Merged
Conversation
Stop publishing/downloading .npmrc as a pipeline artifact. Instead, configure npm to use a temp user config (NPM_CONFIG_USERCONFIG=$(Agent.TempDirectory)/.npmrc) and support customNPMRegistry in the shared setup template, including auth (npmAuthenticate@0) and lockfile registry rewrites. Thread $(AZURE_ARTIFACTS_FEED) through DevDiv pipeline templates to enable the custom registry flow.
…try” step. Making the generated JS do const registry = process.env.NPM_CONFIG_REGISTRY; (and error if it’s missing), instead of trying to inline/concatenate a JSON-escaped registry string.
bschnurr
added
the
debt
bschnurr
commented
Jan 22, 2026
| value: VSCode-python-debugger | ||
| - name: VsixName | ||
| value: python-debugger.vsix | ||
| - name: AZURE_ARTIFACTS_FEED |
Member
Author
There was a problem hiding this comment.
already supplying the feed here
rchiodo
reviewed
Jan 22, 2026
build/templates/setup.yml
Outdated
| $env:NPM_CONFIG_REGISTRY = $registry | ||
| $scriptPath = Join-Path "$(Agent.TempDirectory)" 'setup-npm-registry.js' | ||
|
|
||
| $lines = @( |
Contributor
There was a problem hiding this comment.
THis seems hard to maintain. Could it be an external script instead?
Contributor
There was a problem hiding this comment.
Pull request overview
This PR refactors the Azure DevOps pipeline npm registry configuration to comply with stricter pipeline security rules that prevent using checked-in .npmrc files. Instead of relying on a project-level .npmrc file, the solution now configures npm registry settings directly through environment variables and a temporary user configuration file.
Changes:
- Introduced
customNPMRegistryandnodeVersionparameters across pipeline templates for flexible registry and Node.js version configuration - Replaced the old
.npmrccreation and authentication flow with a new custom registry setup that uses a temporary user config file - Updated vsce commands to use the scoped package name
@vscode/vsce@latest
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| build/templates/setup.yml | Major refactoring: removed old .npmrc creation logic, added comprehensive custom npm registry setup with lock file rewriting, parameterized Node and Python versions |
| build/templates/sign.yml | Added customNPMRegistry and nodeVersion parameters, threaded them to setup.yml |
| build/templates/publish.yml | Updated vsce commands to use @vscode/vsce@latest scoped package |
| build/templates/publish-extension.yml | Added customNPMRegistry and nodeVersion parameters, moved setup.yml call after artifact download |
| build/templates/package.yml | Added customNPMRegistry and nodeVersion parameters, threaded them to setup.yml |
| build/azure-devdiv-pipeline.stable.yml | Configured AZURE_ARTIFACTS_FEED as customNPMRegistry for Build and Publish stages |
| build/azure-devdiv-pipeline.pre-release.yml | Configured AZURE_ARTIFACTS_FEED as customNPMRegistry for Build and Publish stages |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
…them from setup.yml:22-67 (plus the new documented scripts under scripts).
rchiodo
previously approved these changes
Jan 22, 2026
rchiodo
approved these changes
Jan 22, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Previously we used a .npmrc file. but new stricter pipeline rules wont allow "checkout". now just set the npm registry directly.
reusing similar logic from https://github.com/microsoft/vscode-engineering/blob/main/azure-pipelines/extension/templates/steps/pipeline-setup.yml
also tried copying .npmrc to artifacts then downloading in the publish job but noticed errors around lack of manifest file