Migrate CI/CD from GitHub Actions to ADO; remove GH Actions workflow

.Pipelines/CI-AND-RELEASE-PIPELINES.md

@@ -7,16 +7,16 @@ including what each pipeline does, when it runs, and how to trigger a release.
 
 ## Pipeline Files
 
-| File | Purpose |
-|------|---------|
-| [`azure-pipelines.yml`](../azure-pipelines.yml) | PR gate and post-merge CI — calls the shared template with `runPublish: false` |
-| [`pipeline-publish.yml`](pipeline-publish.yml) | Release pipeline — manually queued, builds and publishes to PyPI |
-| [`template-pipeline-stages.yml`](template-pipeline-stages.yml) | Shared stages template — PreBuildCheck, Validate, and CI stages reused by both pipelines |
-| [`credscan-exclusion.json`](credscan-exclusion.json) | CredScan suppression file for known test fixtures |
+| File | ADO Pipeline | Purpose |
+|------|-------------|---------|
+| [`azure-pipelines.yml`](../azure-pipelines.yml) | [MSAL.Python-PR-OneBranch-Official (3064)](https://dev.azure.com/IdentityDivision/IDDP/_build?definitionId=3064) | PR gate and post-merge CI — calls the shared template with `runPublish: false` |
+| [`pipeline-publish.yml`](pipeline-publish.yml) | [MSAL.Python-Publish (3067)](https://dev.azure.com/IdentityDivision/IDDP/_build?definitionId=3067) | Release pipeline — manually queued, builds and publishes to PyPI |
+| [`template-pipeline-stages.yml`](template-pipeline-stages.yml) | — | Shared stages template — PreBuildCheck, Validate, and CI stages reused by both pipelines |
+| [`credscan-exclusion.json`](credscan-exclusion.json) | — | CredScan suppression file for known test fixtures |
 
 ---
 
-## PR / CI Pipeline (`azure-pipelines.yml`)
+## PR / CI Pipeline — [MSAL.Python-PR-OneBranch-Official (3064)](https://dev.azure.com/IdentityDivision/IDDP/_build?definitionId=3064)
 
 ### Triggers
 
@@ -35,7 +35,7 @@ PreBuildCheck ─► CI
 | Stage | What it does |
 |-------|-------------|
 | **PreBuildCheck** | Runs SDL security scans: PoliCheck (policy/offensive content), CredScan (leaked credentials), and PostAnalysis (breaks the build on findings) |
-| **CI** | Runs the full test suite on Python 3.9, 3.10, 3.11, 3.12, 3.13, and 3.14 |
+| **CI** | Runs the full test suite on Python 3.8, 3.9, 3.10, 3.11, 3.12, 3.13, and 3.14 |
 
 The Validate stage is **skipped** on PR/CI runs (it only applies to release builds).
 
@@ -45,7 +45,7 @@ The Validate stage is **skipped** on PR/CI runs (it only applies to release buil
 
 ---
 
-## Release Pipeline (`pipeline-publish.yml`)
+## Release Pipeline — [MSAL.Python-Publish (3067)](https://dev.azure.com/IdentityDivision/IDDP/_build?definitionId=3067)
 
 ### Triggers
 
@@ -70,7 +70,7 @@ PreBuildCheck ─► Validate ─► CI ─► Build ─┬─► PublishMSALPyt
 |-------|-------------|-----------|
 | **PreBuildCheck** | PoliCheck + CredScan scans | Always |
 | **Validate** | Asserts the `packageVersion` parameter matches `msal/sku.py __version__` | Always (release runs only) |
-| **CI** | Full test matrix (Python 3.9–3.14) | After Validate passes |
+| **CI** | Full test matrix (Python 3.8–3.14) | After Validate passes |
 | **Build** | Builds `sdist` and `wheel` via `python -m build`; publishes `python-dist` artifact | After CI passes |
 | **PublishMSALPython** | Uploads to test.pypi.org | `publishTarget == test.pypi.org (Preview / RC)` |
 | **PublishPyPI** | Uploads to PyPI via ESRP; requires manual approval | `publishTarget == pypi.org (ESRP Production)` |

.Pipelines/template-pipeline-stages.yml

@@ -68,6 +68,16 @@ stages:
         GdnBreakGdnToolCredScan: true
         GdnBreakGdnToolPoliCheck: true
 
+    - task: securedevelopmentteam.vss-secure-development-tools.build-task-publishsecurityanalysislogs.PublishSecurityAnalysisLogs@3
+      displayName: 'Publish Security Analysis Logs (TSA)'
+      condition: succeededOrFailed()
+      inputs:
+        tsaConfigFile: '$(Build.SourcesDirectory)/.Pipelines/tsaConfig.json'
+
+    - task: mspremier.PostBuildCleanup.PostBuildCleanup-task.PostBuildCleanup@3
+      displayName: 'Clean agent directories'
+      condition: always()
+
 # ══════════════════════════════════════════════════════════════════════════════
 # Stage 1 · Validate — verify packageVersion matches msal/sku.py __version__
 #           Skipped when runPublish is false (PR / merge builds).
@@ -127,6 +137,8 @@ stages:
       vmImage: ubuntu-latest
     strategy:
       matrix:
+        Python38:
+          python.version: '3.8'
         Python39:
           python.version: '3.9'
         Python310:
@@ -187,6 +199,7 @@ stages:
         set -o pipefail
         pytest -vv --junitxml=test-results/junit.xml 2>&1 | tee test-results/pytest.log
       displayName: 'Run tests'
+      retryCountOnTaskFailure: 3
       env:
         LAB_APP_CLIENT_CERT_PFX_PATH: $(LAB_APP_CLIENT_CERT_PFX_PATH)
 

.Pipelines/tsaConfig.json

@@ -0,0 +1,17 @@
+{
+    "codebaseName": "MSAL Python",
+    "notificationAliases": [
+        "IdentityDevExDotnet@microsoft.com"
+    ],
+    "codebaseAdmins": [
+        "EUROPE\\aadidagt"
+    ],
+    "instanceUrl": "https://identitydivision.visualstudio.com",
+    "projectName": "IDDP",
+    "areaPath": "IDDP\\DevEx-Client-SDK\\Python",
+    "iterationPath": "IDDP\\Unscheduled",
+    "tools": [
+        "credscan",
+        "policheck"
+    ]
+}

azure-pipelines.yml

@@ -24,3 +24,51 @@ stages:
 - template: .Pipelines/template-pipeline-stages.yml
   parameters:
     runPublish: false
+
+- stage: Benchmark
+  displayName: 'Run benchmarks'
+  dependsOn: CI
+  # Only run on post-merge pushes to dev — not on PRs or scheduled runs.
+  # Benchmarks are noisy and the baseline cache is only meaningful on a stable branch.
+  condition: |
+    and(
+      succeeded('CI'),
+      eq(variables['Build.SourceBranch'], 'refs/heads/dev'),
+      or(
+        eq(variables['Build.Reason'], 'IndividualCI'),
+        eq(variables['Build.Reason'], 'BatchedCI'),
+        eq(variables['Build.Reason'], 'Manual')
+      )
+    )
+  jobs:
+  - job: Benchmark
+    displayName: 'Performance benchmarks (Python 3.9)'
+    pool:
+      vmImage: ubuntu-latest
+    steps:
+    - task: UsePythonVersion@0
+      inputs:
+        versionSpec: '3.9'
+      displayName: 'Set up Python 3.9'
+
+    - script: |
+        python -m pip install --upgrade pip
+        pip install -r requirements.txt
+      displayName: 'Install dependencies'
+
+    - task: Cache@2
+      displayName: 'Restore performance baseline cache'
+      inputs:
+        key: 'perf-baseline | "$(Agent.OS)" | tests/test_benchmark.py'
+        path: .perf.baseline
+
+    - bash: |
+        pytest --benchmark-only --benchmark-json benchmark.json --log-cli-level INFO tests/test_benchmark.py
+      displayName: 'Run benchmarks'
+
+    - task: PublishPipelineArtifact@1
+      displayName: 'Publish benchmark results'
+      condition: succeededOrFailed()
+      inputs:
+        targetPath: 'benchmark.json'
+        artifact: 'benchmark-results'