XS⚠️ ◾ Release v1.7.4: Adding Code Signing (#619)

muiriswoulfe · web-flow · commit e7b545be1ba0 · 2025-07-09T16:56:19.000+01:00
## Summary

This changes includes updates to the release pipeline, the inclusion of
code signing, a version bump for the `PR Metrics` tool, and minor
formatting improvements to configuration files. Below is a summary of
the most important changes:

### Release Pipeline Enhancements:
* Updated the Azure DevOps release pipeline to use a static IP pool
(`Azure-Pipelines-1ESPT-ExDShared-StaticIP`) and added a variable group
for `PR Metrics`. (`.github/azure-devops/release.yml`,
[.github/azure-devops/release.ymlL61-R65](diffhunk://#diff-25f998e817515523e95edd3b4e0eb06fad5909deec7e3d4b7d57f4912cb39349L61-R65))
* Introduced the `EsrpCodeSigning@5` task for signing `.vsix` files with
ESRP code signing credentials. (`.github/azure-devops/release.yml`,
[.github/azure-devops/release.ymlR95-R127](diffhunk://#diff-25f998e817515523e95edd3b4e0eb06fad5909deec7e3d4b7d57f4912cb39349R95-R127))

### Version Updates:
* Incremented the version of `PR Metrics` from `1.7.3` to `1.7.4` across
multiple files, including `package.json`, `README.md`, `task.json`, and
`vss-extension.json`.
[[1]](diffhunk://#diff-7ae45ad102eab3b6d7e7896acd08c427a9b25b346470d7bc6507b6481575d519L5-R5)
[[2]](diffhunk://#diff-b335630551682c19a781afebcf4d07bf978fb1f8ac04c6bf87428ed5106870f5L130-R130)
[[3]](diffhunk://#diff-65a89cd0ee689cbea9b9b09f50ce9df6f2af4d46936e7b185e82892495732362L5-R5)
[[4]](diffhunk://#diff-22ee61dc67ccb9df83b5d37d8e3dc5031b27d5c5defb40371d3abdd043414ea7L6-R6)

### Configuration and Metadata Improvements:
* Reformatted JSON arrays and objects in `vss-extension.json` for better
readability. (`src/vss-extension.json`,
[[1]](diffhunk://#diff-22ee61dc67ccb9df83b5d37d8e3dc5031b27d5c5defb40371d3abdd043414ea7L29-R37)
[[2]](diffhunk://#diff-22ee61dc67ccb9df83b5d37d8e3dc5031b27d5c5defb40371d3abdd043414ea7L77-R85)
* Updated the `userAgent` string in `gitHubReposInvoker.ts` and its
associated test to reflect the new version.
(`src/task/src/repos/gitHubReposInvoker.ts`,
[[1]](diffhunk://#diff-f940089e58c7285d97fbb04b132d2827a8aaf024094dfcd7ba27351b7ae6b4a3L291-R291);
`src/task/tests/repos/gitHubReposInvoker.spec.ts`,
[[2]](diffhunk://#diff-b59d2e18f2819be803f73a843d0a11f129b972aef7c779280faa03ed5c63867dL37-R37)

## Testing

### Test Types

- [ ] Unit tests
- [X] Manual tests
diff --git a/.github/azure-devops/release.yml b/.github/azure-devops/release.yml
@@ -58,9 +58,11 @@ extends:
 
           - job: Release
             pool:
-              name: Azure-Pipelines-1ESPT-ExDShared
+              name: Azure-Pipelines-1ESPT-ExDShared-StaticIP
               os: linux
               image: ubuntu-latest
+            variables:
+              - group: PR Metrics
             steps:
               - checkout: self
                 displayName: Checkout
@@ -90,6 +92,39 @@ extends:
                 displayName: Release – Create
                 workingDirectory: $(Build.SourcesDirectory)/release
 
+              - task: EsrpCodeSigning@5
+                displayName: ESRP CodeSigning
+                inputs:
+                  # Signing details are stored within the PR Metrics variable group.
+                  ConnectedServiceName: OmexCodeSigningESRP-Torus
+                  AppRegistrationClientId: $(CodeSigningAppRegistrationClientId)
+                  AppRegistrationTenantId: $(CodeSigningAppRegistrationTenantId)
+                  AuthAKVName: $(CodeSigningAuthAKVName)
+                  AuthSignCertName: $(CodeSigningAuthSignCertName)
+                  EsrpClientId: $(CodeSigningEsrpClientId)
+                  UseMSIAuthentication: true
+                  FolderPath: $(Build.SourcesDirectory)
+                  Pattern: "*.vsix"
+                  signConfigType: inlineSignParams
+                  inlineOperation: |-
+                    [
+                      {
+                        "KeyCode": "CP-500813",
+                        "OperationCode": "AdoExtensionSign",
+                        "ToolName": "sign",
+                        "ToolVersion": "1.0",
+                        "Parameters": {}
+                      },
+                      {
+                        "KeyCode": "CP-500813",
+                        "OperationCode": "AdoExtensionVerify",
+                        "ToolName": "sign",
+                        "ToolVersion": "1.0",
+                        "Parameters": {}
+                      }
+                    ]
+                  SessionTimeout: 30
+
               - task: AzureCLI@2
                 displayName: Release – Publish
                 inputs:
diff --git a/.github/workflows/release-phase-1.yml b/.github/workflows/release-phase-1.yml
@@ -21,4 +21,4 @@ jobs:
     with:
       major: 1
       minor: 7
-      patch: 4
+      patch: 5
diff --git a/.github/workflows/support/release-trigger.txt b/.github/workflows/support/release-trigger.txt
@@ -1 +1 @@
-1.7.3
+1.7.4
diff --git a/README.md b/README.md
@@ -127,7 +127,7 @@ The default input values are expected to be appropriate for most builds.
 Therefore, the following YAML definition is recommended:
 
 ```YAML
-uses: microsoft/PR-Metrics@v1.7.3
+uses: microsoft/PR-Metrics@v1.7.4
 name: PR Metrics
 env:
   PR_METRICS_ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -137,7 +137,7 @@ continue-on-error: true
 If you wish to modify the inputs, YAML akin the to the following can be used:
 
 ```YAML
-uses: microsoft/PR-Metrics@v1.7.3
+uses: microsoft/PR-Metrics@v1.7.4
 name: PR Metrics
 env:
   PR_METRICS_ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/dist/index.mjs b/dist/index.mjs
diff --git a/dist/resources.resjson b/dist/resources.resjson
@@ -2,7 +2,7 @@
   "$schema": "https://json.schemastore.org/resjson.json",
   "loc.description": "Augments pull request titles to let reviewers quickly determine PR size and test coverage.",
   "loc.description.comment": "The description of the task.",
-  "loc.friendlyName": "PR Metrics v1.7.3",
+  "loc.friendlyName": "PR Metrics v1.7.4",
   "loc.friendlyName.comment": "The name of the task.",
   "loc.helpMarkDown": "[More information](https://aka.ms/PRMetrics/README)",
   "loc.helpMarkDown.comment": "The Markdown-formatted help text of the task.",
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -2,7 +2,7 @@
   "$schema": "https://json.schemastore.org/package.json",
   "name": "prmetrics",
   "publisher": "ms-omex",
-  "version": "1.7.3",
+  "version": "1.7.4",
   "description": "Augments pull request titles to let reviewers quickly determine PR size and test coverage.",
   "main": "dist/index.mjs",
   "type": "module",
diff --git a/src/task/Strings/resources.resjson/en-US/resources.resjson b/src/task/Strings/resources.resjson/en-US/resources.resjson
@@ -2,7 +2,7 @@
   "$schema": "https://json.schemastore.org/resjson.json",
   "loc.description": "Augments pull request titles to let reviewers quickly determine PR size and test coverage.",
   "loc.description.comment": "The description of the task.",
-  "loc.friendlyName": "PR Metrics v1.7.3",
+  "loc.friendlyName": "PR Metrics v1.7.4",
   "loc.friendlyName.comment": "The name of the task.",
   "loc.helpMarkDown": "[More information](https://aka.ms/PRMetrics/README)",
   "loc.helpMarkDown.comment": "The Markdown-formatted help text of the task.",
diff --git a/src/task/src/repos/gitHubReposInvoker.ts b/src/task/src/repos/gitHubReposInvoker.ts
@@ -288,7 +288,7 @@ export default class GitHubReposInvoker extends BaseReposInvoker {
           this._logger.logWarning(`Octokit – ${message}`);
         },
       },
-      userAgent: "PRMetrics/v1.7.3",
+      userAgent: "PRMetrics/v1.7.4",
     };
 
     if (RunnerInvoker.isGitHub) {
diff --git a/src/task/task.json b/src/task/task.json
@@ -2,7 +2,7 @@
   "$schema": "https://raw.githubusercontent.com/microsoft/azure-pipelines-task-lib/master/tasks.schema.json",
   "id": "907d3b28-6b37-4ac7-ac75-9631ee53e512",
   "name": "PRMetrics",
-  "friendlyName": "PR Metrics v1.7.3",
+  "friendlyName": "PR Metrics v1.7.4",
   "description": "Augments pull request titles to let reviewers quickly determine PR size and test coverage.",
   "helpUrl": "https://aka.ms/PRMetrics/README",
   "helpMarkDown": "[More information](https://aka.ms/PRMetrics/README)",
@@ -13,7 +13,7 @@
   "version": {
     "Major": 1,
     "Minor": 7,
-    "Patch": 3
+    "Patch": 4
   },
   "instanceNameFormat": "PR Metrics",
   "showEnvironmentVariables": true,
diff --git a/src/task/task.loc.json b/src/task/task.loc.json
@@ -13,7 +13,7 @@
   "version": {
     "Major": 1,
     "Minor": 7,
-    "Patch": 3
+    "Patch": 4
   },
   "instanceNameFormat": "ms-resource:loc.instanceNameFormat",
   "showEnvironmentVariables": true,
diff --git a/src/task/tests/repos/gitHubReposInvoker.spec.ts b/src/task/tests/repos/gitHubReposInvoker.spec.ts
@@ -34,7 +34,7 @@ describe("gitHubReposInvoker.ts", (): void => {
   let octokitWrapper: OctokitWrapper;
   let runnerInvoker: RunnerInvoker;
 
-  const expectedUserAgent = "PRMetrics/v1.7.3";
+  const expectedUserAgent = "PRMetrics/v1.7.4";
 
   beforeEach((): void => {
     process.env.PR_METRICS_ACCESS_TOKEN = "PAT";
diff --git a/src/vss-extension.json b/src/vss-extension.json
@@ -3,7 +3,7 @@
   "manifestVersion": 1,
   "id": "PRMetrics",
   "name": "PR Metrics",
-  "version": "1.7.3",
+  "version": "1.7.4",
   "publisher": "ms-omex",
   "description": "Augments pull request titles to let reviewers quickly determine PR size and test coverage.",
   "public": true,
