diff --git a/.azure-pipelines-release.yml b/.azure-pipelines-release.yml
new file mode 100644
index 000000000000..2b4d787284fa
--- /dev/null
+++ b/.azure-pipelines-release.yml
@@ -0,0 +1,77 @@
+trigger:
+ batch: true
+ branches:
+ include:
+ - main
+ - "refs/tags/ccf-*"
+
+pr:
+ autoCancel: true
+ branches:
+ include:
+ - main
+ - "release/*"
+ paths:
+ include:
+ - "*"
+
+schedules:
+ - cron: "0 3 * * Mon-Fri"
+ displayName: Daily morning build
+ branches:
+ include:
+ - main
+ - "release/*"
+ exclude:
+ - "release/[0-2].x"
+ always: true
+
+resources:
+ containers:
+ - container: virtual
+ image: ccfmsrc.azurecr.io/ccf/ci:07-12-2023-virtual-clang15
+ options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --cap-add SYS_PTRACE -v /lib/modules:/lib/modules:ro
+
+ - container: snp
+ image: ccfmsrc.azurecr.io/ccf/ci:07-12-2023-snp-clang15
+ options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --cap-add SYS_PTRACE -v /lib/modules:/lib/modules:ro
+
+ - container: sgx
+ image: ccfmsrc.azurecr.io/ccf/ci:07-12-2023-sgx
+ options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --device /dev/sgx_enclave:/dev/sgx_enclave --device /dev/sgx_provision:/dev/sgx_provision -v /dev/sgx:/dev/sgx -v /lib/modules:/lib/modules:ro
+
+variables:
+ ${{ if startsWith(variables['Build.SourceBranch'], 'refs/tags/ccf-') }}:
+ perf_or_release: release
+ perf_tests: no_run
+ ${{ if not(startsWith(variables['Build.SourceBranch'], 'refs/tags/ccf-')) }}:
+ perf_or_release: perf
+ perf_tests: run
+
+jobs:
+ - template: .azure-pipelines-templates/configure.yml
+
+ - template: .azure-pipelines-templates/release-matrix.yml
+ parameters:
+ perf_or_release: ${{ variables['perf_or_release'] }}
+ perf_tests: ${{ variables['perf_tests'] }}
+
+ - job: CredScan
+ variables:
+ Codeql.SkipTaskAutoInjection: true
+ skipComponentGovernanceDetection: true
+ pool:
+ vmImage: "ubuntu-20.04"
+ steps:
+ # Scan for credentials in the repo
+ - task: CredScan@3
+ inputs:
+ suppressionsFile: .gdn/CredScanSuppressions.json
+ # To suppress folders, rather than individual files, we require both of the following options
+ debugMode: true
+ folderSuppression: true
+
+ # Break the 
build if any credentials (or other Guardian scans) find issues + - task: PostAnalysis@2 + inputs: + GdnBreakAllTools: true diff --git a/.azure-pipelines-templates/matrix.yml b/.azure-pipelines-templates/matrix.yml index d0e76bdd84fc..fe780942d2ab 100644 --- a/.azure-pipelines-templates/matrix.yml +++ b/.azure-pipelines-templates/matrix.yml 
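Review bot: The `- template: .azure-pipelines-templates/release-matrix.yml` entry in the jobs list passes `perf_or_release` and `perf_tests`, but the new template (the release-matrix.yml hunk later in this diff) declares only `target`, `env`, `build` and `test` in its parameters block, and Azure Pipelines rejects parameters a template does not declare, so template expansion should fail with an unexpected-parameter error. Since no job in release-matrix.yml selects between perf and release, the simplest fix is to drop the two parameter lines and the conditional `variables` block that feeds them; otherwise declare both parameters in release-matrix.yml. Separately, the `pr:` and `schedules:` triggers make this release pipeline run on every PR to main/release/* and nightly; unless release.yml guards its GitHubRelease and signing steps with a tag condition (not visible here), those steps would run outside tag builds, which is worth confirming.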
@@ -182,66 +182,3 @@ jobs: - SGX_Perf_MultiThreaded - Model_Checking - Simulation - - # Release - - ${{ if eq(parameters.perf_or_release, 'release') }}: - - template: checks.yml - parameters: - env: ${{ parameters.env.Hosted }} - - - template: common.yml - parameters: - target: SGX - env: ${{ parameters.env.SGX }} - cmake_args: "${{ parameters.build.common.cmake_args }} ${{ parameters.build.release.cmake_args }} ${{ parameters.build.SGX.cmake_args }}" - suffix: "Release" - artifact_name: "SGX_Release" - ctest_filter: "${{ parameters.test.release.ctest_args }}" - depends_on: configure - installExtendedTestingTools: true - - - template: common.yml - parameters: - target: SNPCC - env: ${{ parameters.env.SNPCC }} - cmake_args: "${{ parameters.build.common.cmake_args }} ${{ parameters.build.release.cmake_args }} ${{ parameters.build.SNPCC.cmake_args }}" - cmake_env: "${{ parameters.build.SNPCC.cmake_env }}" - suffix: "Release" - artifact_name: "SNPCC_Release" - ctest_filter: "${{ parameters.test.release.ctest_args }}" - depends_on: configure - installExtendedTestingTools: true - - - template: common.yml - parameters: - target: Virtual - env: ${{ parameters.env.Virtual }} - cmake_args: "${{ parameters.build.common.cmake_args }} ${{ parameters.build.release.cmake_args }} ${{ parameters.build.Virtual.cmake_args }}" - cmake_env: "${{ parameters.build.Virtual.cmake_env }}" - suffix: "Release" - artifact_name: "Virtual_Release" - ctest_filter: "${{ parameters.test.release.ctest_args }}" - depends_on: configure - installExtendedTestingTools: true - - # Build that produces unsafe binaries for troubleshooting purposes - - template: common.yml - parameters: - target: SGX - env: ${{ parameters.env.SGX }} - cmake_args: "${{ parameters.build.common.cmake_args }} ${{ parameters.build.unsafe.cmake_args }} ${{ parameters.build.SGX.cmake_args }}" - suffix: "Unsafe" - artifact_name: "SGX_Unsafe" - ctest_filter: "${{ parameters.test.release.ctest_args }}" - depends_on: configure - 
installExtendedTestingTools: false - - - template: release.yml - parameters: - env: ${{ parameters.env.Hosted }} - depends_on: - - Checks - - SGX_Release - - Virtual_Release - - SNPCC_Release - - SGX_Unsafe diff --git a/.azure-pipelines-templates/release-matrix.yml b/.azure-pipelines-templates/release-matrix.yml new file mode 100644 index 000000000000..50ac8bdaad80 --- /dev/null +++ b/.azure-pipelines-templates/release-matrix.yml 
@@ -0,0 +1,115 @@
+parameters:
+ target: ["Virtual", "SGX"]
+
+ env:
+ Hosted:
+ container: virtual
+ pool:
+ vmImage: ubuntu-20.04
+ Virtual:
+ container: virtual
+ pool: ado-virtual-release
+ SGX:
+ container: sgx
+ pool: ado-sgx-release
+ SNPCC:
+ container: snp
+ pool: ado-virtual-release
+
+ build:
+ common:
+ cmake_args: ""
+ cmake_env: ""
+ ninja_targets: "default"
+ Virtual:
+ cmake_args: "-DCOMPILE_TARGET=virtual"
+ cmake_env: "CC=`which clang-15` CXX=`which clang++-15`"
+ ninja_targets: "default"
+ SGX:
+ cmake_args: "-DCOMPILE_TARGET=sgx"
+ cmake_env: ""
+ ninja_targets: "default"
+ SNPCC:
+ cmake_args: "-DCOMPILE_TARGET=snp -DLVI_MITIGATIONS=OFF -DLONG_TESTS=OFF"
+ cmake_env: "CC=`which clang-15` CXX=`which clang++-15`"
+ ninja_targets: "default"
+ release:
+ cmake_args: "-DCLIENT_PROTOCOLS_TEST=ON -DLONG_TESTS=ON"
+ cmake_env: ""
+ ninja_targets: "default"
+ unsafe:
+ cmake_args: "-DLVI_MITIGATIONS=OFF -DVERBOSE_LOGGING=ON -DUNSAFE_VERSION=ON"
+ cmake_env: ""
+ ninja_targets: "default"
+
+ test:
+ Virtual:
+ ctest_args: '-LE "benchmark|perf|protocolstest|vegeta|suite"'
+ SGX:
+ ctest_args: '-LE "benchmark|perf|protocolstest|vegeta|suite"'
+ perf:
+ ctest_args: '-L "benchmark|perf|vegeta"'
+ release:
+ ctest_args: '-LE "benchmark|perf"'
+
+jobs:
+ - template: checks.yml
+ parameters:
+ env: ${{ parameters.env.Hosted }}
+
+ - template: common.yml
+ parameters:
+ target: SGX
+ env: ${{ parameters.env.SGX }}
+ cmake_args: "${{ parameters.build.common.cmake_args }} ${{ parameters.build.release.cmake_args }} ${{ parameters.build.SGX.cmake_args }}"
+ suffix: "Release"
+ artifact_name: "SGX_Release"
+ ctest_filter: "${{ parameters.test.release.ctest_args }}"
+ depends_on: configure
+ installExtendedTestingTools: true
+
+ - template: common.yml
+ parameters:
+ target: SNPCC
+ env: ${{ parameters.env.SNPCC }}
+ cmake_args: "${{ parameters.build.common.cmake_args }} ${{ parameters.build.release.cmake_args }} ${{ parameters.build.SNPCC.cmake_args }}"
+ cmake_env: 
"${{ parameters.build.SNPCC.cmake_env }}" + suffix: "Release" + artifact_name: "SNPCC_Release" + ctest_filter: "${{ parameters.test.release.ctest_args }}" + depends_on: configure + installExtendedTestingTools: true + + - template: common.yml + parameters: + target: Virtual + env: ${{ parameters.env.Virtual }} + cmake_args: "${{ parameters.build.common.cmake_args }} ${{ parameters.build.release.cmake_args }} ${{ parameters.build.Virtual.cmake_args }}" + cmake_env: "${{ parameters.build.Virtual.cmake_env }}" + suffix: "Release" + artifact_name: "Virtual_Release" + ctest_filter: "${{ parameters.test.release.ctest_args }}" + depends_on: configure + installExtendedTestingTools: true + + # Build that produces unsafe binaries for troubleshooting purposes + - template: common.yml + parameters: + target: SGX + env: ${{ parameters.env.SGX }} + cmake_args: "${{ parameters.build.common.cmake_args }} ${{ parameters.build.unsafe.cmake_args }} ${{ parameters.build.SGX.cmake_args }}" + suffix: "Unsafe" + artifact_name: "SGX_Unsafe" + ctest_filter: "${{ parameters.test.release.ctest_args }}" + depends_on: configure + installExtendedTestingTools: false + + - template: release.yml + parameters: + env: ${{ parameters.env.Hosted }} + depends_on: + - Checks + - SGX_Release + - Virtual_Release + - SNPCC_Release + - SGX_Unsafe diff --git a/.azure-pipelines-templates/release.yml b/.azure-pipelines-templates/release.yml index dbdc7814fc54..61f01010665a 100644 --- a/.azure-pipelines-templates/release.yml +++ b/.azure-pipelines-templates/release.yml 
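Review bot: The `parameters` block declares `target`, `test.Virtual`, `test.SGX` and `test.perf`, but none of the jobs in this template read them — every `common.yml` call uses only `env.*`, `build.*` and `test.release.ctest_args` — so they appear to be carried over from matrix.yml rather than part of this template's contract. Either remove the unused entries or state the intent above the `test:` mapping, e.g. `# Only test.release is consumed by the jobs below; the other filters mirror matrix.yml for parity`, so the next reader does not hunt for a consumer. The `target` list in particular is misleading, since the jobs build SNPCC as well as Virtual and SGX.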
@@ -20,9 +20,47 @@ jobs: - script: | set -ex cd $(Build.ArtifactStagingDirectory) + ls rename.ul + _ *+*.deb || true + ls displayName: Remove characters that break GitHubRelease + - script: | + set -ex + sudo apt update + sudo apt install -y wget + wget https://packages.microsoft.com/config/ubuntu/20.04/packages-microsoft-prod.deb -O packages-microsoft-prod.deb + sudo dpkg -i packages-microsoft-prod.deb + sudo apt update + sudo apt install -y dotnet-runtime-6.0 + displayName: Install dotnet runtime for ESRP task + - task: EsrpCodeSigning@4 + inputs: + ConnectedServiceName: "ESRP Code Signing 2023" + FolderPath: "$(Build.ArtifactStagingDirectory)" + Pattern: "*.deb" + signConfigType: "inlineSignParams" + inlineOperation: | + [ + { + "KeyCode" : "CP-500207-Pgp", + "OperationCode" : "LinuxSign", + "Parameters" : {}, + "ToolName" : "sign", + "ToolVersion" : "1.0" + } + ] + SessionTimeout: "60" + MaxConcurrency: "50" + MaxRetryAttempts: "5" + PendingAnalysisWaitTimeoutMinutes: "5" + + - script: | + set -ex + cd $(Build.ArtifactStagingDirectory) + ls + displayName: Display contents of artifact directory + - task: GitHubRelease@0 inputs: gitHubConnection: ccf_release diff --git a/.azure-pipelines.yml b/.azure-pipelines.yml index aa728b0dfd90..dbf33e3ef4d5 100644 --- a/.azure-pipelines.yml +++ b/.azure-pipelines.yml @@ -3,7 +3,6 @@ trigger: branches: include: - main - - "refs/tags/ccf-*" pr: autoCancel: true 
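Review bot: The "Install dotnet runtime for ESRP task" script fetches `packages-microsoft-prod.deb` with wget and immediately runs `sudo dpkg -i` on it with no integrity check, in the same job that holds the `ESRP Code Signing 2023` service connection, so anything that alters that download runs as root next to the signing step. Pin the expected digest between the wget and dpkg lines, e.g. `echo "<EXPECTED_SHA256_PLACEHOLDER>  packages-microsoft-prod.deb" | sha256sum -c -`, and consider pinning `dotnet-runtime-6.0` to an exact package version so the signing environment is reproducible. The `Pattern: "*.deb"` input signs every .deb in the staging directory, which by the release-matrix.yml hunk includes the `SGX_Unsafe` artifact if it is staged here; if that is intended, a short comment on the step saying so would save a future reader the question. The enclosing `steps:` list begins before this hunk.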
@@ -43,20 +42,16 @@ resources: options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --device /dev/sgx_enclave:/dev/sgx_enclave --device /dev/sgx_provision:/dev/sgx_provision -v /dev/sgx:/dev/sgx -v /lib/modules:/lib/modules:ro variables: - ${{ if startsWith(variables['Build.SourceBranch'], 'refs/tags/ccf-') }}: - perf_or_release: release - perf_tests: no_run - ${{ if not(startsWith(variables['Build.SourceBranch'], 'refs/tags/ccf-')) }}: - perf_or_release: perf - perf_tests: run + perf_or_release: perf + perf_tests: run jobs: - template: .azure-pipelines-templates/configure.yml - template: .azure-pipelines-templates/matrix.yml parameters: - perf_or_release: ${{ variables['perf_or_release'] }} - perf_tests: ${{ variables['perf_tests'] }} + perf_or_release: perf + perf_tests: run - job: CredScan variables:
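Review bot: The `variables` block still defines `perf_or_release: perf` and `perf_tests: run`, but the `matrix.yml` template call below now passes the literals `perf` and `run` instead of `${{ variables['perf_or_release'] }}` / `${{ variables['perf_tests'] }}`, so the two variables have no consumer in this file and the two places can drift. Either keep the template call reading the variables, or drop the variables, unless something downstream reads them as runtime `$(perf_tests)` values, which is not visible here.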