[Code Sign] Integrated ESRP Sign Step - AB#2218368 (#598)
* Squashed Commits

* Incremented minor version
AdityaMankal-MS authored Oct 18, 2024
1 parent 6c788db commit 6e88138
Showing 7 changed files with 31,868 additions and 30,124 deletions.
44 changes: 42 additions & 2 deletions .azure-pipelines/common-steps.yml
Expand Up @@ -36,9 +36,47 @@ steps:
# Acquire the `vsce` tool and use it to package
- script: |
npm install -g @vscode/vsce
vsce package
displayName: Install VSCE

- script: |
npx @vscode/vsce package -o extension.vsix
displayName: Create VSIX

- script: |
npx @vscode/vsce generate-manifest -i extension.vsix -o extension.manifest
displayName: Create VSIX Manifest

- script: |
cp extension.manifest extension.signature.p7s
displayName: Prepare Manifest Signature

- task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@5
inputs:
ConnectedServiceName: PipelinesAgentAndTasksESRP
AppRegistrationClientId: $(AppRegistrationClientId)
AppRegistrationTenantId: $(AppRegistrationTenantId)
AuthAKVName: $(AuthAKVName)
AuthCertName: $(AuthCertName)
AuthSignCertName: $(AuthSignCertName)
FolderPath: '$(Build.SourcesDirectory)'
Pattern: 'extension.signature.p7s'
signConfigType: inlineSignParams
inlineOperation: |
[
{
"keyCode": "CP-401405",
"operationSetCode": "VSCodePublisherSign",
"parameters" : [],
"toolName": "sign",
"toolVersion": "1.0"
}
]
SessionTimeout: 90
MaxConcurrency: 25
MaxRetryAttempts: 5
PendingAnalysisWaitTimeoutMinutes: 5
displayName: Sign Extension

- script: |
npm run vscode:prepublish
cat /home/vsts/.npm/_logs/*.log
Expand All @@ -59,8 +97,10 @@ steps:
displayName: Stage VSIX for publishing
inputs:
contents: |-
*.vsix
extension.vsix
version.txt
branch.txt
minichangelog.txt
extension.signature.p7s
extension.manifest
targetFolder: $(Build.ArtifactStagingDirectory)
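Review bot: Nothing between the `Sign Extension` task and the `Stage VSIX for publishing` step checks that `extension.signature.p7s` was actually turned into a signature. The file starts as a plain copy of the manifest (`cp extension.manifest extension.signature.p7s`), so if the ESRP task matches no file or leaves it unchanged, that copy would be staged under the signature name, as far as these hunks show. A verification step right after signing would fail the build instead, e.g. `- script: npx @vscode/vsce verify-signature -i extension.vsix -m extension.manifest -s extension.signature.p7s` with `displayName: Verify Signature`. Separately, `@vscode/vsce` is fetched without a version in both the `npm install -g` line and the new `npx` calls, so the tool that builds the package being signed can change between runs; pinning it (`@vscode/vsce@<pinned-version>`) keeps the signed output reproducible.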
51 changes: 47 additions & 4 deletions .azure-pipelines/github-release/github-release.js
Expand Up @@ -11,6 +11,9 @@ const DEBUG_LOGGING = process.env.SYSTEM_DEBUG && process.env.SYSTEM_DEBUG == 't
let vsixName = process.argv[2] || null;
let version = process.argv[3] || null;
let token = process.argv[4] || null
let signature = process.argv[5] || null
let manifest = process.argv[6] || null

if (token === null) {
console.log(`Usage:
Expand Down Expand Up @@ -59,12 +62,12 @@ async function createRelease() {
console.log(createReleaseResult);
}

// Upload the VSIX
const vsixSize = fs.statSync(vsixName).size;

console.log('Uploading VSIX...');
let uploadResult;
let vsixUploadResult;
try {
uploadResult = await octokit.repos.uploadAsset({
vsixUploadResult = await octokit.repos.uploadAsset({
url: createReleaseResult.data.upload_url,
headers: {
'content-length': vsixSize,
Expand All @@ -78,8 +81,48 @@ async function createRelease() {
}
console.log('Uploaded VSIX.');

// Upload the Manifest
const manifestSize = fs.statSync(manifest).size;
console.log('Uploading Manifest...');
let manifestUploadResult;
try {
manifestUploadResult = await octokit.repos.uploadAsset({
url: createReleaseResult.data.upload_url,
headers: {
'content-length': manifestSize,
'content-type': 'application/xml',
},
name: manifest,
file: fs.createReadStream(manifest)
});
} catch (e) {
throw e;
}
console.log('Uploaded Manifest.');

// Upload the Signature
const signatureSize = fs.statSync(signature).size;
console.log('Uploading Signature...');
let signatureUploadResult;
try {
signatureUploadResult = await octokit.repos.uploadAsset({
url: createReleaseResult.data.upload_url,
headers: {
'content-length': signatureSize,
'content-type': 'application/pkcs7-signature',
},
name: signature,
file: fs.createReadStream(signature)
});
} catch (e) {
throw e;
}
console.log('Uploaded Signature.');

if (DEBUG_LOGGING) {
console.log(uploadResult);
console.log("VISX Upload Result:" + vsixUploadResult);
console.log("Manifest Upload Result:" + manifestUploadResult);
console.log("Signature Upload Result:" + signatureUploadResult);
}
}
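Review bot: The new `signature` and `manifest` arguments default to `null` but are never validated, while the visible usage check covers only `token`. With either one missing, `fs.statSync(manifest)` or `fs.statSync(signature)` throws only after the release has been created and the VSIX uploaded, leaving a release without its signature files. Checking them up front, e.g. `if (token === null || signature === null || manifest === null) {`, keeps a bad invocation from producing a partial release; the usage text and the start of `createRelease()` lie outside these hunks. In the debug block, `"VISX Upload Result:" + vsixUploadResult` most likely stringifies the response object to `[object Object]`, whereas `console.log('VSIX upload result:', vsixUploadResult)` would keep the detail the old `console.log(uploadResult)` printed.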

15 changes: 10 additions & 5 deletions .azure-pipelines/release-pipeline.yml
Expand Up @@ -4,17 +4,17 @@

# Only trigger manually

# This Yaml Document has been converted by ESAI Yaml Pipeline Conversion Tool.
# This pipeline will be extended to the OneESPT template

trigger: none

pr: none

resources:
repositories:
- repository: 1ESPipelineTemplates
type: git
name: 1ESPipelineTemplates/1ESPipelineTemplates
ref: refs/tags/release

extends:
template: v1/1ES.Official.PipelineTemplate.yml@1ESPipelineTemplates
parameters:
Expand All @@ -36,6 +36,7 @@ extends:
os: linux
customBuildTags:
- ES365AIMigrationTooling

stages:
- stage: stage
jobs:
Expand All @@ -46,6 +47,7 @@ extends:
displayName: 'Publish VSIX'
artifactName: azure-pipelines-vscode
targetPath: $(Build.ArtifactStagingDirectory)

steps:
# release version should be correctly set in package.json
- bash: |
Expand All @@ -72,11 +74,14 @@ extends:
npm install
displayName: Prepare to create GitHub Release
workingDirectory: '$(Build.SourcesDirectory)/.azure-pipelines/github-release'
- bash: |
SCRIPT=.azure-pipelines/github-release/github-release.js
VSIX=*.vsix
VSIX=extension.vsix
VERSION=$(node -p "require('./package.json').version")
node $SCRIPT $VSIX $VERSION $GITHUB_TOKEN
VSIX_SIGNATURE=extension.signature.p7s
VSIX_MANIFEST=extension.manifest
node $SCRIPT $VSIX $VERSION $GITHUB_TOKEN $VSIX_SIGNATURE $VSIX_MANIFEST
displayName: Create GitHub Release
env:
GITHUB_TOKEN: $(GitHubSecret)
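Review bot: The rewritten `node $SCRIPT ...` line still passes `$GITHUB_TOKEN` as a positional argument, and now places two more arguments after it. A secret on the command line is visible in the process's argument list on the agent even when pipeline logs mask it. The step already maps the secret into the environment (`GITHUB_TOKEN: $(GitHubSecret)`), so the script could read `process.env.GITHUB_TOKEN` and the call could become `node "$SCRIPT" "$VSIX" "$VERSION" "$VSIX_SIGNATURE" "$VSIX_MANIFEST"`. That needs the matching argument-index change in `github-release.js`, which is a separate file section of this commit. Quoting the variables also avoids word splitting should any of the names ever contain spaces.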
6 changes: 6 additions & 0 deletions CHANGELOG.md
Expand Up @@ -3,6 +3,12 @@ All notable changes to the Azure Pipelines extension will be documented in this

The format is based on [Keep a Changelog](http://keepachangelog.com/). Versioning follows an internal Azure DevOps format that is not compatible with SemVer.

## 1.247.3
### Added
- Added ESRP Esrp CodeSigning step
- Updated build generation to sign the VSIX
- Updated upload steps to upload VSIX, signature & manifest

## 1.237.0
### Added
- Added go-to-definition support for local templates (thanks @Stuart-Wilcox!)
4 changes: 2 additions & 2 deletions package-lock.json


2 changes: 1 addition & 1 deletion package.json
Expand Up @@ -2,7 +2,7 @@
"name": "azure-pipelines",
"displayName": "Azure Pipelines",
"description": "Syntax highlighting, IntelliSense, and more for Azure Pipelines YAML",
"version": "1.237.0",
"version": "1.247.3",
"publisher": "ms-azure-devops",
"aiKey": "AIF-d9b70cd4-b9f9-4d70-929b-a071c400b217",
"repository": {