Add fxdependent build and enable APIScan

Author: daxian-dbw

.pipelines/Build-Official.yml

@@ -112,3 +112,8 @@ extends:
       displayName: module - build and sign
       jobs:
       - template: /.pipelines/templates/module-build.yml@self
+
+    - stage: APIScan
+      displayName: 'ApiScan'
+      jobs:
+      - template: /.pipelines/templates/apiscan.yaml@self

.pipelines/templates/apiscan.yaml

@@ -0,0 +1,188 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+jobs:
+- job: APIScan
+  displayName: APIScan with fxdependent build
+  condition: succeeded()
+  pool:
+    type: windows
+  variables:
+  - name: runCodesignValidationInjection
+    value : false
+  - name: NugetSecurityAnalysisWarningLevel
+    value: none
+  # PAT permissions NOTE: Declare a SymbolServerPAT variable in this group with a 'microsoft' organizanization scoped PAT with 'Symbols' Read permission.
+  # A PAT in the wrong org will give a single Error 203. No PAT will give a single Error 401, and individual pdbs may be missing even if permissions are correct.
+  - group: symbols
+  # Defines the variables APIScanClient, APIScanTenant and APIScanSecret
+  - group: PS-PS-APIScan
+  - group: DotNetPrivateBuildAccess
+  - group: 'Azure Blob variable group'
+  - group: ReleasePipelineSecrets
+  - group: mscodehub-feed-read-general
+  - group: mscodehub-feed-read-akv
+  - name: ob_outputDirectory
+    value: '$(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT'
+  - name: repoRoot
+    value: $(Build.SourcesDirectory)\AIShell
+  - name: ob_sdl_tsa_configFile
+    value: $(repoRoot)\.config\tsaoptions.json
+  - name: ob_sdl_apiscan_enabled
+    value: true
+  - name: ob_sdl_apiscan_softwareName
+    value: 'AIShell'
+  - name: ob_sdl_apiscan_versionNumber
+    value: '1.0'
+  - name: ob_sdl_apiscan_isLargeApp
+    value: false
+  - name: ob_sdl_apiscan_symbolsFolder
+    value: $(SymbolsServerUrl);$(ob_outputDirectory)
+  - name: Codeql.SourceRoot
+    value: $(repoRoot)
+
+  # APIScan can take a long time
+  timeoutInMinutes: 180
+
+  steps:
+  - checkout: self
+    clean: true
+    fetchTags: true
+    fetchDepth: 1000
+    displayName: Checkout AIShell
+    retryCountOnTaskFailure: 1
+    env:
+      ob_restore_phase: true # This ensures checkout is done at the beginning of the restore phase
+
+  - template: update-nuget-config.yml@self
+    parameters:
+      repoRoot: $(repoRoot)
+
+  - task: UseDotNet@2
+    displayName: 'Use .NET Core sdk'
+    inputs:
+      useGlobalJson: true
+      packageType: 'sdk'
+      workingDirectory: $(Build.SourcesDirectory)"
+
+  - pwsh: |
+      dotnet tool install dotnet-symbol --tool-path $(Agent.ToolsDirectory)\tools\dotnet-symbol
+      $symbolToolPath = Get-ChildItem -Path $(Agent.ToolsDirectory)\tools\dotnet-symbol\dotnet-symbol.exe | Select-Object -First 1 -ExpandProperty FullName
+      Write-Host "##vso[task.setvariable variable=symbolToolPath]$symbolToolPath"
+    displayName: Install dotnet-symbol
+    workingDirectory: '$(repoRoot)'
+    retryCountOnTaskFailure: 2
+
+  - task: AzurePowerShell@5
+    displayName: Download winverify-private Artifacts
+    inputs:
+      azureSubscription: az-blob-cicd-infra
+      scriptType: inlineScript
+      azurePowerShellVersion: LatestVersion
+      workingDirectory: '$(repoRoot)'
+      pwsh: true
+      inline: |
+        # download smybols for getfilesiginforedist.dll
+        $storageAccountName = "pscoretestdata"
+        $containerName = 'winverify-private'
+        $winverifySymbolsPath = New-Item -ItemType Directory -Path '$(System.ArtifactsDirectory)/winverify-symbols' -Force
+        $dllName = 'getfilesiginforedist.dll'
+        $winverifySymbolsDllPath = Join-Path $winverifySymbolsPath $dllName
+
+        $context = New-AzStorageContext -StorageAccountName $storageAccountName -UseConnectedAccount
+        Get-AzStorageBlobContent -Container $containerName -Blob $dllName -Destination $winverifySymbolsDllPath -Context $context
+
+  - pwsh: |
+      Get-ChildItem -Path '$(System.ArtifactsDirectory)/winverify-symbols'
+    displayName: Capture winverify-private Artifacts
+    workingDirectory: '$(repoRoot)'
+    condition: succeededOrFailed()
+
+  - task: CodeQL3000Init@0 # Add CodeQL Init task right before your 'Build' step.
+    displayName: 🔏 CodeQL 3000 Init
+    condition: eq(variables['CODEQL_ENABLED'], 'true')
+    inputs:
+      Language: csharp
+
+  - pwsh: |
+      Import-Module $(repoRoot)/build.psm1 -Force
+      Start-Build -Configuration StaticAnalysis -Runtime fxdependent -Clean -Verbose
+
+      $outputJson = '$(repoRoot)/_build_output_.json'
+      if (-not (Test-Path $outputJson)) {
+        throw "'_build_output_.json' was not produced."
+      }
+
+      $result = Get-Content $outputJson | ConvertFrom-Json
+      Write-Verbose "App path: $($result.App)" -Verbose
+      $OutputFolder = $result.App
+
+      Write-Verbose -Verbose -Message "Deleting ref folder from output folder"
+      if (Test-Path $OutputFolder/ref) {
+        Remove-Item -Recurse -Force $OutputFolder/ref
+      }
+
+      Copy-Item -Path "$OutputFolder\*" -Destination '$(ob_outputDirectory)' -Recurse -Verbose
+    workingDirectory: '$(repoRoot)'
+    displayName: 'Build AIShell Source'
+
+  - pwsh: |
+      # Only key windows runtimes
+      Get-ChildItem -Path '$(ob_outputDirectory)\runtimes\*' -File -Recurse | Where-Object {$_.FullName -notmatch '.*\/runtimes\/win'} | Foreach-Object {
+        Write-Verbose -Verbose -Message "Deleting $($_.FullName)"
+        Remove-Item -Force -Verbose -Path $_.FullName
+      }
+
+      # Temporarily remove runtimes/win-x86 due to issues with that runtime
+      Get-ChildItem -Path '$(ob_outputDirectory)\runtimes\*' -File -Recurse | Where-Object {$_.FullName -match '.*\/runtimes\/win-x86\/'} | Foreach-Object {
+        Write-Verbose -Verbose -Message "Deleting $($_.FullName)"
+        Remove-Item -Force -Verbose -Path $_.FullName
+      }
+
+    workingDirectory: '$(repoRoot)'
+    displayName: 'Remove unused runtimes'
+
+  - task: CodeQL3000Finalize@0 # Add CodeQL Finalize task right after your 'Build' step.
+    displayName: 🔏 CodeQL 3000 Finalize
+    condition: eq(variables['CODEQL_ENABLED'], 'true')
+
+  - pwsh: |
+      Get-ChildItem -Path env: | Out-String -width 150 -Stream | write-Verbose -Verbose
+    workingDirectory: '$(repoRoot)'
+    displayName: Capture Environment
+    condition: succeededOrFailed()
+
+  # Explicitly download symbols for the drop since the SDL image doesn't have http://SymWeb access and APIScan cannot handle https yet.
+  - pwsh: |
+      $pat = '$(SymbolServerPAT)'
+      if ($pat -like '*PAT*' -or $pat -eq '') {
+        throw 'No PAT defined'
+      }
+      $url = 'https://microsoft.artifacts.visualstudio.com/defaultcollection/_apis/symbol/symsrv'
+      $(symbolToolPath) --authenticated-server-path $(SymbolServerPAT) $url --symbols -d "$env:ob_outputDirectory\*" --recurse-subdirectories
+    displayName: 'Download Symbols for binaries'
+    retryCountOnTaskFailure: 2
+    workingDirectory: '$(repoRoot)'
+
+  - pwsh: |
+      Get-ChildItem '$(ob_outputDirectory)' -File -Recurse |
+      Foreach-Object {
+        [pscustomobject]@{
+          Path = $_.FullName
+          Version = $_.VersionInfo.FileVersion
+          Md5Hash = (Get-FileHash -Algorithm MD5 -Path $_.FullName).Hash
+          Sha512Hash = (Get-FileHash -Algorithm SHA512 -Path $_.FullName).Hash
+        }
+      } | Export-Csv -Path '$(Build.SourcesDirectory)/ReleaseFileHash.csv'
+    workingDirectory: '$(repoRoot)'
+    displayName: 'Create release file hash artifact'
+
+  - pwsh: |
+      Copy-Item -Path '$(Build.SourcesDirectory)/ReleaseFileHash.csv' -Destination '$(ob_outputDirectory)' -Verbose
+    displayName: 'Publish Build File Hash artifact'
+
+  - pwsh: |
+      Get-ChildItem -Path env: | Out-String -width 150 -Stream | write-Verbose -Verbose
+    displayName: Capture Environment
+    condition: succeededOrFailed()
+    workingDirectory: '$(repoRoot)'

build.psm1

@@ -13,11 +13,11 @@ function Start-Build
     [CmdletBinding()]
     param (
         [Parameter()]
-        [ValidateSet('Debug', 'Release')]
+        [ValidateSet('Debug', 'Release', 'StaticAnalysis')]
         [string] $Configuration = "Debug",
 
         [Parameter()]
-        [ValidateSet('win-x86', 'win-x64', 'win-arm64', 'linux-x64', 'linux-arm64', 'osx-x64', 'osx-arm64')]
+        [ValidateSet('win-x86', 'win-x64', 'win-arm64', 'linux-x64', 'linux-arm64', 'osx-x64', 'osx-arm64', 'fxdependent')]
         [string] $Runtime = [NullString]::Value,
 
         [Parameter()]
@@ -97,7 +97,11 @@ function Start-Build
 
     Write-Host "`n[Build AI Shell ...]`n" -ForegroundColor Green
     $app_csproj = GetProjectFile $app_dir
-    dotnet publish $app_csproj -c $Configuration -o $app_out_dir -r $RID --sc
+    if ($RID -eq 'fxdependent') {
+        dotnet publish $app_csproj -c $Configuration -o $app_out_dir --no-self-contained
+    } else {
+        dotnet publish $app_csproj -c $Configuration -o $app_out_dir -r $RID --sc
+    }
 
     ## Move the 'Modules' folder to the appbase folder.
     if ($LASTEXITCODE -eq 0) {

shell/agents/AIShell.Interpreter.Agent/AIShell.Interpreter.Agent.csproj

@@ -13,6 +13,13 @@
     <!-- Disable PDB generation for the Release build -->
     <DebugSymbols>false</DebugSymbols>
     <DebugType>None</DebugType>
+    <Optimize>true</Optimize>
+  </PropertyGroup>
+
+  <PropertyGroup Condition=" '$(Configuration)' == 'StaticAnalysis' ">
+    <Optimize>true</Optimize>
+    <!-- This is required to be full for compliance tools !-->
+    <DebugType>full</DebugType>
   </PropertyGroup>
 
   <ItemGroup>

shell/agents/AIShell.Ollama.Agent/AIShell.Ollama.Agent.csproj

@@ -14,6 +14,13 @@
     <!-- Disable PDB generation for the Release build -->
     <DebugSymbols>false</DebugSymbols>
     <DebugType>None</DebugType>
+    <Optimize>true</Optimize>
+  </PropertyGroup>
+
+  <PropertyGroup Condition=" '$(Configuration)' == 'StaticAnalysis' ">
+    <Optimize>true</Optimize>
+    <!-- This is required to be full for compliance tools !-->
+    <DebugType>full</DebugType>
   </PropertyGroup>
 
   <ItemGroup>

shell/agents/AIShell.OpenAI.Agent/AIShell.OpenAI.Agent.csproj

@@ -13,6 +13,13 @@
     <!-- Disable PDB generation for the Release build -->
     <DebugSymbols>false</DebugSymbols>
     <DebugType>None</DebugType>
+    <Optimize>true</Optimize>
+  </PropertyGroup>
+
+  <PropertyGroup Condition=" '$(Configuration)' == 'StaticAnalysis' ">
+    <Optimize>true</Optimize>
+    <!-- This is required to be full for compliance tools !-->
+    <DebugType>full</DebugType>
   </PropertyGroup>
 
   <PropertyGroup>

shell/agents/Microsoft.Azure.Agent/Microsoft.Azure.Agent.csproj

@@ -13,6 +13,13 @@
     <!-- Disable PDB generation for the Release build -->
     <DebugSymbols>false</DebugSymbols>
     <DebugType>None</DebugType>
+    <Optimize>true</Optimize>
+  </PropertyGroup>
+
+  <PropertyGroup Condition=" '$(Configuration)' == 'StaticAnalysis' ">
+    <Optimize>true</Optimize>
+    <!-- This is required to be full for compliance tools !-->
+    <DebugType>full</DebugType>
   </PropertyGroup>
 
   <ItemGroup>

shell/shell.common.props

@@ -24,4 +24,10 @@
     <Optimize>true</Optimize>
   </PropertyGroup>
 
+  <PropertyGroup Condition=" '$(Configuration)' == 'StaticAnalysis' ">
+    <Optimize>true</Optimize>
+    <!-- This is required to be full for compliance tools !-->
+    <DebugType>full</DebugType>
+  </PropertyGroup>
+
 </Project>