[release/6.0.1xx] Add CI for security-partners-dotnet #14963
Conversation
lbussell
force-pushed
the
security-partners-ci
branch
from
41c02f4 to
77a500f
Compare
|
@MichaelSimons trying a new approach: remove all nuget configs from all submodules. I don't think it will cause any major build issues. Let me know what you think. (internal) CI run: https://dev.azure.com/dnceng/internal/_build/results?buildId=2043133&view=results |
src/SourceBuild/Arcade/eng/common/templates/job/source-build-build-tarball.yml
Show resolved
Hide resolved
| @@ -0,0 +1,19 @@ | |||
| variables: | |||
There was a problem hiding this comment.
We should avoid putting content at the root of the tarball. This should go into the eng\pipelines folder IMO.
There was a problem hiding this comment.
There is no existing eng/pipelines folder that I see. Do you mean to put it in <installer src>/eng/... or <tarball content>/eng/...?
There was a problem hiding this comment.
I intended to create the folder in <tarball content>/eng/. I would be fine with just putting it in <tarball content>/
| @@ -0,0 +1,19 @@ | |||
| variables: | |||
| NugetSecurityAnalysisWarningLevel: none | |||
There was a problem hiding this comment.
Is this variable used? From your feedback, it doesn't seem to. I think it is worth reaching out to [email protected] on why this doesn't work.
There was a problem hiding this comment.
There are some places setting this in dotnet - https://github.com/dotnet/project-system/blob/5930b5b0dc5afb547eb399cd71445d43338647cb/eng/pipelines/pull-request.yml#L46
There was a problem hiding this comment.
Perhaps the problem is not multiple feeds rather there is no clear first?
There was a problem hiding this comment.
It seems to me that this variable does nothing and might have been a placeholder while teams fix their NuGet configs. I have sent an email to that alias and CC'ed you, and I will remove the variable from the pipeline as well.
| @@ -0,0 +1,19 @@ | |||
| variables: | |||
There was a problem hiding this comment.
Does this pipeline need a PR trigger?
There was a problem hiding this comment.
For PR validation on Azure Repos Git, it's configured via the UI and not yaml: https://learn.microsoft.com/en-us/azure/devops/pipelines/repos/azure-repos-git?view=azure-devops&tabs=yaml#pr-triggers
I'll put a trigger: none here for now, but do you think we should have it trigger on commits to release/* branches as well as for PR validation?
There was a problem hiding this comment.
Thanks, I didn't realize that.
|
For some reason the online smoke tests have failed, but only after I fixed the installer nuget config path. @MichaelSimons could you take a look, given you're more familiar with the smoke test nuget config setup? https://dev.azure.com/dnceng/internal/_build/results?buildId=2043133&view=results (internal link) |
| inputs: | ||
| filePath: $(Build.SourcesDirectory)/eng/common/SetupNugetSources.sh | ||
| arguments: $(Build.SourcesDirectory)/NuGet.config $Token | ||
| filePath: $(installerSrcDir)/eng/common/SetupNugetSources.sh |
There was a problem hiding this comment.
I think the problem with the failing tests is that in an offline build, we strip the online feeds from the repo's nuget configs - https://github.com/dotnet/installer/blob/main/src/SourceBuild/tarball/content/repos/Directory.Build.targets#L184. Additionally, we don't want to be adding these sources for the installer's nuget.config we build with. We really only want to manipulate the nuget.config used for testing. I'll let you propose how to accomplish that.
MichaelSimons
left a comment
MichaelSimons
left a comment
There was a problem hiding this comment.
Friendly reminder to proactively ping the thread on the nuget security scanning issue.
src/SourceBuild/Arcade/eng/common/templates/job/source-build-build-tarball.yml
Outdated
Show resolved
Hide resolved
lbussell
changed the title
…uild-tarball.yml Co-authored-by: Michael Simons <[email protected]>
|
I submitted dotnet/source-build#3125 as a draft in case we don't get an exception to the NuGet Security Analysis check. |
This reverts commit 87b8a2c.
* [release/6.0.1xx] Add CI for security-partners-dotnet (#14963) * Add CI for dotnet-security-partners * Remove nuget configs from all repo submodules * Address code review * Move security-partners ci to tarball/eng dir * Copy out installer NuGet config before build * Fix relative path for installer template * Update src/SourceBuild/Arcade/eng/common/templates/job/source-build-build-tarball.yml Co-authored-by: Michael Simons <[email protected]> * Revert "Remove nuget configs from all repo submodules" This reverts commit 87b8a2c. Co-authored-by: Michael Simons <[email protected]> * Update branding to 6.0.113 Co-authored-by: Logan Bussell <[email protected]> Co-authored-by: Michael Simons <[email protected]> Co-authored-by: Sean Reeser <[email protected]> Co-authored-by: Marc Paine <[email protected]> Co-authored-by: Matt Mitchell <[email protected]>
3 participants
Pending this CI run: https://dev.azure.com/dnceng/internal/_build/results?buildId=2042997&view=results
one-half of dotnet/source-build#2904