Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
microsoft
GitHub Repository: microsoft/vscode
 Path: blob/main/build/azure-pipelines/darwin/steps/product-build-darwin-compile.yml
4774 views
1
parameters:

2
  - name: VSCODE_ARCH

3
    type: string

4
  - name: VSCODE_CIBUILD

5
    type: boolean

6
  - name: VSCODE_RUN_ELECTRON_TESTS

7
    type: boolean

8
    default: false

9
  - name: VSCODE_RUN_BROWSER_TESTS

10
    type: boolean

11
    default: false

12
  - name: VSCODE_RUN_REMOTE_TESTS

13
    type: boolean

14
    default: false

15


16
steps:

17
  - template: ../../common/checkout.yml@self

18


19
  - task: NodeTool@0

20
    inputs:

21
      versionSource: fromFile

22
      versionFilePath: .nvmrc

23


24
  - template: ../../distro/download-distro.yml@self

25


26
  - task: AzureKeyVault@2

27
    displayName: "Azure Key Vault: Get Secrets"

28
    inputs:

29
      azureSubscription: vscode

30
      KeyVaultName: vscode-build-secrets

31
      SecretsFilter: "github-distro-mixin-password,macos-developer-certificate,macos-developer-certificate-key"

32


33
  - task: DownloadPipelineArtifact@2

34
    inputs:

35
      artifact: Compilation

36
      path: $(Build.ArtifactStagingDirectory)

37
    displayName: Download compilation output

38


39
  - script: tar -xzf $(Build.ArtifactStagingDirectory)/compilation.tar.gz

40
    displayName: Extract compilation output

41


42
  - script: node build/setup-npm-registry.ts $NPM_REGISTRY

43
    condition: and(succeeded(), ne(variables['NPM_REGISTRY'], 'none'))

44
    displayName: Setup NPM Registry

45


46
  - script: mkdir -p .build && node build/azure-pipelines/common/computeNodeModulesCacheKey.ts darwin $VSCODE_ARCH $(node -p process.arch) > .build/packagelockhash

47
    displayName: Prepare node_modules cache key

48


49
  - task: Cache@2

50
    inputs:

51
      key: '"node_modules" | .build/packagelockhash'

52
      path: .build/node_modules_cache

53
      cacheHitVar: NODE_MODULES_RESTORED

54
    displayName: Restore node_modules cache

55


56
  - script: tar -xzf .build/node_modules_cache/cache.tgz

57
    condition: and(succeeded(), eq(variables.NODE_MODULES_RESTORED, 'true'))

58
    displayName: Extract node_modules cache

59


60
  - script: |

61
      set -e

62
      # Set the private NPM registry to the global npmrc file

63
      # so that authentication works for subfolders like build/, remote/, extensions/ etc

64
      # which does not have their own .npmrc file

65
      npm config set registry "$NPM_REGISTRY"

66
      echo "##vso[task.setvariable variable=NPMRC_PATH]$(npm config get userconfig)"

67
    condition: and(succeeded(), ne(variables.NODE_MODULES_RESTORED, 'true'), ne(variables['NPM_REGISTRY'], 'none'))

68
    displayName: Setup NPM

69


70
  - task: npmAuthenticate@0

71
    inputs:

72
      workingFile: $(NPMRC_PATH)

73
    condition: and(succeeded(), ne(variables.NODE_MODULES_RESTORED, 'true'), ne(variables['NPM_REGISTRY'], 'none'))

74
    displayName: Setup NPM Authentication

75


76
  - script: |

77
      set -e

78
      c++ --version

79
      xcode-select -print-path

80
      python3 -m pip install setuptools

81


82
      for i in {1..5}; do # try 5 times

83
        npm ci && break

84
        if [ $i -eq 5 ]; then

85
          echo "Npm install failed too many times" >&2

86
          exit 1

87
        fi

88
        echo "Npm install failed $i, trying again..."

89
      done

90
    env:

91
      npm_config_arch: $(VSCODE_ARCH)

92
      ELECTRON_SKIP_BINARY_DOWNLOAD: 1

93
      PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1

94
      GITHUB_TOKEN: "$(github-distro-mixin-password)"

95
      # Avoid using dlopen to load Kerberos on macOS which can cause missing libraries

96
      # https://github.com/mongodb-js/kerberos/commit/04044d2814ad1d01e77f1ce87f26b03d86692cf2

97
      # flipped the default to support legacy linux distros which shouldn't happen

98
      # on macOS.

99
      GYP_DEFINES: "kerberos_use_rtld=false"

100
    displayName: Install dependencies

101
    condition: and(succeeded(), ne(variables.NODE_MODULES_RESTORED, 'true'))

102


103
  - script: node build/azure-pipelines/distro/mixin-npm.ts

104
    condition: and(succeeded(), ne(variables.NODE_MODULES_RESTORED, 'true'))

105
    displayName: Mixin distro node modules

106


107
  - script: |

108
      set -e

109
      node build/azure-pipelines/common/listNodeModules.ts .build/node_modules_list.txt

110
      mkdir -p .build/node_modules_cache

111
      tar -czf .build/node_modules_cache/cache.tgz --files-from .build/node_modules_list.txt

112
    condition: and(succeeded(), ne(variables.NODE_MODULES_RESTORED, 'true'))

113
    displayName: Create node_modules archive

114


115
  - script: node build/azure-pipelines/distro/mixin-quality.ts

116
    displayName: Mixin distro quality

117


118
  - template: ../../common/install-builtin-extensions.yml@self

119


120
  - ${{ if ne(parameters.VSCODE_CIBUILD, true) }}:

121
    - script: npm run copy-policy-dto --prefix build && node build/lib/policies/policyGenerator.ts build/lib/policies/policyData.jsonc darwin

122
      displayName: Generate policy definitions

123
      retryCountOnTaskFailure: 3

124


125
  - script: |

126
      set -e

127
      npm run gulp vscode-darwin-$(VSCODE_ARCH)-min-ci

128
      echo "##vso[task.setvariable variable=BUILT_CLIENT]true"

129
    env:

130
      GITHUB_TOKEN: "$(github-distro-mixin-password)"

131
    displayName: Build client

132


133
  - script: |

134
      set -e

135
      npm run gulp vscode-reh-darwin-$(VSCODE_ARCH)-min-ci

136
      mv ../vscode-reh-darwin-$(VSCODE_ARCH) ../vscode-server-darwin-$(VSCODE_ARCH) # TODO@joaomoreno

137
      ARCHIVE_PATH=".build/darwin/server/vscode-server-darwin-$(VSCODE_ARCH).zip"

138
      mkdir -p $(dirname $ARCHIVE_PATH)

139
      (cd .. && zip -Xry $(Build.SourcesDirectory)/$ARCHIVE_PATH vscode-server-darwin-$(VSCODE_ARCH))

140
      echo "##vso[task.setvariable variable=SERVER_PATH]$ARCHIVE_PATH"

141
    env:

142
      GITHUB_TOKEN: "$(github-distro-mixin-password)"

143
    displayName: Build server

144


145
  - script: |

146
      set -e

147
      npm run gulp vscode-reh-web-darwin-$(VSCODE_ARCH)-min-ci

148
      mv ../vscode-reh-web-darwin-$(VSCODE_ARCH) ../vscode-server-darwin-$(VSCODE_ARCH)-web # TODO@joaomoreno

149
      ARCHIVE_PATH=".build/darwin/server/vscode-server-darwin-$(VSCODE_ARCH)-web.zip"

150
      mkdir -p $(dirname $ARCHIVE_PATH)

151
      (cd .. && zip -Xry $(Build.SourcesDirectory)/$ARCHIVE_PATH vscode-server-darwin-$(VSCODE_ARCH)-web)

152
      echo "##vso[task.setvariable variable=WEB_PATH]$ARCHIVE_PATH"

153
    env:

154
      GITHUB_TOKEN: "$(github-distro-mixin-password)"

155
    displayName: Build server (web)

156


157
  - ${{ if ne(parameters.VSCODE_CIBUILD, true) }}:

158
    - task: DownloadPipelineArtifact@2

159
      inputs:

160
        artifact: unsigned_vscode_cli_darwin_$(VSCODE_ARCH)_cli

161
        patterns: "**"

162
        path: $(Build.ArtifactStagingDirectory)/cli

163
      displayName: Download VS Code CLI

164


165
    - script: |

166
        set -e

167
        APP_ROOT="$(Agent.BuildDirectory)/VSCode-darwin-$(VSCODE_ARCH)"

168
        APP_NAME="`ls $APP_ROOT | head -n 1`"

169
        APP_PATH="$APP_ROOT/$APP_NAME"

170
        unzip $(Build.ArtifactStagingDirectory)/cli/*.zip -d $(Build.ArtifactStagingDirectory)/cli

171
        CLI_APP_NAME=$(node -p "require(\"$APP_PATH/Contents/Resources/app/product.json\").tunnelApplicationName")

172
        APP_NAME=$(node -p "require(\"$APP_PATH/Contents/Resources/app/product.json\").applicationName")

173
        mv "$(Build.ArtifactStagingDirectory)/cli/$APP_NAME" "$APP_PATH/Contents/Resources/app/bin/$CLI_APP_NAME"

174
        chmod +x "$APP_PATH/Contents/Resources/app/bin/$CLI_APP_NAME"

175
      displayName: Make CLI executable

176


177
    - script: |

178
        set -e

179
        APP_ROOT="$(Agent.BuildDirectory)/VSCode-darwin-$(VSCODE_ARCH)"

180
        APP_NAME="`ls $APP_ROOT | head -n 1`"

181
        APP_PATH="$APP_ROOT/$APP_NAME" node build/darwin/verify-macho.ts $(VSCODE_ARCH)

182
        APP_PATH="$(Agent.BuildDirectory)/vscode-server-darwin-$(VSCODE_ARCH)" node build/darwin/verify-macho.ts $(VSCODE_ARCH)

183
      displayName: Verify arch of Mach-O objects

184


185
    - script: |

186
        set -e

187
        ARCHIVE_PATH="$(Pipeline.Workspace)/unsigned_vscode_client_darwin_$(VSCODE_ARCH)_archive/VSCode-darwin-$(VSCODE_ARCH).zip"

188
        mkdir -p $(dirname $ARCHIVE_PATH)

189
        (cd ../VSCode-darwin-$(VSCODE_ARCH) && zip -Xry $ARCHIVE_PATH *)

190
        echo "##vso[task.setvariable variable=CLIENT_PATH]$ARCHIVE_PATH"

191
      condition: eq(variables['BUILT_CLIENT'], 'true')

192
      displayName: Package client

193


194
    - pwsh: node build/azure-pipelines/common/checkForArtifact.ts CLIENT_ARCHIVE_UPLOADED unsigned_vscode_client_darwin_$(VSCODE_ARCH)_archive

195
      env:

196
        SYSTEM_ACCESSTOKEN: $(System.AccessToken)

197
      displayName: Check for client artifact

198


199
    # We are publishing the unsigned client artifact before running tests

200
    # since the macOS (UNIVERSAL) job is blocked waiting for the artifact.

201
    - template: ../../common/publish-artifact.yml@self

202
      parameters:

203
        targetPath: $(CLIENT_PATH)

204
        artifactName: unsigned_vscode_client_darwin_$(VSCODE_ARCH)_archive

205
        displayName: Publish client archive (unsigned)

206
        sbomEnabled: false

207
        condition: and(ne(variables['CLIENT_PATH'], ''), eq(variables['CLIENT_ARCHIVE_UPLOADED'], 'false'))

208


209
    # Hardened entitlements should be set after publishing unsigned client artifacts

210
    # to ensure entitlement signing doesn't modify sha that would affect universal build.

211
    #

212
    # Setting hardened entitlements is a requirement for:

213
    # * Apple notarization

214
    # * Running tests on Big Sur (because Big Sur has additional security precautions)

215
    - script: |

216
        set -e

217
        security create-keychain -p pwd $(agent.tempdirectory)/buildagent.keychain

218
        security default-keychain -s $(agent.tempdirectory)/buildagent.keychain

219
        security unlock-keychain -p pwd $(agent.tempdirectory)/buildagent.keychain

220
        echo "$(macos-developer-certificate)" | base64 -D > $(agent.tempdirectory)/cert.p12

221
        security import $(agent.tempdirectory)/cert.p12 -k $(agent.tempdirectory)/buildagent.keychain -P "$(macos-developer-certificate-key)" -T /usr/bin/codesign

222
        export CODESIGN_IDENTITY=$(security find-identity -v -p codesigning $(agent.tempdirectory)/buildagent.keychain | grep -oEi "([0-9A-F]{40})" | head -n 1)

223
        security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k pwd $(agent.tempdirectory)/buildagent.keychain

224
        DEBUG=electron-osx-sign* node build/darwin/sign.ts $(agent.builddirectory)

225
      displayName: Set Hardened Entitlements

226


227
    - script: |

228
        set -e

229
        ARCHIVE_PATH="$(Pipeline.Workspace)/vscode_client_darwin_$(VSCODE_ARCH)_archive/VSCode-darwin-$(VSCODE_ARCH).zip"

230
        mkdir -p $(dirname $ARCHIVE_PATH)

231
        (cd ../VSCode-darwin-$(VSCODE_ARCH) && zip -Xry $ARCHIVE_PATH *)

232
        echo "##vso[task.setvariable variable=CLIENT_PATH]$ARCHIVE_PATH"

233
      condition: eq(variables['BUILT_CLIENT'], 'true')

234
      displayName: Re-package client after entitlement

235


236
    - task: UseDotNet@2

237
      inputs:

238
        version: 6.x

239


240
    - task: EsrpCodeSigning@5

241
      inputs:

242
        UseMSIAuthentication: true

243
        ConnectedServiceName: vscode-esrp

244
        AppRegistrationClientId: $(ESRP_CLIENT_ID)

245
        AppRegistrationTenantId: $(ESRP_TENANT_ID)

246
        AuthAKVName: vscode-esrp

247
        AuthSignCertName: esrp-sign

248
        FolderPath: .

249
        Pattern: noop

250
      displayName: 'Install ESRP Tooling'

251


252
    - pwsh: |

253
        . build/azure-pipelines/win32/exec.ps1

254
        $ErrorActionPreference = "Stop"

255
        $EsrpCodeSigningTool = (gci -directory -filter EsrpCodeSigning_* $(Agent.RootDirectory)/_tasks | Select-Object -last 1).FullName

256
        $Version = (gci -directory $EsrpCodeSigningTool | Select-Object -last 1).FullName

257
        echo "##vso[task.setvariable variable=EsrpCliDllPath]$Version/net6.0/esrpcli.dll"

258
      displayName: Find ESRP CLI

259


260
    - script: npx deemon --detach --wait node build/azure-pipelines/darwin/codesign.ts

261
      env:

262
        EsrpCliDllPath: $(EsrpCliDllPath)

263
        SYSTEM_ACCESSTOKEN: $(System.AccessToken)

264
      displayName:  Codesign & Notarize

265


266
  - ${{ if or(eq(parameters.VSCODE_RUN_ELECTRON_TESTS, true), eq(parameters.VSCODE_RUN_BROWSER_TESTS, true), eq(parameters.VSCODE_RUN_REMOTE_TESTS, true)) }}:

267
    - template: product-build-darwin-test.yml@self

268
      parameters:

269
        VSCODE_RUN_ELECTRON_TESTS: ${{ parameters.VSCODE_RUN_ELECTRON_TESTS }}

270
        VSCODE_RUN_BROWSER_TESTS: ${{ parameters.VSCODE_RUN_BROWSER_TESTS }}

271
        VSCODE_RUN_REMOTE_TESTS: ${{ parameters.VSCODE_RUN_REMOTE_TESTS }}

272


273
  - ${{ if ne(parameters.VSCODE_CIBUILD, true) }}:

274
    - script: npx deemon --attach node build/azure-pipelines/darwin/codesign.ts

275
      condition: succeededOrFailed()

276
      displayName: "Post-job: ✍️ Codesign & Notarize"

277


278
    - script: unzip $(Pipeline.Workspace)/vscode_client_darwin_$(VSCODE_ARCH)_archive/VSCode-darwin-$(VSCODE_ARCH).zip -d $(Build.ArtifactStagingDirectory)/VSCode-darwin-$(VSCODE_ARCH)

279
      displayName: Extract signed app

280


281
    - script: |

282
        set -e

283
        APP_ROOT="$(Build.ArtifactStagingDirectory)/VSCode-darwin-$(VSCODE_ARCH)"

284
        APP_NAME="`ls $APP_ROOT | head -n 1`"

285
        APP_PATH="$APP_ROOT/$APP_NAME"

286
        codesign -dv --deep --verbose=4 "$APP_PATH"

287
        "$APP_PATH/Contents/Resources/app/bin/code" --export-default-configuration=.build

288
      displayName: Verify signature

289


290
    - script: |

291
        set -e

292


293
        mkdir -p $(Build.ArtifactStagingDirectory)/out/vscode_client_darwin_$(VSCODE_ARCH)_archive

294
        if [ "$VSCODE_ARCH" == "x64" ]; then

295
          # Use legacy name for x64 builds

296
          mv $(CLIENT_PATH) $(Build.ArtifactStagingDirectory)/out/vscode_client_darwin_$(VSCODE_ARCH)_archive/VSCode-darwin.zip

297
        else

298
          mv $(CLIENT_PATH) $(Build.ArtifactStagingDirectory)/out/vscode_client_darwin_$(VSCODE_ARCH)_archive/VSCode-darwin-$(VSCODE_ARCH).zip

299
        fi

300


301
        mkdir -p $(Build.ArtifactStagingDirectory)/out/vscode_server_darwin_$(VSCODE_ARCH)_archive

302
        mv $(SERVER_PATH) $(Build.ArtifactStagingDirectory)/out/vscode_server_darwin_$(VSCODE_ARCH)_archive/vscode-server-darwin-$(VSCODE_ARCH).zip

303


304
        mkdir -p $(Build.ArtifactStagingDirectory)/out/vscode_web_darwin_$(VSCODE_ARCH)_archive

305
        mv $(WEB_PATH) $(Build.ArtifactStagingDirectory)/out/vscode_web_darwin_$(VSCODE_ARCH)_archive/vscode-server-darwin-$(VSCODE_ARCH)-web.zip

306
      displayName: Move artifacts to out directory

307


308