|
| 1 | +name: 0.0.$(Date:yyMM.d)$(Rev:rrr) |
| 2 | + |
| 3 | +parameters: |
| 4 | +- name: AgentPool |
| 5 | + type: object |
| 6 | + default: |
| 7 | + Medium: |
| 8 | + name: rnw-pool-4-microsoft |
| 9 | + demands: ImageOverride -equals rnw-img-vs2022-node22 |
| 10 | + Large: |
| 11 | + name: rnw-pool-8-microsoft |
| 12 | + demands: ImageOverride -equals rnw-img-vs2022-node22 |
| 13 | +- name: forceCodeQL |
| 14 | + displayName: Force CodeQL to rebuild databases |
| 15 | + type: boolean |
| 16 | + default: false |
| 17 | +- name: complianceWarnOnly |
| 18 | + displayName: Convert compliance errors to warnings |
| 19 | + type: boolean |
| 20 | + default: true # Let's get all results in this pipeline |
| 21 | + |
| 22 | +variables: |
| 23 | + - template: variables/windows.yml |
| 24 | + - group: RNW Secrets |
| 25 | + - name: Codeql.Enabled |
| 26 | + value: true |
| 27 | + - ${{ if eq(parameters.forceCodeQL, true) }}: |
| 28 | + - name: Codeql.Cadence |
| 29 | + value: 0 |
| 30 | + - ${{ if eq(parameters.forceCodeQL, false) }}: |
| 31 | + - name: Codeql.Cadence |
| 32 | + value: 120 # In hours, default to only run every 5 days |
| 33 | + |
| 34 | +trigger: none |
| 35 | +pr: none |
| 36 | + |
| 37 | +jobs: |
| 38 | + - job: RnwUniversalCompliance |
| 39 | + displayName: RNW Universal Compliance |
| 40 | + pool: ${{ parameters.AgentPool.Large }} |
| 41 | + timeoutInMinutes: 360 # Compliance tasks recommend to 3x usual build timeout |
| 42 | + |
| 43 | + steps: |
| 44 | + - template: templates/checkout-shallow.yml |
| 45 | + |
| 46 | + - template: templates/prepare-js-env.yml |
| 47 | + |
| 48 | + - template: templates/set-version-vars.yml |
| 49 | + parameters: |
| 50 | + buildEnvironment: Continuous |
| 51 | + |
| 52 | + - template: templates/publish-version-vars.yml |
| 53 | + |
| 54 | + - template: templates/prepare-build-env.yml |
| 55 | + parameters: |
| 56 | + platform: x64 |
| 57 | + configuration: Release |
| 58 | + buildEnvironment: Continuous |
| 59 | + |
| 60 | + - template: templates/apply-published-version-vars.yml |
| 61 | + |
| 62 | + # Pre-build compliance tasks |
| 63 | + |
| 64 | + - template: templates/run-compliance-prebuild.yml |
| 65 | + parameters: |
| 66 | + complianceWarnOnly: ${{ parameters.complianceWarnOnly }} |
| 67 | + |
| 68 | + - task: NuGetAuthenticate@1 |
| 69 | + |
| 70 | + # AgentES Task (https://aka.ms/UES) |
| 71 | + # Installs and runs the "Agent ES" tool, which scans the source code for banned file types. |
| 72 | + - powershell: | |
| 73 | + & nuget.exe install AgentES -FallbackSource https://microsoft.pkgs.visualstudio.com/_packaging/Undocked.Shell.Services/nuget/v3/index.json |
| 74 | + $AgentESPath = (Get-ChildItem -Path AgentES* -Filter AgentES.exe -Recurse | %{$_.FullName}) |
| 75 | + & $AgentESPath $env:BUILD_SOURCESDIRECTORY -e:$env:BUILD_SOURCESDIRECTORY\.ado\config\AgentES.Exemptions.json -b |
| 76 | + displayName: "⚖️ AgentES - Scan of Repository for UES Policy Violations" |
| 77 | + workingDirectory: $(Agent.BuildDirectory) |
| 78 | + continueOnError: ${{ parameters.complianceWarnOnly }} |
| 79 | +
|
| 80 | + # Initialize CodeQL 3000 Task (https://aka.ms/codeql3000) |
| 81 | + # Performs static code analysis. |
| 82 | + - task: CodeQL3000Init@0 |
| 83 | + displayName: "🛡️ Initialize CodeQL" |
| 84 | + continueOnError: ${{ parameters.complianceWarnOnly }} |
| 85 | + |
| 86 | + # Build RNW |
| 87 | + |
| 88 | + - template: templates/msbuild-sln.yml |
| 89 | + parameters: |
| 90 | + solutionDir: vnext |
| 91 | + solutionName: Microsoft.ReactNative.NewArch.sln |
| 92 | + buildPlatform: x64 |
| 93 | + buildConfiguration: Release |
| 94 | + |
| 95 | + # Post-build compliance tasks |
| 96 | + |
| 97 | + - template: templates/run-compliance-postbuild.yml |
| 98 | + parameters: |
| 99 | + complianceWarnOnly: ${{ parameters.complianceWarnOnly }} |
| 100 | + |
| 101 | + # Attack Surface Analyzer (ASA) for SDL compliance |
| 102 | + # This is integrated into the compliance pipeline but runs independently |
| 103 | + # Note: ASA requires before/after snapshots, so we run a separate analysis |
| 104 | + - task: PowerShell@2 |
| 105 | + displayName: '🛡️ Attack Surface Analyzer - Note' |
| 106 | + inputs: |
| 107 | + targetType: inline |
| 108 | + script: | |
| 109 | + Write-Host "==========================================" |
| 110 | + Write-Host "Attack Surface Analyzer (ASA) Information" |
| 111 | + Write-Host "==========================================" |
| 112 | + Write-Host "" |
| 113 | + Write-Host "ASA runs as a separate job in the PR pipeline (see stages.yml)." |
| 114 | + Write-Host "It performs before/after snapshot analysis of the build process." |
| 115 | + Write-Host "" |
| 116 | + Write-Host "For manual ASA runs or to view results:" |
| 117 | + Write-Host "1. Check PR pipeline artifacts for ASA_Results" |
| 118 | + Write-Host "2. Review docs/attack-surface-analyzer.md for guidance" |
| 119 | + Write-Host "3. Run ASA locally: dotnet tool install -g Microsoft.CST.AttackSurfaceAnalyzer.CLI" |
| 120 | + Write-Host "" |
| 121 | + Write-Host "✅ ASA integration is active in PR builds" |
| 122 | +
|
| 123 | + # Finalize CodeQL 3000 Task (https://aka.ms/codeql3000) |
| 124 | + # Performs static code analysis. |
| 125 | + - task: CodeQL3000Finalize@0 |
| 126 | + displayName: "🛡️ Finalize CodeQL" |
| 127 | + inputs: |
| 128 | + # Enable TSA for automatic bug filing from CodeQL |
| 129 | + TSAEnabled: true |
| 130 | + TSAOptions: | |
| 131 | + { |
| 132 | + "areaPath": "OS\\Windows Client and Services\\WinPD\\SPICE\\ReactNative", |
| 133 | + "iterationPath": "OS\\Future", |
| 134 | + "notificationAliases": ["$(TSANotificationAliases)"], |
| 135 | + "codebaseAdmins": ["$(TSACodebaseAdmins)"], |
| 136 | + "bugTags": ["SDL", "Security"], |
| 137 | + "instanceUrl": "https://dev.azure.com/microsoft", |
| 138 | + "projectName": "OS" |
| 139 | + } |
| 140 | + continueOnError: ${{ parameters.complianceWarnOnly }} |
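Review bot: The AgentES install at file line 73 pulls an unpinned package through `-FallbackSource`, which NuGet consults only after the agent's primary/configured sources, so whichever feeds are configured on the runner are searched first and the version used is whatever is newest at run time. Restricting the lookup to the internal feed and pinning the version removes both the source ambiguity and the version drift, e.g. `& nuget.exe install AgentES -Source https://microsoft.pkgs.visualstudio.com/_packaging/Undocked.Shell.Services/nuget/v3/index.json -Version <PINNED_VERSION> -NonInteractive`. The `Get-ChildItem ... | %{$_.FullName}` on line 74 also appears to yield an array when more than one `AgentES*` directory is present on the agent, and `& $AgentESPath` would then fail; `| Select-Object -First 1 -ExpandProperty FullName` makes the step deterministic. Separately, the step at file lines 104–121 carries the 🛡️ prefix and the "Attack Surface Analyzer" name but only writes text to the log; a displayName such as `'ℹ️ Attack Surface Analyzer - runs in PR pipeline (stages.yml)'` would keep an auditor of this compliance job from reading it as an executed scan.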