try to add actual publish

bschnurr · bschnurr · commit f170f8026865 · 2025-10-28T14:58:41.000-07:00
diff --git a/build/azure-devdiv-pipeline.pre-release.yml b/build/azure-devdiv-pipeline.pre-release.yml
@@ -130,11 +130,37 @@ extends:
                 displayName: Prepare manifest for signing
 
               # Conditionally invoke signing template (encapsulates inspection + msbuild + verification)
-              - ${{ if eq(parameters.publishExtension, true) }}:
-                - template: build/templates/sign.yml@self
+              - template: build/templates/sign.yml@self
+                parameters:
+                  vsixName: $(VSIX_NAME)
+                  workingDirectory: $(Build.StagingDirectory)\drop
+                  signType: real
+                  verifySignature: true
+
+      - ${{ if eq(parameters.publishExtension, true) }}:
+        - stage: Publish
+          displayName: Publish Extension
+          dependsOn: Build
+          jobs:
+            - job: Publish
+              displayName: Marketplace Publish Job
+              templateContext:
+                type: releaseJob
+                isProduction: true
+                inputs:
+                  - input: pipelineArtifact
+                    # Single consolidated artifact produced in Build stage
+                    artifactName: drop
+                    # Download into the expected publishFolder path used by publish.yml
+                    targetPath: $(Build.ArtifactStagingDirectory)\drop
+              steps:
+                - template: build/templates/publish.yml@self
                   parameters:
-                    vsixName: $(VSIX_NAME)
-                    workingDirectory: $(Build.StagingDirectory)\drop
-                    signType: real
-                    verifySignature: true
+                    azureSubscription: PylancePublishPipelineSecureConnectionWithManagedIdentity
+                    vsixName: autopep8.vsix
+                    manifestName: extension.manifest
+                    signatureName: extension.signature.p7s
+                    publishFolder: drop
+                    preRelease: false
+                    noVerify: true
 
diff --git a/build/templates/publish.yml b/build/templates/publish.yml
@@ -0,0 +1,102 @@
+# Template (steps): PublishMarketplace for autopep8 extension
+# Expects working directory already populated (or artifact previously downloaded) with: autopep8.vsix, extension.manifest, extension.signature.p7s
+# Provides optional prerelease publishing via parameter.
+#
+# Usage (example inside a stage job):
+# steps:
+# - template: build/templates/publish.yml@self
+#   parameters:
+#     azureSubscription: Autopep8PublishServiceConnection
+#     artifactName: drop
+#     vsixName: autopep8.vsix
+#     manifestName: extension.manifest
+#     signatureName: extension.signature.p7s
+#     publishFolder: vscode-autopep8
+#     preRelease: true
+#     noVerify: true
+#
+# Notes:
+# - Azure DevOps Marketplace resource GUID (499b84ac-1321-427f-aa17-267ca6975798) is hardcoded in publish script.
+# - This uses Managed Identity via AzureCLI@2 to acquire an AAD token and passes it as a PAT.
+# - Requires extension artifacts already signed (signature file present).
+
+parameters:
+  - name: azureSubscription
+    type: string
+  - name: vsixName
+    type: string
+    default: autopep8.vsix
+  - name: manifestName
+    type: string
+    default: extension.manifest
+  - name: signatureName
+    type: string
+    default: extension.signature.p7s
+  - name: publishFolder
+    type: string
+    default: vscode-autopep8
+  - name: preRelease
+    type: boolean
+    default: false
+  - name: noVerify
+    type: boolean
+    default: true
+
+steps:
+  # Assumes files already present at $(Build.ArtifactStagingDirectory)/publishFolder
+
+  - task: AzureCLI@2
+    displayName: Acquire token & publish extension
+    inputs:
+      azureSubscription: ${{ parameters.azureSubscription }}
+      scriptType: pscore
+      scriptLocation: inlineScript
+      inlineScript: |
+        # Hardcoded Azure DevOps Marketplace resource GUID
+        $resource = "499b84ac-1321-427f-aa17-267ca6975798"
+        Write-Host "Acquiring AAD token for resource: $resource"
+        az rest -u https://app.vssps.visualstudio.com/_apis/profile/profiles/me --resource $resource | Out-Null
+        $aadToken = az account get-access-token --query accessToken --resource $resource -o tsv
+        if (-not $aadToken) { Write-Error 'Failed to acquire AAD token.'; exit 1 }
+
+        $root = "$(Build.ArtifactStagingDirectory)/${{ parameters.publishFolder }}"
+        $vsixPath = Join-Path $root "${{ parameters.vsixName }}"
+        $manifestPath = Join-Path $root "${{ parameters.manifestName }}"
+        $signaturePath = Join-Path $root "${{ parameters.signatureName }}"
+
+        Write-Host "VSIX Path: $vsixPath"
+        Write-Host "Manifest Path: $manifestPath"
+        Write-Host "Signature Path: $signaturePath"
+
+        if (-not (Test-Path $vsixPath)) { Write-Error "VSIX file not found: $vsixPath"; exit 1 }
+        if (-not (Test-Path $manifestPath)) { Write-Error "Manifest file not found: $manifestPath"; exit 1 }
+        if (-not (Test-Path $signaturePath)) { Write-Error "Signature file not found: $signaturePath"; exit 1 }
+
+        Write-Host "Listing publish folder contents: $root"
+        Get-ChildItem -Recurse $root | Select-Object FullName,Length | Format-Table -AutoSize
+
+        $extraFlags = ''
+        if ('${{ parameters.noVerify }}' -eq 'True') { $extraFlags = "$extraFlags --noVerify" }
+
+        if ('${{ parameters.preRelease }}' -eq 'True') {
+          Write-Host 'Publishing as pre-release'
+          # npx @vscode/vsce@latest publish --pat $aadToken --packagePath $vsixPath --manifestPath $manifestPath --signaturePath $signaturePath $extraFlags --pre-release
+        } else {
+          Write-Host 'Publishing as stable release'
+          # npx @vscode/vsce@latest publish --pat $aadToken --packagePath $vsixPath --manifestPath $manifestPath --signaturePath $signaturePath $extraFlags
+        }
+
+        if ($LASTEXITCODE -ne 0) {
+          Write-Error "vsce publish failed with exit code $LASTEXITCODE"
+          exit $LASTEXITCODE
+        }
+        Write-Host 'Publish succeeded ✅'
+
+  - task: PowerShell@2
+    displayName: Post-publish summary
+    inputs:
+      targetType: inline
+      script: |
+        Write-Host 'Published extension artifacts:'
+        Get-ChildItem "$(Build.ArtifactStagingDirectory)/${{ parameters.publishFolder }}" -File | Select-Object Name,Length | Format-Table -AutoSize
+        Write-Host "Pre-release parameter: ${{ parameters.preRelease }}"
diff --git a/build/templates/sign.yml b/build/templates/sign.yml
@@ -97,6 +97,21 @@ steps:
       solution: '$(Build.SourcesDirectory)/sign.proj'
       msbuildArguments: '/verbosity:minimal /p:SignType=${{ parameters.signType }}'
 
+  - task: PowerShell@2
+    displayName: Copy signed signature back to working directory
+    inputs:
+      targetType: inline
+      script: |
+        $wd = "${{ parameters.workingDirectory }}"
+        $root = "$(Build.SourcesDirectory)"
+        $signatureName = "${{ parameters.signatureName }}"
+        $rootSig = Join-Path $root $signatureName
+        if (!(Test-Path $rootSig)) { Write-Error "Signed signature not found at root: $rootSig"; exit 1 }
+        $wdSig = Join-Path $wd $signatureName
+        Copy-Item $rootSig $wdSig -Force
+        Write-Host "Copied signed signature to working directory: $wdSig"
+        Get-Item $rootSig,$wdSig | Select-Object FullName,Length,LastWriteTime | Format-Table -AutoSize
+
   - task: PowerShell@2
     displayName: Post-sign inspection
     inputs:
@@ -113,6 +128,26 @@ steps:
           Write-Warning "Signature file NOT present after signing step."; exit 0
         }
 
+  - task: PowerShell@2
+    displayName: Validate signature differs from manifest (hash check)
+    inputs:
+      targetType: inline
+      script: |
+        $wd = "${{ parameters.workingDirectory }}"
+        $manifest = Join-Path $wd "${{ parameters.manifestName }}"
+        $signature = Join-Path $wd "${{ parameters.signatureName }}"
+        if (!(Test-Path $manifest)) { Write-Error "Manifest missing for hash comparison: $manifest"; exit 1 }
+        if (!(Test-Path $signature)) { Write-Error "Signature missing for hash comparison: $signature"; exit 1 }
+        $manifestHash = (Get-FileHash -Algorithm SHA256 $manifest).Hash
+        $signatureHash = (Get-FileHash -Algorithm SHA256 $signature).Hash
+        Write-Host "Manifest SHA256 : $manifestHash"
+        Write-Host "Signature SHA256: $signatureHash"
+        if ($manifestHash -eq $signatureHash) {
+          Write-Error "Signature file is identical to manifest (placeholder detected). Failing build."; exit 1
+        } else {
+          Write-Host "Hashes differ ✅ (signature not a direct copy of manifest)"
+        }
+
   - ${{ if eq(parameters.verifySignature, true) }}:
     - task: PowerShell@2
       displayName: Verify VSIX signature
