### These steps clone the VMR (https://github.com/dotnet/dotnet) into $(Agent.BuildDirectory)/vmr
### Component Governance scan is also triggered over the VMR's non-repo sources

parameters:
- name: vmrBranch
  displayName: dotnet/dotnet branch to use
  type: string
  default: $(Build.SourceBranchName)

- name: installerBuildResourceId
  displayName: Installer build to get the commit hash to check out from
  type: string
  default: current

- name: skipComponentGovernanceDetection
  type: boolean
  default: false

steps:
- checkout: vmr
  displayName: Clone dotnet/dotnet
  path: vmr
  clean: true
  fetchDepth: 0 # We need this so that we can check out the new commit

- ${{ if ne(parameters.installerBuildResourceId, 'current') }}:
  - download: ${{ parameters.installerBuildResourceId }}
    artifact: VmrRevision
    displayName: Download VmrRevision

  - script: |
      set -ex
      sha=`head -n 1 $(Pipeline.Workspace)/${{ parameters.installerBuildResourceId }}/VmrRevision/VmrRevision.txt`
      git checkout $sha
    displayName: Check out dotnet/dotnet commit
    workingDirectory: $(Agent.BuildDirectory)/vmr
- ${{ else }}:
  - script: |
      git switch -c ${{ parameters.vmrBranch }}
    displayName: Checkout ${{ parameters.vmrBranch }}
    workingDirectory: $(Agent.BuildDirectory)/vmr

# TODO (https://github.com/dotnet/arcade/issues/11332): Allow full CG?
# Currently, we ignore dirs of individual repos - they have been scanned before
- ${{ if and(not(parameters.skipComponentGovernanceDetection), ne(variables['Build.Reason'], 'PullRequest'), eq(variables['System.TeamProject'], 'internal')) }}:
  - task: ComponentGovernanceComponentDetection@0
    inputs:
      sourceScanPath: $(Agent.BuildDirectory)/vmr
      ignoreDirectories: $(Agent.BuildDirectory)/vmr/src