vscode/build/azure-pipelines/cli/cli-win32-sign.yml

parameters:
  - name: VSCODE_CLI_ARTIFACTS
    type: object
    default: []

steps:
  - task: AzureKeyVault@2
    displayName: "Azure Key Vault: Get Secrets"
    inputs:
      azureSubscription: "vscode-builds-subscription"
      KeyVaultName: vscode-build-secrets
      SecretsFilter: "ESRP-PKI,esrp-aad-username,esrp-aad-password"

  - task: UseDotNet@2
    inputs:
      version: 6.x

  - task: EsrpClientTool@1
    displayName: "Use ESRP client"

  - ${{ each target in parameters.VSCODE_CLI_ARTIFACTS }}:
      - task: DownloadPipelineArtifact@2
        displayName: Download artifact
        inputs:
          artifact: ${{ target }}
          path: $(Build.ArtifactStagingDirectory)/pkg/${{ target }}

      - task: ExtractFiles@1
        displayName: Extract artifact
        inputs:
          archiveFilePatterns: $(Build.ArtifactStagingDirectory)/pkg/${{ target }}/*.zip
          destinationFolder: $(Build.ArtifactStagingDirectory)/sign/${{ target }}

  - powershell: |
      . build/azure-pipelines/win32/exec.ps1
      $ErrorActionPreference = "Stop"
      $EsrpClientTool = (gci -directory -filter EsrpClientTool_* $(Agent.RootDirectory)\_tasks | Select-Object -last 1).FullName
      $EsrpCliZip = (gci -recurse -filter esrpcli.*.zip $EsrpClientTool | Select-Object -last 1).FullName
      mkdir -p $(Agent.TempDirectory)\esrpcli
      Expand-Archive -Path $EsrpCliZip -DestinationPath $(Agent.TempDirectory)\esrpcli
      $EsrpCliDllPath = (gci -recurse -filter esrpcli.dll $(Agent.TempDirectory)\esrpcli | Select-Object -last 1).FullName
      echo "##vso[task.setvariable variable=EsrpCliDllPath]$EsrpCliDllPath"
    displayName: Find ESRP CLI

  - powershell: node build\azure-pipelines\common\sign $env:EsrpCliDllPath sign-windows $(ESRP-PKI) $(esrp-aad-username) $(esrp-aad-password) $(Build.ArtifactStagingDirectory)/sign "*.exe"
    displayName: Codesign

  - ${{ each target in parameters.VSCODE_CLI_ARTIFACTS }}:
      - powershell: |
          $ASSET_ID = "${{ target }}".replace("unsigned_", "");
          echo "##vso[task.setvariable variable=ASSET_ID]$ASSET_ID"
        displayName: Set asset id variable

      - task: ArchiveFiles@2
        displayName: Archive signed files
        inputs:
          rootFolderOrFile: $(Build.ArtifactStagingDirectory)/sign/${{ target }}
          includeRootFolder: false
          archiveType: zip
          archiveFile: $(Build.ArtifactStagingDirectory)/$(ASSET_ID).zip

      - task: 1ES.PublishPipelineArtifact@1
        inputs:
          targetPath: $(Build.ArtifactStagingDirectory)/$(ASSET_ID).zip
          artifactName: $(ASSET_ID)
          sbomBuildDropPath: $(Build.ArtifactStagingDirectory)/sign/${{ target }}
          sbomPackageName: "VS Code Windows ${{ target }} CLI"
          sbomPackageVersion: $(Build.SourceVersion)
        displayName: Publish signed artifact with ID $(ASSET_ID)
Initial commit 2024-11-15 06:29:18 +00:00			`parameters:`
			`- name: VSCODE_CLI_ARTIFACTS`
			`type: object`
			`default: []`

			`steps:`
			`- task: AzureKeyVault@2`
			`displayName: "Azure Key Vault: Get Secrets"`
			`inputs:`
			`azureSubscription: "vscode-builds-subscription"`
			`KeyVaultName: vscode-build-secrets`
			`SecretsFilter: "ESRP-PKI,esrp-aad-username,esrp-aad-password"`

			`- task: UseDotNet@2`
			`inputs:`
			`version: 6.x`

			`- task: EsrpClientTool@1`
			`displayName: "Use ESRP client"`

			`- ${{ each target in parameters.VSCODE_CLI_ARTIFACTS }}:`
			`- task: DownloadPipelineArtifact@2`
			`displayName: Download artifact`
			`inputs:`
			`artifact: ${{ target }}`
			`path: $(Build.ArtifactStagingDirectory)/pkg/${{ target }}`

			`- task: ExtractFiles@1`
			`displayName: Extract artifact`
			`inputs:`
			`archiveFilePatterns: $(Build.ArtifactStagingDirectory)/pkg/${{ target }}/*.zip`
			`destinationFolder: $(Build.ArtifactStagingDirectory)/sign/${{ target }}`

			`- powershell: \|`
			`. build/azure-pipelines/win32/exec.ps1`
			`$ErrorActionPreference = "Stop"`
			`$EsrpClientTool = (gci -directory -filter EsrpClientTool_* $(Agent.RootDirectory)\_tasks \| Select-Object -last 1).FullName`
			`$EsrpCliZip = (gci -recurse -filter esrpcli.*.zip $EsrpClientTool \| Select-Object -last 1).FullName`
			`mkdir -p $(Agent.TempDirectory)\esrpcli`
			`Expand-Archive -Path $EsrpCliZip -DestinationPath $(Agent.TempDirectory)\esrpcli`
			`$EsrpCliDllPath = (gci -recurse -filter esrpcli.dll $(Agent.TempDirectory)\esrpcli \| Select-Object -last 1).FullName`
			`echo "##vso[task.setvariable variable=EsrpCliDllPath]$EsrpCliDllPath"`
			`displayName: Find ESRP CLI`

			`- powershell: node build\azure-pipelines\common\sign $env:EsrpCliDllPath sign-windows $(ESRP-PKI) $(esrp-aad-username) $(esrp-aad-password) $(Build.ArtifactStagingDirectory)/sign "*.exe"`
			`displayName: Codesign`

			`- ${{ each target in parameters.VSCODE_CLI_ARTIFACTS }}:`
			`- powershell: \|`
			`$ASSET_ID = "${{ target }}".replace("unsigned_", "");`
			`echo "##vso[task.setvariable variable=ASSET_ID]$ASSET_ID"`
			`displayName: Set asset id variable`

			`- task: ArchiveFiles@2`
			`displayName: Archive signed files`
			`inputs:`
			`rootFolderOrFile: $(Build.ArtifactStagingDirectory)/sign/${{ target }}`
			`includeRootFolder: false`
			`archiveType: zip`
			`archiveFile: $(Build.ArtifactStagingDirectory)/$(ASSET_ID).zip`

			`- task: 1ES.PublishPipelineArtifact@1`
			`inputs:`
			`targetPath: $(Build.ArtifactStagingDirectory)/$(ASSET_ID).zip`
			`artifactName: $(ASSET_ID)`
			`sbomBuildDropPath: $(Build.ArtifactStagingDirectory)/sign/${{ target }}`
			`sbomPackageName: "VS Code Windows ${{ target }} CLI"`
			`sbomPackageVersion: $(Build.SourceVersion)`
			`displayName: Publish signed artifact with ID $(ASSET_ID)`