"use strict";
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License. See License.txt in the project root for license information.
Object.defineProperty(exports, "__esModule", { value: true });
const fs = require("fs");
const path = require("path");
const stream_1 = require("stream");
const promises_1 = require("node:stream/promises");
const yauzl = require("yauzl");
const crypto = require("crypto");
const retry_1 = require("./retry");
const storage_blob_1 = require("@azure/storage-blob");
const mime = require("mime");
const cosmos_1 = require("@azure/cosmos");
const identity_1 = require("@azure/identity");
const cp = require("child_process");
const os = require("os");
const node_worker_threads_1 = require("node:worker_threads");
function e(name) {
const result = process.env[name];
if (typeof result !== 'string') {
throw new Error(`Missing env: ${name}`);
return result;
class Temp {
_files = [];
tmpNameSync() {
const file = path.join(os.tmpdir(), crypto.randomBytes(20).toString('hex'));
return file;
dispose() {
for (const file of this._files) {
try {
catch (err) {
// noop
class ProvisionService {
constructor(log, accessToken) {
this.log = log;
this.accessToken = accessToken;
async provision(releaseId, fileId, fileName) {
const body = JSON.stringify({
ReleaseId: releaseId,
PortalName: 'VSCode',
PublisherCode: 'VSCode',
ProvisionedFilesCollection: [{
PublisherKey: fileId,
IsStaticFriendlyFileName: true,
FriendlyFileName: fileName,
MaxTTL: '1440',
CdnMappings: ['ECN']
this.log(`Provisioning ${fileName} (releaseId: ${releaseId}, fileId: ${fileId})...`);
const res = await (0, retry_1.retry)(() => this.request('POST', '/api/v2/ProvisionedFiles/CreateProvisionedFiles', { body }));
if (!res.IsSuccess) {
throw new Error(`Failed to submit provisioning request: ${JSON.stringify(res.ErrorDetails)}`);
this.log(`Successfully provisioned ${fileName}`);
async request(method, url, options) {
const opts = {
body: options?.body,
headers: {
Authorization: `Bearer ${this.accessToken}`,
'Content-Type': 'application/json'
const res = await fetch(`https://dsprovisionapi.microsoft.com${url}`, opts);
if (!res.ok || res.status < 200 || res.status >= 500) {
throw new Error(`Unexpected status code: ${res.status}`);
return await res.json();
function hashStream(hashName, stream) {
return new Promise((c, e) => {
const shasum = crypto.createHash(hashName);
.on('data', shasum.update.bind(shasum))
.on('error', e)
.on('close', () => c(shasum.digest('hex')));
class ESRPClient {
constructor(log, tmp, tenantId, clientId, authCertSubjectName, requestSigningCertSubjectName) {
this.log = log;
this.tmp = tmp;
this.authPath = this.tmp.tmpNameSync();
fs.writeFileSync(this.authPath, JSON.stringify({
Version: '1.0.0',
AuthenticationType: 'AAD_CERT',
TenantId: tenantId,
ClientId: clientId,
AuthCert: {
SubjectName: authCertSubjectName,
StoreLocation: 'LocalMachine',
StoreName: 'My',
SendX5c: 'true'
RequestSigningCert: {
SubjectName: requestSigningCertSubjectName,
StoreLocation: 'LocalMachine',
StoreName: 'My'
async release(version, filePath) {
this.log(`Submitting release for ${version}: ${filePath}`);
const submitReleaseResult = await this.SubmitRelease(version, filePath);
if (submitReleaseResult.submissionResponse.statusCode !== 'pass') {
throw new Error(`Unexpected status code: ${submitReleaseResult.submissionResponse.statusCode}`);
const releaseId = submitReleaseResult.submissionResponse.operationId;
this.log(`Successfully submitted release ${releaseId}. Polling for completion...`);
let details;
// Poll every 5 seconds, wait 60 minutes max -> poll 60/5*60=720 times
for (let i = 0; i < 720; i++) {
details = await this.ReleaseDetails(releaseId);
if (details.releaseDetails[0].statusCode === 'pass') {
else if (details.releaseDetails[0].statusCode !== 'inprogress') {
throw new Error(`Failed to submit release: ${JSON.stringify(details)}`);
await new Promise(c => setTimeout(c, 5000));
if (details.releaseDetails[0].statusCode !== 'pass') {
throw new Error(`Timed out waiting for release ${releaseId}: ${JSON.stringify(details)}`);
const fileId = details.releaseDetails[0].fileDetails[0].publisherKey;
this.log('Release completed successfully with fileId: ', fileId);
return { releaseId, fileId };
async SubmitRelease(version, filePath) {
const policyPath = this.tmp.tmpNameSync();
fs.writeFileSync(policyPath, JSON.stringify({
Version: '1.0.0',
Audience: 'InternalLimited',
Intent: 'distribution',
ContentType: 'InstallPackage'
const inputPath = this.tmp.tmpNameSync();
const size = fs.statSync(filePath).size;
const istream = fs.createReadStream(filePath);
const sha256 = await hashStream('sha256', istream);
fs.writeFileSync(inputPath, JSON.stringify({
Version: '1.0.0',
ReleaseInfo: {
ReleaseMetadata: {
Title: 'VS Code',
Properties: {
ReleaseContentType: 'InstallPackage'
MinimumNumberOfApprovers: 1
ProductInfo: {
Name: 'VS Code',
Version: version,
Description: path.basename(filePath, path.extname(filePath)),
Owners: [
Owner: {
UserPrincipalName: 'jomo@microsoft.com'
Approvers: [
Approver: {
UserPrincipalName: 'jomo@microsoft.com'
IsAutoApproved: true,
IsMandatory: false
AccessPermissions: {
MainPublisher: 'VSCode',
ChannelDownloadEntityDetails: {
Consumer: ['VSCode']
CreatedBy: {
UserPrincipalName: 'jomo@microsoft.com'
ReleaseBatches: [
ReleaseRequestFiles: [
SizeInBytes: size,
SourceHash: sha256,
HashType: 'SHA256',
SourceLocation: path.basename(filePath)
SourceLocationType: 'UNC',
SourceRootDirectory: path.dirname(filePath),
DestinationLocationType: 'AzureBlob'
const outputPath = this.tmp.tmpNameSync();
cp.execSync(`ESRPClient SubmitRelease -a ${this.authPath} -p ${policyPath} -i ${inputPath} -o ${outputPath}`, { stdio: 'inherit' });
const output = fs.readFileSync(outputPath, 'utf8');
return JSON.parse(output);
async ReleaseDetails(releaseId) {
const inputPath = this.tmp.tmpNameSync();
fs.writeFileSync(inputPath, JSON.stringify({
Version: '1.0.0',
OperationIds: [releaseId]
const outputPath = this.tmp.tmpNameSync();
cp.execSync(`ESRPClient ReleaseDetails -a ${this.authPath} -i ${inputPath} -o ${outputPath}`, { stdio: 'inherit' });
const output = fs.readFileSync(outputPath, 'utf8');
return JSON.parse(output);
async function releaseAndProvision(log, releaseTenantId, releaseClientId, releaseAuthCertSubjectName, releaseRequestSigningCertSubjectName, provisionTenantId, provisionAADUsername, provisionAADPassword, version, quality, filePath) {
const fileName = `${quality}/${version}/${path.basename(filePath)}`;
const result = `${e('PRSS_CDN_URL')}/${fileName}`;
const res = await (0, retry_1.retry)(() => fetch(result));
if (res.status === 200) {
log(`Already released and provisioned: ${result}`);
return result;
const tmp = new Temp();
process.on('exit', () => tmp.dispose());
const esrpclient = new ESRPClient(log, tmp, releaseTenantId, releaseClientId, releaseAuthCertSubjectName, releaseRequestSigningCertSubjectName);
const release = await esrpclient.release(version, filePath);
const credential = new identity_1.ClientSecretCredential(provisionTenantId, provisionAADUsername, provisionAADPassword);
const accessToken = await credential.getToken(['https://microsoft.onmicrosoft.com/DS.Provisioning.WebApi/.default']);
const service = new ProvisionService(log, accessToken.token);
await service.provision(release.releaseId, release.fileId, fileName);
return result;
class State {
set = new Set();
constructor() {
const pipelineWorkspacePath = e('PIPELINE_WORKSPACE');
const previousState = fs.readdirSync(pipelineWorkspacePath)
.map(name => /^artifacts_processed_(\d+)$/.exec(name))
.filter((match) => !!match)
.map(match => ({ name: match[0], attempt: Number(match[1]) }))
.sort((a, b) => b.attempt - a.attempt)[0];
if (previousState) {
const previousStatePath = path.join(pipelineWorkspacePath, previousState.name, previousState.name + '.txt');
fs.readFileSync(previousStatePath, 'utf8').split(/\n/).filter(name => !!name).forEach(name => this.set.add(name));
const stageAttempt = e('SYSTEM_STAGEATTEMPT');
this.statePath = path.join(pipelineWorkspacePath, `artifacts_processed_${stageAttempt}`, `artifacts_processed_${stageAttempt}.txt`);
fs.mkdirSync(path.dirname(this.statePath), { recursive: true });
fs.writeFileSync(this.statePath, [...this.set.values()].map(name => `${name}\n`).join(''));
get size() {
return this.set.size;
has(name) {
return this.set.has(name);
add(name) {
fs.appendFileSync(this.statePath, `${name}\n`);
[Symbol.iterator]() {
return this.set[Symbol.iterator]();
const azdoFetchOptions = {
headers: {
// Pretend we're a web browser to avoid download rate limits
'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/ Safari/537.36 Edg/',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7',
'Accept-Encoding': 'gzip, deflate, br',
'Accept-Language': 'en-US,en;q=0.9',
'Referer': 'https://dev.azure.com',
Authorization: `Bearer ${e('SYSTEM_ACCESSTOKEN')}`
async function requestAZDOAPI(path) {
const abortController = new AbortController();
const timeout = setTimeout(() => abortController.abort(), 2 * 60 * 1000);
try {
const res = await fetch(`${e('BUILDS_API_URL')}${path}?api-version=6.0`, { ...azdoFetchOptions, signal: abortController.signal });
if (!res.ok) {
throw new Error(`Unexpected status code: ${res.status}`);
return await res.json();
finally {
async function getPipelineArtifacts() {
const result = await requestAZDOAPI('artifacts');
return result.value.filter(a => /^vscode_/.test(a.name) && !/sbom$/.test(a.name));
async function getPipelineTimeline() {
return await requestAZDOAPI('timeline');
async function downloadArtifact(artifact, downloadPath) {
const abortController = new AbortController();
const timeout = setTimeout(() => abortController.abort(), 4 * 60 * 1000);
try {
const res = await fetch(artifact.resource.downloadUrl, { ...azdoFetchOptions, signal: abortController.signal });
if (!res.ok) {
throw new Error(`Unexpected status code: ${res.status}`);
await (0, promises_1.pipeline)(stream_1.Readable.fromWeb(res.body), fs.createWriteStream(downloadPath));
finally {
async function unzip(packagePath, outputPath) {
return new Promise((resolve, reject) => {
yauzl.open(packagePath, { lazyEntries: true }, (err, zipfile) => {
if (err) {
return reject(err);
zipfile.on('entry', entry => {
if (/\/$/.test(entry.fileName)) {
else {
zipfile.openReadStream(entry, (err, istream) => {
if (err) {
return reject(err);
const filePath = path.join(outputPath, entry.fileName);
fs.mkdirSync(path.dirname(filePath), { recursive: true });
const ostream = fs.createWriteStream(filePath);
ostream.on('finish', () => {
istream?.on('error', err => reject(err));
// Contains all of the logic for mapping details to our actual product names in CosmosDB
function getPlatform(product, os, arch, type) {
switch (os) {
case 'win32':
switch (product) {
case 'client': {
switch (type) {
case 'archive':
return `win32-${arch}-archive`;
case 'setup':
return `win32-${arch}`;
case 'user-setup':
return `win32-${arch}-user`;
throw new Error(`Unrecognized: ${product} ${os} ${arch} ${type}`);
case 'server':
if (arch === 'arm64') {
throw new Error(`Unrecognized: ${product} ${os} ${arch} ${type}`);
return `server-win32-${arch}`;
case 'web':
if (arch === 'arm64') {
throw new Error(`Unrecognized: ${product} ${os} ${arch} ${type}`);
return `server-win32-${arch}-web`;
case 'cli':
return `cli-win32-${arch}`;
throw new Error(`Unrecognized: ${product} ${os} ${arch} ${type}`);
case 'alpine':
switch (product) {
case 'server':
return `server-alpine-${arch}`;
case 'web':
return `server-alpine-${arch}-web`;
case 'cli':
return `cli-alpine-${arch}`;
throw new Error(`Unrecognized: ${product} ${os} ${arch} ${type}`);
case 'linux':
switch (type) {
case 'snap':
return `linux-snap-${arch}`;
case 'archive-unsigned':
switch (product) {
case 'client':
return `linux-${arch}`;
case 'server':
return `server-linux-${arch}`;
case 'web':
return arch === 'standalone' ? 'web-standalone' : `server-linux-${arch}-web`;
throw new Error(`Unrecognized: ${product} ${os} ${arch} ${type}`);
case 'deb-package':
return `linux-deb-${arch}`;
case 'rpm-package':
return `linux-rpm-${arch}`;
case 'cli':
return `cli-linux-${arch}`;
throw new Error(`Unrecognized: ${product} ${os} ${arch} ${type}`);
case 'darwin':
switch (product) {
case 'client':
if (arch === 'x64') {
return 'darwin';
return `darwin-${arch}`;
case 'server':
if (arch === 'x64') {
return 'server-darwin';
return `server-darwin-${arch}`;
case 'web':
if (arch === 'x64') {
return 'server-darwin-web';
return `server-darwin-${arch}-web`;
case 'cli':
return `cli-darwin-${arch}`;
throw new Error(`Unrecognized: ${product} ${os} ${arch} ${type}`);
throw new Error(`Unrecognized: ${product} ${os} ${arch} ${type}`);
// Contains all of the logic for mapping types to our actual types in CosmosDB
function getRealType(type) {
switch (type) {
case 'user-setup':
return 'setup';
case 'deb-package':
case 'rpm-package':
return 'package';
return type;
async function uploadAssetLegacy(log, quality, commit, filePath) {
const fileName = path.basename(filePath);
const blobName = commit + '/' + fileName;
const credential = new identity_1.ClientSecretCredential(e('AZURE_TENANT_ID'), e('AZURE_CLIENT_ID'), e('AZURE_CLIENT_SECRET'));
const blobServiceClient = new storage_blob_1.BlobServiceClient(`https://vscode.blob.core.windows.net`, credential, { retryOptions: { retryPolicyType: storage_blob_1.StorageRetryPolicyType.FIXED, tryTimeoutInMs: 2 * 60 * 1000 } });
const containerClient = blobServiceClient.getContainerClient(quality);
const blobClient = containerClient.getBlockBlobClient(blobName);
const blobOptions = {
blobHTTPHeaders: {
blobContentType: mime.lookup(filePath),
blobContentDisposition: `attachment; filename="${fileName}"`,
blobCacheControl: 'max-age=31536000, public'
log(`Checking for blob in Azure...`);
if (await blobClient.exists()) {
log(`Blob ${quality}, ${blobName} already exists, not publishing again.`);
else {
log(`Uploading blobs to Azure storage...`);
await blobClient.uploadFile(filePath, blobOptions);
log('Blob successfully uploaded to Azure storage.');
return `${e('AZURE_CDN_URL')}/${quality}/${blobName}`;
async function processArtifact(artifact, artifactFilePath) {
const log = (...args) => console.log(`[${artifact.name}]`, ...args);
const match = /^vscode_(?<product>[^_]+)_(?<os>[^_]+)_(?<arch>[^_]+)_(?<unprocessedType>[^_]+)$/.exec(artifact.name);
if (!match) {
throw new Error(`Invalid artifact name: ${artifact.name}`);
// getPlatform needs the unprocessedType
const quality = e('VSCODE_QUALITY');
const commit = e('BUILD_SOURCEVERSION');
const { product, os, arch, unprocessedType } = match.groups;
const platform = getPlatform(product, os, arch, unprocessedType);
const type = getRealType(unprocessedType);
const size = fs.statSync(artifactFilePath).size;
const stream = fs.createReadStream(artifactFilePath);
const [sha1hash, sha256hash] = await Promise.all([hashStream('sha1', stream), hashStream('sha256', stream)]);
const [assetUrl, prssUrl] = await Promise.all([
uploadAssetLegacy(log, quality, commit, artifactFilePath),
const asset = { platform, type, url: assetUrl, hash: sha1hash, mooncakeUrl: prssUrl, prssUrl, sha256hash, size, supportsFastUpdate: true };
log('Creating asset...', JSON.stringify(asset));
await (0, retry_1.retry)(async (attempt) => {
log(`Creating asset in Cosmos DB (attempt ${attempt})...`);
const aadCredentials = new identity_1.ClientSecretCredential(e('AZURE_TENANT_ID'), e('AZURE_CLIENT_ID'), e('AZURE_CLIENT_SECRET'));
const client = new cosmos_1.CosmosClient({ endpoint: e('AZURE_DOCUMENTDB_ENDPOINT'), aadCredentials });
const scripts = client.database('builds').container(quality).scripts;
await scripts.storedProcedure('createAsset').execute('', [commit, asset, true]);
log('Asset successfully created');
// It is VERY important that we don't download artifacts too much too fast from AZDO.
// AZDO throttles us SEVERELY if we do. Not just that, but they also close open
// sockets, so the whole things turns to a grinding halt. So, downloading and extracting
// happens serially in the main thread, making the downloads are spaced out
// properly. For each extracted artifact, we spawn a worker thread to upload it to
// the CDN and finally update the build in Cosmos DB.
async function main() {
if (!node_worker_threads_1.isMainThread) {
const { artifact, artifactFilePath } = node_worker_threads_1.workerData;
await processArtifact(artifact, artifactFilePath);
const done = new State();
const processing = new Set();
for (const name of done) {
console.log(`\u2705 ${name}`);
const stages = new Set(['Compile', 'CompileCLI']);
if (e('VSCODE_BUILD_STAGE_WINDOWS') === 'True') {
if (e('VSCODE_BUILD_STAGE_LINUX') === 'True') {
if (e('VSCODE_BUILD_STAGE_ALPINE') === 'True') {
if (e('VSCODE_BUILD_STAGE_MACOS') === 'True') {
if (e('VSCODE_BUILD_STAGE_WEB') === 'True') {
let resultPromise = Promise.resolve([]);
const operations = [];
while (true) {
const [timeline, artifacts] = await Promise.all([(0, retry_1.retry)(() => getPipelineTimeline()), (0, retry_1.retry)(() => getPipelineArtifacts())]);
const stagesCompleted = new Set(timeline.records.filter(r => r.type === 'Stage' && r.state === 'completed' && stages.has(r.name)).map(r => r.name));
const stagesInProgress = [...stages].filter(s => !stagesCompleted.has(s));
const artifactsInProgress = artifacts.filter(a => processing.has(a.name));
if (stagesInProgress.length === 0 && artifacts.length === done.size + processing.size) {
else if (stagesInProgress.length > 0) {
console.log('Stages in progress:', stagesInProgress.join(', '));
else if (artifactsInProgress.length > 0) {
console.log('Artifacts in progress:', artifactsInProgress.map(a => a.name).join(', '));
else {
console.log(`Waiting for a total of ${artifacts.length}, ${done.size} done, ${processing.size} in progress...`);
for (const artifact of artifacts) {
if (done.has(artifact.name) || processing.has(artifact.name)) {
console.log(`[${artifact.name}] Found new artifact`);
const artifactZipPath = path.join(e('AGENT_TEMPDIRECTORY'), `${artifact.name}.zip`);
await (0, retry_1.retry)(async (attempt) => {
const start = Date.now();
console.log(`[${artifact.name}] Downloading (attempt ${attempt})...`);
await downloadArtifact(artifact, artifactZipPath);
const archiveSize = fs.statSync(artifactZipPath).size;
const downloadDurationS = (Date.now() - start) / 1000;
const downloadSpeedKBS = Math.round((archiveSize / 1024) / downloadDurationS);
console.log(`[${artifact.name}] Successfully downloaded after ${Math.floor(downloadDurationS)} seconds(${downloadSpeedKBS} KB/s).`);
const artifactFilePath = await unzip(artifactZipPath, e('AGENT_TEMPDIRECTORY'));
const artifactSize = fs.statSync(artifactFilePath).size;
if (artifactSize !== Number(artifact.resource.properties.artifactsize)) {
console.log(`[${artifact.name}] Artifact size mismatch.Expected ${artifact.resource.properties.artifactsize}. Actual ${artifactSize} `);
throw new Error(`Artifact size mismatch.`);
const promise = new Promise((resolve, reject) => {
const worker = new node_worker_threads_1.Worker(__filename, { workerData: { artifact, artifactFilePath } });
worker.on('error', reject);
worker.on('exit', code => {
if (code === 0) {
else {
reject(new Error(`[${artifact.name}] Worker stopped with exit code ${code}`));
const operation = promise.then(() => {
console.log(`\u2705 ${artifact.name} `);
operations.push({ name: artifact.name, operation });
resultPromise = Promise.allSettled(operations.map(o => o.operation));
await new Promise(c => setTimeout(c, 10000));
console.log(`Found all ${done.size + processing.size} artifacts, waiting for ${processing.size} artifacts to finish publishing...`);
const artifactsInProgress = operations.filter(o => processing.has(o.name));
if (artifactsInProgress.length > 0) {
console.log('Artifacts in progress:', artifactsInProgress.map(a => a.name).join(', '));
const results = await resultPromise;
for (let i = 0; i < operations.length; i++) {
const result = results[i];
if (result.status === 'rejected') {
console.error(`[${operations[i].name}]`, result.reason);
if (results.some(r => r.status === 'rejected')) {
throw new Error('Some artifacts failed to publish');
console.log(`All ${done.size} artifacts published!`);
if (require.main === module) {
main().then(() => {
}, err => {
