Utilize a separate pipeline for release tasks

1es-azure-pipeline.yml

@@ -25,6 +25,8 @@ variables:
   value: true
 - name: MicroBuildOutputFolderOverride
   value: '$(Agent.TempDirectory)'
+- name: TestBuild
+  value: $[eq(variables['Build.Reason'], 'Manual')]
 
 resources:
   repositories:
@@ -58,8 +60,6 @@ extends:
         name: NetCore1ESPool-Internal
         image: 1es-windows-2022
         os: windows
-      sbom:
-        enabled: false # SBOM requires a special setup for node.js projects to ensure all dependencies are included.
       policheck:
         enabled: true
         exclusionsFile: $(System.DefaultWorkingDirectory)\PoliCheckExclusions.xml
@@ -103,6 +103,7 @@ extends:
             os: windows
           useOneEngineeringPool: true
           SignType: Real
+          TestBuild: $(TestBuild)
       - template: pipeline-templates/sbom.yaml@self
         parameters:
           pool:

msbuild/signJs/signJs.proj

@@ -7,13 +7,19 @@
     <IsPackable>false</IsPackable>
     <OutDir>$(MSBuildProjectDirectory)\$(JSOutputPath)\</OutDir>
     <MicroBuild_SigningEnabled>true</MicroBuild_SigningEnabled>
+    <ShouldSign>true</ShouldSign>
   </PropertyGroup>
 
   <PropertyGroup Condition="'$(SignType)' == ''">
       <SignType>test</SignType>
   </PropertyGroup>
 
-  <ItemGroup>
+  <PropertyGroup Condition="$([System.String]::Equals('$(TestBuild)', 'true', StringComparison.OrdinalIgnoreCase))">
+    <ShouldSign>false</ShouldSign>
+    <MicroBuild_SigningEnabled>false</MicroBuild_SigningEnabled>
+  </PropertyGroup>
+
+  <ItemGroup Condition="'$(ShouldSign)' == 'true'">
     <FilesToSign Include="$(OutDir)*.js">
       <Authenticode>MicrosoftSHA2</Authenticode>
     </FilesToSign>

msbuild/signVsix/signVsix.proj

@@ -6,8 +6,15 @@
     <MicroBuild_DoNotStrongNameSign>true</MicroBuild_DoNotStrongNameSign>
     <IsPackable>false</IsPackable>
     <OutDir>$(RepoRoot)packages\</OutDir>
+    <ShouldSign>true</ShouldSign>
   </PropertyGroup>
-  <ItemGroup>
+
+  <PropertyGroup Condition="$([System.String]::Equals('$(TestBuild)', 'true', StringComparison.OrdinalIgnoreCase))">
+    <ShouldSign>false</ShouldSign>
+    <MicroBuild_SigningEnabled>false</MicroBuild_SigningEnabled>
+  </PropertyGroup>
+
+  <ItemGroup Condition="'$(ShouldSign)' == 'true'">
     <FilesToSign Include="$(OutDir)*.signature.p7s">
       <Authenticode>VSCodePublisher</Authenticode>
     </FilesToSign>

package.json

@@ -27,7 +27,7 @@
 		"@types/source-map-support": "^0.5.6",
 		"@typescript-eslint/eslint-plugin": "^8.0.0",
 		"@typescript-eslint/parser": "^8.0.0",
-		"@vscode/vsce": "^3.6.0",
+		"@vscode/vsce": "^3.7.1",
 		"eslint": "^8.57.0",
 		"eslint-config-prettier": "^9.1.0",
 		"eslint-import-resolver-node": "^0.3.9",

pipeline-templates/list-file-structure.yaml

@@ -6,6 +6,8 @@ parameters:
         title: "🏠 SYSTEM DEFAULT WORKING DIRECTORY"
       - path: $(Build.ArtifactStagingDirectory)
         title: "🎯 BUILD ARTIFACT STAGING DIRECTORY"
+      - path: $(Pipeline.Workspace)
+        title: "🔧 PIPELINE WORKSPACE"
   - name: displayName
     type: string
     default: '📋 List All Files Recursively'

pipeline-templates/package-vsix.yaml

@@ -1,6 +1,7 @@
 parameters:
   pool: ''
   SignType: ''
+  TestBuild: 'false'
 
 jobs:
 - job: ${{ parameters.pool.os }}_Package
@@ -18,6 +19,10 @@ jobs:
       displayName: '📂 Publish .VSIX'
       targetPath: '$(Build.ArtifactStagingDirectory)'
       artifactName: '$(dir-name)'
+    - output: pipelineArtifact
+      displayName: '🗂️ Publish Package Files'
+      targetPath: '$(Build.ArtifactStagingDirectory)/package_files'
+      artifactName: 'package_files'
   steps:
   - template: install-node.yaml
   - bash: |
@@ -65,11 +70,29 @@ jobs:
     workingDirectory: $(dir-name)
     env:
       SignType: ${{ parameters.SignType }}
+      TestBuild: ${{ parameters.TestBuild }}
   - template: list-file-structure.yaml
+  - pwsh: |
+      $target = Join-Path '$(Build.ArtifactStagingDirectory)' 'package_files'
+      if (-not (Test-Path $target)) {
+        New-Item -ItemType Directory -Path $target | Out-Null
+      }
+
+      $source = Join-Path '$(Build.SourcesDirectory)' '$(dir-name)'
+      $files = @('package.json', 'package-lock.json', '.npmrc', 'yarn.lock', '.yarnrc')
+
+      foreach ($file in $files) {
+        $sourcePath = Join-Path $source $file
+        if (Test-Path $sourcePath) {
+          Copy-Item -Path $sourcePath -Destination (Join-Path $target $file) -Force
+        }
+      }
+    displayName: '📁 Stage Package Files for Consumption to Enable NPM CI'
   - script: dotnet build msbuild/signVsix -v:normal
     displayName: 🖊️ Sign VSIXes
     env:
       SignType: ${{ parameters.SignType }}
+      TestBuild: ${{ parameters.TestBuild }}
   - ${{ if eq(variables['Build.Reason'], 'IndividualCI') }}:
     - pwsh: |
         Function Spawn-Tool($command, $commandArgs, $retryCount=0) {
@@ -111,10 +134,6 @@ jobs:
         }
       displayName: 🔑 Verify VSIX Signature Files
       workingDirectory: $(dir-name)
-  - task: CmdLine@2
-    displayName: 🤌 Rename Signed VSIX
-    inputs:
-      script: rename ".\packages\$(package-name)-$(GetVersion.version).vsix" $(package-name)-$(GetVersion.version)-signed.vsix
   - task: CopyFiles@2
     displayName: '📩 Copy Artifact'
     inputs:
@@ -128,11 +147,4 @@ jobs:
       SourceFolder: '$(Build.SourcesDirectory)'
       Contents: '**\*.binlog'
       TargetFolder: '$(Build.ArtifactStagingDirectory)'
-      flattenFolders: false
-- ${{ if eq(parameters.useOneEngineeringPool, 'true') }}:
-  - template: publish.yaml
-    parameters:
-      pool: ${{ parameters.pool }}
-      SignType: ${{ parameters.SignType }}
-      version: $(GetVersion.version)
-      useOneEngineeringPool: true
+      flattenFolders: false

release.yml

@@ -0,0 +1,121 @@
+trigger: none
+pr: none
+
+parameters:
+  - name: test
+    type: boolean
+    default: true
+
+variables:
+# This is expected to provide the PAT used to tag the release.
+- group: DncEng-Partners-Tokens
+
+resources:
+  repositories:
+  - repository: 1ESPipelineTemplates
+    type: git
+    name: 1ESPipelineTemplates/1ESPipelineTemplates
+    ref: refs/tags/release
+  pipelines:
+  - pipeline: officialBuildCI
+    source: dotnet-vscode-dotnet-runtime
+    branch: main
+extends:
+  template: v1/1ES.Official.PipelineTemplate.yml@1ESPipelineTemplates
+  parameters:
+    pool:
+      name: NetCore1ESPool-Internal
+      image: 1es-windows-2022
+      os: windows
+    customBuildTags:
+    - ES365AIMigrationTooling
+    stages:
+    - stage: PublishStage
+      jobs:
+      - deployment: PublishToMarketplace
+        displayName: PublishToMarketplace
+        environment: vscode-dotnetcore-extension-releases
+        pool:
+          name: NetCore1ESPool-Internal
+          image: 1es-windows-2022
+          os: windows
+        templateContext:
+          type: releaseJob
+          isProduction: true
+          inputs:
+          - input: pipelineArtifact
+            pipeline: officialBuildCI
+            artifactName: vscode-dotnet-runtime-extension
+            destinationPath: $(Pipeline.Workspace)
+          - input: pipelineArtifact
+            pipeline: officialBuildCI
+            artifactName: package_files
+            destinationPath: $(Pipeline.Workspace)/package_files
+        strategy:
+          runOnce:
+            deploy:
+              steps:
+              - template: pipeline-templates/install-node.yaml@self
+              - template: pipeline-templates/list-file-structure.yaml@self
+              - bash: |
+                  ARTIFACT_DIR="$(Pipeline.Workspace)"
+                  VSIX_PATH=$(find "$ARTIFACT_DIR" -type f -name 'vscode-dotnet-runtime-*.vsix' | head -n 1)
+                  if [ -z "$VSIX_PATH" ]; then
+                    echo "##vso[task.logissue type=error]Unable to locate vscode-dotnet-runtime-*.vsix under $ARTIFACT_DIR"
+                    exit 1
+                  fi
+
+                  FILE_NAME=$(basename "$VSIX_PATH")
+                  VERSION=${FILE_NAME#vscode-dotnet-runtime-}
+                  VERSION=${VERSION%.vsix}
+
+                  echo "Using version $VERSION derived from artifact $FILE_NAME"
+
+                  PACKAGE_FILES_DIR="$ARTIFACT_DIR/package_files"
+                  if [ -f "$PACKAGE_FILES_DIR/package.json" ]; then
+                    (cd "$PACKAGE_FILES_DIR" && npm version "$VERSION" --allow-same-version)
+                  fi
+
+                  echo "##vso[task.setvariable variable=version;isOutput=true]$VERSION"
+                name: GetVersion
+                displayName: '❓ Get Version'
+              - pwsh: |
+                  $packageFilesDir = Join-Path '$(Pipeline.Workspace)' 'package_files'
+                  if (-not (Test-Path $packageFilesDir)) {
+                    Write-Error "package_files artifact was not downloaded."
+                    exit 1
+                  }
+
+                  Push-Location $packageFilesDir
+                  try {
+                    npm ci
+                  }
+                  finally {
+                    Pop-Location
+                  }
+                displayName: '⬇️ Restore Node Dependencies'
+              - task: AzureCLI@2
+                displayName: '🚀 Publish to Marketplace'
+                inputs:
+                  azureSubscription: 'VSCode Marketplace Publishing'
+                  scriptType: "pscore"
+                  scriptLocation: 'inlineScript'
+                  workingDirectory: '$(Pipeline.Workspace)/package_files'
+                  inlineScript: |
+                    $packagePath = Join-Path '$(Pipeline.Workspace)' 'vscode-dotnet-runtime-$(GetVersion.version).vsix'
+                    $manifestPath = Join-Path '$(Pipeline.Workspace)' 'vscode-dotnet-runtime-$(GetVersion.version).manifest'
+                    $signaturePath = Join-Path '$(Pipeline.Workspace)' 'vscode-dotnet-runtime-$(GetVersion.version).signature.p7s'
+
+                    $publishArgs = @('publish', '--azure-credential', '--packagePath', $packagePath, '--manifestPath', $manifestPath, '--signaturePath', $signaturePath)
+                    $publishArgsString = $publishArgs -join ' '
+                    If (${{ parameters.test }}) {
+                      Write-Host "With a test-signed build, the command to publish is printed instead of run."
+                      Write-Host "##[command]npx vsce $publishArgsString"
+
+                      Write-Host "🔒 Verify PAT."
+                      npx vsce verify-pat --azure-credential ms-dotnettools
+                    }
+                    Else {
+                      Write-Host "##[command]npx vsce $publishArgsString"
+                      npx vsce $publishArgs
+                    }