Updates "include-publish-npm-package-deployment" pipeline deployment job to be 1ES compliant #23913
+138
−24
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…o separate build step
…to test/seanimam/updatePublishNpmPackageDeployment1EsRelease
seanimam
requested review from
Copilot,
tylerbutler and
alexvy86
and removed request for
Copilot
github-actions
bot
added
area: build
seanimam
changed the title
seanimam
changed the title
tylerbutler
reviewed
Feb 24, 2025
| steps: | ||
| # Checkout the repository | ||
| - checkout: self | ||
| persistCredentials: true # Necessary for creation of git tags to work |
There was a problem hiding this comment.
Does this job actually tag the repo?
There was a problem hiding this comment.
I think tagging remains in the job that does it today (the deployment job that "becomes" a 1ES release job), this extra one wouldn't need this setting. But in https://github.com/microsoft/FluidFramework/pull/23913/files#r1968504949 I argue the new job probably isn't the right solution.
alexvy86
reviewed
Feb 24, 2025
Comment on lines
46
to
65
| # This job is necessary to be compliant with 1ES. | ||
| # 1ES does not allow checking out a code repo within a deployment job so instead we use this pattern | ||
| # of checking out the repo in separate job and uploading it as a pipeline artifact. | ||
| - job: checkoutAndUploadThisRepoAsArtifact | ||
| steps: | ||
| # Checkout the repository | ||
| - checkout: self | ||
| persistCredentials: true # Necessary for creation of git tags to work | ||
| # Copy required files to the artifact staging directory | ||
| - task: CopyFiles@2 | ||
| inputs: | ||
| SourceFolder: $(System.DefaultWorkingDirectory) | ||
| Contents: '**/*' | ||
| TargetFolder: $(Build.ArtifactStagingDirectory) | ||
| # Publish the artifact containing the required files from the repository | ||
| - task: 1ES.PublishPipelineArtifact@1 | ||
| inputs: | ||
| targetPath: $(Build.ArtifactStagingDirectory) | ||
| artifactName: fluidFrameworkRepo | ||
|
|
There was a problem hiding this comment.
Hmmm I think this would technically work, but still goes against the spirit of what we're trying to accomplish by complying with the 1ES suggestion, because we would still need to build the build-tools release group in the release job. That is ultimately what we're trying to not do: have to build any code in that job.
So in my mind, what we need to do is:
- From the build stage, publish the build output of the build-tools release group as an artifact.
- I don't remember if the current build stage also builds build-tools every time; I think it does it if the pipeline is run with the (default) setting to install/use build-tools from the repo. But we might need to ensure that always happens so we have the artifact available when publishing.
- In the release job, download that artifact and make the necessary updates to use it.
- I think instead of using
include-install-build-tools.yml, which does all the building and linking of build-tools, we just grab a couple of pieces from that template, adjust them if needed, and use them directly (might just need thenpm linkline).
- I think instead of using
…to test/seanimam/updatePublishNpmPackageDeployment1EsRelease
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Updates include-publish-npm-package-deployment to be 1ES compliant.
The change moves the code checkout step to a separate job and uploads it as a pipeline artifact because 1ES compliant deployment jobs do not allow checking out a code repository.
Breaking Changes
Reviewer Guidance
templateContextsection?