mirror of
https://github.com/digital-asset/daml.git
synced 2024-09-19 16:57:40 +03:00
39f0c5c6c8
This job runs on both `main` and `main-2.x`, and generates the same branch name. This results in only the first of the two that runs generating a PR. With this change the branch name will be different so when an update is needed we'll update both on the same day.
200 lines
9.5 KiB
YAML
200 lines
9.5 KiB
YAML
# Copyright (c) 2024 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.
|
|
# SPDX-License-Identifier: Apache-2.0
|
|
|
|
jobs:
|
|
- job: blackduck_scan
|
|
timeoutInMinutes: 120
|
|
condition: or(and(or(eq(variables['Build.SourceBranchName'], 'main'),
|
|
eq(variables['Build.SourceBranchName'], 'main-2.x')),
|
|
eq(variables['Build.DefinitionName'], 'digital-asset.daml-daily-compat')),
|
|
and(eq(variables['Build.DefinitionName'], 'PRs'),
|
|
startsWith(variables['Build.SourceBranchName'], 'bump-blackduck-script-')))
|
|
pool:
|
|
name: ubuntu_20_04
|
|
demands: assignment -equals default
|
|
variables:
|
|
blackduck_script_sha: 745a1566cee2367270a8c27c05859b34c3ba447a
|
|
steps:
|
|
- checkout: self
|
|
persistCredentials: true
|
|
- bash: ci/dev-env-install.sh
|
|
displayName: 'Build/Install the Developer Environment'
|
|
- bash: |
|
|
set -euo pipefail
|
|
eval "$(dev-env/bin/dade assist)"
|
|
export LC_ALL=en_US.UTF-8
|
|
|
|
bazel build //...
|
|
# Make sure that Bazel query works
|
|
bazel query 'deps(//...)' >/dev/null
|
|
displayName: 'Build'
|
|
- bash: |
|
|
set -euo pipefail
|
|
eval "$(dev-env/bin/dade-assist)"
|
|
|
|
#needs to be specified since blackduck can not scan all bazel
|
|
#dependency types in one go, haskell has to be scanned separatey and
|
|
#code location name uniquely identified to avoid stomping
|
|
BAZEL_DEPENDENCY_TYPE="haskell_cabal_library"
|
|
|
|
bash <(curl -s https://raw.githubusercontent.com/DACH-NY/security-blackduck/$(blackduck_script_sha)/synopsys-detect) \
|
|
ci-build digital-asset_daml $(Build.SourceBranchName) \
|
|
--logging.level.com.synopsys.integration=DEBUG \
|
|
--detect.tools=BAZEL \
|
|
--detect.bazel.target=//... \
|
|
--detect.bazel.workspace.rules=${BAZEL_DEPENDENCY_TYPE} \
|
|
--detect.notices.report=true \
|
|
--detect.code.location.name=digital-asset_daml_${BAZEL_DEPENDENCY_TYPE} \
|
|
--detect.timeout=1500
|
|
displayName: 'Blackduck Bazel Haskell Scan'
|
|
env:
|
|
BLACKDUCK_HUBDETECT_TOKEN: $(BLACKDUCK_HUBDETECT_TOKEN)
|
|
- bash: |
|
|
set -euo pipefail
|
|
eval "$(dev-env/bin/dade-assist)"
|
|
|
|
#needs to be specified since blackduck can not scan all bazel
|
|
#dependency types in one go, java has to be scanned separatey and
|
|
#code location name uniquely identified to avoid stomping
|
|
BAZEL_DEPENDENCY_TYPE="maven_install"
|
|
|
|
bash <(curl -s https://raw.githubusercontent.com/DACH-NY/security-blackduck/$(blackduck_script_sha)/synopsys-detect) \
|
|
ci-build digital-asset_daml $(Build.SourceBranchName) \
|
|
--logging.level.com.synopsys.integration=DEBUG \
|
|
--detect.tools=BAZEL \
|
|
--detect.bazel.target=//... \
|
|
--detect.bazel.workspace.rules=${BAZEL_DEPENDENCY_TYPE} \
|
|
--detect.notices.report=true \
|
|
--detect.code.location.name=digital-asset_daml_${BAZEL_DEPENDENCY_TYPE} \
|
|
--detect.timeout=1500
|
|
displayName: 'Blackduck Bazel JVM Scan'
|
|
env:
|
|
BLACKDUCK_HUBDETECT_TOKEN: $(BLACKDUCK_HUBDETECT_TOKEN)
|
|
- bash: |
|
|
set -euo pipefail
|
|
eval "$(dev-env/bin/dade-assist)"
|
|
|
|
(cd language-support/ts && yarn install)
|
|
|
|
bash <(curl -s https://raw.githubusercontent.com/DACH-NY/security-blackduck/$(blackduck_script_sha)/synopsys-detect) \
|
|
ci-build digital-asset_daml $(Build.SourceBranchName) \
|
|
--logging.level.com.synopsys.integration=DEBUG \
|
|
--detect.tools=DETECTOR \
|
|
--detect.included.detector.types=YARN,NPM,CLANG \
|
|
--detect.npm.dependency.types.excluded=DEV \
|
|
--detect.yarn.dependency.types.excluded=NON_PRODUCTION \
|
|
--detect.follow.symbolic.links=false \
|
|
--detect.excluded.directories=language-support/ts/daml-ledger,language-support/ts/daml-types,language-support/ts/daml-react,language-support/ts/codegen/tests/ts,bazel-out,bazel-bin,.bazel-cache,bazel-testlogs,bazel-daml,bazel-s,node_modules,dev-env,result-*\
|
|
--detect.blackduck.signature.scanner.exclusion.name.patterns=language-support/ts/daml-ledger,language-support/ts/daml-types,language-support/ts/daml-react.bazel-out,bazel-bin,.bazel-cache,bazel-testlogs,bazel-daml,bazel-s,node_modules,dev-env,result-* \
|
|
--detect.detector.search.exclusion.paths=language-support/ts/daml-ledger,language-support/ts/daml-types,language-support/ts/daml-react,bazel-out,bazel-bin,.bazel-cache,bazel-testlogs,bazel-daml,bazel-s,node_modules,dev-env,result-* \
|
|
--detect.notices.report=true \
|
|
--detect.code.location.name=digital-asset_daml_npm \
|
|
--detect.timeout=1500
|
|
displayName: 'Blackduck Npm Scan'
|
|
env:
|
|
BLACKDUCK_HUBDETECT_TOKEN: $(BLACKDUCK_HUBDETECT_TOKEN)
|
|
- bash: |
|
|
set -euo pipefail
|
|
eval "$(dev-env/bin/dade-assist)"
|
|
|
|
bash <(curl -s https://raw.githubusercontent.com/DACH-NY/security-blackduck/$(blackduck_script_sha)/synopsys-detect) \
|
|
ci-build digital-asset_daml $(Build.SourceBranchName) \
|
|
--logging.level.com.synopsys.integration=DEBUG \
|
|
--detect.tools=DETECTOR \
|
|
--detect.included.detector.types=PIP,POETRY \
|
|
--detect.follow.symbolic.links=false \
|
|
--detect.excluded.directories=bazel-out,bazel-bin,.bazel-cache,bazel-testlogs,bazel-daml,bazel-s,node_modules,dev-env,result-* \
|
|
--detect.blackduck.signature.scanner.exclusion.name.patterns=.bazel-out,bazel-bin,.bazel-cache,bazel-testlogs,bazel-daml,bazel-s,node_modules,dev-env,result-*,*_bazel_vsts* \
|
|
--detect.detector.search.exclusion.paths=bazel-out,bazel-bin,.bazel-cache,bazel-testlogs,bazel-daml,bazel-s,node_modules,dev-env,result-*,*_bazel_vsts* \
|
|
--detect.notices.report=true \
|
|
--detect.code.location.name=digital-asset_daml_python \
|
|
--detect.timeout=1500
|
|
displayName: 'Blackduck Python Scan'
|
|
env:
|
|
BLACKDUCK_HUBDETECT_TOKEN: $(BLACKDUCK_HUBDETECT_TOKEN)
|
|
- bash: |
|
|
set -euo pipefail
|
|
eval "$(dev-env/bin/dade-assist)"
|
|
|
|
bash <(curl -s https://raw.githubusercontent.com/DACH-NY/security-blackduck/$(blackduck_script_sha)/synopsys-detect) \
|
|
ci-build digital-asset_daml $(Build.SourceBranchName) \
|
|
--logging.level.com.synopsys.integration=DEBUG \
|
|
--detect.tools=DETECTOR \
|
|
--detect.included.detector.types=GIT,GO_MOD,GO_DEP,GO_VNDR,GO_VENDOR,GO_GRADLE \
|
|
--detect.follow.symbolic.links=false \
|
|
--detect.go.path=$(bazel info execution_root)/external/go_sdk/bin/go \
|
|
--detect.excluded.directories=bazel-out,bazel-bin,.bazel-cache,bazel-testlogs,bazel-daml,bazel-s,node_modules,dev-env,result-* \
|
|
--detect.detector.search.exclusion.paths=bazel-out,bazel-bin,.bazel-cache,bazel-testlogs,bazel-daml,bazel-s,node_modules,dev-env,result-*\
|
|
--detect.policy.check.fail.on.severities=MAJOR,CRITICAL,BLOCKER \
|
|
--detect.code.location.name=digital-asset_daml_go \
|
|
--detect.timeout=1500
|
|
displayName: 'Blackduck Go Scan'
|
|
env:
|
|
BLACKDUCK_HUBDETECT_TOKEN: $(BLACKDUCK_HUBDETECT_TOKEN)
|
|
- template: bash-lib.yml
|
|
parameters:
|
|
var_name: bash_lib
|
|
- bash: |
|
|
set -euo pipefail
|
|
eval "$(./dev-env/bin/dade-assist)"
|
|
source $(bash_lib)
|
|
|
|
branch="notices-update-$(Build.BuildId)"
|
|
|
|
tr -d '\015' < digital_asset_daml_$(Build.SourceBranchName)_Black_Duck_Notices_Report.txt | grep -v digital-asset_daml > NOTICES
|
|
if git diff --exit-code -- NOTICES; then
|
|
echo "NOTICES file already up-to-date."
|
|
setvar need_to_build false
|
|
else
|
|
git add NOTICES
|
|
open_pr "$branch" "update NOTICES file"
|
|
setvar need_to_build true
|
|
fi
|
|
displayName: open PR
|
|
name: out
|
|
condition: and(succeeded(),
|
|
or(eq(variables['Build.SourceBranchName'], 'main'),
|
|
eq(variables['Build.SourceBranchName'], 'main-2.x')))
|
|
|
|
- job: bump_blackduck_if_needed
|
|
timeoutInMinutes: 10
|
|
condition: and(or(eq(variables['Build.SourceBranchName'], 'main'),
|
|
eq(variables['Build.SourceBranchName'], 'main-2.x')),
|
|
eq(variables['Build.DefinitionName'], 'digital-asset.daml-daily-compat'))
|
|
pool:
|
|
name: ubuntu_20_04
|
|
demands: assignment -equals default
|
|
steps:
|
|
- checkout: self
|
|
persistCredentials: true
|
|
- bash: ci/dev-env-install.sh
|
|
displayName: 'Build/Install the Developer Environment'
|
|
- template: bash-lib.yml
|
|
parameters:
|
|
var_name: bash_lib
|
|
- bash: |
|
|
set -euo pipefail
|
|
eval "$(dev-env/bin/dade-assist)"
|
|
source $(bash_lib)
|
|
|
|
latest=$(git ls-remote https://github.com/DACH-NY/security-blackduck.git master | awk '{print $1}')
|
|
current=$(cat ci/blackduck.yml | grep blackduck_script_sha: | head -1 | cut -f2 -d: | cut -c2- )
|
|
|
|
branch="bump-blackduck-script-${latest:0:8}-$(Build.SourceBranchName)"
|
|
|
|
if git ls-remote --exit-code --heads https://github.com/digital-asset/daml.git refs/heads/$branch >/dev/null; then
|
|
echo "$branch already exists, nothing to do."
|
|
elif [ "$current" != "$latest" ]; then
|
|
echo "s|blackduck_script_sha: $current|blackduck_script_sha: $latest|"
|
|
sed -i "s|blackduck_script_sha: $current|blackduck_script_sha: $latest|" ci/blackduck.yml
|
|
git add ci/blackduck.yml
|
|
open_pr "$branch" "bump blackduck script to ${latest:0:8}"
|
|
az extension add --name azure-devops
|
|
trap "az devops logout" EXIT
|
|
echo "$(System.AccessToken)" | az devops login --org "https://dev.azure.com/digitalasset"
|
|
az pipelines build queue --branch "$branch" \
|
|
--definition-name "PRs" \
|
|
--org "https://dev.azure.com/digitalasset" \
|
|
--project daml
|
|
fi
|