product-build-darwin.yml

steps:
  - task: NodeTool@0
    inputs:
      versionSpec: "12.18.3"

  - task: AzureKeyVault@1
    displayName: "Azure Key Vault: Get Secrets"
    inputs:
      azureSubscription: "vscode-builds-subscription"
      KeyVaultName: vscode

  - task: DownloadPipelineArtifact@2
    inputs:
      artifact: Compilation
      path: $(Build.ArtifactStagingDirectory)
    displayName: Download compilation output

  - script: |
      set -e
      tar -xzf $(Build.ArtifactStagingDirectory)/compilation.tar.gz
    displayName: Extract compilation output

  - script: |
      set -e
      cat << EOF > ~/.netrc
      machine github.com
      login vscode
      password $(github-distro-mixin-password)
      EOF

      git config user.email "vscode@microsoft.com"
      git config user.name "VSCode"
    displayName: Prepare tooling

  - script: |
      set -e
      sudo xcode-select -s /Applications/Xcode_12.2.app
    displayName: Switch to Xcode 12
    condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'arm64'))

  - script: |
      set -e
      git pull --no-rebase https://github.com/$(VSCODE_MIXIN_REPO).git $(node -p "require('./package.json').distro")
    displayName: Merge distro

  - script: |
      mkdir -p .build
      node build/azure-pipelines/common/computeNodeModulesCacheKey.js $VSCODE_ARCH $ENABLE_TERRAPIN > .build/yarnlockhash
    displayName: Prepare yarn cache flags

  - task: Cache@2
    inputs:
      key: 'nodeModules | $(Agent.OS) | .build/yarnlockhash'
      path: .build/node_modules_cache
      cacheHitVar: NODE_MODULES_RESTORED
    displayName: Restore node_modules cache

  - script: |
      set -e
      tar -xzf .build/node_modules_cache/cache.tgz
    condition: and(succeeded(), eq(variables.NODE_MODULES_RESTORED, 'true'))
    displayName: Extract node_modules cache

  - script: |
      set -e
      npm install -g node-gyp@latest
      node-gyp --version
    displayName: Update node-gyp
    condition: and(succeeded(), ne(variables.NODE_MODULES_RESTORED, 'true'))

  - script: |
      npx https://aka.ms/enablesecurefeed standAlone
    timeoutInMinutes: 5
    condition: and(succeeded(), ne(variables.NODE_MODULES_RESTORED, 'true'), eq(variables['ENABLE_TERRAPIN'], 'true'))
    displayName: Switch to Terrapin packages

  - script: |
      set -e
      export npm_config_arch=$(VSCODE_ARCH)
      export npm_config_node_gyp=$(which node-gyp)
      export SDKROOT=/Applications/Xcode_12.2.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.0.sdk

      for i in {1..3}; do # try 3 times, for Terrapin
        yarn --frozen-lockfile && break
        if [ $i -eq 3 ]; then
          echo "Yarn failed too many times" >&2
          exit 1
        fi
        echo "Yarn failed $i, trying again..."
      done
    env:
      ELECTRON_SKIP_BINARY_DOWNLOAD: 1
      PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1
    displayName: Install dependencies
    condition: and(succeeded(), ne(variables.NODE_MODULES_RESTORED, 'true'))

  - script: |
      set -e
      node build/azure-pipelines/common/listNodeModules.js .build/node_modules_list.txt
      mkdir -p .build/node_modules_cache
      tar -czf .build/node_modules_cache/cache.tgz --files-from .build/node_modules_list.txt
    condition: and(succeeded(), ne(variables.NODE_MODULES_RESTORED, 'true'))
    displayName: Create node_modules archive

  - script: |
      set -e
      export npm_config_arch=$(VSCODE_ARCH)
      export npm_config_node_gyp=$(which node-gyp)
      export npm_config_build_from_source=true
      export SDKROOT=/Applications/Xcode_12.2.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.0.sdk
      ls /Applications/Xcode_12.2.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/
      yarn electron-rebuild
      cd ./node_modules/keytar
      node-gyp rebuild
    displayName: Rebuild native modules for ARM64
    condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'arm64'))

  - script: |
      set -e
      node build/azure-pipelines/mixin
    displayName: Mix in quality

  - script: |
      set -e
      VSCODE_MIXIN_PASSWORD="$(github-distro-mixin-password)" \
        yarn gulp vscode-darwin-$(VSCODE_ARCH)-min-ci
    displayName: Build

  - script: |
      set -e
      VSCODE_MIXIN_PASSWORD="$(github-distro-mixin-password)" \
        yarn gulp vscode-reh-darwin-min-ci
      VSCODE_MIXIN_PASSWORD="$(github-distro-mixin-password)" \
        yarn gulp vscode-reh-web-darwin-min-ci
    displayName: Build Server
    condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'))

  - script: |
      set -e
      yarn npm-run-all -lp "electron $(VSCODE_ARCH)" "playwright-install"
    displayName: Download Electron and Playwright
    condition: and(succeeded(), eq(variables['VSCODE_STEP_ON_IT'], 'false'))

  - script: |
      set -e
      security create-keychain -p pwd $(agent.tempdirectory)/buildagent.keychain
      security default-keychain -s $(agent.tempdirectory)/buildagent.keychain
      security unlock-keychain -p pwd $(agent.tempdirectory)/buildagent.keychain
      echo "$(macos-developer-certificate)" | base64 -D > $(agent.tempdirectory)/cert.p12
      security import $(agent.tempdirectory)/cert.p12 -k $(agent.tempdirectory)/buildagent.keychain -P "$(macos-developer-certificate-key)" -T /usr/bin/codesign
      security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k pwd $(agent.tempdirectory)/buildagent.keychain
      VSCODE_ARCH="$(VSCODE_ARCH)" DEBUG=electron-osx-sign* node build/darwin/sign.js
    displayName: Set Hardened Entitlements
    condition: and(succeeded(), ne(variables['VSCODE_PUBLISH'], 'false'))

  - script: |
      set -e
      ./scripts/test.sh --build --tfs "Unit Tests"
    displayName: Run unit tests (Electron)
    timeoutInMinutes: 5
    condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'), eq(variables['VSCODE_STEP_ON_IT'], 'false'))

  - script: |
      set -e
      yarn test-browser --build --browser chromium --browser webkit --browser firefox --tfs "Browser Unit Tests"
    displayName: Run unit tests (Browser)
    timeoutInMinutes: 5
    condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'), eq(variables['VSCODE_STEP_ON_IT'], 'false'))

  - script: |
      set -e
      yarn --cwd test/integration/browser compile
    displayName: Compile integration tests
    condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'), eq(variables['VSCODE_STEP_ON_IT'], 'false'))

  - script: |
      # Figure out the full absolute path of the product we just built
      # including the remote server and configure the integration tests
      # to run with these builds instead of running out of sources.
      set -e
      APP_ROOT=$(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH)
      APP_NAME="`ls $APP_ROOT | head -n 1`"
      INTEGRATION_TEST_ELECTRON_PATH="$APP_ROOT/$APP_NAME/Contents/MacOS/Electron" \
      VSCODE_REMOTE_SERVER_PATH="$(agent.builddirectory)/vscode-reh-darwin" \
      ./scripts/test-integration.sh --build --tfs "Integration Tests"
    displayName: Run integration tests (Electron)
    timeoutInMinutes: 5
    condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'), eq(variables['VSCODE_STEP_ON_IT'], 'false'))

  - script: |
      set -e
      VSCODE_REMOTE_SERVER_PATH="$(agent.builddirectory)/vscode-reh-web-darwin" \
      ./resources/server/test/test-web-integration.sh --browser webkit
    displayName: Run integration tests (Browser)
    timeoutInMinutes: 5
    condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'), eq(variables['VSCODE_STEP_ON_IT'], 'false'))

  - script: |
      set -e
      APP_ROOT=$(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH)
      APP_NAME="`ls $APP_ROOT | head -n 1`"
      INTEGRATION_TEST_ELECTRON_PATH="$APP_ROOT/$APP_NAME/Contents/MacOS/Electron" \
      VSCODE_REMOTE_SERVER_PATH="$(agent.builddirectory)/vscode-reh-darwin" \
      ./resources/server/test/test-remote-integration.sh
    displayName: Run remote integration tests (Electron)
    timeoutInMinutes: 5
    condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'), eq(variables['VSCODE_STEP_ON_IT'], 'false'))

  - script: |
      set -e
      yarn --cwd test/smoke compile
    displayName: Compile smoke tests
    condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'), eq(variables['VSCODE_STEP_ON_IT'], 'false'))

  - script: |
      set -e
      APP_ROOT=$(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH)
      APP_NAME="`ls $APP_ROOT | head -n 1`"
      yarn smoketest-no-compile --build "$APP_ROOT/$APP_NAME"
    timeoutInMinutes: 5
    displayName: Run smoke tests (Electron)
    condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'), eq(variables['VSCODE_STEP_ON_IT'], 'false'))

  - script: |
      set -e
      VSCODE_REMOTE_SERVER_PATH="$(agent.builddirectory)/vscode-reh-web-darwin" \
      yarn smoketest-no-compile --web --headless
    timeoutInMinutes: 5
    displayName: Run smoke tests (Browser)
    condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'), eq(variables['VSCODE_STEP_ON_IT'], 'false'))

  - task: PublishPipelineArtifact@0
    inputs:
      artifactName: crash-dump-macos-$(VSCODE_ARCH)
      targetPath: .build/crashes
    displayName: "Publish Crash Reports"
    continueOnError: true
    condition: failed()

  - task: PublishTestResults@2
    displayName: Publish Tests Results
    inputs:
      testResultsFiles: "*-results.xml"
      searchFolder: "$(Build.ArtifactStagingDirectory)/test-results"
    condition: and(succeededOrFailed(), eq(variables['VSCODE_ARCH'], 'x64'), eq(variables['VSCODE_STEP_ON_IT'], 'false'))

  - script: |
      set -e
      pushd $(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH) && zip -r -X -y $(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH).zip * && popd
    displayName: Archive build
    condition: and(succeeded(), ne(variables['VSCODE_PUBLISH'], 'false'))

  - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
    inputs:
      ConnectedServiceName: "ESRP CodeSign"
      FolderPath: "$(agent.builddirectory)"
      Pattern: "VSCode-darwin-$(VSCODE_ARCH).zip"
      signConfigType: inlineSignParams
      inlineOperation: |
        [
          {
            "keyCode": "CP-401337-Apple",
            "operationSetCode": "MacAppDeveloperSign",
            "parameters": [
              {
                "parameterName": "Hardening",
                "parameterValue": "--options=runtime"
              }
            ],
            "toolName": "sign",
            "toolVersion": "1.0"
          }
        ]
      SessionTimeout: 60
    displayName: Codesign
    condition: and(succeeded(), ne(variables['VSCODE_PUBLISH'], 'false'))

  - script: |
      zip -d $(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH).zip "*.pkg"
    displayName: Clean
    condition: and(succeeded(), ne(variables['VSCODE_PUBLISH'], 'false'))

  - script: |
      APP_ROOT=$(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH)
      APP_NAME="`ls $APP_ROOT | head -n 1`"
      BUNDLE_IDENTIFIER=$(node -p "require(\"$APP_ROOT/$APP_NAME/Contents/Resources/app/product.json\").darwinBundleIdentifier")
      echo "##vso[task.setvariable variable=BundleIdentifier]$BUNDLE_IDENTIFIER"
    displayName: Export bundle identifier
    condition: and(succeeded(), ne(variables['VSCODE_PUBLISH'], 'false'))

  - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
    inputs:
      ConnectedServiceName: "ESRP CodeSign"
      FolderPath: "$(agent.builddirectory)"
      Pattern: "VSCode-darwin-$(VSCODE_ARCH).zip"
      signConfigType: inlineSignParams
      inlineOperation: |
        [
          {
            "keyCode": "CP-401337-Apple",
            "operationSetCode": "MacAppNotarize",
            "parameters": [
              {
                "parameterName": "BundleId",
                "parameterValue": "$(BundleIdentifier)"
              }
            ],
            "toolName": "sign",
            "toolVersion": "1.0"
          }
        ]
      SessionTimeout: 60
    displayName: Notarization
    condition: and(succeeded(), ne(variables['VSCODE_PUBLISH'], 'false'))

  - script: |
      set -e
      APP_ROOT=$(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH)
      APP_NAME="`ls $APP_ROOT | head -n 1`"
      "$APP_ROOT/$APP_NAME/Contents/Resources/app/bin/code" --export-default-configuration=.build
    displayName: Verify start after signing (export configuration)
    condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'), ne(variables['VSCODE_PUBLISH'], 'false'))

  - script: |
      set -e
      VSCODE_MIXIN_PASSWORD="$(github-distro-mixin-password)" \
      AZURE_DOCUMENTDB_MASTERKEY="$(builds-docdb-key-readwrite)" \
      AZURE_STORAGE_ACCESS_KEY="$(ticino-storage-key)" \
      AZURE_STORAGE_ACCESS_KEY_2="$(vscode-storage-key)" \
      VSCODE_ARCH="$(VSCODE_ARCH)" \
      ./build/azure-pipelines/darwin/publish.sh
    displayName: Publish
    condition: and(succeeded(), ne(variables['VSCODE_PUBLISH'], 'false'))

  - publish: $(Agent.BuildDirectory)/VSCode-darwin-$(VSCODE_ARCH).zip
    artifact: vscode-darwin-$(VSCODE_ARCH)
    displayName: Publish archive
    condition: and(succeeded(), ne(variables['VSCODE_PUBLISH'], 'false'))

  - publish: $(Agent.BuildDirectory)/vscode-server-darwin.zip
    artifact: vscode-server-darwin-$(VSCODE_ARCH)
    displayName: Publish server archive
    condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'), ne(variables['VSCODE_PUBLISH'], 'false'))

  - publish: $(Agent.BuildDirectory)/vscode-server-darwin-web.zip
    artifact: vscode-server-darwin-$(VSCODE_ARCH)-web
    displayName: Publish web server archive
    condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'), ne(variables['VSCODE_PUBLISH'], 'false'))

  - script: |
      AZURE_STORAGE_ACCESS_KEY="$(ticino-storage-key)" \
      VSCODE_ARCH="$(VSCODE_ARCH)" \
      yarn gulp upload-vscode-configuration
    displayName: Upload configuration (for Bing settings search)
    condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'), ne(variables['VSCODE_PUBLISH'], 'false'))
    continueOnError: true

  - task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
    displayName: "Component Detection"
    continueOnError: true