vscode signing (#4533)

* Set up signing

* Use branch for build-tools

* ref naming

* Path/Pattern

* Add vsce publishing

* Revert 1es-redirect.yml

* Add file paths explicitly

eng/pipelines/templates/stages/vscode-publish-manual.yml

@@ -42,6 +42,7 @@ stages:
                     PublishLocations: vscode/release/$(VSIX_VERSION);vscode/release/latest
                     TagRepository: true
                     UpdateShield: true
+                    PublishToMarketplace: true
 
       - deployment: Increment_Version
         condition: >-

eng/pipelines/templates/stages/vscode-sign.yml

@@ -22,10 +22,19 @@ stages:
               artifact: vsix
               path: vsix
 
+          - task: PowerShell@2
+            inputs:
+              targetType: filePath
+              filePath: eng/scripts/New-VsixSigningManifest.ps1
+              arguments: -Path $(Build.SourcesDirectory)\vsix
+              pwsh: true
+            displayName: Create signing manifest
+
           - ${{ if in(variables['Build.Reason'], 'IndividualCI', 'BatchedCI', 'Manual') }}:
             - template: pipelines/steps/azd-vscode-signing.yml@azure-sdk-build-tools
               parameters:
-                VsixPath: vsix
+                Path: $(Build.SourcesDirectory)\vsix
+                Pattern: '*.signature.p7s'
 
           - ${{ else }}:
             - pwsh: Write-Host "Skipping signing. Build reason - $(Build.Reason)"

eng/pipelines/templates/steps/publish-vscode.yml

@@ -3,6 +3,7 @@ parameters:
   VsixVersion: $(VSIX_VERSION)
   UpdateShield: false
   StorageContainerName: azd
+  PublishToMarketplace: false
 
 steps:
   - task: DownloadPipelineArtifact@2
@@ -26,8 +27,13 @@ steps:
   - pwsh: |
       New-Item -ItemType Directory -Path release -Force
       Copy-Item signed/vsix/*.vsix release/
+      Copy-Item signed/vsix/*.p7s release/
+      Copy-Item signed/vsix/*.manifest release/
       Write-Host "Signed:"
       Get-ChildItem signed/
+
+      Write-Host "Release:"
+      Get-ChildItem release/
     displayName: Copy signed vsix to release location
 
   - task: AzurePowerShell@5
@@ -76,3 +82,20 @@ steps:
       displayName: Create GitHub Release and upload artifacts
       env:
         GH_TOKEN: $(azuresdk-github-pat)
+
+  - ${{ if eq('true', parameters.PublishToMarketplace) }}:
+    - task: AzureCLI@2
+      displayName: Publish (using vsce)
+      inputs:
+        azureSubscription: azure-sdk-vsmarketplace
+        scriptType: pscore
+        scriptLocation: inlineScript
+        workingDirectory: release
+        inlineScript: |
+          npm install -g @vscode/vsce
+          $baseName = "azure-dev-${{ parameters.VsixVersion }}"
+          vsce publish `
+            --azure-credential `
+            --packagePath "$($baseName).vsix" `
+            --manifestPath "$($baseName).manifest" `
+            --signaturePath "$($baseName).p7s"

eng/scripts/New-VsixSigningManifest.ps1

@@ -0,0 +1,24 @@
+param(
+    [string]$Path = "$PSScriptRoot../../vsix"
+)
+
+$originalLocation = Get-Location
+try {
+    Set-Location $Path
+    $extensions = Get-ChildItem -Filter *.vsix -Recurse -File
+    foreach ($extension in $extensions) {
+        Write-Host "Generating signing manifest for $extension"
+        $manifestName = "$($extension.BaseName).manifest"
+        $signatureName = "$($extension.BaseName).signature.p7s"
+
+        npm exec --yes @vscode/vsce@latest -- generate-manifest --packagePath "$($extension.FullName)" -o $manifestName | Write-Host
+        if ($LASTEXITCODE) {
+            Write-Host "Failed to generate signing manifest for $extension"
+            exit $LASTEXITCODE
+        }
+
+        Copy-Item $manifestName $signatureName
+    }
+} finally {
+    Set-Location $originalLocation
+}