microsoft · ecraig12345 · May 15, 2026 · May 16, 2026 · May 16, 2026 · May 16, 2026
diff --git a/.ado/publish.yml b/.ado/publish.yml
@@ -22,7 +22,7 @@ resources:
 
 variables:
   - name: nodeVersion
-    value: 20
+    value: 24
   - name: npmVersion
     value: 11
   - name: tags
@@ -56,10 +56,14 @@ extends:
               clean: all
 
             templateContext:
+              outputParentDirectory: $(Build.StagingDirectory)/out
               outputs:
                 - output: pipelineArtifact
-                  artifactName: published-packages
-                  targetPath: $(Build.StagingDirectory)/pkg
+                  artifactName: packed-packages
+                  path: $(Build.StagingDirectory)/out/packed-packages
+                - output: pipelineArtifact
+                  artifactName: release-api-tool
+                  path: $(Build.StagingDirectory)/out/release-api-tool
 
             steps:
               - checkout: self
@@ -68,11 +72,7 @@ extends:
                 displayName: Install Node.js ${{ variables.nodeVersion }}
                 retryCountOnTaskFailure: 1
                 inputs:
-                  # 👉 NOTE:
-                  # - we can use only versions that ship with container, otherwise we will run into nodejs installation issues.
-                  # - as 1es bumps those versions within container automatically we need to use `<major>.x` to not run into issues once they bump the versions.
-                  # https://github.com/actions/runner-images/blob/ubuntu20/20230924.1/images/linux/Ubuntu2004-Readme.md#nodejs
-                  version: '${{ variables.nodeVersion }}.x'
+                  version: ${{ variables.nodeVersion }}.x
                   checkLatest: false
 
               # For multiline scripts, we want the whole task to fail if any line of the script fails.
@@ -92,14 +92,19 @@ extends:
                 displayName: Show environment
 
               - script: node scripts/preparePublishRegistry.ts
-                displayName: Prepare npm feed
+                displayName: Prepare npm registry settings
 
               - task: npmAuthenticate@0
                 displayName: npm authenticate
                 inputs:
-                  workingFile: '$(Build.SourcesDirectory)/.npmrc'
+                  workingFile: $(Build.SourcesDirectory)/.npmrc
+
+              # This isn't used, it's just a clear way to check that auth is working
+              # (yarn install's auth errors can be very unclear)
+              - script: yarn npm info beachball
+                displayName: Get package to verify registry auth
 
-              - script: yarn --frozen-lockfile
+              - script: yarn --immutable
                 displayName: Install dependencies
 
               - script: yarn build --verbose
@@ -110,12 +115,17 @@ extends:
 
               # TODO: figure out if this should bump or not (currently does bump)
               # and currently uses a prerelease prefix of 'test' to avoid interfering with real versions
+              # TODO: update beachball to read the registry from .npmrc and/or .yarnrc.yml
               # TODO (release): change back to:
-              # yarn beachball publish --prerelease-prefix test -y --no-push --pack-to-path '$(Build.StagingDirectory)/pkg'
+              # yarn beachball publish --prerelease-prefix test -y --no-push --pack-to-path '$(Build.StagingDirectory)/packed-packages'
               - script: |
-                  yarn release:canary --no-push --pack-to-path '$(Build.StagingDirectory)/pkg'
-                displayName: 'Pack packages (canary)'
+                  yarn release:canary --no-push --verbose --pack-to-path '$(Build.StagingDirectory)/out/packed-packages' --registry https://pkgs.dev.azure.com/office/_packaging/Office/npm/registry/
+                displayName: Pack packages (canary)
 
               - script: |
-                  ls -R '$(Build.StagingDirectory)/pkg'
-                displayName: Show all files in pack directory
+                  mkdir -p $(Build.StagingDirectory)/out/release-api-tool
+                  cp -r packages/esrp-npm-release/dist/index.js $(Build.StagingDirectory)/out/release-api-tool
+                displayName: Copy release API tool to staging directory
+
+              - script: ls -R '$(Build.StagingDirectory)/out'
+                displayName: Show all output files
diff --git a/.ado/release.yml b/.ado/release.yml
@@ -9,9 +9,10 @@ trigger: none
 
 resources:
   pipelines:
-    - pipeline: 'beachball_publish'
-      project: 'ISS'
-      source: 'beachball - prepublish'
+    # must match publishPipelineAlias variable
+    - pipeline: prepublish
+      project: ISS
+      source: beachball - prepublish
       trigger:
         branches:
           include:
@@ -24,6 +25,12 @@ resources:
       name: 1ESPipelineTemplates/OfficePipelineTemplates
       ref: refs/tags/release
 
+variables:
+  nodeVersion: 24
+  publishPipelineAlias: prepublish
+  packagesArtifactName: packed-packages
+  releaseApiToolArtifactName: release-api-tool
+
 extends:
   template: v1/Office.Official.PipelineTemplate.yml@OfficePipelineTemplates
   parameters:
@@ -36,36 +43,75 @@ extends:
       - stage: main_release
         displayName: Publish packages
         jobs:
-          - job: npmjs_com_job
+          - job: npm_release
             displayName: NPM to npmjs.com
             templateContext:
               type: releaseJob
               isProduction: true
               inputs:
                 - input: pipelineArtifact
-                  pipeline: beachball_publish
-                  artifactName: published-packages
-                  targetPath: $(Pipeline.Workspace)\published-packages
+                  pipeline: ${{ variables.publishPipelineAlias }}
+                  artifactName: ${{ variables.packagesArtifactName }}
+                  targetPath: $(Agent.BuildDirectory)\${{ variables.packagesArtifactName }}
+                - input: pipelineArtifact
+                  pipeline: ${{ variables.publishPipelineAlias }}
+                  artifactName: ${{ variables.releaseApiToolArtifactName }}
+                  targetPath: $(Agent.BuildDirectory)\${{ variables.releaseApiToolArtifactName }}
 
             # Use ESRP Release to securely publish to npmjs.com.
             steps:
-              - script: dir /S $(Pipeline.Workspace)\published-packages
+              - task: UseNode@1
+                displayName: Install Node.js ${{ variables.nodeVersion }}
+                retryCountOnTaskFailure: 1
+                inputs:
+                  version: ${{ variables.nodeVersion }}.x
+                  checkLatest: false
+
+              - script: dir /S $(Agent.BuildDirectory)\${{ variables.packagesArtifactName }}
                 displayName: Show directory contents
 
-              - task: 'SFP.release-tasks.custom-build-release-task.EsrpRelease@9'
-                displayName: 'ESRP Release to npmjs.com'
+              # Get credentials that will be used to temporarily upload zips to ogxesrptempstorage
+              # in the OGX azure subscription
+              - task: AzureCLI@2
+                displayName: Get credentials for staging blob storage
                 inputs:
-                  connectedservicename: 'ESRP-JSHost3'
-                  usemanagedidentity: false
-                  keyvaultname: 'OGX-JSHost-KV'
-                  authcertname: 'OGX-JSHost-Auth4'
-                  signcertname: 'OGX-JSHost-Sign3'
-                  clientid: '0a35e01f-eadf-420a-a2bf-def002ba898d'
-                  domaintenantid: 'cdc5aeea-15c5-4db6-b079-fcadd2505dc2'
-                  contenttype: npm
-                  folderlocation: $(Pipeline.Workspace)\published-packages
-                  owners: 'elcraig@microsoft.com'
-                  approvers: 'dannyvv@microsoft.com'
-                  # npm tag
-                  # potentially can also be inferred from the publishConfig field within the package.json file.
-                  productstate: 'test'
+                  # this is the service connection name
+                  azureSubscription: ogx-esrp-infra-bot
+                  scriptType: pscore
+                  scriptLocation: inlineScript
+                  addSpnToEnvironment: true
+                  inlineScript: |
+                    Write-Host "##vso[task.setvariable variable=STAGING_TENANT_ID]$env:tenantId"
+                    Write-Host "##vso[task.setvariable variable=STAGING_CLIENT_ID]$env:servicePrincipalId"
+                    Write-Host "##vso[task.setvariable variable=STAGING_ID_TOKEN;issecret=true]$env:idToken"
+
+              # Fetch ESRP certificates from key vault in Torus
+              - task: AzureKeyVault@2
+                displayName: Get ESRP certificates from Key Vault
+                inputs:
+                  # torus service connection name ("connectedservicename" from EsrpRelease task)
+                  azureSubscription: ESRP-JSHost3
+                  # "keyvaultname" from EsrpRelease task
+                  KeyVaultName: OGX-JSHost-KV
+                  # "authcertname" and "signcertname" from EsrpRelease task
+                  SecretsFilter: OGX-JSHost-Auth4,OGX-JSHost-Sign3
+
+              - script: node $(Agent.BuildDirectory)\${{ variables.releaseApiToolArtifactName }}\index.js
+                displayName: Publish to npmjs.com using ESRP Release API wrapper
+                retryCountOnTaskFailure: 3
+                env:
+                  PACKED_PACKAGES_PATH: $(Agent.BuildDirectory)\${{ variables.packagesArtifactName }}
+                  ESRP_PRODUCT_NAME: beachball
+                  ESRP_NPM_TAG: test
+                  ESRP_USER: elcraig@microsoft.com
+                  ESRP_APPROVERS: dannyvv@microsoft.com
+                  # torus tenant ID ("domaintenantid" from EsrpRelease task, same as service connection "ESRP-JSHost3")
+                  ESRP_TENANT_ID: cdc5aeea-15c5-4db6-b079-fcadd2505dc2
+                  # "clientid" from EsrpRelease task
+                  ESRP_CLIENT_ID: 0a35e01f-eadf-420a-a2bf-def002ba898d
+                  ESRP_AUTH_CERT: $(OGX-JSHost-Auth4)
+                  ESRP_REQUEST_SIGNING_CERT: $(OGX-JSHost-Sign3)
+                  STAGING_STORAGE_ACCOUNT_NAME: ogxesrptempstorage
+                  STAGING_CLIENT_ID: $(STAGING_CLIENT_ID)
+                  STAGING_TENANT_ID: $(STAGING_TENANT_ID)
+                  STAGING_ID_TOKEN: $(STAGING_ID_TOKEN)
diff --git a/.ado/roleAssignments.bicep b/.ado/roleAssignments.bicep
@@ -0,0 +1,124 @@
+/*
+Apply changes:
+  az deployment group create \
+    --subscription "<sub>" \
+    --resource-group "<rg>" \
+    --template-file .ado/roleAssignments.bicep \
+    --parameters \
+        stagingStorageName=<storage> \
+        managedIdentityName=<uami-name>
+
+Preview changes:
+  az deployment group what-if ...
+*/
+
+// Name of the user-assigned managed identity to create and grant storage roles to.
+param managedIdentityName string
+
+param stagingStorageName string
+
+// Built-in role definition IDs.
+// See https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
+var roleDefinitions = {
+  storageBlobDataContributor: 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'
+  storageBlobDelegator: 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a'
+}
+
+// If an account with this name already exists in the resource group, the deployment reconciles
+// its properties to match the values below — make sure they match the existing account, or run
+// `what-if` first to preview.
+resource stagingStorage 'Microsoft.Storage/storageAccounts@2023-05-01' = {
+  name: stagingStorageName
+  location: resourceGroup().location
+  kind: 'StorageV2'
+  sku: {
+    name: 'Standard_LRS'
+  }
+  properties: {
+    accessTier: 'Hot'
+    allowBlobPublicAccess: false
+    allowSharedKeyAccess: false
+    minimumTlsVersion: 'TLS1_2'
+    supportsHttpsTrafficOnly: true
+  }
+}
+
+// User-assigned managed identity that will be granted storage roles below.
+// UAMIs are service principals as far as role assignments are concerned.
+resource uami 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
+  name: managedIdentityName
+  location: resourceGroup().location
+}
+
+resource blobDataContrib 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  scope: stagingStorage
+  name: guid(stagingStorage.id, managedIdentityName, 'StorageBlobDataContributor')
+  properties: {
+    principalId: uami.properties.principalId
+    principalType: 'ServicePrincipal'
+    roleDefinitionId: subscriptionResourceId(
+      'Microsoft.Authorization/roleDefinitions',
+      roleDefinitions.storageBlobDataContributor
+    )
+  }
+}
+
+resource blobDelegator 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  scope: stagingStorage
+  name: guid(stagingStorage.id, managedIdentityName, 'StorageBlobDelegator')
+  properties: {
+    principalId: uami.properties.principalId
+    principalType: 'ServicePrincipal'
+    roleDefinitionId: subscriptionResourceId(
+      'Microsoft.Authorization/roleDefinitions',
+      roleDefinitions.storageBlobDelegator
+    )
+  }
+}
+
+// Garbage-collect staged release artifacts and release-state markers.
+// The tool deletes staging blobs in a finally block after each release, but stragglers
+// can be left behind if the process is killed mid-release. release-state markers are
+// never deleted by the tool and would otherwise accumulate forever.
+resource lifecyclePolicy 'Microsoft.Storage/storageAccounts/managementPolicies@2023-05-01' = {
+  parent: stagingStorage
+  name: 'default'
+  properties: {
+    policy: {
+      rules: [
+        {
+          name: 'expire-staging-blobs'
+          enabled: true
+          type: 'Lifecycle'
+          definition: {
+            filters: {
+              blobTypes: ['blockBlob']
+              prefixMatch: ['staging/']
+            }
+            actions: {
+              baseBlob: {
+                delete: { daysAfterModificationGreaterThan: 3 }
+              }
+            }
+          }
+        }
+        {
+          name: 'expire-release-state'
+          enabled: true
+          type: 'Lifecycle'
+          definition: {
+            filters: {
+              blobTypes: ['blockBlob']
+              prefixMatch: ['release-state/']
+            }
+            actions: {
+              baseBlob: {
+                delete: { daysAfterModificationGreaterThan: 90 }
+              }
+            }
+          }
+        }
+      ]
+    }
+  }
+}
diff --git a/.gitignore b/.gitignore
@@ -22,6 +22,7 @@ docs/.yarn
 
 .yarn/*
 !.yarn/patches/
+!.yarn/plugins/
 !.yarn/releases/
 # Ignore this in case a local .npmrc is added with a token for publishing
 .npmrc
diff --git a/.prettierignore b/.prettierignore
@@ -1,4 +1,5 @@
 .yarn/
+*.bicep
 *.log
 *.patch
 *.snap

diff --git a/.yarn/patches/jws-npm-4.0.1-0d8c257cbe.patch b/.yarn/patches/jws-npm-4.0.1-0d8c257cbe.patch
@@ -0,0 +1,19 @@
+diff --git a/lib/tostring.js b/lib/tostring.js
+index f5a49a36548b1e299042c9e3d1cdd60c71d8ec0c..493dd5cdd98ad99f84fb740864f9dd54c73ab7a3 100644
+--- a/lib/tostring.js
++++ b/lib/tostring.js
+@@ -4,7 +4,11 @@ var Buffer = require('buffer').Buffer;
+ module.exports = function toString(obj) {
+   if (typeof obj === 'string')
+     return obj;
+-  if (typeof obj === 'number' || Buffer.isBuffer(obj))
++  if (typeof obj === 'number' || typeof obj === 'bigint' || Buffer.isBuffer(obj))
+     return obj.toString();
+-  return JSON.stringify(obj);
++  const marker = '__BIGINT_' + Math.random().toString(36).slice(2) + '__';
++  const json = JSON.stringify(obj, (_k, v) =>
++    typeof v === 'bigint' ? marker + v.toString() + marker : v
++  );
++  return json.replace(new RegExp('"' + marker + '(-?\\d+)' + marker + '"', 'g'), '$1');
+ };
+\ No newline at end of file
-Original file line number
+Diff line change
@@ -1,4 +1,5 @@
     .yarn/
+    *.bicep
     *.log
     *.patch
     *.snap
@@ Expand Down @@