Prepare 2.0.0

.gitignore

@@ -17,7 +17,7 @@ venv/
 ENV/
 
 # FCIB
-src/artifacts_keyring/plugins/
+src/artifacts_keyring/bin/
 
 # Pytest
 .pytest_cache/

MANIFEST.in

@@ -1,3 +1,3 @@
 include LICENSE.txt
 include README.md
-recursive-include src/artifacts_keyring/plugins *
+recursive-include src/artifacts_keyring/bin *

README.md

@@ -1,5 +1,5 @@
 ## NOTE
-'artifacts-keyring' is a relatively thin wrapper around [artifacts-credprovider](https://github.com/microsoft/artifacts-credprovider).  Make sure to also look at that repository for more information about different scenarios. For example:
+'artifacts-keyring' is a relatively thin wrapper around [artifacts-credprovider](https://github.com/microsoft/artifacts-credprovider). Make sure to also look at that repository for more information about different scenarios. For example:
 
 * [Environment variable to explicitly override tokens](https://github.com/microsoft/artifacts-credprovider)
 * [Safely using credentials in docker](https://github.com/dotnet/dotnet-docker/blob/master/documentation/scenarios/nuget-credentials.md#using-the-azure-artifact-credential-provider)
@@ -38,6 +38,27 @@ Artifacts, the following requirements must be met:
   learn.microsoft.com/dotnet/core/install/) for installation guideline.
   ```
 
+#### macOS requirements
+
+The platform-specific macOS wheels require **macOS 11.0 or higher**. This is because the bundled MSAL
+native library (`msalruntime.dylib`) targets macOS 11.0+, which is encoded into the wheel's platform tag
+(e.g. `macosx_11_0_arm64`). pip will only install the platform-specific wheel on macOS 11.0+.
+
+On macOS 10.x, no matching platform-specific wheel will be found and pip will fall back to the source
+distribution (sdist), which requires a [.NET 8 runtime or sdk](https://learn.microsoft.com/dotnet/core/install/)
+to be installed separately.
+
+#### Linux requirements
+
+On Linux, `artifacts-keyring` is distributed as a source distribution (sdist) that bundles the default
+(non-platform-specific) .NET 8 artifacts-credential provider. This requires .NET 8 or higher [.NET runtime or sdk](https://learn.microsoft.com/dotnet/core/install/)
+to be installed.
+
+The bundled MSAL native library (`libmsalruntime.so`) also requires additional Linux package dependencies.
+See the [MSAL .NET Linux package dependencies](https://learn.microsoft.com/en-us/entra/msal/dotnet/acquiring-tokens/desktop-mobile/linux-dotnet-sdk?tabs=ubuntudep#package-dependencies) for the full list.
+
+See [Linux credential provider setup](#linux-credential-provider-setup) for advanced options to remove the .NET runtime dependency.
+
 ### Publishing packages to an Azure Artifacts feed
 Once `artifacts-keyring` is installed, to publish a package, use the following `twine` 
 command, replacing **<org_name>** and **<feed_name>** with your own:
@@ -62,6 +83,33 @@ Check out that link to the GitHub repo for more information on configuration opt
 
 - `ARTIFACTS_KEYRING_NONINTERACTIVE_MODE`: Controls whether the underlying credential provider can issue 
 interactive prompts.
+- `ARTIFACTS_KEYRING_CREDENTIALPROVIDER_PATH`: The full path to the Azure Artifacts Credential Provider
+executable (e.g. `~/.dotnet/tools/CredentialProvider.Microsoft` or 
+`~/.nuget/plugins/netcore/CredentialProvider.Microsoft/CredentialProvider.Microsoft`).
+When set, this path is used instead of the bundled credential provider on all platforms.
+On Linux, where only a source distribution is available with the non-self-contained .NET 8 credential provider,
+this variable can be used to point to a self-contained platform-specific binary (e.g. `linux-x64`) that does
+not require a .NET runtime, but does require additional linux dependencies.
+The executable at the provided path must already have the appropriate permissions set (e.g. `chmod +x`).
+
+#### Linux credential provider setup
+
+To remove the .NET runtime/sdk dependency for supported Linux platforms, you can install a self-contained version of the [Azure Artifacts Credential Provider](https://github.com/microsoft/artifacts-credprovider)
+and its Linux package dependencies separately and point `artifacts-keyring` to it using the `ARTIFACTS_KEYRING_CREDENTIALPROVIDER_PATH` environment variable.
+The self-contained binary still requires the [MSAL .NET Linux package dependencies](https://learn.microsoft.com/entra/msal/dotnet/acquiring-tokens/desktop-mobile/linux-dotnet-sdk?tabs=ubuntudep#package-dependencies).
+
+**Example: Using a self-contained credential provider binary**
+```bash
+# Download and install the credential provider using the install script
+wget -qO- https://aka.ms/install-artifacts-credprovider.sh | bash
+
+# Point artifacts-keyring to the executable
+export ARTIFACTS_KEYRING_CREDENTIALPROVIDER_PATH=~/.nuget/plugins/netcore/CredentialProvider.Microsoft/CredentialProvider.Microsoft
+```
+Once set, `pip` and `twine` commands work as usual:
+```bash
+pip install <package_name> --index-url https://pkgs.dev.azure.com/<org_name>/_packaging/<feed_name>/pypi/simple
+```
 
 ### Build Environment Variables
 
@@ -70,6 +118,60 @@ self-contained .NET version of the Azure Artifacts Credential Provider.
 - `ARTIFACTS_CREDENTIAL_PROVIDER_NON_SC`: Controls whether or not to build the non-self-contained 
 .NET 8 version of keyring.
 
+## Troubleshooting
+
+### Enabling credential provider logs
+
+For debug logs of the artifacts-credprovider, enable file logging by setting the `ARTIFACTS_CREDENTIALPROVIDER_LOG_PATH` environment variable to an absolute path before running `pip` or `twine`:
+
+**Windows (PowerShell):**
+```powershell
+$env:ARTIFACTS_CREDENTIALPROVIDER_LOG_PATH = "C:\path\to\credprovider.log"
+pip install <package_name> --index-url https://pkgs.dev.azure.com/<org_name>/_packaging/<feed_name>/pypi/simple
+```
+
+**Linux/macOS:**
+```bash
+export ARTIFACTS_CREDENTIALPROVIDER_LOG_PATH=/path/to/credprovider.log
+pip install <package_name> --index-url https://pkgs.dev.azure.com/<org_name>/_packaging/<feed_name>/pypi/simple
+```
+
+### Clearing credential caches to force a full token refresh
+
+The credential provider uses two cache layers. To force re-authentication, clear both:
+
+**1. Session Token Cache** — stores the short-lived token used by pip/twine:
+
+Windows (PowerShell):
+```powershell
+Remove-Item "$env:LocalAppData\MicrosoftCredentialProvider\SessionTokenCache.dat" -ErrorAction SilentlyContinue
+```
+
+Linux/macOS:
+```bash
+rm -f ~/.local/share/MicrosoftCredentialProvider/SessionTokenCache.dat
+```
+
+**2. MSAL Token Cache** — stores the underlying Azure identity token used to acquire new session tokens:
+
+Windows (PowerShell):
+```powershell
+Remove-Item -Recurse -Force "$env:LocalAppData\.IdentityService" -ErrorAction SilentlyContinue
+```
+
+Linux/macOS:
+```bash
+rm -rf ~/.local/.IdentityService
+```
+
+**3. pip HTTP cache** — stores downloaded package metadata and wheels; clearing ensures pip re-fetches from the feed:
+
+```bash
+pip cache purge
+```
+
+The next pip or twine command should force a token refresh.
+
 ## Local development
 
 1. Install build dependencies with `pip install .`

pipelines/build-wheels.yml

@@ -28,8 +28,6 @@ jobs:
 
   - script: |
       python -m pip install --upgrade pip
-      pip install setuptools
-      pip install wheel
       pip install cibuildwheel
     displayName: 'Install build dependencies'
 
@@ -41,6 +39,24 @@ jobs:
       CIBW_ENVIRONMENT: "ARTIFACTS_CREDENTIAL_PROVIDER_RID=win-x64"
       CIBW_CPYTHON_STANDALONE_URL: ${{ parameters.cibuildwheelPythonUrl }}
       CIBW_PYPY_STANDALONE_URL: ${{ parameters.cibuildwheelPythonUrl }}
+
+  - script: |
+      cibuildwheel --output-dir wheel-win-x86
+    displayName: 'Build win-x86 wheels'
+    env:
+      CIBW_ARCHS_WINDOWS: "x86"
+      CIBW_ENVIRONMENT: "ARTIFACTS_CREDENTIAL_PROVIDER_RID=win-x86"
+      CIBW_CPYTHON_STANDALONE_URL: ${{ parameters.cibuildwheelPythonUrl }}
+      CIBW_PYPY_STANDALONE_URL: ${{ parameters.cibuildwheelPythonUrl }}
+
+  - script: |
+      cibuildwheel --output-dir wheel-win-arm64
+    displayName: 'Build win-arm64 wheels'
+    env:
+      CIBW_ARCHS_WINDOWS: "ARM64"
+      CIBW_ENVIRONMENT: "ARTIFACTS_CREDENTIAL_PROVIDER_RID=win-arm64"
+      CIBW_CPYTHON_STANDALONE_URL: ${{ parameters.cibuildwheelPythonUrl }}
+      CIBW_PYPY_STANDALONE_URL: ${{ parameters.cibuildwheelPythonUrl }}
 
   - ${{ if eq(parameters.publish, true) }}:
     - task: PublishBuildArtifacts@1
@@ -49,6 +65,18 @@ jobs:
         pathToPublish: 'wheel-win-x64'
         artifactName: 'wheels-win-x64'
 
+    - task: PublishBuildArtifacts@1
+      displayName: 'Publish win-x86 wheels'
+      inputs:
+        pathToPublish: 'wheel-win-x86'
+        artifactName: 'wheels-win-x86'
+
+    - task: PublishBuildArtifacts@1
+      displayName: 'Publish win-arm64 wheels'
+      inputs:
+        pathToPublish: 'wheel-win-arm64'
+        artifactName: 'wheels-win-arm64'
+
 - job: BuildOSX
   displayName: 'Build macOS Wheels'
   pool:
@@ -76,7 +104,7 @@ jobs:
     env:
       CIBW_ARCHS_MACOS: "x86_64"
       CIBW_ENVIRONMENT: "ARTIFACTS_CREDENTIAL_PROVIDER_RID=osx-x64"
-      MACOSX_DEPLOYMENT_TARGET: "10.15"
+      MACOSX_DEPLOYMENT_TARGET: "11.0"
       CIBW_CPYTHON_STANDALONE_URL: ${{ parameters.cibuildwheelPythonUrl }}
       CIBW_PYPY_STANDALONE_URL: ${{ parameters.cibuildwheelPythonUrl }}
 
@@ -86,7 +114,7 @@ jobs:
     env:
       CIBW_ARCHS_MACOS: "arm64"
       CIBW_ENVIRONMENT: "ARTIFACTS_CREDENTIAL_PROVIDER_RID=osx-arm64"
-      MACOSX_DEPLOYMENT_TARGET: "10.15"
+      MACOSX_DEPLOYMENT_TARGET: "11.0"
       CIBW_CPYTHON_STANDALONE_URL: ${{ parameters.cibuildwheelPythonUrl }}
       CIBW_PYPY_STANDALONE_URL: ${{ parameters.cibuildwheelPythonUrl }}
 
@@ -103,25 +131,23 @@ jobs:
         pathToPublish: 'wheel-osx-arm64'
         artifactName: 'wheels-osx-arm64'
 
-- job: BuildLinux64
-  displayName: 'Build Linux x64 Wheels'
+- job: BuildLinux
+  displayName: 'Build Linux Wheels'
   pool:
     vmImage: 'ubuntu-latest'
   steps:
-  - script: |
-      sudo apt-get update -y
-      sudo apt-get install -y python3-full
-    displayName: 'Install build tools'
+  - task: UsePythonVersion@0
+    inputs:
+      versionSpec: '3.x'
+      addToPath: true
 
   - task: PipAuthenticate@1
     displayName: 'Pip Authenticate'
     inputs:
       artifactFeeds: ${{ parameters.artifactFeed }}
 
   - script: |
-      python3 -m pip install --upgrade pip
-      pip install setuptools
-      pip install wheel
+      python -m pip install --upgrade pip
       pip install cibuildwheel
     displayName: 'Install build dependencies'
 

pipelines/pr.yml

@@ -1,3 +1,10 @@
+schedules:
+- cron: "0 0 * * SAT"
+  displayName: Saturday midnight (UTC) run
+  always: true
+  branches:
+    include: 
+    - master
 
 resources:
 - repo: self

pipelines/validate-setup-bash.yml

@@ -35,7 +35,7 @@ steps:
 
     echo "Checking for Credential Provider installation..."
 
-    if [ ! -d "./src/artifacts_keyring/plugins/plugins/netcore/CredentialProvider.Microsoft" ]; then
+    if [ ! -d "./src/artifacts_keyring/bin/plugins/netcore/CredentialProvider.Microsoft" ]; then
       echo "Credential provider plugin directory not found"
       exit 1
     fi