From cef1e914b3bdb2d8cf594c7fade638cf26c2d6f9 Mon Sep 17 00:00:00 2001 From: deepak1556 Date: Mon, 15 Feb 2021 20:35:01 -0800 Subject: [PATCH 01/21] ci: [mac] Unify tasks between different flavors --- .../darwin/product-build-darwin.yml | 87 +++++++++++-------- .../azure-pipelines/darwin/publish-client.sh | 23 +++++ .../darwin/{publish.sh => publish-server.sh} | 14 --- .../publish-types/update-types.js | 2 +- build/darwin/create-universal-app.js | 4 +- build/darwin/create-universal-app.ts | 4 +- 6 files changed, 79 insertions(+), 55 deletions(-) create mode 100755 build/azure-pipelines/darwin/publish-client.sh rename build/azure-pipelines/darwin/{publish.sh => publish-server.sh} (57%) diff --git a/build/azure-pipelines/darwin/product-build-darwin.yml b/build/azure-pipelines/darwin/product-build-darwin.yml index 2c6cf3ddea187..439726aa20e91 100644 --- a/build/azure-pipelines/darwin/product-build-darwin.yml +++ b/build/azure-pipelines/darwin/product-build-darwin.yml @@ -119,16 +119,6 @@ steps: displayName: Rebuild native modules for ARM64 condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'arm64')) - - download: current - artifact: vscode-darwin-x64 - displayName: Download x64 artifact - condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'universal')) - - - download: current - artifact: vscode-darwin-arm64 - displayName: Download arm64 artifact - condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'universal')) - - script: | set -e node build/azure-pipelines/mixin @@ -138,7 +128,7 @@ steps: set -e VSCODE_MIXIN_PASSWORD="$(github-distro-mixin-password)" \ yarn gulp vscode-darwin-$(VSCODE_ARCH)-min-ci - displayName: Build + displayName: Build client condition: and(succeeded(), ne(variables['VSCODE_ARCH'], 'universal')) - script: | 
@@ -150,14 +140,6 @@ steps: displayName: Build Server condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64')) - - script: | - set -e - unzip $(Pipeline.Workspace)/vscode-darwin-x64/VSCode-darwin-x64.zip -d $(agent.builddirectory)/vscode-x64 - unzip $(Pipeline.Workspace)/vscode-darwin-arm64/VSCode-darwin-arm64.zip -d $(agent.builddirectory)/vscode-arm64 - DEBUG=* node build/darwin/create-universal-app.js - displayName: Create Universal App - condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'universal')) - - script: | set -e VSCODE_MIXIN_PASSWORD="$(github-distro-mixin-password)" \ @@ -165,6 +147,26 @@ steps: displayName: Download Electron and Playwright condition: and(succeeded(), ne(variables['VSCODE_ARCH'], 'universal'), eq(variables['VSCODE_STEP_ON_IT'], 'false')) + - download: current + artifact: vscode-darwin-x64 + displayName: Download x64 artifact + condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'universal')) + + - download: current + artifact: vscode-darwin-arm64 + displayName: Download arm64 artifact + condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'universal')) + + - script: | + set -e + cp $(Pipeline.Workspace)/vscode-darwin-x64/VSCode-darwin-x64.zip $(agent.builddirectory)/VSCode-darwin-x64.zip + cp $(Pipeline.Workspace)/vscode-darwin-arm64/VSCode-darwin-arm64.zip $(agent.builddirectory)/VSCode-darwin-arm64.zip + unzip $(agent.builddirectory)/VSCode-darwin-x64.zip -d $(agent.builddirectory)/VSCode-darwin-x64 + unzip $(agent.builddirectory)/VSCode-darwin-arm64.zip -d $(agent.builddirectory)/VSCode-darwin-arm64 + DEBUG=* node build/darwin/create-universal-app.js + displayName: Create Universal App + condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'universal')) + - script: | set -e security create-keychain -p pwd $(agent.tempdirectory)/buildagent.keychain 
@@ -173,9 +175,11 @@ steps: echo "$(macos-developer-certificate)" | base64 -D > $(agent.tempdirectory)/cert.p12 security import $(agent.tempdirectory)/cert.p12 -k $(agent.tempdirectory)/buildagent.keychain -P "$(macos-developer-certificate-key)" -T /usr/bin/codesign security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k pwd $(agent.tempdirectory)/buildagent.keychain - VSCODE_ARCH="$(VSCODE_ARCH)" DEBUG=electron-osx-sign* node build/darwin/sign.js + VSCODE_ARCH=x64 DEBUG=electron-osx-sign* node build/darwin/sign.js + VSCODE_ARCH=arm64 DEBUG=electron-osx-sign* node build/darwin/sign.js + VSCODE_ARCH=universal DEBUG=electron-osx-sign* node build/darwin/sign.js displayName: Set Hardened Entitlements - condition: and(succeeded(), ne(variables['VSCODE_PUBLISH'], 'false')) + condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'universal'), ne(variables['VSCODE_PUBLISH'], 'false')) - script: | set -e @@ -288,7 +292,7 @@ steps: inputs: ConnectedServiceName: "ESRP CodeSign" FolderPath: "$(agent.builddirectory)" - Pattern: "VSCode-darwin-$(VSCODE_ARCH).zip" + Pattern: "VSCode-darwin-*.zip" signConfigType: inlineSignParams inlineOperation: | [ @@ -307,12 +311,14 @@ steps: ] SessionTimeout: 60 displayName: Codesign - condition: and(succeeded(), ne(variables['VSCODE_PUBLISH'], 'false')) + condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'universal'), ne(variables['VSCODE_PUBLISH'], 'false')) - script: | - zip -d $(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH).zip "*.pkg" + zip -d $(agent.builddirectory)/VSCode-darwin-x64.zip "*.pkg" + zip -d $(agent.builddirectory)/VSCode-darwin-arm64.zip "*.pkg" + zip -d $(agent.builddirectory)/VSCode-darwin-universal.zip "*.pkg" displayName: Clean - condition: and(succeeded(), ne(variables['VSCODE_PUBLISH'], 'false')) + condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'universal'), ne(variables['VSCODE_PUBLISH'], 'false')) - script: | APP_ROOT=$(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH) 
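Review bot: The three `sign.js` runs added to Set Hardened Entitlements presumably act on the unpacked `VSCode-darwin-x64`, `-arm64` and `-universal` directories, but nothing visible in this patch re-archives the x64 and arm64 directories afterwards. If the Archive build step (outside this hunk) still zips only `VSCode-darwin-$(VSCODE_ARCH)`, the `VSCode-darwin-x64.zip` and `VSCode-darwin-arm64.zip` that reach Codesign, Notarization and publish are the copies made with `cp` before `sign.js` ran, without the hardened entitlements. Either re-zip all three directories after this step or add a check that each archive's app carries the expected entitlements before it is submitted.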
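Review bot: `Pattern: "VSCode-darwin-*.zip"` makes the Codesign task submit every matching zip in `$(agent.builddirectory)` for production signing, not just the three archives this job intends to ship; the Notarization task in the `@@ -320,13 +326,13 @@` hunk has the same glob. A stray or stale file with that prefix in the build directory would be signed as well. Listing the expected names keeps the signing scope explicit, for example `Pattern: "VSCode-darwin-x64.zip,VSCode-darwin-arm64.zip,VSCode-darwin-universal.zip"`, assuming the ESRP task accepts a comma-separated list; confirm that against its documentation.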
@@ -320,13 +326,13 @@ steps: BUNDLE_IDENTIFIER=$(node -p "require(\"$APP_ROOT/$APP_NAME/Contents/Resources/app/product.json\").darwinBundleIdentifier") echo "##vso[task.setvariable variable=BundleIdentifier]$BUNDLE_IDENTIFIER" displayName: Export bundle identifier - condition: and(succeeded(), ne(variables['VSCODE_PUBLISH'], 'false')) + condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'universal'), ne(variables['VSCODE_PUBLISH'], 'false')) - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1 inputs: ConnectedServiceName: "ESRP CodeSign" FolderPath: "$(agent.builddirectory)" - Pattern: "VSCode-darwin-$(VSCODE_ARCH).zip" + Pattern: "VSCode-darwin-*.zip" signConfigType: inlineSignParams inlineOperation: | [ @@ -345,7 +351,7 @@ steps: ] SessionTimeout: 60 displayName: Notarization - condition: and(succeeded(), ne(variables['VSCODE_PUBLISH'], 'false')) + condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'universal'), ne(variables['VSCODE_PUBLISH'], 'false')) - script: | set -e @@ -353,7 +359,7 @@ steps: APP_NAME="`ls $APP_ROOT | head -n 1`" "$APP_ROOT/$APP_NAME/Contents/Resources/app/bin/code" --export-default-configuration=.build displayName: Verify start after signing (export configuration) - condition: and(succeeded(), ne(variables['VSCODE_ARCH'], 'arm64'), ne(variables['VSCODE_PUBLISH'], 'false')) + condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'universal'), ne(variables['VSCODE_PUBLISH'], 'false')) - script: | set -e 
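Review bot: Changing the condition on Verify start after signing to `eq(variables['VSCODE_ARCH'], 'universal')` means only one app is launched after signing, while this job now signs and publishes three archives. The x64 build was covered by the previous `ne(variables['VSCODE_ARCH'], 'arm64')` condition and no longer is, so a signing or entitlement problem specific to it would be published without any launch check. Consider running the `--export-default-configuration` check against the `VSCode-darwin-x64` directory in this step as well. The script body starts outside the hunk, so which directory `APP_ROOT` points at is inferred from the sibling steps.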
@@ -361,15 +367,24 @@ steps: AZURE_DOCUMENTDB_MASTERKEY="$(builds-docdb-key-readwrite)" \ AZURE_STORAGE_ACCESS_KEY="$(ticino-storage-key)" \ AZURE_STORAGE_ACCESS_KEY_2="$(vscode-storage-key)" \ - VSCODE_ARCH="$(VSCODE_ARCH)" \ - ./build/azure-pipelines/darwin/publish.sh - displayName: Publish - condition: and(succeeded(), ne(variables['VSCODE_PUBLISH'], 'false')) + ./build/azure-pipelines/darwin/publish-client.sh + displayName: Publish Clients + condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'universal'), ne(variables['VSCODE_PUBLISH'], 'false')) + + - script: | + set -e + VSCODE_MIXIN_PASSWORD="$(github-distro-mixin-password)" \ + AZURE_DOCUMENTDB_MASTERKEY="$(builds-docdb-key-readwrite)" \ + AZURE_STORAGE_ACCESS_KEY="$(ticino-storage-key)" \ + AZURE_STORAGE_ACCESS_KEY_2="$(vscode-storage-key)" \ + VSCODE_ARCH="$(VSCODE_ARCH)" ./build/azure-pipelines/darwin/publish-server.sh + displayName: Publish Servers + condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'), ne(variables['VSCODE_PUBLISH'], 'false')) - publish: $(Agent.BuildDirectory)/VSCode-darwin-$(VSCODE_ARCH).zip artifact: vscode-darwin-$(VSCODE_ARCH) - displayName: Publish archive - condition: and(succeeded(), ne(variables['VSCODE_PUBLISH'], 'false')) + displayName: Publish client archive + condition: and(succeeded(), ne(variables['VSCODE_ARCH'], 'universal'), ne(variables['VSCODE_PUBLISH'], 'false')) - publish: $(Agent.BuildDirectory)/vscode-server-darwin.zip artifact: vscode-server-darwin-$(VSCODE_ARCH) @@ -386,5 +401,5 @@ steps: VSCODE_ARCH="$(VSCODE_ARCH)" \ yarn gulp upload-vscode-configuration displayName: Upload configuration (for Bing settings search) - condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'), ne(variables['VSCODE_PUBLISH'], 'false')) + condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'universal'), ne(variables['VSCODE_PUBLISH'], 'false')) continueOnError: true 
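Review bot: The new Publish Servers step puts four secrets into the script text through macro expansion (`AZURE_DOCUMENTDB_MASTERKEY="$(builds-docdb-key-readwrite)"` and the three beside it), as Publish Clients does just above. The values are substituted into the script before bash parses it, so a secret containing a quote, `$` or backtick changes the command, and the expanded script exists as a file on the agent. Mapping them through the step's `env:` block keeps the values out of the script body; the same change applies to Publish Clients.

```yaml
  - script: |
      set -e
      ./build/azure-pipelines/darwin/publish-server.sh
    env:
      VSCODE_MIXIN_PASSWORD: $(github-distro-mixin-password)
      AZURE_DOCUMENTDB_MASTERKEY: $(builds-docdb-key-readwrite)
      AZURE_STORAGE_ACCESS_KEY: $(ticino-storage-key)
      AZURE_STORAGE_ACCESS_KEY_2: $(vscode-storage-key)
      VSCODE_ARCH: $(VSCODE_ARCH)
    displayName: Publish Servers
    # … unchanged: condition …
```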
diff --git a/build/azure-pipelines/darwin/publish-client.sh b/build/azure-pipelines/darwin/publish-client.sh new file mode 100755 index 0000000000000..7159f824ceaa6 --- /dev/null +++ b/build/azure-pipelines/darwin/publish-client.sh @@ -0,0 +1,23 @@ +#!/usr/bin/env bash +set -e + +# publish the x64 build +node build/azure-pipelines/common/createAsset.js \ + "darwin" \ + archive \ + "VSCode-darwin.zip" \ + ../VSCode-darwin-x64.zip + +# publish the arm64 build +node build/azure-pipelines/common/createAsset.js \ + "darwin-arm64" \ + archive \ + "VSCode-darwin-arm64.zip" \ + ../VSCode-darwin-arm64.zip + +# publish the universal build +node build/azure-pipelines/common/createAsset.js \ + "darwin-universal" \ + archive \ + "VSCode-darwin-universal.zip" \ + ../VSCode-darwin-universal.zip diff --git a/build/azure-pipelines/darwin/publish.sh b/build/azure-pipelines/darwin/publish-server.sh similarity index 57% rename from build/azure-pipelines/darwin/publish.sh rename to build/azure-pipelines/darwin/publish-server.sh index df5b9770c1e5b..72a85942d5a54 100755 --- a/build/azure-pipelines/darwin/publish.sh +++ b/build/azure-pipelines/darwin/publish-server.sh @@ -1,20 +1,6 @@ #!/usr/bin/env bash set -e -# Publish DEB -case $VSCODE_ARCH in - x64) ASSET_ID="darwin" ;; - arm64) ASSET_ID="darwin-arm64" ;; - universal) ASSET_ID="darwin-universal" ;; -esac - -# publish the build -node build/azure-pipelines/common/createAsset.js \ - "$ASSET_ID" \ - archive \ - "VSCode-$ASSET_ID.zip" \ - ../VSCode-darwin-$VSCODE_ARCH.zip - if [ "$VSCODE_ARCH" == "x64" ]; then # package Remote Extension Host pushd .. && mv vscode-reh-darwin vscode-server-darwin && zip -Xry vscode-server-darwin.zip vscode-server-darwin && popd diff --git a/build/azure-pipelines/publish-types/update-types.js b/build/azure-pipelines/publish-types/update-types.js index 0957c5a894e0c..3ceb35bdb5c02 100644 --- a/build/azure-pipelines/publish-types/update-types.js +++ b/build/azure-pipelines/publish-types/update-types.js 
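Review bot: The new `publish-client.sh` does not document what it expects from its caller: it resolves `build/azure-pipelines/common/createAsset.js` and `../VSCode-darwin-x64.zip` relative to the working directory and relies on credentials already being in the environment. Because of `set -e`, a failure on the second or third upload stops the script after earlier assets have already been published. A header comment would make both explicit, for example `# Run from the repo root; expects VSCode-darwin-{x64,arm64,universal}.zip in the parent directory.` followed by `# Stops at the first failed upload; assets published before that are not rolled back.` Whether the archives at those paths are the signed ones depends on pipeline step order, which the script itself does not check.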
@@ -60,7 +60,7 @@ function getNewFileHeader(tag) { `/*---------------------------------------------------------------------------------------------`, ` * Copyright (c) Microsoft Corporation. All rights reserved.`, ` * Licensed under the MIT License.`, - ` * See https://github.com/microsoft/vscode/blob/master/LICENSE.txt for license information.`, + ` * See https://github.com/microsoft/vscode/blob/main/LICENSE.txt for license information.`, ` *--------------------------------------------------------------------------------------------*/`, ``, `/**`, diff --git a/build/darwin/create-universal-app.js b/build/darwin/create-universal-app.js index bcd51d37057e6..6e4acb28f3527 100644 --- a/build/darwin/create-universal-app.js +++ b/build/darwin/create-universal-app.js @@ -16,8 +16,8 @@ async function main() { throw new Error('$AGENT_BUILDDIRECTORY not set'); } const appName = product.nameLong + '.app'; - const x64AppPath = path.join(buildDir, 'vscode-x64', appName); - const arm64AppPath = path.join(buildDir, 'vscode-arm64', appName); + const x64AppPath = path.join(buildDir, 'VSCode-darwin-x64', appName); + const arm64AppPath = path.join(buildDir, 'VSCode-darwin-arm64', appName); const x64AsarPath = path.join(x64AppPath, 'Contents', 'Resources', 'app', 'node_modules.asar'); const arm64AsarPath = path.join(arm64AppPath, 'Contents', 'Resources', 'app', 'node_modules.asar'); const outAppPath = path.join(buildDir, `VSCode-darwin-${arch}`, appName); diff --git a/build/darwin/create-universal-app.ts b/build/darwin/create-universal-app.ts index c42d43c78a6ba..0ec9e2a587799 100644 --- a/build/darwin/create-universal-app.ts +++ b/build/darwin/create-universal-app.ts 
@@ -20,8 +20,8 @@ async function main() { } const appName = product.nameLong + '.app'; - const x64AppPath = path.join(buildDir, 'vscode-x64', appName); - const arm64AppPath = path.join(buildDir, 'vscode-arm64', appName); + const x64AppPath = path.join(buildDir, 'VSCode-darwin-x64', appName); + const arm64AppPath = path.join(buildDir, 'VSCode-darwin-arm64', appName); const x64AsarPath = path.join(x64AppPath, 'Contents', 'Resources', 'app', 'node_modules.asar'); const arm64AsarPath = path.join(arm64AppPath, 'Contents', 'Resources', 'app', 'node_modules.asar'); const outAppPath = path.join(buildDir, `VSCode-darwin-${arch}`, appName); From abb35f6962814e958d9dd386de0fd0c6738b68b4 Mon Sep 17 00:00:00 2001 From: Tyler James Leonhardt Date: Wed, 17 Feb 2021 23:23:34 +0000 Subject: [PATCH 02/21] take 3 --- .../darwin/product-build-darwin-sign.yml | 181 +++++++++++++ .../darwin/product-build-darwin.yml | 254 +++++++++--------- build/azure-pipelines/product-build.yml | 27 ++ 3 files changed, 339 insertions(+), 123 deletions(-) create mode 100644 build/azure-pipelines/darwin/product-build-darwin-sign.yml diff --git a/build/azure-pipelines/darwin/product-build-darwin-sign.yml b/build/azure-pipelines/darwin/product-build-darwin-sign.yml new file mode 100644 index 0000000000000..507e3bb9d0a23 --- /dev/null +++ b/build/azure-pipelines/darwin/product-build-darwin-sign.yml 
@@ -0,0 +1,181 @@ +steps: + - task: NodeTool@0 + inputs: + versionSpec: "12.18.3" + + - task: AzureKeyVault@1 + displayName: "Azure Key Vault: Get Secrets" + inputs: + azureSubscription: "vscode-builds-subscription" + KeyVaultName: vscode + + - script: | + set -e + cat << EOF > ~/.netrc + machine github.com + login vscode + password $(github-distro-mixin-password) + EOF + + git config user.email "vscode@microsoft.com" + git config user.name "VSCode" + displayName: Prepare tooling + + - script: | + set -e + git pull --no-rebase https://github.com/$(VSCODE_MIXIN_REPO).git $(node -p "require('./package.json').distro") + displayName: Merge distro + + - script: | + mkdir -p .build + node build/azure-pipelines/common/computeNodeModulesCacheKey.js $VSCODE_ARCH $ENABLE_TERRAPIN > .build/yarnlockhash + displayName: Prepare yarn cache flags + + - task: Cache@2 + inputs: + key: 'nodeModules | $(Agent.OS) | .build/yarnlockhash' + path: .build/node_modules_cache + cacheHitVar: NODE_MODULES_RESTORED + displayName: Restore node_modules cache + + - script: | + set -e + tar -xzf .build/node_modules_cache/cache.tgz + condition: and(succeeded(), eq(variables.NODE_MODULES_RESTORED, 'true')) + displayName: Extract node_modules cache + + - script: | + set -e + npm install -g node-gyp@latest + node-gyp --version + displayName: Update node-gyp + condition: and(succeeded(), ne(variables.NODE_MODULES_RESTORED, 'true')) + + - script: | + set -e + npx https://aka.ms/enablesecurefeed standAlone + timeoutInMinutes: 5 + condition: and(succeeded(), ne(variables.NODE_MODULES_RESTORED, 'true'), eq(variables['ENABLE_TERRAPIN'], 'true')) + displayName: Switch to Terrapin packages + + - script: | + set -e + export npm_config_arch=$(VSCODE_ARCH) + export npm_config_node_gyp=$(which node-gyp) + export SDKROOT=/Applications/Xcode_12.2.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.0.sdk + + for i in {1..3}; do # try 3 times, for Terrapin + yarn --frozen-lockfile && break + if [ 
$i -eq 3 ]; then + echo "Yarn failed too many times" >&2 + exit 1 + fi + echo "Yarn failed $i, trying again..." + done + env: + ELECTRON_SKIP_BINARY_DOWNLOAD: 1 + PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1 + displayName: Install dependencies + condition: and(succeeded(), ne(variables.NODE_MODULES_RESTORED, 'true')) + + - script: | + set -e + node build/azure-pipelines/common/listNodeModules.js .build/node_modules_list.txt + mkdir -p .build/node_modules_cache + tar -czf .build/node_modules_cache/cache.tgz --files-from .build/node_modules_list.txt + condition: and(succeeded(), ne(variables.NODE_MODULES_RESTORED, 'true')) + displayName: Create node_modules archive + + - script: | + set -e + node build/azure-pipelines/mixin + displayName: Mix in quality + + - download: current + artifact: vscode-darwin-$(VSCODE_ARCH) + displayName: Download $(VSCODE_ARCH) artifact + +# hmmmm + - script: | + set -e + cp $(Pipeline.Workspace)/vscode-darwin-$(VSCODE_ARCH)/VSCode-darwin-$(VSCODE_ARCH).zip $(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH).zip + unzip $(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH).zip -d $(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH) + displayName: Unzip + +# hmmmm + - script: | + set -e + security create-keychain -p pwd $(agent.tempdirectory)/buildagent.keychain + security default-keychain -s $(agent.tempdirectory)/buildagent.keychain + security unlock-keychain -p pwd $(agent.tempdirectory)/buildagent.keychain + echo "$(macos-developer-certificate)" | base64 -D > $(agent.tempdirectory)/cert.p12 + security import $(agent.tempdirectory)/cert.p12 -k $(agent.tempdirectory)/buildagent.keychain -P "$(macos-developer-certificate-key)" -T /usr/bin/codesign + security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k pwd $(agent.tempdirectory)/buildagent.keychain + VSCODE_ARCH=$(VSCODE_ARCH) DEBUG=electron-osx-sign* node build/darwin/sign.js + displayName: Set Hardened Entitlements + +#FIX THIS + - script: | + set -e + pushd 
$(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH) && zip -r -X -y $(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH).zip * && popd + displayName: Archive build + + - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1 + inputs: + ConnectedServiceName: "ESRP CodeSign" + FolderPath: "$(agent.builddirectory)" + Pattern: "VSCode-darwin-$(VSCODE_ARCH).zip" + signConfigType: inlineSignParams + inlineOperation: | + [ + { + "keyCode": "CP-401337-Apple", + "operationSetCode": "MacAppDeveloperSign", + "parameters": [ + { + "parameterName": "Hardening", + "parameterValue": "--options=runtime" + } + ], + "toolName": "sign", + "toolVersion": "1.0" + } + ] + SessionTimeout: 60 + displayName: Codesign + +# what is this doing + - script: | + zip -d $(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH).zip "*.pkg" + displayName: Clean + + - script: | + APP_ROOT=$(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH) + APP_NAME="`ls $APP_ROOT | head -n 1`" + BUNDLE_IDENTIFIER=$(node -p "require(\"$APP_ROOT/$APP_NAME/Contents/Resources/app/product.json\").darwinBundleIdentifier") + echo "##vso[task.setvariable variable=BundleIdentifier]$BUNDLE_IDENTIFIER" + displayName: Export bundle identifier + + - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1 + inputs: + ConnectedServiceName: "ESRP CodeSign" + FolderPath: "$(agent.builddirectory)" + Pattern: "VSCode-darwin-$(VSCODE_ARCH).zip" + signConfigType: inlineSignParams + inlineOperation: | + [ + { + "keyCode": "CP-401337-Apple", + "operationSetCode": "MacAppNotarize", + "parameters": [ + { + "parameterName": "BundleId", + "parameterValue": "$(BundleIdentifier)" + } + ], + "toolName": "sign", + "toolVersion": "1.0" + } + ] + SessionTimeout: 60 + displayName: Notarization diff --git a/build/azure-pipelines/darwin/product-build-darwin.yml b/build/azure-pipelines/darwin/product-build-darwin.yml index 439726aa20e91..a67dbbf88ad6b 100644 --- a/build/azure-pipelines/darwin/product-build-darwin.yml 
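Review bot: The `AzureKeyVault@1` step at the top of this new signing template sets no `SecretsFilter`, so as far as the visible inputs show, every secret in the `vscode` vault is loaded into a job that only uses `github-distro-mixin-password`, `macos-developer-certificate` and `macos-developer-certificate-key`; adding `SecretsFilter: "github-distro-mixin-password,macos-developer-certificate,macos-developer-certificate-key"` would keep the storage and DocumentDB keys out of it. The same job runs `npm install -g node-gyp@latest` and `npx https://aka.ms/enablesecurefeed standAlone` with no version or integrity pin before the certificate is imported, so pinning what can be pinned matters more here than in the build job. The decoded `cert.p12` stays in `$(agent.tempdirectory)` for the ESRP tasks that follow; `rm -f $(agent.tempdirectory)/cert.p12` right after `security import` would narrow that. The `# hmmmm`, `#FIX THIS` and `# what is this doing` markers should each be replaced by a sentence saying what the step is for.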
+++ b/build/azure-pipelines/darwin/product-build-darwin.yml 
@@ -167,19 +167,19 @@ steps: displayName: Create Universal App condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'universal')) - - script: | - set -e - security create-keychain -p pwd $(agent.tempdirectory)/buildagent.keychain - security default-keychain -s $(agent.tempdirectory)/buildagent.keychain - security unlock-keychain -p pwd $(agent.tempdirectory)/buildagent.keychain - echo "$(macos-developer-certificate)" | base64 -D > $(agent.tempdirectory)/cert.p12 - security import $(agent.tempdirectory)/cert.p12 -k $(agent.tempdirectory)/buildagent.keychain -P "$(macos-developer-certificate-key)" -T /usr/bin/codesign - security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k pwd $(agent.tempdirectory)/buildagent.keychain - VSCODE_ARCH=x64 DEBUG=electron-osx-sign* node build/darwin/sign.js - VSCODE_ARCH=arm64 DEBUG=electron-osx-sign* node build/darwin/sign.js - VSCODE_ARCH=universal DEBUG=electron-osx-sign* node build/darwin/sign.js - displayName: Set Hardened Entitlements - condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'universal'), ne(variables['VSCODE_PUBLISH'], 'false')) + # - script: | + # set -e + # security create-keychain -p pwd $(agent.tempdirectory)/buildagent.keychain + # security default-keychain -s $(agent.tempdirectory)/buildagent.keychain + # security unlock-keychain -p pwd $(agent.tempdirectory)/buildagent.keychain + # echo "$(macos-developer-certificate)" | base64 -D > $(agent.tempdirectory)/cert.p12 + # security import $(agent.tempdirectory)/cert.p12 -k $(agent.tempdirectory)/buildagent.keychain -P "$(macos-developer-certificate-key)" -T /usr/bin/codesign + # security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k pwd $(agent.tempdirectory)/buildagent.keychain + # VSCODE_ARCH=x64 DEBUG=electron-osx-sign* node build/darwin/sign.js + # VSCODE_ARCH=arm64 DEBUG=electron-osx-sign* node build/darwin/sign.js + # VSCODE_ARCH=universal DEBUG=electron-osx-sign* node build/darwin/sign.js + # displayName: Set Hardened 
Entitlements + # condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'universal'), ne(variables['VSCODE_PUBLISH'], 'false')) - script: | set -e 
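Review bot: The signing step is disabled by prefixing every line with `#` instead of being deleted, and the `@@ -288,118 +288,126 @@` hunk does the same for Codesign, Notarization, both publish scripts and the server archive steps. Commented-out steps that still name the certificate and storage-key variables are easy to re-enable by accident and make it hard to see which template is responsible for signing. Since the signing steps now live in `product-build-darwin-sign.yml`, delete them here and leave one comment such as `# Signing and notarization run in product-build-darwin-sign.yml`.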
@@ -288,118 +288,126 @@ steps: displayName: Archive build condition: and(succeeded(), ne(variables['VSCODE_PUBLISH'], 'false')) - - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1 - inputs: - ConnectedServiceName: "ESRP CodeSign" - FolderPath: "$(agent.builddirectory)" - Pattern: "VSCode-darwin-*.zip" - signConfigType: inlineSignParams - inlineOperation: | - [ - { - "keyCode": "CP-401337-Apple", - "operationSetCode": "MacAppDeveloperSign", - "parameters": [ - { - "parameterName": "Hardening", - "parameterValue": "--options=runtime" - } - ], - "toolName": "sign", - "toolVersion": "1.0" - } - ] - SessionTimeout: 60 - displayName: Codesign - condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'universal'), ne(variables['VSCODE_PUBLISH'], 'false')) - - - script: | - zip -d $(agent.builddirectory)/VSCode-darwin-x64.zip "*.pkg" - zip -d $(agent.builddirectory)/VSCode-darwin-arm64.zip "*.pkg" - zip -d $(agent.builddirectory)/VSCode-darwin-universal.zip "*.pkg" - displayName: Clean - condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'universal'), ne(variables['VSCODE_PUBLISH'], 'false')) - - - script: | - APP_ROOT=$(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH) - APP_NAME="`ls $APP_ROOT | head -n 1`" - BUNDLE_IDENTIFIER=$(node -p "require(\"$APP_ROOT/$APP_NAME/Contents/Resources/app/product.json\").darwinBundleIdentifier") - echo "##vso[task.setvariable variable=BundleIdentifier]$BUNDLE_IDENTIFIER" - displayName: Export bundle identifier - condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'universal'), ne(variables['VSCODE_PUBLISH'], 'false')) - - - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1 - inputs: - ConnectedServiceName: "ESRP CodeSign" - FolderPath: "$(agent.builddirectory)" - Pattern: "VSCode-darwin-*.zip" - signConfigType: inlineSignParams - inlineOperation: | - [ - { - "keyCode": "CP-401337-Apple", - "operationSetCode": "MacAppNotarize", - "parameters": [ - { - "parameterName": "BundleId", - "parameterValue": 
"$(BundleIdentifier)" - } - ], - "toolName": "sign", - "toolVersion": "1.0" - } - ] - SessionTimeout: 60 - displayName: Notarization - condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'universal'), ne(variables['VSCODE_PUBLISH'], 'false')) - - - script: | - set -e - APP_ROOT=$(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH) - APP_NAME="`ls $APP_ROOT | head -n 1`" - "$APP_ROOT/$APP_NAME/Contents/Resources/app/bin/code" --export-default-configuration=.build - displayName: Verify start after signing (export configuration) - condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'universal'), ne(variables['VSCODE_PUBLISH'], 'false')) - - - script: | - set -e - VSCODE_MIXIN_PASSWORD="$(github-distro-mixin-password)" \ - AZURE_DOCUMENTDB_MASTERKEY="$(builds-docdb-key-readwrite)" \ - AZURE_STORAGE_ACCESS_KEY="$(ticino-storage-key)" \ - AZURE_STORAGE_ACCESS_KEY_2="$(vscode-storage-key)" \ - ./build/azure-pipelines/darwin/publish-client.sh - displayName: Publish Clients - condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'universal'), ne(variables['VSCODE_PUBLISH'], 'false')) - - - script: | - set -e - VSCODE_MIXIN_PASSWORD="$(github-distro-mixin-password)" \ - AZURE_DOCUMENTDB_MASTERKEY="$(builds-docdb-key-readwrite)" \ - AZURE_STORAGE_ACCESS_KEY="$(ticino-storage-key)" \ - AZURE_STORAGE_ACCESS_KEY_2="$(vscode-storage-key)" \ - VSCODE_ARCH="$(VSCODE_ARCH)" ./build/azure-pipelines/darwin/publish-server.sh - displayName: Publish Servers - condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'), ne(variables['VSCODE_PUBLISH'], 'false')) + # - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1 + # inputs: + # ConnectedServiceName: "ESRP CodeSign" + # FolderPath: "$(agent.builddirectory)" + # Pattern: "VSCode-darwin-*.zip" + # signConfigType: inlineSignParams + # inlineOperation: | + # [ + # { + # "keyCode": "CP-401337-Apple", + # "operationSetCode": "MacAppDeveloperSign", + # "parameters": [ + # { + # "parameterName": "Hardening", + # 
"parameterValue": "--options=runtime" + # } + # ], + # "toolName": "sign", + # "toolVersion": "1.0" + # } + # ] + # SessionTimeout: 60 + # displayName: Codesign + # condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'universal'), ne(variables['VSCODE_PUBLISH'], 'false')) + + # - script: | + # zip -d $(agent.builddirectory)/VSCode-darwin-x64.zip "*.pkg" + # zip -d $(agent.builddirectory)/VSCode-darwin-arm64.zip "*.pkg" + # zip -d $(agent.builddirectory)/VSCode-darwin-universal.zip "*.pkg" + # displayName: Clean + # condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'universal'), ne(variables['VSCODE_PUBLISH'], 'false')) + + # - script: | + # APP_ROOT=$(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH) + # APP_NAME="`ls $APP_ROOT | head -n 1`" + # BUNDLE_IDENTIFIER=$(node -p "require(\"$APP_ROOT/$APP_NAME/Contents/Resources/app/product.json\").darwinBundleIdentifier") + # echo "##vso[task.setvariable variable=BundleIdentifier]$BUNDLE_IDENTIFIER" + # displayName: Export bundle identifier + # condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'universal'), ne(variables['VSCODE_PUBLISH'], 'false')) + + # - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1 + # inputs: + # ConnectedServiceName: "ESRP CodeSign" + # FolderPath: "$(agent.builddirectory)" + # Pattern: "VSCode-darwin-*.zip" + # signConfigType: inlineSignParams + # inlineOperation: | + # [ + # { + # "keyCode": "CP-401337-Apple", + # "operationSetCode": "MacAppNotarize", + # "parameters": [ + # { + # "parameterName": "BundleId", + # "parameterValue": "$(BundleIdentifier)" + # } + # ], + # "toolName": "sign", + # "toolVersion": "1.0" + # } + # ] + # SessionTimeout: 60 + # displayName: Notarization + # condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'universal'), ne(variables['VSCODE_PUBLISH'], 'false')) + + # - script: | + # set -e + # APP_ROOT=$(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH) + # APP_NAME="`ls $APP_ROOT | head -n 1`" + # 
"$APP_ROOT/$APP_NAME/Contents/Resources/app/bin/code" --export-default-configuration=.build + # displayName: Verify start after signing (export configuration) + # condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'universal'), ne(variables['VSCODE_PUBLISH'], 'false')) + + # - script: | + # set -e + # VSCODE_MIXIN_PASSWORD="$(github-distro-mixin-password)" \ + # AZURE_DOCUMENTDB_MASTERKEY="$(builds-docdb-key-readwrite)" \ + # AZURE_STORAGE_ACCESS_KEY="$(ticino-storage-key)" \ + # AZURE_STORAGE_ACCESS_KEY_2="$(vscode-storage-key)" \ + # node build/azure-pipelines/common/createAsset.js \ + # "darwin-universal" \ + # archive \ + # "VSCode-darwin-universal.zip" \ + # ../VSCode-darwin-universal.zip + # displayName: Publish Clients + # condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'universal'), ne(variables['VSCODE_PUBLISH'], 'false')) + + # - script: | + # set -e + # VSCODE_MIXIN_PASSWORD="$(github-distro-mixin-password)" \ + # AZURE_DOCUMENTDB_MASTERKEY="$(builds-docdb-key-readwrite)" \ + # AZURE_STORAGE_ACCESS_KEY="$(ticino-storage-key)" \ + # AZURE_STORAGE_ACCESS_KEY_2="$(vscode-storage-key)" \ + # VSCODE_ARCH="$(VSCODE_ARCH)" ./build/azure-pipelines/darwin/publish-server.sh + # displayName: Publish Servers + # condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'), ne(variables['VSCODE_PUBLISH'], 'false')) - publish: $(Agent.BuildDirectory)/VSCode-darwin-$(VSCODE_ARCH).zip artifact: vscode-darwin-$(VSCODE_ARCH) displayName: Publish client archive - condition: and(succeeded(), ne(variables['VSCODE_ARCH'], 'universal'), ne(variables['VSCODE_PUBLISH'], 'false')) - - - publish: $(Agent.BuildDirectory)/vscode-server-darwin.zip - artifact: vscode-server-darwin-$(VSCODE_ARCH) - displayName: Publish server archive - condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'), ne(variables['VSCODE_PUBLISH'], 'false')) - - - publish: $(Agent.BuildDirectory)/vscode-server-darwin-web.zip - artifact: vscode-server-darwin-$(VSCODE_ARCH)-web - 
displayName: Publish web server archive - condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'), ne(variables['VSCODE_PUBLISH'], 'false')) + condition: and(succeeded(), ne(variables['VSCODE_PUBLISH'], 'false')) - - script: | - AZURE_STORAGE_ACCESS_KEY="$(ticino-storage-key)" \ - VSCODE_ARCH="$(VSCODE_ARCH)" \ - yarn gulp upload-vscode-configuration - displayName: Upload configuration (for Bing settings search) - condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'universal'), ne(variables['VSCODE_PUBLISH'], 'false')) - continueOnError: true + # - publish: $(Agent.BuildDirectory)/vscode-server-darwin.zip + # artifact: vscode-server-darwin-$(VSCODE_ARCH) + # displayName: Publish server archive + # condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'), ne(variables['VSCODE_PUBLISH'], 'false')) + + # - publish: $(Agent.BuildDirectory)/vscode-server-darwin-web.zip + # artifact: vscode-server-darwin-$(VSCODE_ARCH)-web + # displayName: Publish web server archive + # condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'), ne(variables['VSCODE_PUBLISH'], 'false')) + + # - script: | + # AZURE_STORAGE_ACCESS_KEY="$(ticino-storage-key)" \ + # VSCODE_ARCH="$(VSCODE_ARCH)" \ + # yarn gulp upload-vscode-configuration + # displayName: Upload configuration (for Bing settings search) + # condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'universal'), ne(variables['VSCODE_PUBLISH'], 'false')) + # continueOnError: true + + # - task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0 + # displayName: "Component Detection" + # continueOnError: true diff --git a/build/azure-pipelines/product-build.yml b/build/azure-pipelines/product-build.yml index 42ca74bda54ab..4cb5eed6556fe 100644 --- a/build/azure-pipelines/product-build.yml +++ b/build/azure-pipelines/product-build.yml 
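Review bot: After this hunk nothing visible runs Verify start after signing, Publish Clients, Publish Servers or the two server archive publishes: they are commented out here, and the new `product-build-darwin-sign.yml` ends at its Notarization task. As written, the signed and notarized zip is never launched as a check and never leaves the signing job, while the artifact published by `Publish client archive` is the unsigned build. Add the start check and a `publish:` step for the signed archive to the sign template, under an artifact name that cannot be confused with the unsigned one. If the server publishes are meant to stay in this template, restore them rather than leaving them commented out.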
@@ -254,6 +254,15 @@ stages: VSCODE_ARCH: x64 steps: - template: darwin/product-build-darwin.yml + - ${{ if ne(variables['VSCODE_PUBLISH'], 'false') }}: + - job: macOSSign + dependsOn: + - macOS + timeoutInMinutes: 90 + variables: + VSCODE_ARCH: x64 + steps: + - template: darwin/product-build-darwin-sign.yml - ${{ if and(eq(variables['VSCODE_CIBUILD'], false), eq(parameters.VSCODE_BUILD_MACOS_ARM64, true)) }}: - job: macOSARM64 @@ -262,6 +271,15 @@ stages: VSCODE_ARCH: arm64 steps: - template: darwin/product-build-darwin.yml + - ${{ if ne(variables['VSCODE_PUBLISH'], 'false') }}: + - job: macOSARM64Sign + dependsOn: + - macOSARM64 + timeoutInMinutes: 90 + variables: + VSCODE_ARCH: arm64 + steps: + - template: darwin/product-build-darwin-sign.yml - ${{ if eq(variables['VSCODE_BUILD_MACOS_UNIVERSAL'], true) }}: - job: macOSUniversal @@ -273,6 +291,15 @@ stages: VSCODE_ARCH: universal steps: - template: darwin/product-build-darwin.yml + - ${{ if ne(variables['VSCODE_PUBLISH'], 'false') }}: + - job: macOSUniversalSign + dependsOn: + - macOSUniversal + timeoutInMinutes: 90 + variables: + VSCODE_ARCH: universal + steps: + - template: darwin/product-build-darwin-sign.yml - ${{ if and(eq(variables['VSCODE_PUBLISH'], true), eq(parameters.VSCODE_COMPILE_ONLY, false)) }}: - stage: Mooncake From f3c90df8392ee68679dd1c89ce48ec950efffb33 Mon Sep 17 00:00:00 2001 From: Tyler James Leonhardt Date: Thu, 18 Feb 2021 00:03:00 +0000 Subject: [PATCH 03/21] remove zip --- build/azure-pipelines/darwin/product-build-darwin-sign.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/build/azure-pipelines/darwin/product-build-darwin-sign.yml b/build/azure-pipelines/darwin/product-build-darwin-sign.yml index 507e3bb9d0a23..86e1c5f0b3b55 100644 --- a/build/azure-pipelines/darwin/product-build-darwin-sign.yml +++ b/build/azure-pipelines/darwin/product-build-darwin-sign.yml 
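Review bot: The gate added around `macOSSign`, `${{ if ne(variables['VSCODE_PUBLISH'], 'false') }}`, fails open: the signing job is generated for any value other than the string 'false', including when the variable is not set at all. The Mooncake stage in the trailing context of the last hunk is gated with `eq(variables['VSCODE_PUBLISH'], true)`, which fails closed. Judging by the later patches in this series the sign template reaches the signing service and the publishing keys, so I would use the same positive form here, `- ${{ if eq(variables['VSCODE_PUBLISH'], true) }}:`. The `macOSARM64Sign` and `macOSUniversalSign` hunks use the same gate. Indentation is lost on this page, so I cannot tell whether each sign job is nested under the `if` that creates the job it `dependsOn`; if it is not, the dependency would name a job that does not exist when that flag is off.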
@@ -145,9 +145,9 @@ steps: displayName: Codesign # what is this doing - - script: | - zip -d $(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH).zip "*.pkg" - displayName: Clean + # - script: | + # zip -d $(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH).zip "*.pkg" + # displayName: Clean - script: | APP_ROOT=$(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH) From a47f94724871a129b78a1feb2eb5301a3aa4d5e8 Mon Sep 17 00:00:00 2001 From: Tyler James Leonhardt Date: Thu, 18 Feb 2021 01:18:19 +0000 Subject: [PATCH 04/21] unzip in place --- build/azure-pipelines/darwin/product-build-darwin-sign.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/build/azure-pipelines/darwin/product-build-darwin-sign.yml b/build/azure-pipelines/darwin/product-build-darwin-sign.yml index 86e1c5f0b3b55..881b2526f2aad 100644 --- a/build/azure-pipelines/darwin/product-build-darwin-sign.yml +++ b/build/azure-pipelines/darwin/product-build-darwin-sign.yml @@ -98,8 +98,7 @@ steps: # hmmmm - script: | set -e - cp $(Pipeline.Workspace)/vscode-darwin-$(VSCODE_ARCH)/VSCode-darwin-$(VSCODE_ARCH).zip $(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH).zip - unzip $(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH).zip -d $(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH) + unzip $(Pipeline.Workspace)/vscode-darwin-$(VSCODE_ARCH)/VSCode-darwin-$(VSCODE_ARCH).zip -d $(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH) displayName: Unzip # hmmmm From 7e1ec6a2416887982edfb9c55d699d2f51af34cd Mon Sep 17 00:00:00 2001 From: Tyler James Leonhardt Date: Thu, 18 Feb 2021 01:27:53 +0000 Subject: [PATCH 05/21] logging --- build/azure-pipelines/darwin/product-build-darwin-sign.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/build/azure-pipelines/darwin/product-build-darwin-sign.yml b/build/azure-pipelines/darwin/product-build-darwin-sign.yml index 881b2526f2aad..ed04b24c849b9 100644 --- a/build/azure-pipelines/darwin/product-build-darwin-sign.yml 
+++ b/build/azure-pipelines/darwin/product-build-darwin-sign.yml @@ -147,6 +147,12 @@ steps: # - script: | # zip -d $(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH).zip "*.pkg" # displayName: Clean + - script: | + APP_ROOT=$(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH) + echo "asdf" + ls $APP_ROOT + echo "asdfasdf" + ls $(agent.builddirectory) - script: | APP_ROOT=$(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH) From ec6697b32dfc3f680e0f6a8abaa84ae281d8fc3d Mon Sep 17 00:00:00 2001 From: Tyler James Leonhardt Date: Thu, 18 Feb 2021 03:40:10 +0000 Subject: [PATCH 06/21] log --- .../darwin/product-build-darwin-sign.yml | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/build/azure-pipelines/darwin/product-build-darwin-sign.yml b/build/azure-pipelines/darwin/product-build-darwin-sign.yml index ed04b24c849b9..4db45c522bce9 100644 --- a/build/azure-pipelines/darwin/product-build-darwin-sign.yml +++ b/build/azure-pipelines/darwin/product-build-darwin-sign.yml @@ -119,6 +119,15 @@ steps: pushd $(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH) && zip -r -X -y $(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH).zip * && popd displayName: Archive build + - script: | + echo "workspace" + ls $(Pipeline.Workspace) + APP_ROOT=$(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH) + echo "AppRoot" + ls $APP_ROOT + echo "builddirectory" + ls $(agent.builddirectory) + - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1 inputs: ConnectedServiceName: "ESRP CodeSign" @@ -147,12 +156,6 @@ steps: # - script: | # zip -d $(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH).zip "*.pkg" # displayName: Clean - - script: | - APP_ROOT=$(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH) - echo "asdf" - ls $APP_ROOT - echo "asdfasdf" - ls $(agent.builddirectory) - script: | APP_ROOT=$(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH) From 5025b9cd8d13fbe1b4fd0f02d3781adbe96f6452 Mon Sep 17 00:00:00 2001 
From: Tyler James Leonhardt Date: Thu, 18 Feb 2021 04:07:53 +0000 Subject: [PATCH 07/21] rm zip --- build/azure-pipelines/darwin/product-build-darwin-sign.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/build/azure-pipelines/darwin/product-build-darwin-sign.yml b/build/azure-pipelines/darwin/product-build-darwin-sign.yml index 4db45c522bce9..7f0c9035d129c 100644 --- a/build/azure-pipelines/darwin/product-build-darwin-sign.yml +++ b/build/azure-pipelines/darwin/product-build-darwin-sign.yml @@ -99,6 +99,7 @@ steps: - script: | set -e unzip $(Pipeline.Workspace)/vscode-darwin-$(VSCODE_ARCH)/VSCode-darwin-$(VSCODE_ARCH).zip -d $(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH) + rm $(Pipeline.Workspace)/vscode-darwin-$(VSCODE_ARCH)/VSCode-darwin-$(VSCODE_ARCH).zip displayName: Unzip # hmmmm From 8ac7cde17ce8a1a0cfa3162689feccc93bf8b443 Mon Sep 17 00:00:00 2001 From: Tyler James Leonhardt Date: Thu, 18 Feb 2021 04:50:28 +0000 Subject: [PATCH 08/21] all the things --- .../darwin/product-build-darwin-sign.yml | 53 +++++++++++++++++++ 1 file changed, 53 insertions(+) diff --git a/build/azure-pipelines/darwin/product-build-darwin-sign.yml b/build/azure-pipelines/darwin/product-build-darwin-sign.yml index 7f0c9035d129c..0895f59d0378e 100644 --- a/build/azure-pipelines/darwin/product-build-darwin-sign.yml +++ b/build/azure-pipelines/darwin/product-build-darwin-sign.yml 
@@ -188,3 +188,56 @@ steps: ] SessionTimeout: 60 displayName: Notarization + + - script: | + set -e + APP_ROOT=$(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH) + APP_NAME="`ls $APP_ROOT | head -n 1`" + "$APP_ROOT/$APP_NAME/Contents/Resources/app/bin/code" --export-default-configuration=.build + displayName: Verify start after signing (export configuration) + +# hmm + - script: | + set -e + VSCODE_MIXIN_PASSWORD="$(github-distro-mixin-password)" \ + AZURE_DOCUMENTDB_MASTERKEY="$(builds-docdb-key-readwrite)" \ + AZURE_STORAGE_ACCESS_KEY="$(ticino-storage-key)" \ + AZURE_STORAGE_ACCESS_KEY_2="$(vscode-storage-key)" \ + node build/azure-pipelines/common/createAsset.js \ + "darwin-$(VSCODE_ARCH)" \ + archive \ + "VSCode-darwin-$(VSCODE_ARCH).zip" \ + ../VSCode-darwin-$(VSCODE_ARCH).zip + displayName: Publish Clients + + - script: | + set -e + VSCODE_MIXIN_PASSWORD="$(github-distro-mixin-password)" \ + AZURE_DOCUMENTDB_MASTERKEY="$(builds-docdb-key-readwrite)" \ + AZURE_STORAGE_ACCESS_KEY="$(ticino-storage-key)" \ + AZURE_STORAGE_ACCESS_KEY_2="$(vscode-storage-key)" \ + VSCODE_ARCH="$(VSCODE_ARCH)" ./build/azure-pipelines/darwin/publish-server.sh + displayName: Publish Servers + condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64')) + + - publish: $(Agent.BuildDirectory)/vscode-server-darwin.zip + artifact: vscode-server-darwin-$(VSCODE_ARCH) + displayName: Publish server archive + condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64')) + + - publish: $(Agent.BuildDirectory)/vscode-server-darwin-web.zip + artifact: vscode-server-darwin-$(VSCODE_ARCH)-web + displayName: Publish web server archive + condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64')) + + - script: | + AZURE_STORAGE_ACCESS_KEY="$(ticino-storage-key)" \ + VSCODE_ARCH="$(VSCODE_ARCH)" \ + yarn gulp upload-vscode-configuration + displayName: Upload configuration (for Bing settings search) + condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'universal')) + 
continueOnError: true + + - task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0 + displayName: "Component Detection" + continueOnError: true From cadfbfaa7e559c6209aafaeed1f75e26c7b36b5e Mon Sep 17 00:00:00 2001 From: Tyler James Leonhardt Date: Thu, 18 Feb 2021 05:53:19 +0000 Subject: [PATCH 09/21] remove thing to trigger another build --- build/azure-pipelines/darwin/product-build-darwin-sign.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/build/azure-pipelines/darwin/product-build-darwin-sign.yml b/build/azure-pipelines/darwin/product-build-darwin-sign.yml index 0895f59d0378e..9b6d1bc5a91fa 100644 --- a/build/azure-pipelines/darwin/product-build-darwin-sign.yml +++ b/build/azure-pipelines/darwin/product-build-darwin-sign.yml @@ -196,7 +196,6 @@ steps: "$APP_ROOT/$APP_NAME/Contents/Resources/app/bin/code" --export-default-configuration=.build displayName: Verify start after signing (export configuration) -# hmm - script: | set -e VSCODE_MIXIN_PASSWORD="$(github-distro-mixin-password)" \ From 6314428be53d23db087b2157a522cc7e079700bc Mon Sep 17 00:00:00 2001 From: Tyler James Leonhardt Date: Thu, 18 Feb 2021 17:39:13 +0000 Subject: [PATCH 10/21] publish server for x64 only and only start on non-arm --- .../darwin/product-build-darwin-sign.yml | 21 +----------- .../darwin/product-build-darwin.yml | 34 +++++++++---------- 2 files changed, 18 insertions(+), 37 deletions(-) diff --git a/build/azure-pipelines/darwin/product-build-darwin-sign.yml b/build/azure-pipelines/darwin/product-build-darwin-sign.yml index 9b6d1bc5a91fa..f79052642870f 100644 --- a/build/azure-pipelines/darwin/product-build-darwin-sign.yml +++ b/build/azure-pipelines/darwin/product-build-darwin-sign.yml 
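Review bot: The Publish Clients step passes its four secrets by writing `$(github-distro-mixin-password)` and the storage and DocumentDB keys straight into the script text as `VAR="$(secret)"` prefixes. Macro variables are substituted before bash sees the script, so each value ends up in the generated script file on the agent and is parsed as shell source; a key containing a quote, `$` or a backtick would change the command. Mapping them through the step's `env:` block keeps them out of the script body. The Publish Servers and Upload configuration steps in this hunk, and the Publish Servers step re-enabled in product-build-darwin.yml by PATCH 10/21, have the same shape.

```yaml
  - script: |
      set -e
      # … unchanged: node build/azure-pipelines/common/createAsset.js call, minus the inline assignments …
    env:
      VSCODE_MIXIN_PASSWORD: $(github-distro-mixin-password)
      AZURE_DOCUMENTDB_MASTERKEY: $(builds-docdb-key-readwrite)
      AZURE_STORAGE_ACCESS_KEY: $(ticino-storage-key)
      AZURE_STORAGE_ACCESS_KEY_2: $(vscode-storage-key)
    displayName: Publish Clients
```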
@@ -195,6 +195,7 @@ steps: APP_NAME="`ls $APP_ROOT | head -n 1`" "$APP_ROOT/$APP_NAME/Contents/Resources/app/bin/code" --export-default-configuration=.build displayName: Verify start after signing (export configuration) + condition: and(succeeded(), ne(variables['VSCODE_ARCH'], 'arm64')) - script: | set -e @@ -209,26 +210,6 @@ steps: ../VSCode-darwin-$(VSCODE_ARCH).zip displayName: Publish Clients - - script: | - set -e - VSCODE_MIXIN_PASSWORD="$(github-distro-mixin-password)" \ - AZURE_DOCUMENTDB_MASTERKEY="$(builds-docdb-key-readwrite)" \ - AZURE_STORAGE_ACCESS_KEY="$(ticino-storage-key)" \ - AZURE_STORAGE_ACCESS_KEY_2="$(vscode-storage-key)" \ - VSCODE_ARCH="$(VSCODE_ARCH)" ./build/azure-pipelines/darwin/publish-server.sh - displayName: Publish Servers - condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64')) - - - publish: $(Agent.BuildDirectory)/vscode-server-darwin.zip - artifact: vscode-server-darwin-$(VSCODE_ARCH) - displayName: Publish server archive - condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64')) - - - publish: $(Agent.BuildDirectory)/vscode-server-darwin-web.zip - artifact: vscode-server-darwin-$(VSCODE_ARCH)-web - displayName: Publish web server archive - condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64')) - - script: | AZURE_STORAGE_ACCESS_KEY="$(ticino-storage-key)" \ VSCODE_ARCH="$(VSCODE_ARCH)" \ diff --git a/build/azure-pipelines/darwin/product-build-darwin.yml b/build/azure-pipelines/darwin/product-build-darwin.yml index a67dbbf88ad6b..53c3ae453b4f6 100644 --- a/build/azure-pipelines/darwin/product-build-darwin.yml +++ b/build/azure-pipelines/darwin/product-build-darwin.yml 
@@ -375,30 +375,30 @@ steps: # displayName: Publish Clients # condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'universal'), ne(variables['VSCODE_PUBLISH'], 'false')) - # - script: | - # set -e - # VSCODE_MIXIN_PASSWORD="$(github-distro-mixin-password)" \ - # AZURE_DOCUMENTDB_MASTERKEY="$(builds-docdb-key-readwrite)" \ - # AZURE_STORAGE_ACCESS_KEY="$(ticino-storage-key)" \ - # AZURE_STORAGE_ACCESS_KEY_2="$(vscode-storage-key)" \ - # VSCODE_ARCH="$(VSCODE_ARCH)" ./build/azure-pipelines/darwin/publish-server.sh - # displayName: Publish Servers - # condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'), ne(variables['VSCODE_PUBLISH'], 'false')) + - script: | + set -e + VSCODE_MIXIN_PASSWORD="$(github-distro-mixin-password)" \ + AZURE_DOCUMENTDB_MASTERKEY="$(builds-docdb-key-readwrite)" \ + AZURE_STORAGE_ACCESS_KEY="$(ticino-storage-key)" \ + AZURE_STORAGE_ACCESS_KEY_2="$(vscode-storage-key)" \ + VSCODE_ARCH="$(VSCODE_ARCH)" ./build/azure-pipelines/darwin/publish-server.sh + displayName: Publish Servers + condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'), ne(variables['VSCODE_PUBLISH'], 'false')) - publish: $(Agent.BuildDirectory)/VSCode-darwin-$(VSCODE_ARCH).zip artifact: vscode-darwin-$(VSCODE_ARCH) displayName: Publish client archive condition: and(succeeded(), ne(variables['VSCODE_PUBLISH'], 'false')) - # - publish: $(Agent.BuildDirectory)/vscode-server-darwin.zip - # artifact: vscode-server-darwin-$(VSCODE_ARCH) - # displayName: Publish server archive - # condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'), ne(variables['VSCODE_PUBLISH'], 'false')) + - publish: $(Agent.BuildDirectory)/vscode-server-darwin.zip + artifact: vscode-server-darwin-$(VSCODE_ARCH) + displayName: Publish server archive + condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'), ne(variables['VSCODE_PUBLISH'], 'false')) - # - publish: $(Agent.BuildDirectory)/vscode-server-darwin-web.zip - # artifact: vscode-server-darwin-$(VSCODE_ARCH)-web - 
# displayName: Publish web server archive - # condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'), ne(variables['VSCODE_PUBLISH'], 'false')) + - publish: $(Agent.BuildDirectory)/vscode-server-darwin-web.zip + artifact: vscode-server-darwin-$(VSCODE_ARCH)-web + displayName: Publish web server archive + condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'), ne(variables['VSCODE_PUBLISH'], 'false')) # - script: | # AZURE_STORAGE_ACCESS_KEY="$(ticino-storage-key)" \ From 941493676a171ed988f1a629ea86a75f277c023c Mon Sep 17 00:00:00 2001 From: Tyler James Leonhardt Date: Thu, 18 Feb 2021 18:40:17 +0000 Subject: [PATCH 11/21] delete commented out code --- .../darwin/product-build-darwin-sign.yml | 17 --- .../darwin/product-build-darwin.yml | 113 ------------------ 2 files changed, 130 deletions(-) diff --git a/build/azure-pipelines/darwin/product-build-darwin-sign.yml b/build/azure-pipelines/darwin/product-build-darwin-sign.yml index f79052642870f..1b98d4be5719e 100644 --- a/build/azure-pipelines/darwin/product-build-darwin-sign.yml +++ b/build/azure-pipelines/darwin/product-build-darwin-sign.yml @@ -95,14 +95,12 @@ steps: artifact: vscode-darwin-$(VSCODE_ARCH) displayName: Download $(VSCODE_ARCH) artifact -# hmmmm - script: | set -e unzip $(Pipeline.Workspace)/vscode-darwin-$(VSCODE_ARCH)/VSCode-darwin-$(VSCODE_ARCH).zip -d $(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH) rm $(Pipeline.Workspace)/vscode-darwin-$(VSCODE_ARCH)/VSCode-darwin-$(VSCODE_ARCH).zip displayName: Unzip -# hmmmm - script: | set -e security create-keychain -p pwd $(agent.tempdirectory)/buildagent.keychain 
@@ -114,21 +112,11 @@ steps: VSCODE_ARCH=$(VSCODE_ARCH) DEBUG=electron-osx-sign* node build/darwin/sign.js displayName: Set Hardened Entitlements -#FIX THIS - script: | set -e pushd $(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH) && zip -r -X -y $(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH).zip * && popd displayName: Archive build - - script: | - echo "workspace" - ls $(Pipeline.Workspace) - APP_ROOT=$(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH) - echo "AppRoot" - ls $APP_ROOT - echo "builddirectory" - ls $(agent.builddirectory) - - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1 inputs: ConnectedServiceName: "ESRP CodeSign" @@ -153,11 +141,6 @@ steps: SessionTimeout: 60 displayName: Codesign -# what is this doing - # - script: | - # zip -d $(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH).zip "*.pkg" - # displayName: Clean - - script: | APP_ROOT=$(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH) APP_NAME="`ls $APP_ROOT | head -n 1`" diff --git a/build/azure-pipelines/darwin/product-build-darwin.yml b/build/azure-pipelines/darwin/product-build-darwin.yml index 53c3ae453b4f6..db5f005e51f63 100644 --- a/build/azure-pipelines/darwin/product-build-darwin.yml +++ b/build/azure-pipelines/darwin/product-build-darwin.yml 
@@ -167,20 +167,6 @@ steps: displayName: Create Universal App condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'universal')) - # - script: | - # set -e - # security create-keychain -p pwd $(agent.tempdirectory)/buildagent.keychain - # security default-keychain -s $(agent.tempdirectory)/buildagent.keychain - # security unlock-keychain -p pwd $(agent.tempdirectory)/buildagent.keychain - # echo "$(macos-developer-certificate)" | base64 -D > $(agent.tempdirectory)/cert.p12 - # security import $(agent.tempdirectory)/cert.p12 -k $(agent.tempdirectory)/buildagent.keychain -P "$(macos-developer-certificate-key)" -T /usr/bin/codesign - # security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k pwd $(agent.tempdirectory)/buildagent.keychain - # VSCODE_ARCH=x64 DEBUG=electron-osx-sign* node build/darwin/sign.js - # VSCODE_ARCH=arm64 DEBUG=electron-osx-sign* node build/darwin/sign.js - # VSCODE_ARCH=universal DEBUG=electron-osx-sign* node build/darwin/sign.js - # displayName: Set Hardened Entitlements - # condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'universal'), ne(variables['VSCODE_PUBLISH'], 'false')) - - script: | set -e ./scripts/test.sh --build --tfs "Unit Tests" 
@@ -288,93 +274,6 @@ steps: displayName: Archive build condition: and(succeeded(), ne(variables['VSCODE_PUBLISH'], 'false')) - # - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1 - # inputs: - # ConnectedServiceName: "ESRP CodeSign" - # FolderPath: "$(agent.builddirectory)" - # Pattern: "VSCode-darwin-*.zip" - # signConfigType: inlineSignParams - # inlineOperation: | - # [ - # { - # "keyCode": "CP-401337-Apple", - # "operationSetCode": "MacAppDeveloperSign", - # "parameters": [ - # { - # "parameterName": "Hardening", - # "parameterValue": "--options=runtime" - # } - # ], - # "toolName": "sign", - # "toolVersion": "1.0" - # } - # ] - # SessionTimeout: 60 - # displayName: Codesign - # condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'universal'), ne(variables['VSCODE_PUBLISH'], 'false')) - - # - script: | - # zip -d $(agent.builddirectory)/VSCode-darwin-x64.zip "*.pkg" - # zip -d $(agent.builddirectory)/VSCode-darwin-arm64.zip "*.pkg" - # zip -d $(agent.builddirectory)/VSCode-darwin-universal.zip "*.pkg" - # displayName: Clean - # condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'universal'), ne(variables['VSCODE_PUBLISH'], 'false')) - - # - script: | - # APP_ROOT=$(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH) - # APP_NAME="`ls $APP_ROOT | head -n 1`" - # BUNDLE_IDENTIFIER=$(node -p "require(\"$APP_ROOT/$APP_NAME/Contents/Resources/app/product.json\").darwinBundleIdentifier") - # echo "##vso[task.setvariable variable=BundleIdentifier]$BUNDLE_IDENTIFIER" - # displayName: Export bundle identifier - # condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'universal'), ne(variables['VSCODE_PUBLISH'], 'false')) - - # - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1 - # inputs: - # ConnectedServiceName: "ESRP CodeSign" - # FolderPath: "$(agent.builddirectory)" - # Pattern: "VSCode-darwin-*.zip" - # signConfigType: inlineSignParams - # inlineOperation: | - # [ - # { - # "keyCode": "CP-401337-Apple", - # "operationSetCode": 
"MacAppNotarize", - # "parameters": [ - # { - # "parameterName": "BundleId", - # "parameterValue": "$(BundleIdentifier)" - # } - # ], - # "toolName": "sign", - # "toolVersion": "1.0" - # } - # ] - # SessionTimeout: 60 - # displayName: Notarization - # condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'universal'), ne(variables['VSCODE_PUBLISH'], 'false')) - - # - script: | - # set -e - # APP_ROOT=$(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH) - # APP_NAME="`ls $APP_ROOT | head -n 1`" - # "$APP_ROOT/$APP_NAME/Contents/Resources/app/bin/code" --export-default-configuration=.build - # displayName: Verify start after signing (export configuration) - # condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'universal'), ne(variables['VSCODE_PUBLISH'], 'false')) - - # - script: | - # set -e - # VSCODE_MIXIN_PASSWORD="$(github-distro-mixin-password)" \ - # AZURE_DOCUMENTDB_MASTERKEY="$(builds-docdb-key-readwrite)" \ - # AZURE_STORAGE_ACCESS_KEY="$(ticino-storage-key)" \ - # AZURE_STORAGE_ACCESS_KEY_2="$(vscode-storage-key)" \ - # node build/azure-pipelines/common/createAsset.js \ - # "darwin-universal" \ - # archive \ - # "VSCode-darwin-universal.zip" \ - # ../VSCode-darwin-universal.zip - # displayName: Publish Clients - # condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'universal'), ne(variables['VSCODE_PUBLISH'], 'false')) - - script: | set -e VSCODE_MIXIN_PASSWORD="$(github-distro-mixin-password)" \ 
@@ -399,15 +298,3 @@ steps: artifact: vscode-server-darwin-$(VSCODE_ARCH)-web displayName: Publish web server archive condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'), ne(variables['VSCODE_PUBLISH'], 'false')) - - # - script: | - # AZURE_STORAGE_ACCESS_KEY="$(ticino-storage-key)" \ - # VSCODE_ARCH="$(VSCODE_ARCH)" \ - # yarn gulp upload-vscode-configuration - # displayName: Upload configuration (for Bing settings search) - # condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'universal'), ne(variables['VSCODE_PUBLISH'], 'false')) - # continueOnError: true - - # - task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0 - # displayName: "Component Detection" - # continueOnError: true From 4994f8a2b616850968053a186e11ca5a32fba1ca Mon Sep 17 00:00:00 2001 From: Tyler James Leonhardt Date: Thu, 18 Feb 2021 20:48:38 +0000 Subject: [PATCH 12/21] remove unused sh script --- .../azure-pipelines/darwin/publish-client.sh | 23 ------------------- 1 file changed, 23 deletions(-) delete mode 100755 build/azure-pipelines/darwin/publish-client.sh diff --git a/build/azure-pipelines/darwin/publish-client.sh b/build/azure-pipelines/darwin/publish-client.sh deleted file mode 100755 index 7159f824ceaa6..0000000000000 --- a/build/azure-pipelines/darwin/publish-client.sh +++ /dev/null @@ -1,23 +0,0 @@ -#!/usr/bin/env bash -set -e - -# publish the x64 build -node build/azure-pipelines/common/createAsset.js \ - "darwin" \ - archive \ - "VSCode-darwin.zip" \ - ../VSCode-darwin-x64.zip - -# publish the arm64 build -node build/azure-pipelines/common/createAsset.js \ - "darwin-arm64" \ - archive \ - "VSCode-darwin-arm64.zip" \ - ../VSCode-darwin-arm64.zip - -# publish the universal build -node build/azure-pipelines/common/createAsset.js \ - "darwin-universal" \ - archive \ - "VSCode-darwin-universal.zip" \ - ../VSCode-darwin-universal.zip From f5a73abc1853746801e54b0128360ec6109b4d3c Mon Sep 17 00:00:00 2001 
From: Tyler James Leonhardt Date: Thu, 18 Feb 2021 23:15:23 +0000 Subject: [PATCH 13/21] address main changes --- build/azure-pipelines/darwin/product-build-darwin-sign.yml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/build/azure-pipelines/darwin/product-build-darwin-sign.yml b/build/azure-pipelines/darwin/product-build-darwin-sign.yml index 1b98d4be5719e..db1f2c628bc72 100644 --- a/build/azure-pipelines/darwin/product-build-darwin-sign.yml +++ b/build/azure-pipelines/darwin/product-build-darwin-sign.yml @@ -198,9 +198,5 @@ steps: VSCODE_ARCH="$(VSCODE_ARCH)" \ yarn gulp upload-vscode-configuration displayName: Upload configuration (for Bing settings search) - condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'universal')) - continueOnError: true - - - task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0 - displayName: "Component Detection" + condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64')) continueOnError: true From fc1f74afa6f5d077c7285260d70906eff86d1a17 Mon Sep 17 00:00:00 2001 From: Tyler James Leonhardt Date: Fri, 19 Feb 2021 01:28:22 +0000 Subject: [PATCH 14/21] address feedback --- .../darwin/product-build-darwin-sign.yml | 22 ++++++++----------- .../darwin/product-build-darwin.yml | 11 ++++++++++ 2 files changed, 20 insertions(+), 13 deletions(-) diff --git a/build/azure-pipelines/darwin/product-build-darwin-sign.yml b/build/azure-pipelines/darwin/product-build-darwin-sign.yml index db1f2c628bc72..7e11873e682ef 100644 --- a/build/azure-pipelines/darwin/product-build-darwin-sign.yml +++ b/build/azure-pipelines/darwin/product-build-darwin-sign.yml 
@@ -101,17 +101,6 @@ steps: rm $(Pipeline.Workspace)/vscode-darwin-$(VSCODE_ARCH)/VSCode-darwin-$(VSCODE_ARCH).zip displayName: Unzip - - script: | - set -e - security create-keychain -p pwd $(agent.tempdirectory)/buildagent.keychain - security default-keychain -s $(agent.tempdirectory)/buildagent.keychain - security unlock-keychain -p pwd $(agent.tempdirectory)/buildagent.keychain - echo "$(macos-developer-certificate)" | base64 -D > $(agent.tempdirectory)/cert.p12 - security import $(agent.tempdirectory)/cert.p12 -k $(agent.tempdirectory)/buildagent.keychain -P "$(macos-developer-certificate-key)" -T /usr/bin/codesign - security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k pwd $(agent.tempdirectory)/buildagent.keychain - VSCODE_ARCH=$(VSCODE_ARCH) DEBUG=electron-osx-sign* node build/darwin/sign.js - displayName: Set Hardened Entitlements - - script: | set -e pushd $(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH) && zip -r -X -y $(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH).zip * && popd @@ -182,14 +171,21 @@ steps: - script: | set -e + + case $VSCODE_ARCH in + x64) ASSET_ID="darwin" ;; + arm64) ASSET_ID="darwin-arm64" ;; + universal) ASSET_ID="darwin-universal" ;; + esac + VSCODE_MIXIN_PASSWORD="$(github-distro-mixin-password)" \ AZURE_DOCUMENTDB_MASTERKEY="$(builds-docdb-key-readwrite)" \ AZURE_STORAGE_ACCESS_KEY="$(ticino-storage-key)" \ AZURE_STORAGE_ACCESS_KEY_2="$(vscode-storage-key)" \ node build/azure-pipelines/common/createAsset.js \ - "darwin-$(VSCODE_ARCH)" \ + "$ASSET_ID" \ archive \ - "VSCode-darwin-$(VSCODE_ARCH).zip" \ + "VSCode-$ASSET_ID.zip" \ ../VSCode-darwin-$(VSCODE_ARCH).zip displayName: Publish Clients diff --git a/build/azure-pipelines/darwin/product-build-darwin.yml b/build/azure-pipelines/darwin/product-build-darwin.yml index db5f005e51f63..5f15dddec5621 100644 --- a/build/azure-pipelines/darwin/product-build-darwin.yml +++ b/build/azure-pipelines/darwin/product-build-darwin.yml 
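Review bot: The `case $VSCODE_ARCH in` block added to the Publish Clients script has no default branch, so any value other than x64, arm64 or universal leaves `ASSET_ID` empty and createAsset.js is still called, with an empty asset id and the name `VSCode-.zip`. Whether createAsset.js rejects that is not visible here, so I would fail in the script itself by adding `*) echo "Unsupported VSCODE_ARCH: $VSCODE_ARCH" >&2; exit 1 ;;` before `esac`. Quoting the subject, `case "$VSCODE_ARCH" in`, would also match the quoting used in the rest of the step.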
@@ -167,6 +167,17 @@ steps: displayName: Create Universal App condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'universal')) + - script: | + set -e + security create-keychain -p pwd $(agent.tempdirectory)/buildagent.keychain + security default-keychain -s $(agent.tempdirectory)/buildagent.keychain + security unlock-keychain -p pwd $(agent.tempdirectory)/buildagent.keychain + echo "$(macos-developer-certificate)" | base64 -D > $(agent.tempdirectory)/cert.p12 + security import $(agent.tempdirectory)/cert.p12 -k $(agent.tempdirectory)/buildagent.keychain -P "$(macos-developer-certificate-key)" -T /usr/bin/codesign + security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k pwd $(agent.tempdirectory)/buildagent.keychain + VSCODE_ARCH=$(VSCODE_ARCH) DEBUG=electron-osx-sign* node build/darwin/sign.js + displayName: Set Hardened Entitlements + - script: | set -e ./scripts/test.sh --build --tfs "Unit Tests" From 915a7e542395038ea30d41d063eca91eb233f32d Mon Sep 17 00:00:00 2001 From: Tyler James Leonhardt Date: Fri, 19 Feb 2021 19:15:39 +0000 Subject: [PATCH 15/21] add a comment --- build/azure-pipelines/darwin/product-build-darwin-sign.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/build/azure-pipelines/darwin/product-build-darwin-sign.yml b/build/azure-pipelines/darwin/product-build-darwin-sign.yml index 7e11873e682ef..57ad043bf817f 100644 --- a/build/azure-pipelines/darwin/product-build-darwin-sign.yml +++ b/build/azure-pipelines/darwin/product-build-darwin-sign.yml @@ -172,6 +172,7 @@ steps: - script: | set -e + # For legacy purposes, arch for x64 is just 'darwin' case $VSCODE_ARCH in x64) ASSET_ID="darwin" ;; arm64) ASSET_ID="darwin-arm64" ;; From 4f3e209e82067682db7adee5b99050d981ef8d69 Mon Sep 17 00:00:00 2001 From: Tyler James Leonhardt Date: Tue, 23 Feb 2021 00:22:40 +0000 Subject: [PATCH 16/21] try slimming down yarn --- .../darwin/product-build-darwin-sign.yml | 60 +------------------ 1 file changed, 2 insertions(+), 58 deletions(-) 
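Review bot: This step puts the macOS developer certificate back into the build job: `$(macos-developer-certificate)` is decoded to `$(agent.tempdirectory)/cert.p12` and imported into a keychain whose password is the literal `pwd`, and the decoded file is never removed. The step has no `condition:`, whereas the commented-out copy that PATCH 11/21 deleted from this file ran only when `VSCODE_PUBLISH` was not 'false', and the context line after the hunk shows the unit tests running in the same job. I would add `condition: and(succeeded(), ne(variables['VSCODE_PUBLISH'], 'false'))` and, after the `security import` line, `rm -f $(agent.tempdirectory)/cert.p12`. If sign.js needs the .p12 file itself rather than the keychain identity, which this page does not show, the `rm` belongs at the end of the script instead.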
diff --git a/build/azure-pipelines/darwin/product-build-darwin-sign.yml b/build/azure-pipelines/darwin/product-build-darwin-sign.yml index 57ad043bf817f..b573cea9a7394 100644 --- a/build/azure-pipelines/darwin/product-build-darwin-sign.yml +++ b/build/azure-pipelines/darwin/product-build-darwin-sign.yml 
@@ -27,64 +27,8 @@ steps: displayName: Merge distro - script: | - mkdir -p .build - node build/azure-pipelines/common/computeNodeModulesCacheKey.js $VSCODE_ARCH $ENABLE_TERRAPIN > .build/yarnlockhash - displayName: Prepare yarn cache flags - - - task: Cache@2 - inputs: - key: 'nodeModules | $(Agent.OS) | .build/yarnlockhash' - path: .build/node_modules_cache - cacheHitVar: NODE_MODULES_RESTORED - displayName: Restore node_modules cache - - - script: | - set -e - tar -xzf .build/node_modules_cache/cache.tgz - condition: and(succeeded(), eq(variables.NODE_MODULES_RESTORED, 'true')) - displayName: Extract node_modules cache - - - script: | - set -e - npm install -g node-gyp@latest - node-gyp --version - displayName: Update node-gyp - condition: and(succeeded(), ne(variables.NODE_MODULES_RESTORED, 'true')) - - - script: | - set -e - npx https://aka.ms/enablesecurefeed standAlone - timeoutInMinutes: 5 - condition: and(succeeded(), ne(variables.NODE_MODULES_RESTORED, 'true'), eq(variables['ENABLE_TERRAPIN'], 'true')) - displayName: Switch to Terrapin packages - - - script: | - set -e - export npm_config_arch=$(VSCODE_ARCH) - export npm_config_node_gyp=$(which node-gyp) - export SDKROOT=/Applications/Xcode_12.2.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.0.sdk - - for i in {1..3}; do # try 3 times, for Terrapin - yarn --frozen-lockfile && break - if [ $i -eq 3 ]; then - echo "Yarn failed too many times" >&2 - exit 1 - fi - echo "Yarn failed $i, trying again..." 
- done - env: - ELECTRON_SKIP_BINARY_DOWNLOAD: 1 - PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1 - displayName: Install dependencies - condition: and(succeeded(), ne(variables.NODE_MODULES_RESTORED, 'true')) - - - script: | - set -e - node build/azure-pipelines/common/listNodeModules.js .build/node_modules_list.txt - mkdir -p .build/node_modules_cache - tar -czf .build/node_modules_cache/cache.tgz --files-from .build/node_modules_list.txt - condition: and(succeeded(), ne(variables.NODE_MODULES_RESTORED, 'true')) - displayName: Create node_modules archive + pushd build && yarn && yarn compile && popd + displayName: Restore modules for just build folder and compile it - script: | set -e From d202097c80d46cdab6c1710ec70722c381e8bda5 Mon Sep 17 00:00:00 2001 From: Tyler James Leonhardt Date: Tue, 23 Feb 2021 02:13:58 +0000 Subject: [PATCH 17/21] only compile createAsset --- .../darwin/product-build-darwin-sign.yml | 24 +++---------------- .../darwin/product-build-darwin.yml | 8 +++++++ 2 files changed, 11 insertions(+), 21 deletions(-) diff --git a/build/azure-pipelines/darwin/product-build-darwin-sign.yml b/build/azure-pipelines/darwin/product-build-darwin-sign.yml index b573cea9a7394..1091c22be6dec 100644 --- a/build/azure-pipelines/darwin/product-build-darwin-sign.yml +++ b/build/azure-pipelines/darwin/product-build-darwin-sign.yml @@ -27,14 +27,9 @@ steps: displayName: Merge distro - script: | - pushd build && yarn && yarn compile && popd + pushd build && yarn && tsc azure-pipelines/common/createAsset.ts && popd displayName: Restore modules for just build folder and compile it - - script: | - set -e - node build/azure-pipelines/mixin - displayName: Mix in quality - - download: current artifact: vscode-darwin-$(VSCODE_ARCH) displayName: Download $(VSCODE_ARCH) artifact 
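Review bot: The new one-line install, `pushd build && yarn && yarn compile && popd`, no longer passes `--frozen-lockfile`, which the removed Install dependencies step did, and the conditional Terrapin feed switch is removed with it. Without that flag yarn updates the lockfile instead of failing when it is out of step with package.json, so the signing job can install dependency versions nobody reviewed. I would keep the install strict, `pushd build && yarn --frozen-lockfile && yarn compile && popd`. The bare `yarn` is carried into the PATCH 17/21 hunk that follows and into the PATCH 18/21 hunk of the same file.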
@@ -42,13 +37,8 @@ steps: - script: | set -e unzip $(Pipeline.Workspace)/vscode-darwin-$(VSCODE_ARCH)/VSCode-darwin-$(VSCODE_ARCH).zip -d $(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH) - rm $(Pipeline.Workspace)/vscode-darwin-$(VSCODE_ARCH)/VSCode-darwin-$(VSCODE_ARCH).zip - displayName: Unzip - - - script: | - set -e - pushd $(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH) && zip -r -X -y $(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH).zip * && popd - displayName: Archive build + mv $(Pipeline.Workspace)/vscode-darwin-$(VSCODE_ARCH)/VSCode-darwin-$(VSCODE_ARCH).zip $(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH)/VSCode-darwin-$(VSCODE_ARCH).zip + displayName: Unzip & move - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1 inputs: @@ -133,11 +123,3 @@ steps: "VSCode-$ASSET_ID.zip" \ ../VSCode-darwin-$(VSCODE_ARCH).zip displayName: Publish Clients - - - script: | - AZURE_STORAGE_ACCESS_KEY="$(ticino-storage-key)" \ - VSCODE_ARCH="$(VSCODE_ARCH)" \ - yarn gulp upload-vscode-configuration - displayName: Upload configuration (for Bing settings search) - condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64')) - continueOnError: true diff --git a/build/azure-pipelines/darwin/product-build-darwin.yml b/build/azure-pipelines/darwin/product-build-darwin.yml index 5f15dddec5621..622b311aa542d 100644 --- a/build/azure-pipelines/darwin/product-build-darwin.yml +++ b/build/azure-pipelines/darwin/product-build-darwin.yml @@ -309,3 +309,11 @@ steps: artifact: vscode-server-darwin-$(VSCODE_ARCH)-web displayName: Publish web server archive condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'), ne(variables['VSCODE_PUBLISH'], 'false')) + + - script: | + AZURE_STORAGE_ACCESS_KEY="$(ticino-storage-key)" \ + VSCODE_ARCH="$(VSCODE_ARCH)" \ + yarn gulp upload-vscode-configuration + displayName: Upload configuration (for Bing settings search) + condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'universal')) + continueOnError: true 
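Review bot: The added `mv` places the downloaded archive inside the directory that `unzip` has just populated (`$(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH)/VSCode-darwin-$(VSCODE_ARCH).zip`). The Publish Clients step further down this file reads `../VSCode-darwin-$(VSCODE_ARCH).zip`, which suggests the later steps expect the archive beside the extracted tree, not in it. The destination should be `$(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH).zip`; PATCH 19/21 makes that correction, and folding it into this commit would keep every commit in the series buildable. The paths are also unquoted, so quoting each `$(…)` path would protect against an agent directory that contains a space.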
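Review bot: In the upload step added to `product-build-darwin.yml`, the storage key is spliced into the script text with `AZURE_STORAGE_ACCESS_KEY="$(ticino-storage-key)"`. Macro expansion happens before bash runs, so the key's value is written into the generated script, and any quote or `$` in it would be interpreted by the shell. Mapping it through the step's environment avoids both: add an `env:` block with `AZURE_STORAGE_ACCESS_KEY: $(ticino-storage-key)` and drop the inline assignment. The step has no `set -e` and sets `continueOnError: true`, so a one-line comment such as `# Best-effort upload; a failure here must not fail the build` would make that intent explicit.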
From 373eba2998305c5d6061691ee8cf88c93b23ed6f Mon Sep 17 00:00:00 2001 From: Tyler James Leonhardt Date: Tue, 23 Feb 2021 02:39:12 +0000 Subject: [PATCH 18/21] install typescript --- build/azure-pipelines/darwin/product-build-darwin-sign.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/build/azure-pipelines/darwin/product-build-darwin-sign.yml b/build/azure-pipelines/darwin/product-build-darwin-sign.yml index 1091c22be6dec..ccde8745de541 100644 --- a/build/azure-pipelines/darwin/product-build-darwin-sign.yml +++ b/build/azure-pipelines/darwin/product-build-darwin-sign.yml @@ -27,7 +27,11 @@ steps: displayName: Merge distro - script: | - pushd build && yarn && tsc azure-pipelines/common/createAsset.ts && popd + pushd build \ + && yarn \ + && npm install -g typescript \ + && tsc azure-pipelines/common/createAsset.ts \ + && popd displayName: Restore modules for just build folder and compile it - download: current From cbfb62a9d54f2e57cbfcb43b4d01eeb646b85d4c Mon Sep 17 00:00:00 2001 From: Tyler James Leonhardt Date: Tue, 23 Feb 2021 03:19:05 +0000 Subject: [PATCH 19/21] move build to correct location --- build/azure-pipelines/darwin/product-build-darwin-sign.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/azure-pipelines/darwin/product-build-darwin-sign.yml b/build/azure-pipelines/darwin/product-build-darwin-sign.yml index ccde8745de541..b978cf57c6491 100644 --- a/build/azure-pipelines/darwin/product-build-darwin-sign.yml +++ b/build/azure-pipelines/darwin/product-build-darwin-sign.yml 
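Review bot: `npm install -g typescript` in the added chain fetches whatever TypeScript release is current at build time, outside the lockfile, and installs it globally on the agent in the job that signs the product. If `build/package.json` already lists `typescript` (not visible in this hunk), the `yarn` on the line before has installed a locked copy and the step can call it directly with `&& yarn tsc azure-pipelines/common/createAsset.ts \`. Otherwise pin the release explicitly, `&& npm install -g typescript@<pinned-version> \`. Note also that `tsc` given a file argument ignores `tsconfig.json`, so this compiles with default compiler options rather than the ones `yarn compile` used.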
@@ -41,7 +41,7 @@ steps: - script: | set -e unzip $(Pipeline.Workspace)/vscode-darwin-$(VSCODE_ARCH)/VSCode-darwin-$(VSCODE_ARCH).zip -d $(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH) - mv $(Pipeline.Workspace)/vscode-darwin-$(VSCODE_ARCH)/VSCode-darwin-$(VSCODE_ARCH).zip $(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH)/VSCode-darwin-$(VSCODE_ARCH).zip + mv $(Pipeline.Workspace)/vscode-darwin-$(VSCODE_ARCH)/VSCode-darwin-$(VSCODE_ARCH).zip $(agent.builddirectory)/VSCode-darwin-$(VSCODE_ARCH).zip displayName: Unzip & move - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1 From 665b71dc8b401dca1ac345c0bf7cbc51052c746d Mon Sep 17 00:00:00 2001 From: Tyler James Leonhardt Date: Tue, 23 Feb 2021 05:26:27 +0000 Subject: [PATCH 20/21] change to 64 --- build/azure-pipelines/darwin/product-build-darwin.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/azure-pipelines/darwin/product-build-darwin.yml b/build/azure-pipelines/darwin/product-build-darwin.yml index 622b311aa542d..eee79fe0b7caa 100644 --- a/build/azure-pipelines/darwin/product-build-darwin.yml +++ b/build/azure-pipelines/darwin/product-build-darwin.yml @@ -315,5 +315,5 @@ steps: VSCODE_ARCH="$(VSCODE_ARCH)" \ yarn gulp upload-vscode-configuration displayName: Upload configuration (for Bing settings search) - condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'universal')) + condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64')) continueOnError: true From b7448275b770712bb70090f1dc4ecfd2a7dcc1e5 Mon Sep 17 00:00:00 2001 From: Tyler James Leonhardt Date: Fri, 5 Mar 2021 18:30:28 +0000 Subject: [PATCH 21/21] add useful comments based on joao --- build/azure-pipelines/darwin/product-build-darwin.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/build/azure-pipelines/darwin/product-build-darwin.yml b/build/azure-pipelines/darwin/product-build-darwin.yml index eee79fe0b7caa..d3346552077a5 100644 
--- a/build/azure-pipelines/darwin/product-build-darwin.yml +++ b/build/azure-pipelines/darwin/product-build-darwin.yml @@ -22,6 +22,8 @@ steps: displayName: Extract compilation output condition: and(succeeded(), ne(variables['VSCODE_ARCH'], 'universal')) + # Set up the credentials to retrieve distro repo and setup git persona + # to create a merge commit for when we merge distro into oss - script: | set -e cat << EOF > ~/.netrc @@ -119,6 +121,7 @@ steps: displayName: Rebuild native modules for ARM64 condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'arm64')) + # This script brings in the right resources (images, icons, etc) based on the quality (insiders, stable, exploration) - script: | set -e node build/azure-pipelines/mixin @@ -167,6 +170,9 @@ steps: displayName: Create Universal App condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'universal')) + # Setting hardened entitlements is a requirement for: + # * Apple notarization + # * Running tests on Big Sur (because Big Sur has additional security precautions) - script: | set -e security create-keychain -p pwd $(agent.tempdirectory)/buildagent.keychain
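Review bot: The comment added above the last step in this patch describes hardened entitlements, but the first command of that step, visible as context, is `security create-keychain -p pwd $(agent.tempdirectory)/buildagent.keychain`, which gives the keychain the literal password `pwd`. The comment would serve the reader better if it also covered that line, for example `# Temporary keychain in the agent temp directory, created for this job only`, if that matches the rest of the step. The password would be better generated per run or taken from a secret variable mapped through `env:` than written in the file. The step's body continues past the end of the hunk, so what the keychain is then used for is not visible here.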