vscode/build/azure-pipelines/sdl-scan.yml

parameters:
  - name: NPM_REGISTRY
    displayName: "Custom NPM Registry"
    type: string
    default: "https://pkgs.dev.azure.com/monacotools/Monaco/_packaging/vscode/npm/registry/"
  - name: NPM_ARCH
    type: string
    default: x64
  - name: VSCODE_ARCH
    type: string
    default: x64

steps:
  - task: NodeTool@0
    inputs:
      versionSource: fromFile
      versionFilePath: .nvmrc
      nodejsMirror: https://github.com/joaomoreno/node-mirror/releases/download

  - template: ./distro/download-distro.yml

  - task: AzureKeyVault@1
    displayName: "Azure Key Vault: Get Secrets"
    inputs:
      azureSubscription: "vscode-builds-subscription"
      KeyVaultName: vscode-build-secrets
      SecretsFilter: "github-distro-mixin-password"

  - powershell: |
      . build/azure-pipelines/win32/exec.ps1
      $ErrorActionPreference = "Stop"
      exec { npm config set registry "${{ parameters.NPM_REGISTRY }}" --location=project }
      # npm >v7 deprecated the `always-auth` config option, refs npm/cli@72a7eeb
      # following is a workaround for yarn to send authorization header
      # for GET requests to the registry.
      exec { Add-Content -Path .npmrc -Value "always-auth=true" }
      exec { yarn config set registry "${{ parameters.NPM_REGISTRY }}" }      
    condition: and(succeeded(), ne(variables.NODE_MODULES_RESTORED, 'true'), ne('${{ parameters.NPM_REGISTRY }}', 'none'))
    displayName: Setup NPM & Yarn

  - task: npmAuthenticate@0
    inputs:
      workingFile: .npmrc
    condition: and(succeeded(), ne(variables.NODE_MODULES_RESTORED, 'true'), ne('${{ parameters.NPM_REGISTRY }}', 'none'))
    displayName: Setup NPM Authentication

  - powershell: |
      . build/azure-pipelines/win32/exec.ps1
      $ErrorActionPreference = "Stop"
      exec { node build/setup-npm-registry.js "${{ parameters.NPM_REGISTRY }}" }      
    condition: and(succeeded(), ne(variables.NODE_MODULES_RESTORED, 'true'), ne('${{ parameters.NPM_REGISTRY }}', 'none'))
    displayName: Setup NPM Registry

  - pwsh: |
      $includes = @'
        {
          'target_defaults': {
            'conditions': [
              ['OS=="win"', {
                'msvs_configuration_attributes': {
                  'SpectreMitigation': 'Spectre'
                },
                'msvs_settings': {
                  'VCCLCompilerTool': {
                    'AdditionalOptions': [
                      '/Zi',
                      '/FS'
                    ],
                  },
                  'VCLinkerTool': {
                    'AdditionalOptions': [
                      '/profile'
                    ]
                  }
                }
              }]
            ]
          }
        }
      '@

      if (!(Test-Path "~/.gyp")) {
        mkdir "~/.gyp"
      }
      echo $includes > "~/.gyp/include.gypi"      
    displayName: Create include.gypi

  - powershell: |
      . build/azure-pipelines/win32/exec.ps1
      . build/azure-pipelines/win32/retry.ps1
      $ErrorActionPreference = "Stop"
      retry { exec { yarn --frozen-lockfile --check-files } }      
    env:
      PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1
      GITHUB_TOKEN: "$(github-distro-mixin-password)"
      CHILD_CONCURRENCY: 1
    displayName: Install dependencies

  - script: node build/azure-pipelines/distro/mixin-npm
    displayName: Mixin distro node modules

  - script: node build/azure-pipelines/distro/mixin-quality
    displayName: Mixin distro quality
    env:
      VSCODE_QUALITY: stable

  - powershell: yarn compile
    displayName: Compile

  - powershell: yarn gulp "vscode-symbols-win32-${{ parameters.VSCODE_ARCH }}"
    env:
      GITHUB_TOKEN: "$(github-distro-mixin-password)"
    displayName: Download Symbols

  - task: BinSkim@4
    inputs:
      InputType: "Basic"
      Function: "analyze"
      TargetPattern: "guardianGlob"
      AnalyzeIgnorePdbLoadError: true
      AnalyzeTargetGlob: '$(agent.builddirectory)\scanbin\**.dll;$(agent.builddirectory)\scanbin\**.exe;$(agent.builddirectory)\scanbin\**.node'
      AnalyzeLocalSymbolDirectories: '$(agent.builddirectory)\scanbin\VSCode-win32-${{ parameters.VSCODE_ARCH }}\pdb'

  - task: CopyFiles@2
    displayName: 'Collect Symbols for API Scan'
    inputs:
      SourceFolder: $(Agent.BuildDirectory)
      Contents: 'scanbin\**\*.pdb'
      TargetFolder: '$(agent.builddirectory)\symbols'
      flattenFolders: true
    condition: succeeded()

  # - task: APIScan@2
  #   inputs:
  #     softwareFolder: $(agent.builddirectory)\scanbin
  #     softwareName: 'vscode-client'
  #     softwareVersionNum: '1'
  #     symbolsFolder: 'SRV*http://symweb;$(agent.builddirectory)\symbols'
  #     isLargeApp: false
  #     toolVersion: 'Latest'
  #   displayName: Run ApiScan
  #   condition: succeeded()
  #   env:
  #     AzureServicesAuthConnectionString: $(apiscan-connectionstring)

  - task: PublishSecurityAnalysisLogs@3
    inputs:
      ArtifactName: CodeAnalysisLogs
      ArtifactType: Container
      PublishProcessedResults: false
      AllTools: true