[CI] Split variables to reduce needed rights. (#21371)

Split the variables and document their usage. Because we are going to have to add more pipelines we want to limit the amount of secrets a new pipeline requests and uses. The split is as follows: - variables/common.yml: needed by all. - variables/api-scan.yml: needed by the api scan pipeline. - variables/signing.yml: needed by pipeline that need to perform signing. --------- Co-authored-by: Rolf Bjarne Kvinge <[email protected]>
xamarin · Oct 4, 2024 · 8bb8f6f · 8bb8f6f · vs-mobiletools-engineering-service2 · Oct 4, 2024
1 parent b7a317d
commit 8bb8f6f
Show file tree

Hide file tree

Showing 11 changed files with 85 additions and 71 deletions.
diff --git a/tools/devops/automation/build-cronjob.yml b/tools/devops/automation/build-cronjob.yml
@@ -16,7 +16,7 @@ parameters:
   default: false
 
 variables:
-- template: templates/variables.yml
+- template: templates/variables/common.yml
 - name: MaciosUploadPrefix
   value: ''
 

diff --git a/tools/devops/automation/build-lego.yml b/tools/devops/automation/build-lego.yml
@@ -12,9 +12,7 @@ parameters:
   default: true
 
 variables:
-- template: templates/variables.yml
-- name: MaciosUploadPrefix
-  value: ''
+- template: templates/variables/common.yml
 
 resources:
   repositories:

diff --git a/tools/devops/automation/build-pipeline.yml b/tools/devops/automation/build-pipeline.yml
@@ -169,11 +169,11 @@ variables:
   - ${{ if contains(variables['Build.DefinitionName'], 'private') }}:
       - template: templates/vsts-variables.yml
   - template: templates/common/vs-release-vars.yml@sdk-insertions
-  - template: templates/variables.yml
+  - template: templates/variables/common.yml
+  - template: templates/variables/api-scan.yml
+  - template: templates/variables/signing.yml
   - name: MicrobuildConnector
     value: 'MicroBuild Signing Task (DevDiv)'
-  - name: MaciosUploadPrefix
-    value: ''
   - name: DisablePipelineConfigDetector
     value: true
 

diff --git a/tools/devops/automation/build-pull-request.yml b/tools/devops/automation/build-pull-request.yml
@@ -157,12 +157,9 @@ resources:
     name: 1ESPipelineTemplates/MicroBuildTemplate
 
 variables:
-- template: templates/variables.yml
+- template: templates/variables/common.yml
+- template: templates/variables/api-scan.yml
 - template: templates/common/vs-release-vars.yml@sdk-insertions
-- name: MicrobuildConnector
-  value: ''
-- name: MaciosUploadPrefix
-  value: ''
 - name: Packaging.EnableSBOMSigning
   value: false
 

diff --git a/tools/devops/automation/templates/pipelines/api-diff-pipeline.yml b/tools/devops/automation/templates/pipelines/api-diff-pipeline.yml
@@ -57,18 +57,12 @@ resources:
     endpoint: xamarin
 
 variables:
-- ${{ if eq(parameters.isPR, false) }}:
-  - ${{ if contains(variables['Build.DefinitionName'], 'private') }}:
-    - template: ../vsts-variables.yml
-  - template: ../variables.yml
-  - name: MaciosUploadPrefix
-    value: ''
-  - name: DisablePipelineConfigDetector
+- template: ../variables/common.yml
+- name: DisablePipelineConfigDetector
+  ${{ if eq(parameters.isPR, false) }}:
     value: true
-- ${{ else }}:
-  - template: ../variables.yml
-  - name: MaciosUploadPrefix
-    value: ''
+  ${{ else }}:
+    value: false
 
 stages:
 - template: ../api-diff-stage.yml

diff --git a/tools/devops/automation/templates/pipelines/run-macos-tests-pipeline.yml b/tools/devops/automation/templates/pipelines/run-macos-tests-pipeline.yml
@@ -202,11 +202,7 @@ resources:
       endpoint: xamarin
 
 variables:
-  - ${{ if contains(variables['Build.DefinitionName'], 'private') }}:
-      - template: ../vsts-variables.yml
-  - template: ../variables.yml
-  - name: MaciosUploadPrefix
-    value: ''
+  - template: ../variables/common.yml
   - name: DisablePipelineConfigDetector
     value: true
 

diff --git a/tools/devops/automation/templates/pipelines/run-tests-pipeline.yml b/tools/devops/automation/templates/pipelines/run-tests-pipeline.yml
@@ -104,11 +104,7 @@ resources:
       endpoint: xamarin
 
 variables:
-  - ${{ if contains(variables['Build.DefinitionName'], 'private') }}:
-      - template: ../vsts-variables.yml
-  - template: ../variables.yml
-  - name: MaciosUploadPrefix
-    value: ''
+  - template: ../variables/common.yml
   - name: DisablePipelineConfigDetector
     value: true
 

diff --git a/tools/devops/automation/templates/variables.yml b/tools/devops/automation/templates/variables.yml
diff --git a/tools/devops/automation/templates/variables/api-scan.yml b/tools/devops/automation/templates/variables/api-scan.yml
@@ -0,0 +1,3 @@
+variables:
+- name: TeamName
+  value: 'xamarin-macios'
diff --git a/tools/devops/automation/templates/variables/common.yml b/tools/devops/automation/templates/variables/common.yml
@@ -0,0 +1,61 @@
+variables:
+# provisionator-uri setting
+- group: XamarinCompatLab
+
+# allow to override the provisionator channel via a paramter
+- name: PROVISIONATOR_CHANNEL
+  value: ${{ parameters.provisionatorChannel }}
+
+- group: xamops-azdev-secrets
+
+# needed to install the dev certificates in the build machine
+- group: Xamarin Notarization
+- group: Xamarin Signing
+
+# Override the GitHub.Token setting defined in the Xamarin Release group
+# Use a token dedicated to critical production workflows and help avoid GitHub throttling
+# this variable comes from the Xamarin-Secrets group, so we have do have both together
+- group: Xamarin-Secrets
+- name: GitHub.Token
+  value: $(github--pat--vs-mobiletools-engineering-service2)  
+
+# Overrude the azdo build access, as with the GitHub token, this variables depend on the
+# Xamarin-Secrets group.
+- name: AzDoBuildAccess.Token
+  value: $(pat--xamarinc--build-access)
+
+- name: AzDoBuildAccess.Token
+  value: $(pat--xamarinc--build-access)
+
+#  keying to use for the sining
+- name: SigningKeychain
+  value: "builder.keychain"
+
+# Needed to ensure that devices uses the usb cable to communicate with the devices to run the tests.
+- name: USE_TCP_TUNNEL                                        
+  value: true
+
+# pool information
+- name: PRBuildPool
+  value: 'VSEng-Xamarin-RedmondMacBuildPool-iOS-Untrusted'
+- name: PRBuildPoolUrl
+  value: 'https://devdiv.visualstudio.com/_settings/agentpools?poolId=366&view=agents'
+- name: CIBuildPool
+  value: 'VSEng-Xamarin-RedmondMacBuildPool-iOS-Trusted'
+- name: CIBuildPoolUrl
+  value: 'https://devdiv.visualstudio.com/_settings/agentpools?poolId=367&view=agents'
+
+# override the default build revision
+- name: BUILD_REVISION
+  value: azure-devops-$(Build.SourceVersion)
+
+- name: MaciosUploadPrefix
+  value: ''
+
+# set the pipeline to debug mode or not
+- name: system.debug
+  value: false
+
+# point to the vsdrops that we will be using for the diff uploads.
+- name: VSDropsPrefix
+  value: 'https://vsdrop.corp.microsoft.com/file/v1/xamarin-macios/device-tests'
diff --git a/tools/devops/automation/templates/variables/signing.yml b/tools/devops/automation/templates/variables/signing.yml
@@ -0,0 +1,7 @@
+# signing related variables
+variables:
+- group: Xamarin-Secrets
+- group: Xamarin Signing
+- group: Xamarin Release
+- group: Xamarin Notarization
+- group: VSEng DTL secrets