Update Release Pipeline (#176)

Update release pipeline to sign extension before publishing
microsoft · Nov 4, 2024 · 0a0bc9e · 0a0bc9e
1 parent a479713
commit 0a0bc9e
Show file tree

Hide file tree

Showing 8 changed files with 227 additions and 101 deletions.
diff --git a/.azure/azure-pipelines-release.yml b/.azure/azure-pipelines-release.yml
@@ -4,48 +4,51 @@ name: vscode-makecode Release
 trigger: none
 pr: none
 
-pool:
-  vmImage: 'ubuntu-latest'
+parameters:
+- name: nodeVersion
+  type: string
+  default: '20.x'
+- name: isPreRelease
+  type: boolean
+  default: false
+
+resources:
+  repositories:
+  - repository: CustomPipelineTemplates
+    type: git
+    name: 1ESPipelineTemplates/MicroBuildTemplate
 
 variables:
 - group: 'makecode-marketplace-pat'
 
-stages:
-  # Stage to build the VSIX and publish it
-- stage: Build
-  displayName: Build the VSIX
-  jobs:
-  - job: Build
-    steps:
-    - template: templates/build.yml
+extends:
+  template: azure-pipelines/MicroBuild.1ES.Official.yml@CustomPipelineTemplates
+  parameters:
+    pool:
+      name: AzurePipelines-EO
+      image: 1ESPT-Ubuntu22.04
+      os: linux
+    sdl:
+      sourceAnalysisPool:
+        name: AzurePipelines-EO
+        image: 1ESPT-Windows2022
+    stages:
+      # Stage to build the VSIX and publish it
+    - template: stages/build.yml
       parameters:
-        isPreRelease: false
-
-  # Stage provides a manual approval step before the publish stage is run
-- stage: Approval
-  displayName: Approve the release
-  jobs:
-  - deployment: ApproveRelease
-    displayName: "Approve Release"
-    environment: "makecode" # Defined in AzDO Pipeline environments
-    strategy:
-      runOnce:
-        deploy:
-          steps:
-            - checkout: none
-
-  # Publish the VSIX to the extension marketplace 
-- stage: Publish
-  displayName: Publish the VSIX
-  dependsOn:
-    - Build
-    - Approval
-  jobs:
-  - job: Publish
-    variables:
-    - name: vsixName
-      value: $[ stageDependencies.Build.Build.outputs['SetExtensionName.VSIX'] ]
-    steps:
-    - template: templates/publish.yml
+        isPreRelease: ${{ parameters.isPreRelease }}
+        nodeVersion: ${{ parameters.nodeVersion }}
+        signType: 'real'
+
+    # - template: stages/sign.yml
+    #   parameters:
+    #     signType: 'real'
+    #     nodeVersion: ${{ parameters.nodeVersion }}
+
+    # Stage provides a manual approval step before the publish stage is run
+    - template: stages/approval.yml
+
+    # Publish the VSIX to the extension marketplace
+    - template: stages/publish.yml
       parameters:
-        isPreRelease: false
+        isPreRelease: ${{ parameters.isPreRelease }}
diff --git a/.azure/stages/approval.yml b/.azure/stages/approval.yml
@@ -0,0 +1,15 @@
+stages:
+- stage: Approval
+  displayName: Approve the release
+  dependsOn: Build
+  jobs:
+  - job: ApproveRelease
+    displayName: "Approve Release"
+    pool: server
+    timeoutInMinutes: 120
+    steps:
+      - task: ManualValidation@0
+        inputs:
+          notifyUsers: ''
+          instructions: 'Please approve the release before continuing'
+          onTimeout: 'reject'
diff --git a/.azure/stages/build.yml b/.azure/stages/build.yml
@@ -0,0 +1,52 @@
+parameters:
+  - name: isPreRelease
+    type: boolean
+  - name: nodeVersion
+    type: string
+  - name: signType
+    type: string
+
+stages:
+- stage: Build
+  displayName: Build the VSIX & sign it
+  jobs:
+  - job: Build
+    steps:
+    - checkout: self
+
+    - task: NodeTool@0
+      displayName: 🔨 Install Node.js
+      inputs:
+        versionSpec: ${{ parameters.nodeVersion }}
+
+    # Create a unique filename for the extension vsix to match the verison number
+    - bash: |
+        VSIX=$(node -p "require(\"./package.json\").publisher + \".\" + require(\"./package.json\").name + \".\" + require(\"./package.json\").version + \".vsix\"")
+        echo "##vso[task.setvariable variable=VSIX;isOutput=true]$VSIX"
+      name: SetExtensionName
+      displayName: Set VSIX file name
+
+    # Yarn package script to build the vsix file
+    - bash: |
+        echo "Compiling Production Webpack"
+        yarn && yarn package-web
+        echo "Compiled Production Webpack"
+      displayName: Compile
+
+    - ${{ if parameters.isPreRelease }}:
+      - script: npx @vscode/vsce@latest package -o $(Build.ArtifactStagingDirectory)/$(SetExtensionName.VSIX) --pre-release
+        displayName: Package pre-release extension VSIX
+
+    - ${{ else }}:
+      - script: npx @vscode/vsce@latest package -o $(Build.ArtifactStagingDirectory)/$(SetExtensionName.VSIX)
+        displayName: Package extension VSIX
+
+    - task: 1ES.PublishPipelineArtifact@1
+      inputs:
+        path: $(Build.ArtifactStagingDirectory)/$(SetExtensionName.VSIX)
+        artifact: extension
+        sbomBuildDropPath: $(Build.ArtifactStagingDirectory)
+
+    - template: ../steps/sign.yml
+      parameters:
+        signType: ${{ parameters.signType }}
diff --git a/.azure/stages/publish.yml b/.azure/stages/publish.yml
@@ -0,0 +1,43 @@
+parameters:
+  - name: isPreRelease
+    type: boolean
+
+stages:
+- stage: Publish
+  displayName: Publish the VSIX
+  dependsOn:
+    - Build
+    - Approval
+  jobs:
+  - job: Publish
+    variables:
+    - name: vsixName
+      value: $[ stageDependencies.Build.Build.outputs['SetExtensionName.VSIX'] ]
+    steps:
+    - download: current
+      artifact: extension
+      displayName: 🚚 Download extension artifact
+
+    - download: current
+      artifact: extension-manifest
+      displayName: 🚚 Download extension manifest artifact
+
+    - download: current
+      artifact: extension-signature
+      displayName: 🚚 Download extension signature artifact
+
+
+    - ${{ if parameters.isPreRelease }}:
+      - bash: echo "Publishing PreRelease"
+      - script: npx @vscode/vsce@latest publish --packagePath $(Pipeline.Workspace)/extension/$(vsixName) --manifestPath $(Pipeline.Workspace)/extension-manifest/$(vsixName).manifest --signaturePath $(Pipeline.Workspace)/extension-signature/$(vsixName).signature.p7s --pre-release
+        displayName: Publish pre-release extension
+        env:
+          # Marketplace PAT needs to be uploaded as a pipeline variable
+          VSCE_PAT: $(marketplace-pat)
+
+    - ${{ else }}:
+      - bash: echo "Publishing Release"
+      - script: npx @vscode/vsce@latest publish --packagePath $(Pipeline.Workspace)/extension/$(vsixName) --manifestPath $(Pipeline.Workspace)/extension-manifest/$(vsixName).manifest --signaturePath $(Pipeline.Workspace)/extension-signature/$(vsixName).signature.p7s
+        displayName: Publish extension
+        env:
+          VSCE_PAT: $(marketplace-pat)
diff --git a/.azure/steps/sign.yml b/.azure/steps/sign.yml
@@ -0,0 +1,74 @@
+parameters:
+  - name: signType
+    type: string
+
+steps:
+- task: UseDotNet@2
+  displayName: "Install dotnet SDK"
+  inputs:
+    packageType: "sdk"
+    version: "6.0.x"
+
+# Need this to run signing plugins
+- task: UseDotNet@2
+  displayName: "Install dotnet 3.1.0 SDK"
+  inputs:
+    packageType: "sdk"
+    version: "3.1.x"
+
+- task: NuGetAuthenticate@0
+- task: MicroBuildSigningPlugin@4
+  displayName: "Install Signing Plugin"
+  inputs:
+    signType: ${{ parameters.signType }}
+    azureSubscription: "MicroBuild Signing Task (DevDiv)"
+    feedSource: "https://devdiv.pkgs.visualstudio.com/DefaultCollection/_packaging/MicroBuildToolset/nuget/v3/index.json"
+  env:
+    TeamName: "$(TeamName)"
+
+- script: npx @vscode/vsce@latest generate-manifest -i $(SetExtensionName.VSIX) -o $(SetExtensionName.VSIX).manifest
+  displayName: 'Generate extension manifest'
+  workingDirectory: $(Build.ArtifactStagingDirectory)
+
+- script: cp $(SetExtensionName.VSIX).manifest $(SetExtensionName.VSIX).signature.p7s
+  displayName: 'Prepare manifest for signing'
+  workingDirectory: $(Build.ArtifactStagingDirectory)
+
+- script: |
+    cat <<EOT >> signfilelist-extension.xml
+    <?xml version="1.0" encoding="utf-8" ?>
+    <!--
+    This file is used by the public release pipelines to specify the files to be signed and the certificate to be used.
+    For the cert number used, see https://dev.azure.com/devdiv/DevDiv/_wiki/wikis/DevDiv.wiki/658/Signing-Cert-Guidance
+    -->
+    <filelist>
+      <certificate certnumbers="4014052">
+        <file srcpath="$(Build.ArtifactStagingDirectory)/$(SetExtensionName.VSIX).signature.p7s"></file>
+      </certificate>
+    </filelist>
+    EOT
+  displayName: "Create the signfilelist"
+
+# Sign Files
+- powershell: |
+    dotnet (get-item $(Build.ArtifactStagingDirectory)/MicroBuild/Plugins/MicroBuild.Plugins.Signing.*/build/DDSignFiles.dll).FullName -- /filelist:signfilelist-extension.xml
+  displayName: "Sign VSIX"
+
+# Clean up MicroBuild
+- task: MicroBuildCleanup@1
+
+- powershell: |
+    Remove-Item -Recurse -Force $(Build.ArtifactStagingDirectory)/MicroBuild
+  displayName: "Clean up MicroBuild folder"
+
+- task: 1ES.PublishPipelineArtifact@1
+  inputs:
+    path: $(Build.ArtifactStagingDirectory)/$(SetExtensionName.VSIX).manifest
+    artifact: extension-manifest
+    sbomBuildDropPath: $(Build.ArtifactStagingDirectory)
+
+- task: 1ES.PublishPipelineArtifact@1
+  inputs:
+    path: $(Build.ArtifactStagingDirectory)/$(SetExtensionName.VSIX).signature.p7s
+    artifact: extension-signature
+    sbomBuildDropPath: $(Build.ArtifactStagingDirectory)
diff --git a/.azure/templates/build.yml b/.azure/templates/build.yml
diff --git a/.azure/templates/publish.yml b/.azure/templates/publish.yml
diff --git a/package.json b/package.json
@@ -347,7 +347,7 @@
     "@typescript-eslint/eslint-plugin": "^5.38.1",
     "@typescript-eslint/parser": "^5.38.1",
     "@vscode/l10n-dev": "^0.0.22",
-    "@vscode/test-web": "^0.0.30",
+    "@vscode/test-web": "^0.0.63",
     "assert": "^2.0.0",
     "eslint": "^8.24.0",
     "mocha": "^10.0.0",