Address Copilot review comments: Node LTS, cert gate+cleanup, pipefail comment, Build condition, explicit artifact download, prereq docs

Author: RyAuld

.Pipelines/ADO-PUBLISH-SETUP.md

@@ -10,6 +10,7 @@ The `.Pipelines/` folder follows the same template convention as [MSAL.NET](http
 |------|---------|
 | [`pipeline-publish.yml`](pipeline-publish.yml) | Thin top-level wrapper — triggers, parameters, calls `template-pipeline-stages.yml` with `runPublish: true` |
 | [`template-pipeline-stages.yml`](template-pipeline-stages.yml) | Shared stages template — Validate, CI, Build, Publish stages; reusable by PR-gate and post-merge CI pipelines |
+| [`credscan-exclusion.json`](credscan-exclusion.json) | CredScan suppression file — suppresses known false positives for test fixture files (`certificate-with-password.pfx`, `test_mi.py`) |
 
 ---
 
@@ -35,9 +36,11 @@ Every publish requires explicitly entering a version and selecting a destination
 |-------------|-------|
 | ADO Organization | [Create one](https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/create-organization) if you don't have one |
 | ADO Project | Under the org; enable **Pipelines** and **Artifacts** |
+| [Secure Development Tools](https://marketplace.visualstudio.com/items?itemName=securedevelopmentteam.vss-secure-development-tools) extension | Must be installed in the ADO organization — required for the PreBuildCheck stage (PoliCheck, CredScan, PostAnalysis tasks) |
 | GitHub account with admin rights | Needed to authorize the ADO GitHub App |
 | PyPI API token | Scoped to the `msal` project — generate at <https://pypi.org/manage/account/token/> |
 | MSAL-Python (test.pypi.org) API token | Scoped to the `msal` project on test.pypi.org |
+| `AuthSdkResourceManager` Azure service connection *(optional)* | Required only if `LAB_APP_CLIENT_ID` is set to enable e2e tests. ARM service connection with **Get** access to the `LabAuth` secret in the `msidlabs` Key Vault. When not set, the Key Vault steps are automatically skipped. |
 
 ---
 

.Pipelines/template-pipeline-stages.yml

@@ -49,9 +49,9 @@ stages:
       Codeql.SkipTaskAutoInjection: true
     steps:
     - task: NodeTool@0
-      displayName: 'Install NPM'
+      displayName: 'Install Node.js (includes npm)'
       inputs:
-        versionSpec: '16.x'
+        versionSpec: 'lts/*'
 
     - task: securedevelopmentteam.vss-secure-development-tools.build-task-policheck.PoliCheck@2
       displayName: 'Run PoliCheck'
@@ -143,12 +143,11 @@ stages:
           python.version: '3.14'
     steps:
     # Retrieve the MSID Lab certificate from Key Vault (via AuthSdkResourceManager SC).
-    # The cert is written to disk and LAB_APP_CLIENT_CERT_PFX_PATH is set as a variable.
-    # Kept for when e2e tests are fully enabled on a lab-capable agent pool.
-    # Prerequisites: service connection 'AuthSdkResourceManager' with Get/List access
-    # to the 'msidlabs' Key Vault. The 'LabAuth' secret is a base64-encoded PFX.
+    # Gated on LAB_APP_CLIENT_ID being non-empty — if e2e tests are not enabled (the default),
+    # both steps are skipped and the pipeline has no Key Vault dependency.
     - task: AzureKeyVault@2
       displayName: 'Retrieve lab certificate from Key Vault'
+      condition: and(succeeded(), ne(variables['LAB_APP_CLIENT_ID'], ''))
       inputs:
         azureSubscription: 'AuthSdkResourceManager'
         KeyVaultName: 'msidlabs'
@@ -157,11 +156,12 @@ stages:
 
     - bash: |
         set -euo pipefail
-        CERT_PATH="$(Build.SourcesDirectory)/lab-auth.pfx"
+        CERT_PATH="$(Agent.TempDirectory)/lab-auth.pfx"
         printf '%s' "$(LabAuth)" | base64 -d > "$CERT_PATH"
         echo "##vso[task.setvariable variable=LAB_APP_CLIENT_CERT_PFX_PATH]$CERT_PATH"
         echo "Lab cert written to: $CERT_PATH ($(wc -c < "$CERT_PATH") bytes)"
       displayName: 'Write lab certificate to disk'
+      condition: and(succeeded(), ne(variables['LAB_APP_CLIENT_ID'], ''))
 
     - task: UsePythonVersion@0
       inputs:
@@ -173,9 +173,9 @@ stages:
         pip install -r requirements.txt
       displayName: 'Install dependencies'
 
-    # Use bash: (not script:) so set -o pipefail works — script: uses /bin/sh on
-    # Linux which does not support pipefail; without it, tee always exits 0,
-    # masking test failures.
+    # Use bash: explicitly; set -o pipefail so that pytest failures aren't hidden by the pipe to tee.
+    # Without pipefail, tee exits 0 and the step can succeed even when tests fail.
+    # (set -o pipefail also works in script: steps, but bash: makes the shell choice explicit.)
     - bash: |
         pip install pytest pytest-azurepipelines
         mkdir -p test-results
@@ -201,13 +201,17 @@ stages:
         failTaskOnFailedTests: true
         testRunTitle: 'Python $(python.version)'
 
+    - bash: rm -f "$(Agent.TempDirectory)/lab-auth.pfx"
+      displayName: 'Clean up lab certificate'
+      condition: and(always(), ne(variables['LAB_APP_CLIENT_ID'], ''))
+
 # ══════════════════════════════════════════════════════════════════════════════
 # Stage 3 · Build — build sdist + wheel (release only)
 # ══════════════════════════════════════════════════════════════════════════════
 - stage: Build
   displayName: 'Build package'
   dependsOn: CI
-  condition: and(eq(dependencies.CI.result, 'Succeeded'), eq('${{ parameters.runPublish }}', 'true'))
+  condition: and(eq(dependencies.CI.result, 'Succeeded'), eq(${{ parameters.runPublish }}, true))
   jobs:
   - job: BuildDist
     displayName: 'Build sdist + wheel (Python 3.12)'
@@ -260,6 +264,12 @@ stages:
       runOnce:
         deploy:
           steps:
+          - task: DownloadPipelineArtifact@2
+            displayName: 'Download python-dist artifact'
+            inputs:
+              artifactName: python-dist
+              targetPath: $(Pipeline.Workspace)/python-dist
+
           - task: UsePythonVersion@0
             inputs:
               versionSpec: '3.12'
@@ -307,6 +317,12 @@ stages:
       runOnce:
         deploy:
           steps:
+          - task: DownloadPipelineArtifact@2
+            displayName: 'Download python-dist artifact'
+            inputs:
+              artifactName: python-dist
+              targetPath: $(Pipeline.Workspace)/python-dist
+
           - task: UsePythonVersion@0
             inputs:
               versionSpec: '3.12'