GitHub Repository: microsoft/vscode
Path: blob/main/build/azure-pipelines/darwin/product-build-darwin-universal.yml
steps:
# Step template taken from this same repository (@self).
- template: ../common/checkout.yml@self

# Install the Node.js version named in the repository's .nvmrc file instead
# of hard-coding a version in the pipeline.
- task: NodeTool@0
  inputs:
    versionFilePath: .nvmrc
    versionSource: fromFile

# Step template taken from this same repository (@self).
- template: ../distro/download-distro.yml@self
# Fetch build secrets from the vscode-build-secrets vault. SecretsFilter
# limits the download to the three named secrets rather than the whole vault;
# later steps in this file reference them as $(secret-name).
- task: AzureKeyVault@2
  displayName: 'Azure Key Vault: Get Secrets'
  inputs:
    KeyVaultName: vscode-build-secrets
    azureSubscription: vscode
    SecretsFilter: 'github-distro-mixin-password,macos-developer-certificate,macos-developer-certificate-key'
# The three NPM steps below run only when NPM_REGISTRY is something other
# than 'none'.
# NOTE(review): NPM_REGISTRY decides where packages are resolved from, so it
# should only be settable by trusted pipeline configuration. It is passed
# unquoted to the script in the first step.
- script: node build/setup-npm-registry.js $NPM_REGISTRY build
  displayName: Setup NPM Registry
  condition: and(succeeded(), ne(variables['NPM_REGISTRY'], 'none'))

# Point the user-level npm config at the registry and publish the path of
# that config file as the NPMRC_PATH pipeline variable for the next step.
- script: |
    set -e
    # Set the private NPM registry to the global npmrc file
    # so that authentication works for subfolders like build/, remote/, extensions/ etc
    # which does not have their own .npmrc file
    npm config set registry "$NPM_REGISTRY"
    echo "##vso[task.setvariable variable=NPMRC_PATH]$(npm config get userconfig)"
  displayName: Setup NPM
  condition: and(succeeded(), ne(variables['NPM_REGISTRY'], 'none'))

# Add registry credentials to the npmrc file located by the previous step.
- task: npmAuthenticate@0
  displayName: Setup NPM Authentication
  condition: and(succeeded(), ne(variables['NPM_REGISTRY'], 'none'))
  inputs:
    workingFile: $(NPMRC_PATH)
# Install the build/ dependencies with `npm ci`, retrying up to five times
# before failing the step. The GitHub token is handed to the script through
# the step's environment rather than being expanded into the script text.
- script: |
    set -e

    for i in {1..5}; do # try 5 times
      npm ci && break
      if [ $i -eq 5 ]; then
        echo "Npm install failed too many times" >&2
        exit 1
      fi
      echo "Npm install failed $i, trying again..."
    done
  displayName: Install build dependencies
  workingDirectory: build
  env:
    GITHUB_TOKEN: "$(github-distro-mixin-password)"
# Wait for the two per-architecture artifacts named on the command line. The
# job access token is mapped into the environment explicitly for this step.
- pwsh: node build/azure-pipelines/common/waitForArtifacts.js unsigned_vscode_client_darwin_x64_archive unsigned_vscode_client_darwin_arm64_archive
  displayName: Wait for x64 and arm64 artifacts
  env:
    SYSTEM_ACCESSTOKEN: $(System.AccessToken)

# Both archives come from the current pipeline run.
# NOTE(review): they are still unsigned at this point (per the artifact
# names) and nothing in this file checks their integrity before use.
- download: current
  displayName: Download x64 artifact
  artifact: unsigned_vscode_client_darwin_x64_archive

- download: current
  displayName: Download arm64 artifact
  artifact: unsigned_vscode_client_darwin_arm64_archive

- script: node build/azure-pipelines/distro/mixin-quality
  displayName: Mixin distro quality
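# Extract the x64 and arm64 builds in parallel, then merge them into one
# universal app with build/darwin/create-universal-app.js.
- script: |
    set -e
    unzip "$(Pipeline.Workspace)/unsigned_vscode_client_darwin_x64_archive/VSCode-darwin-x64.zip" -d "$(agent.builddirectory)/VSCode-darwin-x64" &
    X64_UNZIP_PID=$!
    unzip "$(Pipeline.Workspace)/unsigned_vscode_client_darwin_arm64_archive/VSCode-darwin-arm64.zip" -d "$(agent.builddirectory)/VSCode-darwin-arm64" &
    ARM64_UNZIP_PID=$!
    # A bare `wait` returns 0 even when a background job failed, which would
    # let a truncated or corrupt extraction reach the merge step. Waiting on
    # each PID returns that job's exit status, so `set -e` stops the step.
    wait "$X64_UNZIP_PID"
    wait "$ARM64_UNZIP_PID"
    DEBUG=* node build/darwin/create-universal-app.js "$(agent.builddirectory)"
  displayName: Create Universal App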
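# Run build/darwin/verify-macho.js in "universal" mode against the first
# entry found in the build output directory.
- script: |
    set -e
    APP_ROOT="$(Agent.BuildDirectory)/VSCode-darwin-$(VSCODE_ARCH)"
    # Quote the directory so a path containing whitespace is not split.
    APP_NAME="$(ls "$APP_ROOT" | head -n 1)"
    APP_PATH="$APP_ROOT/$APP_NAME" node build/darwin/verify-macho.js universal
  displayName: Verify arch of Mach-O objects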
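# Create a temporary keychain, import the developer certificate into it and
# run build/darwin/sign.js with the resulting code-signing identity.
#
# The certificate and its password reach the script through `env:` rather
# than $(...) macro expansion, so the secret values are not substituted into
# the script text itself. The decoded .p12 file is removed when the script
# exits, and both variables are unset before sign.js starts so the child
# process does not inherit them.
#
# NOTE(review): the keychain password is the fixed literal `pwd`, and the
# keychain stays the default keychain after this step. If build agents are
# reused between jobs, consider removing it at the end of the job with
# `security delete-keychain`.
- script: |
    set -e
    KEYCHAIN="$(agent.tempdirectory)/buildagent.keychain"
    CERT_P12="$(agent.tempdirectory)/cert.p12"
    # Delete the decoded certificate on success and on failure.
    trap 'rm -f "$CERT_P12"' EXIT
    security create-keychain -p pwd "$KEYCHAIN"
    security default-keychain -s "$KEYCHAIN"
    security unlock-keychain -p pwd "$KEYCHAIN"
    echo "$MACOS_DEVELOPER_CERTIFICATE" | base64 -D > "$CERT_P12"
    security import "$CERT_P12" -k "$KEYCHAIN" -P "$MACOS_DEVELOPER_CERTIFICATE_KEY" -T /usr/bin/codesign
    unset MACOS_DEVELOPER_CERTIFICATE MACOS_DEVELOPER_CERTIFICATE_KEY
    export CODESIGN_IDENTITY=$(security find-identity -v -p codesigning "$KEYCHAIN" | grep -oEi "([0-9A-F]{40})" | head -n 1)
    security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k pwd "$KEYCHAIN"
    DEBUG=electron-osx-sign* node build/darwin/sign.js "$(agent.builddirectory)"
  env:
    MACOS_DEVELOPER_CERTIFICATE: $(macos-developer-certificate)
    MACOS_DEVELOPER_CERTIFICATE_KEY: $(macos-developer-certificate-key)
  displayName: Set Hardened Entitlements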
# Zip the contents of the build directory into the archive folder that the
# signing steps read from. zip flags: -r recurse, -y store symlinks as
# symlinks, -X omit extra file attributes.
- script: |
    set -e
    mkdir -p $(Pipeline.Workspace)/unsigned_vscode_client_darwin_$(VSCODE_ARCH)_archive
    pushd $(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH) && zip -r -X -y $(Pipeline.Workspace)/unsigned_vscode_client_darwin_$(VSCODE_ARCH)_archive/VSCode-darwin-$(VSCODE_ARCH).zip * && popd
  displayName: Archive build

- task: UseDotNet@2
  inputs:
    version: '6.x'

# Per its displayName, this task is run to install the ESRP tooling; the
# later Codesign and Notarize steps call the esrpcli.dll under its task
# folder.
# NOTE(review): Pattern 'noop' with FolderPath '.' presumably matches no
# files, so nothing is signed by this step itself; confirm.
- task: EsrpCodeSigning@5
  displayName: Install ESRP Tooling
  inputs:
    ConnectedServiceName: vscode-esrp
    UseMSIAuthentication: true
    AppRegistrationClientId: $(ESRP_CLIENT_ID)
    AppRegistrationTenantId: $(ESRP_TENANT_ID)
    AuthAKVName: vscode-esrp
    AuthSignCertName: esrp-sign
    FolderPath: '.'
    Pattern: noop
# Sign, then notarize, the archive by calling the shared sign script with
# the esrpcli.dll found under the EsrpCodeSigning task folder. The job access
# token is mapped into each step's environment explicitly.
# NOTE(review): the esrpcli.dll path is a shell glob. If more than one
# EsrpCodeSigning task version is present on the agent, it would expand to
# several paths and shift the remaining arguments; confirm that only one
# version is ever installed.
- script: node build/azure-pipelines/common/sign $(Agent.RootDirectory)/_tasks/EsrpCodeSigning_*/*/net6.0/esrpcli.dll sign-darwin $(Pipeline.Workspace)/unsigned_vscode_client_darwin_$(VSCODE_ARCH)_archive VSCode-darwin-$(VSCODE_ARCH).zip
  displayName: Codesign
  env:
    SYSTEM_ACCESSTOKEN: $(System.AccessToken)

- script: node build/azure-pipelines/common/sign $(Agent.RootDirectory)/_tasks/EsrpCodeSigning_*/*/net6.0/esrpcli.dll notarize-darwin $(Pipeline.Workspace)/unsigned_vscode_client_darwin_$(VSCODE_ARCH)_archive VSCode-darwin-$(VSCODE_ARCH).zip
  displayName: Notarize
  env:
    SYSTEM_ACCESSTOKEN: $(System.AccessToken)
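# Unpack the signed archive into the artifact staging directory.
- script: unzip $(Pipeline.Workspace)/unsigned_vscode_client_darwin_$(VSCODE_ARCH)_archive/VSCode-darwin-$(VSCODE_ARCH).zip -d $(Build.ArtifactStagingDirectory)/VSCode-darwin-$(VSCODE_ARCH)
  displayName: Extract signed app

# Print the signing information of the extracted app and launch its `code`
# binary once. Skipped when VSCODE_ARCH is 'arm64'.
# NOTE(review): `codesign -d` displays signing details; it does not validate
# the signature. For an actual integrity check, consider also running
# `codesign --verify --deep --strict "$APP_PATH"` once it is confirmed to
# pass for this bundle.
- script: |
    set -e
    APP_ROOT="$(Build.ArtifactStagingDirectory)/VSCode-darwin-$(VSCODE_ARCH)"
    # Quote the directory so a path containing whitespace is not split.
    APP_NAME="$(ls "$APP_ROOT" | head -n 1)"
    APP_PATH="$APP_ROOT/$APP_NAME"
    codesign -dv --deep --verbose=4 "$APP_PATH"
    "$APP_PATH/Contents/Resources/app/bin/code" --export-default-configuration=.build
  displayName: Verify signature
  condition: and(succeeded(), ne(variables['VSCODE_ARCH'], 'arm64'))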
# Runs only when VSCODE_ARCH is 'x64'.
- script: mv $(Pipeline.Workspace)/unsigned_vscode_client_darwin_$(VSCODE_ARCH)_archive/VSCode-darwin-x64.zip $(Pipeline.Workspace)/unsigned_vscode_client_darwin_$(VSCODE_ARCH)_archive/VSCode-darwin.zip
  condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'))
  displayName: Rename x64 build to its legacy name

# Publish the archive through the shared publish template, which also takes
# SBOM parameters for the extracted app.
# NOTE(review): targetPath hard-codes VSCode-darwin-universal.zip while the
# neighbouring values use $(VSCODE_ARCH). Presumably VSCODE_ARCH is
# 'universal' for this pipeline; confirm.
- template: ../common/publish-artifact.yml@self
  parameters:
    displayName: Publish client archive
    artifactName: vscode_client_darwin_$(VSCODE_ARCH)_archive
    targetPath: $(Pipeline.Workspace)/unsigned_vscode_client_darwin_$(VSCODE_ARCH)_archive/VSCode-darwin-universal.zip
    sbomBuildDropPath: $(Build.ArtifactStagingDirectory)/VSCode-darwin-$(VSCODE_ARCH)
    sbomPackageName: 'VS Code macOS $(VSCODE_ARCH)'
    sbomPackageVersion: $(Build.SourceVersion)