Pipeline-ify release process

andyleejordan · andyleejordan · commit 35704b8474a3 · 2021-07-28T14:59:51.000-07:00
This sets up the Azure DevOps release pipeline to not only build, test,
and sign the bits for a release (and to do so using signed
PowerShellEditorServices bits), but to automatically create the GitHub
draft release where it directly uploads the artifacts. After manual
approval, it will automatically publish the extension and installation
script to their respective registries (the Visual Studio Code
marketplace and the PowerShell Gallery). Best of all, this process is
kicked off automatically after a successful release build of
PowerShellEditorServices.
diff --git a/.vsts-ci/azure-pipelines-release.yml b/.vsts-ci/azure-pipelines-release.yml
@@ -14,21 +14,71 @@ resources:
   repositories:
   - repository: ComplianceRepo
     type: github
-    endpoint: ComplianceGHRepo
+    endpoint: GitHub
     name: PowerShell/Compliance
+
+  - repository: PowerShellEditorServices
+    type: git
+    name: PowerShellEditorServices
+    ref: release
+
   pipelines:
   - pipeline: PowerShellEditorServices
     source: PowerShellEditorServices
-    trigger: true
-
-
-jobs:
-- job: 'ReleaseBuild'
-  displayName: 'Build release'
-  pool:
-    name: '1ES'
-    demands: ImageOverride -equals MMS2019
-  variables:
-  - group: ESRP
-  steps:
-  - template: templates/release-general.yml
+    trigger:
+      branches:
+      - release
+
+stages:
+- stage: Build
+  displayName: Build the release
+  jobs:
+  - job: Build
+    pool:
+      vmImage: windows-2019
+    steps:
+    - template: templates/ci-general.yml
+      parameters:
+        usePipelineArtifact: true
+
+- stage: Sign
+  displayName: Sign the release
+  jobs:
+  - job: Sign
+    pool:
+      name: 1ES
+      demands: ImageOverride -equals MMS2019
+    variables:
+    - group: ESRP
+    steps:
+    - template: templates/release-general.yml
+
+- stage: PublishGitHub
+  displayName: Publish the draft release
+  jobs:
+  - deployment: Publish
+    environment: vscode-powershell-github
+    pool:
+      vmImage: ubuntu-latest
+    variables:
+    - group: Publish
+    strategy:
+      runOnce:
+        deploy:
+          steps:
+          - template: templates/publish-github.yml
+
+- stage: PublishMarkets
+  displayName: Publish to marketplace and gallery
+  jobs:
+  - deployment: Publish
+    environment: vscode-powershell-markets
+    pool:
+      vmImage: ubuntu-latest
+    variables:
+    - group: Publish
+    strategy:
+      runOnce:
+        deploy:
+          steps:
+          - template: templates/publish-markets.yml
diff --git a/.vsts-ci/templates/publish-github.yml b/.vsts-ci/templates/publish-github.yml
@@ -0,0 +1,11 @@
+steps:
+- checkout: self
+
+- download: current
+  artifact: vscode-powershell
+  displayName: Download signed artifacts
+
+- pwsh: |
+    $(Build.SourcesDirectory)/tools/setupReleaseTools.ps1 -Token $(GitHubToken)
+    New-DraftRelease -RepositoryName vscode-powershell -Assets $(Pipeline.Workspace)/vscode-powershell/powershell-*.vsix,$(Pipeline.Workspace)/vscode-powershell/Install-VSCode.ps1
+  displayName: Drafting a GitHub Release
diff --git a/.vsts-ci/templates/publish-markets.yml b/.vsts-ci/templates/publish-markets.yml
@@ -0,0 +1,17 @@
+steps:
+- checkout: self
+
+- download: current
+  artifact: vscode-powershell
+  displayName: Download signed artifacts
+
+- pwsh: |
+    npm install -g vsce
+    vsce publish --packagePath $(Pipeline.Workspace)/powershell-*.vsix --pat $(VsceToken)
+  displayName: Publishing VSIX to VS Code Marketplace
+
+# NOTE: We rarely update this script, so we can ignore errors from the gallery
+# caused by us trying to re-publish an updated script.
+- pwsh: |
+    Publish-Script -Path $(Pipeline.Workspace)/Install-VSCode.ps1 -ErrorAction Continue -NuGetApiKey $(GalleryToken)
+  displayName: Publishing Install-VSCode.ps1 to PowerShell Gallery
diff --git a/.vsts-ci/templates/release-general.yml b/.vsts-ci/templates/release-general.yml
@@ -1,70 +1,47 @@
 steps:
-- checkout: self
-
-- pwsh: |
-    Get-ChildItem -Path env:
-  displayName: Capture environment
-  condition: succeededOrFailed()
-
-- task: DownloadPipelineArtifact@2
-  displayName: 'Download Artifacts from PowerShellEditorServices'
-  inputs:
-    source: specific
-    project: 'PowerShellEditorServices'
-    pipeline: 36
-    preferTriggeringPipeline: true
-    allowPartiallySucceededBuilds: true
-    artifact: 'PowerShellEditorServices'
-    path: '$(Build.SourcesDirectory)/PowerShellEditorServices/module/'
-
-- pwsh: |
-    New-Item -ItemType Directory $(Build.ArtifactStagingDirectory)/vscode-powershell
-    Install-Module InvokeBuild -Force
-    Invoke-Build Release
-  workingDirectory: '$(Build.SourcesDirectory)/vscode-powershell'
-
-- task: PublishTestResults@2
-  inputs:
-    testRunner: JUnit
-    testResultsFiles: '**/test-results.xml'
-  condition: succeededOrFailed()
+- download: current
+  displayName: Download pipeline artifacts
 
 - checkout: ComplianceRepo
 
 - template: EsrpSign.yml@ComplianceRepo
   parameters:
-    buildOutputPath: '$(Build.ArtifactStagingDirectory)/vscode-powershell'
-    signOutputPath: '$(Build.ArtifactStagingDirectory)/Signed'
-    alwaysCopy: true # So publishing works
-    certificateId: 'CP-230012' # Authenticode certificate
-    useMinimatch: true # This enables the use of globbing
+    buildOutputPath: $(Pipeline.Workspace)/vscode-powershell-unsigned-script-*
+    signOutputPath: $(Pipeline.Workspace)/signed
+    alwaysCopy: true
+    certificateId: CP-230012 # Authenticode certificate
     shouldSign: true # We always want to sign
     # NOTE: Code AKA *.vsix files are not signed
-    pattern: |
-      Install-VSCode.ps1
+    pattern: Install-VSCode.ps1
+
+# NOTE: Because the scan template doesn't copy (unlike the sign template), we do
+# it ourselves so that we can publish one finished artifact.
+- pwsh: Copy-Item -Path $(Pipeline.Workspace)/vscode-powershell-vsix-*/*.vsix -Destination $(Pipeline.Workspace)/signed -Verbose
+  displayName: Copy extension to signed folder
 
 - template: EsrpScan.yml@ComplianceRepo
   parameters:
-      scanPath: $(Build.ArtifactStagingDirectory)/Signed
-      pattern: |
-        *.vsix
+    scanPath: $(Pipeline.Workspace)/signed
+    pattern: powershell-*.vsix
 
-- publish: $(Build.ArtifactStagingDirectory)/Signed
-  artifact: vscode-powershell
-  displayName: 'Publish signed (and unsigned) artifacts'
+- checkout: self
 
 - template: script-module-compliance.yml@ComplianceRepo
   parameters:
     # component-governance
-    sourceScanPath: '$(Build.SourcesDirectory)/vscode-powershell'
+    sourceScanPath: $(Build.SourcesDirectory)/vscode-powershell
     # credscan
-    suppressionsFile: '$(Build.SourcesDirectory)/vscode-powershell/tools/credScan/suppress.json'
+    suppressionsFile: $(Build.SourcesDirectory)/vscode-powershell/tools/credScan/suppress.json
     # TermCheck AKA PoliCheck
-    targetArgument: '$(Build.SourcesDirectory)/vscode-powershell'
-    optionsUEPATH: '$(Build.SourcesDirectory)/vscode-powershell/tools/terms/UserExclusions.xml'
+    targetArgument: $(Build.SourcesDirectory)/vscode-powershell
+    optionsUEPATH: $(Build.SourcesDirectory)/vscode-powershell/tools/terms/UserExclusions.xml
     optionsRulesDBPath: ''
-    optionsFTPath: '$(Build.SourcesDirectory)/vscode-powershell/tools/terms/FileTypeSet.xml'
+    optionsFTPath: $(Build.SourcesDirectory)/vscode-powershell/tools/terms/FileTypeSet.xml
     # tsa-upload
-    codeBaseName: 'PowerShell_PowerShellEditorServices_20210201'
+    codeBaseName: PowerShell_PowerShellEditorServices_20210201
     # We don't use any Windows APIs directly, so we don't need API scan
     APIScan: false
+
+- publish: $(Pipeline.Workspace)/signed
+  artifact: vscode-powershell
+  displayName: Publish signed artifacts
