product-build-darwin.yml
  - script: |
      mkdir -p .build
      echo -n $BUILD_SOURCEVERSION > .build/commit
      echo -n $VSCODE_QUALITY > .build/quality
    displayName: Prepare cache flag

  - task: 1ESLighthouseEng.PipelineArtifactCaching.RestoreCacheV1.RestoreCache@1
      keyfile: "build/.cachesalt, .build/commit, .build/quality"
      targetfolder: ".build, out-build, out-vscode-min, out-vscode-reh-min, out-vscode-reh-web-min"
      vstsFeed: "npm-vscode"
      platformIndependent: true
      alias: "Compilation"

  - script: |
      set -e
      exit 1
    displayName: Check RestoreCache
    condition: and(succeeded(), ne(variables['CacheRestored-Compilation'], 'true'))

  - task: NodeTool@0
      versionSpec: "12.18.3"

  - task:
      versionSpec: "1.x"

  - task: AzureKeyVault@1
    displayName: "Azure Key Vault: Get Secrets"
      azureSubscription: "vscode-builds-subscription"
      KeyVaultName: vscode

  - script: |
      set -e

      cat << EOF > ~/.netrc
      login vscode
      password $(github-distro-mixin-password)

      git config ""
      git config "VSCode"
    displayName: Prepare tooling

  - script: |
      set -e
      git remote add distro "$(VSCODE_MIXIN_REPO).git"
      git fetch distro
      git merge $(node -p "require('./package.json').distro")
    displayName: Merge distro

  - script: |
      echo -n $VSCODE_ARCH > .build/arch
    displayName: Prepare arch cache flag

  - script: |
      npx standAlone
    displayName: Switch to Terrapin packages

  - task: 1ESLighthouseEng.PipelineArtifactCaching.RestoreCacheV1.RestoreCache@1
      keyfile: ".build/arch, build/.cachesalt, .yarnrc, remote/.yarnrc, **/yarn.lock, !**/node_modules/**/yarn.lock, !**/.*/**/yarn.lock"
      targetfolder: "**/node_modules, !**/node_modules/**/node_modules"
      vstsFeed: "npm-vscode"

  - script: |
      set -e
      sudo xcode-select -s /Applications/
    displayName: Switch to Xcode 12
    condition: eq(variables['VSCODE_ARCH'], 'arm64')

  - script: |
      set -e
      npm install -g node-gyp@7.1.0
      node-gyp --version
    displayName: Update node-gyp
    condition: and(succeeded(), ne(variables['CacheRestored'], 'true'))

  - script: |
      set -e
      export npm_config_arch=$(VSCODE_ARCH)
      export npm_config_node_gyp=$(which node-gyp)
      export SDKROOT=/Applications/
      ls /Applications/
      CHILD_CONCURRENCY=1 yarn --frozen-lockfile --verbose
    displayName: Install dependencies
    condition: and(succeeded(), ne(variables['CacheRestored'], 'true'))

  - task: 1ESLighthouseEng.PipelineArtifactCaching.SaveCacheV1.SaveCache@1
      keyfile: ".build/arch, build/.cachesalt, .yarnrc, remote/.yarnrc, **/yarn.lock, !**/node_modules/**/yarn.lock, !**/.*/**/yarn.lock"
      targetfolder: "**/node_modules, !**/node_modules/**/node_modules"
      vstsFeed: "npm-vscode"
    condition: and(succeeded(), ne(variables['CacheRestored'], 'true'))

  - script: |
      set -e
      export npm_config_arch=$(VSCODE_ARCH)
      export npm_config_node_gyp=$(which node-gyp)
      export SDKROOT=/Applications/
      ls /Applications/
      yarn postinstall
    displayName: Run postinstall scripts
    condition: and(succeeded(), eq(variables['CacheRestored'], 'true'))

  - script: |
      set -e
      export SDKROOT=/Applications/
      ls /Applications/
      yarn electron-rebuild
    displayName: Rebuild native modules for ARM64
    condition: eq(variables['VSCODE_ARCH'], 'arm64')

  - script: |
      set -e
      node build/azure-pipelines/mixin
    displayName: Mix in quality

  - script: |
      set -e
      VSCODE_MIXIN_PASSWORD="$(github-distro-mixin-password)" \
        yarn gulp vscode-darwin-$(VSCODE_ARCH)-min-ci
    displayName: Build

  - script: |
      set -e
      VSCODE_MIXIN_PASSWORD="$(github-distro-mixin-password)" \
        yarn gulp vscode-reh-darwin-min-ci
      VSCODE_MIXIN_PASSWORD="$(github-distro-mixin-password)" \
        yarn gulp vscode-reh-web-darwin-min-ci
    displayName: Build reh
    condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'))

  - script: |
      set -e
      yarn electron $(VSCODE_ARCH)
    displayName: Download Electron
    condition: and(succeeded(), eq(variables['VSCODE_STEP_ON_IT'], 'false'))

  - script: |
      set -e
      security create-keychain -p pwd $(agent.tempdirectory)/buildagent.keychain
      security default-keychain -s $(agent.tempdirectory)/buildagent.keychain
      security unlock-keychain -p pwd $(agent.tempdirectory)/buildagent.keychain
      echo "$(macos-developer-certificate)" | base64 -D > $(agent.tempdirectory)/cert.p12
      security import $(agent.tempdirectory)/cert.p12 -k $(agent.tempdirectory)/buildagent.keychain -P "$(macos-developer-certificate-key)" -T /usr/bin/codesign
      security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k pwd $(agent.tempdirectory)/buildagent.keychain
      VSCODE_ARCH="$(VSCODE_ARCH)" DEBUG=electron-osx-sign* node build/darwin/sign.js
    displayName: Set Hardened Entitlements

  - script: |
      set -e
      ./scripts/ --build --tfs "Unit Tests"
    displayName: Run unit tests (Electron)
    condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'), eq(variables['VSCODE_STEP_ON_IT'], 'false'))

  - script: |
      set -e
      yarn test-browser --build --browser chromium --browser webkit --browser firefox --tfs "Browser Unit Tests"
    displayName: Run unit tests (Browser)
    condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'), eq(variables['VSCODE_STEP_ON_IT'], 'false'))

  - script: |
      # Figure out the full absolute path of the product we just built
      # including the remote server and configure the integration tests
      # to run with these builds instead of running out of sources.
      set -e
      APP_NAME="`ls $APP_ROOT | head -n 1`"
      VSCODE_REMOTE_SERVER_PATH="$(agent.builddirectory)/vscode-reh-darwin" \
      ./scripts/ --build --tfs "Integration Tests"
    displayName: Run integration tests (Electron)
    condition: and(succeeded(),  eq(variables['VSCODE_ARCH'], 'x64'), eq(variables['VSCODE_STEP_ON_IT'], 'false'))

  - script: |
      set -e
      VSCODE_REMOTE_SERVER_PATH="$(agent.builddirectory)/vscode-reh-web-darwin" \
      ./resources/server/test/ --browser webkit
    displayName: Run integration tests (Browser)
    condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'), eq(variables['VSCODE_STEP_ON_IT'], 'false'))

  - script: |
      set -e
      APP_NAME="`ls $APP_ROOT | head -n 1`"
      VSCODE_REMOTE_SERVER_PATH="$(agent.builddirectory)/vscode-reh-darwin" \
    displayName: Run remote integration tests (Electron)
    condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'), eq(variables['VSCODE_STEP_ON_IT'], 'false'))

  - script: |
      set -e
      APP_NAME="`ls $APP_ROOT | head -n 1`"
      yarn smoketest --build "$APP_ROOT/$APP_NAME"
    continueOnError: true
    displayName: Run smoke tests (Electron)
    condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'), eq(variables['VSCODE_STEP_ON_IT'], 'false'))

  - script: |
      set -e
      VSCODE_REMOTE_SERVER_PATH="$(agent.builddirectory)/vscode-reh-web-darwin" \
      yarn smoketest --web --headless
    continueOnError: true
    displayName: Run smoke tests (Browser)
    condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'), eq(variables['VSCODE_STEP_ON_IT'], 'false'))

  - task: PublishPipelineArtifact@0
      artifactName: crash-dump-macos-$(VSCODE_ARCH)
      targetPath: .build/crashes
    displayName: "Publish Crash Reports"
    continueOnError: true
    condition: failed()

  - task: PublishTestResults@2
    displayName: Publish Tests Results
      testResultsFiles: "*-results.xml"
      searchFolder: "$(Build.ArtifactStagingDirectory)/test-results"
    condition: succeededOrFailed()

  - script: |
      set -e
      pushd $(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH) && zip -r -X -y $(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH).zip * && popd
    displayName: Archive build

  - task:
      ConnectedServiceName: "ESRP CodeSign"
      FolderPath: "$(agent.builddirectory)"
      Pattern: "VSCode-darwin-$(VSCODE_ARCH).zip"
      signConfigType: inlineSignParams
      inlineOperation: |
            "keyCode": "CP-401337-Apple",
            "operationSetCode": "MacAppDeveloperSign",
            "parameters": [
                "parameterName": "Hardening",
                "parameterValue": "--options=runtime"
            "toolName": "sign",
            "toolVersion": "1.0"
      SessionTimeout: 60
    displayName: Codesign

  - script: |
      zip -d $(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH).zip "*.pkg"
    displayName: Clean Archive

  - script: |
      APP_NAME="`ls $APP_ROOT | head -n 1`"
      BUNDLE_IDENTIFIER=$(node -p "require(\"$APP_ROOT/$APP_NAME/Contents/Resources/app/product.json\").darwinBundleIdentifier")
      echo "##vso[task.setvariable variable=BundleIdentifier]$BUNDLE_IDENTIFIER"
    displayName: Export bundle identifier

  - task:
      ConnectedServiceName: "ESRP CodeSign"
      FolderPath: "$(agent.builddirectory)"
      Pattern: "VSCode-darwin-$(VSCODE_ARCH).zip"
      signConfigType: inlineSignParams
      inlineOperation: |
            "keyCode": "CP-401337-Apple",
            "operationSetCode": "MacAppNotarize",
            "parameters": [
                "parameterName": "BundleId",
                "parameterValue": "$(BundleIdentifier)"
            "toolName": "sign",
            "toolVersion": "1.0"
      SessionTimeout: 60
    displayName: Notarization

  - script: |
      set -e
      APP_NAME="`ls $APP_ROOT | head -n 1`"
    displayName: Verify start after signing (export configuration)
    condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'))

  - script: |
      set -e
      VSCODE_MIXIN_PASSWORD="$(github-distro-mixin-password)" \
      AZURE_DOCUMENTDB_MASTERKEY="$(builds-docdb-key-readwrite)" \
      AZURE_STORAGE_ACCESS_KEY="$(ticino-storage-key)" \
      AZURE_STORAGE_ACCESS_KEY_2="$(vscode-storage-key)" \
    displayName: Publish

  - script: |
      AZURE_STORAGE_ACCESS_KEY="$(ticino-storage-key)" \
      yarn gulp upload-vscode-configuration
    displayName: Upload configuration (for Bing settings search)
    condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'))
    continueOnError: true

  - task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
    displayName: "Component Detection"
    continueOnError: true