VMR vs MSFT signing comparison

Author: ellahathaway

eng/GatherDrops.ps1

@@ -9,15 +9,21 @@ param(
   [Parameter(Mandatory=$true)]
   [String]$githubPat,
   [Parameter(Mandatory=$true)]
-  [String]$azdevPat
+  [String]$azdevPat,
+  [Parameter(Mandatory=$false)]
+  [String]$assetFilter = ".*"
 )
 $jsonContent = Get-Content -Path $filePath -Raw | ConvertFrom-Json
+$assetFilters = $assetFilter -split ';' | ForEach-Object { $_.Trim() }
 foreach ($repo in $jsonContent.repositories) {
-    $remoteUri = $repo.remoteUri
-    $commitSha = $repo.commitSha
-    $path = "$outputPath$($repo.path)"
-    $darcCommand = "$darcPath gather-drop -c $commitSha -r $remoteUri --non-shipping --skip-existing --continue-on-error --use-azure-credential-for-blobs -o $path --github-pat $githubPat --azdev-pat $azdevPat --verbose --ci"
-    Write-Output "Gathering drop for $remoteUri"
-    Invoke-Expression $darcCommand
+  foreach ($filter in $assetFilters)
+  {
+      $remoteUri = $repo.remoteUri
+      $commitSha = $repo.commitSha
+      $path = "$outputPath$($repo.path)"
+      $darcCommand = "$darcPath gather-drop -c $commitSha -r $remoteUri --non-shipping --skip-existing --continue-on-error --use-azure-credential-for-blobs -o $path --github-pat $githubPat --azdev-pat $azdevPat --asset-filter $filter --verbose --ci"
+      Write-Output "Gathering drop for $remoteUri with filter $filter"
+      Invoke-Expression $darcCommand
+  }
 }
 exit 0

eng/pipelines/templates/stages/vmr-compare.yml

@@ -0,0 +1,118 @@
+### This stage builds https://github.com/dotnet/dotnet with varying parameters
+### If run in a PR, new changes are applied to a local copy of the VMR, then it is built and tested
+
+parameters:
+- name: unifiedBuildRunId
+  displayName: 'Specific dotnet-unified-build run ID number (e.g `2108850`)'
+  type: string
+  default: ''
+
+# These are not expected to be passed it but rather just object variables reused below
+- name: pool_Linux
+  type: object
+  default:
+    name: $(defaultPoolName)
+    image: $(poolImage_Linux)
+    demands: ImageOverride -equals $(poolImage_Linux)
+    os: linux
+
+- name: pool_Windows
+  type: object
+  default:
+    name: $(defaultPoolName)
+    image: $(poolImage_Windows)
+    demands: ImageOverride -equals $(poolImage_Windows)
+    os: windows
+
+- name: pool_LinuxArm64
+  type: object
+  default:
+    name: $(poolName_LinuxArm64)
+    image: $(poolImage_LinuxArm64)
+    demands: ImageOverride -equals $(poolImage_LinuxArm64)
+    hostArchitecture: Arm64
+    os: linux
+
+- name: pool_Mac
+  type: object
+  default:
+    name: Azure Pipelines
+    vmImage: $(poolImage_Mac)
+    os: macOS
+
+- name: pool_Linux_Shortstack
+  type: object
+  default:
+    name: $(shortStackPoolName)
+    image: $(poolImage_Linux)
+    demands: ImageOverride -equals $(poolImage_Linux)
+    os: linux
+
+stages:
+- stage: VMR_Comparison
+  displayName: VMR Comparison
+  variables:
+  - template: ../variables/vmr-build.yml
+  - group: Release-Pipeline
+  - group: DotNetBot-GitHub-AllBranches
+  jobs:
+  - job: CompareAssets
+    displayName: Compare Assets
+    pool: ${{ parameters.pool_Windows }}
+    timeoutInMinutes: 180
+    steps:
+    - template: ../steps/vmr-compare.yml
+      parameters:
+        continueOnError: false
+        unifiedBuildRunId: ${{ parameters.unifiedBuildRunId }}
+        command: assets
+
+  - job: CompareSigning_Windows
+    displayName: Compare Signing - Windows
+    pool: ${{ parameters.pool_Windows }}
+    timeoutInMinutes: 240
+    steps:
+    - template: ../steps/vmr-compare.yml
+      parameters:
+        continueOnError: false
+        unifiedBuildRunId: ${{ parameters.unifiedBuildRunId }}
+        command: signing
+        OS: Windows_NT
+
+  - job: CompareSigning_Mac_Blobs
+    displayName: Compare Signing - Mac (Blobs)
+    pool: ${{ parameters.pool_Mac }}
+    timeoutInMinutes: 240
+    steps:
+    - template: ../steps/vmr-compare.yml
+      parameters:
+        continueOnError: false
+        unifiedBuildRunId: ${{ parameters.unifiedBuildRunId }}
+        command: signing
+        assetType: Blob
+        OS: Darwin
+  
+  - job: CompareSigning_Mac_Packages
+    displayName: Compare Signing - Mac (Packages)
+    pool: ${{ parameters.pool_Mac }}
+    timeoutInMinutes: 240
+    steps:
+    - template: ../steps/vmr-compare.yml
+      parameters:
+        continueOnError: false
+        unifiedBuildRunId: ${{ parameters.unifiedBuildRunId }}
+        command: signing
+        assetType: Package
+        OS: Darwin
+
+  - job: CompareSigning_Linux
+    displayName: Compare Signing - Linux
+    pool: ${{ parameters.pool_Linux }}
+    timeoutInMinutes: 240
+    steps:
+    - template: ../steps/vmr-compare.yml
+      parameters:
+        continueOnError: false
+        unifiedBuildRunId: ${{ parameters.unifiedBuildRunId }}
+        command: signing
+        OS: Linux

eng/pipelines/templates/stages/vmr-validation.yml

@@ -57,14 +57,6 @@ stages:
   - group: Release-Pipeline
   - group: DotNetBot-GitHub-AllBranches
   jobs:
-  - job: ValidateAssetBaselines
-    displayName: Validate Asset Baselines
-    pool: ${{ parameters.pool_Windows }}
-    timeoutInMinutes: 180
-    steps:
-    - template: ../steps/vmr-validate-asset-baseline.yml
-      parameters:
-        continueOnError: true
   - job: ValidateInstallers_Linux_x64
     displayName: Validate Installers - Linux x64
     pool: ${{ parameters.pool_Linux }}

eng/pipelines/templates/steps/vmr-compare.yml

@@ -0,0 +1,198 @@
+parameters:
+- name: continueOnError
+  type: boolean
+  default: false
+
+- name: unifiedBuildRunId
+  type: string
+  default: ''
+
+- name: command
+  type: string
+  values:
+    - assets
+    - signing
+
+- name: OS
+  type: string
+  default: 'Windows_NT'
+  values:
+    - Windows_NT
+    - Linux
+    - Darwin
+
+# This parameter is used to determine the type of asset to compare.
+# This is used to workaround limitations with the available space
+# on the MacOS agents.
+- name: assetType
+  type: string
+  default: Unknown
+  values:
+    - Unknown
+    - Package
+    - Blob
+
+steps:
+- powershell: |
+    $build_id = '${{ parameters.unifiedBuildRunId }}'.Replace(' ', '')
+    $build_branch = ''
+
+    if ([string]::IsNullOrWhiteSpace($build_id)) {
+      $build_id = az pipelines runs list --branch '$(Build.SourceBranch)' --organization 'https://dev.azure.com/dnceng/' --project 'internal' --pipeline-ids '1330' --status completed --top 1 --query "[].id" --output tsv
+      $build_branch = '$(Build.SourceBranch)'
+    }
+
+    if ([string]::IsNullOrWhiteSpace($build_id)) {
+      Write-Host "Could not find a completed dotnet-unified-build build for branch '$(Build.SourceBranch)'"
+      exit 1
+    }
+
+    if ([string]::IsNullOrWhiteSpace($build_branch)) {
+      $build_branch = az pipelines runs show --id $build_id --organization 'https://dev.azure.com/dnceng/' --project 'internal' --query "sourceBranch" --output tsv
+    }
+
+    if ([string]::IsNullOrWhiteSpace($build_branch)) {
+      Write-Host "Could not find the branch for build id $build_id"
+      exit 1
+    }
+
+    Write-Host "Unified Build build: https://dev.azure.com/dnceng/internal/_build/results?buildId=$build_id&view=results"
+    Write-Host "Unified Build branch: $build_branch"
+
+    Write-Host "##vso[build.addbuildtag]dotnet-unified-build-id $build_id"
+    Write-Host "##vso[task.setvariable variable=UnifiedBuildRunId;isOutput=true]$build_id"
+    Write-Host "##vso[task.setvariable variable=UnifiedBuildBranch;isOutput=true]$build_branch"
+  displayName: Find associated build
+  name: GetBuildInfo
+  env:
+    AZURE_DEVOPS_EXT_PAT: $(System.AccessToken)
+
+- template: ../steps/vmr-download-artifact.yml
+  parameters:
+    displayName: Download Asset Manifest
+    buildId: $(GetBuildInfo.UnifiedBuildRunId)
+    artifactName: AssetManifests
+    itemPattern: '**/MergedManifest.xml'
+    downloadPath: '$(Build.ArtifactStagingDirectory)/AssetManifests'
+    continueOnError: ${{ parameters.continueOnError }}
+
+- ${{ if eq(parameters.OS, 'Windows_NT')}}:
+  - powershell: |
+      $(Build.SourcesDirectory)\eng\common\darc-init.ps1 -toolpath $(Build.SourcesDirectory)\artifacts\tools\darc
+      Write-Host "##vso[task.setvariable variable=darcPath;isOutput=true]$(Build.SourcesDirectory)\artifacts\tools\darc\darc.exe"
+      Write-Host "##vso[task.setvariable variable=dotnetPath;isOutput=true]$(Build.SourcesDirectory)/.dotnet/dotnet.exe"
+    name: InstallDarc
+    displayName: Install darc
+
+- ${{ else }}:
+  - script: |
+      $(Build.SourcesDirectory)/eng/common/darc-init.sh --toolpath $(Build.SourcesDirectory)/artifacts/tools/darc
+      echo "##vso[task.setvariable variable=darcPath;isOutput=true]$(Build.SourcesDirectory)/artifacts/tools/darc/darc"
+      echo "##vso[task.setvariable variable=dotnetPath;isOutput=true]$(Build.SourcesDirectory)/.dotnet/dotnet"
+    name: InstallDarc
+    displayName: Install darc
+
+- powershell: |
+    if ("${{ parameters.assetType }}" -eq "Package") {
+      $assetFilter = ".*packages\/.*;.*assets\/manifests\/.*\/MergedManifest\.xml"
+    } elseif ("${{ parameters.assetType }}" -eq "Blob") {
+      $assetFilter = ".*assets\/.*"
+    } else {
+      $assetFilter = ".*"
+    }
+
+    Write-Host "Asset filter: $assetFilter"
+    Write-Host "##vso[task.setvariable variable=assetFilter;isOutput=true]$assetFilter"
+  name: SetAssetFilter
+  displayName: Set asset filter
+
+- task: AzureCLI@2
+  displayName: 'Gather Drop'
+  continueOnError: true
+  inputs:
+    azureSubscription: DotNetStaging
+    scriptType: 'pscore'
+    scriptLocation: 'scriptPath'
+    scriptPath: $(Build.SourcesDirectory)/src/sdk/eng/GatherDrops.ps1
+    arguments: -filePath '$(Build.SourcesDirectory)/src/source-manifest.json' -outputPath '$(Build.ArtifactStagingDirectory)/base-assets/'
+      -darcPath $(InstallDarc.darcPath) -githubPat $(BotAccount-dotnet-bot-repo-PAT) -azdevPat $(dn-bot-all-drop-rw-code-rw-release-all)
+      -assetFilter $(SetAssetFilter.assetFilter)
+
+- ${{ if or(eq(parameters.assetType, 'Package'), eq(parameters.assetType, 'Unknown')) }}:
+  - template: ../steps/vmr-download-artifact.yml
+    parameters:
+      displayName: Download Package Artifacts
+      buildId: $(GetBuildInfo.UnifiedBuildRunId)
+      artifactName: PackageArtifacts
+      downloadPath: '$(Build.ArtifactStagingDirectory)/vmr-assets/PackageArtifacts'
+      continueOnError: ${{ parameters.continueOnError }}
+
+- ${{ if or(eq(parameters.assetType, 'Blob'), eq(parameters.assetType, 'Unknown')) }}:
+  - template: ../steps/vmr-download-artifact.yml
+    parameters:
+      displayName: Download Blob Artifacts
+      buildId: $(GetBuildInfo.UnifiedBuildRunId)
+      artifactName: BlobArtifacts
+      downloadPath: '$(Build.ArtifactStagingDirectory)/vmr-assets/BlobArtifacts'
+      continueOnError: ${{ parameters.continueOnError }}
+
+- ${{ if eq(parameters.command, 'signing') }}:
+  - template: ../steps/vmr-download-artifact.yml
+    parameters:
+      displayName: Download Exclusions File
+      buildId: $(GetBuildInfo.UnifiedBuildRunId)
+      artifactName: SignCheck_${{ parameters.OS }}
+      itemPattern: '**/SignCheckExclusionsFile.txt'
+      downloadPath: '$(Build.SourcesDirectory)/eng/'
+      continueOnError: ${{ parameters.continueOnError }}
+      condition: not(or(startsWith(variables['GetBuildInfo.UnifiedBuildBranch'], 'refs/heads/release/'), startsWith(variables['GetBuildInfo.UnifiedBuildBranch'], 'refs/heads/internal/release/')))
+
+- ${{ if eq(parameters.OS, 'Windows_NT') }}:
+  - powershell: |
+      $additionalArgs = ""
+      if ("${{ parameters.command }}" -eq "signing") {
+          $additionalArgs += " -exclusions `"$(Build.SourcesDirectory)/eng/SignCheckExclusionsFile.txt`""
+          $additionalArgs += " -sdkTaskScript `"$(Build.SourcesDirectory)/eng/common/sdk-task.ps1`""
+      }
+      Write-Host "##vso[task.setvariable variable=additionalArgs;isOutput=true]$additionalArgs"
+    name: SetAdditionalArgs
+    displayName: Set additional command arguments
+
+- ${{ else }}:
+  - script: |
+      additionalArgs=""
+      if [[ "${{ parameters.command }}" == "signing" ]]; then
+          additionalArgs+=" -exclusions \"$(Build.SourcesDirectory)/eng/SignCheckExclusionsFile.txt\""
+          additionalArgs+=" -sdkTaskScript \"$(Build.SourcesDirectory)/eng/common/sdk-task.sh\""
+      fi
+      echo "##vso[task.setvariable variable=additionalArgs;isOutput=true]$additionalArgs"
+    name: SetAdditionalArgs
+    displayName: Set additional command arguments
+
+- task: PowerShell@2
+  inputs:
+    filePath: $(Build.SourcesDirectory)/eng/common/build.ps1
+    arguments: -ci -projects $(Build.SourcesDirectory)/eng/tools/BuildComparer/BuildComparer.csproj -restore -build
+  displayName: Build BuildComparer
+
+- script: $(InstallDarc.dotnetPath)
+    $(Build.SourcesDirectory)/artifacts/bin/BuildComparer/Debug/BuildComparer.dll
+    ${{ parameters.command }}
+    -assetType ${{ parameters.assetType }}
+    -vmrManifestPath "$(Build.ArtifactStagingDirectory)/AssetManifests/MergedManifest.xml"
+    -vmrAssetBasePath "$(Build.ArtifactStagingDirectory)/vmr-assets"
+    -msftAssetBasePath "$(Build.ArtifactStagingDirectory)/base-assets"
+    -issuesReport "$(Build.SourcesDirectory)/artifacts/AssetBaselines/BaselineComparisonIssues.xml"
+    -noIssuesReport "$(Build.SourcesDirectory)/artifacts/AssetBaselines/BaselineComparisonNoIssues.xml"
+    -baseline "$(Build.SourcesDirectory)/src/sdk/eng/vmr-msft-comparison-baseline.json"
+    $(SetAdditionalArgs.additionalArgs)
+  displayName: Compare ${{ parameters.command}}
+
+- task: 1ES.PublishPipelineArtifact@1
+  displayName: Publish Baseline Files
+  continueOnError: true
+  inputs:
+    path: $(Build.SourcesDirectory)/artifacts/AssetBaselines/
+    artifactName: AssetBaselineFiles_$(Agent.JobName)
+    artifactType: Container
+    parallel: true