
Route pipeline module installs through CFS feed for network isolation#1607

Draft
givinalis wants to merge 1 commit into
mainfrom
givinalis/cfs-network-isolation-feed

Conversation

@givinalis

Collaborator

Summary

The 1ES CI/PR pipelines run under network isolation. The CFSClean / CFSClean2 policies (CFS = Centralized Feed Service, required for SFI compliance) block the public PowerShell Gallery and require every package to be restored from a CFS-backed feed.

In build 169001301 the "Stop Network Isolation" step reported:

Policy Status
CFSClean ✅ COMPLIANT
CFSClean2 NOT COMPLIANT — 204 violations
CFSClean3 ✅ COMPLIANT

All 204 violations were pwsh.exe reaching www.powershellgallery.com (184) and cdn.powershellgallery.com (20) during the Install-Module steps.

Help: https://eng.ms/docs/cloud-ai-platform/devdiv/one-engineering-system-1es/1es-build/cloudbuild/security/1espt-network-isolation · https://aka.ms/1es/netiso/pipelinetemplates

What changed

  • New build/Install-GalleryModule.ps1 — single place that installs build/test dependencies. Installs from a CFS-backed feed (registering it as a trusted PSRepository and authenticating with the pipeline access token) when configured, and falls back to the public PowerShell Gallery for local development (and while the feed URL is still a placeholder).
  • build/Install-Dependencies.ps1 — added a -Repository parameter (defaults to PSGallery / DEPENDENCY_PS_REPO) and now installs the Microsoft.Graph.* modules through the helper.
  • generate_adapter-1es.yml / generate_adapter.yml — added DependencyRepository and CfsFeedUrl parameters, a guarded NuGetAuthenticate@1 step, and routed the PlatyPS / Pester / dependency installs through the helper with DEPENDENCY_PS_REPO, DEPENDENCY_PS_FEED_URL and SYSTEM_ACCESSTOKEN env.
  • 1es-entra-powershell-pr.yml, 1es-entra-powershell-ci-build.yml, integration-tests.yml — pass the CFS feed name/URL to the generation templates. (1es-entra-powershell-release.yml does no Install-Module, so it is unchanged.)

⚠️ Action required before this can pass

This is a draft because the CFS feed does not exist yet. Do the CFS onboarding at https://aka.ms/cfs (create/onboard an Azure Artifacts feed with the PowerShell Gallery as an upstream source, grant the build identity read access), then replace the placeholder URL:

https://pkgs.dev.azure.com/msazure/One/_packaging/REPLACE_WITH_CFS_FEED/nuget/v2

in the three pipeline files (and adjust DependencyRepository if a different feed name is used). Local development is unaffected — scripts default to the public PowerShell Gallery.

Testing

  • Install-GalleryModule.ps1 and Install-Dependencies.ps1 pass the PowerShell parser and PSScriptAnalyzer (Warning/Error).
  • All five pipeline YAML files validated.

The 1ES CI/PR pipelines run under network isolation where the CFSClean/
CFSClean2 policies block the public PowerShell Gallery. Builds were flagged
with 204 policy violations for reaching www/cdn.powershellgallery.com during
Install-Module.

Add a central Install-GalleryModule.ps1 helper that installs build/test
dependencies from a CFS-backed feed (with token auth) when configured, and
falls back to the public PowerShell Gallery for local development. Wire the
CFS feed name/URL through the generation templates and the PR, CI and
integration-tests pipelines.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
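As an added illustration (not the PR's own build/Install-GalleryModule.ps1), this is how the helper described above can behave: it registers the CFS-backed feed as a trusted PSRepository and authenticates with the pipeline token when a real feed URL is configured, and falls back to the public gallery when the URL is absent or still the onboarding placeholder. The parameter names, the `AzureDevOps` user name and the treatment of the placeholder are assumptions; the environment variable names come from the PR description.

```powershell
# Illustrative helper, not the project's script. Assumes the env vars named in the PR:
# DEPENDENCY_PS_REPO, DEPENDENCY_PS_FEED_URL and SYSTEM_ACCESSTOKEN.
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string[]] $Name,
    [string] $Repository  = $env:DEPENDENCY_PS_REPO,
    [string] $FeedUrl     = $env:DEPENDENCY_PS_FEED_URL,
    [string] $AccessToken = $env:SYSTEM_ACCESSTOKEN
)
$ErrorActionPreference = 'Stop'
if (-not $Repository) { $Repository = 'PSGallery' }

# The pipeline YAML keeps the onboarding placeholder until CFS onboarding is done,
# so a URL still containing it is treated as "feed not configured" (assumption).
$feedConfigured = $FeedUrl -and ($FeedUrl -notmatch 'REPLACE_WITH_CFS_FEED')

if ($feedConfigured -and $Repository -ne 'PSGallery') {
    # Under network isolation only the CFS-backed feed is reachable: register it as a
    # trusted repository and pass the pipeline token as the credential for every call.
    if (-not $AccessToken) {
        throw "SYSTEM_ACCESSTOKEN is required to authenticate to feed '$Repository'"
    }
    $secret = ConvertTo-SecureString -String $AccessToken -AsPlainText -Force
    # User name is a placeholder (assumption); the token carries the build identity.
    $cred = [pscredential]::new('AzureDevOps', $secret)

    if (-not (Get-PSRepository -Name $Repository -ErrorAction SilentlyContinue)) {
        Register-PSRepository -Name $Repository -SourceLocation $FeedUrl `
            -InstallationPolicy Trusted -Credential $cred
    }
    foreach ($module in $Name) {
        Write-Host "Installing $module from CFS feed '$Repository'"
        Install-Module -Name $module -Repository $Repository -Credential $cred `
            -Scope CurrentUser -AllowClobber -Force
    }
}
else {
    # Local development: no CFS feed configured, so use the public PowerShell Gallery.
    foreach ($module in $Name) {
        Write-Host "Installing $module from PSGallery (no CFS feed configured)"
        Install-Module -Name $module -Repository PSGallery -Scope CurrentUser -AllowClobber -Force
    }
}
```

Run in an isolated build the fallback branch would still reach powershellgallery.com, so a pipeline that sets DEPENDENCY_PS_REPO without a valid DEPENDENCY_PS_FEED_URL will fail the CFSClean2 check rather than silently pass.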
@learn-build-service-prod


Learn Build status updates of commit c3043a6:

❌ Validation status: errors

Please follow the instructions here, which may help to resolve the issue.

Status: ❌ Error

  • Line 0, Column 0: [Error: PSMD2Yaml_FileLoadFailed] Failed to load file: C:/LocalRun/W/iuex-s/module/mapping/monikerMapping.json. PackageRoot, ReferenceTocUrl, and ConceptualTocUrl are required for every moniker. PackageRoot should be a valid relative path to docset root.

For more details, please refer to the build report.

Note: Your PR may contain errors or warnings or suggestions unrelated to the files you changed. This happens when external dependencies like GitHub alias, Microsoft alias, cross repo links are updated. Please use these instructions to resolve them.
