steps:
  - task: NodeTool@0
    inputs:
      versionSpec: "14.x"

  - task: geeklearningio.gl-vsts-tasks-yarn.yarn-installer-task.YarnInstaller@2
    inputs:
      versionSpec: "1.x"

  - task: AzureKeyVault@1
    displayName: "Azure Key Vault: Get Secrets"
    inputs:
      azureSubscription: "vscode-builds-subscription"
      KeyVaultName: vscode

  - script: |
      set -e
      cat << EOF > ~/.netrc
      machine github.com
      login vscode
      password $(github-distro-mixin-password)
      EOF

      git config user.email "vscode@microsoft.com"
      git config user.name "VSCode"
    displayName: Prepare tooling

  - script: |
      set -e
      git pull --no-rebase https://github.com/$(VSCODE_MIXIN_REPO).git $(node -p "require('./package.json').distro")
    displayName: Merge distro

  - script: |
      mkdir -p .build
      node build/azure-pipelines/common/computeNodeModulesCacheKey.js $VSCODE_ARCH $ENABLE_TERRAPIN > .build/yarnlockhash
    displayName: Prepare yarn cache flags

  # using `genericNodeModules` instead of `nodeModules` here to avoid sharing the cache with builds running inside containers
  - task: Cache@2
    inputs:
      key: 'genericNodeModules | $(Agent.OS) | .build/yarnlockhash'
      path: .build/node_modules_cache
      cacheHitVar: NODE_MODULES_RESTORED
    displayName: Restore node_modules cache

  - script: |
      set -e
      tar -xzf .build/node_modules_cache/cache.tgz
    condition: and(succeeded(), eq(variables.NODE_MODULES_RESTORED, 'true'))
    displayName: Extract node_modules cache

  - script: |
      set -e
      npx https://aka.ms/enablesecurefeed standAlone
    timeoutInMinutes: 5
    condition: and(succeeded(), ne(variables.NODE_MODULES_RESTORED, 'true'), eq(variables['ENABLE_TERRAPIN'], 'true'))
    displayName: Switch to Terrapin packages

  - script: |
      set -e
      sudo apt update -y
      sudo apt install -y build-essential pkg-config libx11-dev libx11-xcb-dev libxkbfile-dev libsecret-1-dev libnotify-bin
    displayName: Install build tools
    condition: and(succeeded(), ne(variables.NODE_MODULES_RESTORED, 'true'))

  - script: |
      set -e
      for i in {1..3}; do # try 3 times, for Terrapin
        yarn --frozen-lockfile && break
        if [ $i -eq 3 ]; then
          echo "Yarn failed too many times" >&2
          exit 1
        fi
        echo "Yarn failed $i, trying again..."
      done
    env:
      ELECTRON_SKIP_BINARY_DOWNLOAD: 1
      PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1
    displayName: Install dependencies
    condition: and(succeeded(), ne(variables.NODE_MODULES_RESTORED, 'true'))

  - script: |
      set -e
      node build/azure-pipelines/common/listNodeModules.js .build/node_modules_list.txt
      mkdir -p .build/node_modules_cache
      tar -czf .build/node_modules_cache/cache.tgz --files-from .build/node_modules_list.txt
    condition: and(succeeded(), ne(variables.NODE_MODULES_RESTORED, 'true'))
    displayName: Create node_modules archive

  # Mixin must run before optimize, because the CSS loader will inline small SVGs
  - script: |
      set -e
      node build/azure-pipelines/mixin
    displayName: Mix in quality

  - script: |
      set -e
      yarn npm-run-all -lp core-ci extensions-ci hygiene eslint valid-layers-check
    displayName: Compile & Hygiene

  - script: |
      set -e
      AZURE_STORAGE_ACCESS_KEY="$(ticino-storage-key)" \
        node build/azure-pipelines/upload-sourcemaps
    displayName: Upload sourcemaps
    condition: and(succeeded(), ne(variables['VSCODE_PUBLISH'], 'false'))

  - script: |
      set -
      ./build/azure-pipelines/common/extract-telemetry.sh
    displayName: Extract Telemetry
    condition: and(succeeded(), ne(variables['VSCODE_PUBLISH'], 'false'))

  - script: |
      set -e
      AZURE_WEBVIEW_STORAGE_ACCESS_KEY="$(vscode-webview-storage-key)" \
      ./build/azure-pipelines/common/publish-webview.sh
    displayName: Publish Webview
    condition: and(succeeded(), ne(variables['VSCODE_PUBLISH'], 'false'))

  - script: |
      set -e
      VERSION=`node -p "require(\"./package.json\").version"`
      AZURE_DOCUMENTDB_MASTERKEY="$(builds-docdb-key-readwrite)" \
        node build/azure-pipelines/common/createBuild.js $VERSION
    displayName: Create build
    condition: and(succeeded(), ne(variables['VSCODE_PUBLISH'], 'false'))

  # we gotta tarball everything in order to preserve file permissions
  - script: |
      set -e
      tar -czf $(Build.ArtifactStagingDirectory)/compilation.tar.gz .build out-*
    displayName: Compress compilation artifact

  - task: PublishPipelineArtifact@1
    inputs:
      targetPath: $(Build.ArtifactStagingDirectory)/compilation.tar.gz
      artifactName: Compilation
    displayName: Publish compilation artifact

  - script: |
      set -e
      VSCODE_MIXIN_PASSWORD="$(github-distro-mixin-password)" \
        yarn download-builtin-extensions-cg
    displayName: Built-in extensions component details

  - task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
    displayName: "Component Detection"
    inputs:
      sourceScanPath: $(Build.SourcesDirectory)
    continueOnError: true