From 6e1900c0a7e6c02af1f5020dba4ad0b0b50b34e5 Mon Sep 17 00:00:00 2001 From: Vladimir Morozov Date: Tue, 26 May 2026 17:30:40 -0700 Subject: [PATCH 1/2] Fix publish and release pipelines --- .ado/publish.yml | 26 +++++++++++++++++++++++--- .ado/release.yml | 39 ++++++++++++++++++++++++++++++++++----- 2 files changed, 57 insertions(+), 8 deletions(-) diff --git a/.ado/publish.yml b/.ado/publish.yml index e7ca17e4..18de97b4 100644 --- a/.ado/publish.yml +++ b/.ado/publish.yml @@ -386,7 +386,19 @@ extends: displayName: Show RID list - ${{ if ne(variables.DisableSigning, true) }}: - - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@5 + # ESRP's PendingAnalysis stage rejects the .node extension, so rename to .dll + # for signing and rename back after. The signing task below picks it up via the + # **/Microsoft.JavaScript.NodeApi.dll glob. + - task: PowerShell@2 + displayName: Rename .node to .dll for ESRP signing + inputs: + targetType: inline + script: | + Rename-Item ` + -Path "$(Build.SourcesDirectory)/out/bin/Release/NodeApi/aot/win-x64/publish/Microsoft.JavaScript.NodeApi.node" ` + -NewName "Microsoft.JavaScript.NodeApi.dll" + + - task: EsrpCodeSigning@6 displayName: CodeSign Binaries inputs: ConnectedServiceName: 'ESRP-JSHost3' @@ -398,7 +410,6 @@ extends: FolderPath: $(Build.SourcesDirectory)/out/bin/Release # Recursively finds files matching these patterns: Pattern: | - NodeApi/aot/win-x64/publish/Microsoft.JavaScript.NodeApi.node **/Microsoft.JavaScript.NodeApi.dll **/Microsoft.JavaScript.NodeApi.DotNetHost.dll **/Microsoft.JavaScript.NodeApi.Generator.dll 
@@ -429,6 +440,15 @@ extends: } ] + - task: PowerShell@2 + displayName: Rename signed .dll back to .node + inputs: + targetType: inline + script: | + Rename-Item ` + -Path "$(Build.SourcesDirectory)/out/bin/Release/NodeApi/aot/win-x64/publish/Microsoft.JavaScript.NodeApi.dll" ` + -NewName "Microsoft.JavaScript.NodeApi.node" + # Make symbols available through http://symweb. - task: PublishSymbols@2 displayName: Publish symbols @@ -450,7 +470,7 @@ extends: RuntimeIdentifierList: $(TargetRuntimeList) - ${{ if ne(variables.DisableSigning, true) }}: - - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@5 + - task: EsrpCodeSigning@6 displayName: CodeSign NuGets inputs: ConnectedServiceName: 'ESRP-JSHost3' diff --git a/.ado/release.yml b/.ado/release.yml index 3100c66d..52f8a361 100644 --- a/.ado/release.yml +++ b/.ado/release.yml @@ -19,20 +19,18 @@ resources: - main repositories: - - repository: CustomPipelineTemplates + - repository: OfficePipelineTemplates type: git name: 1ESPipelineTemplates/OfficePipelineTemplates ref: refs/tags/release extends: - template: v1/Office.Official.PipelineTemplate.yml@CustomPipelineTemplates + template: v1/Office.Official.PipelineTemplate.yml@OfficePipelineTemplates parameters: pool: name: Azure-Pipelines-1ESPT-ExDShared vmImage: windows-latest os: windows - customBuildTags: - - ES365AIMigrationTooling-BulkMigrated-Release sdl: eslint: enableExclusions: true 
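Review bot: The rename-back step in this hunk restores the `.node` name without checking that the file was actually signed. If the signing task skips the renamed file (for example because a pattern no longer matches), nothing visible here would notice, and the native binary could be published unsigned. Before the `Rename-Item`, the script could fail closed with something like `if ((Get-AuthenticodeSignature -FilePath $dll).Status -ne 'Valid') { throw 'NodeApi native binary is not signed' }`, with `$dll` holding the path already passed to `-Path`. Whether `Valid` is the right status to require depends on the signing certificate chain being trusted on the agent, which this page does not show. The updated rename-back in PATCH 2/2 (hunk at -446) changes only the source file name and has the same gap.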
@@ -63,6 +61,20 @@ extends: - script: dotnet nuget list source displayName: Show Nuget sources + - task: AzureCLI@2 + displayName: Override NuGet credentials with Managed Identity + inputs: + azureSubscription: 'Office-Hermes-Windows-Bot' + visibleAzLogin: false + scriptType: 'pscore' + scriptLocation: 'inlineScript' + inlineScript: | + $accessToken = az account get-access-token --query accessToken --resource 499b84ac-1321-427f-aa17-267ca6975798 -o tsv + # Set the access token as a secret, so it doesn't get leaked in the logs + Write-Host "##vso[task.setsecret]$accessToken" + # Override the apitoken of the nuget service connection, for the duration of this stage + Write-Host "##vso[task.setendpoint id=29e4c04c-ae69-4453-b9f3-bfef7a4c8d32;field=authParameter;key=apitoken]$accessToken" + - task: 1ES.PublishNuGet@1 displayName: NuGet push inputs: @@ -85,7 +97,10 @@ extends: artifactName: 'published-packages' targetPath: $(Pipeline.Workspace)\published-packages - # Use the NPM utility to authenticate and publish to ADO ms/react-native feed + # Use the NPM utility to authenticate and publish to ADO ms/react-native feed. + # PAT-based auth is no longer permitted, so override the service connection's + # token with an AAD access token obtained via Managed Identity, mirroring the + # NuGet job above. steps: - task: NodeTool@0 displayName: Use Node 22.x 
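Review bot: The inline script never checks that `az account get-access-token` succeeded, so a failed or empty result is still passed to `task.setsecret` and `task.setendpoint`, and the problem would presumably only surface later as an authentication error in the push step. A guard directly after the assignment, `if ($LASTEXITCODE -ne 0 -or [string]::IsNullOrWhiteSpace($accessToken)) { throw 'Failed to acquire Azure DevOps access token' }`, fails the step at the point of the problem and keeps an empty value out of the endpoint override. The npm variant of this script in the hunk at -99 has the same gap. A short comment naming what the `--resource` GUID and the endpoint `id` refer to would also let a reviewer confirm the token is attached to the intended service connection.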
@@ -99,6 +114,20 @@ extends: echo registry=https://pkgs.dev.azure.com/ms/_packaging/react-native/npm/registry/ > $(Pipeline.Workspace)\published-packages\.npmrc echo always-auth=true >> $(Pipeline.Workspace)\published-packages\.npmrc + - task: AzureCLI@2 + displayName: Override npm credentials with Managed Identity + inputs: + azureSubscription: 'Office-Hermes-Windows-Bot' + visibleAzLogin: false + scriptType: 'pscore' + scriptLocation: 'inlineScript' + inlineScript: | + $accessToken = az account get-access-token --query accessToken --resource 499b84ac-1321-427f-aa17-267ca6975798 -o tsv + # Set the access token as a secret, so it doesn't get leaked in the logs + Write-Host "##vso[task.setsecret]$accessToken" + # Override the apitoken of the npm service connection, for the duration of this stage. + Write-Host "##vso[task.setendpoint id=9991cb9c-14ba-4683-9a34-100f96f80607;field=authParameter;key=apitoken]$accessToken" + - task: npmAuthenticate@0 displayName: npm Authenticate .npmrc inputs: From 7a48b6326dba146617322eb17a84889fe6e62041 Mon Sep 17 00:00:00 2001 From: Vladimir Morozov Date: Wed, 27 May 2026 09:32:49 -0700 Subject: [PATCH 2/2] Avoid naming conflicts when renaming DLL --- .ado/publish.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.ado/publish.yml b/.ado/publish.yml index 18de97b4..ced192aa 100644 --- a/.ado/publish.yml +++ b/.ado/publish.yml @@ -396,7 +396,7 @@ extends: script: | Rename-Item ` -Path "$(Build.SourcesDirectory)/out/bin/Release/NodeApi/aot/win-x64/publish/Microsoft.JavaScript.NodeApi.node" ` - -NewName "Microsoft.JavaScript.NodeApi.dll" + -NewName "Microsoft.JavaScript.NodeApi.node.dll" - task: EsrpCodeSigning@6 displayName: CodeSign Binaries 
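Review bot: This task repeats the NuGet credential override from the hunk at -63 almost line for line; only the `displayName`, one comment and the endpoint `id` differ. Keeping security-sensitive token handling in two copies invites drift, for example a fix to the masking or error handling landing in one copy and not the other. A small steps template that takes the endpoint id as a parameter would keep the `task.setsecret` / `task.setendpoint` sequence in one reviewed place.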
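Review bot: The comment added above this step in PATCH 1/2 still says the signing task picks the file up via the `**/Microsoft.JavaScript.NodeApi.dll` glob, which stops being true once this hunk renames the file to `Microsoft.JavaScript.NodeApi.node.dll`. The comment sits just above this hunk's context, and the 3-insertion/2-deletion diffstat for PATCH 2/2 shows it is not touched. It should be updated in the same commit, e.g. `# for signing and rename back after. The signing task below picks it up via the explicit NodeApi/aot/win-x64/publish/Microsoft.JavaScript.NodeApi.node.dll pattern.` A stale note about which pattern covers the native binary makes it easier for a later cleanup to drop that pattern and leave the file unsigned.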
@@ -410,6 +410,7 @@ extends: FolderPath: $(Build.SourcesDirectory)/out/bin/Release # Recursively finds files matching these patterns: Pattern: | + NodeApi/aot/win-x64/publish/Microsoft.JavaScript.NodeApi.node.dll **/Microsoft.JavaScript.NodeApi.dll **/Microsoft.JavaScript.NodeApi.DotNetHost.dll **/Microsoft.JavaScript.NodeApi.Generator.dll @@ -446,7 +447,7 @@ extends: targetType: inline script: | Rename-Item ` - -Path "$(Build.SourcesDirectory)/out/bin/Release/NodeApi/aot/win-x64/publish/Microsoft.JavaScript.NodeApi.dll" ` + -Path "$(Build.SourcesDirectory)/out/bin/Release/NodeApi/aot/win-x64/publish/Microsoft.JavaScript.NodeApi.node.dll" ` -NewName "Microsoft.JavaScript.NodeApi.node" # Make symbols available through http://symweb.