build: Add a 1ES Pipeline Templates version of Canary#20127
build: Add a 1ES Pipeline Templates version of Canary#20127
This reverts commit 9771a64.
Salient diffs between
diff --git a/build/pipelines/ob-nightly.yml b/build/pipelines/1espt-nightly.yml
index 603593dca..cbd6cfef7 100644
--- a/build/pipelines/ob-nightly.yml
+++ b/build/pipelines/1espt-nightly.yml
@@ -13,6 +13,10 @@ parameters:
displayName: "Deploy to **PUBLIC** Azure Storage"
type: boolean
default: true
+ - name: official
+ displayName: "Run on Official 1ES Pipeline Templates"
+ type: boolean
+ default: true
name: $(BuildDefinitionName)_$(date:yyMM).$(date:dd)$(rev:rrr)
@@ -20,12 +24,11 @@ variables:
- template: templates-v2/variables-nuget-package-version.yml
parameters:
branding: Canary
- - template: templates-v2/variables-onebranch-config.yml
extends:
- template: templates-v2/pipeline-onebranch-full-release-build.yml
+ template: templates-v2/pipeline-1espt-full-release-build.yml
parameters:
- official: true
+ official: ${{ parameters.official }}
branding: Canary
buildTerminal: true
pgoBuildMode: Optimize
@@ -40,7 +43,6 @@ extends:
useManagedIdentity: $(SigningUseManagedIdentity)
clientId: $(SigningOriginalClientId)
publishSymbolsToPublic: true
- publishVpackToWindows: false
symbolExpiryTime: 15
symbolPublishingSubscription: $(SymbolPublishingServiceConnection)
symbolPublishingProject: $(SymbolPublishingProject)
@@ -48,12 +50,9 @@ extends:
extraPublishJobs:
- template: build/pipelines/templates-v2/job-deploy-to-azure-storage.yml@self
parameters:
- pool: { type: windows }
- variables:
- ob_sdl_prefast_enabled: false # This is a collection of powershell scripts
- ob_git_checkout: false # This job checks itself out
- ob_git_skip_checkout_none: true
- ob_outputDirectory: "$(Build.SourcesDirectory)/_none"
+ pool:
+ name: SHINE-INT-S
+ os: windows
dependsOn: [PublishSymbols]
storagePublicRootURL: $(AppInstallerRootURL)
subscription: $(AzureSubscriptionName)
and likewise, diffs between the actual pipeline templates:
diff --git a/build/pipelines/templates-v2/pipeline-onebranch-full-release-build.yml b/build/pipelines/templates-v2/pipeline-1espt-full-release-build.yml
index bd78a0d5f..62e541a2c 100644
--- a/build/pipelines/templates-v2/pipeline-onebranch-full-release-build.yml
+++ b/build/pipelines/templates-v2/pipeline-1espt-full-release-build.yml
@@ -49,12 +49,6 @@ parameters:
- name: symbolExpiryTime
type: string
default: 36530 # This is the default from PublishSymbols@2
- - name: createVpack
- type: boolean
- default: false
- - name: publishVpackToWindows
- type: boolean
- default: false
- name: symbolPublishingSubscription
type: string
- name: symbolPublishingProject
@@ -69,42 +63,30 @@ parameters:
resources:
repositories:
- - repository: templates
+ - repository: 1esPipelines
type: git
- name: OneBranch.Pipelines/GovernedTemplates
- ref: refs/heads/main
+ name: 1ESPipelineTemplates/1ESPipelineTemplates
+ ref: refs/tags/release
extends:
${{ if eq(parameters.official, true) }}:
- template: v2/Microsoft.Official.yml@templates # https://aka.ms/obpipelines/templates
+ template: v1/1ES.Official.PipelineTemplate.yml@1esPipelines
${{ else }}:
- template: v2/Microsoft.NonOfficial.yml@templates
+ template: v1/1ES.Unofficial.PipelineTemplate.yml@1esPipelines
parameters:
- featureFlags:
- WindowsHostVersion:
- Version: 2022
- Network: R1
- platform:
- name: 'windows_undocked'
- product: 'Windows Terminal'
- cloudvault: # https://aka.ms/obpipelines/cloudvault
- enabled: false
- globalSdl: # https://aka.ms/obpipelines/sdl
- enableCheckCFlags: false # CheckCFlags is broken and exploding our builds; to remove, :g/BAD-FLAGS/d
- isNativeCode: true
- prefast:
- enabled: true
- asyncSdl:
- enabled: true
- tsaOptionsFile: 'build/config/tsa.json'
+ customBuildTags:
+ - 1ES.PT.ViaStartRight
+ pool:
+ name: SHINE-INT-L
+ os: windows
+ sdl:
tsa:
enabled: true
configFile: '$(Build.SourcesDirectory)\build\config\tsa.json'
binskim:
- break: false
- scanOutputDirectoryOnly: true
+ enabled: true
policheck:
- break: false
+ enabled: false
severity: Note
baseline:
baselineFile: '$(Build.SourcesDirectory)\build\config\release.gdnbaselines'
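Review bot: The new `binskim:` block keeps only `enabled: true` and drops the `break: false` and `scanOutputDirectoryOnly: true` settings the OneBranch version carried, so which binaries are scanned and whether findings fail the build now rests on whatever the 1ESPT defaults are rather than on a stated choice. If parity is the intent, spelling it out as `binskim:` / `enabled: true` / `break: false` / `scanOutputDirectoryOnly: true` makes that explicit (I believe 1ESPT's sdl.binskim accepts both keys, but confirm against the template's parameter list before relying on it). The `ref: refs/tags/release` line also deserves a comment, since a tag ref floats with each template release; something like `# 1ESPT convention: a moving tag that tracks the latest released templates` records that the floating ref is deliberate. The `extends:` block continues past the hunk.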
@@ -117,17 +99,12 @@ extends:
jobs:
- template: ./build/pipelines/templates-v2/job-build-project.yml@self
parameters:
- pool: { type: windows }
- variables:
- ob_sdl_checkcflags_enabled: false # BAD-FLAGS
- ob_sdl_xfgcheck_enabled: false # BAD-FLAGS
- ob_sdl_prefast_runDuring: Build
- ob_sdl_checkCompliantCompilerWarnings: true
- ob_git_checkout: false # This job checks itself out
- ob_git_skip_checkout_none: true
- ob_outputDirectory: $(JobOutputDirectory)
- ob_artifactBaseName: $(JobOutputArtifactName)
- publishArtifacts: false # Handled by OneBranch
+ outerTemplateContext:
+ outputs:
+ - output: pipelineArtifact
+ targetPath: $(JobOutputDirectory)
+ artifactName: $(JobOutputArtifactName)
+ publishArtifacts: false # Handled by 1ESPT
branding: ${{ parameters.branding }}
buildTerminal: ${{ parameters.buildTerminal }}
buildConPTY: ${{ parameters.buildConPTY }}
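Review bot: The new parameter block for this native build job carries nothing equivalent to the compliant-compiler-warnings check that the removed `ob_sdl_checkCompliantCompilerWarnings: true` enabled, and the visible `sdl:` block earlier in this file does not enable it either, so that control appears to be dropped rather than migrated. If 1ESPT covers it through its own sdl configuration, a comment on `outerTemplateContext:` such as `# compiler-warning compliance is enforced by the 1ESPT sdl block, not per job` would settle the question; otherwise it should be re-enabled in the sdl configuration. The same `outerTemplateContext`/`outputs` block is then pasted into four more jobs further down (the WPF, Bundle, ConPTY and package-WPF hunks); a default for that parameter in job-build-project.yml would keep them aligned. The job list continues outside the hunk.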
@@ -135,13 +112,15 @@ extends:
pgoBuildMode: ${{ parameters.pgoBuildMode }}
buildConfigurations: ${{ parameters.buildConfigurations }}
buildPlatforms: ${{ parameters.buildPlatforms }}
- generateSbom: false # this is handled by onebranch
+ generateSbom: false # this is handled by 1ESPT
removeAllNonSignedFiles: true # appease the overlords
codeSign: ${{ parameters.codeSign }}
signingIdentity: ${{ parameters.signingIdentity }}
- beforeBuildSteps: # Right before we build, lay down the universal package and localizations
+ beforeBuildSteps:
- template: ./build/pipelines/templates-v2/steps-setup-versioning.yml@self
+ - template: ./build/pipelines/templates-v2/steps-install-terrapin.yml@self
+
- task: UniversalPackages@0
displayName: Download terminal-internal Universal Package
inputs:
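Review bot: The explanatory comment on `beforeBuildSteps:` was dropped at the same time a Terrapin install step was inserted between versioning setup and the universal-package download, so the ordering of these steps is now undocumented. Restoring it as `beforeBuildSteps: # Right before we build: set up versioning, install Terrapin, then lay down the universal package and localizations` keeps the sequencing intent visible to the next editor. The step list continues past the hunk.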
@@ -153,16 +132,12 @@ extends:
# Add an Any CPU build flavor for the WPF control bits
- template: ./build/pipelines/templates-v2/job-build-project.yml@self
parameters:
- pool: { type: windows }
- variables:
- ob_sdl_checkcflags_enabled: false # BAD-FLAGS
- ob_sdl_xfgcheck_enabled: false # BAD-FLAGS
- ob_sdl_prefast_enabled: false # This is a C# build job
- ob_git_checkout: false # This job checks itself out
- ob_git_skip_checkout_none: true
- ob_outputDirectory: $(JobOutputDirectory)
- ob_artifactBaseName: $(JobOutputArtifactName)
- publishArtifacts: false # Handled by OneBranch
+ outerTemplateContext:
+ outputs:
+ - output: pipelineArtifact
+ targetPath: $(JobOutputDirectory)
+ artifactName: $(JobOutputArtifactName)
+ publishArtifacts: false # Handled by 1ESPT
jobName: BuildWPF
branding: ${{ parameters.branding }}
buildTerminal: false
@@ -170,7 +145,7 @@ extends:
buildConfigurations: ${{ parameters.buildConfigurations }}
buildPlatforms:
- Any CPU
- generateSbom: false # this is handled by onebranch
+ generateSbom: false # this is handled by 1ESPT
removeAllNonSignedFiles: true # appease the overlords
codeSign: ${{ parameters.codeSign }}
signingIdentity: ${{ parameters.signingIdentity }}
@@ -185,95 +160,56 @@ extends:
- ${{ if eq(parameters.buildTerminal, true) }}:
- template: ./build/pipelines/templates-v2/job-merge-msix-into-bundle.yml@self
parameters:
- pool: { type: windows }
- variables:
- ob_sdl_checkcflags_enabled: false # BAD-FLAGS
- ob_sdl_xfgcheck_enabled: false # BAD-FLAGS
- ob_sdl_prefast_enabled: false # This is a collection of powershell scripts
- ob_git_checkout: false # This job checks itself out
- ob_git_skip_checkout_none: true
- ob_outputDirectory: $(JobOutputDirectory)
- ob_artifactBaseName: $(JobOutputArtifactName)
- ### This job is also in charge of submitting the vpack to Windows if it's enabled
- ob_createvpack_enabled: ${{ and(parameters.buildTerminal, parameters.createVpack) }}
- ob_updateOSManifest_enabled: ${{ and(parameters.buildTerminal, parameters.createVpack, parameters.publishVpackToWindows) }}
- ### If enabled above, these options are in play.
- ob_createvpack_packagename: 'WindowsTerminal.app'
- ob_createvpack_owneralias: 'conhost@microsoft.com'
- ob_createvpack_description: 'VPack for the Windows Terminal Application'
- ob_createvpack_targetDestinationDirectory: '$(Destination)'
- ob_createvpack_propsFile: false
- ob_createvpack_provData: true
- ob_createvpack_metadata: '$(Build.SourceVersion)'
- ob_createvpack_topLevelRetries: 0
- ob_createvpack_failOnStdErr: true
- ob_createvpack_taskLogVerbosity: Detailed
- ob_createvpack_verbose: true
- ob_createvpack_vpackdirectory: '$(JobOutputDirectory)\vpack'
- ob_createvpack_versionAs: string
- ob_createvpack_version: '$(XES_PACKAGEVERSIONNUMBER)'
- ob_updateOSManifest_gitcheckinConfigPath: '$(Build.SourcesDirectory)\build\config\GitCheckin.json'
- # We're skipping the 'fetch' part of the OneBranch rules, but that doesn't mean
- # that it doesn't expect to have downloaded a manifest directly to some 'destination'
- # folder that it can then update and upload.
- # Effectively: it says "destination" but it means "source"
- # DH: Don't ask why.
- ob_updateOSManifest_destination: $(XES_VPACKMANIFESTDIRECTORY)
- ob_updateOSManifest_skipFetch: true
- publishArtifacts: false # Handled by OneBranch
+ pool:
+ name: SHINE-INT-S
+ os: windows
+ outerTemplateContext:
+ outputs:
+ - output: pipelineArtifact
+ targetPath: $(JobOutputDirectory)
+ artifactName: $(JobOutputArtifactName)
+ publishArtifacts: false # Handled by 1ESPT
jobName: Bundle
branding: ${{ parameters.branding }}
buildConfigurations: ${{ parameters.buildConfigurations }}
buildPlatforms: ${{ parameters.buildPlatforms }}
- generateSbom: false # Handled by onebranch
+ generateSbom: false # Handled by 1ESPT
codeSign: ${{ parameters.codeSign }}
signingIdentity: ${{ parameters.signingIdentity }}
- afterBuildSteps:
- # This directory has to exist, even if we aren't using createvpack, because the Guardian rules demand it.
- - pwsh: |-
- New-Item "$(JobOutputDirectory)/vpack" -Type Directory
- displayName: Make sure the vpack directory exists
-
- - ${{ if parameters.createVpack }}:
- - pwsh: |-
- Copy-Item -Verbose -Path "$(MsixBundlePath)" -Destination (Join-Path "$(JobOutputDirectory)/vpack" 'Microsoft.WindowsTerminal_8wekyb3d8bbwe.msixbundle')
- displayName: Stage msixbundle for vpack
- ${{ if eq(parameters.buildConPTY, true) }}:
- template: ./build/pipelines/templates-v2/job-package-conpty.yml@self
parameters:
- pool: { type: windows }
- variables:
- ob_sdl_checkcflags_enabled: false # BAD-FLAGS
- ob_sdl_xfgcheck_enabled: false # BAD-FLAGS
- ob_sdl_prefast_enabled: false # This is a collection of powershell scripts
- ob_git_checkout: false # This job checks itself out
- ob_git_skip_checkout_none: true
- ob_outputDirectory: $(JobOutputDirectory)
- ob_artifactBaseName: $(JobOutputArtifactName)
- publishArtifacts: false # Handled by OneBranch
+ pool:
+ name: SHINE-INT-S
+ os: windows
+ outerTemplateContext:
+ outputs:
+ - output: pipelineArtifact
+ targetPath: $(JobOutputDirectory)
+ artifactName: $(JobOutputArtifactName)
+ publishArtifacts: false # Handled by 1ESPT
buildConfigurations: ${{ parameters.buildConfigurations }}
buildPlatforms: ${{ parameters.buildPlatforms }}
- generateSbom: false # this is handled by onebranch
+ generateSbom: false # this is handled by 1ESPT
codeSign: ${{ parameters.codeSign }}
signingIdentity: ${{ parameters.signingIdentity }}
- ${{ if eq(parameters.buildWPF, true) }}:
- template: ./build/pipelines/templates-v2/job-build-package-wpf.yml@self
parameters:
- pool: { type: windows }
- variables:
- ob_sdl_checkcflags_enabled: false # BAD-FLAGS
- ob_sdl_xfgcheck_enabled: false # BAD-FLAGS
- ob_sdl_prefast_enabled: false # This is a collection of powershell scripts
- ob_git_checkout: false # This job checks itself out
- ob_git_skip_checkout_none: true
- ob_outputDirectory: $(JobOutputDirectory)
- ob_artifactBaseName: $(JobOutputArtifactName)
- publishArtifacts: false # Handled by OneBranch
+ pool:
+ name: SHINE-INT-S
+ os: windows
+ outerTemplateContext:
+ outputs:
+ - output: pipelineArtifact
+ targetPath: $(JobOutputDirectory)
+ artifactName: $(JobOutputArtifactName)
+ publishArtifacts: false # Handled by 1ESPT
buildConfigurations: ${{ parameters.buildConfigurations }}
buildPlatforms: ${{ parameters.buildPlatforms }}
- generateSbom: false # this is handled by onebranch
+ generateSbom: false # this is handled by 1ESPT
codeSign: ${{ parameters.codeSign }}
signingIdentity: ${{ parameters.signingIdentity }}
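Review bot: The agent pool `SHINE-INT-S` is written out verbatim in three job parameter blocks in this hunk and once more in the publish-symbols hunk below, while the build jobs inherit `SHINE-INT-L` from the outer `pool:`; a template parameter holding that `name`/`os` mapping as its default would keep the pool choice in one place and let the nightly override it the way it already overrides `official`. The template's `parameters:` section where such a default would live is outside this hunk, and the `extends:` block continues past it.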
@@ -286,19 +222,12 @@ extends:
jobs:
- template: ./build/pipelines/templates-v2/job-publish-symbols-using-symbolrequestprod-api.yml@self
parameters:
- pool: { type: windows }
+ pool:
+ name: SHINE-INT-S
+ os: windows
includePublicSymbolServer: ${{ parameters.publishSymbolsToPublic }}
symbolExpiryTime: ${{ parameters.symbolExpiryTime }}
subscription: ${{ parameters.symbolPublishingSubscription }}
symbolProject: ${{ parameters.symbolPublishingProject }}
- variables:
- ob_sdl_checkcflags_enabled: false # BAD-FLAGS
- ob_sdl_xfgcheck_enabled: false # BAD-FLAGS
- ob_sdl_prefast_enabled: false # This is a collection of powershell scripts
- ob_git_checkout: false # This job checks itself out
- ob_git_skip_checkout_none: true
- ob_outputDirectory: $(Build.ArtifactStagingDirectory)
- # Without this, OneBranch will nerf our symbol tasks
- ob_symbolsPublishing_enabled: true
- ${{ parameters.extraPublishJobs }} |
| jobs: | ||
| - job: ${{ parameters.jobName }} | ||
| templateContext: ${{ parameters.outerTemplateContext }} |
this stuff allows the outer template to inject stuff into THIS job for the grandparent/ancestor template. lol.
lmao "yes yes pass along our parameters whatever"
Suggestion: The OneBranch pipeline has PoliCheck enabled (non-breaking) via policheck: break: false, but this new 1ESPT template explicitly disables it (enabled: false). Consider re-enabling it as non-breaking to maintain parity:
```yaml
policheck:
  enabled: true
  break: false # Match OneBranch behavior: scan but don't fail the build
  severity: Note
```
Thanks Gordon! I'm choosing to keep this as-is, but may address it in a follow-up PR that targets all of our code scanning rules at once.
This pipeline runs on our agents, rather than OneBranch's, and doesn't use all of the OneBranch machinery--which is only required for producing a vpack that we check into Windows. Since Canary will never be a vpack, we don't need to worry.
It runs at about twice the speed and we control the build images!
This pull request also adds support for the "Terrapin Retrieval Tool," which will allow us to move away from having vcpkg contact remote servers directly to download source code (and which may become mandatory even in our OneBranch pipelines.)