product-build-darwin.yml

steps:
  - script: |
      mkdir -p .build
      echo -n $BUILD_SOURCEVERSION > .build/commit
      echo -n $VSCODE_QUALITY > .build/quality
      echo -n $ENABLE_TERRAPIN > .build/terrapin
    displayName: Prepare compilation cache flags

  - task: 1ESLighthouseEng.PipelineArtifactCaching.RestoreCacheV1.RestoreCache@1
    inputs:
      keyfile: "build/.cachesalt, .build/commit, .build/quality, .build/terrapin"
      targetfolder: ".build, out-build, out-vscode-min, out-vscode-reh-min, out-vscode-reh-web-min"
      vstsFeed: "npm-vscode"
      platformIndependent: true
      alias: "Compilation"

  - script: |
      set -e
      exit 1
    displayName: Check RestoreCache
    condition: and(succeeded(), ne(variables['CacheRestored-Compilation'], 'true'))

  - task: NodeTool@0
    inputs:
      versionSpec: "12.18.3"

  - task: geeklearningio.gl-vsts-tasks-yarn.yarn-installer-task.YarnInstaller@2
    inputs:
      versionSpec: "1.x"

  - task: AzureKeyVault@1
    displayName: "Azure Key Vault: Get Secrets"
    inputs:
      azureSubscription: "vscode-builds-subscription"
      KeyVaultName: vscode

  - script: |
      set -e

      cat << EOF > ~/.netrc
      machine github.com
      login vscode
      password $(github-distro-mixin-password)
      EOF

      git config user.email "vscode@microsoft.com"
      git config user.name "VSCode"
    displayName: Prepare tooling

  - script: |
      set -e
      sudo xcode-select -s /Applications/Xcode_12.2.app
    displayName: Switch to Xcode 12
    condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'arm64'))

  - script: |
      set -e
      git remote add distro "https://github.com/$(VSCODE_MIXIN_REPO).git"
      git fetch distro
      git merge $(node -p "require('./package.json').distro")
    displayName: Merge distro

  - script: |
      npx https://aka.ms/enablesecurefeed standAlone
    displayName: Switch to Terrapin packages
    timeoutInMinutes: 5
    condition: and(succeeded(), eq(variables['ENABLE_TERRAPIN'], 'true'))

  - script: |
      echo -n $(VSCODE_ARCH) > .build/arch
    displayName: Prepare yarn cache flags

  - task: 1ESLighthouseEng.PipelineArtifactCaching.RestoreCacheV1.RestoreCache@1
    inputs:
      keyfile: ".build/arch, .build/terrapin, build/.cachesalt, .yarnrc, remote/.yarnrc, **/yarn.lock, !**/node_modules/**/yarn.lock, !**/.*/**/yarn.lock"
      targetfolder: "**/node_modules, !**/node_modules/**/node_modules"
      vstsFeed: "npm-vscode"

  - script: |
      set -e
      npm install -g node-gyp@latest
      node-gyp --version
    displayName: Update node-gyp

  - script: |
      set -e
      export npm_config_arch=$(VSCODE_ARCH)
      export npm_config_node_gyp=$(which node-gyp)
      export SDKROOT=/Applications/Xcode_12.2.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.0.sdk
      export CHILD_CONCURRENCY="1"

      for i in {1..3}; do # try 3 times, for Terrapin
        yarn --frozen-lockfile && break
        if [ $i -eq 3 ]; then
          echo "Yarn failed too many times" >&2
          exit 1
        fi
        echo "Yarn failed $i, trying again..."
      done
    env:
      ELECTRON_SKIP_BINARY_DOWNLOAD: 1
      PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1
    displayName: Install dependencies
    condition: and(succeeded(), ne(variables['CacheRestored'], 'true'))

  - task: 1ESLighthouseEng.PipelineArtifactCaching.SaveCacheV1.SaveCache@1
    inputs:
      keyfile: ".build/arch, .build/terrapin, build/.cachesalt, .yarnrc, remote/.yarnrc, **/yarn.lock, !**/node_modules/**/yarn.lock, !**/.*/**/yarn.lock"
      targetfolder: "**/node_modules, !**/node_modules/**/node_modules"
      vstsFeed: "npm-vscode"
    condition: and(succeeded(), ne(variables['CacheRestored'], 'true'))

  - script: |
      set -e
      export npm_config_arch=$(VSCODE_ARCH)
      export npm_config_node_gyp=$(which node-gyp)
      export npm_config_build_from_source=true
      export SDKROOT=/Applications/Xcode_12.2.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.0.sdk
      ls /Applications/Xcode_12.2.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/
      yarn electron-rebuild
      cd ./node_modules/keytar
      node-gyp rebuild
    displayName: Rebuild native modules for ARM64
    condition: eq(variables['VSCODE_ARCH'], 'arm64')

  - script: |
      set -e
      node build/azure-pipelines/mixin
    displayName: Mix in quality

  - script: |
      set -e
      VSCODE_MIXIN_PASSWORD="$(github-distro-mixin-password)" \
        yarn gulp vscode-darwin-$(VSCODE_ARCH)-min-ci
    displayName: Build

  - script: |
      set -e
      VSCODE_MIXIN_PASSWORD="$(github-distro-mixin-password)" \
        yarn gulp vscode-reh-darwin-min-ci
      VSCODE_MIXIN_PASSWORD="$(github-distro-mixin-password)" \
        yarn gulp vscode-reh-web-darwin-min-ci
    displayName: Build Server
    condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'))

  - script: |
      set -e
      yarn npm-run-all -lp "electron $(VSCODE_ARCH)" "playwright-install"
    displayName: Download Electron and Playwright
    condition: and(succeeded(), eq(variables['VSCODE_STEP_ON_IT'], 'false'))

  - script: |
      set -e
      security create-keychain -p pwd $(agent.tempdirectory)/buildagent.keychain
      security default-keychain -s $(agent.tempdirectory)/buildagent.keychain
      security unlock-keychain -p pwd $(agent.tempdirectory)/buildagent.keychain
      echo "$(macos-developer-certificate)" | base64 -D > $(agent.tempdirectory)/cert.p12
      security import $(agent.tempdirectory)/cert.p12 -k $(agent.tempdirectory)/buildagent.keychain -P "$(macos-developer-certificate-key)" -T /usr/bin/codesign
      security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k pwd $(agent.tempdirectory)/buildagent.keychain
      VSCODE_ARCH="$(VSCODE_ARCH)" DEBUG=electron-osx-sign* node build/darwin/sign.js
    displayName: Set Hardened Entitlements
    condition: and(succeeded(), ne(variables['VSCODE_PUBLISH'], 'false'))

  - script: |
      set -e
      ./scripts/test.sh --build --tfs "Unit Tests"
    displayName: Run unit tests (Electron)
    condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'), eq(variables['VSCODE_STEP_ON_IT'], 'false'))

  - script: |
      set -e
      yarn test-browser --build --browser chromium --browser webkit --browser firefox --tfs "Browser Unit Tests"
    displayName: Run unit tests (Browser)
    condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'), eq(variables['VSCODE_STEP_ON_IT'], 'false'))

  - script: |
      # Figure out the full absolute path of the product we just built
      # including the remote server and configure the integration tests
      # to run with these builds instead of running out of sources.
      set -e
      APP_ROOT=$(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH)
      APP_NAME="`ls $APP_ROOT | head -n 1`"
      INTEGRATION_TEST_ELECTRON_PATH="$APP_ROOT/$APP_NAME/Contents/MacOS/Electron" \
      VSCODE_REMOTE_SERVER_PATH="$(agent.builddirectory)/vscode-reh-darwin" \
      ./scripts/test-integration.sh --build --tfs "Integration Tests"
    displayName: Run integration tests (Electron)
    condition: and(succeeded(),  eq(variables['VSCODE_ARCH'], 'x64'), eq(variables['VSCODE_STEP_ON_IT'], 'false'))

  - script: |
      set -e
      VSCODE_REMOTE_SERVER_PATH="$(agent.builddirectory)/vscode-reh-web-darwin" \
      ./resources/server/test/test-web-integration.sh --browser webkit
    displayName: Run integration tests (Browser)
    condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'), eq(variables['VSCODE_STEP_ON_IT'], 'false'))

  - script: |
      set -e
      APP_ROOT=$(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH)
      APP_NAME="`ls $APP_ROOT | head -n 1`"
      INTEGRATION_TEST_ELECTRON_PATH="$APP_ROOT/$APP_NAME/Contents/MacOS/Electron" \
      VSCODE_REMOTE_SERVER_PATH="$(agent.builddirectory)/vscode-reh-darwin" \
      ./resources/server/test/test-remote-integration.sh
    displayName: Run remote integration tests (Electron)
    condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'), eq(variables['VSCODE_STEP_ON_IT'], 'false'))

  - script: |
      set -e
      APP_ROOT=$(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH)
      APP_NAME="`ls $APP_ROOT | head -n 1`"
      yarn smoketest --build "$APP_ROOT/$APP_NAME"
    continueOnError: true
    displayName: Run smoke tests (Electron)
    condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'), eq(variables['VSCODE_STEP_ON_IT'], 'false'))

  - script: |
      set -e
      VSCODE_REMOTE_SERVER_PATH="$(agent.builddirectory)/vscode-reh-web-darwin" \
      yarn smoketest --web --headless
    continueOnError: true
    displayName: Run smoke tests (Browser)
    condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'), eq(variables['VSCODE_STEP_ON_IT'], 'false'))

  - task: PublishPipelineArtifact@0
    inputs:
      artifactName: crash-dump-macos-$(VSCODE_ARCH)
      targetPath: .build/crashes
    displayName: "Publish Crash Reports"
    continueOnError: true
    condition: failed()

  - task: PublishTestResults@2
    displayName: Publish Tests Results
    inputs:
      testResultsFiles: "*-results.xml"
      searchFolder: "$(Build.ArtifactStagingDirectory)/test-results"
    condition: succeededOrFailed()

  - script: |
      set -e
      pushd $(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH) && zip -r -X -y $(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH).zip * && popd
    displayName: Archive build
    condition: and(succeeded(), ne(variables['VSCODE_PUBLISH'], 'false'))

  - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
    inputs:
      ConnectedServiceName: "ESRP CodeSign"
      FolderPath: "$(agent.builddirectory)"
      Pattern: "VSCode-darwin-$(VSCODE_ARCH).zip"
      signConfigType: inlineSignParams
      inlineOperation: |
        [
          {
            "keyCode": "CP-401337-Apple",
            "operationSetCode": "MacAppDeveloperSign",
            "parameters": [
              {
                "parameterName": "Hardening",
                "parameterValue": "--options=runtime"
              }
            ],
            "toolName": "sign",
            "toolVersion": "1.0"
          }
        ]
      SessionTimeout: 60
    displayName: Codesign
    condition: and(succeeded(), ne(variables['VSCODE_PUBLISH'], 'false'))

  - script: |
      zip -d $(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH).zip "*.pkg"
    displayName: Clean
    condition: and(succeeded(), ne(variables['VSCODE_PUBLISH'], 'false'))

  - script: |
      APP_ROOT=$(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH)
      APP_NAME="`ls $APP_ROOT | head -n 1`"
      BUNDLE_IDENTIFIER=$(node -p "require(\"$APP_ROOT/$APP_NAME/Contents/Resources/app/product.json\").darwinBundleIdentifier")
      echo "##vso[task.setvariable variable=BundleIdentifier]$BUNDLE_IDENTIFIER"
    displayName: Export bundle identifier
    condition: and(succeeded(), ne(variables['VSCODE_PUBLISH'], 'false'))

  - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
    inputs:
      ConnectedServiceName: "ESRP CodeSign"
      FolderPath: "$(agent.builddirectory)"
      Pattern: "VSCode-darwin-$(VSCODE_ARCH).zip"
      signConfigType: inlineSignParams
      inlineOperation: |
        [
          {
            "keyCode": "CP-401337-Apple",
            "operationSetCode": "MacAppNotarize",
            "parameters": [
              {
                "parameterName": "BundleId",
                "parameterValue": "$(BundleIdentifier)"
              }
            ],
            "toolName": "sign",
            "toolVersion": "1.0"
          }
        ]
      SessionTimeout: 60
    displayName: Notarization
    condition: and(succeeded(), ne(variables['VSCODE_PUBLISH'], 'false'))

  - script: |
      set -e
      APP_ROOT=$(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH)
      APP_NAME="`ls $APP_ROOT | head -n 1`"
      "$APP_ROOT/$APP_NAME/Contents/Resources/app/bin/code" --export-default-configuration=.build
    displayName: Verify start after signing (export configuration)
    condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'), ne(variables['VSCODE_PUBLISH'], 'false'))

  - script: |
      set -e
      VSCODE_MIXIN_PASSWORD="$(github-distro-mixin-password)" \
      AZURE_DOCUMENTDB_MASTERKEY="$(builds-docdb-key-readwrite)" \
      AZURE_STORAGE_ACCESS_KEY="$(ticino-storage-key)" \
      AZURE_STORAGE_ACCESS_KEY_2="$(vscode-storage-key)" \
      VSCODE_ARCH="$(VSCODE_ARCH)" \
      ./build/azure-pipelines/darwin/publish.sh
    displayName: Publish
    condition: and(succeeded(), ne(variables['VSCODE_PUBLISH'], 'false'))

  - script: |
      AZURE_STORAGE_ACCESS_KEY="$(ticino-storage-key)" \
      VSCODE_ARCH="$(VSCODE_ARCH)" \
      yarn gulp upload-vscode-configuration
    displayName: Upload configuration (for Bing settings search)
    condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'), ne(variables['VSCODE_PUBLISH'], 'false'))
    continueOnError: true

  - task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
    displayName: "Component Detection"
    continueOnError: true