microsoft / axe-windows

Automated accessibility testing engine for Windows applications
MIT License

feat(Pipeline Migration to 1ES Template): migrated signed build to 1ES micro build template #994

Closed v-viyada closed 7 months ago

v-viyada commented 7 months ago

Details

This PR is for migrating the Microsoft.axe-windows(signed) pipeline to the 1ES MicroBuild Template.

Old run link: https://dev.azure.com/mseng/1ES/_build/results?buildId=25829758&view=results

New run link: https://dev.azure.com/mseng/1ES/_build/results?buildId=25904428&view=results

Below are the details:

  1. There are fewer test cases in the new pipeline as we are filtering UI test cases in the debug and release compliance jobs. These test cases are already filtered in the Signed Release job as the agent pool used for micro build does not support it. After migration, the debug and release compliance jobs will also run on the same agent pool instead of the default ADO agent pool. These test cases are running successfully in the PR and CI pipelines. The filter used is --filter TestCategory!=Integration.
  2. We have to keep running the compliance jobs as we are running the TSA upload task. Currently the 1ES template does not support a dynamic TSA config file.
  3. The Binskim task is running twice in the Signed Release job. One is auto-injected by the 1ES template and the other one we added manually for TSA upload. The 1ES template does not support TSA upload for a specific job in the pipeline. If we enable TSA in the template then it will inject the TSA task in all the jobs, including the source SDL job. We cannot enable TSA for the sourceSDL job because it requires us to hardcode the TSA config in the repo.
  4. Compared the output artifacts between the old and new runs. Below are the differences.
    • _manifest folder in all the artifacts. This contains the SBOM manifest for the artifact. For the Official template (used for the production pipeline), this task is enabled by default. This folder is also available in the NuGet artifact which is used in the "Deploy Axe-Windows to NuGet" release pipeline. I think it will not impact the release pipeline as per the pattern specified to get the NuGet files.
    • DebugDrop has extra files as there are more SDL tasks running due to auto-injection from the template.
    • MicroBuild folder missing from the drop artifacts. This is because the MicroBuild plugins are now installed using an auto-injected task which is defined to download the plugins into a temporary directory instead of the source directory. I tried copying them into the artifacts but the credscan task for artifact folders fails as this contains some secret. Also, we are not using this in our release pipeline so it is not a required output. Pipeline run link for credscan task failure.
  5. [warning]1ES PT Warning: Failed to fetch default repository branch.

    This is an existing issue. Please refer to Bug 2119901: Address issue "Failed to fetch default branch"

Motivation

User Story 2136518: Migrate Microsoft.axe-windows(signed) to 1ES template
