# CI and PR triggers are disabled; the pipeline runs only on the schedule below.
trigger: none
pr: none
schedules:
  # Runs at minute 0 of every hour against the main branch.
  - cron: '0 * * * *'
    displayName: Hourly deployment check
    branches:
      include:
        - main
    always: true # run even when there are no new commits — needed since we check an external GitHub release, not repo changes
# The `resources` specify the location and version of the 1ES PT.
resources:
  repositories:
    # Source of WebUI.Release.PipelineTemplate.yml, which the Deploy job
    # includes as a step template.
    # NOTE(review): `ref: main` is a moving branch, so any change merged there
    # is picked up by the next hourly run without a change to this file.
    # Consider pinning to a tag or commit so that updates to the release logic
    # are an explicit, reviewed change here.
    - repository: webuiPipelines
      type: git
      name: open-source/WebUIPipelineTemplates
      ref: main
    # Source of the 1ES pipeline template that this pipeline extends.
    - repository: 1esPipelines
      type: git
      name: 1ESPipelineTemplates/1ESPipelineTemplates
      ref: refs/tags/release
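extends:
  # The pipeline extends the 1ES PT which will inject different SDL and compliance tasks.
  # For non-production pipelines, use "Unofficial" as defined below.
  # For production pipelines, use "Official".
  template: v1/1ES.Official.PipelineTemplate.yml@1esPipelines
  parameters:
    # Update the pool with your team's 1ES hosted pool.
    pool:
      name: OneESPool  # Name of your hosted pool
      image: HostedPoolLinuxImage  # Name of the image in your pool. If not specified, first image of the pool is used
      os: linux  # OS of the image. This value cannot be a variable. Allowed values: windows, linux, macOS
    sdl:
      sourceAnalysisPool:
        name: OneESPool  # Name of your hosted pool
        image: HostedPoolWindowsImage  # Name of the image in your pool. If not specified, first image of the pool is used
        os: windows  # OS of the image. Allowed values: windows, linux, macOS
    settings:
      # NOTE(review): confirm that Permissive is the intended network isolation
      # level for a pipeline that publishes packages; the exact egress rules
      # come from the 1ES template and are not visible in this file.
      networkIsolationPolicy: Permissive
    stages:
      # ── Stage 1: Lightweight version check (runs every hour, ~1-2 min) ──
      # This stage is separate so that when no deployment is needed, the
      # heavyweight Package stage (with all its 1ES SDL tasks) is skipped
      # entirely — avoiding ~30 min of unnecessary agent provisioning and
      # compliance scans on every hourly no-op run.
      - stage: Check
        jobs:
          - job: CheckVersion
            steps:
              # persistCredentials keeps the job's access token in the local
              # git config after checkout; the `git fetch --tags` below relies
              # on it.
              - checkout: self
                persistCredentials: "true"
              - task: DownloadGitHubRelease@0
                displayName: Download latest GitHub release
                inputs:
                  connection: fast
                  userRepository: microsoft/webui
                  defaultVersionType: 'latest'
                  downloadPath: '$(System.ArtifactsDirectory)'
              # Extract the version number from the downloaded .crate filename,
              # e.g. microsoft-webui-0.0.3.crate → 0.0.3
              #
              # The version comes from the name of a downloaded release asset
              # and is then written into `##vso[...]` logging commands and
              # macro-expanded into later scripts and a git tag name. It is
              # therefore checked against a strict semantic-version pattern
              # before it is published as a variable.
              - script: |
                  CRATE_FILE=$(ls "$(System.ArtifactsDirectory)"/microsoft-webui-*.crate 2>/dev/null | head -1)
                  if [ -z "$CRATE_FILE" ]; then
                    echo "##vso[task.logissue type=error]No microsoft-webui-*.crate file found in $(System.ArtifactsDirectory)"
                    exit 1
                  fi
                  VERSION=$(basename "$CRATE_FILE" .crate | sed 's/^microsoft-webui-//')
                  VERSION_RE='^[0-9]+\.[0-9]+\.[0-9]+([-+][0-9A-Za-z.+-]+)?$'
                  if [[ ! "$VERSION" =~ $VERSION_RE ]]; then
                    echo "##vso[task.logissue type=error]Version derived from the crate filename is not a plain semantic version; refusing to continue"
                    exit 1
                  fi
                  echo "Detected version: ${VERSION}"
                  echo "##vso[task.setvariable variable=releaseVersion]${VERSION}"
                  echo "##vso[task.setvariable variable=releaseVersion;isOutput=true]${VERSION}"
                  echo "##vso[task.setvariable variable=releaseTag;isOutput=true]v${VERSION}"
                displayName: Extract version from downloaded artifacts
                name: resolveTag
              # Check whether this version has already been deployed by looking
              # for a "deployed/vX.Y.Z" git tag. This avoids external network
              # calls to npm/crates.io which are unreachable from 1ES agents.
              # The Deploy job pushes this tag after a successful deployment.
              #
              # The releaseVersion macro is substituted into the script text
              # before the shell runs, which is why the previous step validates
              # the value.
              - script: |
                  set -euo pipefail
                  VERSION="$(releaseVersion)"
                  DEPLOY_TAG="deployed/v${VERSION}"
                  git fetch --tags --quiet
                  if git tag -l "${DEPLOY_TAG}" | grep -q .; then
                    echo "${DEPLOY_TAG} tag exists — version ${VERSION} already deployed"
                    echo "##vso[task.setvariable variable=needsDeployment;isOutput=true]false"
                  else
                    echo "${DEPLOY_TAG} tag not found — version ${VERSION} needs deployment"
                    echo "##vso[task.setvariable variable=needsDeployment;isOutput=true]true"
                  fi
                displayName: Check if already deployed
                name: deploymentCheck
      # ── Stage 2: Download artifacts and deploy (entirely skipped if already deployed) ──
      - stage: Package
        dependsOn: Check
        condition: eq(dependencies.Check.outputs['CheckVersion.deploymentCheck.needsDeployment'], 'true')
        variables:
          releaseTag: $[ stageDependencies.Check.CheckVersion.outputs['resolveTag.releaseTag'] ]
        jobs:
          - job: Deploy
            steps:
              # persistCredentials keeps the job's access token in the local
              # git config for every later step in this job, including the
              # steps injected by the release template. The final tagging step
              # needs it for `git push`.
              - checkout: self
                persistCredentials: "true"
              # This downloads 'latest' a second time, so a release published
              # between the Check stage and this stage would be picked up here
              # even though an older version was the one checked. The
              # verification step below fails the job in that case.
              # NOTE(review): pinning this download to the checked release
              # (defaultVersionType: 'specificTag' with `version`) would be
              # stronger, provided the GitHub release tag matches releaseTag —
              # confirm the tag naming first.
              - task: DownloadGitHubRelease@0
                displayName: Download GitHub release artifacts
                inputs:
                  connection: fast
                  userRepository: microsoft/webui
                  defaultVersionType: 'latest'
                  downloadPath: '$(System.ArtifactsDirectory)'
              # Fail before anything is published if the downloaded release is
              # not the version resolved in the Check stage. Otherwise the
              # "deployed/<releaseTag>" tag pushed at the end would record a
              # different version from the one actually published.
              - script: |
                  set -euo pipefail
                  RELEASE_TAG="$(releaseTag)"
                  EXPECTED_CRATE="$(System.ArtifactsDirectory)/microsoft-webui-${RELEASE_TAG#v}.crate"
                  if [ ! -f "${EXPECTED_CRATE}" ]; then
                    echo "##vso[task.logissue type=error]Downloaded release does not contain the crate for the version resolved in the Check stage"
                    exit 1
                  fi
                displayName: Verify download matches checked version
              # Separate the downloaded files into the directories expected by the
              # release pipeline template. .tgz → npm, .crate → crates. NuGet skipped.
              # NOTE(review): no checksum or signature check on the downloaded
              # assets is visible in this file; confirm whether the release
              # template verifies them before publishing.
              - script: |
                  mkdir -p publish_artifacts_npm publish_artifacts_crates
                  find "$(System.ArtifactsDirectory)" -name "*.tgz" -exec cp {} publish_artifacts_npm/ \;
                  find "$(System.ArtifactsDirectory)" -name "*.crate" -exec cp {} publish_artifacts_crates/ \;
                  echo "npm artifacts:"
                  ls publish_artifacts_npm/
                  echo "crate artifacts:"
                  ls publish_artifacts_crates/
                displayName: Separate release artifacts
              - template: WebUI.Release.PipelineTemplate.yml@webuiPipelines  # Template reference
              # Mark this version as deployed so future pipeline runs skip it.
              # Uses the releaseTag stage variable (e.g. "v0.0.8") to create
              # a "deployed/v0.0.8" tag and push it back to the repo.
              - script: |
                  set -euo pipefail
                  DEPLOY_TAG="deployed/$(releaseTag)"
                  echo "Tagging successful deployment: ${DEPLOY_TAG}"
                  git tag "${DEPLOY_TAG}"
                  git push origin "${DEPLOY_TAG}"
                displayName: Tag successful deployment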