Build pipeline for main branch. (#350)

nikithauc · MIchaelMainer · web-flow · commit 35a4b7b703fd · 2023-02-02T12:27:45.000-08:00
* build pipeline with component governance

* Apply suggestions from code review

Co-authored-by: Michael Mainer &lt;MIchaelMainer@users.noreply.github.com&gt;

* path of file

[skip ci]

---------

Co-authored-by: Michael Mainer &lt;MIchaelMainer@users.noreply.github.com&gt;
diff --git a/.azure-pipelines/ci-build-production.yml b/.azure-pipelines/ci-build-production.yml
@@ -0,0 +1,38 @@
+# Typescript Typings V1 npm build and release pipeline
+name: $(BuildDefinitionName)_$(SourceBranchName)_$(Date:yyyyMMdd)$(Rev:.r)
+
+trigger:
+  branches:
+    include:
+      - main
+  paths:
+    include:
+      - microsoft-graph.d.ts
+
+pr: none
+
+pool:
+  vmImage: windows-latest
+
+steps:
+
+- script: git checkout main
+- template: ./common-templates/security-pre-checks.yml
+- task: CopyFiles@2
+  displayName: 'Copy Files to staging directory'
+  inputs:
+    SourceFolder: '$(System.DefaultWorkingDirectory)'
+    Contents: |
+     **/*
+     !spec/**
+     !.azure-pipelines/**
+     !.github/**
+     !.git/**
+     !.vscode/**
+     !typings-demo.gif
+    TargetFolder: '$(Build.ArtifactStagingDirectory)'
+
+- task: PublishBuildArtifacts@1
+  displayName: 'Publish Artifact: drop'
+
+- template: ./common-templates/security-post-checks.yml
diff --git a/.azure-pipelines/common-templates/security-post-checks.yml b/.azure-pipelines/common-templates/security-post-checks.yml
@@ -0,0 +1,53 @@
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License.
+steps:
+  - task: CodesignValidation@0
+
+  - task: SdtReport@1
+    displayName: "Security Analysis Report"
+    continueOnError: true
+    condition: succeededOrFailed()
+    inputs:
+      AllTools: false
+      APIScan: false
+      BinSkim: false
+      BinSkimBreakOn: "WarningAbove"
+      CodesignValidation: false
+      CodesignValidationBreakOn: "WarningAbove"
+      CredScan: true
+      FortifySCA: false
+      FxCop: false
+      ModernCop: false
+      MSRD: false
+      PoliCheck: true
+      PoliCheckBreakOn: "Severity1"
+      RoslynAnalyzers: false
+      RoslynAnalyzersBreakOn: "WarningAbove"
+      SDLNativeRules: false
+      Semmle: false
+      TSLint: false
+      TSLintBreakOn: "WarningAbove"
+      ToolLogsNotFoundAction: "Standard"
+
+  - task: PublishSecurityAnalysisLogs@3
+    displayName: "Publish Security Analysis Logs"
+    inputs:
+      ArtifactName: "CodeAnalysisLogs"
+      ArtifactType: "Container"
+      AllTools: false
+      AntiMalware: false
+      APIScan: false
+      BinSkim: false
+      CodesignValidation: false
+      CredScan: true
+      FortifySCA: false
+      FxCop: false
+      ModernCop: true
+      MSRD: false
+      PoliCheck: true
+      RoslynAnalyzers: false
+      SDLNativeRules: false
+      Semmle: false
+      TSLint: true
+      WebScout: false
+      ToolLogsNotFoundAction: "Standard"
diff --git a/.azure-pipelines/common-templates/security-pre-checks.yml b/.azure-pipelines/common-templates/security-pre-checks.yml
@@ -0,0 +1,21 @@
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License.
+steps:
+  - task: CredScan@2
+    displayName: "Run CredScan"
+    inputs:
+      debugMode: false
+      batchSize: 20
+      toolMajorVersion: "V2"
+      searchersFileType: "Skype"
+
+  - task: PoliCheck@1
+    displayName: "Run PoliCheck"
+    condition: and(succeeded(), eq(eq(variables['Build.SourceBranch'], 'refs/heads/main'), false))
+    inputs:
+      targetType: F
+      SOMEnabled: true
+      optionsFC: 0
+      optionsXS: 0
+      optionsHMENABLE: 0
+      continueOnError: true
diff --git a/.github/workflows/create-v1.0-pull-request.yml b/.github/workflows/create-v1.0-pull-request.yml
@@ -1,9 +1,9 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 
-# This action will automatically create a pull request against master if the pushed branch
+# This action will automatically create a pull request against main if the pushed branch
 # has a branch path spec like 1.0/pipelinebuild/*. Configure this action by updating the
-# environment variable values[0]. 
+# environment variable values[0].
 
 name: "create pull request"
 
@@ -36,11 +36,11 @@ jobs:
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         MESSAGE_TITLE: Generated v1.0 typings using Typewriter
-        MESSAGE_BODY: "This pull request was automatically created by the GitHub Action, **${{github.workflow}}**. \n\n The commit hash is _${{github.sha}}_. \n\n **Important** Check for unexpected deletions or changes in this PR. Make sure to bump the version. Create a GitHub release after releasing on npm and [DefinitelyTyped](http://definitelytyped.org/guides/contributing.html). \n\n cc: @darrelmiller"
+        MESSAGE_BODY: "This pull request was automatically created by the GitHub Action, **${{github.workflow}}**. \n\n The commit hash is _${{github.sha}}_. \n\n **Important** Check for unexpected deletions or changes in this PR. Make sure to bump the version. Create a GitHub release after releasing on npm and [DefinitelyTyped](http://definitelytyped.org/guides/contributing.html). \n\n"
         REVIEWERS: peombwa,ddyett,zengin,MIchaelMainer
         ASSIGNEDTO: nikithauc
         LABELS: generated
-        BASE: master
+        BASE: main
       run: |
         curl -fsSL https://github.com/github/hub/raw/master/script/get | bash -s 2.14.1
         bin/hub pull-request -b "$BASE" -h "$GITHUB_REF" -m "$MESSAGE_TITLE" -m "$MESSAGE_BODY" -r "$REVIEWERS" -a "$ASSIGNEDTO" -l "$LABELS"
