windows: add Windows release build for AzPipelines

mjcheetham · mjcheetham · commit b911f269f726 · 2025-09-23T14:57:24.000+01:00
Add an incomplete build stage for Windows. ESRP is not yet enabled.

Signed-off-by: Matthew John Cheetham &lt;mjcheetham@outlook.com&gt;
diff --git a/.azure-pipelines/release.yml b/.azure-pipelines/release.yml
@@ -15,9 +15,31 @@ parameters:
     default: false
     displayName: 'Enable ESRP code signing'
 
+variables:
+  - name: 'esrpConnectionName'
+    value: 'ESRP-1ESGitClient'
+  - name: 'esrpEndpointUrl'
+    value: 'https://api.esrp.microsoft.com/api/v2'
+  - name: 'esrpClientId'
+    value: 'TODO'
+  - name: 'esrpTenantId'
+    value: 'TODO'
+  - name: 'esrpAuthAkvName'
+    value: 'TODO'
+  - name: 'esrpAuthCertName'
+    value: 'TODO'
+  - name: 'esrpAuthSignCertName'
+    value: 'TODO'
+
 extends:
   template: v1/1ES.Official.PipelineTemplate.yml@1ESPipelines
   parameters:
+    sdl:
+      # SDL source analysis tasks only run on Windows images
+      sourceAnalysisPool:
+        name: GitClient-1ESHostedPool-intel-pc
+        image: win-x86_64-ado1es
+        os: windows
     stages:
       - stage: windows
         displayName: 'Windows'
@@ -28,5 +50,114 @@ extends:
               name: GitClient-1ESHostedPool-intel-pc
               image: win-x86_64-ado1es
               os: windows
+            templateContext:
+              outputs:
+                - output: pipelineArtifact
+                  targetPath: '$(Build.ArtifactStagingDirectory)/payload'
+                  artifactName: 'win-x86_payload'
+                - output: pipelineArtifact
+                  targetPath: '$(Build.ArtifactStagingDirectory)/installers'
+                  artifactName: 'win-x86_installers'
             steps:
               - checkout: self
+              - task: UseDotNet@2
+                displayName: 'Use .NET 8 SDK'
+                inputs:
+                  packageType: sdk
+                  version: '8.x'
+              - task: PowerShell@2
+                displayName: 'Build payload'
+                inputs:
+                  pwsh: true
+                  targetType: filePath
+                  filePath: '.\src\windows\Installer.Windows\layout.ps1'
+                  arguments: |
+                    -Configuration Release `
+                    -Output $(Build.ArtifactStagingDirectory)\payload `
+                    -SymbolOutput $(Build.ArtifactStagingDirectory)\symbols
+              - task: EsrpCodeSigning@5
+                condition: and(succeeded(), eq('${{ parameters.esrp }}', true))
+                displayName: 'Sign payload'
+                inputs:
+                  connectedServiceName: '$(esrpConnectionName)'
+                  appRegistrationClientId: '$(esrpClientId)'
+                  appRegistrationTenantId: '$(esrpTenantId)'
+                  authAkvName: '$(esrpAuthAkvName)'
+                  authCertName: '$(esrpAuthCertName)'
+                  authSignCertName: '$(esrpAuthSignCertName)'
+                  serviceEndpointUrl: '$(esrpEndpointUrl)'
+                  folderPath: '$(Build.ArtifactStagingDirectory)\payload'
+                  pattern: '**\*.exe;**\*.dll'
+                  signConfigType: inlineSignParams
+                  inlineOperation: |
+                    [
+                      {
+                         "keyCode": "TODO",
+                         "operationCode": "SigntoolSign"
+                         "parameters": {
+                            "OpusName": "Microsoft",
+                            "OpusInfo": "http://microsoft.com",
+                            "FileDigest": "/fd \"SHA256\"",
+                            "PageHash": "/NPH",
+                            "Timestamp": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256"
+                         },
+                         "toolName": "sign",
+                         "toolVersion": "1.0"
+                      },
+                      {
+                        "keyCode": "TODO",
+                        "operationCode": "SigntoolVerify",
+                        "parameters": {},
+                        "toolName": "sign",
+                        "toolVersion": "1.0"
+                      }
+                    ]
+              - task: PowerShell@2
+                displayName: 'Build installers'
+                inputs:
+                  pwsh: true
+                  targetType: inline
+                  script: |
+                    dotnet build '.\src\windows\Installer.Windows\Installer.Windows.csproj' `
+                      --configuration Release `
+                      --no-dependencies `
+                      -p:NoLayout=true `
+                      -p:PayloadPath="$(Build.ArtifactStagingDirectory)\payload"
+                      -p:OutputPath="$(Build.ArtifactStagingDirectory)\installers"
+              - task: EsrpCodeSigning@5
+                condition: and(succeeded(), eq('${{ parameters.esrp }}', true))
+                displayName: 'Sign installers'
+                inputs:
+                  connectedServiceName: '$(esrpConnectionName)'
+                  appRegistrationClientId: '$(esrpClientId)'
+                  appRegistrationTenantId: '$(esrpTenantId)'
+                  authAkvName: '$(esrpAuthAkvName)'
+                  authCertName: '$(esrpAuthCertName)'
+                  authSignCertName: '$(esrpAuthSignCertName)'
+                  serviceEndpointUrl: '$(esrpEndpointUrl)'
+                  folderPath: '$(Build.ArtifactStagingDirectory)\installers'
+                  pattern: '**\*.exe'
+                  signConfigType: inlineSignParams
+                  inlineOperation: |
+                    [
+                      {
+                         "keyCode": "TODO",
+                         "operationCode": "SigntoolSign"
+                         "parameters": {
+                            "OpusName": "Microsoft",
+                            "OpusInfo": "http://microsoft.com",
+                            "FileDigest": "/fd \"SHA256\"",
+                            "PageHash": "/NPH",
+                            "Timestamp": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256"
+                         },
+                         "toolName": "sign",
+                         "toolVersion": "1.0"
+                      },
+                      {
+                        "keyCode": "TODO",
+                        "operationCode": "SigntoolVerify",
+                        "parameters": {},
+                        "toolName": "sign",
+                        "toolVersion": "1.0"
+                      }
+                    ]
