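# Copyright (c) 2024 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.
# SPDX-License-Identifier: Apache-2.0

# Black Duck (Synopsys Detect) dependency scans for this repository, plus a
# job that keeps the pinned revision of the scan script up to date.
#
# The scan script lives in DACH-NY/security-blackduck and is fetched at the
# commit pinned in `blackduck_script_sha` below (a raw.githubusercontent.com
# URL addressed by commit SHA is immutable), so a given revision of this file
# always runs the same scanner code. `bump_blackduck_if_needed` opens a PR and
# queues a PRs build for it whenever that repository's master moves; the
# `blackduck_scan` condition lets such `bump-blackduck-script-*` PR builds run
# the scans, so the new script is exercised before the bump is merged.

jobs:
  - job: blackduck_scan
    timeoutInMinutes: 120
    # Daily-compat pipeline on the release branches, and the PRs pipeline only
    # for the automated script-bump branches created by the job below.
    condition: or(and(or(eq(variables['Build.SourceBranchName'], 'main'),
                         eq(variables['Build.SourceBranchName'], 'main-2.x')),
                      eq(variables['Build.DefinitionName'], 'digital-asset.daml-daily-compat')),
                  and(eq(variables['Build.DefinitionName'], 'PRs'),
                      startsWith(variables['Build.SourceBranchName'], 'bump-blackduck-script-')))
    pool:
      name: ubuntu_20_04
      demands: assignment -equals default
    variables:
      # Commit of DACH-NY/security-blackduck whose `synopsys-detect` script is
      # run. Keep this as a single `key: value` line with no inline comment and
      # no quotes: `bump_blackduck_if_needed` extracts and rewrites it with
      # sed, and the value must compare equal to a bare git SHA.
      blackduck_script_sha: bee7a8c6c04af059fa446efcd697cc097eded1cf
    steps:
      - checkout: self
        persistCredentials: true
      - bash: ci/dev-env-install.sh
        displayName: 'Build/Install the Developer Environment'
      - bash: |
          set -euo pipefail
          # NOTE(review): the other steps use dev-env/bin/dade-assist; confirm
          # both entry points are equivalent before unifying.
          eval "$(dev-env/bin/dade assist)"
          export LC_ALL=en_US.UTF-8

          bazel build //...
          # Make sure that Bazel query works
          bazel query 'deps(//...)' >/dev/null
        displayName: 'Build'
      # Fetch the pinned scan script once, to a file, instead of piping
      # `curl -s` into `bash` via process substitution in every scan step:
      # with `bash <(curl -s ...)` a failed download (HTTP error, network
      # issue) hands bash an empty or error-page input and the step succeeds
      # without having scanned anything. `curl -f` plus `set -e` makes that a
      # hard failure here, and the later steps pick the path up as
      # $(blackduck_detect).
      - bash: |
          set -euo pipefail
          detect="$(Agent.TempDirectory)/synopsys-detect"
          curl -fsSL \
            "https://raw.githubusercontent.com/DACH-NY/security-blackduck/$(blackduck_script_sha)/synopsys-detect" \
            -o "$detect"
          echo "##vso[task.setvariable variable=blackduck_detect]$detect"
        displayName: 'Fetch Blackduck scan script'
      - bash: |
          set -euo pipefail
          eval "$(dev-env/bin/dade-assist)"

          # needs to be specified since blackduck can not scan all bazel
          # dependency types in one go, haskell has to be scanned separately and
          # code location name uniquely identified to avoid stomping
          BAZEL_DEPENDENCY_TYPE="haskell_cabal_library"

          bash "$(blackduck_detect)" \
            ci-build digital-asset_daml $(Build.SourceBranchName) \
            --logging.level.com.synopsys.integration=DEBUG \
            --detect.tools=BAZEL \
            --detect.bazel.target=//... \
            --detect.bazel.workspace.rules=${BAZEL_DEPENDENCY_TYPE} \
            --detect.notices.report=true \
            --detect.code.location.name=digital-asset_daml_${BAZEL_DEPENDENCY_TYPE} \
            --detect.timeout=1500
        displayName: 'Blackduck Bazel Haskell Scan'
        env:
          BLACKDUCK_HUBDETECT_TOKEN: $(BLACKDUCK_HUBDETECT_TOKEN)
      - bash: |
          set -euo pipefail
          eval "$(dev-env/bin/dade-assist)"

          # needs to be specified since blackduck can not scan all bazel
          # dependency types in one go, java has to be scanned separately and
          # code location name uniquely identified to avoid stomping
          BAZEL_DEPENDENCY_TYPE="maven_install"

          bash "$(blackduck_detect)" \
            ci-build digital-asset_daml $(Build.SourceBranchName) \
            --logging.level.com.synopsys.integration=DEBUG \
            --detect.tools=BAZEL \
            --detect.bazel.target=//... \
            --detect.bazel.workspace.rules=${BAZEL_DEPENDENCY_TYPE} \
            --detect.notices.report=true \
            --detect.code.location.name=digital-asset_daml_${BAZEL_DEPENDENCY_TYPE} \
            --detect.timeout=1500
        displayName: 'Blackduck Bazel JVM Scan'
        env:
          BLACKDUCK_HUBDETECT_TOKEN: $(BLACKDUCK_HUBDETECT_TOKEN)
      - bash: |
          set -euo pipefail
          eval "$(dev-env/bin/dade-assist)"

          (cd language-support/ts && yarn install)

          # The three exclusion lists below are meant to agree with each other;
          # the signature-scanner list previously read
          # `daml-react.bazel-out` (missing comma), which merged two entries
          # into one pattern that matched neither directory.
          bash "$(blackduck_detect)" \
            ci-build digital-asset_daml $(Build.SourceBranchName) \
            --logging.level.com.synopsys.integration=DEBUG \
            --detect.tools=DETECTOR \
            --detect.included.detector.types=YARN,NPM,CLANG \
            --detect.npm.dependency.types.excluded=DEV \
            --detect.yarn.dependency.types.excluded=NON_PRODUCTION \
            --detect.follow.symbolic.links=false \
            --detect.excluded.directories=language-support/ts/daml-ledger,language-support/ts/daml-types,language-support/ts/daml-react,language-support/ts/codegen/tests/ts,bazel-out,bazel-bin,.bazel-cache,bazel-testlogs,bazel-daml,bazel-s,node_modules,dev-env,result-* \
            --detect.blackduck.signature.scanner.exclusion.name.patterns=language-support/ts/daml-ledger,language-support/ts/daml-types,language-support/ts/daml-react,bazel-out,bazel-bin,.bazel-cache,bazel-testlogs,bazel-daml,bazel-s,node_modules,dev-env,result-* \
            --detect.detector.search.exclusion.paths=language-support/ts/daml-ledger,language-support/ts/daml-types,language-support/ts/daml-react,bazel-out,bazel-bin,.bazel-cache,bazel-testlogs,bazel-daml,bazel-s,node_modules,dev-env,result-* \
            --detect.notices.report=true \
            --detect.code.location.name=digital-asset_daml_npm \
            --detect.timeout=1500
        displayName: 'Blackduck Npm Scan'
        env:
          BLACKDUCK_HUBDETECT_TOKEN: $(BLACKDUCK_HUBDETECT_TOKEN)
      - bash: |
          set -euo pipefail
          eval "$(dev-env/bin/dade-assist)"

          # The signature-scanner pattern list is aligned with the directory
          # list on the same step (`bazel-out`; it previously read
          # `.bazel-out`, which matches no directory bazel creates).
          bash "$(blackduck_detect)" \
            ci-build digital-asset_daml $(Build.SourceBranchName) \
            --logging.level.com.synopsys.integration=DEBUG \
            --detect.tools=DETECTOR \
            --detect.included.detector.types=PIP,POETRY \
            --detect.follow.symbolic.links=false \
            --detect.excluded.directories=bazel-out,bazel-bin,.bazel-cache,bazel-testlogs,bazel-daml,bazel-s,node_modules,dev-env,result-* \
            --detect.blackduck.signature.scanner.exclusion.name.patterns=bazel-out,bazel-bin,.bazel-cache,bazel-testlogs,bazel-daml,bazel-s,node_modules,dev-env,result-*,*_bazel_vsts* \
            --detect.detector.search.exclusion.paths=bazel-out,bazel-bin,.bazel-cache,bazel-testlogs,bazel-daml,bazel-s,node_modules,dev-env,result-*,*_bazel_vsts* \
            --detect.notices.report=true \
            --detect.code.location.name=digital-asset_daml_python \
            --detect.timeout=1500
        displayName: 'Blackduck Python Scan'
        env:
          BLACKDUCK_HUBDETECT_TOKEN: $(BLACKDUCK_HUBDETECT_TOKEN)
      - bash: |
          set -euo pipefail
          eval "$(dev-env/bin/dade-assist)"

          # `$(bazel info execution_root)` is a shell command substitution, not
          # a pipeline macro: it resolves to the bazel-managed Go toolchain.
          # NOTE(review): this is the only scan passing
          # --detect.policy.check.fail.on.severities; confirm the other scans
          # are meant to report only and never fail the job on policy.
          bash "$(blackduck_detect)" \
            ci-build digital-asset_daml $(Build.SourceBranchName) \
            --logging.level.com.synopsys.integration=DEBUG \
            --detect.tools=DETECTOR \
            --detect.included.detector.types=GIT,GO_MOD,GO_DEP,GO_VNDR,GO_VENDOR,GO_GRADLE \
            --detect.follow.symbolic.links=false \
            --detect.go.path=$(bazel info execution_root)/external/go_sdk/bin/go \
            --detect.excluded.directories=bazel-out,bazel-bin,.bazel-cache,bazel-testlogs,bazel-daml,bazel-s,node_modules,dev-env,result-* \
            --detect.detector.search.exclusion.paths=bazel-out,bazel-bin,.bazel-cache,bazel-testlogs,bazel-daml,bazel-s,node_modules,dev-env,result-* \
            --detect.policy.check.fail.on.severities=MAJOR,CRITICAL,BLOCKER \
            --detect.code.location.name=digital-asset_daml_go \
            --detect.timeout=1500
        displayName: 'Blackduck Go Scan'
        env:
          BLACKDUCK_HUBDETECT_TOKEN: $(BLACKDUCK_HUBDETECT_TOKEN)
      - template: bash-lib.yml
        parameters:
          var_name: bash_lib
      - bash: |
          set -euo pipefail
          eval "$(./dev-env/bin/dade-assist)"
          source "$(bash_lib)"

          branch="notices-update-$(Build.BuildId)"

          # Presumably produced by the scans above (--detect.notices.report=true).
          # Strip CRs and drop every line containing the code-location name
          # prefix before comparing against the committed NOTICES file.
          tr -d '\015' < digital_asset_daml_$(Build.SourceBranchName)_Black_Duck_Notices_Report.txt | grep -v digital-asset_daml > NOTICES
          if git diff --exit-code -- NOTICES; then
            echo "NOTICES file already up-to-date."
            setvar need_to_build false
          else
            git add NOTICES
            open_pr "$branch" "update NOTICES file"
            setvar need_to_build true
          fi
        displayName: open PR
        name: out
        condition: and(succeeded(),
                       or(eq(variables['Build.SourceBranchName'], 'main'),
                          eq(variables['Build.SourceBranchName'], 'main-2.x')))

  - job: bump_blackduck_if_needed
    timeoutInMinutes: 10
    condition: and(or(eq(variables['Build.SourceBranchName'], 'main'),
                      eq(variables['Build.SourceBranchName'], 'main-2.x')),
                   eq(variables['Build.DefinitionName'], 'digital-asset.daml-daily-compat'))
    pool:
      name: ubuntu_20_04
      demands: assignment -equals default
    steps:
      - checkout: self
        persistCredentials: true
      - bash: ci/dev-env-install.sh
        displayName: 'Build/Install the Developer Environment'
      - template: bash-lib.yml
        parameters:
          var_name: bash_lib
      - bash: |
          set -euo pipefail
          eval "$(dev-env/bin/dade-assist)"
          source "$(bash_lib)"

          # Newest commit on the scan-script repository vs. the one pinned in
          # this file. An unresolvable remote must not fall through to the
          # comparison below: it would produce an empty branch suffix and sed
          # the pin to an empty value.
          latest=$(git ls-remote https://github.com/DACH-NY/security-blackduck.git master | awk '{print $1}')
          if [ -z "$latest" ]; then
            echo "Could not resolve master of DACH-NY/security-blackduck; aborting." >&2
            exit 1
          fi
          # Anchored on the key so a comment or macro use of the same name
          # elsewhere in the file cannot be picked up instead of the pin.
          current=$(sed -n 's/^[[:space:]]*blackduck_script_sha:[[:space:]]*//p' ci/blackduck.yml | head -1)

          branch="bump-blackduck-script-${latest:0:8}"

          if git ls-remote --exit-code --heads https://github.com/digital-asset/daml.git "refs/heads/$branch" >/dev/null; then
            echo "$branch already exists, nothing to do."
          elif [ "$current" != "$latest" ]; then
            echo "s|blackduck_script_sha: $current|blackduck_script_sha: $latest|"
            sed -i "s|blackduck_script_sha: $current|blackduck_script_sha: $latest|" ci/blackduck.yml
            git add ci/blackduck.yml
            open_pr "$branch" "bump blackduck script to ${latest:0:8}"
            # Queue a PRs build for the bump branch so the scans run against
            # the new script before the PR is merged (see the blackduck_scan
            # condition).
            az extension add --name azure-devops
            trap "az devops logout" EXIT
            echo "$SYSTEM_ACCESSTOKEN" | az devops login --org "https://dev.azure.com/digitalasset"
            az pipelines build queue --branch "$branch" \
              --definition-name "PRs" \
              --org "https://dev.azure.com/digitalasset" \
              --project daml
          fi
        env:
          # The job token is not exposed to scripts unless mapped; passing it
          # as an environment variable keeps it out of the expanded script text
          # that the agent writes to disk.
          SYSTEM_ACCESSTOKEN: $(System.AccessToken)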