Azure DevOps pipeline resources

rayluo · rayluo · commit 6bdd63f94a9d · 2024-06-21T11:53:20.000-07:00
diff --git a/.ado/azure-pipelines.yml b/.ado/azure-pipelines.yml
@@ -0,0 +1,114 @@
+# Derived from https://dev.azure.com/mseng/Python/_git/dlltracer-python?path=/azure-pipelines.yml
+name: 0.$(Year:yyyy).$(DayOfYear).$(Rev:r)
+
+parameters:
+- name: Signed
+  displayName: "Real signed"
+  type: boolean
+  default: false
+- name: Publish
+  displayName: "Publish"
+  type: boolean
+  default: false
+- name: Feed
+  displayName: "Publish to feed"
+  type: string
+  default: "pypi"
+- name: SigningKeyCode
+  displayName: "Signing key (when 'Signed' is selected)"
+  type: string
+  #default: "CP-230072" # Testing (never trusted)
+  default: "CP-230012" # Real signed
+  #default: "CP-231522" # OSS real signed
+  #default: "CP-230856" # MSFT-internal signed
+- name: pythons
+  displayName: "Python versions (amd64)"
+  type: object
+  default:
+  - wheeltag: cp37-cp37-win_amd64
+    version: 3.7
+    arch: x64
+    id: 37x64
+  - wheeltag: cp38-cp38-win_amd64
+    version: 3.8
+    arch: x64
+    id: 38x64
+  - wheeltag: cp39-cp39-win_amd64
+    version: 3.9
+    arch: x64
+    id: 39x64
+  - wheeltag: cp310-cp310-win_amd64
+    version: '3.10.*'
+    arch: x64
+    id: 310x64
+  - wheeltag: cp311-cp311-win_amd64
+    version: 3.11
+    arch: x64
+    id: 311x64
+  - wheeltag: cp312-cp312-win_amd64
+    version: 3.12
+    arch: x64
+    id: 312x64
+
+
+resources:
+  repositories:
+  - repository: dlltracer
+    name: microsoft/dlltracer-python
+    type: github
+    ref: main
+    endpoint: zooba
+  - repository: 1esPipelines
+    type: git
+    name: 1ESPipelineTemplates/1ESPipelineTemplates
+    ref: refs/tags/release
+
+
+trigger: none
+
+
+variables:
+  REF: $[ resources.repositories['dlltracer'].ref ]
+  PIP_DISABLE_PIP_VERSION_CHECK: true
+  PIP_NO_COLOR: true
+  PIP_NO_INPUT: true
+  PIP_PROGRESS_BAR: off
+  PIP_REQUIRE_VIRTUALENV: false
+  PIP_VERBOSE: true
+  PYMSBUILD_VERBOSE: true
+
+
+extends:
+  template: v1/1ES.Official.PipelineTemplate.yml@1esPipelines
+  parameters:
+    pool:
+      name: Python-1ES-Hosted-Pool
+      image: windows-1espt
+      os: windows
+
+    sdl:
+      sourceRepositoriesToScan:
+        include:
+        - repository: dlltracer
+
+    customBuildTags:
+    - ${{ if eq(parameters.Signed, 'true') }}:
+      - signed
+      - signed-${{ parameters.SigningKeyCode }}
+    - ${{ each py in parameters.pythons }}:
+      - ${{ py.wheeltag }}
+
+    stages:
+    - stage: Stage
+      jobs:
+      - template: build.yml@self
+        parameters:
+          pythons: ${{ parameters.pythons }}
+          Signed: ${{ parameters.Signed }}
+          SigningKeyCode: ${{ parameters.SigningKeyCode }}
+
+      - ${{ if eq(parameters.Publish, 'true') }}:
+        - template: publish.yml@self
+          parameters:
+            Feed: ${{ parameters.Feed }}
+
diff --git a/.ado/build.yml b/.ado/build.yml
@@ -0,0 +1,170 @@
+parameters:
+  Artifact: dist
+  pythons: []
+  Signed: false
+  SigningKeyCode: ''
+
+jobs:
+- job: Build
+
+  variables:
+  - ${{ if eq(parameters.Signed, 'true') }}:
+    - group: ESRPClient
+  - name: DistDir
+    value: $(Build.ArtifactStagingDirectory)/dist
+  - name: TempDir
+    value: $(Build.BinariesDirectory)/tmp
+  - name: LayoutDir
+    value: $(Build.BinariesDirectory)/layout
+
+  steps:
+  - checkout: dlltracer
+
+  - task: UsePythonVersion@0
+    inputs:
+      versionSpec: '>=3.10'
+      architecture: 'x64'
+    displayName: 'Use latest Python by default'
+
+  # Acquire a copy of each Python version, specifically for its Include and libs directories.
+  - ${{ each py in parameters.pythons }}:
+    - task: UsePythonVersion@0
+      name: 'py${{ py.id }}'
+      displayName: 'Download ${{ py.wheeltag }}'
+      inputs:
+        versionSpec: '${{ py.version }}'
+        architecture: '${{ py.arch }}'
+        addToPath: false
+
+  - task: PipAuthenticate@1
+    inputs:
+      artifactFeeds: Python
+    displayName: 'Authenticate pip for internal feed'
+
+  - powershell: |
+      python -m pip install pymsbuild Cython
+    displayName: 'Install dependencies'
+
+  - powershell: |
+      Write-Output "##vso[task.setvariable variable=GITHUB_REF]$(REF)"
+    displayName: 'Update build reference'
+    condition: and(succeeded(), startswith(variables['REF'], 'refs/tags/'))
+
+  ##############################################################################
+  # BUILD SDIST and EXTENSION MODULES
+  ##############################################################################
+
+  # sdist requires no signing/SBOM or special handling, so just build it
+  - powershell: |
+      python -m pymsbuild sdist -d $(DistDir)
+    displayName: 'Build sdist'
+
+  # Build the extension modules for this Python version, but do not
+  # pack the wheel yet (the '--layout' option achieves this)
+  - ${{ each py in parameters.pythons }}:
+    - powershell: |
+        $env:PYTHON_INCLUDES = Join-Path $env:PREFIX "Include"
+        $env:PYTHON_LIBS = Join-Path $env:PREFIX "libs"
+        python -m pymsbuild wheel -d $(DistDir) --layout "$(LayoutDir)/${{ py.id }}"
+        "" | Out-File -Encoding ascii "$(LayoutDir)/${{ py.id }}-extras.txt"
+      displayName: 'Build ${{ py.wheeltag }}'
+      env:
+        PREFIX: $(py${{ py.id }}.pythonLocation)
+        PYMSBUILD_WHEEL_TAG: ${{ py.wheeltag }}
+
+  ##############################################################################
+  # CODE SIGN EXTENSION MODULES
+  ##############################################################################
+
+  - ${{ if eq(parameters.Signed, 'true') }}:
+    - task: 1ES.Signing@1
+      displayName: 'Codesign modules'
+      inputs:
+        ClientID: $(ESRP.ClientID)
+        TenantID: $(ESRP.TenantID)
+        Directory: '$(LayoutDir)'
+        Pattern: |
+          **/*.pyd
+        Operations: |
+          [
+            {
+              "KeyCode" : "${{parameters.SigningKeyCode}}",
+              "OperationCode" : "SigntoolSign",
+              "Parameters" : {
+                "OpusName" : "dlltracer-python $(REF)",
+                "OpusInfo" : "https://github.com/microsoft/dlltracer-python/",
+                "Append" : "/as",
+                "FileDigest" : "/fd \"SHA256\"",
+                "PageHash" : "/NPH",
+                "TimeStamp" : "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256"
+              },
+              "ToolName" : "sign",
+              "ToolVersion" : "1.0"
+            },
+            {
+              "KeyCode" : "${{parameters.SigningKeyCode}}",
+              "OperationCode" : "SigntoolVerify",
+              "Parameters" : {},
+              "ToolName" : "sign",
+              "ToolVersion" : "1.0"
+            }
+          ]
+
+  ##############################################################################
+  # GENERATE SBOM (only when signing)
+  ##############################################################################
+
+  - ${{ if eq(parameters.Signed, 'true') }}:
+    - ${{ each py in parameters.pythons }}:
+      - task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0
+        displayName: 'Generate SBOM for Python ${{ py.wheeltag }}'
+        inputs:
+          BuildDropPath: "$(LayoutDir)/${{ py.id }}"
+
+      # Move the SBOM manifest directory into the dist-info directory
+      # and add its content to the list of files to include.
+      - powershell: |
+          $m = gi "*.dist-info" | select -first 1
+          mv _manifest $m -Force
+          $new_files = (gci "$m\_manifest" -File -Recurse).FullName
+          $new_files | Out-File "$(LayoutDir)\${{ py.id }}-extras.txt" -Encoding ascii
+        workingDirectory: '$(LayoutDir)/${{ py.id }}'
+        displayName: 'Add SBOM into ${{ py.wheeltag }} wheel'
+
+  ##############################################################################
+  # PACK WHEELS
+  ##############################################################################
+
+  - ${{ each py in parameters.pythons }}:
+    - powershell: >
+        python -m pymsbuild
+        pack
+        --layout-dir "$(LayoutDir)/${{ py.id }}"
+        --add "@$(LayoutDir)/${{ py.id }}-extras.txt"
+      displayName: 'Pack ${{ py.wheeltag }} wheel'
+
+  ##############################################################################
+  # SMOKE TESTS
+  ##############################################################################
+
+  - powershell: |
+      python -m pip wheel (gi "$(DistDir)\*.tar.gz") -w $(TempDir)
+    displayName: 'Test that SDist will build'
+
+  - powershell: |
+      python -m pip install dlltracer
+      if ($?) { python -c "import dlltracer, dlltracer._native" }
+    displayName: 'Check that built module will import'
+    env:
+      PIP_NO_DEPS: 1
+      PIP_NO_INDEX: 1
+      PIP_FIND_LINKS: $(TempDir)
+      PIP_ONLY_BINARY: ':all:'
+
+  templateContext:
+    outputs:
+    - output: pipelineArtifact
+      path: $(DistDir)
+      artifact: ${{ parameters.Artifact }}
+      displayName: 'Publish build to ${{ parameters.Artifact }}'
+
diff --git a/.ado/publish.yml b/.ado/publish.yml
@@ -0,0 +1,64 @@
+parameters:
+  Artifact: dist
+  Feed: pypi
+
+jobs:
+- job: Publish
+  dependsOn: Build
+  displayName: 'Publish to ${{ parameters.Feed }}'
+
+  variables:
+    DistDir: $(Pipeline.Workspace)\${{ parameters.Artifact }}
+
+  steps:
+  - checkout: none
+
+  - download: current
+    artifact: ${{ parameters.Artifact }}
+    displayName: 'Download built distribution'
+
+  - ${{ if eq(parameters.Feed, 'pypi') }}:
+    - task: EsrpRelease@4
+      displayName: 'ESRP Release to PyPI'
+      inputs:
+        ConnectedServiceName: 'Python ESRP Release'
+        Intent: PackageDistribution
+        ContentType: PyPI
+        FolderLocation: $(DistDir)
+        Owners: 'stevdo@microsoft.com'
+        Approvers: 'grwheele@microsoft.com'
+        ServiceEndpointUrl: 'https://api.esrp.microsoft.com'
+        MainPublisher: 'Python'
+        DomainTenantId: '72f988bf-86f1-41af-91ab-2d7cd011db47'
+
+  - ${{ else }}:
+    - task: PipAuthenticate@1
+      inputs:
+        artifactFeeds: Python
+      displayName: 'Authenticate pip for internal feed'
+
+    - powershell: python -m pip install twine
+      displayName: Install twine
+
+    - task: TwineAuthenticate@1
+      inputs:
+        artifactFeed: ${{ parameters.Feed }}
+      displayName: 'Authenticate internal feed'
+
+    - powershell: >
+        python -m twine
+        upload
+        --config-file "$(PYPIRC_PATH)"
+        "$(DistDir)/*.tar.gz"
+        "$(DistDir)/*.whl"
+      displayName: 'Push to internal feed'
+      env:
+        TWINE_REPOSITORY: ${{ parameters.Feed }}
+        TWINE_NON_INTERACTIVE: 1
+
+  - powershell: |
+      $feed = "${{ parameters.Feed }}" -replace '[^a-zA-Z]', '_'
+      echo "##vso[build.addbuildtag]published"
+      echo "##vso[build.addbuildtag]published-$feed"
+    displayName: 'Add publishedfeed tag'
+
