Remove npmrc artifact; add custom registry setup

Stop publishing/downloading .npmrc as a pipeline artifact. Instead, configure npm to use a temp user config (NPM_CONFIG_USERCONFIG=$(Agent.TempDirectory)/.npmrc) and support customNPMRegistry in the shared setup template, including auth (npmAuthenticate@0) and lockfile registry rewrites. Thread $(AZURE_ARTIFACTS_FEED) through DevDiv pipeline templates to enable the custom registry flow.

Author: bschnurr

build/azure-devdiv-pipeline.pre-release.yml

@@ -108,6 +108,7 @@ extends:
               buildSteps: ${{ parameters.buildSteps }}
               isPreRelease: true
               standardizedVersioning: true
+              customNPMRegistry: $(AZURE_ARTIFACTS_FEED)
 
       - stage: Publish
         displayName: Publish Extension
@@ -122,3 +123,4 @@ extends:
               ghCreateTag: true
               ghCreateRelease: true
               ghReleaseAddChangeLog: true
+              customNPMRegistry: $(AZURE_ARTIFACTS_FEED)

build/azure-devdiv-pipeline.stable.yml

@@ -105,6 +105,7 @@ extends:
               buildPlatforms: ${{ parameters.buildPlatforms }}
               buildSteps: ${{ parameters.buildSteps }}
               isPreRelease: false
+              customNPMRegistry: $(AZURE_ARTIFACTS_FEED)
 
       - stage: Publish
         displayName: Publish Extension
@@ -116,3 +117,4 @@ extends:
               publishExtension: ${{ parameters.publishExtension }}
               preRelease: false
               teamName: $(TeamName)
+              customNPMRegistry: $(AZURE_ARTIFACTS_FEED)

build/templates/package.yml

@@ -10,6 +10,16 @@ parameters:
     type: object
     displayName: 'List of platforms to build'
 
+  - name: customNPMRegistry
+    type: string
+    default: ''
+    displayName: 'Custom NPM registry (optional)'
+
+  - name: nodeVersion
+    type: string
+    default: '22.17.0'
+    displayName: 'Node version to install'
+
   - name: buildSteps
     type: stepList
     default: []
@@ -71,13 +81,11 @@ jobs:
               targetPath: '$(Build.ArtifactStagingDirectory)/drop'
               artifactName: vsix-${{ coalesce(platform.vsceTarget, 'universal') }}
 
-            - output: pipelineArtifact
-              displayName: Publish .npmrc
-              targetPath: '$(Build.SourcesDirectory)/.npmrc'
-              artifactName: npmrc
-
         steps:
           - template: setup.yml@self
+            parameters:
+              customNPMRegistry: ${{ parameters.customNPMRegistry }}
+              nodeVersion: ${{ parameters.nodeVersion }}
 
           - ${{ if and(eq(parameters.isPreRelease, true), eq(parameters.standardizedVersioning, true)) }}:
               - template: modify-extension-version.yml@self
@@ -136,19 +144,3 @@ jobs:
               contents: '*.vsix'
               targetFolder: $(Build.ArtifactStagingDirectory)/drop
             displayName: 📦 Copy VSIX to staging
-
-          - ${{ if eq(coalesce(platform.vsceTarget, 'universal'), 'universal') }}:
-              - pwsh: |
-                  $source = "${{ parameters.workingDirectory }}/.npmrc"
-                  $destDir = "$(Build.ArtifactStagingDirectory)/npmrc"
-                  $dest = Join-Path $destDir '.npmrc'
-
-                  New-Item -ItemType Directory -Path $destDir -Force | Out-Null
-
-                  if (-not (Test-Path $source)) {
-                    throw "Expected .npmrc at: $source"
-                  }
-
-                  Copy-Item -LiteralPath $source -Destination $dest -Force
-                  Write-Host "Copied $source -> $dest"
-                displayName: 📦 Stage .npmrc for artifact

build/templates/publish-extension.yml

@@ -26,6 +26,16 @@ parameters:
     type: object
     displayName: 'List of platforms to sign and publish'
 
+  - name: customNPMRegistry
+    type: string
+    default: ''
+    displayName: 'Custom NPM registry (optional)'
+
+  - name: nodeVersion
+    type: string
+    default: '22.17.0'
+    displayName: 'Node version to install'
+
   # Signing parameters
   - name: signType
     type: string
@@ -151,6 +161,8 @@ jobs:
           signType: ${{ parameters.signType }}
           verifySignature: ${{ parameters.verifySignature }}
           teamName: ${{ parameters.teamName }}
+          customNPMRegistry: ${{ parameters.customNPMRegistry }}
+          nodeVersion: ${{ parameters.nodeVersion }}
 
   # Job 2: Publish to marketplace
   - ${{ if eq(parameters.publishExtension, true) }}:
@@ -171,17 +183,12 @@ jobs:
               targetPath: $(Build.ArtifactStagingDirectory)/${{ parameters.publishFolder }}
             displayName: 🚛 Download signed extension
 
-          - task: 1ES.DownloadPipelineArtifact@1
-            inputs:
-              artifactName: npmrc
-              targetPath: $(Pipeline.Workspace)/npmrc
-            displayName: 🚛 Download .npmrc artifact
-
           - template: setup.yml
             parameters:
               installNode: true
               installPython: false
-              npmrcPath: $(Pipeline.Workspace)/npmrc/.npmrc
+              customNPMRegistry: ${{ parameters.customNPMRegistry }}
+              nodeVersion: ${{ parameters.nodeVersion }}
 
           # Extract VSIX to read publisher/version for GitHub release tagging.
           # Use Agent.TempDirectory to avoid reusing Build.ArtifactStagingDirectory which

build/templates/setup.yml

@@ -6,70 +6,133 @@ parameters:
   - name: installPython
     type: boolean
     default: true
+  - name: customNPMRegistry
+    type: string
+    default: ''
+  - name: nodeVersion
+    type: string
+    default: '22.17.0'
+  - name: pythonVersion
+    type: string
+    default: '3.9'
   - name: npmrcPath
     type: string
-    default: '$(Build.SourcesDirectory)/.npmrc'
+    default: '$(Agent.TempDirectory)/.npmrc'
 
 steps:
   - ${{ if eq(parameters.installNode, true) }}:
-      - pwsh: |
-          $npmrcPath = "${{ parameters.npmrcPath }}"
+      - task: NodeTool@0
+        inputs:
+          versionSpec: ${{ parameters.nodeVersion }}
+          checkLatest: true
+        displayName: 🛠 Install Node ${{ parameters.nodeVersion }}
 
-          if (Test-Path -LiteralPath $npmrcPath -PathType Container) {
-            throw "npmrcPath points to a directory (expected a file): $npmrcPath"
-          }
+      - ${{ if ne(parameters.customNPMRegistry, '') }}:
+        # When using a private/custom registry, configure npm to read auth/config from a temp user config
+        # instead of relying on a checked-in project .npmrc.
+        - pwsh: |
+            $path = "${{ parameters.npmrcPath }}"
 
-          $parent = Split-Path -Parent $npmrcPath
-          if ($parent -and -not (Test-Path -LiteralPath $parent)) {
-            New-Item -ItemType Directory -Path $parent -Force | Out-Null
-          }
+            if (Test-Path -LiteralPath $path -PathType Container) {
+              throw "npmrcPath points to a directory (expected a file): $path"
+            }
 
-          if (-not (Test-Path -LiteralPath $npmrcPath -PathType Leaf)) {
-            New-Item -ItemType File -Path $npmrcPath -Force | Out-Null
-          }
-        displayName: Ensure .npmrc is a file
+            $parent = Split-Path -Parent $path
+            if ($parent -and -not (Test-Path -LiteralPath $parent)) {
+              New-Item -ItemType Directory -Path $parent -Force | Out-Null
+            }
 
-      - task: npmAuthenticate@0
-        inputs:
-          workingFile: ${{ parameters.npmrcPath }}
+            if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
+              New-Item -ItemType File -Path $path -Force | Out-Null
+            }
+
+            Write-Host "##vso[task.setvariable variable=NPM_CONFIG_USERCONFIG]$path"
+            Write-Host "##vso[task.setvariable variable=NPM_CONFIG_REGISTRY]${{ parameters.customNPMRegistry }}"
+          displayName: 📦 Setup NPM User Config
 
-      - pwsh: |
-          $source = "${{ parameters.npmrcPath }}"
-          $dest = "$(Build.SourcesDirectory)/.npmrc"
+        # Configure npm/yarn to use the custom registry and ensure auth headers are sent.
+        - pwsh: |
+            $path = "${{ parameters.npmrcPath }}"
+            $registry = "${{ parameters.customNPMRegistry }}"
 
-          if (-not (Test-Path -LiteralPath $source -PathType Leaf)) {
-            throw "Expected authenticated .npmrc file at: $source"
-          }
+            $env:NPM_CONFIG_USERCONFIG = $path
+            $env:NPM_CONFIG_REGISTRY = $registry
 
-          if (Test-Path -LiteralPath $dest -PathType Container) {
-            throw "Expected destination .npmrc to be a file, but it is a directory: $dest"
-          }
+            npm config set registry "$registry"
 
-          $srcFull = [System.IO.Path]::GetFullPath($source)
-          $destFull = [System.IO.Path]::GetFullPath($dest)
+            # npm >v7 deprecated the `always-auth` config option, refs npm/cli@72a7eeb
+            # following is a workaround for yarn-like clients to send authorization header for GET
+            # requests to the registry.
+            "always-auth=true" | Out-File -FilePath $path -Append -Encoding utf8
 
-          if ($srcFull -ieq $destFull) {
-            Write-Host "Authenticated .npmrc already in repo root: $dest"
-            return
-          }
+            $yarn = Get-Command yarn -ErrorAction SilentlyContinue
+            if ($null -ne $yarn) {
+              yarn config set registry "$registry"
+            } else {
+              Write-Host "yarn not found; skipping yarn registry configuration"
+            }
+          displayName: 📦 Setup NPM & Yarn
 
-          if (-not (Test-Path -LiteralPath $dest -PathType Leaf)) {
-            Copy-Item -LiteralPath $source -Destination $dest -Force
-            Write-Host "Copied authenticated .npmrc -> $dest"
-          } else {
-            Write-Host "Repo root .npmrc already exists; not overwriting: $dest"
-          }
-        displayName: Copy .npmrc to repo root (if missing)
+        # Populate the temp .npmrc with auth for the configured registry.
+        - task: npmAuthenticate@0
+          inputs:
+            workingFile: ${{ parameters.npmrcPath }}
+          displayName: 📦 Setup NPM Authentication
+
+        # Some lockfiles contain hardcoded references to public registries. Rewrite them so installs
+        # and `npx` resolve from the custom registry consistently.
+        - pwsh: |
+            $registry = "${{ parameters.customNPMRegistry }}"
+            $scriptPath = Join-Path "$(Agent.TempDirectory)" 'setup-npm-registry.js'
+
+            $lines = @(
+              "const fs = require('fs').promises;",
+              "const path = require('path');",
+              "",
+              "async function* getLockFiles(dir) {",
+              "  const files = await fs.readdir(dir);",
+              "",
+              "  for (const file of files) {",
+              "    const fullPath = path.join(dir, file);",
+              "    const stat = await fs.stat(fullPath);",
+              "",
+              "    if (stat.isDirectory()) {",
+              "      if (file === 'node_modules' || file === '.git') {",
+              "        continue;",
+              "      }",
+              "      yield* getLockFiles(fullPath);",
+              "    } else if (file === 'yarn.lock' || file === 'package-lock.json') {",
+              "      yield fullPath;",
+              "    }",
+              "  }",
+              "}",
+              "",
+              "async function rewrite(file, registry) {",
+              "  let contents = await fs.readFile(file, 'utf8');",
+              "  contents = contents.replace(/https:\\/\\/registry\\.[^.]+\\.(com|org)\\//g, registry);",
+              "  await fs.writeFile(file, contents);",
+              "}",
+              "",
+              "async function main() {",
+              "  const root = process.cwd();",
+              "  const registry = process.env.NPM_CONFIG_REGISTRY || " + JSON.stringify($registry) + ";",
+              "",
+              "  for await (const file of getLockFiles(root)) {",
+              "    await rewrite(file, registry);",
+              "    console.log('Updated node registry:', file);",
+              "  }",
+              "}",
+              "",
+              "main();"
+            )
+
+            Set-Content -LiteralPath $scriptPath -Value ($lines -join "`n") -Encoding utf8
+            node $scriptPath
+          displayName: 📦 Setup NPM Registry
 
       - script: npm config get registry
         displayName: Verify NPM Registry
 
-      - task: NodeTool@0
-        inputs:
-          versionSpec: '22.17.0'
-          checkLatest: true
-        displayName: Select Node 22 LTS
-
   - ${{ if eq(parameters.installPython, true) }}:
       - task: PipAuthenticate@1
         displayName: 'Pip Authenticate'
@@ -78,7 +141,7 @@ steps:
 
       - task: UsePythonVersion@0
         inputs:
-          versionSpec: '3.9' # note Install Python dependencies step below relies on Python 3.9
+          versionSpec: ${{ parameters.pythonVersion }}
           addToPath: true
           architecture: 'x64'
-        displayName: Select Python version
+        displayName: Select Python ${{ parameters.pythonVersion }}

build/templates/sign.yml

@@ -13,9 +13,15 @@ parameters:
   - name: buildPlatforms
     type: object
     displayName: 'List of platforms to sign'
+  - name: customNPMRegistry
+    type: string
+    default: ''
   - name: workingDirectory
     type: string
     default: '$(Build.StagingDirectory)'
+  - name: nodeVersion
+    type: string
+    default: '22.17.0'
   - name: signType
     type: string
     default: real
@@ -73,16 +79,10 @@ steps:
       restoreDirectory: '$(Build.SourcesDirectory)/packages'
       nugetConfigPath: '$(Build.SourcesDirectory)/build/NuGet.config'
 
-  # Setup Node.js and npm authentication
-  - task: DownloadPipelineArtifact@2
-    inputs:
-      artifactName: npmrc
-      targetPath: $(Pipeline.Workspace)/npmrc
-    displayName: 🚛 Download .npmrc artifact
-
   - template: setup.yml@self
     parameters:
-      npmrcPath: $(Pipeline.Workspace)/npmrc/.npmrc
+      customNPMRegistry: ${{ parameters.customNPMRegistry }}
+      nodeVersion: ${{ parameters.nodeVersion }}
 
   - task: Npm@1
     displayName: 'npm ci (install vsce)'