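# Installs the MicroBuild signing plugin for ESRP container image signing.
# After installation, the MBSIGN_APPFOLDER environment variable points to the
# DDSignFiles.dll location; the final step turns that into docker run options.
parameters:
  # ESRP signing mode the plugin is installed for.
  - name: signType
    type: string
    default: test
    values:
      - test
      - real
  # Pipeline-expression condition AND-ed with succeeded() on every step below.
  - name: condition
    type: string
    default: "true"
  # Isolated folder that receives the plugin, its pinned .NET SDK and global.json.
  # Every step and the plugin's own output folder override use this one value.
  - name: microBuildOutputFolder
    type: string
    default: $(Agent.TempDirectory)/MicroBuild
  # Name of the pipeline variable to set with the signing docker run options.
  # The variable will contain both the MicroBuild plugin volume mount and
  # the --env-file flag, ready to pass as extraDockerRunOptions to run-imagebuilder.
  - name: dockerRunOptionsVariableName
    type: string

steps:
  # Install .NET 8.0 SDK for MicroBuild plugin installation using dotnet-install.sh.
  # We avoid UseDotNet@2 because it sets DOTNET_ROOT globally, which breaks PowerShell
  # (pwsh) on Azure Linux 3 where pwsh requires the .NET 9.0 runtime from the system
  # .NET installation. Instead, we install to an isolated directory and only expose it
  # to the MicroBuild task via its env block.
  - powershell: >
      $(engDockerToolsPath)/Install-DotNetSdk.ps1
      -InstallPath "${{ parameters.microBuildOutputFolder }}/.dotnet"
      -Channel "8.0"
    displayName: Install .NET SDK for MicroBuild Plugin
    condition: and(succeeded(), ${{ parameters.condition }})

  # Create a global.json in the MicroBuild folder that pins to the installed SDK.
  # This prevents the repo's global.json from causing SDK resolution failures
  # when MicroBuild runs dotnet restore from this directory.
  # `set -e` makes the step fail if `dotnet --version` fails; without it an empty
  # version would be written and the failure would only surface in a later step.
  - script: |
      set -euo pipefail
      mkdir -p "${{ parameters.microBuildOutputFolder }}"
      version=$("${{ parameters.microBuildOutputFolder }}/.dotnet/dotnet" --version)
      cat > "${{ parameters.microBuildOutputFolder }}/global.json" << EOF
      {
        "sdk": {
          "version": "$version"
        }
      }
      EOF
    displayName: Create global.json for MicroBuild
    condition: and(succeeded(), ${{ parameters.condition }})

  - task: MicroBuildSigningPlugin@4
    displayName: Install MicroBuild Signing Plugin
    condition: and(succeeded(), ${{ parameters.condition }})
    inputs:
      version: $(MicroBuildPluginVersion)
      ${{ if eq(parameters.signType, 'test') }}:
        signType: test
      ${{ else }}:
        signType: real
      zipSources: false
      feedSource: $(MicroBuildFeedSource)
      ConnectedServiceName: 'MicroBuild Signing Task (DevDiv)'
      ConnectedPMEServiceName: c24de2a5-cc7a-493d-95e4-8e5ff5cad2bc
      workingDirectory: ${{ parameters.microBuildOutputFolder }}
    env:
      TeamName: $(TeamName)
      # Kept in sync with the parameter (not hard-coded) so a caller that overrides
      # microBuildOutputFolder gets the plugin output next to the pinned SDK/global.json.
      MicroBuildOutputFolderOverride: ${{ parameters.microBuildOutputFolder }}
      SYSTEM_ACCESSTOKEN: $(System.AccessToken)
      # Only this task sees the isolated SDK; PATH is not changed for later steps.
      PATH: ${{ parameters.microBuildOutputFolder }}/.dotnet:$(PATH)

  # Configure docker run options for signing.
  # Writes an env file with signing variables and sets the pipeline variable named by
  # dockerRunOptionsVariableName with both the MicroBuild plugin volume mount and the
  # --env-file flag.
  - task: PowerShell@2
    displayName: Configure ImageBuilder Signing Options
    condition: and(succeeded(), ${{ parameters.condition }})
    inputs:
      targetType: 'inline'
      script: |
        # The plugin install step exports MBSIGN_APPFOLDER; fail early and clearly
        # rather than emitting a volume mount with an empty host path.
        if (-not $env:MBSIGN_APPFOLDER) {
          throw "MBSIGN_APPFOLDER is not set; the MicroBuild signing plugin install step must run before this step."
        }

        # Write the signing env file for docker --env-file.
        # Docker reads this file on the host before creating the container,
        # so no volume mount is needed for the file itself.
        # Entries with a bare NAME (no '=') forward the agent's current value of
        # that variable into the container; NAME=VALUE entries set it explicitly.
        $envFilePath = "$(Agent.TempDirectory)/imagebuilder-signing.env"
        $envFileContent = @(
          # MicroBuild plugin variables for DDSignFiles.dll
          "MBSIGN_APPFOLDER=/microbuild"
          "VSENGESRPSSL"
          "USEESRPCLI"
          "MBSIGN_CONNECTEDSERVICE"
          # Container-local temp/workspace paths (host paths aren't accessible inside the container)
          "MBSIGNTEMPDIR=/tmp/MicroBuildSign"
          # NOTE(review): this is a host path; assumes run-imagebuilder mounts it at the same path inside the container — confirm
          "PIPELINE_WORKSPACE=$(Build.ArtifactStagingDirectory)"
          "AGENT_TEMPDIRECTORY=/tmp"
          # Azure DevOps pipeline variables for ESRP bearer token auth (ESRPUtils.GetAccountInfo)
          "SYSTEM_TEAMFOUNDATIONCOLLECTIONURI"
          "BUILD_BUILDID"
          "SYSTEM_TEAMPROJECT"
          "BUILD_SOURCEBRANCH"
          # Azure DevOps pipeline variables for ESRP CLI federated token (ESRPCliDll.GetFederatedTokenData)
          "SYSTEM_JOBID"
          "SYSTEM_PLANID"
          "SYSTEM_TEAMPROJECTID"
          "SYSTEM_HOSTTYPE"
          "SYSTEM_COLLECTIONURI"
          # Azure DevOps pipeline variables for DDSignFilesConfiguration
          "BUILD_DEFINITIONNAME"
          "BUILD_BUILDNUMBER"
        )
        $envFileContent | Set-Content -Path $envFilePath -Encoding utf8NoBOM

        # Compose docker run options for signing:
        # - Volume mount for MicroBuild plugin directory (DDSignFiles.dll and esrpcli.dll)
        # - Env file with signing environment variables
        # The backtick before ':' stops PowerShell from reading 'MBSIGN_APPFOLDER:' as a scope qualifier.
        $signingDockerRunOptions = "-v $env:MBSIGN_APPFOLDER`:/microbuild --env-file `"$envFilePath`""
        # Only paths are logged here; the env file carries variable names, not secret values.
        Write-Host "signingDockerRunOptions: $signingDockerRunOptions"
        Write-Host "##vso[task.setvariable variable=${{ parameters.dockerRunOptionsVariableName }}]$signingDockerRunOptions"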