Restore two publish targets: Preview (test.pypi.org) and ESRP Production (pypi.org)

RyAuld · RyAuld · commit 525416368daa · 2026-03-30T09:38:06.000-07:00
diff --git a/.Pipelines/pipeline-publish.yml b/.Pipelines/pipeline-publish.yml
@@ -3,12 +3,31 @@
 # Release pipeline for the msal Python package — manually triggered only.
 # Source: https://github.com/AzureAD/microsoft-authentication-library-for-python
 #
-# Runs SDL security scans (PreBuildCheck) and the full test matrix (CI).
-# Package publishing is handled via the ESRP release path.
+# Publish targets:
+#   test.pypi.org (Preview / RC) — preview releases via MSAL-Test-Python-Upload SC
+#                                   (SC creation pending test.pypi.org API token)
+#   pypi.org (ESRP Production)   — production releases via ESRP
+#
 # For one-time ADO setup, see ADO-PUBLISH-SETUP.md.
 
+parameters:
+- name: packageVersion
+  displayName: 'Package version to publish (must match msal/sku.py, e.g. 1.36.0 or 1.36.0rc1)'
+  type: string
+
+- name: publishTarget
+  displayName: 'Publish target'
+  type: string
+  values:
+  - 'test.pypi.org (Preview / RC)'
+  - 'pypi.org (ESRP Production)'
+
 trigger: none    # manual runs only — no automatic branch or tag triggers
 pr: none
 
 stages:
 - template: template-pipeline-stages.yml
+  parameters:
+    packageVersion: ${{ parameters.packageVersion }}
+    publishTarget: ${{ parameters.publishTarget }}
+    runPublish: true
diff --git a/.Pipelines/template-pipeline-stages.yml b/.Pipelines/template-pipeline-stages.yml
@@ -3,14 +3,33 @@
 # Unified pipeline stages template for the msal Python package.
 #
 # Called from:
-#   pipeline-publish.yml — release build (SDL scans + test matrix)
-#   azure-pipelines.yml  — PR gate and post-merge CI
+#   pipeline-publish.yml — release build (runPublish: true)
+#   azure-pipelines.yml  — PR gate and post-merge CI (runPublish: false)
 #
-# Package publishing is handled via the ESRP release path (not in this template).
+# Parameters:
+#   packageVersion  - Version to validate against msal/sku.py
+#                     Required when runPublish is true; unused otherwise.
+#   publishTarget   - 'test.pypi.org (Preview / RC)' or 'pypi.org (Pre-ESRP)'
+#                     Required when runPublish is true; unused otherwise.
+#   runPublish      - When true: also run Validate, Build, and Publish stages.
+#                     When false (PR / merge builds): only PreBuildCheck + CI run.
 #
 # Stage flow:
 #
-#   PreBuildCheck ─► CI
+#   runPublish: true  → PreBuildCheck ─► Validate ─► CI ─► Build ─► PublishMSALPython
+#                                                                   └─► PublishPyPI
+#   runPublish: false → PreBuildCheck ─► CI  (Validate / Build / Publish are skipped)
+
+parameters:
+- name: packageVersion
+  type: string
+  default: ''
+- name: publishTarget
+  type: string
+  default: ''
+- name: runPublish
+  type: boolean
+  default: false
 
 stages:
 
@@ -53,12 +72,55 @@ stages:
         GdnBreakGdnToolPoliCheck: true
 
 # ══════════════════════════════════════════════════════════════════════════════
-# Stage 1 · CI — run the full test matrix across all supported Python versions.
+# Stage 1 · Validate — verify packageVersion matches msal/sku.py __version__
+#           Skipped when runPublish is false (PR / merge builds).
+# ══════════════════════════════════════════════════════════════════════════════
+- stage: Validate
+  displayName: 'Validate version'
+  dependsOn: PreBuildCheck
+  condition: and(${{ parameters.runPublish }}, eq(dependencies.PreBuildCheck.result, 'Succeeded'))
+  jobs:
+  - job: ValidateVersion
+    displayName: 'Check version matches source'
+    pool:
+      vmImage: ubuntu-latest
+    steps:
+    - task: UsePythonVersion@0
+      inputs:
+        versionSpec: '3.12'
+      displayName: 'Set up Python'
+
+    - bash: |
+        PARAM_VER="${{ parameters.packageVersion }}"
+        SKU_VER=$(grep '__version__' msal/sku.py | sed 's/.*"\(.*\)".*/\1/')
+
+        if [ -z "$PARAM_VER" ]; then
+          echo "##vso[task.logissue type=error]packageVersion is required. Enter the version to publish (must match msal/sku.py __version__)."
+          exit 1
+        elif [ "$PARAM_VER" != "$SKU_VER" ]; then
+          echo "##vso[task.logissue type=error]Version mismatch: parameter '$PARAM_VER' != msal/sku.py '$SKU_VER'"
+          echo "Update msal/sku.py __version__ to match the packageVersion parameter, or correct the parameter."
+          exit 1
+        else
+          echo "Version validated: $PARAM_VER"
+        fi
+      displayName: 'Verify version parameter matches msal/sku.py'
+
+# ══════════════════════════════════════════════════════════════════════════════
+# Stage 2 · CI — run the full test matrix across all supported Python versions.
+#           Always runs. Waits for Validate when runPublish is true;
+#           runs immediately when Validate is skipped (PR / merge builds).
 # ══════════════════════════════════════════════════════════════════════════════
 - stage: CI
   displayName: 'Run tests'
-  dependsOn: PreBuildCheck
-  condition: eq(dependencies.PreBuildCheck.result, 'Succeeded')
+  dependsOn:
+  - PreBuildCheck
+  - Validate
+  condition: |
+    and(
+      eq(dependencies.PreBuildCheck.result, 'Succeeded'),
+      in(dependencies.Validate.result, 'Succeeded', 'Skipped')
+    )
   jobs:
   - job: Test
     displayName: 'Run unit tests'
@@ -130,7 +192,12 @@ stages:
 
     - bash: rm -f "$(Agent.TempDirectory)/lab-auth.pfx"
       displayName: 'Clean up lab certificate'
-      condition: and(always(), ne(variables['LAB_APP_CLIENT_ID'], ''))
+      condition: always()
+
+# ══════════════════════════════════════════════════════════════════════════════
+# Stage 3 · Build — build sdist + wheel (release only)
+# ══════════════════════════════════════════════════════════════════════════════
+- stage: Build
   displayName: 'Build package'
   dependsOn: CI
   condition: and(eq(dependencies.CI.result, 'Succeeded'), eq(${{ parameters.runPublish }}, true))
@@ -166,6 +233,7 @@ stages:
 # ══════════════════════════════════════════════════════════════════════════════
 # Stage 4a · Publish to test.pypi.org (Preview / RC)
 #   Runs when: runPublish is true AND publishTarget == 'test.pypi.org (Preview / RC)'
+#   Note: requires MSAL-Test-Python-Upload SC in ADO (pending test.pypi.org token)
 # ══════════════════════════════════════════════════════════════════════════════
 - stage: PublishMSALPython
   displayName: 'Publish to test.pypi.org (Preview)'
@@ -216,16 +284,16 @@ stages:
             displayName: 'Upload to MSAL-Test-Python-Upload (skip existing)'
 
 # ══════════════════════════════════════════════════════════════════════════════
-# Stage 4b · Publish to PyPI (Production)
-#   Runs when: runPublish is true AND publishTarget == 'pypi.org (Production)'
+# Stage 4b · Publish to PyPI (ESRP Production)
+#   Runs when: runPublish is true AND publishTarget == 'pypi.org (ESRP Production)'
 # ══════════════════════════════════════════════════════════════════════════════
 - stage: PublishPyPI
-  displayName: 'Publish to PyPI (Production)'
+  displayName: 'Publish to PyPI (ESRP Production)'
   dependsOn: Build
   condition: >
     and(
       eq(dependencies.Build.result, 'Succeeded'),
-      eq('${{ parameters.publishTarget }}', 'pypi.org (Production)')
+      eq('${{ parameters.publishTarget }}', 'pypi.org (ESRP Production)')
     )
   jobs:
   - deployment: DeployPyPI
@@ -265,4 +333,4 @@ stages:
                 -r "MSAL-Prod-Python-Upload" \
                 --config-file $(PYPIRC_PATH) \
                 $(Pipeline.Workspace)/python-dist/*
-            displayName: 'Upload to MSAL-Prod-Python-Upload'
+            displayName: 'Upload to PyPI (ESRP Production)'
