[ci] Build and sign in a DevDiv pipeline (#7)

The production build has been moved in to Azure Pipelines for security
and compliance reasons.  The build is now located at:

    https://devdiv.visualstudio.com/DevDiv/_build?definitionId=17684&_a=summary

Authenticode signing has also been enabled for the required macOS and
Windows binaries in this pipeline.

We can continue to use GitHub actions for PR validation.

Author: pjcollins

.gitignore

@@ -41,3 +41,15 @@
 .ccls-cache
 .projectile
 compile_commands.json
+
+# User-specific files
+*.rsuser
+*.suo
+*.user
+*.userosscache
+*.sln.docstates
+.DS_Store
+
+# Build results
+[Bb]in/
+[Oo]bj/

1cs-pipeline.yml

@@ -0,0 +1,243 @@
+trigger:
+- main
+- release/*
+- dev/*
+
+pr:
+- none
+
+resources:
+  repositories:
+  - repository: yaml-templates
+    type: github
+    name: xamarin/yaml-templates
+    ref: refs/heads/main
+    endpoint: xamarin
+  - repository: xa-yaml
+    type: github
+    name: xamarin/xamarin-android
+    ref: refs/heads/main
+    endpoint: xamarin
+
+variables:
+- name: TeamName
+  value: XamarinAndroid
+- name: BUILD_DIR
+  value: xa-build
+- name: Codeql.Enabled
+  value: true
+
+stages:
+- stage: build
+  displayName: Build Stage
+  jobs:
+  - job: build_linux
+    displayName: Build Linux
+    timeoutInMinutes: 240
+    pool:
+      name: android-devdiv-ubuntu-vmss
+    steps:
+    - checkout: self
+      submodules: recursive
+
+    - script: >-
+        sudo apt-get update;
+        sudo apt-get -f -u install cmake ninja-build chrpath texinfo sharutils libffi-dev
+        lsb-release patchutils diffstat xz-utils python3-dev libedit-dev libncurses5-dev swig
+        python3-six python3-sphinx binutils-dev libxml2-dev libjsoncpp-dev pkg-config lcov
+        procps help2man zlib1g-dev g++-multilib libjs-mathjax python3-recommonmark libpfm4-dev
+        python3-setuptools libz3-dev ccache
+      displayName: Install LLVM build dependencies
+
+    - script: sudo apt-get -f -u install mingw-w64 libz-mingw-w64-dev
+      displayName: Install Xamarin.Android Utilities build dependencies
+
+    - script: ./build-llvm.sh
+      env:
+        CC: gcc-10
+        CXX: g++-10
+      displayName: Build LLVM
+
+    - script: ./build-xa-utils.sh
+      env:
+        CC: gcc-10
+        CXX: g++-10
+      displayName: Build utilities
+
+    - script: |
+        rsync -avm --include 'config.*' --include '*.log' --include '*.txt' --include='*/' --exclude='*' $(BUILD_DIR) $(Build.StagingDirectory)
+      displayName: Copy logs
+      condition: always()
+
+    - task: PublishPipelineArtifact@1
+      displayName: Upload logs
+      inputs:
+        artifactName: build-logs-linux
+        targetPath: $(Build.StagingDirectory)
+      condition: always()
+
+    - task: PublishPipelineArtifact@1
+      displayName: Upload artifacts
+      inputs:
+        artifactName: artifacts-linux-unsigned
+        targetPath: artifacts
+
+
+  - job: build_macos
+    displayName: Build macOS
+    timeoutInMinutes: 240
+    pool:
+      name: Azure Pipelines
+      vmImage: internal-macos12
+    steps:
+    - checkout: self
+      submodules: recursive
+
+    - script: |
+        brew update
+        brew install cmake ninja ccache
+      displayName: Install LLVM build dependencies
+
+    - script: brew install make xz
+      displayName: Install Xamarin.Android Utilities build dependencies
+
+    - script: bash ./build-llvm.sh
+      displayName: build LLVM
+
+    - script: bash ./build-xa-utils.sh
+      displayName: Build utilities
+
+    - script: |
+        rsync -avm --include 'config.*' --include '*.log' --include '*.txt' --include='*/' --exclude='*' $(BUILD_DIR) $(Build.StagingDirectory)
+      displayName: Copy logs
+      condition: always()
+
+    - task: PublishPipelineArtifact@1
+      displayName: Upload logs
+      inputs:
+        artifactName: build-logs-macos
+        targetPath: $(Build.StagingDirectory)
+      condition: always()
+
+    - task: PublishPipelineArtifact@1
+      displayName: Upload artifacts
+      inputs:
+        artifactName: artifacts-macos-unsigned
+        targetPath: artifacts
+
+
+  - job: build_windows
+    displayName: Build Windows
+    timeoutInMinutes: 300
+    pool:
+      name: AzurePipelines-EO
+      demands:
+      - ImageOverride -equals AzurePipelinesWindows2022compliant
+    steps:
+    - checkout: self
+      submodules: recursive
+
+    - script: ./build-llvm-azure.cmd
+      displayName: Build Windows LLVM
+
+    - task: PublishPipelineArtifact@1
+      displayName: Upload artifacts
+      inputs:
+        artifactName: artifacts-windows-unsigned
+        targetPath: artifacts
+
+
+- stage: package
+  displayName: Package Stage
+  dependsOn: build
+  variables:
+  - name: MicroBuildSignType
+    value: Real
+  jobs:
+  - job: pack_sign
+    displayName: Sign and Zip
+    timeoutInMinutes: 240
+    pool:
+      name: Azure Pipelines
+      vmImage: internal-macos12
+    steps:
+    - checkout: self
+      submodules: recursive
+
+    - template: build-tools/automation/yaml-templates/install-microbuild-tooling.yaml@xa-yaml
+      parameters:
+        condition: and(succeeded(), eq(variables['MicroBuildSignType'], 'Real'))
+
+    - task: DownloadPipelineArtifact@2
+      inputs:
+        artifactName: artifacts-linux-unsigned
+        downloadPath: artifacts
+
+    - task: DownloadPipelineArtifact@2
+      inputs:
+        artifactName: artifacts-macos-unsigned
+        downloadPath: artifacts
+
+    - task: DownloadPipelineArtifact@2
+      inputs:
+        artifactName: artifacts-windows-unsigned
+        downloadPath: artifacts
+
+    - task: CmdLine@2
+      inputs:
+        script: ./package.sh
+        workingDirectory: $(Build.SourcesDirectory)
+      displayName: Package artifacts
+
+    - task: DotNetCoreCLI@2
+      displayName: Sign and zip files
+      inputs:
+        projects: build-tools/automation/sign.proj
+        arguments: >-
+          -p:SignType=$(MicroBuildSignType)
+          -bl:$(Build.StagingDirectory)/sign-macos.binlog
+
+    - task: PublishPipelineArtifact@1
+      displayName: Upload artifact
+      inputs:
+        artifactName: sign-macos-binlog-$(System.JobAttempt)
+        targetPath: $(Build.StagingDirectory)/sign-macos.binlog
+      condition: always()
+
+    - template: build-tools/automation/yaml-templates/remove-microbuild-tooling.yaml@xa-yaml
+      parameters:
+        condition: and(succeededOrFailed(), eq(variables['MicroBuildSignType'], 'Real'))
+
+    - script: >
+        mkdir -p $(Build.StagingDirectory)/toolchain &&
+        ln artifacts/android-llvm-toolchain*.zip $(Build.StagingDirectory)/toolchain
+      displayName: copy toolchain artifact
+
+    - task: PublishPipelineArtifact@1
+      displayName: Upload artifact
+      inputs:
+        artifactName: android-llvm-toolchain-signed
+        targetPath: $(Build.StagingDirectory)/toolchain
+
+
+  - job: sign_verify
+    displayName: Verify Signing
+    dependsOn: pack_sign
+    timeoutInMinutes: 240
+    pool:
+      name: VSEngSS-MicroBuild2022-1ES
+    steps:
+    - checkout: self
+      submodules: recursive
+
+    - task: DownloadPipelineArtifact@2
+      inputs:
+        artifactName: android-llvm-toolchain-signed
+        downloadPath: $(Build.SourcesDirectory)\artifacts
+
+    - task: MicroBuildCodesignVerify@3
+      displayName: verify signed content
+      inputs:
+        TargetFolders: $(Build.SourcesDirectory)\artifacts
+        ExcludeSNVerify: true
+      condition: and(succeededOrFailed(), eq(variables['MicroBuildSignType'], 'Real'))