-
Notifications
You must be signed in to change notification settings - Fork 6
Expand file tree
/
Copy pathazure-pipelines.yml
More file actions
149 lines (140 loc) · 7.92 KB
/
azure-pipelines.yml
File metadata and controls
149 lines (140 loc) · 7.92 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
trigger:
tags:
include:
- "v*"
branches:
exclude:
- "*"
pr: none
pool:
vmImage: windows-latest
stages:
- stage: Build
jobs:
- job: Build
displayName: "Build"
steps:
- pwsh: |
nuget restore $(Build.Repository.LocalPath)\\cs-windows-firewall-bouncer.sln
displayName: "restore build deps"
- task: DotNetCoreCLI@2
displayName: "Install SignClient"
inputs:
command: 'custom'
custom: 'tool'
arguments: 'install --global SignClient --version 1.3.155'
- task: VSBuild@1
displayName: "Build bouncer"
inputs:
solution: '$(Build.Repository.LocalPath)\\cs-windows-firewall-bouncer.sln'
vsVersion: '17.0'
msbuildArgs: '-t:cs-windows-firewall-bouncer:rebuild'
platform: 'x64'
configuration: 'Release'
- task: AzureKeyVault@2
inputs:
azureSubscription: 'Azure subscription 1(8a93ab40-7e99-445e-ad47-0f6a3e2ef546)'
KeyVaultName: 'CodeSigningSecrets'
SecretsFilter: 'CodeSigningUser,CodeSigningPassword'
RunAsPreJob: false
- task: DownloadSEcureFile@1
inputs:
secureFile: appsettings.json
- pwsh: |
SignClient.exe Sign --name "windows-firewall-bouncer.exe" `
--baseDirectory (Join-Path -Path $(Build.Repository.LocalPath) -ChildPath cs-windows-firewall-bouncer\\bin\\x64\\Release\\net6.0-windows) `
--input "*.{exe,dll}" --config (Join-Path -Path $(Agent.TempDirectory) -ChildPath "appsettings.json") `
--user $(CodeSigningUser) --secret '$(CodeSigningPassword)'
displayName: "Sign bouncer binary"
- task: VSBuild@1
displayName: "Build installers"
inputs:
solution: 'cs-windows-firewall-bouncer.sln'
vsVersion: '17.0'
msbuildArgs: '-t:cs-windows-firewall-installer-bundle /p:RunWixToolsOutOfProc=true'
platform: 'x64'
configuration: 'Release'
- pwsh: |
SignClient.exe Sign --name "windows-firewall-bouncer.msi" `
--baseDirectory (Join-Path -Path $(Build.Repository.LocalPath) -ChildPath cs-windows-firewall-bouncer-setup\\bin\\x64\\Release) `
--input "*.msi" --config (Join-Path -Path $(Agent.TempDirectory) -ChildPath "appsettings.json") `
--user $(CodeSigningUser) --secret '$(CodeSigningPassword)'
displayName: "Sign MSI"
- pwsh: |
$env:Path += ";C:\Program Files (x86)\WiX Toolset v3.11\bin"
New-Item -type Directory bundle_sign
insignia.exe -ib (Join-Path -Path $(Build.Repository.LocalPath) -ChildPath cs-windows-firewall-installer-bundle\\bin\\Release\\cs_windows_firewall_installer_bundle.exe) -o bundle_sign\\engine.exe
SignClient.exe Sign --name "windows-firewall-bouncer-bundle-engine.exe" `
--input "bundle_sign\\engine.exe" --config (Join-Path -Path $(Agent.TempDirectory) -ChildPath "appsettings.json") `
--user $(CodeSigningUser) --secret '$(CodeSigningPassword)'
insignia.exe -ab bundle_sign\\engine.exe (Join-Path -Path $(Build.Repository.LocalPath) -ChildPath cs-windows-firewall-installer-bundle\\bin\\Release\\cs_windows_firewall_installer_bundle.exe) `
-o (Join-Path -Path $(Build.Repository.LocalPath) -ChildPath cs-windows-firewall-installer-bundle\\bin\\Release\\cs_windows_firewall_installer_bundle.exe)
SignClient.exe Sign --name "windows-firewall-bouncer-bundle.exe" `
--baseDirectory (Join-Path $(Build.Repository.LocalPath) -ChildPath cs-windows-firewall-installer-bundle\\bin\\Release) --input "*.exe" `
--config (Join-Path -Path $(Agent.TempDirectory) -ChildPath "appsettings.json") `
--user $(CodeSigningUser) --secret '$(CodeSigningPassword)'
displayName: "Sign bundle"
- pwsh: |
$build_version=("$(Build.SourceBranch)".Split('/')[2].Substring(1))
.\make_choco.ps1
Write-Host "##vso[task.setvariable variable=BuildVersion;isOutput=true]$build_version"
displayName: "Build chocolatey package"
name: "chocoBuild"
- task: PublishBuildArtifacts@1
inputs:
PathtoPublish: '$(Build.Repository.LocalPath)\\cs-windows-firewall-installer-bundle\\bin\\Release\\cs_windows_firewall_installer_bundle.exe'
ArtifactName: 'cs_windows_firewall_installer_bundle.exe'
publishLocation: 'Container'
displayName: "Upload bundle artifact"
- task: PublishBuildArtifacts@1
inputs:
PathtoPublish: '$(Build.Repository.LocalPath)\\cs-windows-firewall-bouncer-setup\\bin\\x64\\Release\\cs_windows_firewall_bouncer_setup.msi'
ArtifactName: 'cs_windows_firewall_bouncer_setup.msi'
publishLocation: 'Container'
displayName: "Upload MSI artifact"
- task: PublishBuildArtifacts@1
inputs:
PathtoPublish: '$(Build.Repository.LocalPath)\\Chocolatey\\crowdsec-windows-firewall-bouncer\\crowdsec-windows-firewall-bouncer.$(chocoBuild.BuildVersion).nupkg'
ArtifactName: 'cs_windows_firewall_bouncer_setup.nupkg'
publishLocation: 'Container'
displayName: "Upload Chocolatey nupkg"
- stage: Publish
dependsOn: Build
jobs:
- deployment: "Publish"
displayName: "Publish to GitHub"
environment: github
variables:
BuildVersion: $[ stageDependencies.Build.Build.outputs['chocoBuild.BuildVersion'] ]
strategy:
runOnce:
deploy:
steps:
- bash: |
tag=$(curl -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/crowdsecurity/cs-windows-firewall-bouncer/releases | jq -r '. | map(select(.prerelease==true)) | sort_by(.created_at) | reverse | .[0].tag_name')
echo "##vso[task.setvariable variable=LatestPreRelease;isOutput=true]$tag"
name: GetLatestPrelease
- task: AzureKeyVault@2
inputs:
azureSubscription: 'Azure subscription 1(8a93ab40-7e99-445e-ad47-0f6a3e2ef546)'
KeyVaultName: 'CodeSigningSecrets'
SecretsFilter: 'ChocolateyAPIKey'
RunAsPreJob: false
- task: GitHubRelease@1
inputs:
gitHubConnection: "github.com_blotus"
repositoryName: '$(Build.Repository.Name)'
action: 'edit'
tag: '$(GetLatestPrelease.LatestPreRelease)'
assetUploadMode: 'replace'
isPreRelease: true #we force prerelease because the pipeline is invoked on tag creation, which happens when we do a prerelease
#the .. is an ugly hack, but I can't find the var that gives D:\a\1 ...
assets: |
$(Build.ArtifactStagingDirectory)\..\cs_windows_firewall_bouncer_setup.msi\cs_windows_firewall_bouncer_setup.msi
$(Build.ArtifactStagingDirectory)\..\cs_windows_firewall_installer_bundle.exe\cs_windows_firewall_installer_bundle.exe
condition: ne(variables['GetLatestPrelease.LatestPreRelease'], '')
- pwsh: |
choco apikey --key $(ChocolateyAPIKey) --source https://push.chocolatey.org/
choco push $(Build.ArtifactStagingDirectory)\..\cs_windows_firewall_bouncer_setup.nupkg\crowdsec-windows-firewall-bouncer.$(BuildVersion).nupkg --source https://push.chocolatey.org/
displayName: "Push to Chocolatey"
condition: ne(variables['GetLatestPrelease.LatestPreRelease'], '')