2022-06-14 14:37:10 +08:00
|
|
|
trigger: none
|
|
|
|
|
pr: none
|
|
|
|
|
|
|
|
|
|
parameters:
|
2024-04-30 20:57:13 +08:00
|
|
|
- name: NPM_REGISTRY
|
|
|
|
|
displayName: "Custom NPM Registry"
|
|
|
|
|
type: string
|
|
|
|
|
default: "https://pkgs.dev.azure.com/monacotools/Monaco/_packaging/vscode/npm/registry/"
|
2022-06-14 14:37:10 +08:00
|
|
|
- name: SCAN_WINDOWS
|
|
|
|
|
displayName: "Scan Windows"
|
|
|
|
|
type: boolean
|
|
|
|
|
default: true
|
|
|
|
|
- name: SCAN_LINUX
|
|
|
|
|
displayName: "Scan Linux"
|
|
|
|
|
type: boolean
|
|
|
|
|
default: false
|
|
|
|
|
|
|
|
|
|
variables:
|
2024-04-30 20:57:13 +08:00
|
|
|
- name: NPM_REGISTRY
|
|
|
|
|
value: ${{ parameters.NPM_REGISTRY }}
|
2022-06-14 14:37:10 +08:00
|
|
|
- name: SCAN_WINDOWS
|
|
|
|
|
value: ${{ eq(parameters.SCAN_WINDOWS, true) }}
|
|
|
|
|
- name: SCAN_LINUX
|
|
|
|
|
value: ${{ eq(parameters.SCAN_LINUX, true) }}
|
|
|
|
|
- name: VSCODE_MIXIN_REPO
|
|
|
|
|
value: microsoft/vscode-distro
|
|
|
|
|
- name: skipComponentGovernanceDetection
|
|
|
|
|
value: true
|
|
|
|
|
- name: NPM_ARCH
|
|
|
|
|
value: x64
|
|
|
|
|
- name: VSCODE_ARCH
|
|
|
|
|
value: x64
|
2024-04-30 20:57:13 +08:00
|
|
|
- name: Codeql.enabled
|
|
|
|
|
value: true
|
|
|
|
|
- name: Codeql.TSAEnabled
|
|
|
|
|
value: true
|
|
|
|
|
- name: Codeql.TSAOptionsPath
|
|
|
|
|
value: '$(Build.SourcesDirectory)\build\azure-pipelines\config\tsaoptions.json'
|
2022-06-14 14:37:10 +08:00
|
|
|
|
|
|
|
|
stages:
|
|
|
|
|
- stage: Windows
|
|
|
|
|
condition: eq(variables.SCAN_WINDOWS, 'true')
|
2024-04-30 20:57:13 +08:00
|
|
|
pool: 1es-windows-2019-x64
|
2022-06-14 14:37:10 +08:00
|
|
|
jobs:
|
|
|
|
|
- job: WindowsJob
|
|
|
|
|
timeoutInMinutes: 0
|
|
|
|
|
steps:
|
|
|
|
|
- task: CredScan@3
|
|
|
|
|
continueOnError: true
|
|
|
|
|
inputs:
|
|
|
|
|
scanFolder: "$(Build.SourcesDirectory)"
|
|
|
|
|
outputFormat: "pre"
|
2024-04-30 20:57:13 +08:00
|
|
|
|
2022-06-14 14:37:10 +08:00
|
|
|
- task: NodeTool@0
|
|
|
|
|
inputs:
|
2024-04-30 20:57:13 +08:00
|
|
|
versionSource: fromFile
|
|
|
|
|
versionFilePath: .nvmrc
|
|
|
|
|
nodejsMirror: https://github.com/joaomoreno/node-mirror/releases/download
|
|
|
|
|
|
|
|
|
|
- template: ./distro/download-distro.yml
|
2022-06-14 14:37:10 +08:00
|
|
|
|
|
|
|
|
- task: AzureKeyVault@1
|
|
|
|
|
displayName: "Azure Key Vault: Get Secrets"
|
|
|
|
|
inputs:
|
|
|
|
|
azureSubscription: "vscode-builds-subscription"
|
2024-04-30 20:57:13 +08:00
|
|
|
KeyVaultName: vscode-build-secrets
|
2022-06-14 14:37:10 +08:00
|
|
|
SecretsFilter: "github-distro-mixin-password"
|
|
|
|
|
|
|
|
|
|
- powershell: |
|
|
|
|
|
. build/azure-pipelines/win32/exec.ps1
|
|
|
|
|
$ErrorActionPreference = "Stop"
|
2024-04-30 20:57:13 +08:00
|
|
|
exec { npm config set registry "$env:NPM_REGISTRY" --location=project }
|
|
|
|
|
# npm >v7 deprecated the `always-auth` config option, refs npm/cli@72a7eeb
|
|
|
|
|
# following is a workaround for yarn to send authorization header
|
|
|
|
|
# for GET requests to the registry.
|
|
|
|
|
exec { Add-Content -Path .npmrc -Value "always-auth=true" }
|
|
|
|
|
exec { yarn config set registry "$env:NPM_REGISTRY" }
|
|
|
|
|
condition: and(succeeded(), ne(variables.NODE_MODULES_RESTORED, 'true'), ne(variables['NPM_REGISTRY'], 'none'))
|
|
|
|
|
displayName: Setup NPM & Yarn
|
2022-06-14 14:37:10 +08:00
|
|
|
|
2024-04-30 20:57:13 +08:00
|
|
|
- task: npmAuthenticate@0
|
|
|
|
|
inputs:
|
|
|
|
|
workingFile: .npmrc
|
|
|
|
|
condition: and(succeeded(), ne(variables.NODE_MODULES_RESTORED, 'true'), ne(variables['NPM_REGISTRY'], 'none'))
|
|
|
|
|
displayName: Setup NPM Authentication
|
2022-06-14 14:37:10 +08:00
|
|
|
|
|
|
|
|
- powershell: |
|
|
|
|
|
. build/azure-pipelines/win32/exec.ps1
|
|
|
|
|
$ErrorActionPreference = "Stop"
|
2024-04-30 20:57:13 +08:00
|
|
|
exec { node build/setup-npm-registry.js $env:NPM_REGISTRY }
|
|
|
|
|
condition: and(succeeded(), ne(variables.NODE_MODULES_RESTORED, 'true'), ne(variables['NPM_REGISTRY'], 'none'))
|
|
|
|
|
displayName: Setup NPM Registry
|
|
|
|
|
|
|
|
|
|
- task: CodeQL3000Init@0
|
|
|
|
|
displayName: CodeQL Initialize
|
|
|
|
|
condition: eq(variables['Codeql.enabled'], 'True')
|
2022-06-14 14:37:10 +08:00
|
|
|
|
|
|
|
|
- powershell: |
|
2024-04-30 20:57:13 +08:00
|
|
|
mkdir -Force .build/node-gyp
|
|
|
|
|
displayName: Create custom node-gyp directory
|
|
|
|
|
condition: and(succeeded(), ne(variables.NODE_MODULES_RESTORED, 'true'))
|
2022-06-14 14:37:10 +08:00
|
|
|
|
2024-04-30 20:57:13 +08:00
|
|
|
- powershell: |
|
|
|
|
|
. ../../build/azure-pipelines/win32/exec.ps1
|
|
|
|
|
$ErrorActionPreference = "Stop"
|
|
|
|
|
# TODO: Should be replaced with upstream URL once https://github.com/nodejs/node-gyp/pull/2825
|
|
|
|
|
# gets merged.
|
|
|
|
|
exec { git clone https://github.com/rzhao271/node-gyp.git . } "Cloning rzhao271/node-gyp failed"
|
|
|
|
|
exec { git checkout 102b347da0c92c29f9c67df22e864e70249cf086 } "Checking out 102b347 failed"
|
|
|
|
|
exec { npm install } "Building rzhao271/node-gyp failed"
|
|
|
|
|
exec { python3 -m pip install setuptools } "Installing setuptools failed"
|
|
|
|
|
displayName: Install custom node-gyp
|
|
|
|
|
workingDirectory: .build/node-gyp
|
|
|
|
|
condition: and(succeeded(), ne(variables.NODE_MODULES_RESTORED, 'true'))
|
2022-06-14 14:37:10 +08:00
|
|
|
|
|
|
|
|
- powershell: |
|
|
|
|
|
. build/azure-pipelines/win32/exec.ps1
|
|
|
|
|
. build/azure-pipelines/win32/retry.ps1
|
|
|
|
|
$ErrorActionPreference = "Stop"
|
2024-04-30 20:57:13 +08:00
|
|
|
$env:npm_config_node_gyp = "$(Join-Path $pwd.Path '.build/node-gyp/bin/node-gyp.js')"
|
|
|
|
|
$env:npm_config_arch = "$(NPM_ARCH)"
|
2022-06-14 14:37:10 +08:00
|
|
|
retry { exec { yarn --frozen-lockfile --check-files } }
|
|
|
|
|
env:
|
|
|
|
|
PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1
|
|
|
|
|
GITHUB_TOKEN: "$(github-distro-mixin-password)"
|
|
|
|
|
CHILD_CONCURRENCY: 1
|
|
|
|
|
displayName: Install dependencies
|
|
|
|
|
|
2024-04-30 20:57:13 +08:00
|
|
|
- script: node build/azure-pipelines/distro/mixin-npm
|
|
|
|
|
displayName: Mixin distro node modules
|
|
|
|
|
|
|
|
|
|
- script: node build/azure-pipelines/distro/mixin-quality
|
|
|
|
|
displayName: Mixin distro quality
|
|
|
|
|
env:
|
|
|
|
|
VSCODE_QUALITY: stable
|
|
|
|
|
|
|
|
|
|
- powershell: yarn compile
|
|
|
|
|
displayName: Compile
|
|
|
|
|
|
|
|
|
|
- task: CodeQL3000Finalize@0
|
|
|
|
|
displayName: CodeQL Finalize
|
|
|
|
|
condition: eq(variables['Codeql.enabled'], 'True')
|
|
|
|
|
|
|
|
|
|
- powershell: yarn gulp "vscode-symbols-win32-$(VSCODE_ARCH)"
|
|
|
|
|
env:
|
|
|
|
|
GITHUB_TOKEN: "$(github-distro-mixin-password)"
|
2022-06-14 14:37:10 +08:00
|
|
|
displayName: Download Symbols
|
|
|
|
|
|
2024-04-30 20:57:13 +08:00
|
|
|
- task: PSScriptAnalyzer@1
|
|
|
|
|
inputs:
|
|
|
|
|
Path: '$(Build.SourcesDirectory)'
|
|
|
|
|
Settings: required
|
|
|
|
|
Recurse: true
|
|
|
|
|
|
2022-06-14 14:37:10 +08:00
|
|
|
- task: BinSkim@4
|
|
|
|
|
inputs:
|
|
|
|
|
InputType: "Basic"
|
|
|
|
|
Function: "analyze"
|
|
|
|
|
TargetPattern: "guardianGlob"
|
2024-04-30 20:57:13 +08:00
|
|
|
AnalyzeIgnorePdbLoadError: true
|
2022-06-14 14:37:10 +08:00
|
|
|
AnalyzeTargetGlob: '$(agent.builddirectory)\scanbin\**.dll;$(agent.builddirectory)\scanbin\**.exe;$(agent.builddirectory)\scanbin\**.node'
|
|
|
|
|
AnalyzeLocalSymbolDirectories: '$(agent.builddirectory)\scanbin\VSCode-win32-$(VSCODE_ARCH)\pdb'
|
|
|
|
|
|
2024-04-30 20:57:13 +08:00
|
|
|
- task: AntiMalware@4
|
|
|
|
|
inputs:
|
|
|
|
|
InputType: Basic
|
|
|
|
|
ScanType: CustomScan
|
|
|
|
|
FileDirPath: '$(Build.SourcesDirectory)'
|
|
|
|
|
EnableServices: true
|
|
|
|
|
SupportLogOnError: false
|
|
|
|
|
TreatSignatureUpdateFailureAs: 'Warning'
|
|
|
|
|
SignatureFreshness: 'OneDay'
|
|
|
|
|
TreatStaleSignatureAs: 'Error'
|
|
|
|
|
|
|
|
|
|
- task: PublishSecurityAnalysisLogs@3
|
|
|
|
|
inputs:
|
|
|
|
|
ArtifactName: CodeAnalysisLogs
|
|
|
|
|
ArtifactType: Container
|
|
|
|
|
PublishProcessedResults: false
|
|
|
|
|
AllTools: true
|
|
|
|
|
|
2022-06-14 14:37:10 +08:00
|
|
|
- task: TSAUpload@2
|
|
|
|
|
inputs:
|
|
|
|
|
GdnPublishTsaOnboard: true
|
2024-04-30 20:57:13 +08:00
|
|
|
GdnPublishTsaConfigFile: '$(Build.SourcesDirectory)\build\azure-pipelines\config\tsaoptions.json'
|
2022-06-14 14:37:10 +08:00
|
|
|
|
|
|
|
|
- stage: Linux
|
|
|
|
|
dependsOn: []
|
|
|
|
|
condition: eq(variables.SCAN_LINUX, 'true')
|
|
|
|
|
pool:
|
|
|
|
|
vmImage: "Ubuntu-18.04"
|
|
|
|
|
jobs:
|
|
|
|
|
- job: LinuxJob
|
|
|
|
|
steps:
|
|
|
|
|
- task: CredScan@2
|
|
|
|
|
inputs:
|
|
|
|
|
toolMajorVersion: "V2"
|
|
|
|
|
- task: NodeTool@0
|
|
|
|
|
inputs:
|
2024-04-30 20:57:13 +08:00
|
|
|
versionSource: fromFile
|
|
|
|
|
versionFilePath: .nvmrc
|
|
|
|
|
nodejsMirror: https://github.com/joaomoreno/node-mirror/releases/download
|
|
|
|
|
|
|
|
|
|
- template: ./distro/download-distro.yml
|
2022-06-14 14:37:10 +08:00
|
|
|
|
|
|
|
|
- task: AzureKeyVault@1
|
|
|
|
|
displayName: "Azure Key Vault: Get Secrets"
|
|
|
|
|
inputs:
|
|
|
|
|
azureSubscription: "vscode-builds-subscription"
|
2024-04-30 20:57:13 +08:00
|
|
|
KeyVaultName: vscode-build-secrets
|
2022-06-14 14:37:10 +08:00
|
|
|
SecretsFilter: "github-distro-mixin-password"
|
|
|
|
|
|
|
|
|
|
- script: |
|
|
|
|
|
set -e
|
2024-04-30 20:57:13 +08:00
|
|
|
npm config set registry "$NPM_REGISTRY" --location=project
|
|
|
|
|
# npm >v7 deprecated the `always-auth` config option, refs npm/cli@72a7eeb
|
|
|
|
|
# following is a workaround for yarn to send authorization header
|
|
|
|
|
# for GET requests to the registry.
|
|
|
|
|
echo "always-auth=true" >> .npmrc
|
|
|
|
|
yarn config set registry "$NPM_REGISTRY"
|
|
|
|
|
condition: and(succeeded(), ne(variables.NODE_MODULES_RESTORED, 'true'), ne(variables['NPM_REGISTRY'], 'none'))
|
|
|
|
|
displayName: Setup NPM & Yarn
|
2022-06-14 14:37:10 +08:00
|
|
|
|
2024-04-30 20:57:13 +08:00
|
|
|
- task: npmAuthenticate@0
|
|
|
|
|
inputs:
|
|
|
|
|
workingFile: .npmrc
|
|
|
|
|
condition: and(succeeded(), ne(variables.NODE_MODULES_RESTORED, 'true'), ne(variables['NPM_REGISTRY'], 'none'))
|
|
|
|
|
displayName: Setup NPM Authentication
|
2022-06-14 14:37:10 +08:00
|
|
|
|
2024-04-30 20:57:13 +08:00
|
|
|
- script: node build/setup-npm-registry.js $NPM_REGISTRY
|
|
|
|
|
condition: and(succeeded(), ne(variables.NODE_MODULES_RESTORED, 'true'), ne(variables['NPM_REGISTRY'], 'none'))
|
|
|
|
|
displayName: Setup NPM Registry
|
2022-06-14 14:37:10 +08:00
|
|
|
|
|
|
|
|
- script: |
|
|
|
|
|
set -e
|
2024-04-30 20:57:13 +08:00
|
|
|
for i in {1..5}; do # try 5 times
|
2022-06-14 14:37:10 +08:00
|
|
|
yarn --cwd build --frozen-lockfile --check-files && break
|
|
|
|
|
if [ $i -eq 3 ]; then
|
|
|
|
|
echo "Yarn failed too many times" >&2
|
|
|
|
|
exit 1
|
|
|
|
|
fi
|
|
|
|
|
echo "Yarn failed $i, trying again..."
|
|
|
|
|
done
|
|
|
|
|
displayName: Install build dependencies
|
|
|
|
|
|
|
|
|
|
- script: |
|
|
|
|
|
set -e
|
|
|
|
|
export npm_config_arch=$(NPM_ARCH)
|
|
|
|
|
|
|
|
|
|
if [ -z "$CC" ] || [ -z "$CXX" ]; then
|
|
|
|
|
# Download clang based on chromium revision used by vscode
|
|
|
|
|
curl -s https://raw.githubusercontent.com/chromium/chromium/96.0.4664.110/tools/clang/scripts/update.py | python - --output-dir=$PWD/.build/CR_Clang --host-os=linux
|
|
|
|
|
# Download libcxx headers and objects from upstream electron releases
|
|
|
|
|
DEBUG=libcxx-fetcher \
|
|
|
|
|
VSCODE_LIBCXX_OBJECTS_DIR=$PWD/.build/libcxx-objects \
|
|
|
|
|
VSCODE_LIBCXX_HEADERS_DIR=$PWD/.build/libcxx_headers \
|
|
|
|
|
VSCODE_LIBCXXABI_HEADERS_DIR=$PWD/.build/libcxxabi_headers \
|
|
|
|
|
VSCODE_ARCH="$(NPM_ARCH)" \
|
|
|
|
|
node build/linux/libcxx-fetcher.js
|
|
|
|
|
# Set compiler toolchain
|
|
|
|
|
export CC=$PWD/.build/CR_Clang/bin/clang
|
|
|
|
|
export CXX=$PWD/.build/CR_Clang/bin/clang++
|
2024-04-30 20:57:13 +08:00
|
|
|
export CXXFLAGS="-std=c++17 -nostdinc++ -D__NO_INLINE__ -I$PWD/.build/libcxx_headers -isystem$PWD/.build/libcxx_headers/include -isystem$PWD/.build/libcxxabi_headers/include -fPIC -flto=thin -fsplit-lto-unit -D_LIBCPP_ABI_NAMESPACE=Cr"
|
2022-06-14 14:37:10 +08:00
|
|
|
export LDFLAGS="-stdlib=libc++ -fuse-ld=lld -flto=thin -fsplit-lto-unit -L$PWD/.build/libcxx-objects -lc++abi"
|
|
|
|
|
export VSCODE_REMOTE_CC=$(which gcc)
|
|
|
|
|
export VSCODE_REMOTE_CXX=$(which g++)
|
|
|
|
|
fi
|
|
|
|
|
|
2024-04-30 20:57:13 +08:00
|
|
|
for i in {1..5}; do # try 5 times
|
2022-06-14 14:37:10 +08:00
|
|
|
yarn --frozen-lockfile --check-files && break
|
|
|
|
|
if [ $i -eq 3 ]; then
|
|
|
|
|
echo "Yarn failed too many times" >&2
|
|
|
|
|
exit 1
|
|
|
|
|
fi
|
|
|
|
|
echo "Yarn failed $i, trying again..."
|
|
|
|
|
done
|
|
|
|
|
env:
|
|
|
|
|
PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1
|
|
|
|
|
GITHUB_TOKEN: "$(github-distro-mixin-password)"
|
|
|
|
|
displayName: Install dependencies
|
|
|
|
|
|
2024-04-30 20:57:13 +08:00
|
|
|
- script: yarn --frozen-lockfile --check-files
|
|
|
|
|
workingDirectory: .build/distro/npm
|
|
|
|
|
env:
|
|
|
|
|
npm_config_arch: $(NPM_ARCH)
|
|
|
|
|
displayName: Install distro node modules
|
|
|
|
|
|
|
|
|
|
- script: node build/azure-pipelines/distro/mixin-npm
|
|
|
|
|
displayName: Mixin distro node modules
|
|
|
|
|
|
|
|
|
|
- script: node build/azure-pipelines/distro/mixin-quality
|
|
|
|
|
displayName: Mixin distro quality
|
|
|
|
|
env:
|
|
|
|
|
VSCODE_QUALITY: stable
|
|
|
|
|
|
|
|
|
|
- script: yarn gulp vscode-symbols-linux-$(VSCODE_ARCH)
|
|
|
|
|
env:
|
|
|
|
|
GITHUB_TOKEN: "$(github-distro-mixin-password)"
|
2022-06-14 14:37:10 +08:00
|
|
|
displayName: Build
|
|
|
|
|
|
|
|
|
|
- task: BinSkim@3
|
|
|
|
|
inputs:
|
|
|
|
|
toolVersion: Latest
|
|
|
|
|
InputType: CommandLine
|
|
|
|
|
arguments: analyze $(agent.builddirectory)\scanbin\exe\*.* --recurse --local-symbol-directories $(agent.builddirectory)\scanbin\VSCode-linux-$(VSCODE_ARCH)\pdb
|
|
|
|
|
|
|
|
|
|
- task: TSAUpload@2
|
|
|
|
|
inputs:
|
2024-04-30 20:57:13 +08:00
|
|
|
GdnPublishTsaConfigFile: '$(Build.SourceDirectory)\build\azure-pipelines\config\tsaoptions.json'
|
