[CI] Fix credscan by checking out all the repos used for buildng. (#2…

…0788) We fixed the credscan issue in two diff ways: 1. When the job allows it, we checkout all repos using our own checkout template. 2. When the jib does not allow it, we create an empty json file. In the future we can add any needed exception. We also needed to fix the signature because the VS code moved to net core which changed the extension of their build.exe to build.dll.
xamarin · Jun 28, 2024 · 002eedd · 002eedd
1 parent 5f7792a
commit 002eedd
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 1 deletion.
diff --git a/dotnet/Workloads/SignList.xml b/dotnet/Workloads/SignList.xml
@@ -108,7 +108,7 @@
     <FirstParty Include="Broker.exe" />
     <FirstParty Include="Broker.resources.dll" />
     <!-- Build.zip -->
-    <FirstParty Include="Build.exe" />
+    <FirstParty Include="Build.dll" />
     <FirstParty Include="Microsoft.Build*.dll" />
     <FirstParty Include="Microsoft.NET.StringTools.dll" />
     <FirstParty Include="System.IO.Abstractions.dll" />

diff --git a/tools/devops/automation/templates/release/vs-insertion-prep.yml b/tools/devops/automation/templates/release/vs-insertion-prep.yml
@@ -54,11 +54,18 @@ stages:
     parameters:
       use1ESTemplate: true
       enabledCredScan: false
+      checkoutType: ${{ parameters.repositoryAlias }}
       signedArtifactName: '${{ parameters.uploadPrefix }}nuget-signed'
       artifactName: '${{ parameters.uploadPrefix }}not-signed-package'
       signType: Real
       usePipelineArtifactTasks: true
       condition: "ne(stageDependencies.configure_build.configure.outputs['configure_platforms.ENABLE_DOTNET'],'')"
+      setupSteps:
+      - template: tools/devops/automation/templates/common/checkout.yml@${{ parameters.repositoryAlias }}
+        parameters:
+          isPR: ${{ parameters.isPR }}
+          repositoryAlias: ${{ parameters.repositoryAlias }}
+          commit: ${{ parameters.commit }}
 
   # Check - "xamarin-macios (Prepare Release Convert NuGet to MSI)"
   - template: nuget-msi-convert/job/v3.yml@yaml-templates
@@ -75,6 +82,12 @@ stages:
       signType: Real
       useDateTimeVersion: true
       condition: "ne(stageDependencies.configure_build.configure.outputs['configure_platforms.ENABLE_DOTNET'],'')"
+      setupSteps:
+      - pwsh: |
+          New-Item "$(System.DefaultWorkingDirectory)/xamarin-macios/tools/devops/governance" -ItemType Directory -ea 0
+          New-Item -Path "$(System.DefaultWorkingDirectory)/xamarin-macios/tools/devops/governance" -Name "CredScanSuppressions.json" -Value '{"tool":"Crendential Scanner", "supressions":[]}'
+        displayName: Create credscan dummy ignore file
+
       postConvertSteps:
       - task: DownloadPipelineArtifact@2
         inputs:
@@ -116,6 +129,11 @@ stages:
         demands:
         - ImageOverride -equals 1ESPT-Windows2022
       steps:
+      - pwsh: |
+          New-Item "$(System.DefaultWorkingDirectory)/xamarin-macios/tools/devops/governance" -ItemType Directory -ea 0
+          New-Item -Path "$(System.DefaultWorkingDirectory)/xamarin-macios/tools/devops/governance" -Name "CredScanSuppressions.json" -Value '{"tool":"Crendential Scanner", "supressions":[]}'
+        displayName: Create credscan dummy ignore file
+
       - task: DownloadPipelineArtifact@2
         inputs:
           artifactName: '${{ parameters.uploadPrefix }}nuget-signed'