20260330.2 Move Build/Publish stages to pipeline-publish.yml to avoid SC validation in PR build

Author: RyAuld

.Pipelines/pipeline-publish.yml

@@ -6,7 +6,7 @@
 # Publish targets:
 #   test.pypi.org (Preview / RC) — preview releases via MSAL-Test-Python-Upload SC
 #                                   (SC creation pending test.pypi.org API token)
-#   pypi.org (ESRP Production)   — production releases via ESRP
+#   pypi.org (ESRP Production)   — production releases via MSAL-Prod-Python-Upload SC
 #
 # For one-time ADO setup, see ADO-PUBLISH-SETUP.md.
 
@@ -25,9 +25,151 @@ parameters:
 trigger: none    # manual runs only — no automatic branch or tag triggers
 pr: none
 
+# Stage flow:
+#
+#   PreBuildCheck ─► Validate ─► CI ─► Build ─► PublishMSALPython  (publishTarget == Preview)
+#                                             └─► PublishPyPI       (publishTarget == ESRP Production)
+
 stages:
+
+# PreBuildCheck, Validate, and CI stages are defined in the shared template.
 - template: template-pipeline-stages.yml
   parameters:
     packageVersion: ${{ parameters.packageVersion }}
-    publishTarget: ${{ parameters.publishTarget }}
     runPublish: true
+
+# ══════════════════════════════════════════════════════════════════════════════
+# Stage 3 · Build — build sdist + wheel
+# ══════════════════════════════════════════════════════════════════════════════
+- stage: Build
+  displayName: 'Build package'
+  dependsOn: CI
+  condition: eq(dependencies.CI.result, 'Succeeded')
+  jobs:
+  - job: BuildDist
+    displayName: 'Build sdist + wheel (Python 3.12)'
+    pool:
+      vmImage: ubuntu-latest
+    steps:
+    - task: UsePythonVersion@0
+      inputs:
+        versionSpec: '3.12'
+      displayName: 'Use Python 3.12'
+
+    - script: |
+        python -m pip install --upgrade pip build twine
+      displayName: 'Install build toolchain'
+
+    - script: |
+        python -m build
+      displayName: 'Build sdist and wheel'
+
+    - script: |
+        python -m twine check dist/*
+      displayName: 'Verify distribution (twine check)'
+
+    - task: PublishPipelineArtifact@1
+      displayName: 'Publish dist/ as pipeline artifact'
+      inputs:
+        targetPath: dist/
+        artifact: python-dist
+
+# ══════════════════════════════════════════════════════════════════════════════
+# Stage 4a · Publish to test.pypi.org (Preview / RC)
+#   Note: requires MSAL-Test-Python-Upload SC in ADO (pending test.pypi.org API token)
+# ══════════════════════════════════════════════════════════════════════════════
+- stage: PublishMSALPython
+  displayName: 'Publish to test.pypi.org (Preview)'
+  dependsOn: Build
+  condition: >
+    and(
+      eq(dependencies.Build.result, 'Succeeded'),
+      eq('${{ parameters.publishTarget }}', 'test.pypi.org (Preview / RC)')
+    )
+  jobs:
+  - deployment: DeployMSALPython
+    displayName: 'Upload to test.pypi.org'
+    pool:
+      vmImage: ubuntu-latest
+    environment: MSAL-Python
+    strategy:
+      runOnce:
+        deploy:
+          steps:
+          - task: DownloadPipelineArtifact@2
+            displayName: 'Download python-dist artifact'
+            inputs:
+              artifactName: python-dist
+              targetPath: $(Pipeline.Workspace)/python-dist
+
+          - task: UsePythonVersion@0
+            inputs:
+              versionSpec: '3.12'
+            displayName: 'Use Python 3.12'
+
+          - script: |
+              python -m pip install --upgrade pip twine
+            displayName: 'Install twine'
+
+          - task: TwineAuthenticate@1
+            displayName: 'Authenticate with MSAL-Test-Python-Upload'
+            inputs:
+              pythonUploadServiceConnection: MSAL-Test-Python-Upload
+
+          - script: |
+              python -m twine upload \
+                -r "MSAL-Test-Python-Upload" \
+                --config-file $(PYPIRC_PATH) \
+                --skip-existing \
+                $(Pipeline.Workspace)/python-dist/*
+            displayName: 'Upload to test.pypi.org'
+
+# ══════════════════════════════════════════════════════════════════════════════
+# Stage 4b · Publish to PyPI (ESRP Production)
+#   IMPORTANT: configure a required manual approval on this environment in
+#   ADO → Pipelines → Environments → MSAL-Python-Release → Approvals and checks.
+# ══════════════════════════════════════════════════════════════════════════════
+- stage: PublishPyPI
+  displayName: 'Publish to PyPI (ESRP Production)'
+  dependsOn: Build
+  condition: >
+    and(
+      eq(dependencies.Build.result, 'Succeeded'),
+      eq('${{ parameters.publishTarget }}', 'pypi.org (ESRP Production)')
+    )
+  jobs:
+  - deployment: DeployPyPI
+    displayName: 'Upload to pypi.org'
+    pool:
+      vmImage: ubuntu-latest
+    environment: MSAL-Python-Release
+    strategy:
+      runOnce:
+        deploy:
+          steps:
+          - task: DownloadPipelineArtifact@2
+            displayName: 'Download python-dist artifact'
+            inputs:
+              artifactName: python-dist
+              targetPath: $(Pipeline.Workspace)/python-dist
+
+          - task: UsePythonVersion@0
+            inputs:
+              versionSpec: '3.12'
+            displayName: 'Use Python 3.12'
+
+          - script: |
+              python -m pip install --upgrade pip twine
+            displayName: 'Install twine'
+
+          - task: TwineAuthenticate@1
+            displayName: 'Authenticate with MSAL-Prod-Python-Upload'
+            inputs:
+              pythonUploadServiceConnection: MSAL-Prod-Python-Upload
+
+          - script: |
+              python -m twine upload \
+                -r "MSAL-Prod-Python-Upload" \
+                --config-file $(PYPIRC_PATH) \
+                $(Pipeline.Workspace)/python-dist/*
+            displayName: 'Upload to PyPI (ESRP Production)'

.Pipelines/template-pipeline-stages.yml

@@ -1,6 +1,6 @@
 # template-pipeline-stages.yml
 #
-# Unified pipeline stages template for the msal Python package.
+# Shared stages template for the msal Python package.
 #
 # Called from:
 #   pipeline-publish.yml — release build (runPublish: true)
@@ -9,24 +9,21 @@
 # Parameters:
 #   packageVersion  - Version to validate against msal/sku.py
 #                     Required when runPublish is true; unused otherwise.
-#   publishTarget   - 'test.pypi.org (Preview / RC)' or 'pypi.org (Pre-ESRP)'
-#                     Required when runPublish is true; unused otherwise.
-#   runPublish      - When true: also run Validate, Build, and Publish stages.
+#   runPublish      - When true: also runs the Validate stage before CI.
 #                     When false (PR / merge builds): only PreBuildCheck + CI run.
 #
 # Stage flow:
 #
-#   runPublish: true  → PreBuildCheck ─► Validate ─► CI ─► Build ─► PublishMSALPython
-#                                                                   └─► PublishPyPI
-#   runPublish: false → PreBuildCheck ─► CI  (Validate / Build / Publish are skipped)
+#   runPublish: true  → PreBuildCheck ─► Validate ─► CI
+#   runPublish: false → PreBuildCheck ─► CI  (Validate is skipped)
+#
+# Build and Publish stages are defined in pipeline-publish.yml (not here),
+# so that the PR build never references PyPI service connections.
 
 parameters:
 - name: packageVersion
   type: string
   default: ''
-- name: publishTarget
-  type: string
-  default: ''
 - name: runPublish
   type: boolean
   default: false
@@ -193,144 +190,3 @@ stages:
     - bash: rm -f "$(Agent.TempDirectory)/lab-auth.pfx"
       displayName: 'Clean up lab certificate'
       condition: always()
-
-# ══════════════════════════════════════════════════════════════════════════════
-# Stage 3 · Build — build sdist + wheel (release only)
-# ══════════════════════════════════════════════════════════════════════════════
-- stage: Build
-  displayName: 'Build package'
-  dependsOn: CI
-  condition: and(eq(dependencies.CI.result, 'Succeeded'), eq(${{ parameters.runPublish }}, true))
-  jobs:
-  - job: BuildDist
-    displayName: 'Build sdist + wheel (Python 3.12)'
-    pool:
-      vmImage: ubuntu-latest
-    steps:
-    - task: UsePythonVersion@0
-      inputs:
-        versionSpec: '3.12'
-      displayName: 'Use Python 3.12'
-
-    - script: |
-        python -m pip install --upgrade pip build twine
-      displayName: 'Install build toolchain'
-
-    - script: |
-        python -m build
-      displayName: 'Build sdist and wheel'
-
-    - script: |
-        python -m twine check dist/*
-      displayName: 'Verify distribution (twine check)'
-
-    - task: PublishPipelineArtifact@1
-      displayName: 'Publish dist/ as pipeline artifact'
-      inputs:
-        targetPath: dist/
-        artifact: python-dist
-
-# ══════════════════════════════════════════════════════════════════════════════
-# Stage 4a · Publish to test.pypi.org (Preview / RC)
-#   Runs when: runPublish is true AND publishTarget == 'test.pypi.org (Preview / RC)'
-#   Note: requires MSAL-Test-Python-Upload SC in ADO (pending test.pypi.org token)
-# ══════════════════════════════════════════════════════════════════════════════
-- stage: PublishMSALPython
-  displayName: 'Publish to test.pypi.org (Preview)'
-  dependsOn: Build
-  condition: >
-    and(
-      eq(dependencies.Build.result, 'Succeeded'),
-      eq('${{ parameters.publishTarget }}', 'test.pypi.org (Preview / RC)')
-    )
-  jobs:
-  - deployment: DeployMSALPython
-    displayName: 'Upload to test.pypi.org'
-    pool:
-      vmImage: ubuntu-latest
-    # Optional: add approval checks in ADO → Pipelines → Environments → MSAL-Python
-    environment: MSAL-Python
-    strategy:
-      runOnce:
-        deploy:
-          steps:
-          - task: DownloadPipelineArtifact@2
-            displayName: 'Download python-dist artifact'
-            inputs:
-              artifactName: python-dist
-              targetPath: $(Pipeline.Workspace)/python-dist
-
-          - task: UsePythonVersion@0
-            inputs:
-              versionSpec: '3.12'
-            displayName: 'Use Python 3.12'
-
-          - script: |
-              python -m pip install --upgrade pip
-              python -m pip install twine
-            displayName: 'Install twine'
-
-          - task: TwineAuthenticate@1
-            displayName: 'Authenticate with MSAL-Test-Python-Upload'
-            inputs:
-              pythonUploadServiceConnection: MSAL-Test-Python-Upload
-
-          - script: |
-              python -m twine upload \
-                -r "MSAL-Test-Python-Upload" \
-                --config-file $(PYPIRC_PATH) \
-                --skip-existing \
-                $(Pipeline.Workspace)/python-dist/*
-            displayName: 'Upload to MSAL-Test-Python-Upload (skip existing)'
-
-# ══════════════════════════════════════════════════════════════════════════════
-# Stage 4b · Publish to PyPI (ESRP Production)
-#   Runs when: runPublish is true AND publishTarget == 'pypi.org (ESRP Production)'
-# ══════════════════════════════════════════════════════════════════════════════
-- stage: PublishPyPI
-  displayName: 'Publish to PyPI (ESRP Production)'
-  dependsOn: Build
-  condition: >
-    and(
-      eq(dependencies.Build.result, 'Succeeded'),
-      eq('${{ parameters.publishTarget }}', 'pypi.org (ESRP Production)')
-    )
-  jobs:
-  - deployment: DeployPyPI
-    displayName: 'Upload to pypi.org'
-    pool:
-      vmImage: ubuntu-latest
-    # IMPORTANT: configure a required manual approval on this environment in
-    # ADO → Pipelines → Environments → MSAL-Python-Release → Approvals and checks.
-    environment: MSAL-Python-Release
-    strategy:
-      runOnce:
-        deploy:
-          steps:
-          - task: DownloadPipelineArtifact@2
-            displayName: 'Download python-dist artifact'
-            inputs:
-              artifactName: python-dist
-              targetPath: $(Pipeline.Workspace)/python-dist
-
-          - task: UsePythonVersion@0
-            inputs:
-              versionSpec: '3.12'
-            displayName: 'Use Python 3.12'
-
-          - script: |
-              python -m pip install --upgrade pip
-              python -m pip install twine
-            displayName: 'Install twine'
-
-          - task: TwineAuthenticate@1
-            displayName: 'Authenticate with MSAL-Prod-Python-Upload'
-            inputs:
-              pythonUploadServiceConnection: MSAL-Prod-Python-Upload
-
-          - script: |
-              python -m twine upload \
-                -r "MSAL-Prod-Python-Upload" \
-                --config-file $(PYPIRC_PATH) \
-                $(Pipeline.Workspace)/python-dist/*
-            displayName: 'Upload to PyPI (ESRP Production)'