From 38a326832bd5d0df068a80ce6d191f39bae2253a Mon Sep 17 00:00:00 2001
From: bschnurr <bschnurr@microsoft.com>
Date: Thu, 11 Dec 2025 13:28:09 -0800
Subject: [PATCH 1/3] try update to python3.10

---
 build/azure-devdiv-pipeline.pre-release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build/azure-devdiv-pipeline.pre-release.yml b/build/azure-devdiv-pipeline.pre-release.yml
index 3ec92340..24696057 100644
--- a/build/azure-devdiv-pipeline.pre-release.yml
+++ b/build/azure-devdiv-pipeline.pre-release.yml
@@ -81,7 +81,7 @@ extends:
 
               - task: UsePythonVersion@0
                 inputs:
-                  versionSpec: '3.9' # note Install Python dependencies step below relies on Python 3.9
+                  versionSpec: '3.10' # note Install Python dependencies step below relies on Python 3.9
                   addToPath: true
                   architecture: 'x64'
                 displayName: Select Python version

From f052752eb51f5bdfce87e2b7c2e07642a92d0fe0 Mon Sep 17 00:00:00 2001
From: bschnurr <bschnurr@microsoft.com>
Date: Thu, 11 Dec 2025 13:52:17 -0800
Subject: [PATCH 2/3] update to match autopep8

---
 build/azure-devdiv-pipeline.pre-release.yml |  6 ++--
 build/templates/publish.yml                 | 14 +++------
 build/templates/sign.yml                    | 33 ++++++++++++++-------
 3 files changed, 31 insertions(+), 22 deletions(-)

diff --git a/build/azure-devdiv-pipeline.pre-release.yml b/build/azure-devdiv-pipeline.pre-release.yml
index 24696057..26298739 100644
--- a/build/azure-devdiv-pipeline.pre-release.yml
+++ b/build/azure-devdiv-pipeline.pre-release.yml
@@ -75,13 +75,13 @@ extends:
 
               - task: NodeTool@0
                 inputs:
-                  versionSpec: '22.x'
+                  versionSpec: '22.17.0'
                   checkLatest: true
                 displayName: Select Node 22 LTS
 
               - task: UsePythonVersion@0
                 inputs:
-                  versionSpec: '3.10' # note Install Python dependencies step below relies on Python 3.9
+                  versionSpec: '3.9' # note Install Python dependencies step below relies on Python 3.9
                   addToPath: true
                   architecture: 'x64'
                 displayName: Select Python version
@@ -113,6 +113,8 @@ extends:
                   workingDirectory: $(Build.StagingDirectory)\drop
                   signType: real
                   verifySignature: true
+                  teamName: $(TeamName)
+                  preRelease: true
 
               - ${{ if eq(parameters.publishExtension, true) }}:
                   - template: build/templates/publish.yml@self
diff --git a/build/templates/publish.yml b/build/templates/publish.yml
index 41672f3e..2e4764b7 100644
--- a/build/templates/publish.yml
+++ b/build/templates/publish.yml
@@ -39,9 +39,6 @@ parameters:
   - name: preRelease
     type: boolean
     default: false
-  - name: noVerify
-    type: boolean
-    default: true
 
 steps:
   # Node & vsce expected to be prepared by parent pipeline; omit local installation.
@@ -89,17 +86,14 @@ steps:
         Write-Host "Listing publish folder contents: $root"
         Get-ChildItem -Recurse $root | Select-Object FullName,Length | Format-Table -AutoSize
 
-        $extraFlags = ''
-        if ('${{ parameters.noVerify }}' -eq 'True') { $extraFlags = "$extraFlags --noVerify" }
-
         if ('${{ parameters.preRelease }}' -eq 'True') {
           Write-Host 'Publishing as pre-release'
-          # disabled for now; uncomment when ready
-          npx vsce publish --pat $aadToken --packagePath $vsixPath --manifestPath $manifestPath --signaturePath $signaturePath $extraFlags --pre-release
+          Write-Host "Executing: npx vsce publish --pat *** --packagePath $vsixPath --manifestPath $manifestPath --signaturePath $signaturePath --pre-release"
+          npx vsce publish --pat $aadToken --packagePath $vsixPath --manifestPath $manifestPath --signaturePath $signaturePath --pre-release
         } else {
           Write-Host 'Publishing as stable release'
-          # disabled for now; uncomment when ready
-          npx vsce publish --pat $aadToken --packagePath $vsixPath --manifestPath $manifestPath --signaturePath $signaturePath $extraFlags
+          Write-Host "Executing: npx vsce publish --pat *** --packagePath $vsixPath --manifestPath $manifestPath --signaturePath $signaturePath"
+          npx vsce publish --pat $aadToken --packagePath $vsixPath --manifestPath $manifestPath --signaturePath $signaturePath
         }
 
         if ($LASTEXITCODE -ne 0) {
diff --git a/build/templates/sign.yml b/build/templates/sign.yml
index 9122f3c1..7fd84f46 100644
--- a/build/templates/sign.yml
+++ b/build/templates/sign.yml
@@ -5,8 +5,6 @@
 #     vsixName: autopep8.vsix
 #     workingDirectory: $(Build.SourcesDirectory)
 #     signType: real
-# Note: vsce CLI is invoked via 'npx vsce' (devDependency), no global install required.
-
 parameters:
   - name: vsixName
     type: string
@@ -29,11 +27,11 @@ parameters:
   - name: prepareRoot
     type: boolean
     default: true
-  # vsceVersion parameter removed; rely on pinned devDependency version via npx.
+  - name: teamName
+    type: string
+    default: VSCode-autopep8
 
 steps:
-  # vsce CLI expected to be installed by parent pipeline; no local install here.
-
   - task: NuGetToolInstaller@1
     displayName: Install NuGet
 
@@ -69,15 +67,30 @@ steps:
         $sig = Join-Path $wd $signatureName
         if (!(Test-Path $sig)) { Write-Warning "Signature placeholder missing (will attempt signing anyway)." }
 
-  # Deprecated prepareRoot step removed: we now sign directly in workingDirectory by overriding BaseOutputDirectory.
+  # ✅ Added MicroBuildSigningPlugin for PME enforcement
+  - task: MicroBuildSigningPlugin@4
+    displayName: Enable MicroBuild Signing
+    inputs:
+      signType: ${{ parameters.signType }} # 'real' or 'test'
+      zipSources: false
+      feedSource: 'https://devdiv.pkgs.visualstudio.com/DefaultCollection/_packaging/MicroBuildToolset/nuget/v3/index.json'
+      ConnectedServiceName: 'MicroBuild Signing Task (DevDiv)'
+      ConnectedPMEServiceName: 6cc74545-d7b9-4050-9dfa-ebefcc8961ea
+    env:
+      SYSTEM_ACCESSTOKEN: $(System.AccessToken)
+      TeamName: ${{ parameters.teamName }}
 
   - task: MSBuild@1
     displayName: Run signing (MSBuild)
     inputs:
       solution: '$(Build.SourcesDirectory)/build/sign.proj'
-      msbuildArguments: '/verbosity:detailed /bl:"${{ parameters.workingDirectory }}\\signing.binlog" /p:SignType=${{ parameters.signType }} /p:BaseOutputDirectory=${{ parameters.workingDirectory }} /p:OutDir=${{ parameters.workingDirectory }} /p:IntermediateOutputPath=${{ parameters.workingDirectory }}\\intermediate'
-
-  # No copy-back needed; signing outputs now land directly in workingDirectory.
+      msbuildArguments: >
+        /verbosity:detailed
+        /bl:"${{ parameters.workingDirectory }}\\signing.binlog"
+        /p:SignType=${{ parameters.signType }}
+        /p:BaseOutputDirectory=${{ parameters.workingDirectory }}
+        /p:OutDir=${{ parameters.workingDirectory }}
+        /p:IntermediateOutputPath=${{ parameters.workingDirectory }}\\intermediate
 
   - task: PowerShell@2
     displayName: Post-sign inspection
@@ -132,7 +145,7 @@ steps:
             if (!(Test-Path $vsix)) { Write-Error "Missing VSIX: $vsix"; exit 1 }
             if (!(Test-Path $manifest)) { Write-Error "Missing manifest: $manifest"; exit 1 }
             if (!(Test-Path $signature)) { Write-Error "Missing signature file: $signature"; exit 1 }
-            npx vsce verify-signature --packagePath "$vsix" --manifestPath "$manifest" --signaturePath "$signature"
+            npx @vscode/vsce verify-signature --packagePath "$vsix" --manifestPath "$manifest" --signaturePath "$signature"
             if ($LASTEXITCODE -ne 0) {
               Write-Error "vsce verify-signature failed with exit code $LASTEXITCODE"
               exit $LASTEXITCODE

From 3c4d70e45607f689a267d3415a8f7ec9a01def2b Mon Sep 17 00:00:00 2001
From: bschnurr <bschnurr@microsoft.com>
Date: Thu, 11 Dec 2025 13:59:07 -0800
Subject: [PATCH 3/3] remove preRelease

---
 build/azure-devdiv-pipeline.pre-release.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/build/azure-devdiv-pipeline.pre-release.yml b/build/azure-devdiv-pipeline.pre-release.yml
index 26298739..29820c86 100644
--- a/build/azure-devdiv-pipeline.pre-release.yml
+++ b/build/azure-devdiv-pipeline.pre-release.yml
@@ -114,7 +114,6 @@ extends:
                   signType: real
                   verifySignature: true
                   teamName: $(TeamName)
-                  preRelease: true
 
               - ${{ if eq(parameters.publishExtension, true) }}:
                   - template: build/templates/publish.yml@self