build: switch to ESRP v5, which supports managed identities #17134
Conversation
This required me to push a bunch more parameters through the build pipeline, but it gave me the opportunity to define them as variables that can be set at queue time.
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
This comment has been minimized.
This comment has been minimized.
This comment was marked as resolved.
This comment was marked as resolved.
|
|
|
|
| @@ -27,6 +27,9 @@ parameters: | |||
| - name: publishArtifacts | |||
| type: boolean | |||
| default: true | |||
| - name: signingIdentity | |||
There was a problem hiding this comment.
heck at this rate, we should almost have a do-codesign.yml template that takes one of these signingIdentity objects we're passing around
| ConnectedServiceName: ${{ parameters.signingIdentity.serviceName }} | ||
| AppRegistrationClientId: ${{ parameters.signingIdentity.appId }} | ||
| AppRegistrationTenantId: ${{ parameters.signingIdentity.tenantId }} | ||
| AuthAKVName: ${{ parameters.signingIdentity.akvName }} | ||
| AuthCertName: ${{ parameters.signingIdentity.authCertName }} | ||
| AuthSignCertName: ${{ parameters.signingIdentity.signCertName }} |
There was a problem hiding this comment.
After googling a bit, I wonder if you can do
inputs:
${{ each var in parameters.signingIdentity }}:
${{var.name}}: ${{ var.value }}
FolderPath: $(Build.ArtifactStagingDirectory)/nupkgThere was a problem hiding this comment.
Probably, yeah. I'm going to reach for something more like Mike's recommendation though - and maybe do both of these at the same time.
There was a problem hiding this comment.
wait that sounds like a way to leak secrets. Like, if we add params, forget that we did this, and now we're passing all sorts of stuff to esrp that it wasn't expecting
There was a problem hiding this comment.
I did this in powertoys because they have 300 copies of the signing step...
This required me to push a bunch more parameters through the build pipeline, but it gave me the opportunity to define them as variables that can be set at queue time.