GitHub Repository: microsoft/vscode
Path: blob/main/build/azure-pipelines/win32/sdl-scan-win32.yml
# Template parameters, read below through ${{ parameters.* }}.
parameters:
# Target architecture: exported as npm_config_arch for `npm ci` and spliced
# into the gulp task name of the "Download Symbols" step.
# NOTE(review): no `values:` allow-list is declared here, and the value lands
# inside an inline PowerShell command line; constraining it to the supported
# architectures would keep a malformed value out of that script text.
- name: VSCODE_ARCH
  type: string
# Release quality: exported as VSCODE_QUALITY to the mixin-quality step.
- name: VSCODE_QUALITY
  type: string

steps:
# Checkout is delegated to a template in this same repository (`@self`);
# the template body is not part of this file.
- template: ../common/checkout.yml@self

# Install Node.js at the version recorded in .nvmrc, so the toolchain version
# comes from the repository's version file rather than from this pipeline.
- task: NodeTool@0
  inputs:
    versionFilePath: .nvmrc
    versionSource: fromFile

# Put a Python 3 interpreter on PATH (presumably for node-gyp during
# `npm ci` — confirm).
# NOTE(review): '3.x' floats to whichever 3.x release the agent resolves, so
# the exact interpreter is not pinned by this file.
- task: UsePythonVersion@0
  inputs:
    addToPath: true
    versionSpec: '3.x'

# Distro download, delegated to a template in this repository (`@self`).
# What it fetches and how it authenticates is defined in that template.
- template: ../distro/download-distro.yml@self

# Fetch one secret from Key Vault. SecretsFilter names a single entry rather
# than '*', so the job only holds the credential it uses. The value becomes
# the secret variable $(github-distro-mixin-password); secret variables are
# not exported to scripts automatically, which is why later steps map it
# into `env:` explicitly.
- task: AzureKeyVault@2
  displayName: 'Azure Key Vault: Get Secrets'
  inputs:
    KeyVaultName: vscode-build-secrets
    azureSubscription: vscode
    SecretsFilter: 'github-distro-mixin-password'

# Run build/setup-npm-registry.ts with the registry taken from NPM_REGISTRY.
# Skipped when NPM_REGISTRY is the literal 'none'.
- powershell: node build/setup-npm-registry.ts $env:NPM_REGISTRY
  displayName: Setup NPM Registry
  condition: and(succeeded(), ne(variables['NPM_REGISTRY'], 'none'))

# Record the registry in npm's user-level config and publish that file's path
# as the pipeline variable NPMRC_PATH (via the ##vso logging command) for the
# authentication step. Skipped when NPM_REGISTRY is the literal 'none'.
- powershell: |
    . build/azure-pipelines/win32/exec.ps1
    $ErrorActionPreference = "Stop"
    # Set the private NPM registry to the global npmrc file
    # so that authentication works for subfolders like build/, remote/, extensions/ etc
    # which does not have their own .npmrc file
    exec { npm config set registry "$env:NPM_REGISTRY" }
    $NpmrcPath = (npm config get userconfig)
    echo "##vso[task.setvariable variable=NPMRC_PATH]$NpmrcPath"
  displayName: Setup NPM
  condition: and(succeeded(), ne(variables['NPM_REGISTRY'], 'none'))

# Let the npmAuthenticate task supply registry credentials for the npmrc at
# $(NPMRC_PATH), so no registry token has to appear in this file.
# Skipped when NPM_REGISTRY is the literal 'none'.
- task: npmAuthenticate@0
  displayName: Setup NPM Authentication
  condition: and(succeeded(), ne(variables['NPM_REGISTRY'], 'none'))
  inputs:
    workingFile: $(NPMRC_PATH)

# Write a user-level ~/.gyp/include.gypi that adds /Zi and /FS to the
# compiler options and /profile to the linker options for Windows targets.
# NOTE(review): presumably this is what makes native modules built by the
# following `npm ci` emit the PDBs that the symbol and APIScan steps
# consume — confirm.
# The closing '@ of the here-string has to stay at the script's left margin.
- pwsh: |
    $includes = @'
    {
      'target_defaults': {
        'conditions': [
          ['OS=="win"', {
            'msvs_settings': {
              'VCCLCompilerTool': {
                'AdditionalOptions': [
                  '/Zi',
                  '/FS'
                ],
              },
              'VCLinkerTool': {
                'AdditionalOptions': [
                  '/profile'
                ]
              }
            }
          }]
        ]
      }
    }
    '@

    if (!(Test-Path "~/.gyp")) {
      mkdir "~/.gyp"
    }
    echo $includes > "~/.gyp/include.gypi"
  displayName: Create include.gypi

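# Install dependencies with `npm ci`, retried up to five times on failure.
# npm_config_foreground_scripts is enabled, so package install scripts run
# in the foreground of this step.
# NOTE(review): GITHUB_TOKEN is present in the environment of every process
# this step starts, dependency install scripts included; the token behind
# github-distro-mixin-password should carry no more scope than this install
# needs.
- powershell: |
    . build/azure-pipelines/win32/exec.ps1
    $ErrorActionPreference = "Stop"
    exec { npm ci }
  displayName: Install dependencies
  retryCountOnTaskFailure: 5
  env:
    npm_config_arch: ${{ parameters.VSCODE_ARCH }}
    npm_config_foreground_scripts: "true"
    # Quoted so these flags are strings, like the other values in this map.
    ELECTRON_SKIP_BINARY_DOWNLOAD: "1"
    PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: "1"
    GITHUB_TOKEN: "$(github-distro-mixin-password)"
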
# Run the distro npm mixin script; no extra environment is passed to it here.
- script: node build/azure-pipelines/distro/mixin-npm.ts
  displayName: Mixin distro node modules

# Run the distro quality mixin script. The quality comes from the template
# parameter and reaches the script as an environment variable rather than
# as part of the command line.
- script: node build/azure-pipelines/distro/mixin-quality.ts
  displayName: Mixin distro quality
  env:
    VSCODE_QUALITY: ${{ parameters.VSCODE_QUALITY }}

# Build the sources with the repository's `compile` npm script.
- powershell: npm run compile
  displayName: Compile

# Run the per-architecture gulp symbols task, with the Key Vault secret
# mapped in as GITHUB_TOKEN.
# NOTE(review): ${{ parameters.VSCODE_ARCH }} is expanded into the command
# text before PowerShell parses it, so the value becomes script text; a
# `values:` allow-list on the parameter, or passing it through `env:` as the
# quality step does, would avoid that.
- powershell: npm run gulp "vscode-symbols-win32-${{ parameters.VSCODE_ARCH }}"
  displayName: Download Symbols
  env:
    GITHUB_TOKEN: "$(github-distro-mixin-password)"

# Print every .exe, .dll, .node and .pdb under scanbin, which leaves a record
# in the build log of what was staged for the scan.
# $(Agent.BuildDirectory) is substituted by the pipeline before the script
# runs, so the PowerShell single quotes do not block the expansion.
- powershell: |
    Get-ChildItem '$(Agent.BuildDirectory)\scanbin' -Recurse -Filter "*.exe"
    Get-ChildItem '$(Agent.BuildDirectory)\scanbin' -Recurse -Filter "*.dll"
    Get-ChildItem '$(Agent.BuildDirectory)\scanbin' -Recurse -Filter "*.node"
    Get-ChildItem '$(Agent.BuildDirectory)\scanbin' -Recurse -Filter "*.pdb"
  displayName: List files

# Publish every PDB under scanbin to the 'TeamServices' symbol server under
# the product name 'vscode-client'. Source indexing is turned off.
- task: PublishSymbols@2
  displayName: 'Publish Symbols to Artifacts'
  inputs:
    SymbolsFolder: '$(Agent.BuildDirectory)\scanbin'
    SearchPattern: '**/*.pdb'
    SymbolsProduct: 'vscode-client'
    SymbolServerType: 'TeamServices'
    PublishSymbols: true
    IndexSources: false

# Gather the PDBs from scanbin into one flat `symbols` folder, which the
# APIScan step lists as its local symbol location.
# NOTE(review): with flattenFolders enabled, PDBs that share a file name in
# different subfolders end up at the same target path — verify that none of
# the scanned binaries depend on the one that loses.
- task: CopyFiles@2
  displayName: 'Collect Symbols for API Scan'
  condition: succeeded()
  inputs:
    SourceFolder: $(Agent.BuildDirectory)
    Contents: 'scanbin\**\*.pdb'
    TargetFolder: '$(Agent.BuildDirectory)\symbols'
    flattenFolders: true

# Run APIScan over the binaries in scanbin.
# - symbolsFolder lists a symbol server first, then the local flat folder.
# - toolVersion 'Latest' is not pinned, so the scanner version, and with it
#   the findings, can change between runs without any change to this file.
# - The connection string holds identifiers only (app id, tenant id, service
#   connection id); no key or password appears in it.
# - SYSTEM_ACCESSTOKEN hands the job's access token to the task, presumably
#   for the service-connection sign-in — confirm it is required.
- task: APIScan@2
  displayName: Run ApiScan
  condition: succeeded()
  inputs:
    softwareFolder: $(Agent.BuildDirectory)\scanbin
    softwareName: 'vscode-client'
    softwareVersionNum: '1'
    symbolsFolder: 'srv*https://symweb.azurefd.net;$(Agent.BuildDirectory)\symbols'
    isLargeApp: false
    toolVersion: 'Latest'
    azureSubscription: 'vscode-apiscan'
  env:
    AzureServicesAuthConnectionString: 'RunAs=App;AppId=c0940da5-8bd3-4dd3-8af1-40774b50edbd;TenantId=72f988bf-86f1-41af-91ab-2d7cd011db47;ServiceConnectionId=3e55d992-b60d-414d-9071-e4fad359c748;'
    SYSTEM_ACCESSTOKEN: $(System.AccessToken)

# Publish the security-analysis logs of all tools as the build artifact
# 'CodeAnalysisLogs' (container type), without the processed results.
# NOTE(review): scan logs can describe findings in shipped binaries, so
# access to this artifact is worth reviewing alongside the build's
# retention settings.
- task: PublishSecurityAnalysisLogs@3
  inputs:
    ArtifactName: CodeAnalysisLogs
    ArtifactType: Container
    AllTools: true
    PublishProcessedResults: false

# TSA Upload
# Sends the scan results to TSA using the options file kept in the repository.
# NOTE(review): continueOnError is true, so a failed upload does not fail the
# job; the step's own status is the only signal that findings did not reach
# TSA.
- task: securedevelopmentteam.vss-secure-development-tools.build-task-uploadtotsa.TSAUpload@2
  displayName: TSA Upload
  continueOnError: true
  inputs:
    GdnPublishTsaConfigFile: '$(Build.SourcesDirectory)/build/azure-pipelines/config/tsaoptions.json'
    GdnPublishTsaOnboard: true