Use CFS rather than public npm registry in PR builds and official builds

.github/actions/cfs-npm-authenticate/action.yml

@@ -0,0 +1,33 @@
+name: Add auth token to .npmrc
+
+on:
+  workflow_call:
+
+inputs:
+  working-directory:
+    description: The directory whose .npmrc file should be modified
+    required: true
+    type: string
+  token:
+    description: The auth token to add to the .npmrc file
+    required: true
+    type: string
+  feed-url:
+    description: The URL of the Azure Artifacts feed to authenticate with
+    required: false
+    default: //devdiv.pkgs.visualstudio.com/DevDiv/_packaging/Pylance_PublicPackages
+
+runs:
+  using: composite
+  steps:
+    - name: Generate .npmrc
+      shell: bash
+      run: |
+        echo "registry=https:${{ inputs.feed-url }}/npm/registry/" > ${{ inputs.working-directory }}/.npmrc
+        echo "" >> ${{ inputs.working-directory }}/.npmrc
+        echo "${{ inputs.feed-url }}/npm/registry/:username=github-actions" >> ${{ inputs.working-directory }}/.npmrc
+        echo "${{ inputs.feed-url }}/npm/registry/:_authToken=${{ inputs.token }}" >> ${{ inputs.working-directory }}/.npmrc
+        echo "${{ inputs.feed-url }}/npm/registry/:[email protected]" >> ${{ inputs.working-directory }}/.npmrc
+        echo "${{ inputs.feed-url }}/npm:username=github-actions"  >> ${{ inputs.working-directory }}/.npmrc
+        echo "${{ inputs.feed-url }}/npm:_authToken=${{ inputs.token }}" >> ${{ inputs.working-directory }}/.npmrc
+        echo "${{ inputs.feed-url }}/npm:[email protected]" >> ${{ inputs.working-directory }}/.npmrc

.github/actions/cfs-npm-cache/action.yml

@@ -0,0 +1,19 @@
+name: Setup npm cache caching
+
+on:
+  workflow_call:
+
+runs:
+  using: composite
+  steps:
+    - name: Get npm cache directory
+      id: npm-cache
+      shell: bash
+      run: echo "dir=$(npm config get cache)" >> $GITHUB_OUTPUT
+
+    - uses: actions/cache@v3
+      with:
+        path: ${{ steps.npm-cache.outputs.dir }}
+        key: ${{ runner.os }}-node-${{ hashFiles('**/.npmrc') }}-${{ hashFiles('**/package-lock.json') }}
+        # For security, only reuse caches with matching .npmrc files (ex. same registry URL)
+        restore-keys: ${{ runner.os }}-node-${{ hashFiles('**/.npmrc') }}

.github/actions/cfs-npm-install/action.yml

@@ -0,0 +1,54 @@
+# Does an npm install using our private Azure Artifacts registry which requires OIDC authentication.
+# Workflows that use this action must add the id-token: write permission.
+
+name: npm install via CFS
+
+on:
+  workflow_call:
+
+runs:
+  using: composite
+  steps:
+    - name: Azure OIDC Login
+      uses: azure/login@v2
+      with:
+        # These are not secret values and are safe to commit to the repository
+        client-id: 92c669e8-02ad-4ce6-ad73-f222fc7177e2
+        tenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
+        allow-no-subscriptions: true
+
+    - name: Setup CFS Credentials
+      shell: bash
+      id: npm-auth
+      # The resource guid is the app id of Azure DevOps
+      run: |
+        echo "token=$(az account get-access-token --resource 499b84ac-1321-427f-aa17-267ca6975798 | jq -r .accessToken)" >> $GITHUB_OUTPUT
+
+    - uses: ./.github/actions/cfs-npm-authenticate
+      with:
+        working-directory: .
+        token: ${{ steps.npm-auth.outputs.token }}
+
+    - uses: ./.github/actions/cfs-npm-authenticate
+      with:
+        working-directory: packages/pyright
+        token: ${{ steps.npm-auth.outputs.token }}
+
+    - uses: ./.github/actions/cfs-npm-authenticate
+      with:
+        working-directory: packages/pyright-internal
+        token: ${{ steps.npm-auth.outputs.token }}
+
+    - uses: ./.github/actions/cfs-npm-authenticate
+      with:
+        working-directory: packages/vscode-pyright
+        token: ${{ steps.npm-auth.outputs.token }}
+
+    - run: npm run install:all
+      shell: bash
+      working-directory: ${{ inputs.working-directory }}
+
+    - name: Cleanup .npmrc
+      shell: bash
+      run: rm .npmrc
+      working-directory: ${{ inputs.working-directory }}

.github/workflows/validation.yml

@@ -157,6 +157,9 @@ jobs:
     runs-on: ubuntu-latest
     name: Build
     needs: typecheck
+    permissions:
+      id-token: write
+      contents: read
 
     steps:
       - uses: actions/checkout@v4
@@ -165,19 +168,8 @@ jobs:
         with:
           node-version: ${{ env.NODE_VERSION }}
 
-      - name: Get npm cache directory
-        id: npm-cache
-        shell: bash
-        run: |
-          echo "dir=$(npm config get cache)" >> $GITHUB_OUTPUT
-      - uses: actions/cache@v4
-        with:
-          path: ${{ steps.npm-cache.outputs.dir }}
-          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
-          restore-keys: |
-            ${{ runner.os }}-node-
-
-      - run: npm run install:all
+      - uses: ./.github/actions/cfs-npm-cache
+      - uses: ./.github/actions/cfs-npm-install
 
       - run: npm publish --dry-run
         working-directory: packages/pyright

build/azuredevops/azure-pipelines-release.yml

@@ -15,6 +15,8 @@ variables:
     value: vscode-pyright.vsix
   - name: ARTIFACT_NAME_VSIX
     value: vsix
+  - name: AZURE_ARTIFACTS_FEED
+    value: 'https://devdiv.pkgs.visualstudio.com/DevDiv/_packaging/Pylance_PublicPackages/npm/registry/'
 
 extends:
   template: azure-pipelines/MicroBuild.1ES.Official.yml@MicroBuildTemplate
@@ -61,6 +63,7 @@ extends:
                 displayName: Use Node 18.x
                 inputs:
                   versionSpec: 18.x
+              - template: /build/templates/npmAuthenticate.yml@self
               - task: CmdLine@2
                 displayName: npm install
                 inputs:

build/templates/npmAuthenticate.yml

@@ -0,0 +1,16 @@
+steps:
+  - task: npmAuthenticate@0
+    inputs:
+      workingFile: .npmrc
+
+  - task: npmAuthenticate@0
+    inputs:
+      workingFile: packages/pyright/.npmrc
+
+  - task: npmAuthenticate@0
+    inputs:
+      workingFile: packages/pyright-internal/.npmrc
+
+  - task: npmAuthenticate@0
+    inputs:
+      workingFile: packages/vscode-pyright/.npmrc