sudo/.pipelines/Standard.Pipeline.yml

#################################################################################
#                        OneBranch Pipelines - Buddy                            #
# This pipeline was created by EasyStart from a sample located at:              #
#   https://aka.ms/obpipelines/easystart/samples                                #
# Documentation:  https://aka.ms/obpipelines                                    #
# Yaml Schema:    https://aka.ms/obpipelines/yaml/schema                        #
# Retail Tasks:   https://aka.ms/obpipelines/tasks                              #
# Support:        https://aka.ms/onebranchsup                                   #
#################################################################################

trigger: none
# - main

parameters: # parameters are shown up in ADO UI in a build queue time
# buildPlatforms: This controls which Rust triples we build sudo for.
# These three defaults correspond to x64, x86 and ARM64.
# They're used by:
# - The OneBranch.Common.yml, to control which --target's we build in release
# - The vpack task, below.
- name: buildPlatforms
  type: object
  default:
    - x86_64-pc-windows-msvc # x64
    - i686-pc-windows-msvc # x86
    - aarch64-pc-windows-msvc # arm64

# The official builds default to just the Inbox builds
- name: brandings
  type: object
  default:
    - Inbox
    # - Stable
    # - Dev

# Hourly builds: you may want to change these to nightly ("0 3 * * *" - run at 3am).
schedules:
- cron: 0 * * * *
  displayName: Hourly build
  branches:
    include:
    - master
  always: true

variables:
  CDP_DEFINITION_BUILD_COUNT: $[counter('', 0)] # needed for onebranch.pipeline.version task https://aka.ms/obpipelines/versioning
  WindowsContainerImage: 'onebranch.azurecr.io/windows/ltsc2019/vse2022:latest'

  # LOAD BEARING - the vpack task fails without these
  ROOT: $(Build.SourcesDirectory)
  REPOROOT: $(Build.SourcesDirectory)
  OUTPUTROOT: $(REPOROOT)\out
  NUGET_XMLDOC_MODE: none

resources:
  repositories:
    - repository: templates
      type: git
      name: OneBranch.Pipelines/GovernedTemplates
      ref: refs/heads/main

extends:
  # We're an official build, so we need to extend from the _Official_ build template.
  template: v2/Microsoft.Official.yml@templates
  parameters:
    platform:
      name: 'windows_undocked'
      product: 'sudo'
    cloudvault: # https://aka.ms/obpipelines/cloudvault
      enabled: false
    globalSdl: # https://aka.ms/obpipelines/sdl
      binskim:
        # Rust build scripts will not be built with spectre-mitigations enabled,
        # so only scan the actual output binaries.
        scanOutputDirectoryOnly: true
    stages:
    # Our Build stage will build all three targets in one job, so we don't need
    # to repeat most of the boilerplate work in three separate jobs.
    - stage: Build
      jobs:
      - job: Windows
        pool:
          type: windows

        variables:
          # Binaries will go here
          ob_outputDirectory: '$(Build.SourcesDirectory)/out' # More settings at https://aka.ms/obpipelines/yaml/jobs

          # The vPack gets created from stuff in here
          ob_createvpack_vpackdirectory: '$(ob_outputDirectory)/vpack'
          # It will have a structure like:
          # .../vpack/
          #      - amd64/
          #         - sudo.exe
          #      - i386/
          #         - sudo.exe
          #      - arm64/
          #         - sudo.exe

          # not sure where this goes
          # additionalRustTargets: i686-pc-windows-msvc
          additionalTargets: $(parameters.buildPlatforms)

          # For details on this cargo_target_dir setting, see https://eng.ms/docs/more/rust/topics/onebranch-workaround
          cargo_target_dir: C:\cargo_target_dir

          # All these? Also variables that control the vpack creation.
          ob_createvpack_enabled: true
          ob_createvpack_packagename: 'windows_sudo.$(Build.SourceBranchName)'
          ob_createvpack_owneralias: 'migrie@microsoft.com'
          ob_createvpack_description: 'Sudo for Windows'
          ob_createvpack_targetDestinationDirectory: '$(Destination)'
          ob_createvpack_propsFile: false
          ob_createvpack_provData: true
          ob_createvpack_versionAs: string
          ob_createvpack_version: '$(SudoVersion)-$(CDP_DEFINITION_BUILD_COUNT)'
          ob_createvpack_metadata: '$(Build.SourceVersion)'
          ob_createvpack_topLevelRetries: 0
          ob_createvpack_failOnStdErr: true
          ob_createvpack_taskLogVerbosity: Detailed
          ob_createvpack_verbose: true

        steps:
        # Before we build! Right before we build, pull down localizations from
        # Touchdown.
        #
        # The Terminal build would literally pass this as a parameter of a list
        # of steps to the job-build-project.yml, which is overkill for us
        - template: .pipelines/steps-fetch-and-prepare-localizations.yml@self
          parameters:
            includePseudoLoc: true

        # The actual build is over in Onebranch.Common.yml
        - template: .pipelines/OneBranch.Common.yml@self
          parameters:
            buildPlatforms: ${{ parameters.buildPlatforms }}
            brandings: ${{ parameters.brandings }}
            tracingGuid: $(SecretTracingGuid)

        # This is very shamelessly stolen from curl's pipeline. Small
        # modification: since our cargo.toml has a bunch of lines with "version",
        # bail after the first.
        - script: |-
           rem Parse the version out of cargo.toml
           for /f "tokens=3 delims=- " %%x in ('findstr /c:"version = " sudo\cargo.toml') do (@echo ##vso[task.setvariable variable=SudoVersion]%%~x & goto :EOF)           
          displayName: 'Set SudoVersion'

        # Codesigning. Cribbed directly from the curl codesign task
        - task: onebranch.pipeline.signing@1
          displayName: 'Sign files'
          inputs:
            command: 'sign'
            signing_profile: 'external_distribution'
            files_to_sign: '**/*.exe'
            search_root: '$(ob_outputDirectory)'
            use_testsign: false
            in_container: true

        # This stage grabs each of the sudo's we've built for different
        # architectures, and copies them into the appropriate vpack directory.
        - ${{ each platform in parameters.buildPlatforms }}:
          - task: CopyFiles@2
            displayName: Copy files to vpack (${{platform}})
            inputs:
              # We always use the 'Inbox' branding vvvvv here - vpacks are only ever consumed by the OS
              sourceFolder: '$(ob_outputDirectory)/Inbox/${{platform}}'
              ${{ if eq(platform, 'i686-pc-windows-msvc') }}:
                targetFolder: '$(ob_createvpack_vpackdirectory)/i386'
              ${{ elseif eq(platform, 'x86_64-pc-windows-msvc') }}:
                targetFolder: '$(ob_createvpack_vpackdirectory)/amd64'
              ${{ else }}: # aarch64-pc-windows-msvc
                targetFolder: '$(ob_createvpack_vpackdirectory)/arm64'
              contents: '*'
        - task: CopyFiles@2
          # only do this once
          displayName: Copy manifest to vpack
          inputs:
            sourceFolder: '$(ob_outputDirectory)/'
            targetFolder: '$(ob_createvpack_vpackdirectory)/'
            contents: 'instrumentation.man'