-
Notifications
You must be signed in to change notification settings - Fork 77
/
.cirrus.yaml
168 lines (161 loc) · 9.35 KB
/
.cirrus.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
env:
ARTIFACTORY_PASSWORD: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-private-reader access_token]
ARTIFACTORY_URL: VAULT[development/kv/data/repox data.url]
ARTIFACTORY_USER: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-private-reader username]
CIRRUS_SHELL: bash
USERPROFILE: C:\sonar-ci # Fixes error MSB3073 and path too long issue with restored packages
TMP_DIR: C:\sonar-ci\temp
ec2_instance_definition: &INSTANCE_DEFINITION
region: eu-central-1
type: c6i.xlarge
image: sonarlint-visualstudio-v*
platform: windows
calculate_version_script_definition: &CALCULATE_VERSION_SCRIPT_DEFINITION |
versionProps=$(cat build/Version.props)
sonarProjectVersion=$(echo "$versionProps" | sed -n 's:.*<MainVersion>\(.*\)</MainVersion>.*:\1:p')
echo "SHORT_VERSION=${sonarProjectVersion}" >> $CIRRUS_ENV
echo "PROJECT_VERSION=${sonarProjectVersion}.${CI_BUILD_NUMBER}" >> $CIRRUS_ENV
only_sonarsource_qa: &ONLY_SONARSOURCE_QA
$CIRRUS_USER_COLLABORATOR == "true" && $CIRRUS_TAG == "" && ($CIRRUS_PR != "" || $CIRRUS_BRANCH == "master" || $CIRRUS_BRANCH == "ci-images-verifier" || $CIRRUS_BRANCH =~ "branch-.*" || $CIRRUS_BRANCH =~ "dogfood-on-.*")
build_task:
ec2_instance: *INSTANCE_DEFINITION
only_if: *ONLY_SONARSOURCE_QA
env:
ARTIFACTORY_DEPLOY_TOKEN: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-qa-deployer access_token]
COVERAGE_FILE: coverage.xml
LOCALAPPDATA: C:\sonar-ci\AppData\Local # Fixes unit test error
SIGN_KEY: VAULT[development/kv/data/sign data.key]
SIGN_PASSPHRASE: VAULT[development/kv/data/sign data.passphrase]
SM_API_KEY: VAULT[development/team/sonarlint/kv/data/codesigning/2023-2025 data.apikey]
SM_CERT_FP: VAULT[development/team/sonarlint/kv/data/codesigning/2023-2025 data.cert_fp]
SM_CERT: VAULT[development/team/sonarlint/kv/data/codesigning/2023-2025 data.cert]
SM_CLIENT_CERT_FILE_BASE64: VAULT[development/team/sonarlint/kv/data/codesigning/2023-2025 data.client_cert_file_base64]
SM_CLIENT_CERT_FILE: ${TMP_DIR}\digicert_signing_certificate.p12
SM_CLIENT_CERT_PASSWORD: VAULT[development/team/sonarlint/kv/data/codesigning/2023-2025 data.client_cert_password]
SM_CLIENT_CRT_FILE: ${TMP_DIR}\digicert_signing_certificate.crt
SM_CLIENT_CRT: VAULT[development/team/sonarlint/kv/data/codesigning/2023-2025 data.cert]
SM_HOST: VAULT[development/team/sonarlint/kv/data/codesigning/2023-2025 data.host]
SM_KP: key_525594307
SOLUTION_PATH: SonarLint.VisualStudio.Integration.sln
SONAR_TOKEN: VAULT[development/kv/data/sonarcloud data.token]
SONAR_URL: VAULT[development/kv/data/sonarcloud data.url]
SONARSOURCE_SNK_FILE: ${TMP_DIR}\SonarSource.snk
SONARSOURCE_SNK: VAULT[development/team/languages/kv/data/strong_named_key data.SonarSourceSecret_snk]
clone_script: |
git config --global core.autocrlf true
if [ -z "$CIRRUS_PR" ]; then
git clone --recursive --branch=$CIRRUS_BRANCH https://x-access-token:${CIRRUS_REPO_CLONE_TOKEN}@github.com/${CIRRUS_REPO_FULL_NAME}.git $CIRRUS_WORKING_DIR
git reset --hard $CIRRUS_CHANGE_IN_REPO
else
git clone --recursive https://x-access-token:${CIRRUS_REPO_CLONE_TOKEN}@github.com/${CIRRUS_REPO_FULL_NAME}.git $CIRRUS_WORKING_DIR
git fetch origin pull/$CIRRUS_PR/head:pull/$CIRRUS_PR
git checkout pull/$CIRRUS_PR
git reset --hard $CIRRUS_CHANGE_IN_REPO
fi
calculate_version_script: *CALCULATE_VERSION_SCRIPT_DEFINITION
prepare_signing_script: |
if [[ "${CIRRUS_BRANCH}" == "${CIRRUS_DEFAULT_BRANCH}" ]] || echo "${CIRRUS_BRANCH}" | grep -qE "^branch-.*" || echo "${CIRRUS_BRANCH}" | grep -qE "^sign-.*"; then
mkdir -p "${TMP_DIR}"
mkdir -p "${LOCALAPPDATA}"
echo "${SONARSOURCE_SNK}" | base64 -d > "${SONARSOURCE_SNK_FILE}"
echo "${SM_CLIENT_CERT_FILE_BASE64}" | base64 -d > "${SM_CLIENT_CERT_FILE}"
echo "${SM_CLIENT_CRT}" > "${SM_CLIENT_CRT_FILE}"
smctl windows certsync
echo "SHOULD_SIGN=true" >> $CIRRUS_ENV
else
echo "SHOULD_SIGN=false" >> $CIRRUS_ENV
fi
set_project_version_script: |
msbuild.exe build/ChangeVersion.proj -p:Sha1=${CIRRUS_CHANGE_IN_REPO} -p:BranchName=${CIRRUS_BRANCH} -p:BuildNumber=${CI_BUILD_NUMBER} -p:BuildConfiguration=Release
download_jar_dependencies_script: |
msbuild.exe build/DownloadDependencies -p:VsVersion=17.0 -p:VsTargetVersion=2022
dotnet_restore_script: |
dotnet restore "${SOLUTION_PATH}" --locked-mode
prepare_analysis_script: |
.cirrus/sonarqube-cloud-analysis.sh
build_solution_script: |
msbuild.exe "${SOLUTION_PATH}" -p:VsVersion=17.0 -p:VsTargetVersion=2022 -p:SignArtifacts=${SHOULD_SIGN} -p:AssemblyOriginatorKeyFile="${SONARSOURCE_SNK_FILE}" -p:DeployExtension=false -p:Sha1="${CIRRUS_CHANGE_IN_REPO}" -p:BuildNumber="${CI_BUILD_NUMBER}" -p:Configuration=Release
sign_artifact_script: |
if [[ "${SHOULD_SIGN}" == "true" ]]; then
nuget sign "binaries/SonarLint.VSIX-${PROJECT_VERSION}-2022.vsix" -HashAlgorithm SHA256 -CertificateFingerprint ${SM_CERT_FP} -Timestamper http://timestamp.digicert.com -TimestampHashAlgorithm SHA256
else
echo "Artifact not signed"
fi
generate_sbom_script: |
if [[ "${SHOULD_SIGN}" == "true" ]]; then
sbomname="SonarLint.visualstudio.sbom-${PROJECT_VERSION}-2022.json"
gpg --batch --passphrase "$SIGN_PASSPHRASE" --allow-secret-key-import --import <(echo "$SIGN_KEY")
gpg --list-secret-keys
dotnet CycloneDX SonarLint.VisualStudio.Integration.sln -t -j -o binaries
cd binaries
mv bom.json $sbomname
gpg --pinentry-mode loopback --passphrase "$SIGN_PASSPHRASE" --armor --detach-sig --default-key infra@sonarsource.com "$sbomname"
echo "signed $sbomname"
ls -al
fi
binaries_artifacts:
path: "binaries/*"
publish_to_repox_script: |
jf config add repox --artifactory-url ${ARTIFACTORY_URL} --access-token "${ARTIFACTORY_DEPLOY_TOKEN}"
jf rt upload "binaries/*" sonarsource-public-qa/org/sonarsource/sonarlint/visualstudio/${CIRRUS_REPO_NAME}/${PROJECT_VERSION}/ --flat --build-name ${CIRRUS_REPO_NAME} --build-number ${CI_BUILD_NUMBER} --module="org.sonarsource.sonarlint.visualstudio:${CIRRUS_REPO_NAME}:${PROJECT_VERSION}"
jf rt bp ${CIRRUS_REPO_NAME} ${CI_BUILD_NUMBER}
tests_script: |
vstest.console.exe --EnableCodeCoverage --Logger:trx --ResultsDirectory:"TestResults" src/**/bin/**/Sonar*.*Tests.dll
collect_coverage_script: |
dotnet-coverage merge -o "${COVERAGE_FILE}" -f xml "**\*.coverage"
sonarcloud_analysis_script: |
dotnet sonarscanner end -d:sonar.token="${SONAR_TOKEN}"
on_failure:
asmref_artifacts:
path: "src/Integration.Vsix/**/AsmRef_*.txt"
dogfood_task:
depends_on:
- build
only_if: $CIRRUS_USER_COLLABORATOR == "true" && $CIRRUS_TAG == "" && ($CIRRUS_BRANCH == $CIRRUS_DEFAULT_BRANCH || $CIRRUS_BRANCH =~ "branch-.*" || $CIRRUS_BRANCH =~ "dogfood-on-.*")
ec2_instance: *INSTANCE_DEFINITION
env:
AWS_ACCESS_KEY_ID: VAULT[development/aws/sts/downloads access_key]
AWS_SECRET_ACCESS_KEY: VAULT[development/aws/sts/downloads secret_key]
AWS_SESSION_TOKEN: VAULT[development/aws/sts/downloads security_token]
AWS_DEFAULT_REGION: eu-central-1
get_binaries_script: |
curl -O "https://api.cirrus-ci.com/v1/artifact/build/${CIRRUS_BUILD_ID}/build/binaries.zip"
unzip binaries.zip
calculate_version_script: *CALCULATE_VERSION_SCRIPT_DEFINITION
dogfood_script: |
mkdir -p /tmp/dogfood/${PROJECT_VERSION}
PrivateGalleryCreator.exe --input=binaries --terminate --source="https://binaries.sonarsource.com/SonarLint-for-VisualStudio/dogfood/${PROJECT_VERSION}/" --output=/tmp/dogfood/feed.xml
cp binaries/SonarLint.VSIX-${PROJECT_VERSION}-2022.vsix /tmp/dogfood/${PROJECT_VERSION}/
.cirrus/publish-dogfood-site.sh /tmp/dogfood
mend_scan_task:
ec2_instance: *INSTANCE_DEFINITION
only_if: $CIRRUS_USER_COLLABORATOR == "true" && $CIRRUS_TAG == "" && ($CIRRUS_BRANCH == $CIRRUS_DEFAULT_BRANCH || $CIRRUS_BRANCH =~ "branch-.*" || $CIRRUS_BRANCH == "ci-images-verifier" || $CIRRUS_BRANCH =~ "mend-.*")
depends_on:
- build
env:
WS_APIKEY: VAULT[development/kv/data/mend data.apikey]
calculate_version_script: *CALCULATE_VERSION_SCRIPT_DEFINITION
mend_scan_script: |
source cirrus-env QA
export WS_PRODUCTNAME="SonarLint/VisualStudio"
export WS_PROJECTNAME="${CIRRUS_REPO_FULL_NAME} ${SHORT_VERSION}"
export WS_PROJECTVERSION=${SHORT_VERSION}
ws_scan.sh -c build/whitesource/wss-unified-agent.config
allow_failures: true
always:
ws_artifacts:
path: "whitesource/**/*"
promote_task:
ec2_instance: *INSTANCE_DEFINITION
only_if: $CIRRUS_USER_COLLABORATOR == "true" && $CIRRUS_TAG == "" && ($CIRRUS_BRANCH == $CIRRUS_DEFAULT_BRANCH || $CIRRUS_BRANCH =~ "branch-.*")
depends_on:
- build
env:
ARTIFACTORY_PROMOTE_ACCESS_TOKEN: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-promoter access_token]
GITHUB_TOKEN: VAULT[development/github/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-promotion token]
calculate_version_script: *CALCULATE_VERSION_SCRIPT_DEFINITION
promote_script: |
jf config add repox --artifactory-url ${ARTIFACTORY_URL} --access-token "${ARTIFACTORY_PROMOTE_ACCESS_TOKEN}"
jf rt bpr --status "it-passed" "${CIRRUS_REPO_NAME}" "${CI_BUILD_NUMBER}" "sonarsource-public-builds"
source cirrus-env PROMOTE
github-notify-promotion