@@ -56,6 +56,15 @@ variables:
5656 value : next
5757 ${{ else }} :
5858 value : latest
59+ # TODO: Replace with your actual Azure Artifacts feed URL
60+ - name : AzureArtifactsFeedUrl
61+ value : ' https://pkgs.dev.azure.com/azure-public/vside/_packaging/python-environments/npm/registry/'
62+ # Same URL without the https:// prefix (used in .npmrc auth lines)
63+ - name : AzureArtifactsFeedUrlNoProtocol
64+ value : ' pkgs.dev.azure.com/azure-public/vside/_packaging/python-environments/npm/registry/'
65+ # Managed Identity service connection for Azure Artifacts auth (shared with Pylance)
66+ - name : AzureServiceConnection
67+ value : ' PylanceSecureVsIdePublishWithManagedIdentity'
5968
6069extends :
6170 template : azure-pipelines/MicroBuild.1ES.Official.yml@MicroBuildTemplate
@@ -97,30 +106,66 @@ extends:
97106 targetFolder : $(Build.ArtifactStagingDirectory)
98107
99108 - stage : Publish
100- displayName : Publish to npm
109+ displayName : Publish to Azure Artifacts
101110 dependsOn : Build
102111 condition : and(succeeded(), eq('${{ parameters.publishPackage }}', 'true'))
103112 jobs :
104113 - job : PublishPackage
105114 displayName : Publish $(PackageName)
106- steps :
107- - task : DownloadPipelineArtifact@2
108- displayName : Download build artifact
109- inputs :
115+ templateContext :
116+ type : releaseJob
117+ isProduction : true
118+ inputs :
119+ - input : pipelineArtifact
110120 artifactName : npm-package
111- targetPath : $(Build.ArtifactStagingDirectory)/npm-package
121+ targetPath : $(Pipeline.Workspace)/npm-package
122+ steps :
123+ - checkout : none
112124
113125 - task : NodeTool@0
114126 inputs :
115127 versionSpec : ' 22.21.1'
116128 displayName : Select Node version
117129
118- - bash : echo '//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}' > .npmrc
119- workingDirectory : $(Build.SourcesDirectory)/pythonEnvironmentsApi
120- displayName : Configure npm auth
121-
122- - bash : npm publish $(Build.ArtifactStagingDirectory)/npm-package/*.tgz --tag $(npmTag) --access public --ignore-scripts
123- displayName : Publish to npm (${{ parameters.quality }})
124- workingDirectory : $(Build.SourcesDirectory)/pythonEnvironmentsApi
130+ # Acquire a short-lived AAD token via Managed Identity (no stored secrets)
131+ # SEE https://eng.ms/docs/cloud-ai-platform/devdiv/one-engineering-system-1es/1es-docs/1es-security-configuration/configuration-guides/pat-burndown-guidance
132+ - task : AzureCLI@2
133+ displayName : Acquire AAD token via Managed Identity
134+ inputs :
135+ azureSubscription : ' $(AzureServiceConnection)'
136+ scriptType : ' pscore'
137+ scriptLocation : ' inlineScript'
138+ inlineScript : |
139+ $token = az account get-access-token --query accessToken --resource 499b84ac-1321-427f-aa17-267ca6975798 -o tsv
140+ Write-Host "##vso[task.setvariable variable=AzdoToken;issecret=true]$token"
141+
142+ - powershell : |
143+ @"
144+ registry=$(AzureArtifactsFeedUrl)
145+ always-auth=true
146+ "@ | Out-File -FilePath .npmrc
147+
148+ @"
149+ ; begin auth token
150+ //$(AzureArtifactsFeedUrlNoProtocol):username=VssSessionToken
151+ //$(AzureArtifactsFeedUrlNoProtocol):_authToken=$env:AZDO_TOKEN
152+ //$(AzureArtifactsFeedUrlNoProtocol):email=not-used@example.com
153+ ; end auth token
154+ "@ | Out-File -FilePath $HOME/.npmrc
125155 env:
126- NODE_AUTH_TOKEN : $(NpmAuthToken)
156+ AZDO_TOKEN: $(AzdoToken)
157+ displayName: Create .npmrc files
158+
159+ - powershell : |
160+ $tgz = Get-ChildItem "$(Pipeline.Workspace)/npm-package/*.tgz" | Select-Object -First 1
161+ if (-not $tgz) {
162+ Write-Error "No .tgz file found in $(Pipeline.Workspace)/npm-package/"
163+ exit 1
164+ }
165+ Write-Host "Publishing: $($tgz.FullName)"
166+ if ("$(npmTag)" -eq "next") {
167+ npm publish $tgz.FullName --registry $(AzureArtifactsFeedUrl) --tag next --ignore-scripts
168+ } else {
169+ npm publish $tgz.FullName --registry $(AzureArtifactsFeedUrl) --ignore-scripts
170+ }
171+ displayName: npm publish (${{ parameters.quality }})
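Review bot: The "Create .npmrc files" step writes the Azure DevOps bearer token in clear text to `$HOME/.npmrc`, and nothing in the hunk removes it after `npm publish`, so on an agent that is reused between jobs the credential stays readable until it expires. A closing step with `condition: always()` that runs `Remove-Item -Force -ErrorAction SilentlyContinue "$HOME/.npmrc"` would close that window. Both `Out-File` calls also rely on the default encoding; if the pool is Windows, the `powershell:` shortcut runs Windows PowerShell, where `Out-File` defaults to UTF-16, so adding `-Encoding ascii` to each call keeps the files parseable by npm on any agent OS. The pool definition is outside the visible hunks, so whether the agent is ephemeral or Windows-based is not confirmed here.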