Merge branch 'main' into genetic-kangaroo

Author: eleanorjboyd

build/azure-pipeline.npm.yml

@@ -20,7 +20,12 @@ parameters:
       - preview
 
   - name: publishPackage
-    displayName: 🚀 Publish to npm
+    displayName: 🚀 Publish npm
+    type: boolean
+    default: false
+
+  - name: publishToConsumptionFeed
+    displayName: 📡 Publish to msft_consumption feed
     type: boolean
     default: false
 
@@ -32,7 +37,7 @@ parameters:
           versionSpec: '22.21.1'
         displayName: Select Node version
 
-      - script: npm ci
+      - script: npm install
         workingDirectory: $(Build.SourcesDirectory)/pythonEnvironmentsApi
         displayName: Install package dependencies
 
@@ -56,6 +61,18 @@ variables:
       value: next
     ${{ else }}:
       value: latest
+  - name: AzureArtifactsFeedUrl
+    value: 'https://pkgs.dev.azure.com/azure-public/vside/_packaging/python-environments/npm/registry/'
+  # Same URL without the https:// prefix (used in .npmrc auth lines)
+  - name: AzureArtifactsFeedUrlNoProtocol
+    value: 'pkgs.dev.azure.com/azure-public/vside/_packaging/python-environments/npm/registry/'
+  # Managed Identity service connection for Azure Artifacts auth (shared with Pylance)
+  - name: AzureServiceConnection
+    value: 'PylanceSecureVsIdePublishWithManagedIdentity'
+  - name: ConsumptionFeedUrl
+    value: 'https://pkgs.dev.azure.com/azure-public/vside/_packaging/msft_consumption/npm/registry/'
+  - name: ConsumptionFeedUrlNoProtocol
+    value: 'pkgs.dev.azure.com/azure-public/vside/_packaging/msft_consumption/npm/registry/'
 
 extends:
   template: azure-pipelines/MicroBuild.1ES.Official.yml@MicroBuildTemplate
@@ -68,7 +85,8 @@ extends:
         enabled: true
     pool:
       name: AzurePipelines-EO
-      os: windows
+      image: 1ESPT-Ubuntu22.04
+      os: linux
 
     customBuildTags:
       - ES365AIMigrationTooling
@@ -79,6 +97,11 @@ extends:
         jobs:
           - job: BuildPackage
             displayName: Build npm package
+            templateContext:
+              outputs:
+                - output: pipelineArtifact
+                  targetPath: $(Build.ArtifactStagingDirectory)
+                  artifactName: npm-package
             steps:
               - ${{ each step in parameters.buildSteps }}:
                   - ${{ step }}
@@ -90,39 +113,112 @@ extends:
                   contents: '*.tgz'
                   targetFolder: $(Build.ArtifactStagingDirectory)
 
-              - task: 1ES.PublishBuildArtifacts@1
-                displayName: Publish build artifact
-                inputs:
-                  pathToPublish: $(Build.ArtifactStagingDirectory)
-                  artifactName: npm-package
-
       - stage: Publish
-        displayName: Publish to npm
+        displayName: Publish to Azure Artifacts
         dependsOn: Build
         condition: and(succeeded(), eq('${{ parameters.publishPackage }}', 'true'))
         jobs:
           - job: PublishPackage
             displayName: Publish $(PackageName)
-            steps:
-              - task: DownloadBuildArtifacts@1
-                displayName: Download build artifact
-                inputs:
-                  buildType: current
-                  downloadType: single
+            templateContext:
+              type: releaseJob
+              isProduction: true
+              inputs:
+                - input: pipelineArtifact
                   artifactName: npm-package
-                  downloadPath: $(Build.ArtifactStagingDirectory)
+                  targetPath: $(Pipeline.Workspace)/npm-package
+            steps:
+              - checkout: none
 
               - task: NodeTool@0
                 inputs:
                   versionSpec: '22.21.1'
                 displayName: Select Node version
 
-              - bash: echo '//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}' > .npmrc
-                workingDirectory: $(Build.SourcesDirectory)/pythonEnvironmentsApi
-                displayName: Configure npm auth
+              # Acquire a short-lived AAD token via Managed Identity (no stored secrets)
+              # SEE https://eng.ms/docs/cloud-ai-platform/devdiv/one-engineering-system-1es/1es-docs/1es-security-configuration/configuration-guides/pat-burndown-guidance
+              - task: AzureCLI@2
+                displayName: Acquire AAD token via Managed Identity
+                inputs:
+                  azureSubscription: '$(AzureServiceConnection)'
+                  scriptType: 'pscore'
+                  scriptLocation: 'inlineScript'
+                  inlineScript: |
+                    $token = az account get-access-token --query accessToken --resource 499b84ac-1321-427f-aa17-267ca6975798 -o tsv
+                    Write-Host "##vso[task.setvariable variable=AzdoToken;issecret=true]$token"
+
+              - powershell: |
+                  @"
+                  registry=$(AzureArtifactsFeedUrl)
+                  always-auth=true
+                  "@ | Out-File -FilePath .npmrc
+
+                  @"
+                  ; begin auth token
+                  //$(AzureArtifactsFeedUrlNoProtocol):username=VssSessionToken
+                  //$(AzureArtifactsFeedUrlNoProtocol):_authToken=$env:AZDO_TOKEN
+                  //$(AzureArtifactsFeedUrlNoProtocol):email=not-used@example.com
+                  ; end auth token
+                  "@ | Out-File -FilePath $HOME/.npmrc
+                env:
+                  AZDO_TOKEN: $(AzdoToken)
+                displayName: Create .npmrc files
+
+              - powershell: |
+                  $tgz = Get-ChildItem "$(Pipeline.Workspace)/npm-package/*.tgz" | Select-Object -First 1
+                  if (-not $tgz) {
+                      Write-Error "No .tgz file found in $(Pipeline.Workspace)/npm-package/"
+                      exit 1
+                  }
+                  Write-Host "Publishing: $($tgz.FullName)"
+                  if ("$(npmTag)" -eq "next") {
+                      npm publish $tgz.FullName --registry $(AzureArtifactsFeedUrl) --tag next --ignore-scripts
+                  } else {
+                      npm publish $tgz.FullName --registry $(AzureArtifactsFeedUrl) --ignore-scripts
+                  }
+                displayName: npm publish (${{ parameters.quality }})
+
+      - stage: PublishConsumption
+        displayName: Publish package to msft_consumption feed
+        dependsOn: Publish
+        condition: and(not(failed()), eq('${{ parameters.publishToConsumptionFeed }}', 'true'))
+        jobs:
+          - job: PullToConsumption
+            displayName: Pull $(PackageName) to msft_consumption
+            steps:
+              - checkout: none
+
+              - task: NodeTool@0
+                inputs:
+                  versionSpec: '22.21.1'
+                displayName: Select Node version
 
-              - bash: npm publish $(Build.ArtifactStagingDirectory)/npm-package/*.tgz --tag $(npmTag) --access public
-                displayName: Publish to npm (${{ parameters.quality }})
-                workingDirectory: $(Build.SourcesDirectory)/pythonEnvironmentsApi
+              - task: AzureCLI@2
+                displayName: Acquire AAD token via Managed Identity
+                inputs:
+                  azureSubscription: '$(AzureServiceConnection)'
+                  scriptType: 'pscore'
+                  scriptLocation: 'inlineScript'
+                  inlineScript: |
+                    $token = az account get-access-token --query accessToken --resource 499b84ac-1321-427f-aa17-267ca6975798 -o tsv
+                    Write-Host "##vso[task.setvariable variable=AzdoToken;issecret=true]$token"
+
+              - powershell: |
+                  @"
+                  registry=$(ConsumptionFeedUrl)
+                  always-auth=true
+                  "@ | Out-File -FilePath .npmrc
+
+                  @"
+                  ; begin auth token
+                  //$(ConsumptionFeedUrlNoProtocol):username=VssSessionToken
+                  //$(ConsumptionFeedUrlNoProtocol):_authToken=$env:AZDO_TOKEN
+                  //$(ConsumptionFeedUrlNoProtocol):email=not-used@example.com
+                  ; end auth token
+                  "@ | Out-File -FilePath $HOME/.npmrc
                 env:
-                  NODE_AUTH_TOKEN: $(NpmAuthToken)
+                  AZDO_TOKEN: $(AzdoToken)
+                displayName: Create .npmrc files
+
+              - script: npm i -g $(PackageName)@$(npmTag) --registry $(ConsumptionFeedUrl)
+                displayName: Pull to msft_consumption

build/azure-pipeline.stable.yml

@@ -112,7 +112,7 @@ extends:
           project: 'Monaco'
           definition: 593
           buildVersionToDownload: 'latestFromBranch'
-          branchName: 'refs/heads/release/2026.2'
+          branchName: 'refs/heads/release/2026.4'
           targetPath: '$(Build.SourcesDirectory)/python-env-tools/bin'
           artifactName: 'bin-$(buildTarget)'
           itemPattern: |

package-lock.json

@@ -2,7 +2,7 @@
     "name": "vscode-python-envs",
     "displayName": "Python Environments",
     "description": "Provides a unified python environment experience",
-    "version": "1.21.0",
+    "version": "1.23.0",
     "publisher": "ms-python",
     "preview": true,
     "engines": {

package.json

@@ -34,6 +34,7 @@
         "clean": "node -e \"const fs = require('fs'); fs.rmSync('./out', { recursive: true, force: true });\""
     },
     "devDependencies": {
+        "@types/node": "^22.0.0",
         "@types/vscode": "^1.99.0",
         "typescript": "^5.1.3"
     }

pythonEnvironmentsApi/package.json

@@ -33,6 +33,7 @@ import {
     AutoActivationType,
     getAutoActivationType,
     getEnvironmentForTerminal,
+    shouldActivateInCurrentTerminal,
     waitForShellIntegration,
 } from './utils';
 
@@ -405,8 +406,21 @@ export class TerminalManagerImpl implements TerminalManager {
 
     public async initialize(api: PythonEnvironmentApi): Promise<void> {
         const actType = getAutoActivationType();
+
+        // When activateEnvInCurrentTerminal is explicitly false,
+        // skip activation for ALL pre-existing terminals (terminals open before extension load).
+        // New terminals opened after extension load are still activated via autoActivateOnTerminalOpen.
+        const skipPreExistingTerminals = !shouldActivateInCurrentTerminal() && terminals().length > 0;
+        if (skipPreExistingTerminals) {
+            traceVerbose(
+                'python.terminal.activateEnvInCurrentTerminal is explicitly disabled, skipping activation for pre-existing terminals',
+            );
+        }
+
         if (actType === ACT_TYPE_COMMAND) {
-            await Promise.all(terminals().map(async (t) => this.activateUsingCommand(api, t)));
+            if (!skipPreExistingTerminals) {
+                await Promise.all(terminals().map(async (t) => this.activateUsingCommand(api, t)));
+            }
         } else if (actType === ACT_TYPE_SHELL) {
             const shells = new Set(
                 terminals()
@@ -415,14 +429,16 @@ export class TerminalManagerImpl implements TerminalManager {
             );
             if (shells.size > 0) {
                 await this.handleSetupCheck(shells);
-                await Promise.all(
-                    terminals().map(async (t) => {
-                        // If the shell is not set up, we activate using command fallback.
-                        if (this.shellSetup.get(identifyTerminalShell(t)) === false) {
-                            await this.activateUsingCommand(api, t);
-                        }
-                    }),
-                );
+                if (!skipPreExistingTerminals) {
+                    await Promise.all(
+                        terminals().map(async (t) => {
+                            // If the shell is not set up, we activate using command fallback.
+                            if (this.shellSetup.get(identifyTerminalShell(t)) === false) {
+                                await this.activateUsingCommand(api, t);
+                            }
+                        }),
+                    );
+                }
             }
         }
     }

src/features/terminal/terminalManager.ts

@@ -262,6 +262,52 @@ export async function setAutoActivationType(value: AutoActivationType): Promise<
     return await config.update('terminal.autoActivationType', value, true);
 }
 
+/**
+ * Determines whether activation commands should be sent to pre-existing terminals
+ * (terminals open before extension load).
+ *
+ * Checks the legacy `python.terminal.activateEnvInCurrentTerminal` setting using `inspect()`
+ * to distinguish between the default value and an explicitly user-set value.
+ *
+ * Priority: workspaceFolderValue > workspaceValue > globalRemoteValue > globalLocalValue > globalValue
+ * (matches the precedence used by getShellIntegrationEnabledCache and getAutoActivationType)
+ *
+ * - If the user has explicitly set the value to `false` at any scope, returns `false`.
+ * - Otherwise (default or explicitly `true`), returns `true`.
+ *
+ * @returns `false` only when the user has explicitly set the setting to `false`; `true` otherwise.
+ */
+export function shouldActivateInCurrentTerminal(): boolean {
+    const pythonConfig = getConfiguration('python');
+    const inspected = pythonConfig.inspect<boolean>('terminal.activateEnvInCurrentTerminal');
+
+    if (!inspected) {
+        return true;
+    }
+
+    // Only respect `false` when the user has deliberately set it.
+    // Priority: workspaceFolder > workspace > globalRemote > globalLocal > global
+    const inspectValue = inspected as Record<string, unknown>;
+
+    if (inspected.workspaceFolderValue === false) {
+        return false;
+    }
+    if (inspected.workspaceValue === false) {
+        return false;
+    }
+    if ('globalRemoteValue' in inspected && inspectValue.globalRemoteValue === false) {
+        return false;
+    }
+    if ('globalLocalValue' in inspected && inspectValue.globalLocalValue === false) {
+        return false;
+    }
+    if (inspected.globalValue === false) {
+        return false;
+    }
+
+    return true;
+}
+
 export async function getAllDistinctProjectEnvironments(
     api: PythonProjectGetterApi & PythonProjectEnvironmentApi,
 ): Promise<PythonEnvironment[] | undefined> {