Split release pipeline and add signing (#5954)

.azure-pipelines-release.yml

@@ -0,0 +1,77 @@
+trigger:
+  batch: true
+  branches:
+    include:
+      - main
+      - "refs/tags/ccf-*"
+
+pr:
+  autoCancel: true
+  branches:
+    include:
+      - main
+      - "release/*"
+  paths:
+    include:
+      - "*"
+
+schedules:
+  - cron: "0 3 * * Mon-Fri"
+    displayName: Daily morning build
+    branches:
+      include:
+        - main
+        - "release/*"
+      exclude:
+        - "release/[0-2].x"
+    always: true
+
+resources:
+  containers:
+    - container: virtual
+      image: ccfmsrc.azurecr.io/ccf/ci:07-12-2023-virtual-clang15
+      options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --cap-add SYS_PTRACE -v /lib/modules:/lib/modules:ro
+
+    - container: snp
+      image: ccfmsrc.azurecr.io/ccf/ci:07-12-2023-snp-clang15
+      options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --cap-add SYS_PTRACE -v /lib/modules:/lib/modules:ro
+
+    - container: sgx
+      image: ccfmsrc.azurecr.io/ccf/ci:07-12-2023-sgx
+      options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --device /dev/sgx_enclave:/dev/sgx_enclave --device /dev/sgx_provision:/dev/sgx_provision -v /dev/sgx:/dev/sgx -v /lib/modules:/lib/modules:ro
+
+variables:
+  ${{ if startsWith(variables['Build.SourceBranch'], 'refs/tags/ccf-') }}:
+    perf_or_release: release
+    perf_tests: no_run
+  ${{ if not(startsWith(variables['Build.SourceBranch'], 'refs/tags/ccf-')) }}:
+    perf_or_release: perf
+    perf_tests: run
+
+jobs:
+  - template: .azure-pipelines-templates/configure.yml
+
+  - template: .azure-pipelines-templates/release-matrix.yml
+    parameters:
+      perf_or_release: ${{ variables['perf_or_release'] }}
+      perf_tests: ${{ variables['perf_tests'] }}
+
+  - job: CredScan
+    variables:
+      Codeql.SkipTaskAutoInjection: true
+      skipComponentGovernanceDetection: true
+    pool:
+      vmImage: "ubuntu-20.04"
+    steps:
+      # Scan for credentials in the repo
+      - task: CredScan@3
+        inputs:
+          suppressionsFile: .gdn/CredScanSuppressions.json
+          # To suppress folders, rather than individual files, we require both of the following options
+          debugMode: true
+          folderSuppression: true
+
+      # Break the build if any credentials (or other Guardian scans) find issues
+      - task: PostAnalysis@2
+        inputs:
+          GdnBreakAllTools: true

.azure-pipelines-templates/matrix.yml

@@ -182,66 +182,3 @@ jobs:
             - SGX_Perf_MultiThreaded
             - Model_Checking
             - Simulation
-
-  # Release
-  - ${{ if eq(parameters.perf_or_release, 'release') }}:
-      - template: checks.yml
-        parameters:
-          env: ${{ parameters.env.Hosted }}
-
-      - template: common.yml
-        parameters:
-          target: SGX
-          env: ${{ parameters.env.SGX }}
-          cmake_args: "${{ parameters.build.common.cmake_args }} ${{ parameters.build.release.cmake_args }} ${{ parameters.build.SGX.cmake_args }}"
-          suffix: "Release"
-          artifact_name: "SGX_Release"
-          ctest_filter: "${{ parameters.test.release.ctest_args }}"
-          depends_on: configure
-          installExtendedTestingTools: true
-
-      - template: common.yml
-        parameters:
-          target: SNPCC
-          env: ${{ parameters.env.SNPCC }}
-          cmake_args: "${{ parameters.build.common.cmake_args }} ${{ parameters.build.release.cmake_args }} ${{ parameters.build.SNPCC.cmake_args }}"
-          cmake_env: "${{ parameters.build.SNPCC.cmake_env }}"
-          suffix: "Release"
-          artifact_name: "SNPCC_Release"
-          ctest_filter: "${{ parameters.test.release.ctest_args }}"
-          depends_on: configure
-          installExtendedTestingTools: true
-
-      - template: common.yml
-        parameters:
-          target: Virtual
-          env: ${{ parameters.env.Virtual }}
-          cmake_args: "${{ parameters.build.common.cmake_args }} ${{ parameters.build.release.cmake_args }} ${{ parameters.build.Virtual.cmake_args }}"
-          cmake_env: "${{ parameters.build.Virtual.cmake_env }}"
-          suffix: "Release"
-          artifact_name: "Virtual_Release"
-          ctest_filter: "${{ parameters.test.release.ctest_args }}"
-          depends_on: configure
-          installExtendedTestingTools: true
-
-      # Build that produces unsafe binaries for troubleshooting purposes
-      - template: common.yml
-        parameters:
-          target: SGX
-          env: ${{ parameters.env.SGX }}
-          cmake_args: "${{ parameters.build.common.cmake_args }} ${{ parameters.build.unsafe.cmake_args }} ${{ parameters.build.SGX.cmake_args }}"
-          suffix: "Unsafe"
-          artifact_name: "SGX_Unsafe"
-          ctest_filter: "${{ parameters.test.release.ctest_args }}"
-          depends_on: configure
-          installExtendedTestingTools: false
-
-      - template: release.yml
-        parameters:
-          env: ${{ parameters.env.Hosted }}
-          depends_on:
-            - Checks
-            - SGX_Release
-            - Virtual_Release
-            - SNPCC_Release
-            - SGX_Unsafe

.azure-pipelines-templates/release-matrix.yml

@@ -0,0 +1,115 @@
+parameters:
+  target: ["Virtual", "SGX"]
+
+  env:
+    Hosted:
+      container: virtual
+      pool:
+        vmImage: ubuntu-20.04
+    Virtual:
+      container: virtual
+      pool: ado-virtual-release
+    SGX:
+      container: sgx
+      pool: ado-sgx-release
+    SNPCC:
+      container: snp
+      pool: ado-virtual-release
+
+  build:
+    common:
+      cmake_args: ""
+      cmake_env: ""
+      ninja_targets: "default"
+    Virtual:
+      cmake_args: "-DCOMPILE_TARGET=virtual"
+      cmake_env: "CC=`which clang-15` CXX=`which clang++-15`"
+      ninja_targets: "default"
+    SGX:
+      cmake_args: "-DCOMPILE_TARGET=sgx"
+      cmake_env: ""
+      ninja_targets: "default"
+    SNPCC:
+      cmake_args: "-DCOMPILE_TARGET=snp -DLVI_MITIGATIONS=OFF -DLONG_TESTS=OFF"
+      cmake_env: "CC=`which clang-15` CXX=`which clang++-15`"
+      ninja_targets: "default"
+    release:
+      cmake_args: "-DCLIENT_PROTOCOLS_TEST=ON -DLONG_TESTS=ON"
+      cmake_env: ""
+      ninja_targets: "default"
+    unsafe:
+      cmake_args: "-DLVI_MITIGATIONS=OFF -DVERBOSE_LOGGING=ON -DUNSAFE_VERSION=ON"
+      cmake_env: ""
+      ninja_targets: "default"
+
+  test:
+    Virtual:
+      ctest_args: '-LE "benchmark|perf|protocolstest|vegeta|suite"'
+    SGX:
+      ctest_args: '-LE "benchmark|perf|protocolstest|vegeta|suite"'
+    perf:
+      ctest_args: '-L "benchmark|perf|vegeta"'
+    release:
+      ctest_args: '-LE "benchmark|perf"'
+
+jobs:
+  - template: checks.yml
+    parameters:
+      env: ${{ parameters.env.Hosted }}
+
+  - template: common.yml
+    parameters:
+      target: SGX
+      env: ${{ parameters.env.SGX }}
+      cmake_args: "${{ parameters.build.common.cmake_args }} ${{ parameters.build.release.cmake_args }} ${{ parameters.build.SGX.cmake_args }}"
+      suffix: "Release"
+      artifact_name: "SGX_Release"
+      ctest_filter: "${{ parameters.test.release.ctest_args }}"
+      depends_on: configure
+      installExtendedTestingTools: true
+
+  - template: common.yml
+    parameters:
+      target: SNPCC
+      env: ${{ parameters.env.SNPCC }}
+      cmake_args: "${{ parameters.build.common.cmake_args }} ${{ parameters.build.release.cmake_args }} ${{ parameters.build.SNPCC.cmake_args }}"
+      cmake_env: "${{ parameters.build.SNPCC.cmake_env }}"
+      suffix: "Release"
+      artifact_name: "SNPCC_Release"
+      ctest_filter: "${{ parameters.test.release.ctest_args }}"
+      depends_on: configure
+      installExtendedTestingTools: true
+
+  - template: common.yml
+    parameters:
+      target: Virtual
+      env: ${{ parameters.env.Virtual }}
+      cmake_args: "${{ parameters.build.common.cmake_args }} ${{ parameters.build.release.cmake_args }} ${{ parameters.build.Virtual.cmake_args }}"
+      cmake_env: "${{ parameters.build.Virtual.cmake_env }}"
+      suffix: "Release"
+      artifact_name: "Virtual_Release"
+      ctest_filter: "${{ parameters.test.release.ctest_args }}"
+      depends_on: configure
+      installExtendedTestingTools: true
+
+  # Build that produces unsafe binaries for troubleshooting purposes
+  - template: common.yml
+    parameters:
+      target: SGX
+      env: ${{ parameters.env.SGX }}
+      cmake_args: "${{ parameters.build.common.cmake_args }} ${{ parameters.build.unsafe.cmake_args }} ${{ parameters.build.SGX.cmake_args }}"
+      suffix: "Unsafe"
+      artifact_name: "SGX_Unsafe"
+      ctest_filter: "${{ parameters.test.release.ctest_args }}"
+      depends_on: configure
+      installExtendedTestingTools: false
+
+  - template: release.yml
+    parameters:
+      env: ${{ parameters.env.Hosted }}
+      depends_on:
+        - Checks
+        - SGX_Release
+        - Virtual_Release
+        - SNPCC_Release
+        - SGX_Unsafe

.azure-pipelines-templates/release.yml

@@ -20,9 +20,47 @@ jobs:
       - script: |
           set -ex
           cd $(Build.ArtifactStagingDirectory)
+          ls
           rename.ul + _ *+*.deb || true
+          ls
         displayName: Remove characters that break GitHubRelease
 
+      - script: |
+          set -ex
+          sudo apt update
+          sudo apt install -y wget
+          wget https://packages.microsoft.com/config/ubuntu/20.04/packages-microsoft-prod.deb -O packages-microsoft-prod.deb
+          sudo dpkg -i packages-microsoft-prod.deb
+          sudo apt update
+          sudo apt install -y dotnet-runtime-6.0
+        displayName: Install dotnet runtime for ESRP task
+      - task: EsrpCodeSigning@4
+        inputs:
+          ConnectedServiceName: "ESRP Code Signing 2023"
+          FolderPath: "$(Build.ArtifactStagingDirectory)"
+          Pattern: "*.deb"
+          signConfigType: "inlineSignParams"
+          inlineOperation: |
+            [
+              {
+                "KeyCode" : "CP-500207-Pgp",
+                "OperationCode" : "LinuxSign",
+                "Parameters" : {},
+                "ToolName" : "sign",
+                "ToolVersion" : "1.0"
+              }
+            ]
+          SessionTimeout: "60"
+          MaxConcurrency: "50"
+          MaxRetryAttempts: "5"
+          PendingAnalysisWaitTimeoutMinutes: "5"
+
+      - script: |
+          set -ex
+          cd $(Build.ArtifactStagingDirectory)
+          ls
+        displayName: Display contents of artifact directory
+
       - task: GitHubRelease@0
         inputs:
           gitHubConnection: ccf_release

.azure-pipelines.yml

@@ -3,7 +3,6 @@ trigger:
   branches:
     include:
       - main
-      - "refs/tags/ccf-*"
 
 pr:
   autoCancel: true
@@ -43,20 +42,16 @@ resources:
       options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --device /dev/sgx_enclave:/dev/sgx_enclave --device /dev/sgx_provision:/dev/sgx_provision -v /dev/sgx:/dev/sgx -v /lib/modules:/lib/modules:ro
 
 variables:
-  ${{ if startsWith(variables['Build.SourceBranch'], 'refs/tags/ccf-') }}:
-    perf_or_release: release
-    perf_tests: no_run
-  ${{ if not(startsWith(variables['Build.SourceBranch'], 'refs/tags/ccf-')) }}:
-    perf_or_release: perf
-    perf_tests: run
+  perf_or_release: perf
+  perf_tests: run
 
 jobs:
   - template: .azure-pipelines-templates/configure.yml
 
   - template: .azure-pipelines-templates/matrix.yml
     parameters:
-      perf_or_release: ${{ variables['perf_or_release'] }}
-      perf_tests: ${{ variables['perf_tests'] }}
+      perf_or_release: perf
+      perf_tests: run
 
   - job: CredScan
     variables: