# Overridden in the UI
trigger: none
pr: none

parameters:
  - name: runCompliance
    displayName: 'Run post-build compliance tasks (such as API Scan)'
    type: boolean
    default: false
  - name: buildAgent
    displayName: 'The build agent to use'
    type: object
    default:
      name: Maui-1ESPT
      image: 1ESPT-Windows2022
      os: windows

variables:
  - template: /scripts/azure-pipelines-variables.yml@self

resources:
  repositories:
    - repository: internal-templates
      type: github
      name: xamarin/yaml-templates
      endpoint: xamarin
      ref: refs/heads/main
    - repository: 1ESPipelineTemplates
      type: git
      name: 1ESPipelineTemplates/1ESPipelineTemplates
      ref: refs/tags/release

extends:
  template: v1/1ES.Official.PipelineTemplate.yml@1ESPipelineTemplates
  parameters:
    pool: ${{ parameters.buildAgent }}
    customBuildTags:
      - ES365AIMigrationTooling
    stages:

      - stage: build
        displayName: Build
        jobs:
          - job: build
            displayName: Build
            templateContext:
              sdl:
                apiscan:
                  enabled: true
                binskim:
                  enabled: true
                  break: false
                codeInspector:
                  enabled: true
                credscan:
                  enabled: true
                policheck:
                  enabled: true
                spotBugs:
                  enabled: false
              outputParentDirectory: 'output'
              outputs:
                - output: pipelineArtifact
                  displayName: 'Upload NuGets'
                  artifactName: 'nuget'
                  targetPath: 'output/nugets'
            steps:
              - template: /scripts/azure-pipelines-steps-prepare.yml@self
              - pwsh: dotnet cake --target=pack
                displayName: Pack NuGets
                env:
                  JavaSdkDirectory: $(JAVA_HOME)

      - stage: signing
        displayName: Sign NuGets
        dependsOn: build
        jobs:
          - template: sign-artifacts/jobs/v2.yml@internal-templates
            parameters:
              usePipelineArtifactTasks: true
              use1ESTemplate: true
              ${{ if or( eq(variables['Build.SourceBranch'], 'refs/heads/main'), startsWith(variables['Build.SourceBranch'], 'refs/heads/release/') ) }}:
                signType: 'Real'
              ${{ else }}:
                signType: 'Test'

      - ${{ if or( eq(variables['Build.Reason'], 'Schedule'), parameters.runCompliance ) }}:
        - template: security/apiscan/v0.yml@internal-templates
          parameters:
            windowsPoolName: ${{ parameters.buildAgent.name }}
            windowsImageOverride: ${{ parameters.buildAgent.image }}
            timeoutInMinutes: 480
            stageDependsOn:
             - build
            scanArtifacts:
             - nuget
            apiScanSoftwareName: SkiaSharp
            apiScanSoftwareVersionNum: $(MAJOR_VERSION)
            apiScanAuthConnectionString: 'runAs=App;AppId=$(ApiScanClientId)'
            preScanSteps:
              - pwsh: |
                  $nupkgs = (Get-ChildItem "$(Build.ArtifactStagingDirectory)\binaries-to-scan\*\*.*nupkg")
                  foreach ($nupkg in $nupkgs) {
                    $filename = $nupkg.Name.TrimEnd('.nupkg')
                    $dest = "$(Build.ArtifactStagingDirectory)\binaries-to-scan\nuget_symbols-extracted\$filename"
                    Write-Host "Extracting '$nupkg' to '$dest'..."
                    Expand-Archive $nupkg $dest
                    Remove-Item $nupkg
                  }
                displayName: Extract all the .nupkg files