trigger: none pr: none parameters: - name: ENABLE_TERRAPIN displayName: "Enable Terrapin" type: boolean default: true - name: SCAN_WINDOWS displayName: "Scan Windows" type: boolean default: true - name: SCAN_LINUX displayName: "Scan Linux" type: boolean default: false variables: - name: ENABLE_TERRAPIN value: ${{ eq(parameters.ENABLE_TERRAPIN, true) }} - name: SCAN_WINDOWS value: ${{ eq(parameters.SCAN_WINDOWS, true) }} - name: SCAN_LINUX value: ${{ eq(parameters.SCAN_LINUX, true) }} - name: VSCODE_MIXIN_REPO value: microsoft/vscode-distro - name: skipComponentGovernanceDetection value: true - name: NPM_ARCH value: x64 - name: VSCODE_ARCH value: x64 stages: - stage: Windows condition: eq(variables.SCAN_WINDOWS, 'true') pool: vmImage: windows-latest jobs: - job: WindowsJob timeoutInMinutes: 0 steps: - task: CredScan@3 continueOnError: true inputs: scanFolder: "$(Build.SourcesDirectory)" outputFormat: "pre" - task: NodeTool@0 inputs: versionSpec: "16.x" - task: AzureKeyVault@1 displayName: "Azure Key Vault: Get Secrets" inputs: azureSubscription: "vscode-builds-subscription" KeyVaultName: vscode SecretsFilter: "github-distro-mixin-password" - powershell: | . build/azure-pipelines/win32/exec.ps1 $ErrorActionPreference = "Stop" "machine github.com`nlogin vscode`npassword $(github-distro-mixin-password)" | Out-File "$env:USERPROFILE\_netrc" -Encoding ASCII exec { git config user.email "vscode@microsoft.com" } exec { git config user.name "VSCode" } displayName: Prepare tooling # - powershell: | # . build/azure-pipelines/win32/exec.ps1 # $ErrorActionPreference = "Stop" # exec { git fetch https://github.com/$(VSCODE_MIXIN_REPO).git $(VSCODE_DISTRO_REF) } # exec { git checkout FETCH_HEAD } # condition: and(succeeded(), ne(variables.VSCODE_DISTRO_REF, ' ')) # displayName: Checkout override commit - powershell: | . build/azure-pipelines/win32/exec.ps1 $ErrorActionPreference = "Stop" exec { git pull --no-rebase https://github.com/$(VSCODE_MIXIN_REPO).git $(node -p "require('./package.json').distro") } displayName: Merge distro - powershell: | . build/azure-pipelines/win32/exec.ps1 $ErrorActionPreference = "Stop" exec { npx https://aka.ms/enablesecurefeed standAlone } timeoutInMinutes: 5 retryCountOnTaskFailure: 3 condition: and(succeeded(), eq(variables['ENABLE_TERRAPIN'], 'true')) displayName: Switch to Terrapin packages - task: Semmle@1 inputs: sourceCodeDirectory: "$(Build.SourcesDirectory)" language: "cpp" buildCommandsString: "yarn --frozen-lockfile --check-files" querySuite: "Required" timeout: "1800" ram: "16384" addProjectDirToScanningExclusionList: true env: npm_config_arch: "$(NPM_ARCH)" PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1 GITHUB_TOKEN: "$(github-distro-mixin-password)" displayName: CodeQL - powershell: | . build/azure-pipelines/win32/exec.ps1 . build/azure-pipelines/win32/retry.ps1 $ErrorActionPreference = "Stop" retry { exec { yarn --frozen-lockfile --check-files } } env: npm_config_arch: "$(NPM_ARCH)" PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1 GITHUB_TOKEN: "$(github-distro-mixin-password)" CHILD_CONCURRENCY: 1 displayName: Install dependencies - powershell: | . build/azure-pipelines/win32/exec.ps1 $ErrorActionPreference = "Stop" exec { yarn gulp "vscode-symbols-win32-$(VSCODE_ARCH)" } displayName: Download Symbols - task: BinSkim@4 inputs: InputType: "Basic" Function: "analyze" TargetPattern: "guardianGlob" AnalyzeTargetGlob: '$(agent.builddirectory)\scanbin\**.dll;$(agent.builddirectory)\scanbin\**.exe;$(agent.builddirectory)\scanbin\**.node' AnalyzeLocalSymbolDirectories: '$(agent.builddirectory)\scanbin\VSCode-win32-$(VSCODE_ARCH)\pdb' - task: TSAUpload@2 inputs: GdnPublishTsaOnboard: true GdnPublishTsaConfigFile: '$(Build.SourcesDirectory)\build\azure-pipelines\.gdntsa' - stage: Linux dependsOn: [] condition: eq(variables.SCAN_LINUX, 'true') pool: vmImage: "Ubuntu-18.04" jobs: - job: LinuxJob steps: - task: CredScan@2 inputs: toolMajorVersion: "V2" - task: NodeTool@0 inputs: versionSpec: "16.x" - task: AzureKeyVault@1 displayName: "Azure Key Vault: Get Secrets" inputs: azureSubscription: "vscode-builds-subscription" KeyVaultName: vscode SecretsFilter: "github-distro-mixin-password" - script: | set -e cat << EOF > ~/.netrc machine github.com login vscode password $(github-distro-mixin-password) EOF git config user.email "vscode@microsoft.com" git config user.name "VSCode" displayName: Prepare tooling # - script: | # set -e # git fetch https://github.com/$(VSCODE_MIXIN_REPO).git $VSCODE_DISTRO_REF # echo "##vso[task.setvariable variable=VSCODE_DISTRO_COMMIT;]$(git rev-parse FETCH_HEAD)" # git checkout FETCH_HEAD # condition: and(succeeded(), ne(variables.VSCODE_DISTRO_REF, ' ')) # displayName: Checkout override commit - script: | set -e git pull --no-rebase https://github.com/$(VSCODE_MIXIN_REPO).git $(node -p "require('./package.json').distro") displayName: Merge distro - script: | set -e npx https://aka.ms/enablesecurefeed standAlone timeoutInMinutes: 5 retryCountOnTaskFailure: 3 condition: and(succeeded(), ne(variables.NODE_MODULES_RESTORED, 'true'), eq(variables['ENABLE_TERRAPIN'], 'true')) displayName: Switch to Terrapin packages - script: | set -e for i in {1..3}; do # try 3 times, for Terrapin yarn --cwd build --frozen-lockfile --check-files && break if [ $i -eq 3 ]; then echo "Yarn failed too many times" >&2 exit 1 fi echo "Yarn failed $i, trying again..." done displayName: Install build dependencies - script: | set -e export npm_config_arch=$(NPM_ARCH) if [ -z "$CC" ] || [ -z "$CXX" ]; then # Download clang based on chromium revision used by vscode curl -s https://raw.githubusercontent.com/chromium/chromium/96.0.4664.110/tools/clang/scripts/update.py | python - --output-dir=$PWD/.build/CR_Clang --host-os=linux # Download libcxx headers and objects from upstream electron releases DEBUG=libcxx-fetcher \ VSCODE_LIBCXX_OBJECTS_DIR=$PWD/.build/libcxx-objects \ VSCODE_LIBCXX_HEADERS_DIR=$PWD/.build/libcxx_headers \ VSCODE_LIBCXXABI_HEADERS_DIR=$PWD/.build/libcxxabi_headers \ VSCODE_ARCH="$(NPM_ARCH)" \ node build/linux/libcxx-fetcher.js # Set compiler toolchain export CC=$PWD/.build/CR_Clang/bin/clang export CXX=$PWD/.build/CR_Clang/bin/clang++ export CXXFLAGS="-nostdinc++ -D__NO_INLINE__ -isystem$PWD/.build/libcxx_headers -isystem$PWD/.build/libcxx_headers/include -isystem$PWD/.build/libcxxabi_headers/include -fPIC -flto=thin -fsplit-lto-unit" export LDFLAGS="-stdlib=libc++ -fuse-ld=lld -flto=thin -fsplit-lto-unit -L$PWD/.build/libcxx-objects -lc++abi" export VSCODE_REMOTE_CC=$(which gcc) export VSCODE_REMOTE_CXX=$(which g++) fi for i in {1..3}; do # try 3 times, for Terrapin yarn --frozen-lockfile --check-files && break if [ $i -eq 3 ]; then echo "Yarn failed too many times" >&2 exit 1 fi echo "Yarn failed $i, trying again..." done env: PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1 GITHUB_TOKEN: "$(github-distro-mixin-password)" displayName: Install dependencies - script: | set -e yarn gulp vscode-symbols-linux-$(VSCODE_ARCH) displayName: Build - task: BinSkim@3 inputs: toolVersion: Latest InputType: CommandLine arguments: analyze $(agent.builddirectory)\scanbin\exe\*.* --recurse --local-symbol-directories $(agent.builddirectory)\scanbin\VSCode-linux-$(VSCODE_ARCH)\pdb - task: TSAUpload@2 inputs: GdnPublishTsaConfigFile: '$(Build.SourceDirectory)\build\azure-pipelines\.gdntsa'