parameters:
  parentJobs: []

jobs:
- job: WinPackageSigningJob
  displayName: Windows Package signing and upload
  dependsOn:
    ${{ parameters.parentJobs }}
  condition: succeeded()
  pool:
    name: PowerShell1ES
    demands:
    - ImageOverride -equals MMS2019
  variables:
    - name: DOTNET_SKIP_FIRST_TIME_EXPERIENCE
      value: 1
    - group: ESRP

  steps:
  - checkout: self
    clean: true

  - checkout: ComplianceRepo
    clean: true

  - template: SetVersionVariables.yml
    parameters:
      ReleaseTagVar: $(ReleaseTagVar)

  - template: shouldSign.yml

  - task: DownloadBuildArtifacts@0
    displayName: 'Download artifacts'
    inputs:
      buildType: current
      downloadType: single
      artifactName: signed
      downloadPath: '$(System.ArtifactsDirectory)'

  - powershell: |
      dir "$(System.ArtifactsDirectory)\*" -Recurse
    displayName: 'Capture Downloaded Artifacts'
    # Diagnostics is not critical it passes every time it runs
    continueOnError: true

  - template: EsrpSign.yml@ComplianceRepo
    parameters:
        buildOutputPath: $(System.ArtifactsDirectory)\signed
        signOutputPath: $(Build.StagingDirectory)\signedPackages
        certificateId: $(MSIX_CERT)
        pattern: |
          **\*.msix
        useMinimatch: true
        shouldSign: $(SHOULD_SIGN)
        displayName: Sign msix

  - template: EsrpSign.yml@ComplianceRepo
    parameters:
        buildOutputPath: $(System.ArtifactsDirectory)\signed
        signOutputPath: $(Build.StagingDirectory)\signedPackages
        certificateId: $(AUTHENTICODE_CERT)
        pattern: |
          **\*.exe
        useMinimatch: true
        shouldSign: $(SHOULD_SIGN)
        displayName: Sign exe

  - powershell: |
      new-item -itemtype Directory -path '$(Build.StagingDirectory)\signedPackages'
      Get-ChildItem "$(System.ArtifactsDirectory)\signed\PowerShell-$(Version)-win-*.msi*" | copy-item -Destination '$(Build.StagingDirectory)\signedPackages'
    displayName: 'Fake msi* Signing'
    condition: and(succeeded(), ne(variables['SHOULD_SIGN'], 'true'))

  - pwsh: |
      Get-ChildItem "$(System.ArtifactsDirectory)\signed\PowerShell-$(Version)-win-*.exe" | copy-item -Destination '$(Build.StagingDirectory)\signedPackages'
    displayName: 'Fake exe Signing'
    condition: and(succeeded(), ne(variables['SHOULD_SIGN'], 'true'))

  - template: upload.yml
    parameters:
      architecture: x86
      version: $(version)

  - template: upload.yml
    parameters:
      architecture: x64
      version: $(version)
      pdb: yes

  - template: upload.yml
    parameters:
      architecture: arm32
      version: $(version)
      msi: no

  - template: upload.yml
    parameters:
      architecture: arm64
      version: $(version)
      msi: no

  - template: upload.yml
    parameters:
      architecture: fxdependent
      version: $(version)
      msi: no
      msix: no

  - template: upload.yml
    parameters:
      architecture: fxdependentWinDesktop
      version: $(version)
      msi: no
      msix: no

  - template: EsrpScan.yml@ComplianceRepo
    parameters:
        scanPath: $(Build.StagingDirectory)
        pattern: |
          **\*.msix
          **\*.msi
          **\*.zip

  - task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
    displayName: 'Component Detection'
    inputs:
      sourceScanPath: '$(Build.SourcesDirectory)'
      snapshotForceEnabled: true