Add SBoM manifest generation (microsoft#501)

Add generation of SBoM manifest to the AzDO extension as required for compliance.
skhilarimsft · Jan 27, 2022 · bceb971 · bceb971
1 parent b209ac6
commit bceb971
Showing 1 changed file with 19 additions and 4 deletions.
diff --git a/tools/pipelines-tasks/azure-pipelines/build-vsix.yml b/tools/pipelines-tasks/azure-pipelines/build-vsix.yml
@@ -19,6 +19,7 @@ variables:
   major: '1'
   minor: '1'
   patch: $[counter(variables['minor'], 0)]
+  buildOutRoot: $(Build.ArtifactStagingDirectory)\buildOutput
 
 steps:
 # Install the tools needed
@@ -57,7 +58,7 @@ steps:
   inputs:
     rootFolder: '$(tasksRoot)'
     patternManifest: 'vss-extension.json'
-    outputPath: '$(Build.ArtifactStagingDirectory)\MsixPackagingExtension.vsix'
+    outputPath: '$(buildOutRoot)\MsixPackagingExtension.vsix'
     publisherId: 'MSIX'
     extensionVersion: '$(major).$(minor).$(patch)'
     extensionVisibility: public
@@ -66,11 +67,25 @@ steps:
 - task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
   displayName: 'Component Detection'
 
+- task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0
+  displayName: 'Generate Software Bill of Material (SBoM)'
+  inputs:
+      BuildDropPath: $(buildOutRoot)
+      PackageName: 'MSIX Packaging Extension'
+      PackageVersion: '$(major).$(minor).$(patch)'
+
+- task: PublishPipelineArtifact@1
+  displayName: 'Publish SBoM'
+  inputs:
+    targetPath: '$(buildOutRoot)\_manifest'
+    artifact: 'SBoM'
+    publishLocation: 'pipeline'
+
 - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
   displayName: 'ESRP CodeSigning'
   inputs:
     ConnectedServiceName: 'ESRP CodeSigning'
-    FolderPath: '$(Build.ArtifactStagingDirectory)'
+    FolderPath: '$(buildOutRoot)'
     Pattern: MsixPackagingExtension.vsix
     signConfigType: inlineSignParams
     inlineOperation: |
@@ -96,7 +111,7 @@ steps:
 - task: PublishPipelineArtifact@1
   displayName: 'Publish VSIX artifact'
   inputs:
-    targetPath: '$(Build.ArtifactStagingDirectory)\MsixPackagingExtension.vsix'
+    targetPath: '$(buildOutRoot)\MsixPackagingExtension.vsix'
     artifact: 'VSIX'
     publishLocation: 'pipeline'
 
@@ -107,7 +122,7 @@ steps:
   inputs:
     connectedServiceName: 'Visual Studio Marketplace - MSIX'
     fileType: vsix
-    vsixFile: '$(Build.ArtifactStagingDirectory)\MsixPackagingExtension.vsix'
+    vsixFile: '$(buildOutRoot)\MsixPackagingExtension.vsix'
     extensionId: 'msix-ci-automation-task-dev'
     extensionName: 'MSIX Packaging (Preview)'
     extensionVersion: '$(major).$(minor).$(patch)'