Setup publish stage in release pipeline

This splits the release into three stages: build, sign, and publish. The
last stage requires a manual approval on its deployment job's associated
environment. When approved, it creates a draft GitHub release using our
ReleaseTools module and securely uploads the artifacts directly from the
build agent, thus taking developer machines out of the release process.

Author: andyleejordan

.vsts-ci/azure-pipelines-release.yml

@@ -18,24 +18,43 @@ resources:
   repositories:
   - repository: ComplianceRepo
     type: github
-    endpoint: ComplianceGHRepo
+    endpoint: GitHub
     name: PowerShell/compliance
+  - repository: vscode-powershell
+    type: git
+    name: vscode-powershell
 
-jobs:
-- job: 'ReleaseBuild'
-  displayName: 'Build release'
-  pool:
-    vmImage: 'vs2017-win2016'
-  steps:
-  - template: templates/ci-general.yml
-
-- job: 'SignBuild'
-  displayName: Signing Build
-  dependsOn: 'ReleaseBuild'
-  pool:
-    name: '1ES'
-    demands: ImageOverride -equals MMS2019
-  variables:
-  - group: ESRP
-  steps:
-  - template: templates/release-general.yml
+stages:
+- stage: Build
+  displayName: Build the release
+  jobs:
+  - job: Build
+    pool:
+      vmImage: vs2017-win2016
+    steps:
+    - template: templates/ci-general.yml
+- stage: Sign
+  displayName: Sign the release
+  jobs:
+  - job: Sign
+    pool:
+      name: 1ES
+      demands: ImageOverride -equals MMS2019
+    variables:
+    - group: ESRP
+    steps:
+    - template: templates/release-general.yml
+- stage: Publish
+  displayName: Publish the draft release
+  jobs:
+  - deployment: Publish
+    environment: PowerShellEditorServices
+    pool:
+      name: 1ES
+    variables:
+    - group: Publish
+    strategy:
+      runOnce:
+        deploy:
+          steps:
+          - template: templates/publish-general.yml

.vsts-ci/templates/publish-general.yml

@@ -0,0 +1,12 @@
+steps:
+- checkout: self
+- checkout: vscode-powershell
+- pwsh: |
+    Set-PSRepository -Name PSGallery -InstallationPolicy Trusted | Out-Null
+    Install-Module -Name PowerShellForGitHub -Scope CurrentUser -Force -Confirm:$false
+    Import-Module '$(Build.SourcesDirectory)/vscode-powershell/tools/ReleaseTools.psm1'
+    Set-GitHubConfiguration -SuppressTelemetryReminder
+    $password = ConvertTo-SecureString -String '$(GitHubToken)' -AsPlainText -Force
+    Set-GitHubAuthentication -Credential (New-Object System.Management.Automation.PSCredential ("token", $password))
+    New-DraftRelease -RepositoryName PowerShellEditorServices -Assets '$(Pipeline.Workspace)/PowerShellEditorServices/PowerShellEditorServices.zip'
+  displayName: Drafting a GitHub Release

.vsts-ci/templates/release-general.yml

@@ -1,27 +1,29 @@
 steps:
 
+# TODO: Replace build artifacts with pipeline artifacts
 - task: DownloadBuildArtifacts@0
-  displayName: 'Download Build Artifacts'
+  displayName: Download build artifacts
   inputs:
     downloadType: specific
 
 - task: ExtractFiles@1
-  displayName: 'Extract Build Zip'
+  displayName: Unzip build artifacts
   inputs:
-    archiveFilePatterns: '$(Build.ArtifactStagingDirectory)/PowerShellEditorServices-CI/PowerShellEditorServices*.zip'
-    destinationFolder: '$(Build.ArtifactStagingDirectory)/PowerShellEditorServices'
+    archiveFilePatterns: $(Build.ArtifactStagingDirectory)/PowerShellEditorServices-CI/PowerShellEditorServices*.zip
+    destinationFolder: $(Build.ArtifactStagingDirectory)/Unsigned
 
 - checkout: ComplianceRepo
-  displayName: 'Checkout the ComplianceRepo'
 
+# NOTE: The signing templates explicitly copy everything along as they run, so
+# the last output path has every signed (and intentionally unsigned) file.
 - template: EsrpSign.yml@ComplianceRepo
   parameters:
-    buildOutputPath: '$(Build.ArtifactStagingDirectory)/PowerShellEditorServices'
-    signOutputPath: '$(Build.ArtifactStagingDirectory)/FirstPartySigned'
-    alwaysCopy: true # So publishing works
-    certificateId: 'CP-230012' # Authenticode certificate
-    useMinimatch: true # This enables the use of globbing
+    buildOutputPath: $(Build.ArtifactStagingDirectory)/Unsigned
+    signOutputPath: $(Build.ArtifactStagingDirectory)/FirstPartySigned
+    alwaysCopy: true
+    certificateId: CP-230012 # Authenticode certificate
     shouldSign: true # We always want to sign
+    useMinimatch: true # This enables the use of globbing
     pattern: |
       # PowerShellEditorServices Script
       PowerShellEditorServices/*.{ps1,psd1,psm1,ps1xml}
@@ -35,12 +37,12 @@ steps:
 
 - template: EsrpSign.yml@ComplianceRepo
   parameters:
-    buildOutputPath: '$(Build.ArtifactStagingDirectory)/FirstPartySigned'
-    signOutputPath: '$(Build.ArtifactStagingDirectory)/ThirdPartySigned'
-    alwaysCopy: true # So publishing works
-    certificateId: 'CP-231522' # Third-party certificate
-    useMinimatch: true # This enables the use of globbing
+    buildOutputPath: $(Build.ArtifactStagingDirectory)/FirstPartySigned
+    signOutputPath: $(Build.ArtifactStagingDirectory)/ThirdPartySigned
+    alwaysCopy: true
+    certificateId: CP-231522 # Third-party certificate
     shouldSign: true # We always want to sign
+    useMinimatch: true # This enables the use of globbing
     pattern: |
       **/MediatR.dll
       **/Nerdbank.Streams.dll
@@ -49,9 +51,19 @@ steps:
       **/Serilog*.dll
       **/UnixConsoleEcho.dll
 
-- publish: $(Build.ArtifactStagingDirectory)/ThirdPartySigned
+- task: ArchiveFiles@2
+  displayName: Zip finished assets
+  inputs:
+    rootFolderOrFile: $(Build.ArtifactStagingDirectory)/ThirdPartySigned
+    includeRootFolder: false
+    archiveType: zip
+    archiveFile: $(Build.ArtifactStagingDirectory)/PowerShellEditorServices.zip
+    replaceExistingArchive: true
+    verbose: true
+
+- publish: $(Build.ArtifactStagingDirectory)/PowerShellEditorServices.zip
   artifact: PowerShellEditorServices
-  displayName: 'Publish signed (and unsigned) artifacts'
+  displayName: Publish signed pipeline artifacts
 
 - checkout: self