microsoft / win32metadata

Tooling to generate metadata for Win32 APIs in the Windows SDK.

Move Azure build pipelines to OneBranch #1877

Closed getrou closed 3 months ago

getrou commented 7 months ago

As part of compliance with updated security requirements, production pipelines must run in a 1ES environment. To do this, pipelines are converting to use OneBranch pipeline templates.

This changes how artifacts are published and the build environment is slightly different, resulting in some small changes to the build files.

As a backup plan, the existing Azure pipeline scripts are left in place. These will be removed in the future.

riverar commented 5 months ago

Does it make sense to migrate the pipeline to GitHub Actions and call out to a backend for signing?

mikebattista commented 5 months ago

No. It looks like we still have access to the existing pipelines, though, so I plan to push out a release this week.

AArnott commented 4 months ago

@georou What is your plan for a release pipeline? I don't see one introduced by this PR.

FWIW, for all the 1ES PT pipeline migrations I've done, I've just reused the existing YAML files for the 1ES PT variety, which kept me from having to create new pipelines in AzDO. It also avoided having YAML files for deprecated pipelines that could confuse folks who want to look at the new pipeline files.

riverar commented 4 months ago

Still unclear to me why this isn't just a normal GHA workflow.

AArnott commented 4 months ago

@riverar put simply, Microsoft has compliance requirements for shipping software that to date are only implemented on Azure Pipelines, AFAIK.

riverar commented 4 months ago

Are we shipping software in this repository though? It's a bunch of non-executable metadata. 😂 (I understand Microsoft is sensitive to this right now though!)

mikebattista commented 4 months ago

Yes, we ship binary tools in addition to metadata and NuGet packages that are signed by Microsoft. GHA doesn't support our workflows.

getrou commented 4 months ago

> @georou What is your plan for a release pipeline? I don't see one introduced by this PR.
>
> FWIW, for all the 1ES PT pipeline migrations I've done, I've just reused the existing YAML files for the 1ES PT variety, which kept me from having to create new pipelines in AzDO. It also avoided having YAML files for deprecated pipelines that could confuse folks who want to look at the new pipeline files.

All these pipelines now run in the github-private/microsoft ADO project, which has its own (very slim) repo associated with it, and uses this github repository as a pipeline resource. The release pipeline YAML has moved there, but we could move it here if we want, I think.