DevSecOps pipeline with GitHub Actions #760
Add Dependabot AB#174
Add CodeQL workflow AB#181
Add Dependabot entry to the docs AB#178
Add SonarCloud and Testspace.
Add CodeQL entry to documentation
Add Manual Run entry to documentation AB#198
Add Code Scanning alerts bulk dismissal workflow AB#196 AB#203 AB#209 AB#210
Add initial entry for the release sequence to the documentation AB#202
duplicate of CI-CD Documentation.md
@Jasonstein, would you like to set the values of Package.StoreAssociation.xml using GitHub secrets?
I am fine with that, but what about putting the AppCenter's secret token in the GitHub secrets? How can it be applied to the code, since it is actually a code change whenever I build the release package?
Lines="$([System.IO.File]::ReadAllText($(InputFile)).Replace('AppCenterSecret = null','AppCenterSecret = "$(AppCenterSecret)"'))" | ||
Overwrite="true" | ||
Encoding="Unicode"/> | ||
</Target> |
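Review bot: the `Overwrite="true"` write goes back into `$(InputFile)` itself, so the real AppCenter secret sits in the checked-out source tree for the rest of the job. Make sure no later step commits that file or includes it in an uploaded artifact or crash dump, and consider writing the substituted copy under `$(IntermediateOutputPath)` and compiling that instead, so the working tree only ever contains `AppCenterSecret = null`.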
@Jasonstein This target will handle replacing AppCenterSecret with the actual value. The actual value is passed on to MSBuild as an environment variable with the same name from GitHub secrets.
Awesome! I will add a comment in the code as well.
/p:AppxPackageDir=$env:ARTIFACTS_DIR ` | ||
/p:PackageCertificateKeyFile=$env:PACKAGE_CERTIFICATE_KEYFILE ` | ||
/p:PackageCertificatePassword=$env:PACKAGE_CERTIFICATE_PASSWORD ` | ||
/p:AppCenterSecret=$env:APP_CENTER_SECRET |
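Review bot: `PackageCertificatePassword` and `AppCenterSecret` are passed as `/p:` global properties, so they appear in the MSBuild command line on the runner and are echoed in full by a diagnostic-verbosity log or a binary log. Keep the release job at normal verbosity and do not upload `.binlog` or `-v:diag` output as a workflow artifact; GitHub's log masking only covers the job log, not files you publish.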
@Jasonstein you just have to store the AppCenterSecret as APP_CENTER_SECRET in GitHub secrets.
@Jasonstein Also, the store upload task could be automated. @kulov are you interested in providing this?
Update and revert PF/devsecops
add previous feedback changes
@kulov PM me an email address and I will send you the Package.StoreAssociation.xml file.
@soumyamahunt Absolutely!
@Jasonstein, I've just sent you an email.
@Jasonstein Is there any security concern of keeping
I am actually thinking of it. There is no harm, since there is no actual secret or certificate-related information stored as part of the store association.xml anyway.
src/Notepads/Package.targets
@@ -69,6 +69,17 @@ | |||
</ItemGroup> | |||
</Target> | |||
|
|||
<Target Name="AssignAppCenterSecret" BeforeTargets="BeforeBuild" Condition=" $(AppCenterSecret) != '' "> |
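Review bot: the `Condition=" $(AppCenterSecret) != '' "` guard makes the substitution silently a no-op whenever the property is empty, which is exactly the situation on forks and on any job where the secret is not exposed. A Release build would then ship with `AppCenterSecret = null` and nobody would notice until telemetry stops arriving; add a `<Warning>` (or fail the build when `$(Configuration)` is Release) in the skipped case so the gap is visible in the job log.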
@aleks-ivanov Don't put this target in Package.targets, put it in the project file instead. The reason I created this separate file for targets is because of #523, and these common targets will be imported by both the UWP project and the packaging project. Since the AssignAppCenterSecret target is project specific, it doesn't make any sense to put it in a separate file.
@soumyamahunt understood, I will move it back to the project file with the next feature merge 🙂
* add publish-to-store feature, add necessary files and changes and move AppCenterSecret to project file
* update version in appxmanifest
* add publish-to-store automation and documentation for it
Please review the latest changes and let me know if everything is done correctly in terms of the project, manifest and association files, and if there is anything I've missed 🙂 I've thoroughly tested the automated submission creation in the Microsoft Partner Center, and with the proper setup it works without a hitch. In the CI-CD_DOCUMENTATION.md under entry 6 (line 268), I've written the setup instructions. There are a few prerequisites, but they are all quite straightforward. Either way, let me know if you need any further assistance with the setup.
.github/workflows/main.yml
- name: Publish to Windows Store | ||
id: publish_to_store | ||
uses: isaacrlevin/windows-store-action@main |
Replace with isaacrlevin/[email protected].
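The review above asks for the `@main` reference on the store-publishing action to be replaced with a pinned version. The following scanner is an added example, not code from this PR or the Notepads project: it walks a workflow file line by line, extracts every `uses:` reference and classifies the ref as a commit SHA (immutable), a tag (pinned but movable), a branch, or missing, so a CI job can fail on any step that pulls from a moving branch. The sample workflow text is constructed for the example; the 40-hex SHA in it is a placeholder.

```python
import re
from typing import List, NamedTuple, Optional

# One `uses:` step reference, e.g. "- uses: isaacrlevin/windows-store-action@main".
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)')
SHA_RE = re.compile(r'^[0-9a-f]{40}$')                      # full commit SHA
TAG_RE = re.compile(r'^v?\d+(\.\d+)*([-.][0-9A-Za-z]+)*$')  # v2, v1.2.3, 1.0-beta


class Finding(NamedTuple):
    line: int
    action: str
    ref: Optional[str]
    kind: str  # "sha" | "tag" | "branch" | "missing" | "local" | "docker"


def classify_ref(ref: Optional[str]) -> str:
    """Only a commit SHA is immutable; tags can be moved, branches always move."""
    if not ref:
        return "missing"
    if SHA_RE.match(ref):
        return "sha"
    if TAG_RE.match(ref):
        return "tag"
    return "branch"


def scan_workflow(text: str) -> List[Finding]:
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        spec = m.group(1)
        if spec.startswith("./"):            # action checked into this repo
            findings.append(Finding(no, spec, None, "local"))
        elif spec.startswith("docker://"):   # image reference, pinned by digest elsewhere
            findings.append(Finding(no, spec, None, "docker"))
        else:
            action, _, ref = spec.partition("@")
            findings.append(Finding(no, action, ref or None, classify_ref(ref)))
    return findings


def unpinned(text: str) -> List[Finding]:
    """Steps that float on a branch or give no ref at all: these should fail CI."""
    return [f for f in scan_workflow(text) if f.kind in ("branch", "missing")]


# Constructed sample; mirrors the step under review plus a few other ref styles.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v2
      - name: Publish to Windows Store
        id: publish_to_store
        uses: isaacrlevin/windows-store-action@main
      - uses: actions/setup-dotnet@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for f in unpinned(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.action} uses mutable ref {f.ref!r}")
```

Pinning to a release tag, as the reviewer suggests, removes the `branch` finding; pinning to the tag's commit SHA is the only form this check treats as fully immutable.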
@aleks-ivanov @kulov is there any reason for separate @Jasonstein the previous
@soumyamahunt my reasoning for the separation is to allow the CodeQL analysis to run on a CRON schedule of Also since the
Sure, we can remove the build.
The automatic incrementing is certainly possible with the following changes to the pipeline use:
If that sounds good, we can create a separate PR with the change to automatic versioning, so you can compare the two implementations and see which one is more suitable to you? 🙂 For further details, this is how the process works currently:
So if the
Thanks, makes total sense. We can do it in a separate PR. Btw, really appreciate your work here for improving the CI/CD pipeline for Notepads and this looks awesome. @kulov @aleks-ivanov @soumyamahunt |
Resolves #750
DevSecOps pipeline with GitHub Actions to increase project confidence and maturity level.
This would increase project adoption among professional developers and enterprises, who are much more willing to use secure and reliable OSS components but afraid of meeting quality and security bars.
PR Type
This PR adds a new, improved GitHub workflow to enable static code analysis, automatic releases and code signing using a pfx file stored in GH Secrets.
This PR also adds GitHub Dependabot checks and runs CodeQL analysis and SonarCloud static source analysis.
This PR also provides all required documentation to configure all implemented tools, with results and related screenshots.
Other information
Work still in progress.
This is no obligation, no strings attached work delivered to you and built with ❤ by Pipeline Foundation.
Any feedback will be taken in detailed consideration.
Support of final delivery will be provided for one year after PR approval.