From 23a41b4cd33c819f5b20defa8c86547e5a9ac867 Mon Sep 17 00:00:00 2001 From: Tal Zaccai Date: Thu, 25 Jun 2026 17:55:33 -0600 Subject: [PATCH] ci: install smoke-test deps from public npm instead of internal feed The ADO smoke pipeline restored dependencies from the org's internal Azure Artifacts feed, while the GitHub Actions build lanes and local dev use public npm. That split caused smoke tests to fail (ERR_PNPM_FETCH_404) whenever a Dependabot lockfile bump introduced a freshly-published transitive version not yet present in the internal feed, even though the GitHub builds passed. Make 'registry' optional in include-prepare-repo.yml: when omitted, the .npmrc and npmAuthenticate steps are skipped and pnpm uses the default public npm registry. The smoke pipeline now omits 'registry' so it installs from public npm, consistent with the other CI lanes. The smoke tests only need the WIF service connection for Azure OpenAI secrets, which is independent of the npm registry. The 4 build/publish pipelines still pass $(REGISTRY) and are unaffected. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- pipelines/azure-smoke-tests.yml | 18 ++++++++++++------ pipelines/include-prepare-repo.yml | 27 ++++++++++++++++++--------- 2 files changed, 30 insertions(+), 15 deletions(-) diff --git a/pipelines/azure-smoke-tests.yml b/pipelines/azure-smoke-tests.yml index a79a65002..376eb7826 100644 --- a/pipelines/azure-smoke-tests.yml +++ b/pipelines/azure-smoke-tests.yml @@ -31,9 +31,15 @@ # principal must hold the 'Key Vault Secrets User' RBAC role on the # 'build-pipeline-kv' vault (the vault uses RBAC authorization, not access # policies). Authorize the pipeline to use the connection on first run. -# * Pipeline variables (define in the pipeline UI or a linked variable group): -# - REGISTRY npm registry URL used by include-prepare-repo.yml to -# restore dependencies (internal Azure Artifacts feed). +# +# Dependency restore uses the PUBLIC npm registry (registry.npmjs.org), the same +# as the GitHub Actions build lanes (build_ts / build_package_shell) and local +# dev. This keeps the package source consistent across all CI and avoids failures +# where a freshly-published transitive version (e.g. from a Dependabot lockfile +# bump) is not yet present in an internal Azure Artifacts feed. The smoke tests +# only need the WIF service connection for Azure OpenAI secrets, which is +# independent of the npm registry — so no internal feed (or REGISTRY variable) is +# required here. trigger: branches: @@ -86,13 +92,13 @@ jobs: pool: vmImage: $(image) steps: - # Checkout + internal npm registry auth + Node + pnpm install - # (--frozen-lockfile --strict-peer-dependencies). + # Checkout + Node + pnpm install (--frozen-lockfile --strict-peer-dependencies). + # No 'registry' is passed, so install uses the default public npm registry — + # matching the GitHub Actions lanes and local dev. - template: include-prepare-repo.yml parameters: buildDirectory: $(buildDirectory) nodeVersion: $(nodeVersion) - registry: $(REGISTRY) # keytar links against libsecret at runtime on Linux; install before any # TypeAgent process (CLI / shell) loads the native module. diff --git a/pipelines/include-prepare-repo.yml b/pipelines/include-prepare-repo.yml index 0120c4bb8..4401ac5d7 100644 --- a/pipelines/include-prepare-repo.yml +++ b/pipelines/include-prepare-repo.yml @@ -6,8 +6,13 @@ parameters: type: string - name: nodeVersion type: string + # Optional npm registry. When set (e.g. an internal Azure Artifacts feed URL), + # an .npmrc is written and authenticated so pnpm restores from that feed. When + # omitted (empty), the build uses the default public npm registry + # (registry.npmjs.org) with no auth — matching the GitHub Actions lanes. - name: registry type: string + default: "" # Set false to skip pnpm-store caching. Useful for manual/scheduled pipelines # where the Windows post-job cache save can exceed its timeout and fail the job. - name: enableCache @@ -19,16 +24,20 @@ steps: displayName: "Checkout TypeAgent Repository" path: typeagent - - bash: | - echo "registry=${{ parameters.registry }}" > .npmrc - cat .npmrc - displayName: Set npm registry - workingDirectory: ${{ parameters.buildDirectory }} + # Only configure and authenticate a custom registry when one is supplied. + # When 'registry' is empty, these steps are skipped and pnpm uses the default + # public npm registry (no .npmrc, no auth) — same as the GitHub Actions lanes. + - ${{ if ne(parameters.registry, '') }}: + - bash: | + echo "registry=${{ parameters.registry }}" > .npmrc + cat .npmrc + displayName: Set npm registry + workingDirectory: ${{ parameters.buildDirectory }} - - task: npmAuthenticate@0 - displayName: Authenticate to npm registry - inputs: - workingFile: ${{ parameters.buildDirectory }}/.npmrc + - task: npmAuthenticate@0 + displayName: Authenticate to npm registry + inputs: + workingFile: ${{ parameters.buildDirectory }}/.npmrc - task: UseNode@1 displayName: Setup Node.js v${{ parameters.nodeVersion }}