Use ESRP build, sign, release

CHANGELOG.md

@@ -7,6 +7,8 @@ adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## Unreleased
 
+## v1.5.0
+
 ADDED
 
 - Added `ReplaySafeLogger` and `OrchestrationContext.create_replay_safe_logger()`

durabletask-azuremanaged/CHANGELOG.md

@@ -7,6 +7,9 @@ adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## Unreleased
 
+## v1.5.0
+
+- Updates base dependency to durabletask v1.5.0
 - Added optional `interceptors`, `channel`, and `channel_options` parameters to
   `DurableTaskSchedulerClient`, `AsyncDurableTaskSchedulerClient`, and
   `DurableTaskSchedulerWorker` to allow combining custom gRPC interceptors with

durabletask-azuremanaged/pyproject.toml

@@ -9,7 +9,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "durabletask.azuremanaged"
-version = "1.4.0"
+version = "1.5.0"
 description = "Durable Task Python SDK provider implementation for the Azure Durable Task Scheduler"
 keywords = [
     "durable",
@@ -26,7 +26,7 @@ requires-python = ">=3.10"
 license = {file = "LICENSE"}
 readme = "README.md"
 dependencies = [
-    "durabletask>=1.4.0",
+    "durabletask>=1.5.0",
     "azure-identity>=1.19.0"
 ]
 

eng/ci/official-build.yml

@@ -0,0 +1,55 @@
+variables:
+  - template: ci/variables/cfs.yml@eng
+
+trigger:
+  batch: true
+  branches:
+    include:
+      - main
+
+# CI only, does not trigger on PRs.
+pr: none
+
+schedules:
+  # Build nightly to catch any new CVEs and report SDL often.
+  # We are also required to generate CodeQL reports weekly, so this
+  # helps us meet that.
+  - cron: "0 5 * * *"
+    displayName: Nightly Build
+    branches:
+      include:
+        - main
+    always: true
+
+resources:
+  repositories:
+    - repository: 1es
+      type: git
+      name: 1ESPipelineTemplates/1ESPipelineTemplates
+      ref: refs/tags/release
+    - repository: eng
+      type: git
+      name: engineering
+      ref: refs/tags/release
+
+extends:
+  template: v1/1ES.Official.PipelineTemplate.yml@1es
+  parameters:
+    pool:
+      name: 1es-pool-azfunc
+      image: 1es-ubuntu-22.04
+      os: linux
+      ${{ if eq( variables['Build.Reason'], 'Schedule' ) }}:
+        demands:
+          - Priority -equals Low
+    sdl:
+      sourceAnalysisPool:
+        name: 1es-pool-azfunc
+        image: 1es-windows-2022
+        os: windows
+
+    stages:
+      - stage: BuildAndSign
+        dependsOn: []
+        jobs:
+          - template: /eng/templates/build.yml@self

eng/ci/release.yml

@@ -0,0 +1,85 @@
+pr: none
+trigger: none
+
+resources:
+  repositories:
+    - repository: 1ESPipelineTemplates
+      type: git
+      name: 1ESPipelineTemplates/1ESPipelineTemplates
+      ref: refs/tags/release
+  pipelines:
+    - pipeline: DurableTaskPythonBuildPipeline
+      source: durabletask-python.official
+
+extends:
+  template: v1/1ES.Official.PipelineTemplate.yml@1ESPipelineTemplates
+  parameters:
+    pool:
+      name: 1es-pool-azfunc
+      image: 1es-ubuntu-22.04
+      os: linux
+
+    stages:
+      - stage: release
+        jobs:
+          - job: durabletask
+            displayName: "Release durabletask"
+            templateContext:
+              type: releaseJob
+              isProduction: true
+              inputs:
+                - input: pipelineArtifact
+                  pipeline: DurableTaskPythonBuildPipeline
+                  artifactName: drop
+                  targetPath: $(System.DefaultWorkingDirectory)/drop
+
+            steps:
+              - task: SFP.release-tasks.custom-build-release-task.EsrpRelease@9
+                displayName: "ESRP Release durabletask"
+                inputs:
+                  connectedservicename: "dtfx-internal-esrp-prod"
+                  usemanagedidentity: true
+                  keyvaultname: "durable-esrp-akv"
+                  signcertname: "dts-esrp-cert"
+                  clientid: "0b3ed1a4-0727-4a50-b82a-02c2bd9dec89"
+                  intent: "PackageDistribution"
+                  contenttype: "PyPi"
+                  contentsource: "Folder"
+                  folderlocation: "$(System.DefaultWorkingDirectory)/drop/buildoutputs/durabletask"
+                  waitforreleasecompletion: true
+                  owners: "torosent@microsoft.com"
+                  approvers: "andystaples@microsoft.com;beverst@microsoft.com"
+                  serviceendpointurl: "https://api.esrp.microsoft.com"
+                  mainpublisher: "durabletask-java"
+                  domaintenantid: "33e01921-4d64-4f8c-a055-5bdaffd5e33d"
+
+          - job: durabletask_azuremanaged
+            displayName: "Release durabletask-azuremanaged"
+            templateContext:
+              type: releaseJob
+              isProduction: true
+              inputs:
+                - input: pipelineArtifact
+                  pipeline: DurableTaskPythonBuildPipeline
+                  artifactName: drop
+                  targetPath: $(System.DefaultWorkingDirectory)/drop
+
+            steps:
+              - task: SFP.release-tasks.custom-build-release-task.EsrpRelease@9
+                displayName: "ESRP Release durabletask-azuremanaged"
+                inputs:
+                  connectedservicename: "dtfx-internal-esrp-prod"
+                  usemanagedidentity: true
+                  keyvaultname: "durable-esrp-akv"
+                  signcertname: "dts-esrp-cert"
+                  clientid: "0b3ed1a4-0727-4a50-b82a-02c2bd9dec89"
+                  intent: "PackageDistribution"
+                  contenttype: "PyPi"
+                  contentsource: "Folder"
+                  folderlocation: "$(System.DefaultWorkingDirectory)/drop/buildoutputs/durabletask-azuremanaged"
+                  waitforreleasecompletion: true
+                  owners: "torosent@microsoft.com"
+                  approvers: "andystaples@microsoft.com;beverst@microsoft.com"
+                  serviceendpointurl: "https://api.esrp.microsoft.com"
+                  mainpublisher: "durabletask-java"
+                  domaintenantid: "33e01921-4d64-4f8c-a055-5bdaffd5e33d"

eng/templates/build.yml

@@ -0,0 +1,57 @@
+jobs:
+  - job:
+    templateContext:
+      outputs:
+        - output: pipelineArtifact
+          path: $(Build.ArtifactStagingDirectory)
+          artifact: drop
+          sbomBuildDropPath: "$(System.DefaultWorkingDirectory)"
+          sbomPackageName: "Durable Task Python SBOM"
+
+    steps:
+      - checkout: self
+
+      - task: UsePythonVersion@0
+        displayName: "Use Python 3.12"
+        inputs:
+          versionSpec: "3.12"
+          addToPath: true
+
+      # The 1ES pool is network-isolated, so direct pypi.org access is blocked.
+      # Authenticate pip to an ADO Artifacts feed that proxies PyPI as upstream.
+      - task: PipAuthenticate@1
+        displayName: "Pip Authenticate"
+        inputs:
+          artifactFeeds: "internal/PythonSDK_Internal_PublicPackages"
+
+      # Install build + lint tooling
+      - script: |
+          python -m pip install --upgrade pip
+          python -m pip install build flake8
+        displayName: "Install build tooling"
+
+      # Lint core SDK
+      - script: flake8 .
+        displayName: "flake8: durabletask"
+        workingDirectory: durabletask
+
+      # Lint azuremanaged provider
+      - script: flake8 .
+        displayName: "flake8: durabletask-azuremanaged"
+        workingDirectory: durabletask-azuremanaged
+
+      # Build sdist + wheel for durabletask (core SDK)
+      - script: |
+          python -m build --sdist --wheel --outdir $(Build.ArtifactStagingDirectory)/buildoutputs/durabletask .
+        displayName: "Build durabletask (sdist + wheel)"
+
+      # Build sdist + wheel for durabletask-azuremanaged
+      - script: |
+          python -m build --sdist --wheel --outdir $(Build.ArtifactStagingDirectory)/buildoutputs/durabletask-azuremanaged ./durabletask-azuremanaged
+        displayName: "Build durabletask-azuremanaged (sdist + wheel)"
+
+      # List staged outputs for visibility in logs
+      - script: |
+          ls -la $(Build.ArtifactStagingDirectory)/buildoutputs/durabletask
+          ls -la $(Build.ArtifactStagingDirectory)/buildoutputs/durabletask-azuremanaged
+        displayName: "List build outputs"

pyproject.toml

@@ -9,7 +9,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "durabletask"
-version = "1.4.0"
+version = "1.5.0"
 description = "A Durable Task Client SDK for Python"
 keywords = [
     "durable",