
1ESPT conversion cleanup

Open chcosta opened this issue 1 year ago • 7 comments

  • As part of cleanup from 1ES PT conversion, we should examine whether the CodeQL template we provide is still necessary or we can just direct to the 1ES path.

    https://github.com/dotnet/arcade/pull/14525#discussion_r1507976118

  • Consider removing SDLValidationParameters - https://github.com/dotnet/arcade/pull/14525/files#r1508020331

  • Validate whether setup-maestro-vars.yml is any use. I think its usefulness died with the addition of --default-channels in add-build-to-channel

chcosta avatar Feb 29 '24 18:02 chcosta

Adding a few more items

  • Clean up any conditional that mentions running a PR, running as public, or running in the public project

  • Understand whether we still need to generate SBOMs with our own templates or can solely rely on the template injected sbom generation. This might not be possible, as the Microbuild guidance is to keep using the manifest generator task...

    SBOM: The Migration Tooling will remove the SBOM Manifest Builder Task. Please put this back. The SBOM tasks in the 1ES PT does not conform to the way that we package up SBOM's into manifest files in MicroBuild.

riarenas avatar Feb 29 '24 19:02 riarenas

re the CodeQL point: parameters.PackageVersion is a lousy name anyhow. we should at least fix that if the hook is still needed

dougbu avatar Feb 29 '24 23:02 dougbu

Understand whether we still need to generate SBOMs with our own templates or can solely rely on the template injected sbom generation. This might not be possible, as the Microbuild guidance is to keep using the manifest generator task...

if we keep our own SBOM task then we need to bump the package version since it wasn't bumped in main: https://github.com/dotnet/arcade/issues/14511

akoeplinger avatar Mar 01 '24 12:03 akoeplinger

As a more general cleanup point:

  • the public templates should only do public things
  • the official templates should only do official things

riarenas avatar Mar 01 '24 19:03 riarenas

Understand whether we still need to generate SBOMs with our own templates or can solely rely on the template injected sbom generation. This might not be possible, as the Microbuild guidance is to keep using the manifest generator task...

if we keep our own SBOM task then we need to bump the package version since it wasn't bumped in main: #14511

Especially because a certain @riarenas said we shouldn't update it in main yet 😛

riarenas avatar Mar 01 '24 22:03 riarenas

@chcosta do you know what the status of the clean up is? Is there more that we need to clean up from the migration?

missymessa avatar Aug 08 '24 20:08 missymessa

This is done for main. Equivalent changes were never made to release branches because of wave 1 prioritization. I'm not certain that this is a high enough priority for release branches at this time or in the near future.

chcosta avatar Aug 12 '24 15:08 chcosta