mirror of
https://github.com/Microsoft/vscode
synced 2024-08-27 04:49:35 +00:00
parent
c00e89d9ae
commit
c0f739ea25
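--- a/build/azure-pipelines/.gdntsa
+++ b/build/azure-pipelines/.gdntsa
@@ -0,0 +1,21 @@
+{
+"codebaseName": "vscode-client",
+"ppe": false,
+"notificationAliases": [
+"sbatten@microsoft.com"
+],
+"codebaseAdmins": [
+"REDMOND\\stbatt",
+"REDMOND\\monacotools",
+],
+"instanceUrl": "https://msazure.visualstudio.com/defaultcollection",
+"projectName": "One",
+"areaPath": "One\\VSCode\\Client",
+"iterationPath": "One",
+"notifyAlways": true,
+"tools": [
+"BinSkim",
+"CredScan",
+"CodeQL"
+]
+}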
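Review bot: The `codebaseAdmins` array ends with a trailing comma after `"REDMOND\\monacotools",`, which is not valid strict JSON. If the TSA upload task reads this file with a strict parser, onboarding may fail or the admin list may be dropped; the last entry should read `"REDMOND\\monacotools"` with no comma. The file also records one person's e-mail address and domain account in the repository, so a team alias in `notificationAliases` would be less exposed and would survive staff changes.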
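--- a/build/azure-pipelines/sdl-scan.yml
+++ b/build/azure-pipelines/sdl-scan.yml
@@ -0,0 +1,225 @@
+trigger: none
+pr: none
+
+parameters:
+- name: ENABLE_TERRAPIN
+displayName: "Enable Terrapin"
+type: boolean
+default: true
+- name: SCAN_WINDOWS
+displayName: "Scan Windows"
+type: boolean
+default: true
+- name: SCAN_LINUX
+displayName: "Scan Linux"
+type: boolean
+default: false
+
+variables:
+- name: ENABLE_TERRAPIN
+value: ${{ eq(parameters.ENABLE_TERRAPIN, true) }}
+- name: SCAN_WINDOWS
+value: ${{ eq(parameters.SCAN_WINDOWS, true) }}
+- name: SCAN_LINUX
+value: ${{ eq(parameters.SCAN_LINUX, true) }}
+- name: VSCODE_MIXIN_REPO
+value: microsoft/vscode-distro
+- name: skipComponentGovernanceDetection
+value: true
+- name: NPM_ARCH
+value: x64
+- name: VSCODE_ARCH
+value: x64
+
+stages:
+- stage: Windows
+condition: eq(variables.SCAN_WINDOWS, 'true')
+pool:
+vmImage: VS2017-Win2016
+jobs:
+- job: WindowsJob
+timeoutInMinutes: 0
+steps:
+- task: CredScan@3
+continueOnError: true
+inputs:
+scanFolder: '$(Build.SourcesDirectory)'
+outputFormat: 'pre'
+- task: NodeTool@0
+inputs:
+versionSpec: "14.x"
+
+- task: geeklearningio.gl-vsts-tasks-yarn.yarn-installer-task.YarnInstaller@2
+inputs:
+versionSpec: "1.x"
+
+- task: AzureKeyVault@1
+displayName: "Azure Key Vault: Get Secrets"
+inputs:
+azureSubscription: "vscode-builds-subscription"
+KeyVaultName: vscode
+SecretsFilter: "github-distro-mixin-password,ESRP-SSL-AADAuth,vscode-storage-key,builds-docdb-key-readwrite"
+
+- powershell: |
+. build/azure-pipelines/win32/exec.ps1
+$ErrorActionPreference = "Stop"
+"machine github.com`nlogin vscode`npassword $(github-distro-mixin-password)" | Out-File "$env:USERPROFILE\_netrc" -Encoding ASCII
+
+exec { git config user.email "vscode@microsoft.com" }
+exec { git config user.name "VSCode" }
+displayName: Prepare tooling
+
+- powershell: |
+. build/azure-pipelines/win32/exec.ps1
+$ErrorActionPreference = "Stop"
+exec { git pull --no-rebase https://github.com/$(VSCODE_MIXIN_REPO).git $(node -p "require('./package.json').distro") }
+displayName: Merge distro
+
+- powershell: |
+. build/azure-pipelines/win32/exec.ps1
+$ErrorActionPreference = "Stop"
+exec { npx https://aka.ms/enablesecurefeed standAlone }
+timeoutInMinutes: 5
+condition: and(succeeded(), eq(variables['ENABLE_TERRAPIN'], 'true'))
+displayName: Switch to Terrapin packages
+
+- task: Semmle@1
+inputs:
+sourceCodeDirectory: '$(Build.SourcesDirectory)'
+language: 'cpp'
+buildCommandsString: 'yarn --frozen-lockfile'
+querySuite: 'Required'
+timeout: '1800'
+ram: '16384'
+addProjectDirToScanningExclusionList: true
+env:
+npm_config_arch: "$(NPM_ARCH)"
+npm_config_build_from_source: true
+PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1
+GITHUB_TOKEN: "$(github-distro-mixin-password)"
+displayName: CodeQL
+
+- powershell: |
+. build/azure-pipelines/win32/exec.ps1
+. build/azure-pipelines/win32/retry.ps1
+$ErrorActionPreference = "Stop"
+$env:npm_config_arch="$(NPM_ARCH)"
+$env:npm_config_build_from_source="true"
+$env:CHILD_CONCURRENCY="1"
+retry { exec { yarn --frozen-lockfile } }
+env:
+PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1
+GITHUB_TOKEN: "$(github-distro-mixin-password)"
+displayName: Install dependencies
+
+- powershell: |
+. build/azure-pipelines/win32/exec.ps1
+$ErrorActionPreference = "Stop"
+exec { yarn gulp "vscode-symbols-win32-$(VSCODE_ARCH)" }
+displayName: Download Symbols
+
+- task: BinSkim@4
+inputs:
+InputType: 'Basic'
+Function: 'analyze'
+TargetPattern: 'guardianGlob'
+AnalyzeTargetGlob: '$(agent.builddirectory)\scanbin\**.dll;$(agent.builddirectory)\scanbin\**.exe;$(agent.builddirectory)\scanbin\**.node'
+AnalyzeLocalSymbolDirectories: '$(agent.builddirectory)\scanbin\VSCode-win32-$(VSCODE_ARCH)\pdb'
+
+- task: TSAUpload@2
+inputs:
+GdnPublishTsaOnboard: true
+GdnPublishTsaConfigFile: '$(Build.SourcesDirectory)\build\azure-pipelines\.gdntsa'
+
+- stage: Linux
+dependsOn: []
+condition: eq(variables.SCAN_LINUX, 'true')
+pool:
+vmImage: "Ubuntu-18.04"
+jobs:
+- job: LinuxJob
+steps:
+- task: CredScan@2
+inputs:
+toolMajorVersion: 'V2'
+- task: NodeTool@0
+inputs:
+versionSpec: "14.x"
+
+- task: geeklearningio.gl-vsts-tasks-yarn.yarn-installer-task.YarnInstaller@2
+inputs:
+versionSpec: "1.x"
+
+- task: AzureKeyVault@1
+displayName: "Azure Key Vault: Get Secrets"
+inputs:
+azureSubscription: "vscode-builds-subscription"
+KeyVaultName: vscode
+SecretsFilter: "github-distro-mixin-password,ESRP-SSL-AADAuth,vscode-storage-key,builds-docdb-key-readwrite"
+
+- script: |
+set -e
+cat << EOF > ~/.netrc
+machine github.com
+login vscode
+password $(github-distro-mixin-password)
+EOF
+
+git config user.email "vscode@microsoft.com"
+git config user.name "VSCode"
+displayName: Prepare tooling
+
+- script: |
+set -e
+git pull --no-rebase https://github.com/$(VSCODE_MIXIN_REPO).git $(node -p "require('./package.json').distro")
+displayName: Merge distro
+
+- script: |
+set -e
+npx https://aka.ms/enablesecurefeed standAlone
+timeoutInMinutes: 5
+condition: and(succeeded(), ne(variables.NODE_MODULES_RESTORED, 'true'), eq(variables['ENABLE_TERRAPIN'], 'true'))
+displayName: Switch to Terrapin packages
+
+- script: |
+set -e
+export npm_config_arch=$(NPM_ARCH)
+export npm_config_build_from_source=true
+
+if [ -z "$CC" ] || [ -z "$CXX" ]; then
+export CC=$(which gcc-5)
+export CXX=$(which g++-5)
+fi
+
+if [ "$VSCODE_ARCH" == "x64" ]; then
+export VSCODE_REMOTE_CC=$(which gcc-4.8)
+export VSCODE_REMOTE_CXX=$(which g++-4.8)
+fi
+
+for i in {1..3}; do # try 3 times, for Terrapin
+yarn --frozen-lockfile && break
+if [ $i -eq 3 ]; then
+echo "Yarn failed too many times" >&2
+exit 1
+fi
+echo "Yarn failed $i, trying again..."
+done
+env:
+PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1
+GITHUB_TOKEN: "$(github-distro-mixin-password)"
+displayName: Install dependencies
+
+- script: |
+set -e
+yarn gulp vscode-symbols-linux-$(VSCODE_ARCH)
+displayName: Build
+
+- task: BinSkim@3
+inputs:
+toolVersion: Latest
+InputType: CommandLine
+arguments: analyze $(agent.builddirectory)\scanbin\exe\*.* --recurse --local-symbol-directories $(agent.builddirectory)\scanbin\VSCode-linux-$(VSCODE_ARCH)\pdb
+
+- task: TSAUpload@2
+inputs:
+GdnPublishTsaConfigFile: '$(Build.SourceDirectory)\build\azure-pipelines\.gdntsa'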
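Review bot: Both `AzureKeyVault@1` steps request `ESRP-SSL-AADAuth`, `vscode-storage-key` and `builds-docdb-key-readwrite`, yet only `github-distro-mixin-password` is referenced anywhere in this file, so a scan-only pipeline loads what look like signing, storage and read-write database credentials it does not appear to use. Narrowing both filters to `SecretsFilter: "github-distro-mixin-password"` would limit what a compromised package install or the unpinned `npx https://aka.ms/enablesecurefeed` step could reach on the agent. Separately, the Linux `TSAUpload@2` input is spelled `$(Build.SourceDirectory)` where the Windows stage uses `$(Build.SourcesDirectory)`. The Linux BinSkim arguments also point at `scanbin\exe` with backslashes, while the gulp task in this commit writes to a `bin` directory, so the Linux scan and upload steps would probably not find their inputs.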
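--- a/build/gulpfile.scan.js
+++ b/build/gulpfile.scan.js
@@ -0,0 +1,104 @@
+/*---------------------------------------------------------------------------------------------
+* Copyright (c) Microsoft Corporation. All rights reserved.
+* Licensed under the MIT License. See License.txt in the project root for license information.
+*--------------------------------------------------------------------------------------------*/
+
+'use strict';
+
+const gulp = require('gulp');
+const path = require('path');
+const task = require('./lib/task');
+const util = require('./lib/util');
+const _ = require('underscore');
+const electron = require('gulp-atom-electron');
+const { config } = require('./lib/electron');
+const filter = require('gulp-filter');
+const deps = require('./lib/dependencies');
+
+const root = path.dirname(__dirname);
+
+const BUILD_TARGETS = [
+{ platform: 'win32', arch: 'ia32' },
+{ platform: 'win32', arch: 'x64' },
+{ platform: 'win32', arch: 'arm64' },
+{ platform: 'darwin', arch: null, opts: { stats: true } },
+{ platform: 'linux', arch: 'ia32' },
+{ platform: 'linux', arch: 'x64' },
+{ platform: 'linux', arch: 'armhf' },
+{ platform: 'linux', arch: 'arm64' },
+];
+
+BUILD_TARGETS.forEach(buildTarget => {
+const dashed = (str) => (str ? `-${str}` : ``);
+const platform = buildTarget.platform;
+const arch = buildTarget.arch;
+
+const destinationExe = path.join(path.dirname(root), 'scanbin', `VSCode${dashed(platform)}${dashed(arch)}`, 'bin');
+const destinationPdb = path.join(path.dirname(root), 'scanbin', `VSCode${dashed(platform)}${dashed(arch)}`, 'pdb');
+
+const tasks = [];
+
+// removal tasks
+tasks.push(util.rimraf(destinationExe), util.rimraf(destinationPdb));
+
+// electron
+tasks.push(() => electron.dest(destinationExe, _.extend({}, config, { platform, arch: arch === 'armhf' ? 'arm' : arch })));
+
+// pdbs for windows
+if (platform === 'win32') {
+tasks.push(
+() => electron.dest(destinationPdb, _.extend({}, config, { platform, arch: arch === 'armhf' ? 'arm' : arch, pdbs: true })),
+util.rimraf(path.join(destinationExe, 'swiftshader')),
+util.rimraf(path.join(destinationExe, 'd3dcompiler_47.dll')));
+}
+
+if (platform === 'linux') {
+tasks.push(
+() => electron.dest(destinationPdb, _.extend({}, config, { platform, arch: arch === 'armhf' ? 'arm' : arch, symbols: true }))
+);
+}
+
+// node modules
+tasks.push(
+nodeModules(destinationExe, destinationPdb, platform)
+);
+
+const setupSymbolsTask = task.define(`vscode-symbols${dashed(platform)}${dashed(arch)}`,
+task.series(...tasks)
+);
+
+gulp.task(setupSymbolsTask);
+});
+
+function nodeModules(destinationExe, destinationPdb, platform) {
+const productionDependencies = deps.getProductionDependencies(root);
+const dependenciesSrc = _.flatten(productionDependencies.map(d => path.relative(root, d.path)).map(d => [`${d}/**`, `!${d}/**/{test,tests}/**`]));
+
+const exe = () => {
+return gulp.src(dependenciesSrc, { base: '.', dot: true })
+.pipe(filter(['**/*.node']))
+.pipe(gulp.dest(destinationExe));
+};
+
+if (platform === 'win32') {
+const pdb = () => {
+return gulp.src(dependenciesSrc, { base: '.', dot: true })
+.pipe(filter(['**/*.pdb']))
+.pipe(gulp.dest(destinationPdb));
+};
+
+return gulp.parallel(exe, pdb);
+}
+
+if (platform === 'linux') {
+const pdb = () => {
+return gulp.src(dependenciesSrc, { base: '.', dot: true })
+.pipe(filter(['**/*.sym']))
+.pipe(gulp.dest(destinationPdb));
+};
+
+return gulp.parallel(exe, pdb);
+}
+
+return exe;
+}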
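Review bot: In the `win32` branch, `swiftshader` and `d3dcompiler_47.dll` are deleted from `destinationExe` right after Electron is unpacked, so those binaries never reach BinSkim, and nothing in the file says why. If they are left out because they are third-party binaries without matching symbols, record that next to the two `util.rimraf` calls, for example `// excluded from scan: third-party binaries, no PDBs available (confirm)`, so the coverage gap is a documented decision. The `darwin` target also carries `opts: { stats: true }`, which this file never reads, and it gets no symbol step at all; a short comment on whether macOS is intentionally out of scope would help.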