Use actual configuration for policy export

.github/workflows/policy-check.yml

@@ -0,0 +1,281 @@
+name: Enterprise Configuration Policy Check
+
+on:
+  push:
+    branches:
+      - main
+      - release/*
+  pull_request:
+    branches:
+      - main
+      - release/*
+
+permissions: {}
+
+jobs:
+  darwin-policy:
+    name: Enterprise Configuration Policy Check (macOS)
+    runs-on: macos-14-xlarge
+    timeout-minutes: 40
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      VSCODE_ARCH: arm64
+      NPM_ARCH: arm64
+    steps:
+      - name: Checkout microsoft/vscode
+        uses: actions/checkout@v5
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v5
+        with:
+          node-version-file: .nvmrc
+
+      - name: Prepare node_modules cache key
+        run: mkdir -p .build && node build/azure-pipelines/common/computeNodeModulesCacheKey.js darwin $VSCODE_ARCH $(node -p process.arch) > .build/packagelockhash
+
+      - name: Restore node_modules cache
+        id: cache-node-modules
+        uses: actions/cache/restore@v4
+        with:
+          path: .build/node_modules_cache
+          key: "node_modules-macos-${{ hashFiles('.build/packagelockhash') }}"
+
+      - name: Extract node_modules cache
+        if: steps.cache-node-modules.outputs.cache-hit == 'true'
+        run: tar -xzf .build/node_modules_cache/cache.tgz
+
+      - name: Install dependencies
+        if: steps.cache-node-modules.outputs.cache-hit != 'true'
+        run: |
+          set -e
+          c++ --version
+          xcode-select -print-path
+          python3 -m pip install --break-system-packages setuptools
+
+          for i in {1..5}; do # try 5 times
+            npm ci && break
+            if [ $i -eq 5 ]; then
+              echo "Npm install failed too many times" >&2
+              exit 1
+            fi
+            echo "Npm install failed $i, trying again..."
+          done
+        env:
+          npm_config_arch: ${{ env.NPM_ARCH }}
+          ELECTRON_SKIP_BINARY_DOWNLOAD: 1
+          PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1
+          # Avoid using dlopen to load Kerberos on macOS which can cause missing libraries
+          # https://github.com/mongodb-js/kerberos/commit/04044d2814ad1d01e77f1ce87f26b03d86692cf2
+          # flipped the default to support legacy linux distros which shouldn't happen
+          # on macOS.
+          GYP_DEFINES: "kerberos_use_rtld=false"
+
+      - name: Create node_modules archive
+        if: steps.cache-node-modules.outputs.cache-hit != 'true'
+        run: |
+          set -e
+          node build/azure-pipelines/common/listNodeModules.js .build/node_modules_list.txt
+          mkdir -p .build/node_modules_cache
+          tar -czf .build/node_modules_cache/cache.tgz --files-from .build/node_modules_list.txt
+
+      - name: Create .build folder
+        run: mkdir -p .build
+
+      - name: Prepare built-in extensions cache key
+        run: node build/azure-pipelines/common/computeBuiltInDepsCacheKey.js > .build/builtindepshash
+
+      - name: Restore built-in extensions cache
+        id: cache-builtin-extensions
+        uses: actions/cache/restore@v4
+        with:
+          enableCrossOsArchive: true
+          path: .build/builtInExtensions
+          key: "builtin-extensions-${{ hashFiles('.build/builtindepshash') }}"
+
+      - name: Download built-in extensions
+        if: steps.cache-builtin-extensions.outputs.cache-hit != 'true'
+        run: node build/lib/builtInExtensions.js
+
+      - name: Transpile client and extensions
+        run: npm run gulp transpile-client-esbuild transpile-extensions
+
+      - name: Download Electron
+        run: |
+          set -e
+          for i in {1..3}; do # try 3 times
+            if npm run electron $VSCODE_ARCH; then
+              echo "Download successful on attempt $i"
+              break
+            fi
+            if [ $i -eq 3 ]; then
+              echo "Download failed after 3 attempts" >&2
+              exit 1
+            fi
+            echo "Download failed on attempt $i, retrying..."
+            sleep 5
+          done
+
+      - name: Generate policy definitions
+        run: ./scripts/code.sh --disable-gpu --wait --transient --export-policy-type=darwin
+        timeout-minutes: 5
+
+      - name: Verify policy files
+        run: |
+          set -e
+          if [ ! -d ".build/policies" ] || [ -z "$(ls -A .build/policies)" ]; then
+            echo "ERROR: Policy files were not generated"
+            exit 1
+          fi
+          echo "Policy files generated successfully:"
+          ls -la .build/policies/
+
+      - name: Publish policy artifacts
+        uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: policy-darwin-${{ env.VSCODE_ARCH }}
+          path: .build/policies
+          if-no-files-found: error
+
+  win32-policy:
+    name: Enterprise Configuration Policy Check (Windows)
+    runs-on: [ self-hosted, 1ES.Pool=1es-vscode-oss-windows-2022-x64 ]
+    timeout-minutes: 40
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      NPM_ARCH: x64
+      VSCODE_ARCH: x64
+    steps:
+      - name: Checkout microsoft/vscode
+        uses: actions/checkout@v5
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v5
+        with:
+          node-version-file: .nvmrc
+
+      - name: Prepare node_modules cache key
+        shell: pwsh
+        run: |
+          mkdir .build -ea 0
+          node build/azure-pipelines/common/computeNodeModulesCacheKey.js win32 ${{ env.VSCODE_ARCH }} $(node -p process.arch) > .build/packagelockhash
+
+      - name: Restore node_modules cache
+        uses: actions/cache/restore@v4
+        id: node-modules-cache
+        with:
+          path: .build/node_modules_cache
+          key: "node_modules-windows-${{ hashFiles('.build/packagelockhash') }}"
+
+      - name: Extract node_modules cache
+        if: steps.node-modules-cache.outputs.cache-hit == 'true'
+        shell: pwsh
+        run: 7z.exe x .build/node_modules_cache/cache.7z -aoa
+
+      - name: Install dependencies
+        if: steps.node-modules-cache.outputs.cache-hit != 'true'
+        shell: pwsh
+        run: |
+          . build/azure-pipelines/win32/exec.ps1
+          $ErrorActionPreference = "Stop"
+
+          for ($i = 1; $i -le 5; $i++) {
+            try {
+              exec { npm ci }
+              break
+            }
+            catch {
+              if ($i -eq 5) {
+                Write-Error "npm ci failed after 5 attempts"
+                throw
+              }
+              Write-Host "npm ci failed attempt $i, retrying..."
+              Start-Sleep -Seconds 2
+            }
+          }
+        env:
+          npm_config_arch: ${{ env.NPM_ARCH }}
+          npm_config_foreground_scripts: "true"
+          VSCODE_ARCH: ${{ env.VSCODE_ARCH }}
+          ELECTRON_SKIP_BINARY_DOWNLOAD: 1
+          PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Create node_modules archive
+        if: steps.node-modules-cache.outputs.cache-hit != 'true'
+        shell: pwsh
+        run: |
+          . build/azure-pipelines/win32/exec.ps1
+          $ErrorActionPreference = "Stop"
+          exec { node build/azure-pipelines/common/listNodeModules.js .build/node_modules_list.txt }
+          exec { mkdir -Force .build/node_modules_cache }
+          exec { 7z.exe a .build/node_modules_cache/cache.7z -mx3 `@.build/node_modules_list.txt }
+
+      - name: Create .build folder
+        shell: pwsh
+        run: mkdir .build -ea 0
+
+      - name: Prepare built-in extensions cache key
+        shell: pwsh
+        run: node build/azure-pipelines/common/computeBuiltInDepsCacheKey.js > .build/builtindepshash
+
+      - name: Restore built-in extensions cache
+        id: cache-builtin-extensions
+        uses: actions/cache/restore@v4
+        with:
+          enableCrossOsArchive: true
+          path: .build/builtInExtensions
+          key: "builtin-extensions-${{ hashFiles('.build/builtindepshash') }}"
+
+      - name: Download built-in extensions
+        if: steps.cache-builtin-extensions.outputs.cache-hit != 'true'
+        run: node build/lib/builtInExtensions.js
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Transpile client and extensions
+        shell: pwsh
+        run: npm run gulp "transpile-client-esbuild" "transpile-extensions"
+
+      - name: Download Electron
+        shell: pwsh
+        run: |
+          $ErrorActionPreference = "Stop"
+          $maxAttempts = 3
+          for ($i = 1; $i -le $maxAttempts; $i++) {
+            try {
+              npm run electron $env:VSCODE_ARCH
+              Write-Host "Download successful on attempt $i"
+              break
+            } catch {
+              if ($i -eq $maxAttempts) {
+                throw "Download failed after $maxAttempts attempts"
+              }
+              Write-Host "Download failed on attempt $i, retrying..."
+              Start-Sleep -Seconds 5
+            }
+          }
+
+      - name: Generate policy definitions
+        shell: pwsh
+        timeout-minutes: 5
+        run: .\scripts\code.bat --disable-gpu --wait --transient --export-policy-type="win32"
+
+      - name: Verify policy files
+        shell: pwsh
+        run: |
+          $ErrorActionPreference = "Stop"
+          if (-not (Test-Path ".build/policies/win32") -or ((Get-ChildItem ".build/policies/win32" -ErrorAction SilentlyContinue | Measure-Object).Count -eq 0)) {
+            Write-Error "ERROR: Policy files were not generated"
+            exit 1
+          }
+          Write-Host "Policy files generated successfully:"
+          Get-ChildItem .build/policies/win32
+
+      - name: Publish policy artifacts
+        uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: policy-win32-${{ env.VSCODE_ARCH }}
+          path: .build/policies
+          if-no-files-found: error

build/azure-pipelines/darwin/steps/product-build-darwin-compile.yml

@@ -117,11 +117,6 @@ steps:
 
   - template: ../../common/install-builtin-extensions.yml@self
 
-  - ${{ if ne(parameters.VSCODE_CIBUILD, true) }}:
-    - script: node build/lib/policies darwin
-      displayName: Generate policy definitions
-      retryCountOnTaskFailure: 3
-
   - script: |
       set -e
       npm run gulp vscode-darwin-$(VSCODE_ARCH)-min-ci
@@ -182,6 +177,21 @@ steps:
         APP_PATH="$(Agent.BuildDirectory)/vscode-server-darwin-$(VSCODE_ARCH)" node build/darwin/verify-macho.js $(VSCODE_ARCH)
       displayName: Verify arch of Mach-O objects
 
+    - ${{ if ne(parameters.VSCODE_CIBUILD, true) }}:
+      - script: |
+          set -e
+          APP_ROOT="$(Agent.BuildDirectory)/VSCode-darwin-$(VSCODE_ARCH)"
+          APP_NAME="`ls $APP_ROOT | head -n 1`"
+          APP_PATH="$APP_ROOT/$APP_NAME"
+          "$APP_PATH/Contents/Resources/app/bin/code" --disable-gpu --wait --transient --export-policy-type=darwin
+        displayName: Generate policy definitions
+        retryCountOnTaskFailure: 3
+
+      - script: |
+          set -e
+          npm run gulp copy-policies-darwin-$(VSCODE_ARCH)-min
+        displayName: Copy policies to package
+
     - script: |
         set -e
         ARCHIVE_PATH="$(Pipeline.Workspace)/unsigned_vscode_client_darwin_$(VSCODE_ARCH)_archive/VSCode-darwin-$(VSCODE_ARCH).zip"

build/azure-pipelines/win32/steps/product-build-win32-compile.yml

@@ -119,11 +119,6 @@ steps:
 
   - template: ../../common/install-builtin-extensions.yml@self
 
-  - ${{ if ne(parameters.VSCODE_CIBUILD, true) }}:
-    - powershell: node build\lib\policies win32
-      displayName: Generate Group Policy definitions
-      retryCountOnTaskFailure: 3
-
   - ${{ if and(ne(parameters.VSCODE_CIBUILD, true), ne(parameters.VSCODE_QUALITY, 'exploration')) }}:
     - powershell: node build/win32/explorer-dll-fetcher .build/win32/appx
       displayName: Download Explorer dll
@@ -196,6 +191,23 @@ steps:
         Move-Item -Path "$(Build.ArtifactStagingDirectory)/cli/$AppName.exe" -Destination "$(Agent.BuildDirectory)/VSCode-win32-$(VSCODE_ARCH)/bin/$CliAppName.exe"
       displayName: Move VS Code CLI
 
+    - ${{ if ne(parameters.VSCODE_CIBUILD, true) }}:
+      - powershell: |
+          . build/azure-pipelines/win32/exec.ps1
+          $ErrorActionPreference = "Stop"
+          # Create policies directory
+          exec { mkdir -Force .build }
+          $VSCodePath = "$(Agent.BuildDirectory)\VSCode-win32-$(VSCODE_ARCH)\Code.exe"
+          & $VSCodePath --disable-gpu --wait --transient --export-policy-type="win32"
+        displayName: Generate policy definitions
+        retryCountOnTaskFailure: 3
+
+      - powershell: |
+          . build/azure-pipelines/win32/exec.ps1
+          $ErrorActionPreference = "Stop"
+          exec { npm run gulp copy-policies-win32-$(VSCODE_ARCH)-min }
+        displayName: Copy policies to package
+
     - task: UseDotNet@2
       inputs:
         version: 6.x