Resolved comments

4gust · 4gust · commit 6e3e6ad9eb45 · 2026-05-21T22:45:58.000+01:00
diff --git a/.Pipelines/CI-AND-RELEASE-PIPELINES.md b/.Pipelines/CI-AND-RELEASE-PIPELINES.md
@@ -41,7 +41,7 @@ PreBuildCheck ─► UnitTests ─► E2ETests ─► Benchmark (post-merge to d
 |-------|-------------|-------------|
 | **PreBuildCheck** | Runs SDL security scans: PoliCheck (policy/offensive content), CredScan (leaked credentials), and PostAnalysis (breaks the build on findings) | Always |
 | **UnitTests** | Runs the unit test suite on Python 3.9, 3.10, 3.11, 3.12, 3.13, and 3.14 (no Key Vault required) | After PreBuildCheck |
-| **E2ETests** | Fetches the MSID Lab certificate from Key Vault and runs `tests/test_e2e.py` + `tests/test_fmi_e2e.py` on the same Python matrix. Skipped on forked PRs (no Key Vault access). | After UnitTests |
+| **E2ETests** | Fetches the MSID Lab certificate from Key Vault and runs `tests/test_e2e.py` + `tests/test_fmi_e2e.py` on the same Python matrix. On forked PRs the stage still runs, but the Key Vault tasks are skipped and the E2E tests self-skip (because `LAB_APP_CLIENT_CERT_PFX_PATH` is unset), so the stage reports green with all E2E tests marked Skipped in the Tests tab. | After UnitTests |
 | **Benchmark** | Runs performance benchmarks on Python 3.9 and publishes `benchmark-results` artifact | Post-merge pushes to `dev` and manual runs only |
 
 The `Validate` stage is **skipped** on PR/CI runs (it only applies to release builds).
diff --git a/.Pipelines/pipeline-publish.yml b/.Pipelines/pipeline-publish.yml
@@ -44,7 +44,7 @@ stages:
 - stage: Build
   displayName: 'Build package'
   dependsOn: E2ETests
-  condition: in(dependencies.E2ETests.result, 'Succeeded', 'SucceededWithIssues')
+  condition: eq(dependencies.E2ETests.result, 'Succeeded')
   jobs:
   - job: BuildDist
     displayName: 'Build sdist + wheel (Python 3.12)'
@@ -83,7 +83,7 @@ stages:
   dependsOn: Build
   condition: >
     and(
-      in(dependencies.Build.result, 'Succeeded', 'SucceededWithIssues'),
+      eq(dependencies.Build.result, 'Succeeded'),
       eq('${{ parameters.publishTarget }}', 'test.pypi.org (Preview / RC)')
     )
   jobs:
@@ -140,7 +140,7 @@ stages:
   dependsOn: Build
   condition: >
     and(
-      in(dependencies.Build.result, 'Succeeded', 'SucceededWithIssues'),
+      eq(dependencies.Build.result, 'Succeeded'),
       eq('${{ parameters.publishTarget }}', 'pypi.org (ESRP Production)')
     )
   jobs:
diff --git a/.Pipelines/template-pipeline-stages.yml b/.Pipelines/template-pipeline-stages.yml
@@ -178,14 +178,22 @@ stages:
         PYTHONUNBUFFERED: '1'
 
     # Run cryptography version-gating tests separately as a warning-only check.
+    # These tests fail whenever a new `cryptography` release ships (signalling a
+    # required ceiling bump in setup.cfg). We deliberately swallow the non-zero
+    # exit code with `|| true` so the step always succeeds at the shell level —
+    # this keeps the stage result as 'Succeeded' (not 'SucceededWithIssues') so
+    # downstream publish gates can stay strict. Failures are still surfaced as
+    # JUnit test failures in the Tests tab via PublishTestResults below
+    # (failTaskOnFailedTests: false), giving maintainers visibility without
+    # blocking unrelated PRs or releases.
     - bash: |
         pytest -vv \
           --timeout=60 \
           tests/test_cryptography.py::CryptographyTestCase::test_ceiling_should_be_latest_cryptography_version_plus_three \
           tests/test_cryptography.py::CryptographyTestCase::test_should_be_run_with_latest_version_of_cryptography \
-          --junitxml=test-results/junit-crypto-ceiling.xml
+          --junitxml=test-results/junit-crypto-ceiling.xml \
+          || true
       displayName: 'Check cryptography ceiling (warning only)'
-      continueOnError: true
       env:
         PYTHONUNBUFFERED: '1'
 
@@ -211,13 +219,17 @@ stages:
 # Stage 3 · E2ETests — runs only if unit tests pass. Fetches the MSID Lab
 #           certificate from Key Vault (mirrors MSAL.NET's
 #           build/template-install-keyvault-secrets.yaml).
-#           Skipped on forked PRs — service connections / Key Vault are not
-#           available to forks. E2E tests self-skip when
-#           LAB_APP_CLIENT_CERT_PFX_PATH is unset.
-# ══════════════════════════════════════════════════════════════════════════════
+#           Fork behaviour: the stage still runs on forked PRs, but the
+#           Key Vault retrieval and certificate decoding steps are skipped
+#           via `ne(System.PullRequest.IsFork, 'True')`. The pytest step then
+#           self-skips each test because LAB_APP_CLIENT_CERT_PFX_PATH is unset
+#           (see tests/test_e2e.py). Result: green stage on forks with all
+#           E2E tests reported as Skipped in the Tests tab.
+# ═══════════════════════════════════════════════════════════════════════════
 - stage: E2ETests
   displayName: 'E2E tests'
   dependsOn: UnitTests
+
   condition: eq(dependencies.UnitTests.result, 'Succeeded')
   jobs:
   - job: Pytest
diff --git a/.github/workflows/python-package.yml b/.github/workflows/python-package.yml
@@ -78,5 +78,4 @@ jobs:
           --benchmark-skip \
           --ignore=tests/test_e2e.py \
           --ignore=tests/test_e2e_manual.py \
-          --ignore=tests/test_fmi_e2e.py \
-          --ignore=tests/test_client_obtain_token_by_browser.py
+          --ignore=tests/test_fmi_e2e.py
