|
1 | | -## Contributing |
| 1 | +# Contributing |
2 | 2 |
|
3 | | -See [https://docs.microsoft.com/en-us/azure/devops/extend/develop/add-build-task?view=azure-devops](https://docs.microsoft.com/en-us/azure/devops/extend/develop/add-build-task?view=azure-devops) for more information about working on this extension. |
| 3 | +## Contributions From Aqua |
| 4 | + |
| 5 | +### What you need |
| 6 | + |
| 7 | +- Your own Azure DevOps Organisation (for testing) |
| 8 | +- Access to the Aqua Security Azure DevOps Organisation (for publishing) |
| 9 | +- A GitHub account with write access to this repository. |
| 10 | + |
| 11 | +There are two published versions of this extension - the real, public version, and a private, test version. You cannot have both versions installed to your test organisation at the same time, so you must uninstall one before installing the other. |
| 12 | + |
| 13 | +The test version exists so we can publish a version and test it amongst ourselves before publishing to the real version. |
| 14 | + |
| 15 | +- Test: https://marketplace.visualstudio.com/items?itemName=AquaSecurityOfficial.tfsec-official-dev |
| 16 | +- Real: https://marketplace.visualstudio.com/items?itemName=AquaSecurityOfficial.tfsec-official |
| 17 | + |
| 18 | +You'll need to give your test organisation with access to the test version, which you can do by adding to the `--share-with` flag in `scripts/dev.sh`. |
| 19 | + |
| 20 | +You can follow the [guide](marketplace.md) to install the extension to your test organisation. |
| 21 | + |
| 22 | +### Updating the Publisher Token |
| 23 | + |
| 24 | +The extension is published using an API which requires an _Azure Publisher Token_. This is [stored as a secret](https://github.com/aquasecurity/tfsec-azure-pipelines-task/settings/secrets/actions) named `PUBLISHER_TOKEN` in the GitHub repository. |
| 25 | + |
| 26 | + |
| 27 | + |
| 28 | +To update the token, you'll need to create a personal access token in _Azure Dev Ops_ with access to publish extensions to the Aqua organisation. You can then update the secret in the GitHub repository with this key. Setting it to expire after a short period is good practice. |
| 29 | + |
| 30 | +### Testing a New Version |
| 31 | + |
| 32 | +Create a tag that is prefixed with `dev` on your branch, such as `dev1.2.3`, and push it. This will trigger a GitHub action that will publish a test version of the extension. Wait a few minutes and then try running the extension in your test organisation. |
| 33 | + |
| 34 | +### Publishing a New Version |
| 35 | + |
| 36 | +After ensuring you have published a test version of the extension, and tested it, you can publish the real version. |
| 37 | + |
| 38 | +After merging your changes to the `main` branch, create a semver tag that is prefixed with `v` on your branch, such as `v1.2.3`, and push it. This will trigger a GitHub action that will publish a new version of the extension. Wait a few minutes and then try running the extension in your test organisation to confirm it works. |
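Review bot: In "Publishing a New Version", the instruction to create the `v` tag "on your branch" after merging to `main` leaves it unclear which commit is released. Because pushing the tag is what triggers the publish action, the text should say the tag goes on the merged commit on `main`, so the public extension is never published from a branch state that was not merged. In "Updating the Publisher Token", "access to publish extensions" and "a short period" would be more useful if the doc named the exact scope to select and a concrete expiry, and said who rotates `PUBLISHER_TOKEN` when it lapses. Smaller points: "give your test organisation with access" should read "give your test organisation access", "Azure Dev Ops" is spelled "Azure DevOps" elsewhere in the file, and the removed Microsoft build-task link leaves no pointer for contributors outside Aqua.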