Merge branch 'microsoft:main' into main

Author: Saadnajmi

.ado/android-pr.yml

@@ -18,8 +18,7 @@ variables:
 jobs:
   - job: AndroidRNPR
     displayName: Android React Native PR
-    pool:
-      vmImage: $(VmImageUbuntu)
+    pool: $(PoolUbuntu)
     timeoutInMinutes: 90 # how long to run the job before automatically cancelling
     cancelTimeoutInMinutes: 5 # how much time to give 'run always even if cancelled tasks' before killing them
     steps:
@@ -58,7 +57,7 @@ jobs:
       - task: CmdLine@2
         displayName: 'Verify Dependencies can be enumerated'
         inputs:
-          script: sudo apt-get install python3-pip && sudo apt-get install python3-setuptools && pip3 install BeautifulSoup4 && pip3 install wheel && pip3 install wget && python3 android-patches/patching-tool/scripts/downloadDependencies.py $(Build.SourcesDirectory) && tree $(Build.SourcesDirectory)/android
+          script: sudo apt-get install python3-pip && sudo apt-get install python3-setuptools && pip3 install BeautifulSoup4 && pip3 install wheel && pip3 install wget && python3 .ado/downloadAndroidDependencies.py $(Build.SourcesDirectory) && tree $(Build.SourcesDirectory)/android
 
 
       # Very similar to the default pack task .. but appends 'ndk21' to the nuget pack version
@@ -80,7 +79,7 @@ jobs:
           BUILD_SOURCESDIRECTORY: $(Build.SourcesDirectory)
           BUILD_SOURCEBRANCH: $(Build.SourceBranch)
           SYSTEM_ACCESSTOKEN: $(System.AccessToken)
-          githubApiToken: $(githubApiToken)
+          githubApiToken: $(githubAuthToken)
 
 #     In RN64 "clean" task tries to run the build again. It is reproing in 0.64-stable branch but fixed in 0.65-stable.
 #     I can't zero on the exact cause .. but turns out the issue is with rntester clean task.

android-patches/patching-tool/scripts/downloadDependencies.py renamed to .ado/downloadAndroidDependencies.py

@@ -1,5 +1,5 @@
 # It is expected that a `latestStableBranch` variable is set in the pipeline's settings:
-# https://dev.azure.com/ms/react-native/_apps/hub/ms.vss-build-web.ci-designer-hub?pipelineId=221
+# https://dev.azure.com/office/ISS/_apps/hub/ms.vss-build-web.ci-designer-hub?pipelineId=18541
 
 # This file defines the build steps to publish a release
 name: $(Date:yyyyMMdd).$(Rev:.r)
@@ -18,14 +18,23 @@ pr: none
 
 variables:
   - template: variables/vars.yml
+  - group: React-native-macos Secrets
+  - group: InfoSec-SecurityResults
+  - name: tags
+    value: production,externalfacing
 
 jobs:
   - job: RNGithubNpmJSPublish
     displayName: React-Native GitHub Publish to npmjs.org
     pool:
       vmImage: $(VmImageApple)
+    variables:
+      - name: BUILDSECMON_OPT_IN
+        value: true
     timeoutInMinutes: 90 # how long to run the job before automatically cancelling
     cancelTimeoutInMinutes: 5 # how much time to give 'run always even if cancelled tasks' before killing them
+    dependsOn: 
+      - Compliance
     steps:
       - checkout: self # self represents the repo where the initial Pipelines YAML file was found
         clean: true # whether to fetch clean each time
@@ -111,17 +120,18 @@ jobs:
           BUILD_STAGINGDIRECTORY: $(Build.StagingDirectory)
           BUILD_SOURCEBRANCH: $(Build.SourceBranch)
           SYSTEM_ACCESSTOKEN: $(System.AccessToken)
-          githubApiToken: $(githubApiToken)
+          githubApiToken: $(githubAuthToken)
         condition: and(succeeded(), ne(variables['Build.SourceBranchName'], 'main'))
 
 
   - job: RNMacOSInitNpmJSPublish
     displayName: react-native-macos-init Publish to npmjs.org
-    pool:
-      vmImage: $(VmImageUbuntu)
+    pool: Azure-Pipelines-EO-Ubuntu20.04-Office
     timeoutInMinutes: 90 # how long to run the job before automatically cancelling
     cancelTimeoutInMinutes: 5 # how much time to give 'run always even if cancelled tasks' before killing them
     condition: eq(variables['Build.SourceBranchName'], 'main')
+    dependsOn: 
+      - Compliance
     steps:
       - checkout: self # self represents the repo where the initial Pipelines YAML file was found
         clean: true # whether to fetch clean each time
@@ -146,6 +156,11 @@ jobs:
             cd packages/react-native-macos-init
             yarn build
 
+      - task: CmdLine@2
+        displayName: Code tested in other pipeline [test]
+        inputs:
+          script: echo "This code is tested as part of an integration test. See the 'Verify react-native-macos-init' task."
+
       - task: CmdLine@2
         displayName: "Publish react-native-macos-init to npmjs.org"
         inputs:
@@ -166,10 +181,11 @@ jobs:
 
   - job: RNGithubOfficePublish
     displayName: React-Native GitHub Publish to Office
-    pool:
-      vmImage: $(VmImageUbuntu)
+    pool: Azure-Pipelines-EO-Ubuntu20.04-Office
     timeoutInMinutes: 90 # how long to run the job before automatically cancelling
     cancelTimeoutInMinutes: 5 # how much time to give 'run always even if cancelled tasks' before killing them
+    dependsOn: 
+      - Compliance
     steps:
       - checkout: self # self represents the repo where the initial Pipelines YAML file was found
         clean: true # whether to fetch clean each time
@@ -202,7 +218,7 @@ jobs:
       - task: CmdLine@2
         displayName: 'Verify Dependencies can be enumerated'
         inputs:
-          script: sudo apt-get install python3-pip && sudo apt-get install python3-setuptools && pip3 install BeautifulSoup4 && pip3 install wheel && pip3 install wget && python3 android-patches/patching-tool/scripts/downloadDependencies.py $(Build.SourcesDirectory) && tree $(Build.SourcesDirectory)/android
+          script: sudo apt-get install python3-pip && sudo apt-get install python3-setuptools && pip3 install BeautifulSoup4 && pip3 install wheel && pip3 install wget && python3 .ado/downloadAndroidDependencies.py $(Build.SourcesDirectory) && tree $(Build.SourcesDirectory)/android
 
 
       # Very similar to the default pack task .. but appends 'ndk21b' to the nuget pack version
@@ -220,7 +236,7 @@ jobs:
           BUILD_SOURCESDIRECTORY: $(Build.SourcesDirectory)
           BUILD_SOURCEBRANCH: $(Build.SourceBranch)
           SYSTEM_ACCESSTOKEN: $(System.AccessToken)
-          githubApiToken: $(githubApiToken)
+          githubApiToken: $(githubAuthToken)
 
       - task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0
         displayName: 📒 Generate Manifest
@@ -232,3 +248,15 @@ jobs:
         inputs:
           PathtoPublish: '$(Build.StagingDirectory)/final'
           ArtifactName: 'ReactNative-Final'
+
+  - job: Compliance
+    displayName: React-Native GitHub Compliance pipeline
+    pool: OE-OfficePublic
+    timeoutInMinutes: 15 # how long to run the job before automatically cancelling
+    steps:
+      - checkout: self # self represents the repo where the initial Pipelines YAML file was found
+        clean: true # whether to fetch clean each time
+        fetchDepth: 10 # the depth of commits to ask Git to fetch
+        lfs: false # whether to download Git-LFS files
+        submodules: recursive # set to 'true' for a single level of submodules or 'recursive' to get submodules of submodules
+        persistCredentials: true # set to 'true' to leave the OAuth token in the Git config after the initial fetch

.ado/publish.yml

@@ -5,4 +5,4 @@ steps:
   - task: CmdLine@2
     displayName: Apply Android specific patches for Office consumption
     inputs:
-      script: node $(System.DefaultWorkingDirectory)/android-patches/patching-tool/bundle/bundle.js patch $(System.DefaultWorkingDirectory) Build OfficeRNHost V8 Focus MAC ImageColor JniUtils RootViewAttach --patch-store $(System.DefaultWorkingDirectory)/android-patches/patches --log-folder $(System.DefaultWorkingDirectory)/android-patches/logs --confirm ${{ parameters.apply_office_patches }}
+      script: npm_config_yes=true npx @rnx-kit/draft-patch-rnmacos patch $(System.DefaultWorkingDirectory) Build OfficeRNHost V8 Focus MAC ImageColor JniUtils RootViewAttach --patch-store $(System.DefaultWorkingDirectory)/android-patches/patches --log-folder $(System.DefaultWorkingDirectory)/android-patches/logs --confirm ${{ parameters.apply_office_patches }}

.ado/templates/apple-droid-node-patching.yml

@@ -16,7 +16,7 @@ steps:
     displayName: 'yarn install'
 
   - task: CmdLine@2
-    displayName: yarn test-ci
+    displayName: yarn test-ci [test]
     inputs:
       script: 'yarn test-ci'
 

.ado/templates/apple-job-javascript.yml

@@ -99,7 +99,7 @@ steps:
       workingDirectory: $(Agent.BuildDirectory)/testcli
 
   - task: CmdLine@2
-    displayName: Run macos
+    displayName: Run macos [test]
     inputs:
       script: npx react-native run-macos
       workingDirectory: $(Agent.BuildDirectory)/testcli

.ado/templates/react-native-macos-init.yml

@@ -1,5 +1,5 @@
 variables:
   VmImageApple: macOS-11
-  VmImageUbuntu: ubuntu-20.04
+  PoolUbuntu: cxe-ubuntu-20-04-small
   slice_name: 'Xcode_13_1'
   xcode_version: '/Applications/Xcode_13.1.app'

.ado/variables/vars.yml

@@ -336,8 +336,9 @@ jobs:
       - run:
           name: "Run Tests: JavaScript Tests"
           command: node ./scripts/run-ci-javascript-tests.js --maxWorkers 2
-      - run_e2e:
-          platform: js
+      # TODO(macOS GH#949): Disable this failing test
+      # - run_e2e:
+      #     platform: js
 
       # Optionally, run disabled tests
       - when:
@@ -823,11 +824,12 @@ workflows:
       #     run_detox_tests: true
       #     requires:
       #       - setup_ios
-      - test_js:
-          name: test_js_prev_lts
-          executor: nodeprevlts
-          requires:
-            - setup_js
+      # TODO(macOS GH#949): Disable this failing test
+      # - test_js:
+      #     name: test_js_prev_lts
+      #     executor: nodeprevlts
+      #     requires:
+      #       - setup_js
       - test_docker:
           filters:
             branches:

.circleci/config.yml

@@ -0,0 +1,21 @@
+{
+  "tool": "Credential Scanner",
+  "suppressions": [
+    {
+      "file": "keystores/debug.keystore",
+      "_justification": "Debug key needed for android. Does not contain a particular secret"
+    },
+    {
+      "file": "template/android/app/debug.keystore",
+      "_justification": "Debug key needed for android. Does not contain a particular secret"
+    },
+    {
+      "file": "packages/rn-tester/android/app/gradle.properties",
+      "_justification": "Debug key needed for android. Does not contain a particular secret"
+    },
+    {
+      "file": "packages/rn-tester/android/app/my-release-key.keystore",
+      "_justification": "Debug key needed for android. Does not contain a particular secret"
+    }
+  ]
+}

.config/CredScanSuppressions.json

@@ -13,7 +13,7 @@ name: "CodeQL"
 
 on:
   push:
-    branches: [ main, *-stable ]
+    branches: [ main ]
   pull_request:
     # The branches below must be a subset of the branches above
     branches: [ main ]