NPM publishing#563
Conversation
|
8f7e48b to
aefd635
Compare
Refine the npm build/release pipelines for ESRP-based publishing of @microsoft/vscode-ext-react-webview to npmjs.org. Build pipeline: - Pack only the release-bound @microsoft package; still build/test all workspaces so the monorepo stays healthy. Release pipeline: - Replace dryRun bool with a three-way mode (validate-only / test-esrp-auth / publish); validate-only excludes the publish job at compile time. - Use EsrpRelease@11 with managed-identity auth, signing cert from Key Vault, and the ESRPRELPACMAN OSS publisher. - test-esrp-auth submits with contenttype=Maven to smoke-test the full ESRP auth/publisher path without publishing anything. - Restrict the package picklist to vscode-ext-react-webview; bake in the non-secret ESRP config (KV name, sign cert name, publisher client id). - Add source-build provenance and .tgz content-safety inspection steps. - Remove the stray *.real reference files and emoji from task display names. Verified end-to-end via test-esrp-auth: auth, Key Vault, upload, publisher authorization (ESRPRELPACMAN), and the content-validation stage all pass; the smoke test correctly stops at content validation without publishing. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Relabel the source-build banner field "Source repository" -> "Source provider"; it prints sourceProvider (the SCM provider), not the repo name. - Correct the ESRP auth comment: with usemanagedidentity:true, WIF handles auth to Azure/Key Vault and only the signing cert is read (no auth cert). - Move ESRP owners/approvers into overridable EsrpReleaseOwners / EsrpReleaseApprovers variables (default unchanged) so releases can target a team security group instead of a single personal alias. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: Guanzhou Song <guanzhousong@microsoft.com>
aefd635 to
12aed61
Compare
Synced with @guanzhousongmicrosoft's finalized pipeline workWhile picking this PR back up, I noticed the branch had fallen behind. Digging into the history:
Action taken: rebased this branch ( No |
The build/test work is already covered on every push by GitHub Actions CI and the main extension ADO build pipeline. The only unique output of this pipeline is the packed .tgz release artifact, consumed solely by release-npm-packages.yml, so it does not need to run continuously.
The old packages/vscode-ext-react-webview was replaced by packages/vscode-ext-webview (published as @microsoft/vscode-ext-webview). Update the pack list, release picklist, staging copy path, and example filenames in both npm pipelines accordingly.
Previously only the 'test-esrp-auth' smoke-test path printed a warning banner; the real publish path was silent up to the EsrpRelease task. Add a symmetric '##[warning]' banner for 'publish' mode announcing the exact package@version being pushed to npmjs.org.
EsrpRelease uses waitforreleasecompletion: true, which blocks on the ESRP submission. Add timeoutInMinutes so a stalled ESRP approval/submission cannot hold a release agent indefinitely.
Surface the selected mode (validate-only / test-esrp-auth / publish) in the ADO stage list itself, so a run's intent is visible without opening logs or reading the build number.
Surface key run info at the top of the ADO run (Extensions tab) via ##vso[task.uploadsummary] so it is visible without opening step logs: - build: table of packed packages (name, version, .tgz filename, size) - release (validation): package/version/mode/source-build intent summary for approvers - release (publish): ESRP publish outcome summary; runs with always() so a failure (expected in test-esrp-auth mode) is still reported clearly
There was a problem hiding this comment.
Pull request overview
This PR replaces the prior Azure Pipelines stubs with a real build + release pipeline flow to package and publish selected workspace packages (currently packages/vscode-ext-webview) to npm via ESRP Release, including validation, safety checks, and run-summary output for approvers.
Changes:
- Added a manual
build-npm-packages.ymlpipeline to install deps, build/test workspaces, and produce.tgzartifacts. - Added a
release-npm-packages.ymlpipeline that validates a selected build artifact, prepares/inspects the.tgz, and (optionally) publishes via ESRP in controlled modes. - Introduced several PowerShell helper scripts for version validation,
.tgzdiscovery/inspection, build-numbering, and ADO run summaries.
Reviewed changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 7 comments.
Show a summary per file
| File | Description |
|---|---|
| .azure-pipelines/build-npm-packages.yml | Manual pipeline to install/build/test workspaces and pack npm release artifacts. |
| .azure-pipelines/release-npm-packages.yml | Release pipeline with validation + (optional) ESRP publish flow and safety rails. |
| .azure-pipelines/scripts/pack-npm-packages.ps1 | Packs publishable workspace packages into .tgz and emits a packaging summary. |
| .azure-pipelines/scripts/find-tgz.ps1 | Locates the .tgz for the selected package and exposes it as an output variable. |
| .azure-pipelines/scripts/prepare-package.ps1 | Copies only the selected .tgz into an isolated publish folder for ESRP. |
| .azure-pipelines/scripts/inspect-tgz.ps1 | Inspects tarball contents and fails on obviously sensitive files. |
| .azure-pipelines/scripts/verify-package-version.ps1 | Validates semver + publish version matches package.json + blocks private packages. |
| .azure-pipelines/scripts/show-source-build-metadata.ps1 | Prints source pipeline resource metadata for operator verification. |
| .azure-pipelines/scripts/set-release-build-number.ps1 | Sets a descriptive ADO build number encoding package/version/mode/build id. |
| .azure-pipelines/scripts/write-release-summary.ps1 | Uploads a pre-publish markdown summary (intent/mode/source build info). |
| .azure-pipelines/scripts/write-publish-outcome-summary.ps1 | Uploads a post-publish outcome summary (including smoke-test expectations). |
…ding) The ADO Windows agent runs Windows PowerShell 5.1, which reads .ps1 files without a BOM as ANSI/Windows-1252. The UTF-8 emoji bytes in the summary markdown headers were misread and corrupted string parsing, failing the 'Pack npm packages' step with 'Missing expression after unary operator'. (The pre-extraction inline scripts worked because the PowerShell@2 task writes inline scripts to a temp file WITH a BOM; our checked-out files have none.) Keep pipeline scripts ASCII-only. Summary boxes render fine without the emoji.
Add a root 'name:' (npm-build-$(Date).$(Rev) / npm-release-$(Date).$(Rev)) and appendCommitMessageToRunName: false to both npm pipelines, matching the style of build.yml so the ADO run list is readable. The release pipeline's 'Set build number' step still refines its run name at runtime.
##vso[task.uploadsummary] is blocked by OneBranch policy, so remove it from the pipeline scripts. The pack/release/publish summary content is now written to the step log via Write-Output instead of an uploaded summary box: - pack-npm-packages.ps1: drop the summary table + SummaryPath param (the .tgz list is already logged above) - write-release-summary.ps1 / write-publish-outcome-summary.ps1: log the same fields as plain text; drop SummaryPath param Update the task 'arguments' and comments accordingly.
The release pipeline runs on a 'release' pool that consumes the build artifact and does NOT check out the repo, so the extracted .ps1 scripts it invokes were not present (task failed with 'Invalid file path ... show-source-build-metadata.ps1'). Stage .azure-pipelines/scripts/*.ps1 into the build artifact so they travel to the release job at $(System.DefaultWorkingDirectory)/.azure-pipelines/ scripts (where the release steps already reference them). Also exclude .ps1 from the build's code-sign validation (they are not signed binaries). NOTE: a fresh build pipeline run is required before the next release run so the artifact contains the scripts.
The release pipeline runs on a 'release' pool that does not check out the repo, which made the extracted .ps1 scripts unavailable there. Rather than ship the scripts inside the build artifact (an extra moving part + coupling + rebuild-before-release ordering trap), inline the release steps so the release pipeline is self-contained again. - release-npm-packages.yml: all 8 steps back to targetType: inline - delete the 8 now-unused release-only scripts - build-npm-packages.yml: remove the 'Stage pipeline scripts' CopyFiles step and the .ps1 code-sign-validation exclude The build pipeline keeps pack-npm-packages.ps1 extracted: build jobs check out source, so it runs from $(Build.SourcesDirectory) with no moving parts.
The test-esrp-auth picklist value now carries an inline explanation: 'test-esrp-auth (submits an invalid Maven job that ESRP rejects; nothing is published)'. To keep control flow decoupled from that descriptive text, match on the leading key instead of exact equality: - template guards use startsWith(parameters.mode, 'test-esrp-auth'|'publish') - PowerShell uses 'switch -Wildcard' with 'key*' patterns and -like 'key*' This way the human-readable suffix can change freely without risk of a missed comparison flipping a smoke-test run into a real publish.
EsrpRelease@11 splits owners/approvers on ',' - a ';' was treated as part of
a single address and rejected ('Invalid email: a@x;b@x'). Switch the
delimiter to a comma and add tnaumowicz@microsoft.com.
…script Get-Content without -Raw returns a string array under Windows PowerShell 5.1 (PowerShell@2 tasks run without pwsh:true), which breaks ConvertFrom-Json on multi-line package.json. Addresses Copilot review feedback.
…cript Defensive @() wrapping so the count check is robust regardless of how many files Get-ChildItem returns. Addresses Copilot review feedback.
…se pipeline Get-Content without -Raw returns a string array under Windows PowerShell 5.1, which breaks ConvertFrom-Json on multi-line package.json during version validation. Addresses Copilot review feedback.
Defensive @() wrapping so .Count and [0] indexing behave consistently whether Get-ChildItem returns zero, one, or many matches. Addresses Copilot review feedback.
|
@guanzhousongmicrosoft we made it! thank you 🔥🚀 |
✅ Code Quality Checks
This comment is updated automatically on each push. |
📦 Build Size Report
Download artifact · updated automatically on each push. |
Work in progress: Preparing the repository for npm package releases.
Changes
Azure Pipelines (build + release)
.realbackup files for pipeline configuration referenceTarget package
This PR prepares the infrastructure to publish
@microsoft/vscode-ext-webviewto npm — webview infrastructure for VS Code extensions with type-safe tRPC RPC overpostMessage, React hooks, and pluggable telemetry middleware.Status
Once the pipelines are validated against
@microsoft/vscode-ext-webview, other packages can follow the same pattern.