Replace PackageES with ESRP template

This isn't done, but I need to start a pipeline run to see where it's at.

Author: andyleejordan

.vsts-ci/azure-pipelines-release.yml

@@ -32,12 +32,21 @@ trigger:
       - /LICENSE
       - /CODE_OF_CONDUCT.md
 
+resources:
+  repositories:
+  - repository: ComplianceRepo
+    type: github
+    endpoint: ComplianceGHRepo
+    name: PowerShell/Compliance
+
 jobs:
 
 - job: 'ReleaseBuild'
   displayName: 'Build release'
   pool:
-    name: 'Package ES CodeHub Lab E'
+    name: 'Package ES Standard Build'
     demands: DotNetFramework
+  variables:
+  - group: ESRP
   steps:
   - template: templates/release-general.yml

.vsts-ci/templates/release-general.yml

@@ -1,18 +1,5 @@
 steps:
-- powershell: |
-    Write-Host "Installing pwsh..."
-    if (Get-Command pwsh -ErrorAction Ignore)
-    {
-        Write-Host "pwsh already installed, skipping"
-        return
-    }
-    $powerShellPath = Join-Path -Path $env:AGENT_TEMPDIRECTORY -ChildPath 'powershell'
-    Invoke-WebRequest -Uri https://raw.githubusercontent.com/PowerShell/PowerShell/master/tools/install-powershell.ps1 -outfile ./install-powershell.ps1
-    ./install-powershell.ps1 -Destination $powerShellPath
-    $vstsCommandString = "vso[task.setvariable variable=PATH]$powerShellPath;$env:PATH"
-    Write-Host "sending " + $vstsCommandString
-    Write-Host "##$vstsCommandString"
-  displayName: Install PowerShell Core
+- checkout: self
 
 - pwsh: Write-Host "##vso[build.updatebuildnumber]$env:BUILD_SOURCEBRANCHNAME-$env:BUILD_SOURCEVERSION-$((get-date).ToString("yyyyMMddhhmmss"))"
   displayName: Set Build Name for Non-PR
@@ -23,25 +10,20 @@ steps:
   displayName: Capture environment
   condition: succeededOrFailed()
 
-- task: PkgESSetupBuild@10
-  displayName: 'Package ES - Setup Build'
-  inputs:
-    productName: vscode-powershell
-    useDFS: false
-
+# TODO: Use modern resources for these variables.
 - task: PowerShell@2
   displayName: 'Set environment variables for VSTS (Phase 1)'
   inputs:
     targetType: filePath
-    filePath: ./tools/releaseBuild/setVstsVariables.ps1
+    filePath: ./vscode-powershell/tools/releaseBuild/setVstsVariables.ps1
 
 - task: PowerShell@2
   displayName: 'Find PowerShellEditorServices build'
   env:
     SYSTEM_ACCESSTOKEN: $(System.AccessToken)
   inputs:
     targetType: filePath
-    filePath: ./tools/releaseBuild/findPsesBuild.ps1
+    filePath: ./vscode-powershell/tools/releaseBuild/findPsesBuild.ps1
 
 - task: DownloadBuildArtifacts@0
   displayName: 'Download Build Artifacts from PowerShell Editor Services'
@@ -56,89 +38,55 @@ steps:
     downloadPath: '$(Build.SourcesDirectory)'
 
 - pwsh: |
+    New-Item -ItemType Directory $(Build.ArtifactStagingDirectory)/vscode-powershell
     Install-Module InvokeBuild -Force
     Invoke-Build Release
+  workingDirectory: '$(Build.SourcesDirectory)/vscode-powershell'
 
 - task: PublishTestResults@2
   inputs:
     testRunner: JUnit
     testResultsFiles: '**/test-results.xml'
   condition: succeededOrFailed()
 
-- task: PkgESCodeSign@10
-  displayName: 'CodeSign tools/releaseBuild/signing.xml'
-  env:
-    SYSTEM_ACCESSTOKEN: $(System.AccessToken)
-  inputs:
-    signConfigXml: tools/releaseBuild/signing.xml
-    inPathRoot: '$(Build.ArtifactStagingDirectory)'
-    outPathRoot: '$(Build.ArtifactStagingDirectory)\Signed'
-
-- task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
-  displayName: 'Component Detection'
-
-- task: AntiMalware@3
-  inputs:
-    InputType: 'Basic'
-    ScanType: 'CustomScan'
-    FileDirPath: '$(Build.ArtifactStagingDirectory)'
-    EnableServices: false
-    SupportLogOnError: false
-    TreatSignatureUpdateFailureAs: 'Warning'
-    SignatureFreshness: 'UpToDate'
-    TreatStaleSignatureAs: 'Error'
-
-- task: PoliCheck@1
-  condition: succeededOrFailed()
-  inputs:
-    targetType: F
-    optionsFC: 0
-    optionsXS: 0
-    optionsPE: '1|2|3|4'
-    optionsHMENABLE: 0
-    optionsFTPATH: '$(Build.SourcesDirectory)\tools\terms\FileTypeSet.xml'
-    # toolVersion: 5.8.2.1
-
-- pwsh: |
-    Get-ChildItem -Exclude node_modules | Get-ChildItem -Recurse | ForEach-Object FullName > "$env:BUILD_SOURCESDIRECTORY/credscan.tsv"
-  displayName: Create credscan.tsv as the list of files to scan
-
-- task: CredScan@2
-  condition: succeededOrFailed()
-  inputs:
-    debugMode: false
-    scanFolder: '$(Build.SourcesDirectory)/credscan.tsv'
-
-# Publish results as artifacts
-- task: PublishSecurityAnalysisLogs@3
-  condition: succeededOrFailed()
-  inputs:
-    ArtifactName: 'CodeAnalysisLogs'
-    ArtifactType: 'Container'
-
-# Publish to TSA server
-- task: TSAUpload@1
-  condition: succeededOrFailed()
-  continueOnError: true
-  inputs:
-    tsaVersion: 'TsaV2'
-    codebase: 'Existing'
-    tsaEnvironment: 'PROD'
-    codeBaseName: 'PowerShell_PowerShellEditorServices_20190917'
-    uploadAPIScan: false
-    uploadBinSkim: false
-    uploadCredScan: true
-    uploadFortifySCA: false
-    uploadFxCop: false
-    uploadModernCop: false
-    uploadPoliCheck: true
-    uploadPREfast: false
-    uploadRoslyn: false
-    uploadTSLint: false
-    uploadAsync: true
-
-- task: PowerShell@1
-  displayName: 'Upload artifacts'
-  inputs:
-    scriptType: inlineScript
-    inlineScript: 'Write-Host "##vso[artifact.upload containerfolder=vscode-powershell;artifactname=vscode-powershell]$(System.ArtifactsDirectory)\Signed"'
+- checkout: ComplianceRepo
+
+- template: EsrpSign.yml@ComplianceRepo
+  parameters:
+    buildOutputPath: '$(Build.ArtifactStagingDirectory)/vscode-powershell'
+    signOutputPath: '$(Build.ArtifactStagingDirectory)/ScriptSigned'
+    alwaysCopy: true # So publishing works
+    certificateId: 'CP-230012' # Authenticode certificate
+    useMinimatch: true # This enables the use of globbing
+    pattern: |
+      Install-VSCode.ps1
+
+- template: EsrpSign.yml@ComplianceRepo
+  parameters:
+    buildOutputPath: '$(Build.ArtifactStagingDirectory)/ScriptSigned'
+    signOutputPath: '$(Build.ArtifactStagingDirectory)/ExtensionSigned'
+    alwaysCopy: true # So publishing works
+    certificateId: 'CP-233016' # Microsoft OPC Publisher (VSIX) certificate
+    useMinimatch: true # This enables the use of globbing
+    pattern: |
+      PowerShell-insiders.vsix
+
+- publish: $(Build.ArtifactsDirectory)/ExtensionSigned
+  artifact: vscode-powershell
+  displayName: 'Publish signed (and unsigned) artifacts'
+
+- template: script-module-compliance.yml@ComplianceRepo
+  parameters:
+    # component-governance
+    sourceScanPath: '$(Build.SourcesDirectory)/vscode-powershell'
+    # credscan
+    suppressionsFile: '$(Build.SourcesDirectory)/vscode-powershell/tools/credScan/suppress.json'
+    # TermCheck AKA PoliCheck
+    targetArgument: '$(Build.SourcesDirectory)/vscode-powershell'
+    optionsUEPATH: '$(Build.SourcesDirectory)/vscode-powershell/tools/terms/UserExclusions.xml'
+    optionsRulesDBPath: ''
+    optionsFTPath: '$(Build.SourcesDirectory)/vscode-powershell/tools/terms/FileTypeSet.xml'
+    # tsa-upload
+    codeBaseName: 'PowerShell_PowerShellEditorServices_20210201'
+    # We don't use any Windows APIs directly, so we don't need API scan
+    APIScan: false

tools/credScan/suppress.json

@@ -0,0 +1,13 @@
+{
+  "tool": "Credential Scanner",
+  "suppressions": [
+    {
+      "folder": "node_modules",
+      "_justification": "Third-party code must not be scanned"
+    },
+    {
+      "folder": "PSScriptAnalyzer",
+      "_justification": "Bundled upstream project with false-positives"
+    }
+  ]
+}

tools/releaseBuild/signing.xml

@@ -0,0 +1,12 @@
+<PoliCheckExclusions>
+  <!-- All strings must be UPPER CASE -->
+  <!--Each of these exclusions is a folder name -if \[name]\exists in the file path, it will be skipped -->
+  <!--<Exclusion Type="FolderPathFull">ABC|XYZ</Exclusion>-->
+  <Exclusion Type="FolderPathFull">.GIT|NODE_MODULES</Exclusion>
+  <!--Each of these exclusions is a folder name -if any folder or file starts with "\[name]", it will be skipped -->
+  <!--<Exclusion Type="FolderPathStart">ABC|XYZ</Exclusion>-->
+  <!--Each of these file types will be completely skipped for the entire scan -->
+  <!--<Exclusion Type="FileType">.ABC|.XYZ</Exclusion>-->
+  <!--The specified file names will be skipped during the scan regardless which folder they are in -->
+  <!--<Exclusion Type="FileName">ABC.TXT|XYZ.CS</Exclusion>-->
+</PoliCheckExclusions>

tools/terms/UserExclusions.xml

@@ -191,8 +191,8 @@ task Package UpdateReadme, {
     Move-Item -Force .\$($script:PackageJson.name)-$($script:PackageJson.version).vsix .\PowerShell-insiders.vsix
 
     if ($env:TF_BUILD) {
-        Copy-Item -Verbose -Recurse "./PowerShell-insiders.vsix" "$env:BUILD_ARTIFACTSTAGINGDIRECTORY/PowerShell-insiders.vsix"
-        Copy-Item -Verbose -Recurse "./scripts/Install-VSCode.ps1" "$env:BUILD_ARTIFACTSTAGINGDIRECTORY/Install-VSCode.ps1"
+        Copy-Item -Verbose -Recurse "./PowerShell-insiders.vsix" "$env:BUILD_ARTIFACTSTAGINGDIRECTORY/vscode-powershell/PowerShell-insiders.vsix"
+        Copy-Item -Verbose -Recurse "./scripts/Install-VSCode.ps1" "$env:BUILD_ARTIFACTSTAGINGDIRECTORY/vscode-powershell/Install-VSCode.ps1"
     }
 }