test(marketplace): pin ADO sourceBase authoring->consume e2e + docs (#1010) #1810
Merged
…1010) Adds a hermetic end-to-end test that authors an Azure DevOps marketplace (`sourceBase: https://dev.azure.com/{org}/{project}/_git`) through the full `MarketplaceBuilder` build pipeline and consumes a dependency from the emitted `marketplace.json`. Asserts the build emits a host-preserving `dev.azure.com` URL, the consumed `DependencyReference` is ADO-typed (`is_azure_devops`, `classify_host` kind `ado`) and not rewritten onto github.com, and auth resolution is routed only to `dev.azure.com` (org `contoso`) with no cross-host token leak. Documents ADO as a first-class marketplace authoring host alongside GitHub/GHE/GitLab in the producer guide, manifest-schema reference, and the apm-guide package-authoring skill. Adds a CHANGELOG [Unreleased] entry. The ADO REST metadata client is deferred to #1808 (perf optimization); the generic-git clone path is the supported fetch. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
Adds a hermetic integration regression pin for Azure DevOps (ADO) marketplace authoring via marketplace.sourceBase, and updates the docs/guides + changelog to treat ADO as a first-class marketplace host.
Changes:
- Add `tests/integration/test_ado_marketplace_e2e.py` to exercise the full “author marketplace -> emit marketplace.json -> consume emitted URL” contract without network or `ADO_APM_PAT`.
- Update producer docs + manifest schema reference + `apm-guide` package-authoring skill to document ADO `sourceBase` (`https://dev.azure.com/{org}/{project}/_git`) behavior.
- Add a `CHANGELOG.md` `[Unreleased]` entry for the documentation + hermetic e2e coverage.
| File | Description |
|---|---|
| `tests/integration/test_ado_marketplace_e2e.py` | New hermetic end-to-end test covering ADO sourceBase authoring, consumer parsing, and host-scoped auth routing. |
| `packages/apm-guide/.apm/skills/apm-usage/package-authoring.md` | Adds ADO sourceBase authoring guidance and example. |
| `docs/src/content/docs/reference/manifest-schema.md` | Extends sourceBase reference text to explicitly include Azure DevOps behavior and host preservation. |
| `docs/src/content/docs/producer/publish-to-a-marketplace.md` | Producer guide now includes ADO as a supported sourceBase target with auth pointer. |
| `CHANGELOG.md` | Adds an [Unreleased] “Added” entry documenting ADO marketplace authoring host support + new hermetic test. |
Copilot's findings
- Files reviewed: 5/5 changed files
- Comments generated: 1
| def __init__(self) -> None: | ||
| self.calls: list[tuple[str, str | None]] = [] | ||
|
|
||
| def resolve(self, host: str, org: str | None = None): |
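Review bot: `resolve(self, host: str, org: str | None = None)` has no return annotation, while the `__init__` above it is annotated `-> None` and `self.calls` is fully typed as `list[tuple[str, str | None]]`. Annotate the return type so the recording double states what it hands back to the caller as explicitly as it states what it records.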
danielmeppiel added a commit that referenced this pull request (Jun 16, 2026)
…nt reconcile + new-tip) Union CHANGELOG entries with newly-landed #1810 (ADO marketplace host) and #1770 (Antigravity target); spec count sites unchanged at cumulative 90 (req-pl-013/014/015). Regenerated policy golden snapshot to carry both the merged security.* keys and unmanaged_files.exclude. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
danielmeppiel added a commit that referenced this pull request (Jun 17, 2026)
…h-1670 Faithful union resolution: keep main's new [Unreleased] Added entries (#1793 audit unmanaged-files, #1810 ADO marketplace, #1770 antigravity target, #1794 security policy keys) AND re-insert this PR's MCP extra-passthrough + denylist entry (#1670/#1765) in Keep-a-Changelog order. All adapter/integrator denylist wiring preserved. Co-authored-by: Sergio Sisternes <sergio.sisternes@epam.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
danielmeppiel added a commit that referenced this pull request (Jun 17, 2026)
Integrates the remote 'Update branch' merge (62368eb, main up to #1810) with the local newer-main merge (#1820). CHANGELOG resolved as a faithful union: all [Unreleased] Added entries kept, MCP extra-passthrough entry (#1670/#1765) appears exactly once. Denylist + tests preserved. Co-authored-by: Sergio Sisternes <sergio.sisternes@epam.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
sergio-sisternes-epam pushed a commit that referenced this pull request (Jun 17, 2026)
Sync the 800-line/complexity tightening branch with origin/main tip 788a09a (8 commits ahead of merge-base 45843c3): SBOM export + declared-license (#1820), dompurify bump (#1789), audit-unmanaged (#1793), ADO sourceBase (#1810), Antigravity target (#1770), marketplace token (#1763), spec-conformance (#1801), declared-license and integrity keys (#1794/#1777).
Conflict resolution preserves the strangler-fig extraction: HEAD's relocations into sibling _*.py modules win, with main's feature additions folded into the new homes. Notable folds:
- hook_merge.py: thread container key + antigravity dispatch.
- audit: route fail_on_drift + LockFile through the audit module so test monkeypatches on apm_cli.commands.audit.* still take effect.
Resolve merge-introduced CI regressions under the tightened gates:
- ruff complexity: _classify_primitive_type (PLR0911), validate_policy (C901/PLR0912 via _validate_security), _audit_content_scan (PLR0912 via _run_drift_detection).
- file-length <=800: split spdx_data.py (_spdx_exception_ids.py), policy_checks.py (_policy_checks_unmanaged.py), pack.py render helpers (into _pack_ops.py); all re-exported for the patch contract.
Local CI mirror green: ruff check/format, pylint R0801 10/10, auth-signals, file-length<=800, full unit suite 17225 passed.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
TL;DR
Azure DevOps marketplace support (#1010) is already implemented and tested at HEAD via the maintainer-approved design: ADO sources ride `marketplace.sourceBase` (a `https://dev.azure.com/{org}/{project}/_git` base) rather than a new `host` field or a widened `SOURCE_RE`. This PR closes the one remaining gap -- a hermetic end-to-end "authoring -> consume" pin -- and promotes ADO to a first-class, documented marketplace host.
Problem (WHY)
The isolated pieces of ADO marketplace support were proven independently, but the full marketplace flow (author an ADO `sourceBase` marketplace through the build pipeline, then consume a dependency from the emitted `marketplace.json`) had no hermetic regression pin. The only ADO marketplace e2e (`tests/integration/test_ado_e2e.py`) is gated on `ADO_APM_PAT` and hits live Azure DevOps, so it does not run in normal CI and cannot guard the authoring path.
Approach (WHAT)
- `tests/integration/test_ado_marketplace_e2e.py`, no `ADO_APM_PAT`, no network) that authors an ADO `sourceBase` marketplace through the full `MarketplaceBuilder.build()` pipeline and consumes a dependency from the output.
- `[Unreleased]` entry.
Implementation (HOW)
The new test asserts the end-to-end contract:
- `build()` on `sourceBase: https://dev.azure.com/contoso/platform/_git` + `source: agent-skills` emits a `source: url` plugin whose URL parses (via `urllib.parse`) to host `dev.azure.com`, path `/contoso/platform/_git/agent-skills` -- host-preserving, not rewritten to github.com.
- `DependencyReference.parse(url)` yields `host == dev.azure.com`, `is_azure_devops() is True`, `repo_url == contoso/platform/agent-skills`; `AuthResolver.classify_host(...).kind == "ado"`.
- `AuthResolver`, resolution targets only `("dev.azure.com", "contoso")` -- github.com is never asked, so an ADO `ADO_APM_PAT` can never be offered to a GitHub remote.
- `classify_host("github.com").kind == "github"`.
All URL assertions use `urllib.parse` component comparison per `tests/instructions` (never substring).
What is already shipped at HEAD (evidence)
- `sourceBase` composes relative repo, host preserved: `tests/unit/marketplace/test_marketplace_source_base.py::test_ado_shaped_source_base_composes_relative_repo`
- `git` kind, `dev.azure.com` host kept: `tests/unit/marketplace/test_parser.py::test_https_ado_url_classified_as_git`
- `git` host-typed auth (ADO incl.) + clone-based fetch: `src/apm_cli/marketplace/client.py` (`classify_host`, `_FETCHERS["git"]`)
- `tests/integration/test_ado_e2e.py` (+ bearer/auth suites) `ADO_APM_PAT`)
Scope / deferrals
- /_apis/git/repositories/) is a perf optimization, NOT required for marketplace authoring. The generic-git clone path is the supported fetch.
Validation evidence
- 4 passed.
- `tests/integration/test_ado_marketplace_e2e.py tests/unit/marketplace/test_marketplace_source_base.py tests/unit/marketplace/test_parser.py tests/integration/test_ado_e2e.py tests/integration/test_marketplace_builder_hermetic.py`: 110 passed, 9 skipped (the 9 are the live `requires_ado_pat` cases).
- `ruff check` clean, `ruff format --check` clean, `pylint R0801` 10.00/10, `scripts/lint-auth-signals.sh` clean.
How to test
Closes #1010.
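The host-preserving URL check and host-scoped auth routing described in this PR, as an added example that is not part of the PR or of APM's code base. `compose_source_url`, `classify_host`, `naive_is_ado`, `RecordingResolver` and `token_for` are hypothetical stand-ins, and the tokens and look-alike URLs are constructed; it shows why the assertions compare parsed `urllib.parse` components rather than substrings.

```python
from __future__ import annotations
from urllib.parse import urlsplit

# Hypothetical stand-ins for illustration; not APM's MarketplaceBuilder or AuthResolver.
def compose_source_url(source_base: str, source: str) -> str:
    """Append a relative repo name to sourceBase, leaving scheme and host untouched."""
    return f"{source_base.rstrip('/')}/{source.strip('/')}"

def classify_host(host: str) -> str:
    """Exact hostname match only; unknown hosts never map to an ADO or GitHub kind."""
    return {"dev.azure.com": "ado", "github.com": "github"}.get(host, "generic")

def naive_is_ado(url: str) -> bool:
    """Substring check, kept only to contrast with the parsed comparison."""
    return "dev.azure.com" in url

class RecordingResolver:
    """Host-scoped token store that records every (host, org) it is asked about."""
    def __init__(self, tokens: dict[str, str]) -> None:
        self.tokens = tokens
        self.calls: list[tuple[str, str | None]] = []

    def resolve(self, host: str, org: str | None = None) -> str | None:
        self.calls.append((host, org))
        return self.tokens.get(host)

def token_for(url: str, resolver: RecordingResolver) -> tuple[str, str | None]:
    """Route the credential lookup by the parsed hostname component of the URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    kind = classify_host(host)
    # For ADO URLs the first path segment is the organisation.
    org = parts.path.strip("/").split("/")[0] if kind == "ado" else None
    return kind, resolver.resolve(host, org)

# Constructed inputs: dummy tokens, look-alike hosts under the reserved .example TLD.
TOKENS = {"dev.azure.com": "ado-pat-dummy", "github.com": "gh-token-dummy"}
LOOKALIKES = [
    "https://dev.azure.com.mirror.example/contoso/platform/_git/agent-skills",
    "https://dev.azure.com@mirror.example/contoso/platform/_git/agent-skills",
    "https://mirror.example/dev.azure.com/contoso/_git/agent-skills",
]

if __name__ == "__main__":
    url = compose_source_url("https://dev.azure.com/contoso/platform/_git", "agent-skills")
    resolver = RecordingResolver(TOKENS)
    print(url, token_for(url, resolver), resolver.calls)
    for u in LOOKALIKES:
        print(u, naive_is_ado(u), token_for(u, RecordingResolver(TOKENS)))
```

Every look-alike URL passes the substring check, yet none of them resolves to a stored token once the hostname is parsed out.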