202 changes: 114 additions & 88 deletions blobfuse2-release.yaml
Expand Up @@ -327,16 +327,23 @@ stages:
sudo dpkg -i packages-microsoft-prod.deb
sudo apt update
sudo apt install apt-transport-https -y
sudo apt install dotnet-sdk-3.1 -y
sudo apt install dotnet-sdk-9.0 -y
displayName: "Update dependencies"

# Send images for signing
- task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
displayName: 'ESRP CodeSigning blobfuse2'
- task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@5
displayName: 'ESRP CodeSigning Blobfuse2'
inputs:
ConnectedServiceName: 'PMC ESRP Blobfuse2 Signing'
ConnectedServiceName: 'WIF_MI_ESRP_V5'
AppRegistrationClientId: $(ESRP_V5_APP_REGISTRATION_CLIENT_ID)
AppRegistrationTenantId: $(ESRP_V5_APP_REGISTRATION_TENANT_ID)
AuthAKVName: $(ESRP_V5_KEY_VAULT_NAME)
AuthCertName: $(ESRP_V5_AUTH_CERT_NAME)
AuthSignCertName: $(ESRP_V5_SIGN_CERT_NAME)
FolderPath: '$(Build.ArtifactStagingDirectory)/blobfuse2-temp'
Pattern: '*.rpm, *.deb'
ServiceEndpointUrl: 'https://api.esrp.microsoft.com/api/v2'
MaxConcurrency: 25
signConfigType: inlineSignParams
VerboseLogin: true
inlineOperation: |
Expand All @@ -350,12 +357,19 @@ stages:
}
]

- task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
displayName: 'ESRP CodeSigning blobfuse2 mariner'
- task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@5
displayName: 'ESRP CodeSigning Blobfuse2 for Mariner'
inputs:
ConnectedServiceName: 'PMC ESRP Blobfuse2 Signing'
ConnectedServiceName: 'WIF_MI_ESRP_V5'
AppRegistrationClientId: $(ESRP_V5_APP_REGISTRATION_CLIENT_ID)
AppRegistrationTenantId: $(ESRP_V5_APP_REGISTRATION_TENANT_ID)
AuthAKVName: $(ESRP_V5_KEY_VAULT_NAME)
AuthCertName: $(ESRP_V5_AUTH_CERT_NAME)
AuthSignCertName: $(ESRP_V5_SIGN_CERT_NAME)
FolderPath: '$(Build.ArtifactStagingDirectory)/mariner'
Pattern: '*.rpm'
ServiceEndpointUrl: 'https://api.esrp.microsoft.com/api/v2'
MaxConcurrency: 25
signConfigType: inlineSignParams
VerboseLogin: true
inlineOperation: |
Expand Down Expand Up @@ -1644,25 +1658,19 @@ stages:
pip install pmc-cli
displayName: 'Install pmc-cli'

- task: DownloadSecureFile@1
name: pmcCertificate
displayName: 'Download pmc pem file'
inputs:
secureFile: 'azstorage-devex-kv-blobfuse-release-pmc1-10102025.pem'

- task: DownloadSecureFile@1
name: settings
displayName: 'Download settings.toml file'
inputs:
secureFile: 'settings.toml'

- script: |
pmc --version
pmc --msal-cert-path $(pmcCertificate.secureFilePath) --config $(settings.secureFilePath) repo list --limit 1
if [ $? -ne 0 ]; then
exit 1
fi
- task: AzureCLI@2
displayName: 'Test PMC installation'
inputs:
addSpnToEnvironment: true
azureSubscription: 'WIF_MI_ESRP_V5'
scriptType: bash
scriptLocation: inlineScript
inlineScript: |
pmc --version
pmc --auth-type wif --base-url "https://pmc-ingest.trafficmanager.net/api/v4" repo list --limit 1
if [ $? -ne 0 ]; then
exit 1
fi

# download artifacts that need to be published
- task: DownloadBuildArtifacts@0
Expand Down Expand Up @@ -1692,97 +1700,115 @@ stages:
workingDirectory: $(Build.ArtifactStagingDirectory)/blobfuse2-signed/

- script: |
sudo ls -lRt $(Build.ArtifactStagingDirectory)
ls -lRt $(Build.ArtifactStagingDirectory)
displayName: 'List Artifacts'

- script: |
pmc --msal-cert-path $(pmcCertificate.secureFilePath) --config $(settings.secureFilePath) package upload blobfuse2-signed
- task: AzureCLI@2
displayName: 'Upload packages'
workingDirectory: $(Build.ArtifactStagingDirectory)/
inputs:
addSpnToEnvironment: true
azureSubscription: 'WIF_MI_ESRP_V5'
scriptType: bash
scriptLocation: inlineScript
inlineScript: |
pmc --auth-type wif --base-url "https://pmc-ingest.trafficmanager.net/api/v4" package upload blobfuse2-signed
workingDirectory: $(Build.ArtifactStagingDirectory)/

- script: |
wget https://raw.githubusercontent.com/Azure/azure-storage-fuse/`echo $(Build.SourceBranch) | cut -d "/" -f 1,2 --complement`/setup/packages.csv -O packages.csv
cat ./packages.csv
displayName: 'Fetch packages.csv'
workingDirectory: $(Build.ArtifactStagingDirectory)/

- script: |
fuse3AmdDeb=`pmc --msal-cert-path $(pmcCertificate.secureFilePath) --config $(settings.secureFilePath) --id-only package upload blobfuse2*fuse3.x86_64.deb`
echo "Fuse3 AMD DEB ID: $fuse3AmdDeb"
- task: AzureCLI@2
displayName: 'Add uploaded packages to repository'
inputs:
addSpnToEnvironment: true
azureSubscription: 'WIF_MI_ESRP_V5'
scriptType: bash
scriptLocation: inlineScript
inlineScript: |
fuse3AmdDeb=`pmc --auth-type wif --base-url "https://pmc-ingest.trafficmanager.net/api/v4" --id-only package upload blobfuse2*fuse3.x86_64.deb`
echo "Fuse3 AMD DEB ID: $fuse3AmdDeb"

fuse3ArmDeb=`pmc --msal-cert-path $(pmcCertificate.secureFilePath) --config $(settings.secureFilePath) --id-only package upload blobfuse2*fuse3.arm64.deb`
echo "Fuse3 ARM DEB ID: $fuse3ArmDeb"
fuse3ArmDeb=`pmc --auth-type wif --base-url "https://pmc-ingest.trafficmanager.net/api/v4" --id-only package upload blobfuse2*fuse3.arm64.deb`
echo "Fuse3 ARM DEB ID: $fuse3ArmDeb"

fuse3AmdRpm=`pmc --msal-cert-path $(pmcCertificate.secureFilePath) --config $(settings.secureFilePath) --id-only package upload blobfuse2*fuse3.x86_64.rpm`
echo "Fuse3 AMD RPM ID: $fuse3AmdRpm"
fuse3AmdRpm=`pmc --auth-type wif --base-url "https://pmc-ingest.trafficmanager.net/api/v4" --id-only package upload blobfuse2*fuse3.x86_64.rpm`
echo "Fuse3 AMD RPM ID: $fuse3AmdRpm"

fuse3ArmRpm=`pmc --msal-cert-path $(pmcCertificate.secureFilePath) --config $(settings.secureFilePath) --id-only package upload blobfuse2*fuse3.aarch64.rpm`
echo "Fuse3 ARM RPM ID: $fuse3ArmRpm"
fuse3ArmRpm=`pmc --auth-type wif --base-url "https://pmc-ingest.trafficmanager.net/api/v4" --id-only package upload blobfuse2*fuse3.aarch64.rpm`
echo "Fuse3 ARM RPM ID: $fuse3ArmRpm"

fuse2AmdDeb=`pmc --msal-cert-path $(pmcCertificate.secureFilePath) --config $(settings.secureFilePath) --id-only package upload blobfuse2*fuse2.x86_64.deb`
echo "Fuse2 AMD DEB ID: $fuse2AmdDeb"
fuse2AmdDeb=`pmc --auth-type wif --base-url "https://pmc-ingest.trafficmanager.net/api/v4" --id-only package upload blobfuse2*fuse2.x86_64.deb`
echo "Fuse2 AMD DEB ID: $fuse2AmdDeb"

fuse2AmdRpm=`pmc --msal-cert-path $(pmcCertificate.secureFilePath) --config $(settings.secureFilePath) --id-only package upload blobfuse2*fuse2.x86_64.rpm`
echo "Fuse2 AMD RPM ID: $fuse2AmdRpm"
fuse2AmdRpm=`pmc --auth-type wif --base-url "https://pmc-ingest.trafficmanager.net/api/v4" --id-only package upload blobfuse2*fuse2.x86_64.rpm`
echo "Fuse2 AMD RPM ID: $fuse2AmdRpm"

marinerAmdRpmFile=$(ls blobfuse2* | grep 'cm2\.x86_64\.rpm')
marinerFuse3AmdRpm=`pmc --msal-cert-path $(pmcCertificate.secureFilePath) --config $(settings.secureFilePath) --id-only package upload blobfuse2*cm2.x86_64.rpm`
echo "Mariner fuse3 AMD RPM ID: $marinerFuse3AmdRpm"
echo "Mariner fuse3 AMD RPM $marinerAmdRpmFile"
marinerAmdRpmFile=$(ls blobfuse2* | grep 'cm2\.x86_64\.rpm')
marinerFuse3AmdRpm=`pmc --auth-type wif --base-url "https://pmc-ingest.trafficmanager.net/api/v4" --id-only package upload blobfuse2*cm2.x86_64.rpm`
echo "Mariner fuse3 AMD RPM ID: $marinerFuse3AmdRpm"
echo "Mariner fuse3 AMD RPM $marinerAmdRpmFile"

marinerAarchRpmFile=$(ls blobfuse2* | grep 'cm2\.aarch64\.rpm')
marinerFuse3AarchRpm=`pmc --msal-cert-path $(pmcCertificate.secureFilePath) --config $(settings.secureFilePath) --id-only package upload blobfuse2*cm2.aarch64.rpm`
echo "Mariner fuse3 ARM RPM ID: $marinerFuse3AarchRpm"
echo "Mariner fuse3 ARM RPM: $marinerAarchRpmFile"
marinerAarchRpmFile=$(ls blobfuse2* | grep 'cm2\.aarch64\.rpm')
marinerFuse3AarchRpm=`pmc --auth-type wif --base-url "https://pmc-ingest.trafficmanager.net/api/v4" --id-only package upload blobfuse2*cm2.aarch64.rpm`
echo "Mariner fuse3 ARM RPM ID: $marinerFuse3AarchRpm"
echo "Mariner fuse3 ARM RPM: $marinerAarchRpmFile"

is_preview="false"
echo "##vso[task.setvariable variable=is_preview]$is_preview"
if [[ $marinerAmdRpmFile == *"preview"* ]]; then
is_preview="true"
is_preview="false"
echo "##vso[task.setvariable variable=is_preview]$is_preview"
fi
if [[ $marinerAmdRpmFile == *"preview"* ]]; then
is_preview="true"
echo "##vso[task.setvariable variable=is_preview]$is_preview"
fi

is_preview="false"
echo "##vso[task.setvariable variable=is_preview]$is_preview"
if [[ $marinerFuse3AmdRpm == *"preview"* ]]; then
is_preview="true"
is_preview="false"
echo "##vso[task.setvariable variable=is_preview]$is_preview"
fi

while IFS=, read -r distro fuseArchType repoName releaseName; do

# If the package is preview, publish to mariner preview package
if [[ $distro == *"Mariner-"* ]]; then
if [ $is_preview = "true" ]; then
repoName=$(echo $repoName | sed 's/prod/preview/')
fi
if [[ $marinerFuse3AmdRpm == *"preview"* ]]; then
is_preview="true"
echo "##vso[task.setvariable variable=is_preview]$is_preview"
fi

echo "Uploading packages for $distro"
pmc --msal-cert-path $(pmcCertificate.secureFilePath) --config $(settings.secureFilePath) repo package update --add-packages ${!fuseArchType} $repoName $releaseName
done < <(tail -n +3 ../packages.csv)
displayName: 'Add uploaded packages to repository'
workingDirectory: $(Build.ArtifactStagingDirectory)/blobfuse2-signed/
while IFS=, read -r distro fuseArchType repoName releaseName; do

- script: |
while IFS=, read -r distro fuseArchType repoName releaseName; do
if [[ $fuseArchType == *"Arm"* ]]
then
echo "Skipping for ARM type on $distro"
else
# If the package is preview, publish to mariner preview package
if [[ $distro == *"Mariner-"* ]]; then
if [ "$is_preview" = "true" ]; then
repoName=$(echo $repoName | sed 's/prod/preview/')
fi
if [ $is_preview = "true" ]; then
repoName=$(echo $repoName | sed 's/prod/preview/')
fi
fi
echo "Repository Name: $repoName"

echo "Publishing for $distro"
pmc --msal-cert-path $(pmcCertificate.secureFilePath) --config $(settings.secureFilePath) repo publish $repoName
fi
done < <(tail -n +3 ../packages.csv)
echo "Uploading packages for $distro"
pmc --auth-type wif --base-url "https://pmc-ingest.trafficmanager.net/api/v4" repo package update --add-packages ${!fuseArchType} $repoName $releaseName
done < <(tail -n +3 ../packages.csv)
workingDirectory: $(Build.ArtifactStagingDirectory)/blobfuse2-signed/

- task: AzureCLI@2
displayName: 'Publish the repository'
workingDirectory: $(Build.ArtifactStagingDirectory)/blobfuse2-signed/
inputs:
addSpnToEnvironment: true
azureSubscription: 'WIF_MI_ESRP_V5'
scriptType: bash
scriptLocation: inlineScript
inlineScript: |
while IFS=, read -r distro fuseArchType repoName releaseName; do
if [[ $fuseArchType == *"Arm"* ]]
then
echo "Skipping for ARM type on $distro"
else
if [[ $distro == *"Mariner-"* ]]; then
if [ "$is_preview" = "true" ]; then
repoName=$(echo $repoName | sed 's/prod/preview/')
fi
fi
echo "Repository Name: $repoName"

echo "Publishing for $distro"
pmc --auth-type wif --base-url "https://pmc-ingest.trafficmanager.net/api/v4" repo publish $repoName
fi
done < <(tail -n +3 ../packages.csv)
workingDirectory: $(Build.ArtifactStagingDirectory)/blobfuse2-signed/

- stage: UpdateLatestVersion
dependsOn: ReleaseArtifacts
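Review bot: In the new 'Add uploaded packages to repository' AzureCLI@2 step, the packages.csv fields are expanded unquoted in `pmc ... repo package update --add-packages ${!fuseArchType} $repoName $releaseName`, and `${!fuseArchType}` dereferences whatever variable name the CSV row supplies, in a shell that `addSpnToEnvironment: true` also populates with the service connection's identity values. packages.csv is fetched with wget at run time in an earlier step, so an unexpected row can word-split into extra pmc arguments or resolve to a variable other than the eight upload IDs assigned above. I would quote the expansions, `--add-packages "${!fuseArchType}" "$repoName" "$releaseName"`, and reject any `fuseArchType` that is not one of the known upload-ID names (fuse3AmdDeb through marinerFuse3AarchRpm) before the indirect lookup. The same unquoted `$repoName` is passed to `repo publish` in the 'Publish the repository' step. Indentation is lost in this rendering, so the nesting of these lines is inferred.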