product-build-darwin.yml

steps:
- script: |
    mkdir -p .build
    echo -n $BUILD_SOURCEVERSION > .build/commit
    echo -n $VSCODE_QUALITY > .build/quality
  displayName: Prepare cache flag

- task: 1ESLighthouseEng.PipelineArtifactCaching.RestoreCacheV1.RestoreCache@1
  inputs:
    keyfile: 'build/.cachesalt, .build/commit, .build/quality'
    targetfolder: '.build, out-build, out-vscode-min, out-vscode-reh-min, out-vscode-reh-web-min'
    vstsFeed: 'npm-vscode'
    platformIndependent: true
    alias: 'Compilation'

- script: |
    set -e
    exit 1
  displayName: Check RestoreCache
  condition: and(succeeded(), ne(variables['CacheRestored-Compilation'], 'true'))

- task: NodeTool@0
  inputs:
    versionSpec: "12.13.0"

- task: geeklearningio.gl-vsts-tasks-yarn.yarn-installer-task.YarnInstaller@2
  inputs:
    versionSpec: "1.x"

- task: AzureKeyVault@1
  displayName: 'Azure Key Vault: Get Secrets'
  inputs:
    azureSubscription: 'vscode-builds-subscription'
    KeyVaultName: vscode

- script: |
    set -e

    cat << EOF > ~/.netrc
    machine github.com
    login vscode
    password $(github-distro-mixin-password)
    EOF

    git config user.email "vscode@microsoft.com"
    git config user.name "VSCode"
  displayName: Prepare tooling

- script: |
    set -e
    git remote add distro "https://github.com/$(VSCODE_MIXIN_REPO).git"
    git fetch distro
    git merge $(node -p "require('./package.json').distro")
  displayName: Merge distro

- task: 1ESLighthouseEng.PipelineArtifactCaching.RestoreCacheV1.RestoreCache@1
  inputs:
    keyfile: 'build/.cachesalt, .yarnrc, remote/.yarnrc, **/yarn.lock, !**/node_modules/**/yarn.lock, !**/.*/**/yarn.lock'
    targetfolder: '**/node_modules, !**/node_modules/**/node_modules'
    vstsFeed: 'npm-vscode'

- script: |
    set -e
    CHILD_CONCURRENCY=1 yarn --frozen-lockfile
  displayName: Install dependencies
  condition: and(succeeded(), ne(variables['CacheRestored'], 'true'))

- task: 1ESLighthouseEng.PipelineArtifactCaching.SaveCacheV1.SaveCache@1
  inputs:
    keyfile: 'build/.cachesalt, .yarnrc, remote/.yarnrc, **/yarn.lock, !**/node_modules/**/yarn.lock, !**/.*/**/yarn.lock'
    targetfolder: '**/node_modules, !**/node_modules/**/node_modules'
    vstsFeed: 'npm-vscode'
  condition: and(succeeded(), ne(variables['CacheRestored'], 'true'))

- script: |
    set -e
    yarn postinstall
  displayName: Run postinstall scripts
  condition: and(succeeded(), eq(variables['CacheRestored'], 'true'))

- script: |
    set -e
    node build/azure-pipelines/mixin
  displayName: Mix in quality

- script: |
    set -e
    VSCODE_MIXIN_PASSWORD="$(github-distro-mixin-password)" \
      yarn gulp vscode-darwin-min-ci
    VSCODE_MIXIN_PASSWORD="$(github-distro-mixin-password)" \
      yarn gulp vscode-reh-darwin-min-ci
    VSCODE_MIXIN_PASSWORD="$(github-distro-mixin-password)" \
      yarn gulp vscode-reh-web-darwin-min-ci
  displayName: Build

- script: |
    set -e
    ./scripts/test.sh --build --tfs "Unit Tests"
  displayName: Run unit tests (Electron)
  condition: and(succeeded(), eq(variables['VSCODE_STEP_ON_IT'], 'false'))

- script: |
    # Figure out the full absolute path of the product we just built
    # including the remote server and configure the integration tests
    # to run with these builds instead of running out of sources.
    set -e
    APP_ROOT=$(agent.builddirectory)/VSCode-darwin
    APP_NAME="`ls $APP_ROOT | head -n 1`"
    INTEGRATION_TEST_ELECTRON_PATH="$APP_ROOT/$APP_NAME/Contents/MacOS/Electron" \
    VSCODE_REMOTE_SERVER_PATH="$(agent.builddirectory)/vscode-reh-darwin" \
    ./scripts/test-integration.sh --build --tfs "Integration Tests"
  displayName: Run integration tests (Electron)
  condition: and(succeeded(), eq(variables['VSCODE_STEP_ON_IT'], 'false'))

- script: |
    set -e
    VSCODE_REMOTE_SERVER_PATH="$(agent.builddirectory)/vscode-reh-web-darwin" \
    ./resources/server/test/test-web-integration.sh --browser webkit
  displayName: Run integration tests (Browser)
  condition: and(succeeded(), eq(variables['VSCODE_STEP_ON_IT'], 'false'))

- script: |
    set -e
    VSCODE_REMOTE_SERVER_PATH="$(agent.builddirectory)/vscode-reh-web-darwin" \
    yarn smoketest --web --headless --browser webkit
  continueOnError: true
  displayName: Run smoke tests (Browser)
  condition: and(succeeded(), eq(variables['VSCODE_STEP_ON_IT'], 'false'))

- script: |
    set -e
    security create-keychain -p pwd $(agent.tempdirectory)/buildagent.keychain
    security default-keychain -s $(agent.tempdirectory)/buildagent.keychain
    security unlock-keychain -p pwd $(agent.tempdirectory)/buildagent.keychain
    echo "$(macos-developer-certificate)" | base64 -D > $(agent.tempdirectory)/cert.p12
    security import $(agent.tempdirectory)/cert.p12 -k $(agent.tempdirectory)/buildagent.keychain -P "$(macos-developer-certificate-key)" -T /usr/bin/codesign
    security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k pwd $(agent.tempdirectory)/buildagent.keychain
    codesign -s 99FM488X57 --deep --force --options runtime --entitlements build/azure-pipelines/darwin/entitlements.plist $(agent.builddirectory)/VSCode-darwin/*.app
  displayName: Set Hardened Entitlements

- script: |
    set -e
    pushd $(agent.builddirectory)/VSCode-darwin && zip -r -X -y $(agent.builddirectory)/VSCode-darwin.zip * && popd
  displayName: Archive build

- task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
  inputs:
    ConnectedServiceName: 'ESRP CodeSign'
    FolderPath: '$(agent.builddirectory)'
    Pattern: 'VSCode-darwin.zip'
    signConfigType: inlineSignParams
    inlineOperation: |
      [
        {
          "keyCode": "CP-401337-Apple",
          "operationSetCode": "MacAppDeveloperSign",
          "parameters": [
            {
              "parameterName": "Hardening",
              "parameterValue": "--options=runtime"
            }
          ],
          "toolName": "sign",
          "toolVersion": "1.0"
        }
      ]
    SessionTimeout: 60
  displayName: Codesign

- script: |
    zip -d $(agent.builddirectory)/VSCode-darwin.zip "*.pkg"
  displayName: Clean Archive

- script: |
    APP_ROOT=$(agent.builddirectory)/VSCode-darwin
    APP_NAME="`ls $APP_ROOT | head -n 1`"
    BUNDLE_IDENTIFIER=$(node -p "require(\"$APP_ROOT/$APP_NAME/Contents/Resources/app/product.json\").darwinBundleIdentifier")
    echo "##vso[task.setvariable variable=BundleIdentifier]$BUNDLE_IDENTIFIER"
  displayName: Export bundle identifier

- task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
  inputs:
    ConnectedServiceName: 'ESRP CodeSign'
    FolderPath: '$(agent.builddirectory)'
    Pattern: 'VSCode-darwin.zip'
    signConfigType: inlineSignParams
    inlineOperation: |
      [
        {
          "keyCode": "CP-401337-Apple",
          "operationSetCode": "MacAppNotarize",
          "parameters": [
            {
              "parameterName": "BundleId",
              "parameterValue": "$(BundleIdentifier)"
            }
          ],
          "toolName": "sign",
          "toolVersion": "1.0"
        }
      ]
    SessionTimeout: 120
  displayName: Notarization

- script: |
    set -e
    VSCODE_MIXIN_PASSWORD="$(github-distro-mixin-password)" \
    AZURE_DOCUMENTDB_MASTERKEY="$(builds-docdb-key-readwrite)" \
    AZURE_STORAGE_ACCESS_KEY="$(ticino-storage-key)" \
    AZURE_STORAGE_ACCESS_KEY_2="$(vscode-storage-key)" \
    VSCODE_HOCKEYAPP_TOKEN="$(vscode-hockeyapp-token)" \
    ./build/azure-pipelines/darwin/publish.sh
  displayName: Publish

- task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
  displayName: 'Component Detection'
  continueOnError: true