Route pipeline module installs through CFS feed for network isolation #1607
Draft
givinalis wants to merge 1 commit into
The 1ES CI/PR pipelines run under network isolation where the CFSClean/CFSClean2 policies block the public PowerShell Gallery. Builds were flagged with 204 policy violations for reaching www/cdn.powershellgallery.com during Install-Module. Add a central Install-GalleryModule.ps1 helper that installs build/test dependencies from a CFS-backed feed (with token auth) when configured, and falls back to the public PowerShell Gallery for local development. Wire the CFS feed name/URL through the generation templates and the PR, CI and integration-tests pipelines. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Learn Build status updates of commit c3043a6: ❌ Validation status: errors. Please follow instructions here which may help to resolve issue.
For more details, please refer to the build report. Note: Your PR may contain errors or warnings or suggestions unrelated to the files you changed. This happens when external dependencies like GitHub alias, Microsoft alias, cross repo links are updated. Please use these instructions to resolve them.
Summary

The 1ES CI/PR pipelines run under network isolation. The `CFSClean`/`CFSClean2` policies (CFS = Centralized Feed Service, required for SFI compliance) block the public PowerShell Gallery and require every package to be restored from a CFS-backed feed. In build `169001301` the "Stop Network Isolation" step reported:

All 204 violations were `pwsh.exe` reaching `www.powershellgallery.com` (184) and `cdn.powershellgallery.com` (20) during the `Install-Module` steps.

Help: https://eng.ms/docs/cloud-ai-platform/devdiv/one-engineering-system-1es/1es-build/cloudbuild/security/1espt-network-isolation · https://aka.ms/1es/netiso/pipelinetemplates

What changed

- `build/Install-GalleryModule.ps1` — single place that installs build/test dependencies. Installs from a CFS-backed feed (registering it as a trusted `PSRepository` and authenticating with the pipeline access token) when configured, and falls back to the public PowerShell Gallery for local development (and while the feed URL is still a placeholder).
- `build/Install-Dependencies.ps1` — added a `-Repository` parameter (defaults to `PSGallery`/`DEPENDENCY_PS_REPO`) and now installs the `Microsoft.Graph.*` modules through the helper.
- `generate_adapter-1es.yml`/`generate_adapter.yml` — added `DependencyRepository` and `CfsFeedUrl` parameters, a guarded `NuGetAuthenticate@1` step, and routed the `PlatyPS`/`Pester`/ dependency installs through the helper with `DEPENDENCY_PS_REPO`, `DEPENDENCY_PS_FEED_URL` and `SYSTEM_ACCESSTOKEN` env.
- `1es-entra-powershell-pr.yml`, `1es-entra-powershell-ci-build.yml`, `integration-tests.yml` — pass the CFS feed name/URL to the generation templates. (`1es-entra-powershell-release.yml` does no `Install-Module`, so it is unchanged.)

This is a draft because the CFS feed does not exist yet. Do the CFS onboarding at https://aka.ms/cfs (create/onboard an Azure Artifacts feed with the PowerShell Gallery as an upstream source, grant the build identity read access), then replace the placeholder URL:

in the three pipeline files (and adjust `DependencyRepository` if a different feed name is used). Local development is unaffected — scripts default to the public PowerShell Gallery.

Testing

`Install-GalleryModule.ps1` and `Install-Dependencies.ps1` pass the PowerShell parser and PSScriptAnalyzer (Warning/Error).
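As an added example, not the PR's own `Install-GalleryModule.ps1`, a helper with the same shape: when a CFS feed URL is configured it registers a token-authenticated, trusted `PSRepository` and installs from it, otherwise it falls back to `PSGallery`. The environment variable names mirror the PR; the `PLACEHOLDER` check, the HTTPS check and the `cfs` user name are assumptions.

```powershell
# Example helper (not the PR's code). Installs modules from a CFS-backed feed when
# DEPENDENCY_PS_FEED_URL is set and real, else from the public gallery.
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string[]] $Name,
    [string] $Repository  = $(if ($env:DEPENDENCY_PS_REPO) { $env:DEPENDENCY_PS_REPO } else { 'PSGallery' }),
    [string] $FeedUrl     = $env:DEPENDENCY_PS_FEED_URL,
    [string] $AccessToken = $env:SYSTEM_ACCESSTOKEN,
    [string] $RequiredVersion
)

$ErrorActionPreference = 'Stop'
$credential = $null

# A missing URL, or one still containing the assumed placeholder marker, means
# "feed not configured": local development path, public gallery only.
$useFeed = $FeedUrl -and ($FeedUrl -notmatch 'PLACEHOLDER')
if (-not $useFeed) {
    $Repository = 'PSGallery'
}
else {
    # Never send the pipeline token over plaintext, and never reuse the built-in
    # PSGallery name for the private feed (it would silently keep the public source).
    if ($FeedUrl -notmatch '^https://') { throw "Feed URL must use HTTPS: $FeedUrl" }
    if ($Repository -eq 'PSGallery')    { throw 'Set DEPENDENCY_PS_REPO to the CFS feed name' }
    if (-not $AccessToken)              { throw 'SYSTEM_ACCESSTOKEN is required for the CFS feed' }

    # Azure Artifacts accepts any user name; the token is the password. Keep it a
    # SecureString so it does not end up in logs or error messages.
    $secure     = ConvertTo-SecureString -String $AccessToken -AsPlainText -Force
    $credential = [pscredential]::new('cfs', $secure)

    if (-not (Get-PSRepository -Name $Repository -ErrorAction SilentlyContinue)) {
        Register-PSRepository -Name $Repository -SourceLocation $FeedUrl `
            -PublishLocation $FeedUrl -InstallationPolicy Trusted -Credential $credential
    }
}

foreach ($module in $Name) {
    $installParams = @{ Name = $module; Repository = $Repository; Scope = 'CurrentUser'; Force = $true; AllowClobber = $true }
    if ($RequiredVersion) { $installParams.RequiredVersion = $RequiredVersion }
    if ($credential)      { $installParams.Credential      = $credential }
    Write-Host "Installing $module from repository '$Repository'"
    Install-Module @installParams
}
```

Pinning `-RequiredVersion` for each dependency keeps the CFS upstream from silently pulling a newer gallery package than the one the pipeline was validated against.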