[CI] Perform the classic sign-notarize of each pkg in parallel. (#14932)

Co-authored-by: Rolf Bjarne Kvinge <rolf@xamarin.com> Co-authored-by: TJ Lambert <50846373+tj-devel709@users.noreply.github.com>
2022-05-10 07:21:40 -04:00 · 2022-05-10 07:21:40 -04:00 · fb77743c21
--- a/tools/devops/automation/templates/sign-and-notarized/dotnet-signing.yml
+++ b/tools/devops/automation/templates/sign-and-notarized/dotnet-signing.yml
@ -49,11 +49,10 @@ steps:

 - template: publish-nugets.yml

-# upload each of the pkgs into the pipeline artifacts
+# always upload no matter what, since if we are not signing we need the artifact in the pipeline
 - task: PublishPipelineArtifact@1
  displayName: 'Publish Notarized Dotnet Artifacts'
  inputs:
    targetPath: $(Build.SourcesDirectory)/package
    artifactName: dotnet-signed
  continueOnError: true
-  condition: ${{ parameters.condition }}
--- a/tools/devops/automation/templates/sign-and-notarized/funnel.yml
+++ b/tools/devops/automation/templates/sign-and-notarized/funnel.yml
@ -1,4 +1,8 @@
 # funnel job that will download all the signed artifacts and puts them in the final location
+parameters:
+- name: packages
+  type: object
+
 steps:

 # DO NOT USE THE checkout.yml template. The reason is that the template changes the hash which results in a problem with the artifacts scripts
@ -17,19 +21,33 @@ steps:
 - checkout: release-scripts
  clean: true

+- bash: |
+    mkdir -p $(Build.SourcesDirectory)/package/notarized
+  displayName: 'Create target directories.'
+
 - task: DownloadPipelineArtifact@2
-  displayName: Download not notarized build
+  displayName: Download notarized build dotnet
  inputs:
    artifact: 'dotnet-signed'
    allowFailedBuilds: true
    path: $(Build.SourcesDirectory)/package

- task: DownloadPipelineArtifact@2
-  displayName: Download not notarized build
-  inputs:
-    artifact: 'classic-signed'
-    allowFailedBuilds: true
-    path: $(Build.SourcesDirectory)/package
+- ${{ each pkg in parameters.packages }}:
+  - task: DownloadPipelineArtifact@2
+    displayName: Download notarized build ${{ pkg.name }}
+    inputs:
+      artifact: 'classic-${{ pkg.name }}-signed'
+      allowFailedBuilds: true
+      path: '$(Build.ArtifactStagingDirectory)/classic-${{ pkg.name }}-signed'
+
+  - bash: |
+      set -x
+      set -e
+
+      FULL_PATH="$(Build.ArtifactStagingDirectory)/classic-${{ pkg.name }}-signed"
+      ls -lR $FULL_PATH
+      cp -a "$FULL_PATH/." "$(Build.SourcesDirectory)/package"
+    displayName: 'Move pkg ${{ pkg.name }} to its final destination'

 - template: generate-workspace-info.yml@templates
  parameters:
--- a/tools/devops/automation/templates/sign-and-notarized/prepare-pkg-stage.yml
+++ b/tools/devops/automation/templates/sign-and-notarized/prepare-pkg-stage.yml
@ -11,6 +11,41 @@ parameters:
  type: boolean
  default: false # only to be used when testing the CI and we do not need a signed pkg

+- name: packages
+  type: object
+  default: [
+    {
+      job: 'xamarin_ios_sign_notarize',
+      name: 'Xamarin.iOS',
+      pattern: 'xamarin.ios-*',
+    },
+    {
+      job: 'xamarin_mac_sing_notarie',
+      name: 'Xamarin.Mac',
+      pattern: 'xamarin.mac-*',
+    },
+    {
+      job: 'microsoft_ios_sign_notarize',
+      name: 'Microsoft.iOS',
+      pattern: 'Microsoft.iOS.Bundle*.pkg',
+    },
+    {
+      job: 'microsoft_tvos_sign_notarize',
+      name: 'Microsoft.tvOS',
+      pattern: 'Microsoft.tvOS.Bundle*.pkg',
+    },
+    {
+      job: 'microsoft_mac_sign_notarize',
+      name: 'Microsoft.macOS',
+      pattern: 'Microsoft.macOS.Bundle*.pkg',
+    },
+    {
+      job: 'microsoft_maccatalyst_sign_notarize',
+      name: 'Microsoft.MacCatalyst',
+      pattern: 'Microsoft.MacCatalyst.Bundle*.pkg',
+    },
+  ]
+
 jobs:
 - job: configure
  displayName: 'Configure build'
@ -24,21 +59,24 @@ jobs:
  steps:
  - template: ../common/configure.yml

- job: sign_notarize_classic
-  dependsOn:
-  - configure
-  displayName: 'Sign & Notarize Classic'
-  timeoutInMinutes: 1000
-  pool:
-    vmImage: internal-macos-11
-  workspace:
-    clean: all
+- ${{ each pkg in parameters.packages }}:
+  - job: ${{ pkg.job }}
+    dependsOn:
+    - configure
+    displayName: 'Sign & Notarize ${{ pkg.name }}'
+    timeoutInMinutes: 1000
+    pool:
+      vmImage: internal-macos-11
+    workspace:
+      clean: all

-  steps:
-  - template: sign-and-notarized.yml
-    parameters:
-      keyringPass: ${{ parameters.keyringPass }}
-      skipESRP: ${{ parameters.skipESRP }}
+    steps:
+    - template: sign-and-notarized.yml
+      parameters:
+        keyringPass: ${{ parameters.keyringPass }}
+        skipESRP: ${{ parameters.skipESRP }}
+        packageName: ${{ pkg.name }}
+        packagePattern: ${{ pkg.pattern }}

 - ${{ if eq(parameters.enableDotnet, true) }}:
  - job: sign_notarize_dotnet
@ -56,9 +94,10 @@ jobs:

 - job: funnel_job
  dependsOn:
-  - sign_notarize_classic
  - ${{ if eq(parameters.enableDotnet, true) }}:
-    - sign_notarize_dotnet 
+    - sign_notarize_dotnet
+  - ${{ each pkg in parameters.packages }}:
+    - ${{ pkg.job }}
  displayName: 'Collect signed artifacts'
  timeoutInMinutes: 1000
  pool:
@ -68,6 +107,8 @@ jobs:

  steps:
  - template: funnel.yml
+    parameters:
+      packages: ${{ parameters.packages }}


 # This job uploads the pkgs generated by the build step in the azure blob storage. This has to be done in a different job
@ -100,6 +141,7 @@ jobs:
  displayName: 'Publish GitHub Comment - Artifacts'
  timeoutInMinutes: 1000
  dependsOn:
+  - configure
  - upload_azure_blob
  condition: succeededOrFailed()
  variables:
--- a/tools/devops/automation/templates/sign-and-notarized/sign-and-notarized.yml
+++ b/tools/devops/automation/templates/sign-and-notarized/sign-and-notarized.yml
@ -12,6 +12,12 @@ parameters:
 - name: keyringPass
  type: string

+- name: packageName
+  type: string
+
+- name: packagePattern
+  type: string
+
 - name: condition
  default: and(succeeded(), eq(variables['IsPRBuild'], 'False'))

@ -23,7 +29,7 @@ steps:
  displayName: Download not notarized build
  inputs:
    artifact: 'not-signed-package'
-    patterns: '*.pkg'
+    patterns: ${{ parameters.packagePattern }}
    allowFailedBuilds: true
    path: $(Build.SourcesDirectory)/package

@ -31,68 +37,15 @@ steps:
    set -x
    set -e

-    # output vars for other steps to use and not need to recomputed the paths
-    IOS_PKG=$(find $(Build.SourcesDirectory)/package -type f -name "xamarin.ios-*" | xargs basename)
-    if [ -z "$IOS_PKG" ]; then
-      echo "Xamarin.iOS package not found."
+    PACKAGES=$(find $(Build.SourcesDirectory)/package -type f -name "${{ parameters.packagePattern }}" | xargs basename)
+    if [ -z "$PACKAGES" ]; then
+      echo "Packages ${{ parameters.packageName }} not found."
    else
-      IOS_PKG="$(Build.SourcesDirectory)/package/$IOS_PKG"
-      echo "##vso[task.setvariable variable=IOS_PKG;]$IOS_PKG"
-      echo "Xamarin.iOS package found at $IOS_PKG"
-    fi
-
-    MAC_PKG=$(find $(Build.SourcesDirectory)/package -type f -name "xamarin.mac-*" | xargs basename)
-    if [ -z "$MAC_PKG" ]; then
-      echo "Xamarin.Mac package not found."
-    else
-      MAC_PKG="$(Build.SourcesDirectory)/package/$MAC_PKG"
-      echo "##vso[task.setvariable variable=MAC_PKG;]$MAC_PKG"
-      echo "Xamarin.Mac package found at $MAC_PKG"
-    fi
-
-    IOS_DOTNET_PKG=$(find $(Build.SourcesDirectory)/package -type f -name "Microsoft.iOS.Bundle*.pkg" | xargs basename)
-    if [ -z "$IOS_DOTNET_PKG" ]; then
-      echo "Microsoft.iOS bundle not found."
-    else
-      IOS_DOTNET_PKG="$(Build.SourcesDirectory)/package/$IOS_DOTNET_PKG"
-      echo "##vso[task.setvariable variable=IOS_DOTNET_PKG;]$IOS_DOTNET_PKG"
-      echo "Microsoft.iOS bundle found at $IOS_DOTNET_PKG"
-    fi
-
-    TVOS_DOTNET_PKG=$(find $(Build.SourcesDirectory)/package -type f -name "Microsoft.tvOS.Bundle*.pkg" | xargs basename)
-    if [ -z "$TVOS_DOTNET_PKG" ]; then
-      echo "Microsoft.tvOS bundle not found."
-    else
-      TVOS_DOTNET_PKG="$(Build.SourcesDirectory)/package/$TVOS_DOTNET_PKG"
-      echo "##vso[task.setvariable variable=TVOS_DOTNET_PKG;]$TVOS_DOTNET_PKG"
-      echo "Microsoft.tvOS package found at $TVOS_DOTNET_PKG"
-    fi
-
-    WATCHOS_DOTNET_PKG=$(find $(Build.SourcesDirectory)/package -type f -name "Microsoft.watchOS.Bundle*.pkg" | xargs basename)
-    if [ -z "$WATCHOS_DOTNET_PKG" ]; then
-      echo "Microsoft.watchOS bundle not found."
-    else
-      WATCHOS_DOTNET_PKG="$(Build.SourcesDirectory)/package/$WATCHOS_DOTNET_PKG"
-      echo "##vso[task.setvariable variable=WATCHOS_DOTNET_PKG;]$WATCHOS_DOTNET_PKG"
-      echo "Microsoft.watchOS package found at $WATCHOS_DOTNET_PKG"
-    fi
-
-    MACOS_DOTNET_PKG=$(find $(Build.SourcesDirectory)/package -type f -name "Microsoft.macOS.Bundle*.pkg" | xargs basename)
-    if [ -z "$MACOS_DOTNET_PKG" ]; then
-      echo "Microsoft.macOS bundle not found."
-    else
-      MACOS_DOTNET_PKG="$(Build.SourcesDirectory)/package/$MACOS_DOTNET_PKG"
-      echo "##vso[task.setvariable variable=MACOS_DOTNET_PKG;]$MACOS_DOTNET_PKG"
-      echo "Microsoft.macOS package found at $MACOS_DOTNET_PKG"
-    fi
-
-    MACCATALYST_DOTNET_PKG=$(find $(Build.SourcesDirectory)/package -type f -name "Microsoft.MacCatalyst.Bundle*.pkg" | xargs basename)
-    if [ -z "$MACCATALYST_DOTNET_PKG" ]; then
-      echo "Microsoft.MacCatalyst bundle not found."
-    else
-      MACCATALYST_DOTNET_PKG="$(Build.SourcesDirectory)/package/$MACCATALYST_DOTNET_PKG"
-      echo "##vso[task.setvariable variable=MACCATALYST_DOTNET_PKG;]$MACCATALYST_DOTNET_PKG"
-      echo "Microsoft.MacCatalyst package found at $MACCATALYST_DOTNET_PKG"
+      PACKAGES_PATH="$(Build.SourcesDirectory)/package/$PACKAGES"
+      set +x
+      echo "##vso[task.setvariable variable=PACKAGES;]$PACKAGES_PATH"
+      echo "${{ parameters.packageName }} package found at $PACKAGES_PATH"
+      set -x
    fi
  displayName: 'Retrieve packages to sign'
  condition: ${{ parameters.condition }}
@ -101,9 +54,6 @@ steps:
 - ${{ if or(eq(parameters.skipESRP, true), eq(variables['IsPR'], 'True')) }}:
  - bash: |
      security unlock-keychain -p $PRODUCTSIGN_KEYCHAIN_PASSWORD builder.keychain
-      PACKAGES="$IOS_PKG $MAC_PKG $IOS_DOTNET_PKG $TVOS_DOTNET_PKG $WATCHOS_DOTNET_PKG $MACOS_DOTNET_PKG $MACCATALYST_DOTNET_PKG"
-      echo "Packages found at $PACKAGES"
-
      echo "$PACKAGES" | xargs python $(Build.SourcesDirectory)/release-scripts/sign_and_notarize.py --no_notarization -a "$APP_ID" -i "$INSTALL_ID" -u "$APPLE_ACCOUNT" -p "$APPLE_PASS" -t "$TEAM_ID" -d $(Build.SourcesDirectory)/package/notarized -e "$MAC_ENTITLEMENTS" -k "$KEYCHAIN"
    env:
      PRODUCTSIGN_KEYCHAIN_PASSWORD: ${{ parameters.keyringPass }}
@ -122,8 +72,6 @@ steps:
 - ${{ else }}:
  - bash: |
      security unlock-keychain -p $PRODUCTSIGN_KEYCHAIN_PASSWORD builder.keychain
-      PACKAGES="$IOS_PKG $MAC_PKG $IOS_DOTNET_PKG $TVOS_DOTNET_PKG $WATCHOS_DOTNET_PKG $MACOS_DOTNET_PKG $MACCATALYST_DOTNET_PKG"
-      echo "Packages found at $PACKAGES"
      if [[ "$SYSTEM_DEBUG" == "true" ]]; then
        export ESRP_TEMP="$WORKING_DIR/esrp"
        echo "Temp dir is $ESRP_TEMP"
@ -155,7 +103,7 @@ steps:
  displayName: 'Publish Artifact: ESRP temp'
  inputs:
    targetPath: '$(Build.ArtifactStagingDirectory)/esrp.zip'
-    artifactName: ESRP-tmp
+    artifactName: ESRP-tmp-${{ parameters.packageName }}
  continueOnError: true
  condition: and(${{ parameters.condition }}, eq(variables['System.debug'], 'true'))

@ -165,11 +113,10 @@ steps:
  displayName: 'Notarize & verify packages (ESRP)'
  condition: ${{ parameters.condition }}

-# upload each of the pkgs into the pipeline artifacts
+# always upload no matter what, since if we are not signing we need the artifact in the pipeline
 - task: PublishPipelineArtifact@1
  displayName: 'Publish Notarized Classic Artifacts'
  inputs:
    targetPath: $(Build.SourcesDirectory)/package
-    artifactName: classic-signed
+    artifactName: classic-${{ parameters.packageName }}-signed
  continueOnError: true
-  condition: ${{ parameters.condition }}