From 002eeddaf42a4b8c56631cc98d5f072a89926083 Mon Sep 17 00:00:00 2001 From: Manuel de la Pena Date: Thu, 27 Jun 2024 23:44:24 -0400 Subject: [PATCH] [CI] Fix credscan by checking out all the repos used for buildng. (#20788) We fixed the credscan issue in two diff ways: 1. When the job allows it, we checkout all repos using our own checkout template. 2. When the jib does not allow it, we create an empty json file. In the future we can add any needed exception. We also needed to fix the signature because the VS code moved to net core which changed the extension of their build.exe to build.dll. --- dotnet/Workloads/SignList.xml | 2 +- .../templates/release/vs-insertion-prep.yml | 18 ++++++++++++++++++ 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/dotnet/Workloads/SignList.xml b/dotnet/Workloads/SignList.xml index e587ae15fde..52dec0b0782 100644 --- a/dotnet/Workloads/SignList.xml +++ b/dotnet/Workloads/SignList.xml @@ -108,7 +108,7 @@ - + diff --git a/tools/devops/automation/templates/release/vs-insertion-prep.yml b/tools/devops/automation/templates/release/vs-insertion-prep.yml index fddb03634d5..9f136f23372 100644 --- a/tools/devops/automation/templates/release/vs-insertion-prep.yml +++ b/tools/devops/automation/templates/release/vs-insertion-prep.yml 
@@ -54,11 +54,18 @@ stages:
 parameters:
 use1ESTemplate: true
 enabledCredScan: false
+ checkoutType: ${{ parameters.repositoryAlias }}
 signedArtifactName: '${{ parameters.uploadPrefix }}nuget-signed'
 artifactName: '${{ parameters.uploadPrefix }}not-signed-package'
 signType: Real
 usePipelineArtifactTasks: true
 condition: "ne(stageDependencies.configure_build.configure.outputs['configure_platforms.ENABLE_DOTNET'],'')"
+ setupSteps:
+ - template: tools/devops/automation/templates/common/checkout.yml@${{ parameters.repositoryAlias }}
+ parameters:
+ isPR: ${{ parameters.isPR }}
+ repositoryAlias: ${{ parameters.repositoryAlias }}
+ commit: ${{ parameters.commit }}
 # Check - "xamarin-macios (Prepare Release Convert NuGet to MSI)"
 - template: nuget-msi-convert/job/v3.yml@yaml-templates
@@ -75,6 +82,12 @@ stages:
 signType: Real
 useDateTimeVersion: true
 condition: "ne(stageDependencies.configure_build.configure.outputs['configure_platforms.ENABLE_DOTNET'],'')"
+ setupSteps:
+ - pwsh: |
+ New-Item "$(System.DefaultWorkingDirectory)/xamarin-macios/tools/devops/governance" -ItemType Directory -ea 0
+ New-Item -Path "$(System.DefaultWorkingDirectory)/xamarin-macios/tools/devops/governance" -Name "CredScanSuppressions.json" -Value '{"tool":"Crendential Scanner", "supressions":[]}'
+ displayName: Create credscan dummy ignore file
+
 postConvertSteps:
 - task: DownloadPipelineArtifact@2
 inputs:
@@ -116,6 +129,11 @@ stages:
 demands:
 - ImageOverride -equals 1ESPT-Windows2022
 steps:
+ - pwsh: |
+ New-Item "$(System.DefaultWorkingDirectory)/xamarin-macios/tools/devops/governance" -ItemType Directory -ea 0
+ New-Item -Path "$(System.DefaultWorkingDirectory)/xamarin-macios/tools/devops/governance" -Name "CredScanSuppressions.json" -Value '{"tool":"Crendential Scanner", "supressions":[]}'
+ displayName: Create credscan dummy ignore file
+
 - task: DownloadPipelineArtifact@2
 inputs:
 artifactName: '${{ parameters.uploadPrefix }}nuget-signed'
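Review bot: The checkout added under `setupSteps:` in the -54,11 hunk runs in the job that signs with `signType: Real`, yet nothing next to it says why a signing job needs the sources. Going by the commit message it exists only so the credential scan can find the repository's files, so a comment above `setupSteps:` such as `# checkout is only needed so CredScan can find the repo's suppression file` would keep it from being dropped or widened later. checkout.yml is not visible here, so it is also worth confirming that `isPR` cannot be true for this release template, since that would place a pull-request ref in the workspace of a real-signing job. The template call these parameters belong to starts above the hunk.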
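Review bot: The JSON written by the second `New-Item` in the -75,6 hunk misspells both the tool name and the list key, `"Crendential Scanner"` and `"supressions"`. While the list is empty nothing depends on it, but the commit message plans to add exceptions here later, and an entry placed under a misspelled key would most likely be ignored or make the scanner reject the file; write `-Value '{"tool":"Credential Scanner", "suppressions":[]}'` instead. The same literal is repeated in the `steps:` hunk at -116,6. The job this `setupSteps:` block belongs to starts above the hunk.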
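Review bot: The `pwsh` step at the top of `steps:` in the -116,6 hunk is a verbatim copy of the one under `setupSteps:` in the -75,6 hunk, so any correction to the dummy suppression file has to be made in two places; a single step template referenced from both jobs would keep them in sync. In both copies `-ea 0` on the directory `New-Item` silences every error rather than only "already exists", so a real failure surfaces one line later with a less useful message; `-ItemType Directory -Force` is idempotent without hiding failures. The file-creating `New-Item` has no `-Force` and therefore fails if the file is already present; if that is meant to protect a real suppression file from being overwritten, say so with `# no -Force: never overwrite an existing suppression file`.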