diff --git a/azure-pipelines/1esmain.yml b/azure-pipelines/1esmain.yml
index f6bfd1e070..e5d88f4bd6 100644
--- a/azure-pipelines/1esmain.yml
+++ b/azure-pipelines/1esmain.yml
@@ -19,6 +19,13 @@ parameters:
 - name: npmFeed
 type: string
 default: DevDiv/azcode
+ # Azure Artifacts feed for a private NuGet mirror used during the signing step
+ # (the SignExtension.signproj references Microsoft.VisualStudioEng.MicroBuild.Core).
+ # Configure this feed in Azure DevOps to upstream api.nuget.org/v3/index.json
+ # so that builds don't reach out to public nuget.org.
+ - name: nugetFeed
+ type: string
+ default: DevDiv/azcode
 - name: additionalPostPackageSteps
 type: stepList
 default: []
@@ -74,6 +81,7 @@ extends:
 bamiVariablesGroupName: ${{ parameters.bamiVariablesGroupName }}
 additionalSetupSteps: ${{ parameters.additionalSetupSteps }}
 npmFeed: ${{ parameters.npmFeed }}
+ nugetFeed: ${{ parameters.nugetFeed }}
 additionalPostPackageSteps: ${{ parameters.additionalPostPackageSteps }}
 enableSigning: ${{ parameters.enableSigning }}
 vsixFileNames: ${{ parameters.vsixFileNames }}
diff --git a/azure-pipelines/1esstages.yml b/azure-pipelines/1esstages.yml
index 164d15034e..4a72febf9b 100644
--- a/azure-pipelines/1esstages.yml
+++ b/azure-pipelines/1esstages.yml
@@ -20,6 +20,10 @@ parameters:
 - name: npmFeed
 type: string
 default: DevDiv/azcode
+ # Azure Artifacts feed for a private NuGet mirror (used by the signing step)
+ - name: nugetFeed
+ type: string
+ default: DevDiv/azcode
 - name: additionalPostPackageSteps
 type: stepList
 default: []
@@ -65,6 +69,7 @@ stages:
 vsixFileNames: ${{ parameters.vsixFileNames }}
 workingDirectory: ${{ job.working_directory }}
 npmFeed: ${{ parameters.npmFeed }}
+ nugetFeed: ${{ parameters.nugetFeed }}
 - template: ./templates/stage-artifacts.yml
 - template: ./templates/test.yml
diff --git a/azure-pipelines/README.md b/azure-pipelines/README.md
index 73777d516d..7fdc3a9392 100644
--- a/azure-pipelines/README.md
+++ b/azure-pipelines/README.md
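Review bot: In azure-pipelines/1esmain.yml (and the matching hunks in 1esstages.yml) only `nugetFeed` is declared and forwarded, while templates/sign.yml in this same change takes a second parameter, `nugetFeedUrl`, and passes it to restore as `--source`. A pipeline that follows the README and sets `nugetFeed` to a different `Project/Feed` would, as far as these hunks show, still restore the signing project's packages from the default azcode URL. Either declare `nugetFeedUrl` next to `nugetFeed` in both templates and forward it with `nugetFeedUrl: ${{ parameters.nugetFeedUrl }}`, or drop the second parameter and let sign.yml rely on `vstsFeed` alone. The job template that sits between 1esstages.yml and sign.yml is not part of this page, so the same forwarding needs checking there.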
@@ -120,6 +120,18 @@ extends:
 ```
+> **NuGet feed prerequisite for signing:** The signing step runs `dotnet` against
+> `SignExtension.signproj`, which has a `PackageReference` on
+> `Microsoft.VisualStudioEng.MicroBuild.Core`. To avoid the build reaching out
+> to public `nuget.org`, the templates restore that package from the Azure
+> Artifacts feed identified by the `nugetFeed` parameter (defaults to
+> `DevDiv/azcode`). That feed must be configured in Azure DevOps to have
+> `api.nuget.org/v3/index.json` as an upstream source. If your feed does not
+> mirror NuGet, either (a) add a NuGet upstream to the feed, or (b) override
+> the `nugetFeed` parameter when extending the template (set it to `''` to
+> fall back to the default NuGet sources, or to a different `Project/Feed`
+> name).
+
 ### Extension release pipeline
 This pipeline downloads and releases signed VSIX artifacts from the specified build pipeline.
diff --git a/azure-pipelines/templates/sign.yml b/azure-pipelines/templates/sign.yml
index 41838bc019..fccfc98e4f 100644
--- a/azure-pipelines/templates/sign.yml
+++ b/azure-pipelines/templates/sign.yml
@@ -11,6 +11,17 @@ parameters:
 - name: npmFeed
 type: string
 default: DevDiv/azcode
+ # Azure Artifacts feed for a private NuGet mirror used when restoring the
+ # SignExtension.signproj project. This avoids reaching out to nuget.org from
+ # the signing step. Set to '' to fall back to the default NuGet sources.
+ - name: nugetFeed
+ type: string
+ default: DevDiv/azcode
+ # Internal NuGet v3 index used to force restore to a single source via
+ # command-line arguments without requiring a repo-local NuGet.config.
+ - name: nugetFeedUrl
+ type: string
+ default: https://devdiv.pkgs.visualstudio.com/DevDiv/_packaging/azcode/nuget/v3/index.json
 steps:
 # Check if the SignExtension.signproj file exists and set a variable using PowerShell
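Review bot: The comment on `nugetFeed` in templates/sign.yml says `''` falls back to the default NuGet sources, but the restore step added further down passes `--source ${{ parameters.nugetFeedUrl }}`, and `--source` overrides whatever sources the configuration supplies. Indentation is not recoverable on this page; if `restoreArguments` sits beside the `${{ if ne(parameters.nugetFeed, '') }}` block rather than inside it, an empty `nugetFeed` only removes the authenticated feed inputs and restore stays pinned to the azcode URL, so the fallback described here and in the README does not happen. Please make the comment match the behaviour, and document the coupling on the second parameter, e.g. `# Must be the v3 index of the feed named by nugetFeed; override both together.`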
@@ -56,6 +67,23 @@ steps:
 customRegistry: useFeed
 customFeed: ${{ parameters.npmFeed }}
+ # Restore the signing project's NuGet packages (e.g. Microsoft.VisualStudioEng.MicroBuild.Core)
+ # from the internal Azure Artifacts feed rather than nuget.org. The build steps below pass
+ # --no-restore so they don't trigger an implicit restore against the public feed.
+ - task: DotNetCoreCLI@2
+ condition: and(succeeded(), eq(variables['signprojExists'], True))
+ displayName: "\U0001F449 Restore signing project from internal NuGet feed"
+ inputs:
+ command: "restore"
+ projects: $(signprojPath)
+ ${{ if ne(parameters.nugetFeed, '') }}:
+ feedsToUse: "select"
+ vstsFeed: ${{ parameters.nugetFeed }}
+ includeNuGetOrg: false
+ restoreArguments: >-
+ --source ${{ parameters.nugetFeedUrl }}
+ /p:NuGetAudit=false
+
 # Sign single vsix file if vsixFileNames are not provided
 - ${{ if eq(join('', parameters.vsixFileNames), '') }}:
 - script: vsce generate-manifest -i $(package.name)-$(package.version).vsix -o $(Build.SourcesDirectory)/${{ parameters.workingDirectory }}/extension.manifest
@@ -70,7 +98,7 @@ steps:
 inputs:
 command: "build"
 projects: $(signprojPath)
- arguments: "/p:ProjectDir=$(Build.SourcesDirectory)/${{ parameters.workingDirectory }}/.azure-pipelines/"
+ arguments: "/p:ProjectDir=$(Build.SourcesDirectory)/${{ parameters.workingDirectory }}/.azure-pipelines/ --no-restore"
 env:
 SYSTEM_ACCESSTOKEN: $(System.AccessToken)
@@ -104,7 +132,7 @@ steps:
 inputs:
 command: "build"
 projects: $(signprojPath)
- arguments: "/p:ProjectDir=$(Build.SourcesDirectory)/${{ parameters.workingDirectory }}/.azure-pipelines/"
+ arguments: "/p:ProjectDir=$(Build.SourcesDirectory)/${{ parameters.workingDirectory }}/.azure-pipelines/ --no-restore"
 env:
 SYSTEM_ACCESSTOKEN: $(System.AccessToken)
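Review bot: `/p:NuGetAudit=false` in `restoreArguments` switches off NuGet's vulnerability audit for every restore of the signing project, and the comment above the task explains the feed choice and `--no-restore` but not this. With it off, a package version that has a published advisory restores into the signing step without any warning. If the reason is that the internal feed returns no vulnerability data, say so in the comment, e.g. `# NuGetAudit is disabled because <reason>; the signing project's packages are scanned by <other control>.`, and confirm that such a control exists. The two later hunks that append `--no-restore` to the build arguments make this restore the only point where those packages are resolved.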