Skip to content

Migrate CI/CD from GitHub Actions to ADO; remove GH Actions workflow#895

Open
RyAuld wants to merge 7 commits intodevfrom
RyAuld/update-pipeline-doc-links
Open

Migrate CI/CD from GitHub Actions to ADO; remove GH Actions workflow#895
RyAuld wants to merge 7 commits intodevfrom
RyAuld/update-pipeline-doc-links

Conversation

@RyAuld
Copy link
Copy Markdown
Contributor

@RyAuld RyAuld commented Mar 31, 2026
edited
Loading

Merge blocker: This PR should not be merged until both PyPI publication paths in ADO pipeline 3067 have been fully set up and verified:

  • test.pypi.org - requires MSAL-Test-Python-Upload service connection (pending test.pypi.org API token)
  • pypi.org (ESRP) - requires ESRP MSALJavaReleaseBuilds PyPI approval (currently UpdateInProgress)

Merging before these are ready would leave the project with no working publish path.

Summary

This PR completes the migration of all CI/CD processes from GitHub Actions to ADO pipelines.

Changes

  • Add Python 3.8 to the ADO CI matrix - now matches GH CI coverage (3.8-3.14)
  • Move benchmarks from GH Actions cb job to ADO azure-pipelines.yml - runs after CI on post-merge pushes to dev, publishes benchmark.json as a pipeline artifact
  • Remove GH Actions ci job - tests now covered by ADO pipeline 3064
  • Remove GH Actions cd job - PyPI publish now covered by ADO pipeline 3067
  • Delete .github/workflows/python-package.yml entirely - no GH Actions CI/CD remains
  • Add ADO pipeline hyperlinks to CI-AND-RELEASE-PIPELINES.md
  • Add TSA integration - new .Pipelines/tsaConfig.json routes SDL findings to IDDP\DevEx-Client-SDK\Python; PublishSecurityAnalysisLogs@3 and PostBuildCleanup@3 added to PreBuildCheck stage, matching MSAL .NET SDL pattern
  • Add retryCountOnTaskFailure: 3 to the pytest step - prevents transient network timeouts from failing the build
  • Fix benchmark stage condition - now gates on Build.SourceBranch == refs/heads/dev and allows IndividualCI, BatchedCI, and Manual triggers
  • Switch to PublishPipelineArtifact@1 for benchmark results - consistent with the rest of the pipeline

Secrets cleanup (post-merge)

The following GitHub repository secrets are no longer referenced by any workflow and can be deleted after merge:

  • LAB_APP_CLIENT_CERT_BASE64
  • LAB_APP_CLIENT_ID
  • LAB_OBO_CLIENT_SECRET
  • LAB_OBO_CONFIDENTIAL_CLIENT_ID
  • LAB_OBO_PUBLIC_CLIENT_ID

Required admin action (post-merge)

The MSAL-Python-SDL-CI check (ADO pipeline 769) is currently a required GitHub status check on the dev branch. Pipeline 769 has been disabled in ADO since SDL is now covered by the PreBuildCheck stage in pipeline 3064, but the GitHub branch protection rule still references it - causing PRs to block on 'Expected - Waiting for status to be reported'.

A repository admin must remove it after merge:

  1. Go to Settings -> Branches (or Settings -> Rules -> Rulesets if using rulesets) in this repo
  2. Edit the protection rule for dev
  3. Remove MSAL-Python-SDL-CI from the required status checks list
  4. Save

Once removed, pipeline 769 can remain permanently disabled.

@RyAuld RyAuld requested a review from a team as a code owner March 31, 2026 21:25
Copilot AI review requested due to automatic review settings March 31, 2026 21:25
Copilot AI reviewed Mar 31, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR finalizes the CI/CD migration from GitHub Actions to Azure DevOps (ADO) by expanding the ADO test matrix, adding an ADO benchmark stage, updating pipeline documentation, and deleting the legacy GitHub Actions CI/CD workflow.

Changes:

  • Added Python 3.8 to the ADO CI matrix (now 3.8–3.14).
  • Added a post-CI Benchmark stage to azure-pipelines.yml to run pytest-benchmark and publish benchmark.json.
  • Updated .Pipelines/CI-AND-RELEASE-PIPELINES.md with ADO pipeline hyperlinks and updated version coverage; removed .github/workflows/python-package.yml.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

File Description
azure-pipelines.yml Adds a Benchmark stage after CI, runs pytest-benchmark on Python 3.9, caches .perf.baseline, and publishes benchmark JSON.
.Pipelines/template-pipeline-stages.yml Extends the CI matrix to include Python 3.8.
.Pipelines/CI-AND-RELEASE-PIPELINES.md Documents the ADO pipelines with hyperlinks and updates stated Python coverage to include 3.8.
.github/workflows/python-package.yml Deletes the legacy GitHub Actions CI/CD workflow.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

RyAuld added 2 commits March 31, 2026 14:46
@RyAuld
Address Copilot review: fix benchmark branch condition, switch to Pub…
a8154b4 
…lishPipelineArtifact@1; add TSA config, PostBuildCleanup, job retries
@RyAuld
Fix: move retries from job to retryCountOnTaskFailure on pytest step …
6107946 
…(matrix jobs don't support retries)
Copilot AI review requested due to automatic review settings March 31, 2026 22:17
Copilot AI reviewed Mar 31, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@RyAuld