1
jobs:
2
  - job: macOSUniversal
3
    displayName: macOS (UNIVERSAL)
4
    timeoutInMinutes: 90
5
    variables:
6
      VSCODE_ARCH: universal
7
      BUILDS_API_URL: $(System.CollectionUri)$(System.TeamProject)/_apis/build/builds/$(Build.BuildId)/
8
    templateContext:
9
      outputs:
10
        - output: pipelineArtifact
11
          targetPath: $(Build.ArtifactStagingDirectory)/out/vscode_client_darwin_$(VSCODE_ARCH)_archive/VSCode-darwin-universal.zip
12
          artifactName: vscode_client_darwin_$(VSCODE_ARCH)_archive
13
          displayName: Publish client archive
14
          sbomBuildDropPath: $(Build.ArtifactStagingDirectory)/VSCode-darwin-$(VSCODE_ARCH)
15
          sbomPackageName: "VS Code macOS $(VSCODE_ARCH)"
16
          sbomPackageVersion: $(Build.SourceVersion)
17
        - output: pipelineArtifact
18
          targetPath: $(Build.ArtifactStagingDirectory)/out/vscode_client_darwin_$(VSCODE_ARCH)_dmg/VSCode-darwin-$(VSCODE_ARCH).dmg
19
          artifactName: vscode_client_darwin_$(VSCODE_ARCH)_dmg
20
          displayName: Publish client DMG
21
          sbomBuildDropPath: $(Build.ArtifactStagingDirectory)/VSCode-darwin-$(VSCODE_ARCH)
22
          sbomPackageName: "VS Code macOS $(VSCODE_ARCH)"
23
          sbomPackageVersion: $(Build.SourceVersion)
24
    steps:
25
      - template: ../common/checkout.yml@self
26

27
      - task: NodeTool@0
28
        inputs:
29
          versionSource: fromFile
30
          versionFilePath: .nvmrc
31

32
      - template: ../distro/download-distro.yml@self
33

34
      - task: AzureKeyVault@2
35
        displayName: "Azure Key Vault: Get Secrets"
36
        inputs:
37
          azureSubscription: vscode
38
          KeyVaultName: vscode-build-secrets
39
          SecretsFilter: "github-distro-mixin-password,macos-developer-certificate,macos-developer-certificate-key"
40

41
      - script: node build/setup-npm-registry.ts $NPM_REGISTRY build
42
        condition: and(succeeded(), ne(variables['NPM_REGISTRY'], 'none'))
43
        displayName: Setup NPM Registry
44

45
      - script: |
46
          set -e
47
          # Set the private NPM registry to the global npmrc file
48
          # so that authentication works for subfolders like build/, remote/, extensions/ etc
49
          # which does not have their own .npmrc file
50
          npm config set registry "$NPM_REGISTRY"
51
          echo "##vso[task.setvariable variable=NPMRC_PATH]$(npm config get userconfig)"
52
        condition: and(succeeded(), ne(variables['NPM_REGISTRY'], 'none'))
53
        displayName: Setup NPM
54

55
      - task: npmAuthenticate@0
56
        inputs:
57
          workingFile: $(NPMRC_PATH)
58
        condition: and(succeeded(), ne(variables['NPM_REGISTRY'], 'none'))
59
        displayName: Setup NPM Authentication
60

61
      - script: |
62
          set -e
63

64
          for i in {1..5}; do # try 5 times
65
            npm ci && break
66
            if [ $i -eq 5 ]; then
67
              echo "Npm install failed too many times" >&2
68
              exit 1
69
            fi
70
            echo "Npm install failed $i, trying again..."
71
          done
72
        workingDirectory: build
73
        env:
74
          GITHUB_TOKEN: "$(github-distro-mixin-password)"
75
        displayName: Install build dependencies
76

77
      - pwsh: node -- build/azure-pipelines/common/waitForArtifacts.ts unsigned_vscode_client_darwin_x64_archive unsigned_vscode_client_darwin_arm64_archive
78
        env:
79
          SYSTEM_ACCESSTOKEN: $(System.AccessToken)
80
        displayName: Wait for x64 and arm64 artifacts
81

82
      - download: current
83
        artifact: unsigned_vscode_client_darwin_x64_archive
84
        displayName: Download x64 artifact
85

86
      - download: current
87
        artifact: unsigned_vscode_client_darwin_arm64_archive
88
        displayName: Download arm64 artifact
89

90
      - script: node build/azure-pipelines/distro/mixin-quality.ts
91
        displayName: Mixin distro quality
92

93
      - script: |
94
          set -e
95
          unzip $(Pipeline.Workspace)/unsigned_vscode_client_darwin_x64_archive/VSCode-darwin-x64.zip -d $(agent.builddirectory)/VSCode-darwin-x64 &
96
          unzip $(Pipeline.Workspace)/unsigned_vscode_client_darwin_arm64_archive/VSCode-darwin-arm64.zip -d $(agent.builddirectory)/VSCode-darwin-arm64 &
97
          wait
98
          DEBUG=* node build/darwin/create-universal-app.ts $(agent.builddirectory)
99
        displayName: Create Universal App
100

101
      - script: |
102
          set -e
103
          APP_ROOT="$(Agent.BuildDirectory)/VSCode-darwin-$(VSCODE_ARCH)"
104
          APP_NAME="`ls $APP_ROOT | head -n 1`"
105
          APP_PATH="$APP_ROOT/$APP_NAME"
106
          EXEC_NAME=$(node -p "require(\"$APP_PATH/Contents/Resources/app/product.json\").nameShort")
107
          # Create a symlink from 'Electron' to the actual executable for backward compatibility
108
          # This ensures apps that relied on the hardcoded path 'Contents/MacOS/Electron' continue to work
109
          # Remove this step once main branch is on 1.112 release.
110
          if [ "$EXEC_NAME" != "Electron" ] && [ ! -L "$APP_PATH/Contents/MacOS/Electron" ]; then
111
            ln -s "$EXEC_NAME" "$APP_PATH/Contents/MacOS/Electron"
112
          fi
113
        displayName: Create Electron symlink for backward compatibility
114

115
      - script: |
116
          set -e
117
          APP_ROOT="$(Agent.BuildDirectory)/VSCode-darwin-$(VSCODE_ARCH)"
118
          APP_NAME="`ls $APP_ROOT | head -n 1`"
119
          APP_PATH="$APP_ROOT/$APP_NAME" node build/darwin/verify-macho.ts universal
120
        displayName: Verify arch of Mach-O objects
121

122
      - script: |
123
          set -e
124
          security create-keychain -p pwd $(agent.tempdirectory)/buildagent.keychain
125
          security default-keychain -s $(agent.tempdirectory)/buildagent.keychain
126
          security unlock-keychain -p pwd $(agent.tempdirectory)/buildagent.keychain
127
          echo "$(macos-developer-certificate)" | base64 -D > $(agent.tempdirectory)/cert.p12
128
          security import $(agent.tempdirectory)/cert.p12 -k $(agent.tempdirectory)/buildagent.keychain -P "$(macos-developer-certificate-key)" -T /usr/bin/codesign
129
          export CODESIGN_IDENTITY=$(security find-identity -v -p codesigning $(agent.tempdirectory)/buildagent.keychain | grep -oEi "([0-9A-F]{40})" | head -n 1)
130
          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k pwd $(agent.tempdirectory)/buildagent.keychain
131
          DEBUG=electron-osx-sign* node build/darwin/sign.ts $(agent.builddirectory)
132
        displayName: Set Hardened Entitlements
133

134
      - script: |
135
          set -e
136
          DMG_OUT="$(Pipeline.Workspace)/vscode_client_darwin_$(VSCODE_ARCH)_dmg"
137
          mkdir -p $DMG_OUT
138
          node build/darwin/create-dmg.ts $(agent.builddirectory) $DMG_OUT
139
          python3 build/darwin/patch-dmg.py $DMG_OUT/VSCode-darwin-$(VSCODE_ARCH).dmg resources/darwin/disk.icns
140
          echo "##vso[task.setvariable variable=DMG_PATH]$DMG_OUT/VSCode-darwin-$(VSCODE_ARCH).dmg"
141
        displayName: Create DMG installer
142

143
      - script: |
144
          set -e
145
          mkdir -p $(Pipeline.Workspace)/vscode_client_darwin_$(VSCODE_ARCH)_archive
146
          pushd $(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH) && zip -r -X -y $(Pipeline.Workspace)/vscode_client_darwin_$(VSCODE_ARCH)_archive/VSCode-darwin-$(VSCODE_ARCH).zip * && popd
147
        displayName: Archive build
148

149
      - task: UseDotNet@2
150
        inputs:
151
          version: 6.x
152

153
      - task: EsrpCodeSigning@5
154
        inputs:
155
          UseMSIAuthentication: true
156
          ConnectedServiceName: vscode-esrp
157
          AppRegistrationClientId: $(ESRP_CLIENT_ID)
158
          AppRegistrationTenantId: $(ESRP_TENANT_ID)
159
          AuthAKVName: vscode-esrp
160
          AuthSignCertName: esrp-sign
161
          FolderPath: .
162
          Pattern: noop
163
        displayName: 'Install ESRP Tooling'
164

165
      - pwsh: |
166
          . build/azure-pipelines/win32/exec.ps1
167
          $ErrorActionPreference = "Stop"
168
          $EsrpCodeSigningTool = (gci -directory -filter EsrpCodeSigning_* $(Agent.RootDirectory)/_tasks | Select-Object -last 1).FullName
169
          $Version = (gci -directory $EsrpCodeSigningTool | Select-Object -last 1).FullName
170
          echo "##vso[task.setvariable variable=EsrpCliDllPath]$Version/net6.0/esrpcli.dll"
171
        displayName: Find ESRP CLI
172

173
      - script: node build/azure-pipelines/darwin/codesign.ts
174
        env:
175
          EsrpCliDllPath: $(EsrpCliDllPath)
176
          SYSTEM_ACCESSTOKEN: $(System.AccessToken)
177
        displayName: ✍️ Codesign & Notarize
178

179
      - script: unzip $(Pipeline.Workspace)/vscode_client_darwin_$(VSCODE_ARCH)_archive/VSCode-darwin-$(VSCODE_ARCH).zip -d $(Build.ArtifactStagingDirectory)/VSCode-darwin-$(VSCODE_ARCH)
180
        displayName: Extract signed app
181

182
      - script: |
183
          set -e
184
          APP_ROOT="$(Build.ArtifactStagingDirectory)/VSCode-darwin-$(VSCODE_ARCH)"
185
          APP_NAME="`ls $APP_ROOT | head -n 1`"
186
          APP_PATH="$APP_ROOT/$APP_NAME"
187
          codesign -dv --deep --verbose=4 "$APP_PATH"
188
          "$APP_PATH/Contents/Resources/app/bin/code" --export-default-configuration=.build
189
        displayName: Verify signature
190

191
      - script: |
192
          set -e
193
          mkdir -p $(Build.ArtifactStagingDirectory)/out/vscode_client_darwin_$(VSCODE_ARCH)_archive
194
          mv $(Pipeline.Workspace)/vscode_client_darwin_$(VSCODE_ARCH)_archive/VSCode-darwin-$(VSCODE_ARCH).zip $(Build.ArtifactStagingDirectory)/out/vscode_client_darwin_$(VSCODE_ARCH)_archive/VSCode-darwin-$(VSCODE_ARCH).zip
195

196
          mkdir -p $(Build.ArtifactStagingDirectory)/out/vscode_client_darwin_$(VSCODE_ARCH)_dmg
197
          mv $(DMG_PATH) $(Build.ArtifactStagingDirectory)/out/vscode_client_darwin_$(VSCODE_ARCH)_dmg/VSCode-darwin-$(VSCODE_ARCH).dmg
198
        displayName: Move artifact to out directory
199

200