Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
microsoft
GitHub Repository: microsoft/vscode
 Path: blob/main/build/azure-pipelines/darwin/product-build-darwin.yml
3520 views
1
parameters:

2
  - name: VSCODE_ARCH

3
    type: string

4
  - name: VSCODE_CIBUILD

5
    type: boolean

6
  - name: VSCODE_RUN_ELECTRON_TESTS

7
    type: boolean

8
    default: false

9
  - name: VSCODE_RUN_BROWSER_TESTS

10
    type: boolean

11
    default: false

12
  - name: VSCODE_RUN_REMOTE_TESTS

13
    type: boolean

14
    default: false

15
  - name: VSCODE_TEST_ARTIFACT_NAME

16
    type: string

17
    default: ""

18


19
steps:

20
  - template: ../common/checkout.yml@self

21


22
  - task: NodeTool@0

23
    inputs:

24
      versionSource: fromFile

25
      versionFilePath: .nvmrc

26


27
  - template: ../distro/download-distro.yml@self

28


29
  - task: AzureKeyVault@2

30
    displayName: "Azure Key Vault: Get Secrets"

31
    inputs:

32
      azureSubscription: vscode

33
      KeyVaultName: vscode-build-secrets

34
      SecretsFilter: "github-distro-mixin-password,macos-developer-certificate,macos-developer-certificate-key"

35


36
  - task: DownloadPipelineArtifact@2

37
    inputs:

38
      artifact: Compilation

39
      path: $(Build.ArtifactStagingDirectory)

40
    displayName: Download compilation output

41


42
  - script: tar -xzf $(Build.ArtifactStagingDirectory)/compilation.tar.gz

43
    displayName: Extract compilation output

44


45
  - script: node build/setup-npm-registry.js $NPM_REGISTRY

46
    condition: and(succeeded(), ne(variables['NPM_REGISTRY'], 'none'))

47
    displayName: Setup NPM Registry

48


49
  - script: mkdir -p .build && node build/azure-pipelines/common/computeNodeModulesCacheKey.js darwin $VSCODE_ARCH $(node -p process.arch) > .build/packagelockhash

50
    displayName: Prepare node_modules cache key

51


52
  - task: Cache@2

53
    inputs:

54
      key: '"node_modules" | .build/packagelockhash'

55
      path: .build/node_modules_cache

56
      cacheHitVar: NODE_MODULES_RESTORED

57
    displayName: Restore node_modules cache

58


59
  - script: tar -xzf .build/node_modules_cache/cache.tgz

60
    condition: and(succeeded(), eq(variables.NODE_MODULES_RESTORED, 'true'))

61
    displayName: Extract node_modules cache

62


63
  - script: |

64
      set -e

65
      # Set the private NPM registry to the global npmrc file

66
      # so that authentication works for subfolders like build/, remote/, extensions/ etc

67
      # which does not have their own .npmrc file

68
      npm config set registry "$NPM_REGISTRY"

69
      echo "##vso[task.setvariable variable=NPMRC_PATH]$(npm config get userconfig)"

70
    condition: and(succeeded(), ne(variables.NODE_MODULES_RESTORED, 'true'), ne(variables['NPM_REGISTRY'], 'none'))

71
    displayName: Setup NPM

72


73
  - task: npmAuthenticate@0

74
    inputs:

75
      workingFile: $(NPMRC_PATH)

76
    condition: and(succeeded(), ne(variables.NODE_MODULES_RESTORED, 'true'), ne(variables['NPM_REGISTRY'], 'none'))

77
    displayName: Setup NPM Authentication

78


79
  - script: |

80
      set -e

81
      c++ --version

82
      xcode-select -print-path

83
      python3 -m pip install setuptools

84


85
      for i in {1..5}; do # try 5 times

86
        npm ci && break

87
        if [ $i -eq 5 ]; then

88
          echo "Npm install failed too many times" >&2

89
          exit 1

90
        fi

91
        echo "Npm install failed $i, trying again..."

92
      done

93
    env:

94
      npm_config_arch: $(VSCODE_ARCH)

95
      ELECTRON_SKIP_BINARY_DOWNLOAD: 1

96
      PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1

97
      GITHUB_TOKEN: "$(github-distro-mixin-password)"

98
      # Avoid using dlopen to load Kerberos on macOS which can cause missing libraries

99
      # https://github.com/mongodb-js/kerberos/commit/04044d2814ad1d01e77f1ce87f26b03d86692cf2

100
      # flipped the default to support legacy linux distros which shouldn't happen

101
      # on macOS.

102
      GYP_DEFINES: "kerberos_use_rtld=false"

103
    displayName: Install dependencies

104
    condition: and(succeeded(), ne(variables.NODE_MODULES_RESTORED, 'true'))

105


106
  - script: node build/azure-pipelines/distro/mixin-npm

107
    condition: and(succeeded(), ne(variables.NODE_MODULES_RESTORED, 'true'))

108
    displayName: Mixin distro node modules

109


110
  - script: |

111
      set -e

112
      node build/azure-pipelines/common/listNodeModules.js .build/node_modules_list.txt

113
      mkdir -p .build/node_modules_cache

114
      tar -czf .build/node_modules_cache/cache.tgz --files-from .build/node_modules_list.txt

115
    condition: and(succeeded(), ne(variables.NODE_MODULES_RESTORED, 'true'))

116
    displayName: Create node_modules archive

117


118
  - script: node build/azure-pipelines/distro/mixin-quality

119
    displayName: Mixin distro quality

120


121
  - template: ../common/install-builtin-extensions.yml@self

122


123
  - ${{ if ne(parameters.VSCODE_CIBUILD, true) }}:

124
    - script: node build/lib/policies darwin

125
      displayName: Generate policy definitions

126
      retryCountOnTaskFailure: 3

127


128
  - script: |

129
      set -e

130
      npm run gulp vscode-darwin-$(VSCODE_ARCH)-min-ci

131
      echo "##vso[task.setvariable variable=BUILT_CLIENT]true"

132
    env:

133
      GITHUB_TOKEN: "$(github-distro-mixin-password)"

134
    displayName: Build client

135


136
  - script: |

137
      set -e

138
      npm run gulp vscode-reh-darwin-$(VSCODE_ARCH)-min-ci

139
      mv ../vscode-reh-darwin-$(VSCODE_ARCH) ../vscode-server-darwin-$(VSCODE_ARCH) # TODO@joaomoreno

140
      ARCHIVE_PATH=".build/darwin/server/vscode-server-darwin-$(VSCODE_ARCH).zip"

141
      mkdir -p $(dirname $ARCHIVE_PATH)

142
      (cd .. && zip -Xry $(Build.SourcesDirectory)/$ARCHIVE_PATH vscode-server-darwin-$(VSCODE_ARCH))

143
      echo "##vso[task.setvariable variable=SERVER_PATH]$ARCHIVE_PATH"

144
    env:

145
      GITHUB_TOKEN: "$(github-distro-mixin-password)"

146
    displayName: Build server

147


148
  - script: |

149
      set -e

150
      npm run gulp vscode-reh-web-darwin-$(VSCODE_ARCH)-min-ci

151
      mv ../vscode-reh-web-darwin-$(VSCODE_ARCH) ../vscode-server-darwin-$(VSCODE_ARCH)-web # TODO@joaomoreno

152
      ARCHIVE_PATH=".build/darwin/server/vscode-server-darwin-$(VSCODE_ARCH)-web.zip"

153
      mkdir -p $(dirname $ARCHIVE_PATH)

154
      (cd .. && zip -Xry $(Build.SourcesDirectory)/$ARCHIVE_PATH vscode-server-darwin-$(VSCODE_ARCH)-web)

155
      echo "##vso[task.setvariable variable=WEB_PATH]$ARCHIVE_PATH"

156
    env:

157
      GITHUB_TOKEN: "$(github-distro-mixin-password)"

158
    displayName: Build server (web)

159


160
  - ${{ if ne(parameters.VSCODE_CIBUILD, true) }}:

161
    - task: DownloadPipelineArtifact@2

162
      inputs:

163
        artifact: unsigned_vscode_cli_darwin_$(VSCODE_ARCH)_cli

164
        patterns: "**"

165
        path: $(Build.ArtifactStagingDirectory)/cli

166
      displayName: Download VS Code CLI

167


168
    - script: |

169
        set -e

170
        APP_ROOT="$(Agent.BuildDirectory)/VSCode-darwin-$(VSCODE_ARCH)"

171
        APP_NAME="`ls $APP_ROOT | head -n 1`"

172
        APP_PATH="$APP_ROOT/$APP_NAME"

173
        unzip $(Build.ArtifactStagingDirectory)/cli/*.zip -d $(Build.ArtifactStagingDirectory)/cli

174
        CLI_APP_NAME=$(node -p "require(\"$APP_PATH/Contents/Resources/app/product.json\").tunnelApplicationName")

175
        APP_NAME=$(node -p "require(\"$APP_PATH/Contents/Resources/app/product.json\").applicationName")

176
        mv "$(Build.ArtifactStagingDirectory)/cli/$APP_NAME" "$APP_PATH/Contents/Resources/app/bin/$CLI_APP_NAME"

177
        chmod +x "$APP_PATH/Contents/Resources/app/bin/$CLI_APP_NAME"

178
      displayName: Make CLI executable

179


180
    - script: |

181
        set -e

182
        APP_ROOT="$(Agent.BuildDirectory)/VSCode-darwin-$(VSCODE_ARCH)"

183
        APP_NAME="`ls $APP_ROOT | head -n 1`"

184
        APP_PATH="$APP_ROOT/$APP_NAME" node build/darwin/verify-macho.js $(VSCODE_ARCH)

185
        APP_PATH="$(Agent.BuildDirectory)/vscode-server-darwin-$(VSCODE_ARCH)" node build/darwin/verify-macho.js $(VSCODE_ARCH)

186
      displayName: Verify arch of Mach-O objects

187


188
    - script: |

189
        set -e

190
        ARCHIVE_PATH="$(Pipeline.Workspace)/unsigned_vscode_client_darwin_$(VSCODE_ARCH)_archive/VSCode-darwin-$(VSCODE_ARCH).zip"

191
        mkdir -p $(dirname $ARCHIVE_PATH)

192
        (cd ../VSCode-darwin-$(VSCODE_ARCH) && zip -Xry $ARCHIVE_PATH *)

193
        echo "##vso[task.setvariable variable=CLIENT_PATH]$ARCHIVE_PATH"

194
      condition: and(succeededOrFailed(), eq(variables['BUILT_CLIENT'], 'true'))

195
      displayName: Package client

196


197
    - pwsh: node build/azure-pipelines/common/checkForArtifact.js CLIENT_ARCHIVE_UPLOADED unsigned_vscode_client_darwin_$(VSCODE_ARCH)_archive

198
      env:

199
        SYSTEM_ACCESSTOKEN: $(System.AccessToken)

200
      displayName: Check for client artifact

201


202
    - template: ../common/publish-artifact.yml@self

203
      parameters:

204
        targetPath: $(CLIENT_PATH)

205
        artifactName: unsigned_vscode_client_darwin_$(VSCODE_ARCH)_archive

206
        displayName: Publish client archive (unsigned)

207
        sbomBuildDropPath: $(Agent.BuildDirectory)/VSCode-darwin-$(VSCODE_ARCH)

208
        sbomPackageName: "VS Code macOS $(VSCODE_ARCH) (unsigned)"

209
        sbomPackageVersion: $(Build.SourceVersion)

210
        condition: and(succeeded(), ne(variables['CLIENT_PATH'], ''), eq(variables['CLIENT_ARCHIVE_UPLOADED'], 'false'))

211


212
    # Hardened entitlements should be set after publishing unsigned client artifacts

213
    # to ensure entitlement signing doesn't modify sha that would affect universal build.

214
    #

215
    # Setting hardened entitlements is a requirement for:

216
    # * Apple notarization

217
    # * Running tests on Big Sur (because Big Sur has additional security precautions)

218
    - script: |

219
        set -e

220
        security create-keychain -p pwd $(agent.tempdirectory)/buildagent.keychain

221
        security default-keychain -s $(agent.tempdirectory)/buildagent.keychain

222
        security unlock-keychain -p pwd $(agent.tempdirectory)/buildagent.keychain

223
        echo "$(macos-developer-certificate)" | base64 -D > $(agent.tempdirectory)/cert.p12

224
        security import $(agent.tempdirectory)/cert.p12 -k $(agent.tempdirectory)/buildagent.keychain -P "$(macos-developer-certificate-key)" -T /usr/bin/codesign

225
        export CODESIGN_IDENTITY=$(security find-identity -v -p codesigning $(agent.tempdirectory)/buildagent.keychain | grep -oEi "([0-9A-F]{40})" | head -n 1)

226
        security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k pwd $(agent.tempdirectory)/buildagent.keychain

227
        DEBUG=electron-osx-sign* node build/darwin/sign.js $(agent.builddirectory)

228
      displayName: Set Hardened Entitlements

229


230
    - script: |

231
        set -e

232
        ARCHIVE_PATH="$(Pipeline.Workspace)/vscode_client_darwin_$(VSCODE_ARCH)_archive/VSCode-darwin-$(VSCODE_ARCH).zip"

233
        mkdir -p $(dirname $ARCHIVE_PATH)

234
        (cd ../VSCode-darwin-$(VSCODE_ARCH) && zip -Xry $ARCHIVE_PATH *)

235
        echo "##vso[task.setvariable variable=CLIENT_PATH]$ARCHIVE_PATH"

236
      condition: and(succeededOrFailed(), eq(variables['BUILT_CLIENT'], 'true'))

237
      displayName: Re-package client after entitlement

238


239
    - task: UseDotNet@2

240
      inputs:

241
        version: 6.x

242


243
    - task: EsrpCodeSigning@5

244
      inputs:

245
        UseMSIAuthentication: true

246
        ConnectedServiceName: vscode-esrp

247
        AppRegistrationClientId: $(ESRP_CLIENT_ID)

248
        AppRegistrationTenantId: $(ESRP_TENANT_ID)

249
        AuthAKVName: vscode-esrp

250
        AuthSignCertName: esrp-sign

251
        FolderPath: .

252
        Pattern: noop

253
      displayName: 'Install ESRP Tooling'

254


255
    - pwsh: |

256
        . build/azure-pipelines/win32/exec.ps1

257
        $ErrorActionPreference = "Stop"

258
        $EsrpCodeSigningTool = (gci -directory -filter EsrpCodeSigning_* $(Agent.RootDirectory)/_tasks | Select-Object -last 1).FullName

259
        $Version = (gci -directory $EsrpCodeSigningTool | Select-Object -last 1).FullName

260
        echo "##vso[task.setvariable variable=EsrpCliDllPath]$Version/net6.0/esrpcli.dll"

261
      displayName: Find ESRP CLI

262


263
    - script: npx deemon --detach --wait node build/azure-pipelines/darwin/codesign.js

264
      env:

265
        EsrpCliDllPath: $(EsrpCliDllPath)

266
        SYSTEM_ACCESSTOKEN: $(System.AccessToken)

267
      displayName:  Codesign & Notarize

268


269
  - ${{ if or(eq(parameters.VSCODE_RUN_ELECTRON_TESTS, true), eq(parameters.VSCODE_RUN_BROWSER_TESTS, true), eq(parameters.VSCODE_RUN_REMOTE_TESTS, true)) }}:

270
    - template: product-build-darwin-test.yml@self

271
      parameters:

272
        VSCODE_TEST_ARTIFACT_NAME: ${{ parameters.VSCODE_TEST_ARTIFACT_NAME }}

273
        VSCODE_RUN_ELECTRON_TESTS: ${{ parameters.VSCODE_RUN_ELECTRON_TESTS }}

274
        VSCODE_RUN_BROWSER_TESTS: ${{ parameters.VSCODE_RUN_BROWSER_TESTS }}

275
        VSCODE_RUN_REMOTE_TESTS: ${{ parameters.VSCODE_RUN_REMOTE_TESTS }}

276


277
  - ${{ if ne(parameters.VSCODE_CIBUILD, true) }}:

278
    - script: npx deemon --attach node build/azure-pipelines/darwin/codesign.js

279
      condition: succeededOrFailed()

280
      displayName: "Post-job: ✍️ Codesign & Notarize"

281


282
    - script: unzip $(Pipeline.Workspace)/vscode_client_darwin_$(VSCODE_ARCH)_archive/VSCode-darwin-$(VSCODE_ARCH).zip -d $(Build.ArtifactStagingDirectory)/VSCode-darwin-$(VSCODE_ARCH)

283
      displayName: Extract signed app

284


285
    - script: |

286
        set -e

287
        APP_ROOT="$(Build.ArtifactStagingDirectory)/VSCode-darwin-$(VSCODE_ARCH)"

288
        APP_NAME="`ls $APP_ROOT | head -n 1`"

289
        APP_PATH="$APP_ROOT/$APP_NAME"

290
        codesign -dv --deep --verbose=4 "$APP_PATH"

291
        "$APP_PATH/Contents/Resources/app/bin/code" --export-default-configuration=.build

292
      displayName: Verify signature

293


294
    - script: mv $(Pipeline.Workspace)/vscode_client_darwin_$(VSCODE_ARCH)_archive/VSCode-darwin-x64.zip $(Pipeline.Workspace)/vscode_client_darwin_$(VSCODE_ARCH)_archive/VSCode-darwin.zip

295
      displayName: Rename x64 build to its legacy name

296
      condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'))

297


298
    - template: ../common/publish-artifact.yml@self

299
      parameters:

300
        ${{ if eq(parameters.VSCODE_ARCH, 'arm64') }}:

301
          targetPath: $(Pipeline.Workspace)/vscode_client_darwin_$(VSCODE_ARCH)_archive/VSCode-darwin-arm64.zip

302
        ${{ else }}:

303
          targetPath: $(Pipeline.Workspace)/vscode_client_darwin_$(VSCODE_ARCH)_archive/VSCode-darwin.zip

304
        artifactName: vscode_client_darwin_$(VSCODE_ARCH)_archive

305
        displayName: Publish client archive

306
        sbomBuildDropPath: $(Build.ArtifactStagingDirectory)/VSCode-darwin-$(VSCODE_ARCH)

307
        sbomPackageName: "VS Code macOS $(VSCODE_ARCH)"

308
        sbomPackageVersion: $(Build.SourceVersion)

309


310
    - script: echo "##vso[task.setvariable variable=ARTIFACT_PREFIX]attempt$(System.JobAttempt)_"

311
      condition: and(succeededOrFailed(), notIn(variables['Agent.JobStatus'], 'Succeeded', 'SucceededWithIssues'))

312
      displayName: Generate artifact prefix

313


314
    - template: ../common/publish-artifact.yml@self

315
      parameters:

316
        targetPath: $(SERVER_PATH)

317
        artifactName: $(ARTIFACT_PREFIX)vscode_server_darwin_$(VSCODE_ARCH)_archive-unsigned

318
        displayName: Publish server archive

319
        sbomBuildDropPath: $(Agent.BuildDirectory)/vscode-server-darwin-$(VSCODE_ARCH)

320
        sbomPackageName: "VS Code macOS $(VSCODE_ARCH) Server"

321
        sbomPackageVersion: $(Build.SourceVersion)

322
        condition: and(succeededOrFailed(), ne(variables['SERVER_PATH'], ''))

323


324
    - template: ../common/publish-artifact.yml@self

325
      parameters:

326
        targetPath: $(WEB_PATH)

327
        artifactName: $(ARTIFACT_PREFIX)vscode_web_darwin_$(VSCODE_ARCH)_archive-unsigned

328
        displayName: Publish web server archive

329
        sbomBuildDropPath: $(Agent.BuildDirectory)/vscode-server-darwin-$(VSCODE_ARCH)-web

330
        sbomPackageName: "VS Code macOS $(VSCODE_ARCH) Web"

331
        sbomPackageVersion: $(Build.SourceVersion)

332
        condition: and(succeededOrFailed(), ne(variables['WEB_PATH'], ''))

333


334