Skip to content

Adding new release pipeline with signing capability #1142

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
tarunramsinghani wants to merge 4 commits into
base: master
Choose a base branch
from
Open

Adding new release pipeline with signing capability #1142

tarunramsinghani wants to merge 4 commits into from

Conversation

@tarunramsinghani
Copy link
Contributor

@tarunramsinghani tarunramsinghani commented Dec 12, 2025

Summary

This PR restructures the Azure Pipelines configuration for better maintainability and adds ESRP signing support for the VstsTaskSdk.dll in release builds.

Changes

Pipeline Structure Reorganization

  • Separated build templates: Renamed steps.yml to build-steps.yml for both Node.js and PowerShell components
  • Isolated PowerShell job: Moved PowerShell builds from cross-platform jobs to a dedicated Windows-only job in CI pipeline
  • Created dedicated publish templates:
    • ci/node/publish-job.yml for npm publishing
    • ci/powershell/publish-job.yml for PowerShell Gallery publishing
  • Unified release pipeline: Created ci/release-pipeline.yml that publishes both Node.js and PowerShell packages

ESRP Signing Implementation

  • Added ci/powershell/signing-steps.yml with three-stage signing process:
    • Strong name signing
    • Authenticode signing
    • Third-party signing
  • Integrated signing into release pipeline with enableSigning parameter
  • Signing occurs after DLL build but before module packaging

Build Improvements

  • Modified powershell/make.js to use locally built DLL from _lib folder when available (CI/release pipelines)
  • Falls back to downloading pre-built DLL for local development
  • Added pipeline artifacts for both npm package and PowerShell module in CI builds
  • Added condition: succeeded() to publish steps to prevent publishing on test failures

Other Changes

  • Removed unused ci/powershell/release-pipeline.yml (superseded by unified release pipeline)
  • Added .vscode/settings.json to .gitignore
  • Removed obsolete os parameter from PowerShell templates (always runs on Windows)

Benefits

  • Better separation of concerns: Build, test, and publish logic are clearly separated
  • Improved security: Release builds now use properly signed assemblies
  • Easier maintenance: Template reuse eliminates duplication
  • More flexibility: CI and release pipelines can evolve independently
  • Clear pipeline structure: Folder organization reflects component boundaries

Testing

  • CI pipeline builds and tests both Node.js and PowerShell components
  • Release pipeline includes signing verification steps
  • All builds produce pipeline artifacts for validation

Related Work

Part of ongoing effort to improve pipeline maintainability and add proper code signing for shipped components.

@tarunramsinghani
Fix PowerShell module tests and upgrade dependencies
0be6cf9 
- Upgrade TypeScript from 4.0.2 to 5.9.3 for Node.js 20 compatibility
- Upgrade @types/node to 20.0.0 and remove conflicting @types/glob
- Add --skipLibCheck flag to TypeScript compilation for compatibility
- Fix Test-CanUnravel function to handle null objects properly
- Fix Invoke-Process function to properly return exit codes
- Fix LocalizationFunctions to use InvariantCulture for number formatting
- Update mocha version check in make.js
- All 107 tests now pass successfully
@tarunramsinghani
Update Node.js version for PowerShell SDK and fix error handling
97fb64b 
- Add Node.js 20.x support for PowerShell SDK in CI pipeline
- Fix error handlers in make.js to properly exit with code 1 on failures
- Update TypeScript version validation to accept 5.x versions
- Ensure CI pipeline failures are properly reported instead of silent success
@tarunramsinghani
Reorganize pipeline templates into ci folder structure
998c1ed 
- Move Node.js template to ci/node/steps.yml
- Move PowerShell templates to ci/powershell/ folder
  - steps.yml: Build and test template
  - publish-job.yml: Publish to PowerShell Gallery job
  - release-pipeline.yml: Manual release pipeline
- Update all template references in azure-pipelines.yml
- PowerShell steps now run on all OS platforms (Windows, Linux, macOS)
- Separate build/test from publish concerns with dedicated templates
@tarunramsinghani
Reorganize pipeline templates and add ESRP signing
2a92810 
- Separated Node.js and PowerShell builds into dedicated template files
- Renamed steps.yml to build-steps.yml for clarity
- Created unified release pipeline with npm and PowerShell Gallery publishing
- Added ESRP signing steps for VstsTaskSdk.dll (strong name, authenticode, 3rd party)
- Modified make.js to use locally built DLL from _lib folder in CI/release pipelines
- Moved PowerShell build to separate job in CI pipeline
- Added pipeline artifacts for both npm package and PowerShell module
- Added .vscode/settings.json to .gitignore
@tarunramsinghani tarunramsinghani requested review from a team as code owners December 12, 2025 11:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@tarunramsinghani