diff --git a/.vscodeignore b/.vscodeignore
index c4e16b01..5e07e3aa 100644
--- a/.vscodeignore
+++ b/.vscodeignore
@@ -15,4 +15,6 @@ gulpfile.js
*.log
webpack.config.js
node_modules/**
-vendor/**
\ No newline at end of file
+vendor/**
+azure-pipelines.yml
+build/**
\ No newline at end of file
diff --git a/azure-pipelines.yml b/azure-pipelines.yml
index 12fb0e64..49c67f56 100644
--- a/azure-pipelines.yml
+++ b/azure-pipelines.yml
@@ -3,6 +3,16 @@
name: $(Date:yyyyMMdd)$(Rev:.r).0-$(SourceBranchName)
+parameters:
+ - name: SignTypeOverride
+ displayName: Signing type override
+ type: string
+ default: default
+ values:
+ - default
+ - test
+ - real
+
pr:
- master
- dev
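Review bot: The `SignTypeOverride` parameter accepts `real` with no restriction visible in this hunk, so a manually queued run can request production signing for any branch, including one that has not been merged. If that is intended, a comment above the parameter should say so, for example `# 'real' forces production signing regardless of branch; use only for release validation.` Otherwise the `values` list could be limited to `default` and `test`. Whether queue permissions on this pipeline already limit who can do this cannot be seen from the diff.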
@@ -19,7 +29,27 @@ trigger:
pool:
name: VSEngSS-MicroBuild2019-1ES
+variables:
+ # MicroBuild requires TeamName to be set.
+ TeamName: C++ Cross Platform and Cloud
+ # If the user didn't override the signing type, then only real-sign on tags,
+ # master, or dev.
+ ${{ if ne(parameters.SignTypeOverride, 'default') }}:
+ SignType: ${{ parameters.SignTypeOverride }}
+ ${{ if and(eq(parameters.SignTypeOverride, 'default'), or(startsWith(variables['Build.SourceBranch'], 'refs/tags'), eq(variables['Build.SourceBranchName'], 'master'), eq(variables['Build.SourceBranchName'], 'dev'))) }}:
+ SignType: real
+ ${{ if and(eq(parameters.SignTypeOverride, 'default'), not(or(startsWith(variables['Build.SourceBranch'], 'refs/tags'), eq(variables['Build.SourceBranchName'], 'master'), eq(variables['Build.SourceBranchName'], 'dev')))) }}:
+ SignType: test
+
steps:
+ - task: MicroBuildSigningPlugin@3
+ displayName: Install MicroBuild Signing
+ inputs:
+ signType: $(SignType)
+ zipSources: false
+ # MicroBuild signing will always fail on public PRs.
+ condition: ne(variables['Build.Reason'], 'PullRequest')
+
# Run these scanners first so that they don't detect issues in dependencies.
# Failures won't break the build until "Check for compliance errors" step.
- task: CredScan@2
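Review bot: The two `SignType` expressions that decide between `real` and `test` match `Build.SourceBranchName` against `master` and `dev`, and that variable holds only the last path segment of the ref. A branch such as `users/someone/dev` would therefore also be real-signed on a non-PR build. Comparing the full ref is stricter: `eq(variables['Build.SourceBranch'], 'refs/heads/master')` and `eq(variables['Build.SourceBranch'], 'refs/heads/dev')`. The change should be made in both expressions so they remain exact complements of each other.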
@@ -48,15 +78,54 @@ steps:
- script: gulp genAikey
displayName: Use production AI key
condition: and(succeeded(), startsWith(variables['Build.SourceBranch'], 'refs/tags'))
+ # Pack the extension now even though it's unsigned so that we ignore files
+ # from .vscodeignore. This will reduce load on the signing server later and
+ # ensure we only attempt to sign shipping files.
- script: vsce package --out vscode-arduino.vsix
displayName: Build and pack extension
- - publish: vscode-arduino.vsix
- artifact: VS Code extension VSIX
- displayName: Publish extension VSIX as artifact
- task: ComponentGovernanceComponentDetection@0
displayName: Detect components
+ # Extract the VSIX, sign what we can, then pack it back up and publish it.
+ - task: ExtractFiles@1
+ displayName: Extract extension for signing
+ inputs:
+ archiveFilePatterns: vscode-arduino.vsix
+ destinationFolder: $(Build.StagingDirectory)\vscode-arduino
+ - task: NuGetToolInstaller@1
+ displayName: Install NuGet
+ - task: NuGetAuthenticate@0
+ displayName: Authenticate NuGet
+ - script: nuget restore .\build\SignFiles.proj -PackagesDirectory .\build\packages
+ displayName: Restore MicroBuild Core
+ # MicroBuild signing will always fail on public PRs.
+ condition: ne(variables['Build.Reason'], 'PullRequest')
+ - task: MSBuild@1
+ displayName: Sign files
+ inputs:
+ solution: .\build\SignFiles.proj
+ msbuildArguments: /p:SignType=$(SignType)
+ # MicroBuild signing will always fail on public PRs.
+ condition: ne(variables['Build.Reason'], 'PullRequest')
+ - task: ArchiveFiles@2
+ displayName: Pack signed files
+ inputs:
+ rootFolderOrFile: $(Build.StagingDirectory)\vscode-arduino
+ includeRootFolder: false
+ archiveType: zip
+ archiveFile: $(Build.StagingDirectory)\vscode-arduino.vsix
+ - task: MSBuild@1
+ displayName: Sign VSIX
+ inputs:
+ solution: .\build\SignVsix.proj
+ msbuildArguments: /p:SignType=$(SignType)
+ # MicroBuild signing will always fail on public PRs.
+ condition: ne(variables['Build.Reason'], 'PullRequest')
+ - publish: $(Build.StagingDirectory)\vscode-arduino.vsix
+ artifact: VS Code extension VSIX
+ displayName: Publish extension VSIX as artifact
+
# Install the Arduino IDE and run tests.
- script: curl -LO https://downloads.arduino.cc/arduino-1.8.19-windows.zip
displayName: Download Arduino IDE
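Review bot: The three signing steps here (`Restore MicroBuild Core`, `Sign files`, `Sign VSIX`) set `condition: ne(variables['Build.Reason'], 'PullRequest')`, which replaces the default `succeeded()` check. They will therefore still run after an earlier step has failed, for instance signing whatever is left in the staging folder after a failed `vsce package` or extract. The file's existing convention, seen on the `Use production AI key` step, is `and(succeeded(), ...)`; here that would be `condition: and(succeeded(), ne(variables['Build.Reason'], 'PullRequest'))`. The same applies to the `Install MicroBuild Signing` step in the previous hunk.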
@@ -114,6 +183,9 @@ steps:
action: create
target: $(Build.SourceVersion)
tagSource: auto
- assets: $(Build.SourcesDirectory)\vscode-arduino.vsix
+ assets: $(Build.StagingDirectory)\vscode-arduino.vsix
isPreRelease: $[contains(variables['Build.SourceBranch'], '-rc')]
condition: and(succeeded(), startsWith(variables['Build.SourceBranch'], 'refs/tags'))
+
+ - task: MicroBuildCleanup@1
+ displayName: Clean up MicroBuild
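Review bot: `MicroBuildCleanup@1` is added without a `condition`, so it takes the default `succeeded()` and is skipped whenever an earlier step fails, which is the case where leftover signing setup on the agent matters most. It also runs on pull requests, where the signing plugin was never installed. Something like `condition: and(always(), ne(variables['Build.Reason'], 'PullRequest'))` would pair it with the install step. Whether the task tolerates a missing plugin install is not visible here, so confirm that before relying on the current behaviour for PR builds.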
diff --git a/build/SignFiles.proj b/build/SignFiles.proj
new file mode 100644
index 00000000..19a18ba7
--- /dev/null
+++ b/build/SignFiles.proj
@@ -0,0 +1,30 @@
+
+
+
+
+
+ $(BUILD_STAGINGDIRECTORY)\vscode-arduino\extension
+
+ $(BaseOutputDirectory)
+ $(BaseOutputDirectory)
+
+
+
+
+ Microsoft400
+
+
+
+ Microsoft400
+
+
+ Microsoft400
+
+
+ 3PartyScriptsSHA2
+
+
+
+
+
\ No newline at end of file
diff --git a/build/SignVsix.proj b/build/SignVsix.proj
new file mode 100644
index 00000000..bf9b6047
--- /dev/null
+++ b/build/SignVsix.proj
@@ -0,0 +1,19 @@
+
+
+
+
+
+ $(BUILD_STAGINGDIRECTORY)
+
+ $(BaseOutputDirectory)
+ $(BaseOutputDirectory)
+
+
+
+
+ VsixSHA2
+
+
+
+
+
\ No newline at end of file
diff --git a/build/packages.config b/build/packages.config
new file mode 100644
index 00000000..df03298c
--- /dev/null
+++ b/build/packages.config
@@ -0,0 +1,4 @@
+
+
+
+
\ No newline at end of file