add azure pipeline

.npmrc

@@ -0,0 +1,4 @@
+# Force public npm registry to avoid CI auth (E401) when no token is provided
+registry=https://registry.npmjs.org/
+# Do not require auth for public installs
+always-auth=false

build/azure-devdiv-pipeline.pre-release.yml

@@ -0,0 +1,125 @@
+# Run on a schedule
+trigger: none
+pr: none
+
+schedules:
+  - cron: '0 10 * * 1-5' # 10AM UTC (2AM PDT) MON-FRI (VS Code Pre-release builds at 9PM PDT)
+    displayName: Nightly Pre-Release Schedule
+    always: false # only run if there are source code changes
+    branches:
+      include:
+        - main
+
+resources:
+  repositories:
+    - repository: MicroBuildTemplate
+      type: git
+      name: 1ESPipelineTemplates/MicroBuildTemplate
+      ref: refs/tags/release
+variables:
+  - name: TeamName
+    value: VSCode-python-debugger
+  - name: VsixName
+    value: python-debugger.vsix
+  - name: AZURE_ARTIFACTS_FEED
+    value: 'https://devdiv.pkgs.visualstudio.com/DevDiv/_packaging/Pylance_PublicPackages/npm/registry/'
+parameters:
+  - name: publishExtension
+    displayName: 🚀 Publish Extension
+    type: boolean
+    default: false
+
+extends:
+  template: azure-pipelines/MicroBuild.1ES.Official.yml@MicroBuildTemplate
+  parameters:
+    sdl:
+      sourceAnalysisPool: VSEngSS-MicroBuild2022-1ES
+      codeSignValidation:
+        enabled: true
+      sbom:
+        enabled: false # Disable global SBOM generation; we'll enable selectively per artifact output
+    pool:
+      name: AzurePipelines-EO
+      os: windows
+
+    customBuildTags:
+      - ES365AIMigrationTooling
+    stages:
+      - stage: Build
+        displayName: Build & Package Extension
+        jobs:
+          - job: Build
+            displayName: Build Job
+            pool:
+              name: VSEngSS-MicroBuild2022-1ES # use windows for codesigning to make things easier https://dev.azure.com/devdiv/DevDiv/_wiki/wikis/DevDiv.wiki/650/MicroBuild-Signing
+              os: windows
+            templateContext:
+              mb:
+                signing:
+                  enabled: true
+                  signType: real
+                  signWithProd: true
+              outputs:
+                - output: pipelineArtifact
+                  displayName: 'Publish Drop Artifact'
+                  targetPath: '$(Build.StagingDirectory)\drop'
+                  artifactName: drop
+                  sbomEnabled: true
+            steps:
+              - task: npmAuthenticate@0
+                inputs:
+                  workingFile: .npmrc
+
+              - script: npm config get registry
+                displayName: Verify NPM Registry
+
+              - task: NodeTool@0
+                inputs:
+                  versionSpec: '22.x'
+                  checkLatest: true
+                displayName: Select Node 22 LTS
+
+              - task: UsePythonVersion@0
+                inputs:
+                  versionSpec: '3.9' # note Install Python dependencies step below relies on Python 3.9
+                  addToPath: true
+                  architecture: 'x64'
+                displayName: Select Python version
+
+              - script: npm ci
+                displayName: Install NPM dependencies
+
+              - script: python -m pip install -U pip
+                displayName: Upgrade pip
+
+              - script: python -m pip install wheel
+                displayName: Install wheel
+
+              - script: python -m pip install nox
+                displayName: Install nox
+
+              - script: python -m nox --session install_bundled_libs
+                displayName: Install Python dependencies
+
+              - script: python ./build/update_ext_version.py --for-publishing
+                displayName: Update build number
+
+              - script: npm run vsce-package-pre
+                displayName: Build VSIX
+
+              - template: build/templates/sign.yml@self
+                parameters:
+                  vsixName: $(VsixName)
+                  workingDirectory: $(Build.StagingDirectory)\drop
+                  signType: real
+                  verifySignature: true
+
+              - ${{ if eq(parameters.publishExtension, true) }}:
+                  - template: build/templates/publish.yml@self
+                    parameters:
+                      azureSubscription: PylancePublishPipelineSecureConnectionWithManagedIdentity
+                      vsixName: $(VsixName)
+                      manifestName: extension.manifest
+                      signatureName: extension.signature.p7s
+                      publishFolder: drop
+                      preRelease: true

build/azure-devdiv-pipeline.stable.yml

@@ -0,0 +1,110 @@
+name: Publish Release
+trigger:
+  branches:
+    include:
+      - refs/tags/*
+
+resources:
+  repositories:
+    - repository: MicroBuildTemplate
+      type: git
+      name: 1ESPipelineTemplates/MicroBuildTemplate
+      ref: refs/tags/release
+variables:
+  - name: TeamName
+    value: VSCode-python-debugger
+  - name: VsixName
+    value: python-debugger.vsix
+
+parameters:
+  - name: publishExtension
+    displayName: 🚀 Publish Extension
+    type: boolean
+    default: false
+
+extends:
+  template: azure-pipelines/MicroBuild.1ES.Official.yml@MicroBuildTemplate
+  parameters:
+    sdl:
+      sourceAnalysisPool: VSEngSS-MicroBuild2022-1ES
+      codeSignValidation:
+        enabled: true
+      sbom:
+        enabled: false # Disable global SBOM generation; we'll enable selectively per artifact output
+    pool:
+      name: AzurePipelines-EO
+      os: windows
+
+    customBuildTags:
+      - ES365AIMigrationTooling
+    stages:
+      - stage: Build
+        displayName: Build & Package Extension
+        jobs:
+          - job: Build
+            displayName: Build Job
+            pool:
+              name: VSEngSS-MicroBuild2022-1ES # use windows for codesigning to make things easier https://dev.azure.com/devdiv/DevDiv/_wiki/wikis/DevDiv.wiki/650/MicroBuild-Signing
+              os: windows
+            templateContext:
+              mb:
+                signing:
+                  enabled: true
+                  signType: real
+                  signWithProd: true
+              outputs:
+                - output: pipelineArtifact
+                  displayName: 'Publish Drop Artifact'
+                  targetPath: '$(Build.StagingDirectory)\drop'
+                  artifactName: drop
+                  sbomEnabled: true
+            steps:
+              - task: NodeTool@0
+                inputs:
+                  versionSpec: '22.x'
+                  checkLatest: true
+                displayName: Select Node 22 LTS
+              - task: UsePythonVersion@0
+                inputs:
+                  versionSpec: '3.9' # note Install Python dependencies step below relies on Python 3.9
+                  addToPath: true
+                  architecture: 'x64'
+                displayName: Select Python version
+
+              - script: npm ci
+                displayName: Install NPM dependencies
+
+              - script: python -m pip install -U pip
+                displayName: Upgrade pip
+
+              - script: python -m pip install wheel
+                displayName: Install wheel
+
+              - script: python -m pip install nox
+                displayName: Install nox
+
+              - script: python -m nox --session install_bundled_libs
+                displayName: Install Python dependencies
+
+              - script: python ./build/update_ext_version.py --release --for-publishing
+                displayName: Update build number
+
+              - script: npm run vsce-package
+                displayName: Build VSIX
+
+              - template: build/templates/sign.yml@self
+                parameters:
+                  vsixName: $(VsixName)
+                  workingDirectory: $(Build.StagingDirectory)\drop
+                  signType: real
+                  verifySignature: true
+
+              - ${{ if eq(parameters.publishExtension, true) }}:
+                  - template: build/templates/publish.yml@self
+                    parameters:
+                      azureSubscription: PylancePublishPipelineSecureConnectionWithManagedIdentity
+                      vsixName: $(VsixName)
+                      manifestName: extension.manifest
+                      signatureName: extension.signature.p7s
+                      publishFolder: drop
+                      preRelease: false

build/templates/publish.yml

@@ -0,0 +1,118 @@
+# Template (steps): PublishMarketplace for autopep8 extension
+# Expects working directory already populated (or artifact previously downloaded) with: autopep8.vsix, extension.manifest, extension.signature.p7s
+# Provides optional prerelease publishing via parameter.
+#
+# Usage (example inside a stage job):
+# steps:
+# - template: build/templates/publish.yml@self
+#   parameters:
+#     azureSubscription: Autopep8PublishServiceConnection
+#     artifactName: drop
+#     vsixName: autopep8.vsix
+#     manifestName: extension.manifest
+#     signatureName: extension.signature.p7s
+#     publishFolder: vscode-autopep8
+#     preRelease: true
+#     noVerify: true
+#
+# Notes:
+# - Azure DevOps Marketplace resource GUID (499b84ac-1321-427f-aa17-267ca6975798) is hardcoded in publish script.
+# - This uses Managed Identity via AzureCLI@2 to acquire an AAD token and passes it as a PAT.
+# - Requires extension artifacts already signed (signature file present).
+# - Node & vsce expected to be prepared by parent pipeline; omit local installation here.
+
+parameters:
+  - name: azureSubscription
+    type: string
+  - name: vsixName
+    type: string
+    default: autopep8.vsix
+  - name: manifestName
+    type: string
+    default: extension.manifest
+  - name: signatureName
+    type: string
+    default: extension.signature.p7s
+  - name: publishFolder
+    type: string
+    default: vscode-autopep8
+  - name: preRelease
+    type: boolean
+    default: false
+  - name: noVerify
+    type: boolean
+    default: true
+
+steps:
+  # Node & vsce expected to be prepared by parent pipeline; omit local installation.
+
+  # Assumes files already present at $(Build.ArtifactStagingDirectory)/publishFolder
+
+  # Step 1: Acquire token only (store secret variable MarketplaceAADToken)
+  - task: AzureCLI@2
+    displayName: Acquire Marketplace AAD token
+    inputs:
+      azureSubscription: ${{ parameters.azureSubscription }}
+      scriptType: pscore
+      scriptLocation: inlineScript
+      inlineScript: |
+        $resource = "499b84ac-1321-427f-aa17-267ca6975798"
+        Write-Host "Acquiring AAD token for resource: $resource"
+        az rest -u https://app.vssps.visualstudio.com/_apis/profile/profiles/me --resource $resource | Out-Null
+        $aadToken = az account get-access-token --query accessToken --resource $resource -o tsv
+        if (-not $aadToken) { Write-Error 'Failed to acquire AAD token.'; exit 1 }
+        Write-Host "##vso[task.setvariable variable=MarketplaceAADToken;isSecret=true]$aadToken"
+        Write-Host "Token stored in secret variable MarketplaceAADToken"
+
+  # Step 2: Validate artifacts & publish
+  - task: PowerShell@2
+    displayName: Publish extension (vsce)
+    inputs:
+      targetType: inline
+      script: |
+        $aadToken = "$(MarketplaceAADToken)"
+        if (-not $aadToken) { Write-Error 'MarketplaceAADToken is empty (token acquisition failed).'; exit 1 }
+
+        $root = "$(Build.ArtifactStagingDirectory)/${{ parameters.publishFolder }}"
+        $vsixPath = Join-Path $root "${{ parameters.vsixName }}"
+        $manifestPath = Join-Path $root "${{ parameters.manifestName }}"
+        $signaturePath = Join-Path $root "${{ parameters.signatureName }}"
+
+        Write-Host "VSIX Path: $vsixPath"
+        Write-Host "Manifest Path: $manifestPath"
+        Write-Host "Signature Path: $signaturePath"
+
+        if (-not (Test-Path $vsixPath)) { Write-Error "VSIX file not found: $vsixPath"; exit 1 }
+        if (-not (Test-Path $manifestPath)) { Write-Error "Manifest file not found: $manifestPath"; exit 1 }
+        if (-not (Test-Path $signaturePath)) { Write-Error "Signature file not found: $signaturePath"; exit 1 }
+
+        Write-Host "Listing publish folder contents: $root"
+        Get-ChildItem -Recurse $root | Select-Object FullName,Length | Format-Table -AutoSize
+
+        $extraFlags = ''
+        if ('${{ parameters.noVerify }}' -eq 'True') { $extraFlags = "$extraFlags --noVerify" }
+
+        if ('${{ parameters.preRelease }}' -eq 'True') {
+          Write-Host 'Publishing as pre-release'
+          # disabled for now; uncomment when ready
+          npx vsce publish --pat $aadToken --packagePath $vsixPath --manifestPath $manifestPath --signaturePath $signaturePath $extraFlags --pre-release
+        } else {
+          Write-Host 'Publishing as stable release'
+          # disabled for now; uncomment when ready
+          npx vsce publish --pat $aadToken --packagePath $vsixPath --manifestPath $manifestPath --signaturePath $signaturePath $extraFlags
+        }
+
+        if ($LASTEXITCODE -ne 0) {
+          Write-Error "vsce publish failed with exit code $LASTEXITCODE"
+          exit $LASTEXITCODE
+        }
+        Write-Host 'Publish step completed (publish command currently disabled).'
+
+  - task: PowerShell@2
+    displayName: Post-publish summary
+    inputs:
+      targetType: inline
+      script: |
+        Write-Host 'Published extension artifacts:'
+        Get-ChildItem "$(Build.ArtifactStagingDirectory)/${{ parameters.publishFolder }}" -File | Select-Object Name,Length | Format-Table -AutoSize
+        Write-Host "Pre-release parameter: ${{ parameters.preRelease }}"