
Commit ca59719

Update common Docker engineering infrastructure with latest
1 parent eb81b1d commit ca59719

29 files changed

+442
-125
lines changed

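--- a/eng/common/templates/1es.yml
+++ b/eng/common/templates/1es.yml
@@ -0,0 +1,70 @@
+# When extending this template, pipelines using a repository resource containing versions files for image caching must
+# do the following:
+#
+# - Do not rely on any source code from the versions repo so as to not circumvent SDL and CG guidelines
+# - The versions repo resource must be named `VersionsRepo` to avoid SDL scans
+# - The versions repo must be checked out to `$(Build.SourcesDirectory)/versions` to avoid CG scans
+#
+# If the pipeline is not using a separate repository resource, ensure that there is no source code checked out in
+# `$(Build.SourcesDirectory)/versions`, as it will not be scanned.
+
+parameters:
+- name: stages
+type: stageList
+default: []
+# List of repositories that will be excluded from SDL scanning. This should
+# only be used when including other repos without building their source code.
+# E.g. for the dotnet/versions repo.
+- name: reposToExcludeFromScanning
+type: object
+default: []
+# The pool that will be used for initializing service connections.
+- name: pool
+type: object
+default:
+name: $(default1ESInternalPoolName)
+image: $(default1ESInternalPoolImage)
+os: linux
+# The pool that will be used for SDL jobs.
+- name: sourceAnalysisPool
+type: object
+default:
+name: $(defaultSourceAnalysisPoolName)
+image: $(defaultSourceAnalysisPoolImage)
+os: windows
+
+resources:
+repositories:
+- repository: 1ESPipelineTemplates
+type: git
+name: 1ESPipelineTemplates/1ESPipelineTemplates
+ref: refs/tags/release
+
+extends:
+template: /eng/common/templates/task-prefix-decorator.yml@self
+parameters:
+baseTemplate: v1/1ES.${{ iif(contains(variables['Build.DefinitionName'], '-official'), 'Official', 'Unofficial') }}.PipelineTemplate.yml@1ESPipelineTemplates
+templateParameters:
+pool: ${{ parameters.pool }}
+sdl:
+# Required for unofficial pipelines because we rely on the ManifestGeneratorTask that is
+# automatically installed by 1ES pipeline templates
+sbom:
+enabled: true
+binskim:
+enabled: true
+componentgovernance:
+ignoreDirectories: $(Build.SourcesDirectory)/versions
+showAlertLink: true
+policheck:
+enabled: true
+${{ if ne(length(parameters.reposToExcludeFromScanning), 0) }}:
+sourceRepositoriesToScan:
+exclude:
+- ${{ each repo in parameters.reposToExcludeFromScanning }}:
+- repository: ${{ repo }}
+sourceAnalysisPool: ${{ parameters.sourceAnalysisPool }}
+tsa:
+enabled: true
+stages:
+- ${{ parameters.stages }}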
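Review bot: The `baseTemplate` expression chooses between the Official and Unofficial 1ES template purely from whether `Build.DefinitionName` contains `-official`, so a pipeline that is renamed or created without that suffix silently extends the Unofficial template. If the Official template is the one that enforces the compliance gates for shipping builds (not visible on this page), that selection fails open. An explicit parameter would make the choice reviewable; at minimum a comment above `baseTemplate` should record the contract, e.g. `# Production pipelines must keep '-official' in the definition name; any other name selects the Unofficial template.`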

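--- a/eng/common/templates/jobs/build-images.yml
+++ b/eng/common/templates/jobs/build-images.yml
@@ -6,6 +6,7 @@ parameters:
 buildJobTimeout: 60
 commonInitStepsForMatrixAndBuild: []
 customInitSteps: []
+publishConfig: null
 noCache: false
 internalProjectName: null
 publicProjectName: null
@@ -48,13 +49,13 @@ jobs:
 # to escape the single quotes that are in the string which would need to be done outside the context of PowerShell. Since
 # all we need is for that value to be in a PowerShell variable, we can get that by the fact that AzDO automatically creates
 # the environment variable for us.
-$imageBuilderBuildArgs = "$env:IMAGEBUILDERBUILDARGS $(imageBuilder.queueArgs) --image-info-output-path $(imageInfoContainerDir)/$(legName)-image-info.json $(commonMatrixAndBuildOptions)"
+$imageBuilderBuildArgs = "$env:IMAGEBUILDERBUILDARGS $env:IMAGEBUILDER_QUEUEARGS --image-info-output-path $(imageInfoContainerDir)/$(legName)-image-info.json $(commonMatrixAndBuildOptions)"
 if ($env:SYSTEM_TEAMPROJECT -eq "${{ parameters.internalProjectName }}" -and $env:BUILD_REASON -ne "PullRequest") {
-$imageBuilderBuildArgs = "$imageBuilderBuildArgs --repo-prefix $(stagingRepoPrefix) --push"
+$imageBuilderBuildArgs = "$imageBuilderBuildArgs --repo-prefix ${{ parameters.publishConfig.buildAcr.repoPrefix }} --push"
 }
 
 # If the pipeline isn't configured to disable the cache and a build variable hasn't been set to disable the cache
-if ("$(pipelineDisabledCache)" -ne "true" -and $env:NOCACHE -ne "true") {
+if ("$(pipelineDisabledCache)" -ne "true" -and "${{ parameters.noCache }}" -ne "true") {
 $imageBuilderBuildArgs = "$imageBuilderBuildArgs --image-info-source-path $(versionsBasePath)$(imageInfoVersionsPath)"
 }
 
@@ -66,10 +67,12 @@ jobs:
 name: BuildImages
 displayName: Build Images
 serviceConnections:
+# "name" here refers to the argument name, not the service connection name.
+# It should probably be changed to "argName".
 - name: acr
-id: $(build.serviceConnection.id)
-tenantId: $(build.serviceConnection.tenantId)
-clientId: $(build.serviceConnection.clientId)
+id: ${{ parameters.publishConfig.buildAcr.serviceConnection.id }}
+tenantId: ${{ parameters.publishConfig.buildAcr.serviceConnection.tenantId }}
+clientId: ${{ parameters.publishConfig.buildAcr.serviceConnection.clientId }}
 - ${{ if eq(parameters.isInternalServicingValidation, true) }}:
 - name: storage
 id: $(dotnetstaging.serviceConnection.id)
@@ -86,8 +89,8 @@ jobs:
 --architecture $(architecture)
 --retry
 --digests-out-var 'builtImages'
---acr-subscription '$(acr-staging.subscription)'
---acr-resource-group '$(acr-staging.resourceGroup)'
+--acr-subscription '${{ parameters.publishConfig.buildAcr.subscription }}'
+--acr-resource-group '${{ parameters.publishConfig.buildAcr.resourceGroup }}'
 $(manifestVariables)
 $(imageBuilderBuildArgs)
 - template: /eng/common/templates/steps/publish-artifact.yml@self
@@ -134,7 +137,7 @@ jobs:
 # Manifest tool docs: https://eng.ms/docs/cloud-ai-platform/devdiv/one-engineering-system-1es/1es-docs/secure-supply-chain/custom-sbom-generation-workflows
 $images -Split ',' | ForEach-Object {
 echo "Generating SBOM for $_";
-$formattedImageName = $_.Replace('$(acr-staging.server)/$(stagingRepoPrefix)', "").Replace('/', '_').Replace(':', '_');
+$formattedImageName = $_.Replace('${{ parameters.publishConfig.buildAcr.server }}/${{ parameters.publishConfig.buildAcr.repoPrefix }}', "").Replace('/', '_').Replace(':', '_');
 $sbomChildDir = "$(sbomDirectory)/$formattedImageName";
 New-Item -Type Directory -Path $sbomChildDir > $null;
 & $dotnetPath "$manifestToolDllPath" `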
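Review bot: `publishConfig` is declared with `null` as its default but every new line dereferences it unconditionally, and a property lookup on a missing object in a template expression most likely expands to an empty string rather than failing (worth confirming). A caller that forgets to pass it would then build `--repo-prefix  --push` with an empty prefix, blank `--acr-subscription`/`--acr-resource-group` values and blank service-connection ids, and the SBOM step would run `.Replace('/', "")`, removing every slash from the image name. Because these values decide which registry and identity the push uses, the job should fail early, for instance with a guard step that errors when `publishConfig.buildAcr.server` is empty, plus a comment on the parameter such as `# Required: object with buildAcr/publishAcr/internalMirrorAcr entries`. The same `null` default is added in generate-matrix.yml, publish.yml and both test-images templates; copy-base-images-staging.yml uses typed parameters, so dropping `default: null` there would make the parameter required.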

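--- a/eng/common/templates/jobs/copy-base-images-staging.yml
+++ b/eng/common/templates/jobs/copy-base-images-staging.yml
@@ -5,6 +5,9 @@ parameters:
 - name: pool
 type: object
 default: {}
+- name: publishConfig
+type: object
+default: null
 - name: customInitSteps
 type: stepList
 default: []
@@ -22,12 +25,5 @@ jobs:
 pool: ${{ parameters.pool }}
 customInitSteps: ${{ parameters.customInitSteps }}
 additionalOptions: ${{ parameters.additionalOptions }}
-acr:
-server: $(acr-staging.server)
-serviceConnection:
-tenantId: $(internal-mirror.serviceConnection.tenantId)
-clientId: $(internal-mirror.serviceConnection.clientId)
-id: $(internal-mirror.serviceConnection.id)
-subscription: $(acr-staging.subscription)
-resourceGroup: $(acr-staging.resourceGroup)
-repoPrefix: $(mirrorRepoPrefix)
+acr: ${{ parameters.publishConfig.internalMirrorAcr }}
+repoPrefix: ${{ parameters.publishConfig.internalMirrorAcr.repoPrefix }}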

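--- a/eng/common/templates/jobs/generate-matrix.yml
+++ b/eng/common/templates/jobs/generate-matrix.yml
@@ -6,6 +6,7 @@ parameters:
 isTestStage: false
 internalProjectName: null
 noCache: false
+publishConfig: null
 customInitSteps: []
 commonInitStepsForMatrixAndBuild: []
 sourceBuildPipelineRunId: ""
@@ -20,6 +21,7 @@ jobs:
 - ${{ parameters.customInitSteps }}
 - template: /eng/common/templates/steps/validate-branch.yml@self
 parameters:
+publishConfig: ${{ parameters.publishConfig }}
 internalProjectName: ${{ parameters.internalProjectName }}
 - template: /eng/common/templates/steps/set-image-info-path-var.yml
 parameters:
@@ -36,7 +38,7 @@ jobs:
 if ("${{ parameters.isTestStage}}" -eq "true") {
 $additionalGenerateBuildMatrixOptions = "$additionalGenerateBuildMatrixOptions --image-info $(artifactsPath)/image-info.json"
 }
-elseif ("$(pipelineDisabledCache)" -ne "true" -and $env:NOCACHE -ne "true" -and "$(trimCachedImagesForMatrix)" -eq "true") {
+elseif ("$(pipelineDisabledCache)" -ne "true" -and "${{ parameters.noCache }}" -ne "true" -and "$(trimCachedImagesForMatrix)" -eq "true") {
 # If the pipeline isn't configured to disable the cache and a build variable hasn't been set to disable the cache
 $additionalGenerateBuildMatrixOptions = "$additionalGenerateBuildMatrixOptions --image-info $(versionsBasePath)$(imageInfoVersionsPath) --trim-cached-images"
 }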

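--- a/eng/common/templates/jobs/publish.yml
+++ b/eng/common/templates/jobs/publish.yml
@@ -1,6 +1,7 @@
 parameters:
 pool: {}
 internalProjectName: null
+publishConfig: null
 customInitSteps: []
 customPublishVariables: []
 sourceBuildPipelineDefinitionId: ""
@@ -20,7 +21,7 @@ jobs:
 - name: imageBuilder.commonCmdArgs
 value: >-
 --manifest '$(manifest)'
---registry-override '$(acr.server)'
+--registry-override '${{ parameters.publishConfig.publishAcr.server }}'
 $(manifestVariables)
 $(imageBuilder.queueArgs)
 - name: publishNotificationRepoName
@@ -46,7 +47,7 @@ jobs:
 steps:
 - template: /eng/common/templates/steps/init-matrix-build-publish.yml@self
 parameters:
-cloneVersionsRepo: ${{ variables.publishImageInfo }}
+publishConfig: ${{ parameters.publishConfig }}
 versionsRepoRef: ${{ parameters.versionsRepoRef }}
 
 - template: /eng/common/templates/steps/retain-build.yml@self
@@ -80,6 +81,8 @@ jobs:
 publicSourceBranch: $(publicSourceBranch)
 
 - template: /eng/common/templates/steps/set-dry-run.yml@self
+parameters:
+publishConfig: ${{ parameters.publishConfig }}
 
 - script: echo "##vso[task.setvariable variable=imageQueueTime]$(date --rfc-2822)"
 displayName: Set Publish Variables
@@ -94,19 +97,19 @@ jobs:
 displayName: Copy Images
 serviceConnections:
 - name: acr
-id: $(publish.serviceConnection.id)
-tenantId: $(publish.serviceConnection.tenantId)
-clientId: $(publish.serviceConnection.clientId)
+id: ${{ parameters.publishConfig.publishAcr.serviceConnection.id }}
+tenantId: ${{ parameters.publishConfig.publishAcr.serviceConnection.tenantId }}
+clientId: ${{ parameters.publishConfig.publishAcr.serviceConnection.clientId }}
 internalProjectName: ${{ parameters.internalProjectName }}
 args: >-
 copyAcrImages
-'$(acr.subscription)'
-'$(acr.resourceGroup)'
-'$(stagingRepoPrefix)'
-'$(acr-staging.server)'
+'${{ parameters.publishConfig.buildAcr.subscription }}'
+'${{ parameters.publishConfig.buildAcr.resourceGroup }}'
+'${{ parameters.publishConfig.buildAcr.repoPrefix }}'
+'${{ parameters.publishConfig.buildAcr.server }}'
 --os-type '*'
 --architecture '*'
---repo-prefix '$(publishRepoPrefix)'
+--repo-prefix '${{ parameters.publishConfig.publishAcr.repoPrefix }}'
 --image-info '$(imageInfoContainerDir)/image-info.json'
 $(dryRunArg)
 $(imageBuilder.pathArgs)
@@ -117,15 +120,15 @@ jobs:
 displayName: Publish Manifest
 serviceConnections:
 - name: acr
-id: $(publish.serviceConnection.id)
-tenantId: $(publish.serviceConnection.tenantId)
-clientId: $(publish.serviceConnection.clientId)
+id: ${{ parameters.publishConfig.publishAcr.serviceConnection.id }}
+tenantId: ${{ parameters.publishConfig.publishAcr.serviceConnection.tenantId }}
+clientId: ${{ parameters.publishConfig.publishAcr.serviceConnection.clientId }}
 internalProjectName: ${{ parameters.internalProjectName }}
 dockerClientOS: ${{ parameters.dockerClientOS }}
 args: >-
 publishManifest
 '$(imageInfoContainerDir)/image-info.json'
---repo-prefix '$(publishRepoPrefix)'
+--repo-prefix '${{ parameters.publishConfig.publishAcr.repoPrefix }}'
 --os-type '*'
 --architecture '*'
 $(dryRunArg)
@@ -142,6 +145,7 @@ jobs:
 
 - template: /eng/common/templates/steps/wait-for-mcr-image-ingestion.yml@self
 parameters:
+publishConfig: ${{ parameters.publishConfig }}
 imageInfoPath: '$(imageinfoContainerDir)/image-info.json'
 minQueueTime: $(imageQueueTime)
 dryRunArg: $(dryRunArg)
@@ -206,18 +210,18 @@ jobs:
 displayName: Generate EOL Annotation Data
 serviceConnections:
 - name: acr
-id: $(publish.serviceConnection.id)
-tenantId: $(publish.serviceConnection.tenantId)
-clientId: $(publish.serviceConnection.clientId)
+id: ${{ parameters.publishConfig.publishAcr.serviceConnection.id }}
+tenantId: ${{ parameters.publishConfig.publishAcr.serviceConnection.tenantId }}
+clientId: ${{ parameters.publishConfig.publishAcr.serviceConnection.clientId }}
 internalProjectName: internal
 condition: and(succeeded(), eq(variables['publishEolAnnotations'], 'true'))
 args: >-
 generateEolAnnotationData
 '$(artifactsPath)/eol-annotation-data/eol-annotation-data.json'
 '$(imageInfoContainerDir)/full-image-info-orig.json'
 '$(imageInfoContainerDir)/full-image-info-new.json'
-'$(acr.server)'
-'$(publishRepoPrefix)'
+'${{ parameters.publishConfig.publishAcr.server }}'
+'${{ parameters.publishConfig.publishAcr.repoPrefix }}'
 $(generateEolAnnotationDataExtraOptions)
 $(dryRunArg)
 
@@ -232,7 +236,7 @@ jobs:
 
 - template: /eng/common/templates/steps/annotate-eol-digests.yml@self
 parameters:
-internalProjectName: ${{ parameters.internalProjectName }}
+publishConfig: ${{ parameters.publishConfig }}
 dataFile: $(artifactsPath)/eol-annotation-data/eol-annotation-data.json
 
 - script: >
@@ -271,7 +275,7 @@ jobs:
 $(gitHubNotificationsRepoInfo.authArgs)
 '$(gitHubNotificationsRepoInfo.org)'
 '$(gitHubNotificationsRepoInfo.repo)'
---repo-prefix '$(publishRepoPrefix)'
+--repo-prefix '${{ parameters.publishConfig.publishAcr.repoPrefix }}'
 --task "🟪 Copy Images"
 --task "🟪 Publish Manifest"
 --task "🟪 Wait for Image Ingestion"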
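Review bot: In the Copy Images step the first two positional arguments of `copyAcrImages` move from `$(acr.subscription)` and `$(acr.resourceGroup)` to `publishConfig.buildAcr.subscription` and `publishConfig.buildAcr.resourceGroup`, whereas every other `$(acr.*)` reference in this file is mapped to `publishAcr` (for example `--registry-override '$(acr.server)'` becomes `publishAcr.server`). The step still authenticates with the `publishAcr` service connection, so if those arguments identify the registry that performs the import, the copy now runs against the build registry's subscription and the publish identity would need rights there. Please confirm which registry the two arguments describe and record it next to them, e.g. `# subscription and resource group of the source (build) ACR`; if the destination was intended, they should read `publishAcr.subscription` and `publishAcr.resourceGroup`.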

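--- a/eng/common/templates/jobs/test-images-linux-client.yml
+++ b/eng/common/templates/jobs/test-images-linux-client.yml
@@ -5,6 +5,7 @@ parameters:
 testJobTimeout: 60
 preBuildValidation: false
 internalProjectName: null
+publishConfig: null
 customInitSteps: []
 sourceBuildPipelineRunId: ""
 
@@ -24,5 +25,6 @@ jobs:
 parameters:
 preBuildValidation: ${{ parameters.preBuildValidation }}
 internalProjectName: ${{ parameters.internalProjectName }}
+publishConfig: ${{ parameters.publishConfig }}
 customInitSteps: ${{ parameters.customInitSteps }}
 sourceBuildPipelineRunId: ${{ parameters.sourceBuildPipelineRunId }}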

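--- a/eng/common/templates/jobs/test-images-windows-client.yml
+++ b/eng/common/templates/jobs/test-images-windows-client.yml
@@ -4,6 +4,7 @@ parameters:
 matrix: {}
 testJobTimeout: 60
 internalProjectName: null
+publishConfig: null
 customInitSteps: []
 sourceBuildPipelineRunId: ""
 
@@ -19,5 +20,6 @@ jobs:
 - template: /eng/common/templates/steps/test-images-windows-client.yml@self
 parameters:
 internalProjectName: ${{ parameters.internalProjectName }}
+publishConfig: ${{ parameters.publishConfig }}
 customInitSteps: ${{ parameters.customInitSteps }}
 sourceBuildPipelineRunId: ${{ parameters.sourceBuildPipelineRunId }}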
