build-publish.yml

variables:
  - template: pipeline-templates/global-variables.yml
  - name: codeSigningCertFileName
    value: 'OneIdentityCodeSigning.pfx'
trigger:
  branches:
    include:
      - master
      - release-*
  paths:
    exclude:
      - README.md
pr: none
jobs:
  - job: Build_Windows
    displayName: "Windows - Build module and Docker image, publish to PowerShell Gallery, and publish to Docker Hub"
    pool:
      vmImage: 'windows-latest'
    steps:
      - template: pipeline-templates/build-windows-steps.yml
      - task: AzureKeyVault@2
        inputs:
          azureSubscription: 'SafeguardOpenSource'
          KeyVaultName: 'SafeguardBuildSecrets'
          SecretsFilter: 'PowerShellGalleryApiKey'
        displayName: 'Get PowerShell Gallery API key from Sandbox Azure Key Vault'
      - task: AzureKeyVault@2
        inputs:
          azureSubscription: 'Azure.Infrastructure.CodeSigning'
          KeyVaultName: 'CodeSigningCertificates'
          SecretsFilter: '*'
        displayName: 'Get code signing certificate from Azure Key Vault'
      - task: PowerShell@2
        inputs:
          targetType: inline
          failOnStderr: true
          script: |
            $kvSecretBytes = [System.Convert]::FromBase64String("$(OneIdentity-CodeSigning)")
            $certCollection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
            $certCollection.Import($kvSecretBytes,$null,[System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
            $protectedCertificateBytes = $certCollection.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12,"$(OneIdentity-CodeSigningCertPassword)")
            $certpath = '$(Build.BinariesDirectory)/$(codeSigningCertFileName)'
            Write-Verbose -Verbose $certpath
            [System.IO.File]::WriteAllBytes($certpath, $protectedCertificateBytes)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList "$certpath","$(OneIdentity-CodeSigningCertPassword)"
            Write-Verbose -Verbose "Subject: $($cert.Subject)"
            Write-Verbose -Verbose "Issuer: $($cert.Issuer)"
            $catalogfile = (Get-Module safeguard-ps -ListAvailable)[0].Path -replace "psd1","cat"
            Write-Verbose -Verbose $catalogfile
            Set-AuthenticodeSignature -Certificate $cert -FilePath $catalogfile -TimestampServer "http://timestamp.comodoca.com?td=sha256"
        displayName: 'Signing PowerShell module catalog file'
      - task: PowerShell@2
        inputs:
          targetType: inline
          failOnStderr: true
          script: |
            [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
            Install-PackageProvider Nuget -Force
            Get-PSRepository
            Publish-Module -Name safeguard-ps -NuGetApiKey "$(PowerShellGalleryApiKey)" -Verbose -SkipAutomaticTags -Force
        displayName: 'Publish PowerShell module to PowerShell Gallery'
      - task: AzureKeyVault@2
        inputs:
          azureSubscription: 'SafeguardOpenSource'
          KeyVaultName: 'SafeguardBuildSecrets'
          SecretsFilter: 'DockerHubAccessToken,DockerHubPassword'
        displayName: 'Get Docker Hub Access Token from Sandbox Azure Key Vault'
        continueOnError: false
        condition: and( succeeded(), eq( variables.shouldPublishDocker, true ) )
      - task: Bash@3
        inputs:
          targetType: 'inline'
          failOnStderr: true
          script: |
            docker login -u petrsnd --password-stdin <<<$(DockerHubAccessToken) 2>/dev/null
            docker push oneidentity/safeguard-ps:$(VersionString)-nanoserver
            docker logout
        displayName: 'Pushing Docker Windows Nano Server image to Docker Hub'
        condition: and( succeeded(), eq( variables.shouldPublishDocker, true ) )
  - job: Build_Linux
    displayName: "Linux - build module and Docker images, publish images to Docker Hub"
    pool:
      vmImage: 'ubuntu-latest'
    steps:
      - template: pipeline-templates/build-linux-steps.yml
      - task: AzureKeyVault@2
        inputs:
          azureSubscription: 'OneIdentity.RD.SBox.Safeguard-ServiceConnection'
          KeyVaultName: 'SafeguardBuildSecrets'
          SecretsFilter: 'DockerHubAccessToken,DockerHubPassword'
        displayName: 'Get Docker Hub Access Token from Sandbox Azure Key Vault'
        condition: and( succeeded(), eq( variables.shouldPublishDocker, true ) )
      - task: Bash@3
        inputs:
          targetType: 'inline'
          failOnStderr: true
          script: |
            docker login -u petrsnd --password-stdin <<<$(DockerHubAccessToken) 2>/dev/null
            docker push oneidentity/safeguard-ps:$(VersionString)-ubuntu18.04
            docker push oneidentity/safeguard-ps:$(VersionString)-ubuntu16.04
            docker push oneidentity/safeguard-ps:$(VersionString)-centos7
            docker push oneidentity/safeguard-ps:$(VersionString)-alpine3.8
            docker push oneidentity/safeguard-ps:$(VersionString)-opensuse42.3
            docker push oneidentity/safeguard-ps:$(VersionString)-fedora28
            docker push oneidentity/safeguard-ps:latest
            docker logout
        condition: and( succeeded(), eq(variables.shouldPublishDocker, true) )
        displayName: 'Pushing Linux Docker images to Docker Hub'