AzureAD
diff --git a/‎.Pipelines/ADO-PUBLISH-SETUP.md‎
Lines changed: 209 additions & 0 deletions b/‎.Pipelines/ADO-PUBLISH-SETUP.md‎
Lines changed: 209 additions & 0 deletions
diff --git a/‎.Pipelines/pipeline-publish.yml‎
Lines changed: 179 additions & 0 deletions b/‎.Pipelines/pipeline-publish.yml‎
Lines changed: 179 additions & 0 deletions
@@ -0,0 +1,209 @@
+# ADO Pipeline Setup Guide — MSAL Python → PyPI
+
+This document describes every step needed to create an Azure DevOps (ADO)
+pipeline that checks out the GitHub repo, runs tests, builds distributions,
+and publishes to test.pypi.org (via the MSAL-Python environment) and PyPI.
+
+The `.Pipelines/` folder follows the same template convention as [MSAL.NET](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/tree/main/build):
+
+| File | Purpose |
+|------|---------|
+| [`pipeline-publish.yml`](pipeline-publish.yml) | Top-level orchestrator — triggers, variables, stage wiring |
+| [`template-run-tests.yml`](template-run-tests.yml) | Reusable step template — pytest across Python version matrix |
+| [`template-build-package.yml`](template-build-package.yml) | Reusable step template — `python -m build` + `twine check` + artifact publish |
+| [`template-publish-package.yml`](template-publish-package.yml) | Reusable step template — `TwineAuthenticate` + `twine upload` (parameterized for MSAL-Python/PyPI) |
+
+---
+
+## Overview
+
+This pipeline is **manually triggered only** — no automatic branch or tag triggers.
+Every publish requires explicitly entering a version and selecting a destination.
+
+| Stage | Trigger | Target |
+|-------|---------|--------|
+| **Validate** | always | asserts `packageVersion` matches `msal/sku.py` |
+| **CI** (tests on Py 3.9–3.13) | after Validate | — |
+| **Build** (sdist + wheel) | after CI | dist artifact |
+| **PublishMSALPython** | `publishTarget = MSAL-Python` | test.pypi.org |
+| **PublishPyPI** | `publishTarget = pypi` | PyPI (production) |
+
+---
+
+## Step 1 — Prerequisites
+
+| Requirement | Notes |
+|-------------|-------|
+| ADO Organization | [Create one](https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/create-organization) if you don't have one |
+| ADO Project | Under the org; enable **Pipelines** and **Artifacts** |
+| GitHub account with admin rights | Needed to authorize the ADO GitHub App |
+| PyPI API token | Scoped to the `msal` project — generate at <https://pypi.org/manage/account/token/> |
+| MSAL-Python (test.pypi.org) API token | Scoped to the `msal` project on test.pypi.org |
+
+---
+
+## Step 2 — Connect ADO to the GitHub Repository
+
+1. In your ADO project go to **Project Settings → Service connections → New service connection**.
+2. Choose **GitHub** and click **Next**.
+3. Select **GitHub App** (recommended) or **Personal Access Token**.
+   - GitHub App: follow the OAuth flow to install the ADO GitHub App on the
+     `AzureAD` organization and grant repository access to
+     `microsoft-authentication-library-for-python`.
+   - PAT: create a GitHub PAT with `repo` scope and paste it here.
+4. Set **Service connection name**: `github-msal-python`
+5. Check **Grant access permission to all pipelines**, click **Save**.
+
+---
+
+## Step 3 — Create PyPI Service Connections (Twine)
+
+The `TwineAuthenticate@1` task uses "Python package upload" service connections
+for external registries.
+
+### 3a — MSAL-Python (test.pypi.org) connection
+
+1. **Project Settings → Service connections → New service connection**
+2. Choose **Python package upload**, click **Next**.
+3. Fill in:
+   | Field | Value |
+   |-------|-------|
+   | **Twine repository URL** | `https://test.pypi.org/legacy/` |
+   | **EndpointName** (`-r` value) | `MSAL-Test-Python-Upload` |
+   | **Username** | `__token__` |
+   | **Password** | *(your test.pypi.org API token, e.g. `pypi-AgA...`)* |
+   | **Service connection name** | `MSAL-Test-Python-Upload` |
+4. Check **Grant access permission to all pipelines**, click **Save**.
+
+### 3b — PyPI (production) connection
+
+1. **Project Settings → Service connections → New service connection**
+2. Choose **Python package upload**, click **Next**.
+3. Fill in:
+   | Field | Value |
+   |-------|-------|
+   | **Twine repository URL** | `https://upload.pypi.org/legacy/` |
+   | **EndpointName** (`-r` value) | `MSAL-Prod-Python-Upload` |
+   | **Username** | `__token__` |
+   | **Password** | *(your PyPI API token)* |
+   | **Service connection name** | `MSAL-Prod-Python-Upload` |
+4. Check **Grant access permission to all pipelines**, click **Save**.
+
+> **Security note:** Never commit API tokens to source control.  All secrets
+> are stored in ADO service connections and injected by `TwineAuthenticate@1`
+> via the ephemeral `$(PYPIRC_PATH)` file at pipeline runtime.
+
+---
+
+## Step 4 — Create ADO Environments
+
+Environments let you add approval gates before the deployment jobs run.
+
+1. Go to **Pipelines → Environments → New environment**.
+2. Create two environments:
+
+   | Name | Description |
+   |------|-------------|
+   | `MSAL-Python` | Staging — test.pypi.org uploads |
+   | `MSAL-Python-Release` | Production — PyPI uploads (**add approval check**) |
+
+3. For the `MSAL-Python-Release` environment:
+   - Click the `MSAL-Python-Release` environment → **Approvals and checks → +**
+   - Add **Approvals** → add the release approver(s) (e.g., release manager).
+   - This ensures a human must approve before the wheel is pushed to production.
+
+---
+
+## Step 5 — Create the Pipeline in ADO
+
+1. Go to **Pipelines → New pipeline**.
+2. Select **GitHub** as the code source.
+3. Pick the repository **AzureAD/microsoft-authentication-library-for-python**.
+   - ADO will use the `github-msal-python` service connection created in Step 2.
+4. Choose **Existing Azure Pipelines YAML file**.
+5. Set the path to: `/.Pipelines/pipeline-publish.yml`
+6. Click **Continue** → review the YAML → click **Save** (not *Run*).
+7. Rename the pipeline to something descriptive, e.g.
+   `msal-python · publish`.
+
+> **Note:** The existing `azure-pipelines.yml` (CI-only, runs on `dev`) is a
+> separate pipeline and is not affected.
+
+---
+
+## Step 6 — Authorize Pipelines to use Service Connections
+
+When the pipeline first uses a service connection you may be prompted to
+authorize it.  To pre-authorize:
+
+1. **Project Settings → Service connections** → click a connection →
+   **Security** tab.
+2. Set the **Pipeline permissions** to include the new publish pipeline.
+
+Repeat for all three connections: `github-msal-python`, `MSAL-Test-Python-Upload`,
+`MSAL-Prod-Python-Upload`.
+
+---
+
+## Step 7 — Pipeline Parameters (Run Pipeline UI)
+
+This pipeline is **always manually queued**. Both fields are required — the Validate stage fails if either is missing or the version doesn’t match `msal/sku.py`:
+
+| Parameter | Required | Description | Example values |
+|-----------|----------|-------------|----------------|
+| **Package version to publish** | ✅ Yes | Must exactly match `msal/sku.py __version__`. | `1.36.0` (release), `1.36.0rc1` (preview) |
+| **Publish target** | ✅ Yes | Explicit destination — no auto-routing. | `MSAL-Python` (test.pypi.org) or `pypi` (production) |
+
+---
+
+## Step 8 — End-to-End Release Walkthrough
+
+### Publishing a preview / release candidate to test.pypi.org
+
+1. Set `msal/sku.py __version__ = "1.36.0rc1"`
+2. Go to **Pipelines → Run pipeline**
+3. Enter `packageVersion = 1.36.0rc1`, select `publishTarget = MSAL-Python`
+4. Click **Run** — pipeline runs: Validate → CI → Build → PublishMSALPython
+5. Verify at <https://test.pypi.org/project/msal/>
+
+### Publishing a production release to PyPI
+
+1. Set `msal/sku.py __version__ = "1.36.0"` and merge to the release branch
+2. Go to **Pipelines → Run pipeline**
+3. Enter `packageVersion = 1.36.0`, select `publishTarget = pypi`
+4. Click **Run** — pipeline runs: Validate → CI → Build → PublishPyPI (approval gate)
+5. Go to **Pipelines → Environments → MSAL-Python-Release** and approve the deployment
+6. Verify: `pip install msal==1.36.0` or check <https://pypi.org/project/msal/>
+
+## Pipeline Trigger Reference
+
+```
+Manual queue (publishTarget = MSAL-Python)
+  └─►  Validate  ─►  CI  ─►  Build  ─►  PublishMSALPython
+                                              (test.pypi.org, auto)
+
+Manual queue (publishTarget = pypi)
+  └─►  Validate  ─►  CI  ─►  Build  ─►  PublishPyPI
+                                              (PyPI, requires approval)
+```
+
+---
+
+## Troubleshooting
+
+| Symptom | Likely cause | Fix |
+|---------|-------------|-----|
+| `403` on twine upload | Token expired or wrong scope | Regenerate API token on pypi.org; update the service connection |
+| `File already exists` error | Version already published; PyPI does not allow overwriting | Bump version in `msal/sku.py` |
+| Pipeline not triggered by tag | ADO only picks up tags after the pipeline is saved with the `tags:` trigger | Re-save the pipeline in ADO after adding the trigger |
+| `TwineAuthenticate` says endpoint not found | Service connection name mismatch | Ensure `pythonUploadServiceConnection` value exactly matches the service connection name |
+
+---
+
+## References
+
+- [Publish Python packages with Azure Pipelines](https://learn.microsoft.com/en-us/azure/devops/pipelines/artifacts/pypi?view=azure-devops)
+- [TwineAuthenticate@1 task reference](https://learn.microsoft.com/en-us/azure/devops/pipelines/tasks/reference/twine-authenticate-v1?view=azure-devops)
+- [Publish and download Python packages with Azure Artifacts](https://learn.microsoft.com/en-us/azure/devops/artifacts/quickstarts/python-packages?view=azure-devops)
+- [Python package upload service connection](https://learn.microsoft.com/en-us/azure/devops/pipelines/library/service-endpoints#python-package-upload-service-connection)
+- [ADO Environments – approvals and checks](https://learn.microsoft.com/en-us/azure/devops/pipelines/process/approvals?view=azure-devops)
@@ -0,0 +1,179 @@
+# pipeline-publish.yml
+#
+# Publish pipeline for the msal Python package.
+# Source: https://github.com/AzureAD/microsoft-authentication-library-for-python
+#
+# Composes reusable templates from this folder:
+#   template-run-tests.yml         - pytest across Python version matrix
+#   template-build-package.yml     - sdist + wheel build + twine check
+#   template-publish-package.yml   - TwineAuthenticate + twine upload (parameterized)
+#
+# Trigger logic:
+#   This pipeline is MANUALLY TRIGGERED ONLY.
+#   Both packageVersion and publishTarget must be explicitly set at queue time.
+#
+# One-time ADO setup: see ADO-PUBLISH-SETUP.md
+
+# ── Pipeline parameters ────────────────────────────────────────────────────────
+# Both fields are shown as required inputs in the ADO "Run pipeline" UI.
+# Neither has a default — the Validate stage will fail if either is empty or
+# if packageVersion does not match msal/sku.py __version__.
+parameters:
+- name: packageVersion
+  displayName: 'Package version to publish (must match msal/sku.py, e.g. 1.36.0 or 1.36.0rc1)'
+  type: string
+
+- name: publishTarget
+  displayName: 'Publish target'
+  type: string
+  values:
+  - MSAL-Python   # publishes to test.pypi.org (staging / preview)
+  - pypi          # publishes to PyPI (production)
+
+trigger: none    # manual runs only — no automatic branch or tag triggers
+pr: none
+
+variables:
+  pythonBuildVersion: '3.12'    # single version used for build + publish jobs
+
+# ══════════════════════════════════════════════════════════════════════════════
+# Stage 1 · Validate — verify packageVersion matches msal/sku.py before
+#           anything else runs.
+# ══════════════════════════════════════════════════════════════════════════════
+stages:
+- stage: Validate
+  displayName: 'Validate version'
+  jobs:
+  - job: ValidateVersion
+    displayName: 'Assert packageVersion matches msal/sku.py'
+    pool:
+      vmImage: ubuntu-latest
+    steps:
+    - task: UsePythonVersion@0
+      inputs:
+        versionSpec: '3.12'
+      displayName: 'Use Python 3.12'
+
+    - bash: |
+        PARAM_VER="${{ parameters.packageVersion }}"
+        SKU_VER=$(python -c "import sys; sys.path.insert(0,'msal'); from sku import __version__; print(__version__)")
+
+        if [ -z "$PARAM_VER" ]; then
+          echo "##vso[task.logissue type=error]packageVersion is required. Enter the version to publish (must match msal/sku.py __version__)."
+          exit 1
+        elif [ "$PARAM_VER" != "$SKU_VER" ]; then
+          echo "##vso[task.logissue type=error]Version mismatch: parameter '$PARAM_VER' != msal/sku.py '$SKU_VER'"
+          echo "Update msal/sku.py __version__ to match the packageVersion parameter, or correct the parameter."
+          exit 1
+        else
+          echo "Version validated: $PARAM_VER"
+        fi
+      displayName: 'Validate version matches msal/sku.py'
+
+# ══════════════════════════════════════════════════════════════════════════════
+# Stage 2 · CI — run the full test matrix
+# ══════════════════════════════════════════════════════════════════════════════
+- stage: CI
+  displayName: 'Test'
+  dependsOn: Validate
+  condition: succeeded()
+  jobs:
+  - job: Test
+    displayName: 'pytest – Python $(python.version)'
+    pool:
+      vmImage: ubuntu-latest
+    strategy:
+      matrix:
+        Python39:
+          python.version: '3.9'
+        Python310:
+          python.version: '3.10'
+        Python311:
+          python.version: '3.11'
+        Python312:
+          python.version: '3.12'
+        Python313:
+          python.version: '3.13'
+    steps:
+    - template: template-run-tests.yml      # python.version resolved from matrix
+
+# ══════════════════════════════════════════════════════════════════════════════
+# Stage 3 · Build — compile sdist + wheel (single Python version)
+# ══════════════════════════════════════════════════════════════════════════════
+- stage: Build
+  displayName: 'Build distribution'
+  dependsOn: CI
+  condition: succeeded()
+  jobs:
+  - job: BuildDist
+    displayName: 'Build sdist + wheel'
+    pool:
+      vmImage: ubuntu-latest
+    steps:
+    - template: template-build-package.yml
+      parameters:
+        pythonVersion: '3.12'     # must be a literal — template params resolve at compile time
+        artifactName: python-dist
+
+# ══════════════════════════════════════════════════════════════════════════════
+# Stage 4a · Publish to MSAL-Python (test.pypi.org)
+#   Runs when: publishTarget == 'MSAL-Python'
+# ══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
+- stage: PublishMSALPython
+  displayName: 'Publish → MSAL-Python (test.pypi.org)'
+  dependsOn: Build
+  condition: >
+    and(
+      succeeded(),
+      eq('${{ parameters.publishTarget }}', 'MSAL-Python')
+    )
+  jobs:
+  - deployment: DeployMSALPython
+    displayName: 'Upload to MSAL-Python (test.pypi.org)'
+    pool:
+      vmImage: ubuntu-latest
+    # Optional: add approval checks in ADO → Pipelines → Environments → MSAL-Python
+    environment: MSAL-Python
+    strategy:
+      runOnce:
+        deploy:
+          steps:
+          - template: template-publish-package.yml
+            parameters:
+              serviceConnectionName: MSAL-Test-Python-Upload
+              repositoryName: MSAL-Test-Python-Upload
+              artifactName: python-dist
+              pythonVersion: '3.12'     # must be a literal — template params resolve at compile time
+              skipExisting: true
+
+# ══════════════════════════════════════════════════════════════════════════════
+# Stage 4b · Publish to PyPI
+#   Runs when: publishTarget == 'pypi'
+# ══════════════════════════════════════════════════════════════════════════════
+- stage: PublishPyPI
+  displayName: 'Publish → PyPI'
+  dependsOn: Build
+  condition: >
+    and(
+      succeeded(),
+      eq('${{ parameters.publishTarget }}', 'pypi')
+    )
+  jobs:
+  - deployment: DeployPyPI
+    displayName: 'Upload to PyPI'
+    pool:
+      vmImage: ubuntu-latest
+    # IMPORTANT: configure a required manual approval on this environment in
+    # ADO → Pipelines → Environments → MSAL-Python-Release → Approvals and checks.
+    environment: MSAL-Python-Release
+    strategy:
+      runOnce:
+        deploy:
+          steps:
+          - template: template-publish-package.yml
+            parameters:
+              serviceConnectionName: MSAL-Prod-Python-Upload
+              repositoryName: MSAL-Prod-Python-Upload
+              artifactName: python-dist
+              pythonVersion: '3.12'     # must be a literal — template params resolve at compile time
+              skipExisting: false