Conveting npm packaging pipeline to 1ES

tools/ci_build/github/azure-pipelines/mac-react-native-ci-pipeline.yml

@@ -27,6 +27,12 @@ pr:
     - 'js/web'
     - 'onnxruntime/core/providers/js'
 #### end trigger ####
+resources:
+  repositories:
+  - repository: 1esPipelines
+    type: git
+    name: 1ESPipelineTemplates/1ESPipelineTemplates
+    ref: refs/tags/release
 
 parameters:
 - name: NpmPublish
@@ -50,10 +56,20 @@ variables:
   ${{ if eq(parameters.NpmPublish, 'custom') }}:
     NpmPackagingMode: '$(VersionSuffix)'
 
-stages:
-- template: templates/react-native-ci.yml
+extends:
+  # The pipeline extends the 1ES PT which will inject different SDL and compliance tasks.
+  # For non-production pipelines, use "Unofficial" as defined below.
+  # For productions pipelines, use "Official".
+  template: v1/1ES.Official.PipelineTemplate.yml@1esPipelines
   parameters:
-    NpmPackagingMode: ${{ variables.NpmPackagingMode }}
-    BuildConfig: 'Release'
-    PoolName: 'onnxruntime-Ubuntu2204-AMD-CPU'
-    enable_code_sign: false
+    sdl:
+      sourceAnalysisPool:
+        name: onnxruntime-Win-CPU-2022
+        os: windows
+    stages:
+    - template: templates/react-native-ci.yml
+      parameters:
+        NpmPackagingMode: ${{ variables.NpmPackagingMode }}
+        BuildConfig: 'Release'
+        PoolName: 'onnxruntime-Ubuntu2204-AMD-CPU'
+        enable_code_sign: false

tools/ci_build/github/azure-pipelines/npm-packaging-pipeline.yml

@@ -35,71 +35,87 @@ resources:
     endpoint: Microsoft
     name: pypa/manylinux
     ref: 5eda9aded5462201e6310105728d33016e637ea7
-
-stages:
-- template: templates/web-ci.yml
+  - repository: 1esPipelines
+    type: git
+    name: 1ESPipelineTemplates/1ESPipelineTemplates
+    ref: refs/tags/release
+extends:
+  # The pipeline extends the 1ES PT which will inject different SDL and compliance tasks.
+  # For non-production pipelines, use "Unofficial" as defined below.
+  # For productions pipelines, use "Official".
+  template: v1/1ES.Official.PipelineTemplate.yml@1esPipelines
   parameters:
-    NpmPackagingMode: ${{ variables.NpmPackagingMode }}
-    IsReleasePipeline: true
-    PoolName: 'onnxruntime-Ubuntu2204-AMD-CPU'
-    PackageName: 'onnxruntime-web'
-    ExtraBuildArgs: ''
-    UseWebPoolName: true
-    RunWebGpuTestsForDebugBuild: false
-    RunWebGpuTestsForReleaseBuild: true
-    WebGpuPoolName: 'onnxruntime-Win2022-VS2022-webgpu-A10'
-    WebCpuPoolName: 'onnxruntime-Win2022-VS2022-webgpu-A10'
+    # Update the pool with your team's 1ES hosted pool.
+    sdl:
+      sourceAnalysisPool:
+        name: onnxruntime-Win-CPU-2022
+        os: windows
+    stages:
+    - template: templates/web-ci.yml
+      parameters:
+        NpmPackagingMode: ${{ variables.NpmPackagingMode }}
+        IsReleasePipeline: true
+        PoolName: 'onnxruntime-Ubuntu2204-AMD-CPU'
+        PackageName: 'onnxruntime-web'
+        ExtraBuildArgs: ''
+        UseWebPoolName: true
+        RunWebGpuTestsForDebugBuild: false
+        RunWebGpuTestsForReleaseBuild: true
+        WebGpuPoolName: 'onnxruntime-Win2022-VS2022-webgpu-A10'
+        WebCpuPoolName: 'onnxruntime-Win2022-VS2022-webgpu-A10'
+        is1ES: true
 
-- template: templates/react-native-ci.yml
-  parameters:
-    NpmPackagingMode: ${{ variables.NpmPackagingMode }}
-    BuildConfig: 'Release'
-    PoolName: 'onnxruntime-Ubuntu2204-AMD-CPU'
-    PackageName: 'onnxruntime-react-native'
-    InitialStageDependsOn: 'Precheck_and_extract_commit'
-    enable_code_sign: false
+    - template: templates/react-native-ci.yml
+      parameters:
+        NpmPackagingMode: ${{ variables.NpmPackagingMode }}
+        BuildConfig: 'Release'
+        PoolName: 'onnxruntime-Ubuntu2204-AMD-CPU'
+        PackageName: 'onnxruntime-react-native'
+        InitialStageDependsOn: 'Precheck_and_extract_commit'
+        enable_code_sign: false
+        is1ES: true
 
-- stage: Download_Node_Package_And_Publish_Validation_Script
-  dependsOn:
-  - ReactNative_CI_Android
-  - ReactNative_CI_iOS
-  - Build_web_Release
-  - Build_web_Debug
-  jobs:
-  - job: Download_Node_Package_And_Publish_Validation_Script
-    pool: 'Onnxruntime-Win-CPU-2022'
-    variables:
-      runCodesignValidationInjection: false
-    timeoutInMinutes: 10
-    steps:
-#    This pipeline usually are triggered by Zip-Nuget-Java-Nodejs Packaging Pipeline,
-#    The NPM_packages is from Android_Java_API_AAR_Packaging_QNN, not from RN_CI
-    - download: build
-      artifact: 'NPM_packages'
-      displayName: 'Download NPM_packages from Zip-Nuget-Java-Nodejs Packaging Pipeline Pipeline Artifact'
+    - stage: Download_Node_Package_And_Publish_Validation_Script
+      dependsOn:
+      - ReactNative_CI_Android
+      - ReactNative_CI_iOS
+      - Build_web_Release
+      - Build_web_Debug
+      jobs:
+      - job: Download_Node_Package_And_Publish_Validation_Script
+        pool: 'Onnxruntime-Win-CPU-2022'
+        variables:
+          runCodesignValidationInjection: false
+        timeoutInMinutes: 10
+        steps:
+    #    This pipeline usually are triggered by Zip-Nuget-Java-Nodejs Packaging Pipeline,
+    #    The NPM_packages is from Android_Java_API_AAR_Packaging_QNN, not from RN_CI
+        - download: build
+          artifact: 'NPM_packages'
+          displayName: 'Download NPM_packages from Zip-Nuget-Java-Nodejs Packaging Pipeline Pipeline Artifact'
 
-    - task: CopyFiles@2
-      inputs:
-        sourceFolder: '$(Pipeline.Workspace)\build\NPM_packages'
-        contents: onnxruntime-*.tgz
-        targetFolder: $(Build.ArtifactStagingDirectory)\node-artifacts
-      displayName: 'Copy onnxruntime-node Artifacts'
+        - task: CopyFiles@2
+          inputs:
+            sourceFolder: '$(Pipeline.Workspace)\build\NPM_packages'
+            contents: onnxruntime-*.tgz
+            targetFolder: $(Build.ArtifactStagingDirectory)\node-artifacts
+          displayName: 'Copy onnxruntime-node Artifacts'
 
-    - task: PublishPipelineArtifact@0
-      inputs:
-        artifactName: 'onnxruntime-node'
-        targetPath: '$(Build.ArtifactStagingDirectory)\node-artifacts'
-      displayName: 'Publish onnxruntime-node Pipeline Artifact'
+        - task: 1ES.PublishPipelineArtifact@1
+          inputs:
+            artifactName: 'onnxruntime-node'
+            targetPath: '$(Build.ArtifactStagingDirectory)\node-artifacts'
+          displayName: 'Publish onnxruntime-node Pipeline Artifact'
 
-    - task: CopyFiles@2
-      inputs:
-        sourceFolder: $(Build.SourcesDirectory)\tools\ci_build\github\js
-        contents: validate-npm-packages.py
-        targetFolder: $(Build.ArtifactStagingDirectory)\validation-scripts
-      displayName: 'Copy validation scripts'
+        - task: CopyFiles@2
+          inputs:
+            sourceFolder: $(Build.SourcesDirectory)\tools\ci_build\github\js
+            contents: validate-npm-packages.py
+            targetFolder: $(Build.ArtifactStagingDirectory)\validation-scripts
+          displayName: 'Copy validation scripts'
 
-    - task: PublishPipelineArtifact@0
-      inputs:
-        artifactName: 'validation_scripts'
-        targetPath: '$(Build.ArtifactStagingDirectory)\validation-scripts'
-      displayName: 'Publish validation scripts'
+        - task: 1ES.PublishPipelineArtifact@1
+          inputs:
+            artifactName: 'validation_scripts'
+            targetPath: '$(Build.ArtifactStagingDirectory)\validation-scripts'
+          displayName: 'Publish validation scripts'

tools/ci_build/github/azure-pipelines/stages/jobs/react-natvie-andriod-e2e-test-job.yml

@@ -12,10 +12,14 @@ parameters:
   displayName: 'NPM packages publish configuration'
   type: string
   default: 'dev'
-
+- name: is1ES
+  type: boolean
+  default: false
 jobs:
 - job: ReactNative_CI_Android
-  pool: 'onnxruntime-Ubuntu2204-AMD-CPU'
+  pool:
+    name: onnxruntime-Ubuntu2204-AMD-CPU
+    os: linux
   variables:
     runCodesignValidationInjection: false
     ANDROID_AVD_HOME: $(Agent.TempDirectory)
@@ -195,18 +199,30 @@ jobs:
       contents: onnxruntime-react-native*.tgz
       targetFolder: $(Build.ArtifactStagingDirectory)
     displayName: Create Artifacts onnxruntime-react-native
-
-  - task: PublishPipelineArtifact@1
-    inputs:
-      artifact: android_e2e_test_logs_$(Build.BuildId)_$(Build.BuildNumber)_$(System.JobAttempt)
-      targetPath: '$(Build.SourcesDirectory)/js/react_native/e2e/artifacts'
-    condition: succeededOrFailed()
-    displayName: Publish React Native Detox E2E test logs
-
-  - task: PublishPipelineArtifact@0
-    inputs:
-      artifactName: '${{parameters.PackageName}}'
-      targetPath: '$(Build.ArtifactStagingDirectory)'
-    displayName: Publish Pipeline Artifact
+  - ${{ if eq(parameters.is1ES, true) }}:
+    - task: 1ES.PublishPipelineArtifact@1
+      inputs:
+        artifact: android_e2e_test_logs_$(Build.BuildId)_$(Build.BuildNumber)_$(System.JobAttempt)
+        targetPath: '$(Build.SourcesDirectory)/js/react_native/e2e/artifacts'
+      condition: succeededOrFailed()
+      displayName: Publish React Native Detox E2E test logs
+    - task: 1ES.PublishPipelineArtifact@1
+      inputs:
+        artifactName: '${{parameters.PackageName}}'
+        targetPath: '$(Build.ArtifactStagingDirectory)'
+      displayName: Publish Pipeline Artifact
+
+  - ${{ if eq(parameters.is1ES, false) }}:
+    - task: PublishPipelineArtifact@1
+      inputs:
+        artifact: android_e2e_test_logs_$(Build.BuildId)_$(Build.BuildNumber)_$(System.JobAttempt)
+        targetPath: '$(Build.SourcesDirectory)/js/react_native/e2e/artifacts'
+      condition: succeededOrFailed()
+      displayName: Publish React Native Detox E2E test logs
+    - task: PublishPipelineArtifact@1
+      inputs:
+        artifactName: '${{parameters.PackageName}}'
+        targetPath: '$(Build.ArtifactStagingDirectory)'
+      displayName: Publish Pipeline Artifact
 
   - template: ../../templates/explicitly-defined-final-tasks.yml

tools/ci_build/github/azure-pipelines/templates/android-java-api-aar.yml

@@ -53,12 +53,25 @@ parameters:
   type: string
   default: '2.31.0.250130'
 
+- name: is1ES
+  displayName: Is 1ES pipeline
+  type: boolean
+  default: false
+
 jobs:
 - job: Android_Java_API_AAR_Packaging_${{ parameters.job_name_suffix }}
   timeoutInMinutes: 120
   workspace:
     clean: all
-  pool: ${{parameters.pool_name}}
+  pool:
+    name: ${{ parameters.pool_name }}
+    ${{ if or(contains(parameters.pool_name, 'ubuntu'), contains(parameters.PoolName, 'linux')) }}:
+      os: linux
+    ${{ if contains(parameters.pool_name, 'win')}}:
+      os: windows
+    ${{ if contains(parameters.pool_name, 'mac')}}:
+      os: macOS
+
 
   variables:
     artifacts_directory: $(Build.BinariesDirectory)/.artifacts
@@ -135,8 +148,13 @@ jobs:
     - template: jar-maven-signing-linux.yml
       parameters:
         JarFileDirectory: '$(artifacts_directory)'
-
-  - task: PublishBuildArtifacts@1
-    inputs:
-      pathtoPublish: '$(artifacts_directory)'
-      artifactName: '${{parameters.artifactName}}'
+  - ${{ if eq(parameters.is1ES, false) }}:
+    - task: PublishPipelineArtifact@1
+      inputs:
+        targetPath: '$(artifacts_directory)'
+        artifactName: '${{parameters.artifactName}}'
+  - ${{ if eq(parameters.is1ES, true) }}:
+    - task: 1ES.PublishPipelineArtifact@1
+      inputs:
+        targetPath: '$(artifacts_directory)'
+        artifactName: '${{parameters.artifactName}}'

tools/ci_build/github/azure-pipelines/templates/linux-wasm-ci.yml

@@ -39,10 +39,16 @@ parameters:
   type: boolean
   default: false
 
+- name: is1ES
+  displayName: 'Is 1ES pipeline'
+  type: boolean
+  default: false
+
 jobs:
 - job: build_WASM
   pool:
     name: ${{ parameters.PoolName }}
+    os: linux
   variables:
     buildArch: x64
     CommonBuildArgs: '--parallel --use_vcpkg --config ${{ parameters.BuildConfig }} --skip_submodule_sync --build_wasm --enable_wasm_simd --enable_wasm_threads ${{ parameters.ExtraBuildArgs }}'
@@ -61,15 +67,15 @@ jobs:
     displayName: 'Get commit SHA'
     condition: eq('${{ parameters.CommitOverride }}', 'true')
   - script: |
-     export __commit__=<$(Pipeline.Workspace)/__commit.txt
-     git fetch origin +$__commit__:refs/remotes/origin/$__commit__
-     git checkout --force $__commit__
+      export __commit__=<$(Pipeline.Workspace)/__commit.txt
+      git fetch origin +$__commit__:refs/remotes/origin/$__commit__
+      git checkout --force $__commit__
     workingDirectory: '$(Build.SourcesDirectory)'
     displayName: 'Read commit SHA and checkout'
     condition: eq('${{ parameters.CommitOverride }}', 'true')
   - script: |
-     git submodule sync --recursive
-     git submodule update --init --recursive
+      git submodule sync --recursive
+      git submodule update --init --recursive
     workingDirectory: '$(Build.SourcesDirectory)'
     displayName: 'Checkout submodules'
   - task: UsePythonVersion@0
@@ -79,19 +85,19 @@ jobs:
       architecture: $(buildArch)
 
   - ${{if eq(parameters.WithCache, true)}}:
-      - script: |
-          set -ex
-          cd '$(Build.SourcesDirectory)/cmake/external/emsdk'
-          ./emsdk install 4.0.3 ccache-git-emscripten-64bit
-          ./emsdk activate 4.0.3 ccache-git-emscripten-64bit
-        displayName: 'emsdk install and activate ccache for emscripten'
+    - script: |
+        set -ex
+        cd '$(Build.SourcesDirectory)/cmake/external/emsdk'
+        ./emsdk install 4.0.3 ccache-git-emscripten-64bit
+        ./emsdk activate 4.0.3 ccache-git-emscripten-64bit
+      displayName: 'emsdk install and activate ccache for emscripten'
   - ${{if eq(parameters.WithCache, false)}}:
-      - script: |
-          set -ex
-          cd '$(Build.SourcesDirectory)/cmake/external/emsdk'
-          ./emsdk install 4.0.3
-          ./emsdk activate 4.0.3
-        displayName: 'emsdk install and activate ccache for emscripten'
+    - script: |
+        set -ex
+        cd '$(Build.SourcesDirectory)/cmake/external/emsdk'
+        ./emsdk install 4.0.3
+        ./emsdk activate 4.0.3
+      displayName: 'emsdk install and activate ccache for emscripten'
 
   - template: build-linux-wasm-step.yml
     parameters:
@@ -145,12 +151,18 @@ jobs:
           cp $(Build.BinariesDirectory)/wasm_inferencing_jsep/${{ parameters.BuildConfig }}/ort-wasm-simd-threaded.jsep.mjs $(Build.ArtifactStagingDirectory)
         fi
       displayName: 'Create Artifacts'
-  - ${{ if eq(parameters.SkipPublish, false) }}:
-    - task: PublishPipelineArtifact@0
-      displayName: 'Publish Pipeline Artifact'
-      inputs:
-        artifactName: '${{ parameters.BuildConfig }}_wasm'
-        targetPath: '$(Build.ArtifactStagingDirectory)'
+    - ${{ if eq(parameters.is1ES, false) }}:
+      - task: PublishPipelineArtifact@1
+        displayName: 'Publish Pipeline Artifact'
+        inputs:
+          artifactName: '${{ parameters.BuildConfig }}_wasm'
+          targetPath: '$(Build.ArtifactStagingDirectory)'
+    - ${{ if eq(parameters.is1ES, true) }}:
+      - task: 1ES.PublishPipelineArtifact@1
+        displayName: 'Publish Pipeline Artifact'
+        inputs:
+          artifactName: '${{ parameters.BuildConfig }}_wasm'
+          targetPath: '$(Build.ArtifactStagingDirectory)'
   - task: PublishTestResults@2
     displayName: 'Publish unit test results'
     inputs:
@@ -159,5 +171,5 @@ jobs:
       testRunTitle: 'Unit Test Run'
     condition: and(succeededOrFailed(), eq('${{ parameters.BuildConfig }}', 'Debug'))
   - template: component-governance-component-detection-steps.yml
-    parameters :
-      condition : 'succeeded'
+    parameters:
+      condition: 'succeeded'