From 5a52dbf8bb6dec37b1b76c99555896d631947091 Mon Sep 17 00:00:00 2001 From: Daniel Jurek Date: Tue, 26 Nov 2024 18:35:06 -0500 Subject: [PATCH] vscode signing (#4533) * Set up signing * Use branch for build-tools * ref naming * Path/Pattern * Add vsce publishing * Revert 1es-redirect.yml * Add file paths explicitly --- .../stages/vscode-publish-manual.yml | 1 + .../templates/stages/vscode-sign.yml | 11 ++++++++- .../templates/steps/publish-vscode.yml | 23 ++++++++++++++++++ eng/scripts/New-VsixSigningManifest.ps1 | 24 +++++++++++++++++++ 4 files changed, 58 insertions(+), 1 deletion(-) create mode 100644 eng/scripts/New-VsixSigningManifest.ps1 diff --git a/eng/pipelines/templates/stages/vscode-publish-manual.yml b/eng/pipelines/templates/stages/vscode-publish-manual.yml index 866dbb9e1..fc11d67f7 100644 --- a/eng/pipelines/templates/stages/vscode-publish-manual.yml +++ b/eng/pipelines/templates/stages/vscode-publish-manual.yml @@ -42,6 +42,7 @@ stages: PublishLocations: vscode/release/$(VSIX_VERSION);vscode/release/latest TagRepository: true UpdateShield: true + PublishToMarketplace: true - deployment: Increment_Version condition: >- diff --git a/eng/pipelines/templates/stages/vscode-sign.yml b/eng/pipelines/templates/stages/vscode-sign.yml index fee8d2193..cf33c73d7 100644 --- a/eng/pipelines/templates/stages/vscode-sign.yml +++ b/eng/pipelines/templates/stages/vscode-sign.yml 
@@ -22,10 +22,19 @@ stages: artifact: vsix path: vsix + - task: PowerShell@2 + inputs: + targetType: filePath + filePath: eng/scripts/New-VsixSigningManifest.ps1 + arguments: -Path $(Build.SourcesDirectory)\vsix + pwsh: true + displayName: Create signing manifest + - ${{ if in(variables['Build.Reason'], 'IndividualCI', 'BatchedCI', 'Manual') }}: - template: pipelines/steps/azd-vscode-signing.yml@azure-sdk-build-tools parameters: - VsixPath: vsix + Path: $(Build.SourcesDirectory)\vsix + Pattern: '*.signature.p7s' - ${{ else }}: - pwsh: Write-Host "Skipping signing. Build reason - $(Build.Reason)" diff --git a/eng/pipelines/templates/steps/publish-vscode.yml b/eng/pipelines/templates/steps/publish-vscode.yml index 88ad52d99..72dcabbcd 100644 --- a/eng/pipelines/templates/steps/publish-vscode.yml +++ b/eng/pipelines/templates/steps/publish-vscode.yml @@ -3,6 +3,7 @@ parameters: VsixVersion: $(VSIX_VERSION) UpdateShield: false StorageContainerName: azd + PublishToMarketplace: false steps: - task: DownloadPipelineArtifact@2 @@ -26,8 +27,13 @@ steps: - pwsh: | New-Item -ItemType Directory -Path release -Force Copy-Item signed/vsix/*.vsix release/ + Copy-Item signed/vsix/*.p7s release/ + Copy-Item signed/vsix/*.manifest release/ Write-Host "Signed:" Get-ChildItem signed/ + + Write-Host "Release:" + Get-ChildItem release/ displayName: Copy signed vsix to release location - task: AzurePowerShell@5 
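Review bot: Nothing after the signing template in vscode-sign.yml checks that each `*.signature.p7s` was actually replaced by a real signature. New-VsixSigningManifest.ps1 seeds that file with `Copy-Item $manifestName $signatureName`, so if signing is skipped (the `else` branch) or fails quietly, the artifact still carries a .p7s that is only a copy of the manifest. A short verification step after the template would catch this, for example `if ((Get-FileHash $sig).Hash -eq (Get-FileHash $manifest).Hash) { throw "unsigned placeholder: $sig" }` for each manifest/signature pair. Whether the azure-sdk-build-tools template already fails hard on a signing error is not visible on this page, so confirm that before relying on it.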
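Review bot: The signature file copied in the publish-vscode.yml copy step does not appear to have the name the publish step later in the same file asks for. New-VsixSigningManifest.ps1 names it `<base>.signature.p7s` and `Copy-Item signed/vsix/*.p7s release/` keeps that name, while the vsce call passes `--signaturePath "$($baseName).p7s"`. Unless the signing template renames the file (not visible here), the publish step should pass `--signaturePath "$($baseName).signature.p7s"`. A wildcard `Copy-Item` that matches nothing also succeeds silently, so a guard such as `if (-not (Test-Path release/*.p7s)) { throw "no signature file in release/" }` would stop a release that is missing its signature.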
@@ -76,3 +82,20 @@ steps:
 displayName: Create GitHub Release and upload artifacts
 env:
 GH_TOKEN: $(azuresdk-github-pat)
+
+ - ${{ if eq('true', parameters.PublishToMarketplace) }}:
+ - task: AzureCLI@2
+ displayName: Publish (using vsce)
+ inputs:
+ azureSubscription: azure-sdk-vsmarketplace
+ scriptType: pscore
+ scriptLocation: inlineScript
+ workingDirectory: release
+ inlineScript: |
+ npm install -g @vscode/vsce
+ $baseName = "azure-dev-${{ parameters.VsixVersion }}"
+ vsce publish `
+ --azure-credential `
+ --packagePath "$($baseName).vsix" `
+ --manifestPath "$($baseName).manifest" `
+ --signaturePath "$($baseName).p7s"
diff --git a/eng/scripts/New-VsixSigningManifest.ps1 b/eng/scripts/New-VsixSigningManifest.ps1
new file mode 100644
index 000000000..1ecd25122
--- /dev/null
+++ b/eng/scripts/New-VsixSigningManifest.ps1
@@ -0,0 +1,24 @@
+param(
+ [string]$Path = "$PSScriptRoot../../vsix"
+)
+
+$originalLocation = Get-Location
+try {
+ Set-Location $Path
+ $extensions = Get-ChildItem -Filter *.vsix -Recurse -File
+ foreach ($extension in $extensions) {
+ Write-Host "Generating signing manifest for $extension"
+ $manifestName = "$($extension.BaseName).manifest"
+ $signatureName = "$($extension.BaseName).signature.p7s"
+
+ npm exec --yes @vscode/vsce@latest -- generate-manifest --packagePath "$($extension.FullName)" -o $manifestName | Write-Host
+ if ($LASTEXITCODE) {
+ Write-Host "Failed to generate signing manifest for $extension"
+ exit $LASTEXITCODE
+ }
+
+ Copy-Item $manifestName $signatureName
+ }
+} finally {
+ Set-Location $originalLocation
+}
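Review bot: `npm install -g @vscode/vsce` resolves to whatever version is current at run time, inside a job that holds the `azure-sdk-vsmarketplace` service connection, so a compromised or broken release of vsce or one of its dependencies would run with publishing credentials. Pin an exact, reviewed version, e.g. `npm install -g @vscode/vsce@<pinned-version>`, and preferably install from a committed lockfile with `npm ci` so the transitive dependencies are fixed as well. The same applies to `npm exec --yes @vscode/vsce@latest` in eng/scripts/New-VsixSigningManifest.ps1, which produces the manifest that is then signed. Using one pinned version in both places also keeps manifest generation and publishing on the same tool behaviour.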
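Review bot: The default `$Path = "$PSScriptRoot../../vsix"` in New-VsixSigningManifest.ps1 is missing a separator after `$PSScriptRoot`, so it expands to `<script dir>../../vsix` instead of a path two levels above the script; it should read `"$PSScriptRoot/../../vsix"`. The pipeline passes `-Path` explicitly, so this only shows up when the script is run by hand. Separately, `-o $manifestName` and `Copy-Item $manifestName $signatureName` are relative to `$Path` while the search uses `-Recurse`, so a .vsix found in a subdirectory gets its manifest and signature placeholder written at the top level. Building both names with `Join-Path $extension.DirectoryName ...` would keep them next to the package they describe.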