Skip to content

NPM publishing#563

Merged
tnaum-ms merged 27 commits into
mainfrom
dev/tnaum/npm-publishing
Jul 7, 2026
Merged

NPM publishing#563
tnaum-ms merged 27 commits into
mainfrom
dev/tnaum/npm-publishing

Conversation

@tnaum-ms

@tnaum-ms tnaum-ms commented Apr 9, 2026

Copy link
Copy Markdown
Collaborator

Work in progress: Preparing the repository for npm package releases.

Changes

Azure Pipelines (build + release)

  • Replaced dummy pipeline stubs with real build and release configurations
  • Build pipeline: packaging, testing, and artifact staging
  • Release pipeline: validation and ESRP publishing steps
  • .real backup files for pipeline configuration reference

Target package

This PR prepares the infrastructure to publish @microsoft/vscode-ext-webview to npm — webview infrastructure for VS Code extensions with type-safe tRPC RPC over postMessage, React hooks, and pluggable telemetry middleware.

Status

Once the pipelines are validated against @microsoft/vscode-ext-webview, other packages can follow the same pattern.

@tnaum-ms tnaum-ms requested a review from a team as a code owner April 9, 2026 11:36
@tnaum-ms tnaum-ms marked this pull request as draft April 9, 2026 11:41
@tnaum-ms tnaum-ms added this to the 0.8.0 milestone Apr 9, 2026
Base automatically changed from feature/shell-integration to rel/release_0.8.0 April 13, 2026 10:47
Base automatically changed from rel/release_0.8.0 to next April 24, 2026 09:32
@tnaum-ms tnaum-ms modified the milestones: 0.8.0, 0.8.1 May 8, 2026
@tnaum-ms

tnaum-ms commented May 8, 2026

Copy link
Copy Markdown
Collaborator Author

Note: we will not merge this PR. We're using it only to debug our release pipelines.

@tnaum-ms tnaum-ms changed the base branch from next to main May 21, 2026 10:37
@tnaum-ms tnaum-ms force-pushed the dev/tnaum/npm-publishing branch from 8f7e48b to aefd635 Compare May 27, 2026 17:13
@tnaum-ms tnaum-ms modified the milestones: 0.8.1, 0.8.2 Jun 1, 2026
@tnaum-ms tnaum-ms modified the milestones: 0.8.2, 0.9.1 Jun 10, 2026
guanzhousongmicrosoft and others added 2 commits June 10, 2026 10:23
Refine the npm build/release pipelines for ESRP-based publishing of
@microsoft/vscode-ext-react-webview to npmjs.org.

Build pipeline:
- Pack only the release-bound @microsoft package; still build/test all
  workspaces so the monorepo stays healthy.

Release pipeline:
- Replace dryRun bool with a three-way mode (validate-only / test-esrp-auth /
  publish); validate-only excludes the publish job at compile time.
- Use EsrpRelease@11 with managed-identity auth, signing cert from Key Vault,
  and the ESRPRELPACMAN OSS publisher.
- test-esrp-auth submits with contenttype=Maven to smoke-test the full ESRP
  auth/publisher path without publishing anything.
- Restrict the package picklist to vscode-ext-react-webview; bake in the
  non-secret ESRP config (KV name, sign cert name, publisher client id).
- Add source-build provenance and .tgz content-safety inspection steps.
- Remove the stray *.real reference files and emoji from task display names.

Verified end-to-end via test-esrp-auth: auth, Key Vault, upload, publisher
authorization (ESRPRELPACMAN), and the content-validation stage all pass; the
smoke test correctly stops at content validation without publishing.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Relabel the source-build banner field "Source repository" -> "Source
  provider"; it prints sourceProvider (the SCM provider), not the repo name.
- Correct the ESRP auth comment: with usemanagedidentity:true, WIF handles
  auth to Azure/Key Vault and only the signing cert is read (no auth cert).
- Move ESRP owners/approvers into overridable EsrpReleaseOwners /
  EsrpReleaseApprovers variables (default unchanged) so releases can target a
  team security group instead of a single personal alias.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: Guanzhou Song <guanzhousong@microsoft.com>
@tnaum-ms tnaum-ms modified the milestones: 0.9.1, 0.9.2 Jun 26, 2026
@tnaum-ms tnaum-ms force-pushed the dev/tnaum/npm-publishing branch from aefd635 to 12aed61 Compare July 6, 2026 11:50
@tnaum-ms

tnaum-ms commented Jul 6, 2026

Copy link
Copy Markdown
Collaborator Author

Synced with @guanzhousongmicrosoft's finalized pipeline work

While picking this PR back up, I noticed the branch had fallen behind. Digging into the history:

  • My original commits here (ba7cdabf wip, then a later feat: commit) added build-npm-packages.yml / release-npm-packages.yml as placeholder pipelines, plus .yml.real "parked" copies containing the fully-wired ESRP release config, meant to be swapped in once the ESRP service connection was ready.
  • @guanzhousongmicrosoft continued this work on dev/guanzhousong/npm-publishing (now on origin, kept in sync with main): aca95e6e finalized the ESRP integration (managed-identity auth, EsrpRelease@11, three-way validate-only / test-esrp-auth / publish mode, verified end-to-end) and explicitly removed the .yml.real files as stray leftovers, and b2d0226e addressed follow-up review feedback.
  • That branch was rebased onto current main, while this PR branch was still sitting on an old base — so my one commit here was fully superseded (and improved upon) by that work.

Action taken: rebased this branch (dev/tnaum/npm-publishing) onto origin/dev/guanzhousong/npm-publishing. My old commit dropped out cleanly as empty/patch-equivalent (its whole content is already included and improved upon there), so this branch now points at the exact same, up-to-date commit as Guanzhou's branch — no work lost on either side. Force-pushed.

No .yml.real files remain; the real ESRP-based pipelines are directly in build-npm-packages.yml / release-npm-packages.yml now.

tnaum-ms added 6 commits July 6, 2026 13:14
The build/test work is already covered on every push by GitHub Actions CI
and the main extension ADO build pipeline. The only unique output of this
pipeline is the packed .tgz release artifact, consumed solely by
release-npm-packages.yml, so it does not need to run continuously.
The old packages/vscode-ext-react-webview was replaced by
packages/vscode-ext-webview (published as @microsoft/vscode-ext-webview).
Update the pack list, release picklist, staging copy path, and example
filenames in both npm pipelines accordingly.
Previously only the 'test-esrp-auth' smoke-test path printed a warning
banner; the real publish path was silent up to the EsrpRelease task. Add a
symmetric '##[warning]' banner for 'publish' mode announcing the exact
package@version being pushed to npmjs.org.
EsrpRelease uses waitforreleasecompletion: true, which blocks on the ESRP
submission. Add timeoutInMinutes so a stalled ESRP approval/submission
cannot hold a release agent indefinitely.
Surface the selected mode (validate-only / test-esrp-auth / publish) in the
ADO stage list itself, so a run's intent is visible without opening logs or
reading the build number.
Surface key run info at the top of the ADO run (Extensions tab) via
##vso[task.uploadsummary] so it is visible without opening step logs:

- build: table of packed packages (name, version, .tgz filename, size)
- release (validation): package/version/mode/source-build intent summary
  for approvers
- release (publish): ESRP publish outcome summary; runs with always() so a
  failure (expected in test-esrp-auth mode) is still reported clearly
@tnaum-ms tnaum-ms changed the title [WIP] NPM publishing preparation NPM publishing Jul 6, 2026
@tnaum-ms tnaum-ms marked this pull request as ready for review July 6, 2026 13:44
Copilot AI review requested due to automatic review settings July 6, 2026 13:44

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR replaces the prior Azure Pipelines stubs with a real build + release pipeline flow to package and publish selected workspace packages (currently packages/vscode-ext-webview) to npm via ESRP Release, including validation, safety checks, and run-summary output for approvers.

Changes:

  • Added a manual build-npm-packages.yml pipeline to install deps, build/test workspaces, and produce .tgz artifacts.
  • Added a release-npm-packages.yml pipeline that validates a selected build artifact, prepares/inspects the .tgz, and (optionally) publishes via ESRP in controlled modes.
  • Introduced several PowerShell helper scripts for version validation, .tgz discovery/inspection, build-numbering, and ADO run summaries.

Reviewed changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated 7 comments.

Show a summary per file
File Description
.azure-pipelines/build-npm-packages.yml Manual pipeline to install/build/test workspaces and pack npm release artifacts.
.azure-pipelines/release-npm-packages.yml Release pipeline with validation + (optional) ESRP publish flow and safety rails.
.azure-pipelines/scripts/pack-npm-packages.ps1 Packs publishable workspace packages into .tgz and emits a packaging summary.
.azure-pipelines/scripts/find-tgz.ps1 Locates the .tgz for the selected package and exposes it as an output variable.
.azure-pipelines/scripts/prepare-package.ps1 Copies only the selected .tgz into an isolated publish folder for ESRP.
.azure-pipelines/scripts/inspect-tgz.ps1 Inspects tarball contents and fails on obviously sensitive files.
.azure-pipelines/scripts/verify-package-version.ps1 Validates semver + publish version matches package.json + blocks private packages.
.azure-pipelines/scripts/show-source-build-metadata.ps1 Prints source pipeline resource metadata for operator verification.
.azure-pipelines/scripts/set-release-build-number.ps1 Sets a descriptive ADO build number encoding package/version/mode/build id.
.azure-pipelines/scripts/write-release-summary.ps1 Uploads a pre-publish markdown summary (intent/mode/source build info).
.azure-pipelines/scripts/write-publish-outcome-summary.ps1 Uploads a post-publish outcome summary (including smoke-test expectations).

Comment thread .azure-pipelines/scripts/verify-package-version.ps1 Outdated
Comment thread .azure-pipelines/scripts/pack-npm-packages.ps1 Outdated
Comment thread .azure-pipelines/scripts/pack-npm-packages.ps1 Outdated
Comment thread .azure-pipelines/scripts/pack-npm-packages.ps1 Outdated
Comment thread .azure-pipelines/scripts/find-tgz.ps1 Outdated
Comment thread .azure-pipelines/release-npm-packages.yml Outdated
Comment thread .azure-pipelines/build-npm-packages.yml
tnaum-ms added 15 commits July 6, 2026 14:07
…ding)

The ADO Windows agent runs Windows PowerShell 5.1, which reads .ps1 files
without a BOM as ANSI/Windows-1252. The UTF-8 emoji bytes in the summary
markdown headers were misread and corrupted string parsing, failing the
'Pack npm packages' step with 'Missing expression after unary operator'.

(The pre-extraction inline scripts worked because the PowerShell@2 task
writes inline scripts to a temp file WITH a BOM; our checked-out files have
none.) Keep pipeline scripts ASCII-only. Summary boxes render fine without
the emoji.
Add a root 'name:' (npm-build-$(Date).$(Rev) / npm-release-$(Date).$(Rev))
and appendCommitMessageToRunName: false to both npm pipelines, matching the
style of build.yml so the ADO run list is readable. The release pipeline's
'Set build number' step still refines its run name at runtime.
##vso[task.uploadsummary] is blocked by OneBranch policy, so remove it from
the pipeline scripts. The pack/release/publish summary content is now written
to the step log via Write-Output instead of an uploaded summary box:
- pack-npm-packages.ps1: drop the summary table + SummaryPath param (the .tgz
  list is already logged above)
- write-release-summary.ps1 / write-publish-outcome-summary.ps1: log the same
  fields as plain text; drop SummaryPath param
Update the task 'arguments' and comments accordingly.
The release pipeline runs on a 'release' pool that consumes the build
artifact and does NOT check out the repo, so the extracted .ps1 scripts it
invokes were not present (task failed with 'Invalid file path ...
show-source-build-metadata.ps1').

Stage .azure-pipelines/scripts/*.ps1 into the build artifact so they travel
to the release job at $(System.DefaultWorkingDirectory)/.azure-pipelines/
scripts (where the release steps already reference them). Also exclude .ps1
from the build's code-sign validation (they are not signed binaries).

NOTE: a fresh build pipeline run is required before the next release run so
the artifact contains the scripts.
The release pipeline runs on a 'release' pool that does not check out the
repo, which made the extracted .ps1 scripts unavailable there. Rather than
ship the scripts inside the build artifact (an extra moving part + coupling +
rebuild-before-release ordering trap), inline the release steps so the
release pipeline is self-contained again.

- release-npm-packages.yml: all 8 steps back to targetType: inline
- delete the 8 now-unused release-only scripts
- build-npm-packages.yml: remove the 'Stage pipeline scripts' CopyFiles step
  and the .ps1 code-sign-validation exclude

The build pipeline keeps pack-npm-packages.ps1 extracted: build jobs check out
source, so it runs from $(Build.SourcesDirectory) with no moving parts.
The test-esrp-auth picklist value now carries an inline explanation:
'test-esrp-auth (submits an invalid Maven job that ESRP rejects; nothing is
published)'. To keep control flow decoupled from that descriptive text, match
on the leading key instead of exact equality:
- template guards use startsWith(parameters.mode, 'test-esrp-auth'|'publish')
- PowerShell uses 'switch -Wildcard' with 'key*' patterns and -like 'key*'

This way the human-readable suffix can change freely without risk of a missed
comparison flipping a smoke-test run into a real publish.
EsrpRelease@11 splits owners/approvers on ',' - a ';' was treated as part of
a single address and rejected ('Invalid email: a@x;b@x'). Switch the
delimiter to a comma and add tnaumowicz@microsoft.com.
…script

Get-Content without -Raw returns a string array under Windows PowerShell 5.1
(PowerShell@2 tasks run without pwsh:true), which breaks ConvertFrom-Json on
multi-line package.json. Addresses Copilot review feedback.
…cript

Defensive @() wrapping so the count check is robust regardless of how many
files Get-ChildItem returns. Addresses Copilot review feedback.
…se pipeline

Get-Content without -Raw returns a string array under Windows PowerShell 5.1,
which breaks ConvertFrom-Json on multi-line package.json during version
validation. Addresses Copilot review feedback.
Defensive @() wrapping so .Count and [0] indexing behave consistently whether
Get-ChildItem returns zero, one, or many matches. Addresses Copilot review
feedback.
@tnaum-ms tnaum-ms enabled auto-merge July 7, 2026 10:38
@tnaum-ms

tnaum-ms commented Jul 7, 2026

Copy link
Copy Markdown
Collaborator Author

@guanzhousongmicrosoft we made it! thank you 🔥🚀

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

✅ Code Quality Checks

Check Status How to fix
Localization (l10n) ✅ Passed
ESLint ✅ Passed
Prettier formatting ✅ Passed

This comment is updated automatically on each push.

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

📦 Build Size Report

Metric Base (main) PR Delta
VSIX (vscode-documentdb-0.9.1.vsix) 8.01 MB 8.01 MB ✅ 0 KB (0.0%)
Webview bundle (views.js) 5.88 MB 5.88 MB ✅ 0 KB (0.0%)

Download artifact · updated automatically on each push.

@tnaum-ms tnaum-ms merged commit 189f42a into main Jul 7, 2026
8 checks passed
@tnaum-ms tnaum-ms deleted the dev/tnaum/npm-publishing branch July 7, 2026 10:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Development

Successfully merging this pull request may close these issues.

4 participants