parameters:
  # Enable install tasks for MicroBuild
  enableMicrobuild: false
  # Enable install tasks for MicroBuild on Mac and Linux
  # Will be ignored if 'enableMicrobuild' is false or 'Agent.Os' is 'Windows_NT'
  enableMicrobuildForMacAndLinux: false
  # Determines whether the ESRP service connection information should be passed to the signing plugin.
  # This overlaps with _SignType to some degree. We only need the service connection for real signing.
  # It's important that the service connection not be passed to the MicroBuildSigningPlugin task in this place.
  # Doing so will cause the service connection to be authorized for the pipeline, which isn't allowed and won't work for non-prod.
  # Unfortunately, _SignType can't be used to exclude the use of the service connection in non-real sign scenarios. The
  # variable is not available in template expression. _SignType has a very large proliferation across .NET, so replacing it is tough.
  microbuildUseESRP: true

  continueOnError: false

steps:
  - ${{ if eq(parameters.enableMicrobuild, 'true') }}:
    - ${{ if eq(parameters.enableMicrobuildForMacAndLinux, 'true') }}:
      # Installing .NET 8 is required to use the MicroBuild signing plugin on non-Windows platforms
      - task: UseDotNet@2
        displayName: Install .NET 8.0 SDK for MicroBuild Plugin
        inputs:
          packageType: sdk
          version: 8.0.x
          # Installing the SDK in a '.dotnet-microbuild' directory is required for signing.
          # See target FindDotNetPathForMicroBuild in arcade/src/Microsoft.DotNet.Arcade.Sdk/tools/Sign.proj
          # Do not remove '.dotnet-microbuild' from the path without changing the corresponding logic.
          installationPath: $(Agent.TempDirectory)/.dotnet-microbuild
        condition: and(succeeded(), ne(variables['Agent.Os'], 'Windows_NT'))

    - script: |
        REM Check if ESRP is disabled while SignType is real
        if /I "${{ parameters.microbuildUseESRP }}"=="false" if /I "$(_SignType)"=="real" (
          echo Error: ESRP must be enabled when SignType is real.
          exit /b 1
        )
      displayName: 'Validate ESRP usage (Windows)'
      condition: and(succeeded(), eq(variables['Agent.Os'], 'Windows_NT'))
    - script: |
        # Check if ESRP is disabled while SignType is real
        if [ "${{ parameters.microbuildUseESRP }}" = "false" ] && [ "$(_SignType)" = "real" ]; then
          echo "Error: ESRP must be enabled when SignType is real."
          exit 1
        fi
      displayName: 'Validate ESRP usage (Non-Windows)'
      condition: and(succeeded(), ne(variables['Agent.Os'], 'Windows_NT'))

    # Two different MB install steps. This is due to not being able to use the agent OS during
    # YAML expansion, and Windows vs. Linux/Mac uses different service connections. However,
    # we can avoid including the MB install step if not enabled at all. This avoids a bunch of
    # extra pipeline authorizations, since most pipelines do not sign on non-Windows.
    - task: MicroBuildSigningPlugin@4
      displayName: Install MicroBuild plugin (Windows)
      inputs:
        signType: $(_SignType)
        zipSources: false
        feedSource: https://dnceng.pkgs.visualstudio.com/_packaging/MicroBuildToolset/nuget/v3/index.json
        ${{ if eq(parameters.microbuildUseESRP, true) }}:
          ConnectedServiceName: 'MicroBuild Signing Task (DevDiv)'
          ${{ if eq(variables['System.TeamProject'], 'DevDiv') }}:
            ConnectedPMEServiceName: 6cc74545-d7b9-4050-9dfa-ebefcc8961ea
          ${{ else }}:
            ConnectedPMEServiceName: 248d384a-b39b-46e3-8ad5-c2c210d5e7ca
      env:
        TeamName: $(_TeamName)
        MicroBuildOutputFolderOverride: $(Agent.TempDirectory)/MicroBuild
        SYSTEM_ACCESSTOKEN: $(System.AccessToken)
      continueOnError: ${{ parameters.continueOnError }}
      condition: and(succeeded(), eq(variables['Agent.Os'], 'Windows_NT'), in(variables['_SignType'], 'real', 'test'))

    - ${{ if eq(parameters.enableMicrobuildForMacAndLinux, true) }}:
      - task: MicroBuildSigningPlugin@4
        displayName: Install MicroBuild plugin (non-Windows)
        inputs:
          signType: $(_SignType)
          zipSources: false
          feedSource: https://dnceng.pkgs.visualstudio.com/_packaging/MicroBuildToolset/nuget/v3/index.json
          ${{ if eq(parameters.microbuildUseESRP, true) }}:
            ConnectedServiceName: 'MicroBuild Signing Task (DevDiv)'
            ${{ if eq(variables['System.TeamProject'], 'DevDiv') }}:
              ConnectedPMEServiceName: beb8cb23-b303-4c95-ab26-9e44bc958d39
            ${{ else }}:
              ConnectedPMEServiceName: c24de2a5-cc7a-493d-95e4-8e5ff5cad2bc
        env:
          TeamName: $(_TeamName)
          MicroBuildOutputFolderOverride: $(Agent.TempDirectory)/MicroBuild
          SYSTEM_ACCESSTOKEN: $(System.AccessToken)
        continueOnError: ${{ parameters.continueOnError }}
        condition: and(succeeded(), ne(variables['Agent.Os'], 'Windows_NT'),  eq(variables['_SignType'], 'real'))