Switch ESRP Production publish stage to EsrpRelease@9 on windows-latest

RyAuld · RyAuld · commit 2dd89f5a53db · 2026-03-30T10:45:03.000-07:00
diff --git a/.Pipelines/pipeline-publish.yml b/.Pipelines/pipeline-publish.yml
@@ -126,8 +126,10 @@ stages:
 
 # ══════════════════════════════════════════════════════════════════════════════
 # Stage 4b · Publish to PyPI (ESRP Production)
+#   Uses EsrpRelease@9 via the MSAL-ESRP-AME service connection.
 #   IMPORTANT: configure a required manual approval on this environment in
 #   ADO → Pipelines → Environments → MSAL-Python-Release → Approvals and checks.
+#   IMPORTANT: EsrpRelease@9 requires a Windows agent.
 # ══════════════════════════════════════════════════════════════════════════════
 - stage: PublishPyPI
   displayName: 'Publish to PyPI (ESRP Production)'
@@ -139,9 +141,9 @@ stages:
     )
   jobs:
   - deployment: DeployPyPI
-    displayName: 'Upload to pypi.org'
+    displayName: 'Upload to PyPI via ESRP'
     pool:
-      vmImage: ubuntu-latest
+      vmImage: windows-latest
     environment: MSAL-Python-Release
     strategy:
       runOnce:
@@ -153,23 +155,21 @@ stages:
               artifactName: python-dist
               targetPath: $(Pipeline.Workspace)/python-dist
 
-          - task: UsePythonVersion@0
-            inputs:
-              versionSpec: '3.12'
-            displayName: 'Use Python 3.12'
-
-          - script: |
-              python -m pip install --upgrade pip twine
-            displayName: 'Install twine'
-
-          - task: TwineAuthenticate@1
-            displayName: 'Authenticate with MSAL-Prod-Python-Upload'
+          - task: EsrpRelease@9
+            displayName: 'Publish to PyPI via ESRP'
             inputs:
-              pythonUploadServiceConnection: MSAL-Prod-Python-Upload
-
-          - script: |
-              python -m twine upload \
-                -r "MSAL-Prod-Python-Upload" \
-                --config-file $(PYPIRC_PATH) \
-                $(Pipeline.Workspace)/python-dist/*
-            displayName: 'Upload to PyPI (ESRP Production)'
+              connectedservicename: 'MSAL-ESRP-AME'
+              usemanagedidentity: true
+              keyvaultname: 'MSALVault'
+              signcertname: 'MSAL-ESRP-Release-Signing'
+              clientid: '8650ce2b-38d4-466a-9144-bc5c19c88112'
+              intent: 'PackageDistribution'
+              contenttype: 'PyPi'
+              contentsource: 'Folder'
+              folderlocation: '$(Pipeline.Workspace)/python-dist'
+              waitforreleasecompletion: true
+              owners: 'ryauld@microsoft.com;avdunn@microsoft.com'
+              approvers: 'avdunn@microsoft.com;bogavril@microsoft.com'
+              serviceendpointurl: 'https://api.esrp.microsoft.com'
+              mainpublisher: 'ESRPRELPACMAN'
+              domaintenantid: '33e01921-4d64-4f8c-a055-5bdaffd5e33d'
