Fix editable install: add --no-build-isolation; add lab cert retrieval for e2e tests

RyAuld · RyAuld · commit c5a2192fd8fa · 2026-03-19T15:17:19.000-07:00
diff --git a/.Pipelines/template-install-lab-cert.yml b/.Pipelines/template-install-lab-cert.yml
@@ -0,0 +1,32 @@
+# template-install-lab-cert.yml
+#
+# Retrieves the MSID Lab authentication certificate from Key Vault and writes
+# it to disk as a PFX file, then exposes the path as a pipeline variable so
+# the test step can pass it via LAB_APP_CLIENT_CERT_PFX_PATH.
+#
+# Prerequisites (one-time ADO setup):
+#   - Service connection 'AuthSdkResourceManager' must exist in the project and
+#     have 'Get' and 'List' access to the 'msidlabs' Key Vault.
+#   - Pipeline variable 'LAB_APP_CLIENT_ID' must be set on the pipeline
+#     (ADO UI: Pipelines -> MSAL-Python Publish -> Edit -> Variables).
+#
+# The 'LabAuth' secret in msidlabs Key Vault is a base64-encoded PFX
+# certificate used to authenticate to both the msidlabs and id4skeyvault
+# Key Vaults during e2e tests.
+
+steps:
+- task: AzureKeyVault@2
+  displayName: 'Retrieve lab certificate from Key Vault'
+  inputs:
+    azureSubscription: 'AuthSdkResourceManager'
+    KeyVaultName: 'msidlabs'
+    SecretsFilter: 'LabAuth'
+    RunAsPreJob: false
+
+- bash: |
+    set -euo pipefail
+    CERT_PATH="$(Build.SourcesDirectory)/lab-auth.pfx"
+    printf '%s' "$(LabAuth)" | base64 -d > "$CERT_PATH"
+    echo "##vso[task.setvariable variable=LAB_APP_CLIENT_CERT_PFX_PATH]$CERT_PATH"
+    echo "Lab cert written to: $CERT_PATH ($(wc -c < "$CERT_PATH") bytes)"
+  displayName: 'Write lab certificate to disk'
diff --git a/.Pipelines/template-run-tests.yml b/.Pipelines/template-run-tests.yml
@@ -10,6 +10,10 @@
 #   - template: .Pipelines/template-run-tests.yml
 
 steps:
+# Retrieve the MSID Lab certificate used by e2e tests to authenticate to
+# msidlabs and id4skeyvault Key Vaults. Sets LAB_APP_CLIENT_CERT_PFX_PATH.
+- template: template-install-lab-cert.yml
+
 - task: UsePythonVersion@0
   inputs:
     versionSpec: '$(python.version)'
@@ -18,7 +22,7 @@ steps:
 - script: |
     python -m pip install --upgrade pip
     grep -v '^-e' requirements.txt | pip install -r /dev/stdin
-    pip install -e . --no-deps
+    pip install -e . --no-deps --no-build-isolation
   displayName: 'Install dependencies'
 
 # Use bash: (not script:) so set -o pipefail works — script: uses /bin/sh on Linux
@@ -29,6 +33,9 @@ steps:
     set -o pipefail
     pytest -vv --junitxml=test-results/junit.xml 2>&1 | tee test-results/pytest.log
   displayName: 'Run tests'
+  env:
+    LAB_APP_CLIENT_ID: $(LAB_APP_CLIENT_ID)
+    LAB_APP_CLIENT_CERT_PFX_PATH: $(LAB_APP_CLIENT_CERT_PFX_PATH)
 
 - task: PublishTestResults@2
   displayName: 'Publish test results'
