ci: add ESRP-based PyPI release pipeline#473
Merged
ESRP Release is the only Microsoft-compliant path for publishing to PyPI; GitHub Actions / Trusted Publishers are not approved. Three-job flow (Prepare / ManualValidation / PublishToESRP) consumes wheel + sdist from official build by OFFICIAL_BUILD_ID and aligns trigger model with modelkit-release-github.yml (manual, release/* branch only).
Switch modelkit-release-pypi.yml and modelkit-release-github.yml to extend v1/1ES.Official.PipelineTemplate.yml@1ESPipelineTemplates, running on the ProjectReunionESPool-2022 pool with MMS2022-1ES-GPT. GitHub release: split the original single-job pipeline into Prepare (downloads official build, stages wheels + parquets) and CreateGitHubRelease (releaseJob consuming the staged artifact), since 1ES Official only permits GitHubRelease@1 inside templateContext.type: releaseJob and that job type cannot run DownloadPipelineArtifact@2. Version is now derived from the wheel filename instead of pyproject.toml so the release job needs no source checkout.
…pipeline # Conflicts: # .pipelines/modelkit-release-github.yml
For end-to-end validation only. Revert before going live.
The GitHub release pipeline migration is now its own PR; keep this branch scoped to the PyPI release pipeline only.
For end-to-end validation only. Revert before going live.
timenick added a commit that referenced this pull request on May 14, 2026
## Summary

Switches [.pipelines/modelkit-release-github.yml](.pipelines/modelkit-release-github.yml) from `v2/OneBranch.Official.CrossPlat.yml@templates` to `v1/1ES.Official.PipelineTemplate.yml@1ESPipelineTemplates`, running on `ProjectReunionESPool-2022` with `MMS2022-1ES-GPT`. This aligns the GitHub release pipeline with the PyPI release pipeline (#473) on the same 1ES template and pool. Trigger model is unchanged: `trigger: none`, manual queue only, `OFFICIAL_BUILD_ID` parameter required, `release/*` branch condition on the stage.

## Pipeline shape

The single-job pipeline is split into two jobs because 1ES Official only allows `GitHubRelease@1` inside `templateContext.type: releaseJob`, and a `releaseJob` cannot run `DownloadPipelineArtifact@2`:

1. **Prepare** (`pool.type: windows`) — downloads the official build artifacts by `OFFICIAL_BUILD_ID`, stages `*.whl` + parquet runtime check rules into `$(Build.SourcesDirectory)/release_assets`, publishes them as pipeline artifact `GitHubReleaseAssets` via `templateContext.outputs`.
2. **CreateGitHubRelease** (`templateContext.type: releaseJob`, `isProduction: true`) — consumes `GitHubReleaseAssets` via `templateContext.inputs`, derives the version from the wheel filename (so no source checkout is needed), invokes `GitHubRelease@1` to create the tag + release.
Updates input parameter casing and adds required contentsource and serviceendpointurl fields per EsrpRelease@12 schema.
- Re-enable release/* branch gate
- Restore contenttype to PyPi (was 'npm' from testing)
- Move ESRP owners/approvers to queue-time parameters
DingmaomaoBJTU approved these changes on May 25, 2026
Summary
Adds .pipelines/modelkit-release-pypi.yml, a OneBranch pipeline that publishes ModelKit wheel + sdist to PyPI via ESRP Release.
ESRP Release is the only Microsoft-compliant path for publishing OSS to PyPI per the ESS Release docs — GitHub Actions and Trusted Publishers are explicitly not approved.
Pipeline shape
Three-job stage `Publish`, gated to `release/*` branches:

1. **Prepare** (`pool.type: windows`) — downloads the official build artifacts by `OFFICIAL_BUILD_ID`, stages only `*.whl` + `*.tar.gz` (excludes the `*.zip` runtime check rules that the official build also emits), sanity-checks wheel filename version against `pyproject.toml`. Publishes the staged folder as pipeline artifact `PyPiPackages` via `templateContext.outputs`.
2. **ManualValidation** (`pool: Server`, agentless) — `ManualValidation@0` task with 24h timeout, notifies `ESRP_OWNERS`, rejects on timeout. Cancellable cheaply if the wrong build was queued.
3. **PublishToESRP** (`templateContext.type: releaseJob`, `isProduction: true`) — receives `PyPiPackages` artifact via `templateContext.inputs`, invokes `EsrpRelease@11` with `intent: PackageDistribution` / `ContentType: PyPi` / `MainPublisher: ESRPRELPACMAN`.

Trigger model mirrors modelkit-release-github.yml: `trigger: none`, manual queue only, `OFFICIAL_BUILD_ID` parameter required, `release/*` branch condition on the stage.

Pre-merge requirements (ADO side)
Before the first run, configure these as pipeline variables (or a variable group) in ADO — pipeline references them but does not provide values:
- `ESRP_SERVICE_CONNECTION` — ADO service connection onboarded to ESRP Release
- `ESRP_KEYVAULT_NAME` — Azure Key Vault holding the TSS signing cert
- `ESRP_SIGN_CERT_NAME` — TSS signing cert name (required by task even though PyPI doesn't sign)
- `ESRP_CLIENT_ID` — Managed Identity / App Registration client ID authorized for public PyPI
- `ESRP_OWNERS` — owner email(s)
- `ESRP_APPROVERS` — approver email(s)

`DomainTenantId` (PME), `ServiceEndpointUrl`, `MainPublisher` are hardcoded per the ESS Release docs default.