom' custom: 'tool' arguments: install --global sign --version 0.9.0-beta.23127.3 - task: AzureKeyVault@2 displayName: "Get signing parameters" inputs: azureSubscription: "Azure subscription" KeyVaultName: "$(KeyVaultName)" SecretsFilter: "TenantId,ClientId,ClientSecret,Certificate,KeyVaultUrl" - pwsh: | sign code azure-key-vault ` "**/*.exe" ` --base-directory "$(Build.SourcesDirectory)/cmd/" ` --publisher-name "CrowdSec" ` --description "CrowdSec" ` --description-url "https://github.com/crowdsecurity/crowdsec" ` --azure-key-vault-tenant-id "$(TenantId)" ` --azure-key-vault-client-id "$(ClientId)" ` --azure-key-vault-client-secret "$(ClientSecret)" ` --azure-key-vault-certificate "$(Certificate)" ` --azure-key-vault-url "$(KeyVaultUrl)" displayName: "Sign crowdsec binaries" - pwsh: | .\make_installer.ps1 -version '$(BuildVersion)' displayName: "Build Crowdsec MSI" name: BuildMSI - pwsh: | .\make_chocolatey.ps1 -version '$(BuildVersion)' displayName: "Build Chocolatey nupkg" - pwsh: | sign code azure-key-vault ` "*.msi" ` --base-directory "$(Build.SourcesDirectory)" ` --publisher-name "CrowdSec" ` --description "CrowdSec" ` --description-url "https://github.com/crowdsecurity/crowdsec" ` --azure-key-vault-tenant-id "$(TenantId)" ` --azure-key-vault-client-id "$(ClientId)" ` --azure-key-vault-client-secret "$(ClientSecret)" ` --azure-key-vault-certificate "$(Certificate)" ` --azure-key-vault-url "$(KeyVaultUrl)" displayName: "Sign MSI package" - pwsh: | sign code azure-key-vault ` "*.nupkg" ` --base-directory "$(Build.SourcesDirectory)" ` --publisher-name "CrowdSec" ` --description "CrowdSec" ` --description-url "https://github.com/crowdsecurity/crowdsec" ` --azure-key-vault-tenant-id "$(TenantId)" ` --azure-key-vault-client-id "$(ClientId)" ` --azure-key-vault-client-secret "$(ClientSecret)" ` --azure-key-vault-certificate "$(Certificate)" ` --azure-key-vault-url "$(KeyVaultUrl)" displayName: "Sign nuget package" - task: PublishPipelineArtifact@1 inputs: targetPath: '$(Build.SourcesDirectory)/crowdsec_$(BuildVersion).msi' artifact: 'signed_msi_package' displayName: "Upload signed MSI artifact" - task: PublishPipelineArtifact@1 inputs: targetPath: '$(Build.SourcesDirectory)/crowdsec.$(BuildVersion).nupkg' artifact: 'signed_nuget_package' displayName: "Upload signed nuget artifact" - stage: Publish dependsOn: Sign jobs: - deployment: "Publish" displayName: "Publish to GitHub" environment: github strategy: runOnce: deploy: steps: - bash: | tag=$(curl -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/crowdsecurity/crowdsec/releases | jq -r '. | map(select(.prerelease==true)) | sort_by(.created_at) | reverse | .[0].tag_name') echo "##vso[task.setvariable variable=LatestPreRelease;isOutput=true]$tag" name: GetLatestPrelease - task: GitHubRelease@1 inputs: gitHubConnection: "github.com_blotus" repositoryName: '$(Build.Repository.Name)' action: 'edit' tag: '$(GetLatestPrelease.LatestPreRelease)' assetUploadMode: 'replace' addChangeLog: false isPreRelease: true #we force prerelease because the pipeline is invoked on tag creation, which happens when we do a prerelease assets: | $(Pipeline.Workspace)/signed_msi_package/*.msi $(Pipeline.Workspace)/signed_nuget_package/*.nupkg condition: ne(variables['GetLatestPrelease.LatestPreRelease'], '')