Merge pull request #2402 from microsoftgraph/ci/migration-to-esrp-release

ci: draft migration to ESRP release

Author: baywet

.azure-pipelines/ci-build.yml

@@ -0,0 +1,242 @@
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License.
+
+name: $(BuildDefinitionName)_$(SourceBranchName)_$(Date:yyyyMMdd)$(Rev:.r)
+
+trigger:
+  tags:
+    include:
+      - "v*"
+  branches:
+    include:
+      - main
+
+parameters:
+  - name: previewBranch
+    type: string
+    default: "refs/heads/main"
+
+resources:
+  repositories:
+    - repository: 1ESPipelineTemplates
+      type: git
+      name: 1ESPipelineTemplates/1ESPipelineTemplates
+      ref: refs/tags/release
+
+extends:
+  template: v1/1ES.Official.PipelineTemplate.yml@1ESPipelineTemplates
+  parameters:
+    sdl:
+      sourceAnalysisPool:
+        name: Azure-Pipelines-1ESPT-ExDShared
+        os: windows
+        image: windows-latest
+
+    stages:
+      - stage: build
+        jobs:
+          - job: build
+            pool:
+              name: Azure-Pipelines-1ESPT-ExDShared
+              os: linux
+              image: ubuntu-latest
+            #TODO maybe missing template context with sdl baselines?
+            steps:
+              - checkout: self
+                persistCredentials: true
+
+              - task: JavaToolInstaller@1
+                inputs:
+                  versionSpec: '21'
+                  jdkArchitectureOption: 'x64'
+                  jdkSourceOption: 'PreInstalled'
+
+              - task: DownloadSecureFile@1
+                name: downloadLocalProperties
+                inputs:
+                  secureFile: 'local.properties'
+
+              - task: DownloadSecureFile@1
+                name: downloadSecringGpg
+                inputs:
+                  secureFile: 'secring.gpg'
+              
+              - pwsh: |
+                  Copy-Item $(downloadSecringGpg.secureFilePath) secring.gpg -Verbose
+                  Copy-Item $(downloadLocalProperties.secureFilePath) local.properties -Verbose
+                displayName: Copy secring and 'local.properties'
+
+              - script: ./gradlew --no-daemon publishToMavenLocal -PmavenCentralPublishingEnabled=true -PmavenCentralSnapshotArtifactSuffix=""
+                displayName: Publish to local Maven for verification
+                # condition: contains(variables['build.sourceBranch'], 'refs/tags/v')
+
+              # - script: ./gradlew --no-daemon publishToMavenLocal -PmavenCentralPublishingEnabled=true
+              #   displayName: Publish to local Maven for verification
+              #   condition: not(contains(variables['build.sourceBranch'], 'refs/tags/v'))
+
+              - script: ./gradlew --no-daemon publishMavenPublicationToADORepository -PmavenCentralPublishingEnabled=true -PmavenCentralSnapshotArtifactSuffix=""
+                displayName: Publish to local Maven ADO for ESRP
+                # condition: contains(variables['build.sourceBranch'], 'refs/tags/v')
+
+              # - script: ./gradlew --no-daemon publishMavenPublicationToADORepository -PmavenCentralPublishingEnabled=true
+              #   displayName: Publish to local Maven ADO for ESRP
+              #   condition: not(contains(variables['build.sourceBranch'], 'refs/tags/v'))
+
+              - pwsh: |
+                  $contents = Get-Content gradle.properties -Raw
+                  $major = $contents | Select-String -Pattern 'mavenMajorVersion = ([0-9]+)' | ForEach-Object { $_.Matches.Groups[1].Value }
+                  $minor = $contents | Select-String -Pattern 'mavenMinorVersion = ([0-9]+)' | ForEach-Object { $_.Matches.Groups[1].Value }
+                  $patch = $contents | Select-String -Pattern 'mavenPatchVersion = ([0-9]+)' | ForEach-Object { $_.Matches.Groups[1].Value }
+                  # $snapshot_suffix = if ($Env:BRANCH_NAME.StartsWith('refs/tags/v')) { '' } else { '-SNAPSHOT' }
+                  $version = "$major.$minor.$patch$snapshot_suffix"
+                  echo "Current version is $version"
+                  echo "##vso[task.setvariable variable=PACKAGE_VERSION;]$version"
+                displayName: Get current version
+                name: GetVersion
+                env:
+                  BRANCH_NAME: $(Build.SourceBranchName)
+
+              - pwsh: |
+                  .\scripts\validatePackageContents.ps1 -ArtifactId microsoft-graph -Version $(PACKAGE_VERSION) -ValidateMavenMetadata $false
+                displayName: Inspect contents of local Maven cache
+
+              - pwsh: |
+                  .\scripts\zipPackageContent.ps1 -OutputDirectory $Env:OUTPUT_DIRECTORY -ArtifactId microsoft-graph -PackageSegment abstractions -Version $(PACKAGE_VERSION)
+                  echo "list of zips:"
+                  Get-ChildItem -Path $Env:OUTPUT_DIRECTORY -Filter "*.zip" | ForEach-Object { Write-Host $_.FullName }
+                displayName: Zip contents of local Maven cache
+                env:
+                  OUTPUT_DIRECTORY: $(Build.ArtifactStagingDirectory)
+              
+              - task: 1ES.PublishPipelineArtifact@1
+                displayName: "Publish Artifact: jars"
+                inputs:
+                  artifactName: jars
+                  targetPath: "$(Build.ArtifactStagingDirectory)"
+
+      - stage: deploy
+        # condition: and(or(contains(variables['build.sourceBranch'], 'refs/tags/v'), eq(variables['build.sourceBranch'], '${{ parameters.previewBranch }}')), succeeded())
+        dependsOn: build
+        jobs:
+          - deployment: deploy_github
+            condition: and(contains(variables['build.sourceBranch'], 'refs/tags/v'), succeeded())
+            pool:
+              name: Azure-Pipelines-1ESPT-ExDShared
+              os: linux
+              image: ubuntu-latest
+            templateContext:
+              type: releaseJob
+              isProduction: true
+              inputs:
+                - input: pipelineArtifact
+                  artifactName: jars
+                  targetPath: "$(Pipeline.Workspace)"
+            environment: kiota-github-releases
+            strategy:
+              runOnce:
+                deploy:
+                  steps:
+                    - pwsh: |
+                        $zips = Get-ChildItem -Path "$(Pipeline.Workspace)" -Filter "*.zip"
+                        $zip = $zips | Select-Object -First 1
+                        $zipName = $zip.Name
+                        if ($zipName -match "\d+.\d+.\d+")
+                        {
+                          $version = $matches[0]
+                          echo "Current version is $version"
+                          echo "##vso[task.setvariable variable=artifactVersion;]$version"
+                        }
+                        else
+                        {
+                          Write-Error "No valid version found in zip file name."
+                          exit 1
+                        }
+
+                    - pwsh: |
+                        $zips = Get-ChildItem -Path "$(Pipeline.Workspace)" -Filter "*.zip"
+                        foreach ($zip in $zips) {
+                            $targetPath = $zip.FullName.Replace(".zip", "")
+                            Expand-Archive -Path $zip.FullName -DestinationPath $targetPath
+                            Remove-Item -Path $zip.FullName -Force
+                        }
+                      displayName: Unzip artifacts
+                        
+                    - task: GitHubRelease@1
+                      inputs:
+                        gitHubConnection: "microsoftkiota"
+                        tagSource: userSpecifiedTag
+                        tag: "v$(artifactVersion)"
+                        title: "v$(artifactVersion)"
+                        assets: |
+                          $(Pipeline.Workspace)/**/*.jar
+                          $(Pipeline.Workspace)/**/*.jar.md5
+                          $(Pipeline.Workspace)/**/*.jar.sha1
+                          $(Pipeline.Workspace)/**/*.jar.sha256
+                          $(Pipeline.Workspace)/**/*.jar.sha512
+                          $(Pipeline.Workspace)/**/*.jar.asc
+                          $(Pipeline.Workspace)/**/*.jar.asc.md5
+                          $(Pipeline.Workspace)/**/*.jar.asc.sha1
+                          $(Pipeline.Workspace)/**/*.jar.asc.sha256
+                          $(Pipeline.Workspace)/**/*.jar.asc.sha512
+                          $(Pipeline.Workspace)/**/*.pom
+                          $(Pipeline.Workspace)/**/*.pom.md5
+                          $(Pipeline.Workspace)/**/*.pom.sha1
+                          $(Pipeline.Workspace)/**/*.pom.sha256
+                          $(Pipeline.Workspace)/**/*.pom.sha512
+                          $(Pipeline.Workspace)/**/*.pom.asc
+                          $(Pipeline.Workspace)/**/*.pom.asc.md5
+                          $(Pipeline.Workspace)/**/*.pom.asc.sha1
+                          $(Pipeline.Workspace)/**/*.pom.asc.sha256
+                          $(Pipeline.Workspace)/**/*.pom.asc.sha512
+                          $(Pipeline.Workspace)/**/*.module
+                          $(Pipeline.Workspace)/**/*.module.md5
+                          $(Pipeline.Workspace)/**/*.module.sha1
+                          $(Pipeline.Workspace)/**/*.module.sha256
+                          $(Pipeline.Workspace)/**/*.module.sha512
+                          $(Pipeline.Workspace)/**/*.module.asc
+                          $(Pipeline.Workspace)/**/*.module.asc.md5
+                          $(Pipeline.Workspace)/**/*.module.asc.sha1
+                          $(Pipeline.Workspace)/**/*.module.asc.sha256
+                          $(Pipeline.Workspace)/**/*.module.asc.sha512
+
+                        addChangeLog: false
+                        action: edit
+            
+          - deployment: deploy_maven
+            # snapshots are not supported by ESRP release for now, but they are planning to add support. When it happens, simply remove the condition
+            # condition: and(contains(variables['build.sourceBranch'], 'refs/tags/v'), succeeded())
+            pool:
+              name: Azure-Pipelines-1ESPT-ExDShared
+              os: linux
+              image: ubuntu-latest
+            templateContext:
+              type: releaseJob
+              isProduction: true
+              inputs:
+                - input: pipelineArtifact
+                  artifactName: jars
+                  targetPath: "$(Pipeline.Workspace)"
+            dependsOn: []
+            environment: maven_central
+            strategy:
+              runOnce:
+                deploy:
+                  steps:
+                    - task: EsrpRelease@9
+                      inputs:
+                        connectedservicename: "Federated DevX ESRP Managed Identity Connection"
+                        usemanagedidentity: false
+                        keyvaultname: "akv-prod-eastus"
+                        authcertname: "ReferenceLibraryPrivateCert"
+                        signcertname: "ReferencePackagePublisherCertificate"
+                        clientid: "65035b7f-7357-4f29-bf25-c5ee5c3949f8"
+                        intent: "PackageDistribution"
+                        contenttype: "Maven"
+                        contentsource: "Folder"
+                        folderlocation: "$(Pipeline.Workspace)"
+                        waitforreleasecompletion: true
+                        owners: vibiret@microsoft.com
+                        approvers: mmainer@microsoft.com
+                        serviceendpointurl: "https://api.esrp.microsoft.com"
+                        mainpublisher: "ESRPRELPACMAN"
+                        domaintenantid: "cdc5aeea-15c5-4db6-b079-fcadd2505dc2"

.github/workflows/preview-and-release.yml

@@ -1,5 +1,7 @@
 name: Maven Preview/Release and GitHub Release
 
+# TODO: remove the todo entries in build.gradle
+
 on:
   push:
     branches: [main]

build.gradle

@@ -12,6 +12,7 @@ plugins {
     id 'eclipse'
     id 'maven-publish'
     id 'signing'
+    // TODO remove this dependency once we remove the GH WF
     id 'io.github.gradle-nexus.publish-plugin' version '2.0.0'
 }
 
@@ -79,8 +80,16 @@ publishing {
         	}
 		}
     }
+
+    repositories {
+        maven {
+            name = "ADO"
+            url = layout.buildDirectory.dir("publishing-repository")
+        }
+    }
 }
 
+// TODO remove this configuration once we remove the GH WF
 nexusPublishing {
     repositories {
         sonatype {

scripts/validatePackageContents.ps1

@@ -3,7 +3,8 @@ param(
   [Parameter(Mandatory=$true)][string] $ArtifactId,
   [Parameter(Mandatory=$true)][string] $Version,
   [Parameter()][string] $GroupId = "com.microsoft.graph",
-  [Parameter()][string] $MavenLocalCachePath = "~" + [System.IO.Path]::DirectorySeparatorChar + ".m2" + [System.IO.Path]::DirectorySeparatorChar + "repository"
+  [Parameter()][string] $MavenLocalCachePath = "~" + [System.IO.Path]::DirectorySeparatorChar + ".m2" + [System.IO.Path]::DirectorySeparatorChar + "repository",
+  [Parameter()][bool] $ValidateMavenMetadata = $true
 )
 
 $groupIdPath = $GroupId -replace "\.", [System.IO.Path]::DirectorySeparatorChar
@@ -48,7 +49,7 @@ foreach($file in $expectedFiles) {
 }
 
 $mavenMetadataFiles = Get-ChildItem -Path $packageFullPath -Filter "maven-metadata*.xml"
-if($mavenMetadataFiles.Count -eq 0) {
+if($mavenMetadataFiles.Count -eq 0 -and $ValidateMavenMetadata -eq $true) {
   Write-Output "No maven-metadata*.xml files found in package."
   exit 1
 }

scripts/zipPackageContent.ps1

@@ -0,0 +1,31 @@
+# Checks that expected files are present & have contents after the publish process to the local cache
+param(
+  [Parameter(Mandatory=$true)][string] $ArtifactId,
+  [Parameter(Mandatory=$true)][string] $PackageSegment,
+  [Parameter(Mandatory=$true)][string] $Version,
+  [Parameter(Mandatory=$true)][string] $OutputDirectory,
+  [Parameter()][string] $GroupId = "com.microsoft.kiota",
+  [Parameter()][string] $ComponentsSegment = "..\components",
+  [Parameter()][string] $buildOutDir = "build\publishing-repository"
+)
+
+#components\bundle\build\publishing-repository\com\microsoft\kiota\microsoft-kiota-bundle\1.8.5\
+
+$groupIdPath = $GroupId -replace "\.", [System.IO.Path]::DirectorySeparatorChar
+$packageFullPath = Join-Path -Path $PSScriptRoot -ChildPath $ComponentsSegment -AdditionalChildPath $PackageSegment, $buildOutDir, $groupIdPath, $ArtifactId, $Version
+
+Write-Output "---------------------------------------------------"
+Write-Output "Zipping package contents at $packageFullPath"
+
+if(-not (Test-Path -Path $packageFullPath)) {
+  Write-Output "Package not found in local cache."
+  exit 1
+}
+
+$outputFilePath = Join-Path -Path $OutputDirectory -ChildPath "$ArtifactId-$Version.zip"
+# removing any existing file
+Remove-Item -Path $outputFilePath -ErrorAction SilentlyContinue
+# removing any xml files that are not expected in ESRP release
+Compress-Archive -Path "$packageFullPath\*" -DestinationPath $outputFilePath
+
+exit 0