Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
microsoft
GitHub Repository: microsoft/vscode
 Path: blob/main/build/azure-pipelines/darwin/steps/product-build-darwin-compile.yml
5387 views
1
parameters:

2
  - name: VSCODE_ARCH

3
    type: string

4
  - name: VSCODE_CIBUILD

5
    type: boolean

6
  - name: VSCODE_RUN_ELECTRON_TESTS

7
    type: boolean

8
    default: false

9
  - name: VSCODE_RUN_BROWSER_TESTS

10
    type: boolean

11
    default: false

12
  - name: VSCODE_RUN_REMOTE_TESTS

13
    type: boolean

14
    default: false

15


16
steps:

17
  - template: ../../common/checkout.yml@self

18


19
  - task: NodeTool@0

20
    inputs:

21
      versionSource: fromFile

22
      versionFilePath: .nvmrc

23


24
  - template: ../../distro/download-distro.yml@self

25


26
  - task: AzureKeyVault@2

27
    displayName: "Azure Key Vault: Get Secrets"

28
    inputs:

29
      azureSubscription: vscode

30
      KeyVaultName: vscode-build-secrets

31
      SecretsFilter: "github-distro-mixin-password,macos-developer-certificate,macos-developer-certificate-key"

32


33
  - task: DownloadPipelineArtifact@2

34
    inputs:

35
      artifact: Compilation

36
      path: $(Build.ArtifactStagingDirectory)

37
    displayName: Download compilation output

38


39
  - script: tar -xzf $(Build.ArtifactStagingDirectory)/compilation.tar.gz

40
    displayName: Extract compilation output

41


42
  - script: node build/setup-npm-registry.ts $NPM_REGISTRY

43
    condition: and(succeeded(), ne(variables['NPM_REGISTRY'], 'none'))

44
    displayName: Setup NPM Registry

45


46
  - script: mkdir -p .build && node build/azure-pipelines/common/computeNodeModulesCacheKey.ts darwin $VSCODE_ARCH $(node -p process.arch) > .build/packagelockhash

47
    displayName: Prepare node_modules cache key

48


49
  - task: Cache@2

50
    inputs:

51
      key: '"node_modules" | .build/packagelockhash'

52
      path: .build/node_modules_cache

53
      cacheHitVar: NODE_MODULES_RESTORED

54
    displayName: Restore node_modules cache

55


56
  - script: tar -xzf .build/node_modules_cache/cache.tgz

57
    condition: and(succeeded(), eq(variables.NODE_MODULES_RESTORED, 'true'))

58
    displayName: Extract node_modules cache

59


60
  - script: |

61
      set -e

62
      # Set the private NPM registry to the global npmrc file

63
      # so that authentication works for subfolders like build/, remote/, extensions/ etc

64
      # which does not have their own .npmrc file

65
      npm config set registry "$NPM_REGISTRY"

66
      echo "##vso[task.setvariable variable=NPMRC_PATH]$(npm config get userconfig)"

67
    condition: and(succeeded(), ne(variables.NODE_MODULES_RESTORED, 'true'), ne(variables['NPM_REGISTRY'], 'none'))

68
    displayName: Setup NPM

69


70
  - task: npmAuthenticate@0

71
    inputs:

72
      workingFile: $(NPMRC_PATH)

73
    condition: and(succeeded(), ne(variables.NODE_MODULES_RESTORED, 'true'), ne(variables['NPM_REGISTRY'], 'none'))

74
    displayName: Setup NPM Authentication

75


76
  - script: |

77
      set -e

78
      c++ --version

79
      xcode-select -print-path

80
      python3 -m pip install setuptools

81


82
      for i in {1..5}; do # try 5 times

83
        npm ci && break

84
        if [ $i -eq 5 ]; then

85
          echo "Npm install failed too many times" >&2

86
          exit 1

87
        fi

88
        echo "Npm install failed $i, trying again..."

89
      done

90
    env:

91
      npm_config_arch: $(VSCODE_ARCH)

92
      ELECTRON_SKIP_BINARY_DOWNLOAD: 1

93
      PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1

94
      GITHUB_TOKEN: "$(github-distro-mixin-password)"

95
      # Avoid using dlopen to load Kerberos on macOS which can cause missing libraries

96
      # https://github.com/mongodb-js/kerberos/commit/04044d2814ad1d01e77f1ce87f26b03d86692cf2

97
      # flipped the default to support legacy linux distros which shouldn't happen

98
      # on macOS.

99
      GYP_DEFINES: "kerberos_use_rtld=false"

100
    displayName: Install dependencies

101
    condition: and(succeeded(), ne(variables.NODE_MODULES_RESTORED, 'true'))

102


103
  - script: node build/azure-pipelines/distro/mixin-npm.ts

104
    condition: and(succeeded(), ne(variables.NODE_MODULES_RESTORED, 'true'))

105
    displayName: Mixin distro node modules

106


107
  - script: |

108
      set -e

109
      node build/azure-pipelines/common/listNodeModules.ts .build/node_modules_list.txt

110
      mkdir -p .build/node_modules_cache

111
      tar -czf .build/node_modules_cache/cache.tgz --files-from .build/node_modules_list.txt

112
    condition: and(succeeded(), ne(variables.NODE_MODULES_RESTORED, 'true'))

113
    displayName: Create node_modules archive

114


115
  - script: node build/azure-pipelines/distro/mixin-quality.ts

116
    displayName: Mixin distro quality

117


118
  - template: ../../common/install-builtin-extensions.yml@self

119


120
  - ${{ if ne(parameters.VSCODE_CIBUILD, true) }}:

121
    - script: npm run copy-policy-dto --prefix build && node build/lib/policies/policyGenerator.ts build/lib/policies/policyData.jsonc darwin

122
      displayName: Generate policy definitions

123
      retryCountOnTaskFailure: 3

124


125
  - script: |

126
      set -e

127
      npm run gulp vscode-darwin-$(VSCODE_ARCH)-min-ci

128
      echo "##vso[task.setvariable variable=BUILT_CLIENT]true"

129
    env:

130
      GITHUB_TOKEN: "$(github-distro-mixin-password)"

131
    displayName: Build client

132


133
  - script: |

134
      set -e

135
      npm run gulp vscode-reh-darwin-$(VSCODE_ARCH)-min-ci

136
      mv ../vscode-reh-darwin-$(VSCODE_ARCH) ../vscode-server-darwin-$(VSCODE_ARCH) # TODO@joaomoreno

137
    env:

138
      GITHUB_TOKEN: "$(github-distro-mixin-password)"

139
    displayName: Build server

140


141
  - script: |

142
      set -e

143
      npm run gulp vscode-reh-web-darwin-$(VSCODE_ARCH)-min-ci

144
      mv ../vscode-reh-web-darwin-$(VSCODE_ARCH) ../vscode-server-darwin-$(VSCODE_ARCH)-web # TODO@joaomoreno

145
    env:

146
      GITHUB_TOKEN: "$(github-distro-mixin-password)"

147
    displayName: Build server (web)

148


149
  - ${{ if ne(parameters.VSCODE_CIBUILD, true) }}:

150
    - task: DownloadPipelineArtifact@2

151
      inputs:

152
        artifact: unsigned_vscode_cli_darwin_$(VSCODE_ARCH)_cli

153
        patterns: "**"

154
        path: $(Build.ArtifactStagingDirectory)/cli

155
      displayName: Download VS Code CLI

156


157
    - script: |

158
        set -e

159
        APP_ROOT="$(Agent.BuildDirectory)/VSCode-darwin-$(VSCODE_ARCH)"

160
        APP_NAME="`ls $APP_ROOT | head -n 1`"

161
        APP_PATH="$APP_ROOT/$APP_NAME"

162
        unzip $(Build.ArtifactStagingDirectory)/cli/*.zip -d $(Build.ArtifactStagingDirectory)/cli

163
        CLI_APP_NAME=$(node -p "require(\"$APP_PATH/Contents/Resources/app/product.json\").tunnelApplicationName")

164
        APP_NAME=$(node -p "require(\"$APP_PATH/Contents/Resources/app/product.json\").applicationName")

165
        mv "$(Build.ArtifactStagingDirectory)/cli/$APP_NAME" "$APP_PATH/Contents/Resources/app/bin/$CLI_APP_NAME"

166
        chmod +x "$APP_PATH/Contents/Resources/app/bin/$CLI_APP_NAME"

167
      displayName: Make CLI executable

168


169
    - script: |

170
        set -e

171
        APP_ROOT="$(Agent.BuildDirectory)/VSCode-darwin-$(VSCODE_ARCH)"

172
        APP_NAME="`ls $APP_ROOT | head -n 1`"

173
        APP_PATH="$APP_ROOT/$APP_NAME"

174
        EXEC_NAME=$(node -p "require(\"$APP_PATH/Contents/Resources/app/product.json\").nameShort")

175
        # Create a symlink from 'Electron' to the actual executable for backward compatibility

176
        # This ensures apps that relied on the hardcoded path 'Contents/MacOS/Electron' continue to work

177
        # Remove this step once main branch is on 1.112 release.

178
        if [ "$EXEC_NAME" != "Electron" ] && [ ! -L "$APP_PATH/Contents/MacOS/Electron" ]; then

179
          ln -s "$EXEC_NAME" "$APP_PATH/Contents/MacOS/Electron"

180
        fi

181
      condition: eq(variables['BUILT_CLIENT'], 'true')

182
      displayName: Create Electron symlink for backward compatibility

183


184
    - script: |

185
        set -e

186
        APP_ROOT="$(Agent.BuildDirectory)/VSCode-darwin-$(VSCODE_ARCH)"

187
        APP_NAME="`ls $APP_ROOT | head -n 1`"

188
        APP_PATH="$APP_ROOT/$APP_NAME" node build/darwin/verify-macho.ts $(VSCODE_ARCH)

189
        APP_PATH="$(Agent.BuildDirectory)/vscode-server-darwin-$(VSCODE_ARCH)" node build/darwin/verify-macho.ts $(VSCODE_ARCH)

190
      displayName: Verify arch of Mach-O objects

191


192
    - script: |

193
        set -e

194
        ARCHIVE_PATH="$(Pipeline.Workspace)/unsigned_vscode_client_darwin_$(VSCODE_ARCH)_archive/VSCode-darwin-$(VSCODE_ARCH).zip"

195
        mkdir -p $(dirname $ARCHIVE_PATH)

196
        (cd ../VSCode-darwin-$(VSCODE_ARCH) && zip -Xry $ARCHIVE_PATH *)

197
        echo "##vso[task.setvariable variable=CLIENT_PATH]$ARCHIVE_PATH"

198
      condition: eq(variables['BUILT_CLIENT'], 'true')

199
      displayName: Package client

200


201
    - pwsh: node build/azure-pipelines/common/checkForArtifact.ts CLIENT_ARCHIVE_UPLOADED unsigned_vscode_client_darwin_$(VSCODE_ARCH)_archive

202
      env:

203
        SYSTEM_ACCESSTOKEN: $(System.AccessToken)

204
      displayName: Check for client artifact

205


206
    # We are publishing the unsigned client artifact before running tests

207
    # since the macOS (UNIVERSAL) job is blocked waiting for the artifact.

208
    - template: ../../common/publish-artifact.yml@self

209
      parameters:

210
        targetPath: $(CLIENT_PATH)

211
        artifactName: unsigned_vscode_client_darwin_$(VSCODE_ARCH)_archive

212
        displayName: Publish client archive (unsigned)

213
        sbomEnabled: false

214
        condition: and(ne(variables['CLIENT_PATH'], ''), eq(variables['CLIENT_ARCHIVE_UPLOADED'], 'false'))

215


216
    # Hardened entitlements should be set after publishing unsigned client artifacts

217
    # to ensure entitlement signing doesn't modify sha that would affect universal build.

218
    #

219
    # Setting hardened entitlements is a requirement for:

220
    # * Apple notarization

221
    # * Running tests on Big Sur (because Big Sur has additional security precautions)

222
    - script: |

223
        set -e

224
        security create-keychain -p pwd $(agent.tempdirectory)/buildagent.keychain

225
        security default-keychain -s $(agent.tempdirectory)/buildagent.keychain

226
        security unlock-keychain -p pwd $(agent.tempdirectory)/buildagent.keychain

227
        echo "$(macos-developer-certificate)" | base64 -D > $(agent.tempdirectory)/cert.p12

228
        security import $(agent.tempdirectory)/cert.p12 -k $(agent.tempdirectory)/buildagent.keychain -P "$(macos-developer-certificate-key)" -T /usr/bin/codesign

229
        export CODESIGN_IDENTITY=$(security find-identity -v -p codesigning $(agent.tempdirectory)/buildagent.keychain | grep -oEi "([0-9A-F]{40})" | head -n 1)

230
        security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k pwd $(agent.tempdirectory)/buildagent.keychain

231
        DEBUG=electron-osx-sign* node build/darwin/sign.ts $(agent.builddirectory)

232
      displayName: Set Hardened Entitlements

233


234
    - script: |

235
        set -e

236
        export CODESIGN_IDENTITY=$(security find-identity -v -p codesigning $(agent.tempdirectory)/buildagent.keychain | grep -oEi "([0-9A-F]{40})" | head -n 1)

237
        node build/darwin/sign-server.ts $(Agent.BuildDirectory)/vscode-server-darwin-$(VSCODE_ARCH)

238
        node build/darwin/sign-server.ts $(Agent.BuildDirectory)/vscode-server-darwin-$(VSCODE_ARCH)-web

239
      displayName: Sign server binaries

240


241
    - script: |

242
        set -e

243
        # Needed for https://github.com/dmgbuild/dmgbuild/blob/main/src/dmgbuild/badge.py

244
        python3 -m pip install pyobjc-framework-Quartz

245
        DMG_OUT="$(Pipeline.Workspace)/vscode_client_darwin_$(VSCODE_ARCH)_dmg"

246
        mkdir -p $DMG_OUT

247
        node build/darwin/create-dmg.ts $(agent.builddirectory) $DMG_OUT

248
        python3 build/darwin/patch-dmg.py $DMG_OUT/VSCode-darwin-$(VSCODE_ARCH).dmg resources/darwin/disk.icns

249
        echo "##vso[task.setvariable variable=DMG_PATH]$DMG_OUT/VSCode-darwin-$(VSCODE_ARCH).dmg"

250
      condition: eq(variables['BUILT_CLIENT'], 'true')

251
      displayName: Create DMG installer

252


253
    - script: |

254
        set -e

255
        ARCHIVE_PATH="$(Pipeline.Workspace)/vscode_client_darwin_$(VSCODE_ARCH)_archive/VSCode-darwin-$(VSCODE_ARCH).zip"

256
        mkdir -p $(dirname $ARCHIVE_PATH)

257
        (cd ../VSCode-darwin-$(VSCODE_ARCH) && zip -Xry $ARCHIVE_PATH *)

258
        echo "##vso[task.setvariable variable=CLIENT_PATH]$ARCHIVE_PATH"

259
      condition: eq(variables['BUILT_CLIENT'], 'true')

260
      displayName: Re-package client after entitlement

261


262
    - script: |

263
        set -e

264
        ARCHIVE_PATH=".build/darwin/server/vscode-server-darwin-$(VSCODE_ARCH).zip"

265
        mkdir -p $(dirname $ARCHIVE_PATH)

266
        (cd .. && zip -Xry $(Build.SourcesDirectory)/$ARCHIVE_PATH vscode-server-darwin-$(VSCODE_ARCH))

267
        echo "##vso[task.setvariable variable=SERVER_PATH]$ARCHIVE_PATH"

268
      displayName: Package server

269


270
    - script: |

271
        set -e

272
        ARCHIVE_PATH=".build/darwin/server/vscode-server-darwin-$(VSCODE_ARCH)-web.zip"

273
        mkdir -p $(dirname $ARCHIVE_PATH)

274
        (cd .. && zip -Xry $(Build.SourcesDirectory)/$ARCHIVE_PATH vscode-server-darwin-$(VSCODE_ARCH)-web)

275
        echo "##vso[task.setvariable variable=WEB_PATH]$ARCHIVE_PATH"

276
      displayName: Package server (web)

277


278
    - task: UseDotNet@2

279
      inputs:

280
        version: 6.x

281


282
    - task: EsrpCodeSigning@5

283
      inputs:

284
        UseMSIAuthentication: true

285
        ConnectedServiceName: vscode-esrp

286
        AppRegistrationClientId: $(ESRP_CLIENT_ID)

287
        AppRegistrationTenantId: $(ESRP_TENANT_ID)

288
        AuthAKVName: vscode-esrp

289
        AuthSignCertName: esrp-sign

290
        FolderPath: .

291
        Pattern: noop

292
      displayName: 'Install ESRP Tooling'

293


294
    - pwsh: |

295
        . build/azure-pipelines/win32/exec.ps1

296
        $ErrorActionPreference = "Stop"

297
        $EsrpCodeSigningTool = (gci -directory -filter EsrpCodeSigning_* $(Agent.RootDirectory)/_tasks | Select-Object -last 1).FullName

298
        $Version = (gci -directory $EsrpCodeSigningTool | Select-Object -last 1).FullName

299
        echo "##vso[task.setvariable variable=EsrpCliDllPath]$Version/net6.0/esrpcli.dll"

300
      displayName: Find ESRP CLI

301


302
    - script: npx deemon --detach --wait node build/azure-pipelines/darwin/codesign.ts

303
      env:

304
        EsrpCliDllPath: $(EsrpCliDllPath)

305
        SYSTEM_ACCESSTOKEN: $(System.AccessToken)

306
        BUILD_SOURCESDIRECTORY: $(Build.SourcesDirectory)

307
      displayName:  Codesign & Notarize

308


309
  - ${{ if or(eq(parameters.VSCODE_RUN_ELECTRON_TESTS, true), eq(parameters.VSCODE_RUN_BROWSER_TESTS, true), eq(parameters.VSCODE_RUN_REMOTE_TESTS, true)) }}:

310
    - template: product-build-darwin-test.yml@self

311
      parameters:

312
        VSCODE_RUN_ELECTRON_TESTS: ${{ parameters.VSCODE_RUN_ELECTRON_TESTS }}

313
        VSCODE_RUN_BROWSER_TESTS: ${{ parameters.VSCODE_RUN_BROWSER_TESTS }}

314
        VSCODE_RUN_REMOTE_TESTS: ${{ parameters.VSCODE_RUN_REMOTE_TESTS }}

315


316
  - ${{ if ne(parameters.VSCODE_CIBUILD, true) }}:

317
    - script: npx deemon --attach node build/azure-pipelines/darwin/codesign.ts

318
      condition: succeededOrFailed()

319
      displayName: "Post-job: ✍️ Codesign & Notarize"

320


321
    - script: unzip $(Pipeline.Workspace)/vscode_client_darwin_$(VSCODE_ARCH)_archive/VSCode-darwin-$(VSCODE_ARCH).zip -d $(Build.ArtifactStagingDirectory)/VSCode-darwin-$(VSCODE_ARCH)

322
      displayName: Extract signed app

323


324
    - script: |

325
        set -e

326
        APP_ROOT="$(Build.ArtifactStagingDirectory)/VSCode-darwin-$(VSCODE_ARCH)"

327
        APP_NAME="`ls $APP_ROOT | head -n 1`"

328
        APP_PATH="$APP_ROOT/$APP_NAME"

329
        codesign -dv --deep --verbose=4 "$APP_PATH"

330
        "$APP_PATH/Contents/Resources/app/bin/code" --export-default-configuration=.build

331
      displayName: Verify signature

332


333
    - script: |

334
        set -e

335


336
        mkdir -p $(Build.ArtifactStagingDirectory)/out/vscode_client_darwin_$(VSCODE_ARCH)_archive

337
        if [ "$VSCODE_ARCH" == "x64" ]; then

338
          # Use legacy name for x64 builds

339
          mv $(CLIENT_PATH) $(Build.ArtifactStagingDirectory)/out/vscode_client_darwin_$(VSCODE_ARCH)_archive/VSCode-darwin.zip

340
        else

341
          mv $(CLIENT_PATH) $(Build.ArtifactStagingDirectory)/out/vscode_client_darwin_$(VSCODE_ARCH)_archive/VSCode-darwin-$(VSCODE_ARCH).zip

342
        fi

343


344
        mkdir -p $(Build.ArtifactStagingDirectory)/out/vscode_client_darwin_$(VSCODE_ARCH)_dmg

345
        mv $(DMG_PATH) $(Build.ArtifactStagingDirectory)/out/vscode_client_darwin_$(VSCODE_ARCH)_dmg/VSCode-darwin-$(VSCODE_ARCH).dmg

346


347
        mkdir -p $(Build.ArtifactStagingDirectory)/out/vscode_server_darwin_$(VSCODE_ARCH)_archive

348
        mv $(SERVER_PATH) $(Build.ArtifactStagingDirectory)/out/vscode_server_darwin_$(VSCODE_ARCH)_archive/vscode-server-darwin-$(VSCODE_ARCH).zip

349


350
        mkdir -p $(Build.ArtifactStagingDirectory)/out/vscode_web_darwin_$(VSCODE_ARCH)_archive

351
        mv $(WEB_PATH) $(Build.ArtifactStagingDirectory)/out/vscode_web_darwin_$(VSCODE_ARCH)_archive/vscode-server-darwin-$(VSCODE_ARCH)-web.zip

352
      displayName: Move artifacts to out directory

353


354