From 79c35effc365b0e825db03969b9f9c6baf033968 Mon Sep 17 00:00:00 2001
From: Alex Soto
Date: Thu, 18 Jun 2026 15:22:18 -0400
Subject: [PATCH 1/4] [ci] Fix network isolation requirements
---
 build-tools/automation/azure-pipelines.yaml | 16 +++++++++++++--
 .../yaml-templates/install-dotnet-tool.yaml | 20 ++++++++++++++++++-
 .../automation/yaml-templates/variables.yaml | 6 ++++++
 3 files changed, 39 insertions(+), 3 deletions(-)
diff --git a/build-tools/automation/azure-pipelines.yaml b/build-tools/automation/azure-pipelines.yaml
index 9f9454386e3..ef753995c43 100644
--- a/build-tools/automation/azure-pipelines.yaml
+++ b/build-tools/automation/azure-pipelines.yaml
@@ -411,13 +411,25 @@ extends: - task: AzureCLI@2 inputs: azureSubscription: "Darc: Maestro Production" - scriptType: ps + scriptType: pscore scriptLocation: inlineScript inlineScript: | $versionEndpoint = 'https://maestro.dot.net/api/assets/darc-version?api-version=2019-01-16' $darcVersion = $(Invoke-WebRequest -Uri $versionEndpoint -UseBasicParsing).Content $arcadeServicesSource = 'https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-eng/nuget/v3/index.json' - & dotnet tool update microsoft.dotnet.darc --version "$darcVersion" --add-source "$arcadeServicesSource" --tool-path $(Agent.ToolsDirectory)\darc -v n + # Write an isolated NuGet.config that clears all sources and lists only the dnceng + # 'dotnet-eng' feed, and pass it via --configfile so 'dotnet tool update' + # policy. See https://devdiv.visualstudio.com/DevDiv/_git/Xamarin.yaml-templates/pullrequest/750402 + $darcNuGetConfig = Join-Path "$(Agent.TempDirectory)" 'darc-nuget.config' + Set-Content -Path $darcNuGetConfig -Encoding utf8 -Value @( + '', + '', + ' ', + ' ', + " ", + ' ', + '') + & dotnet tool update microsoft.dotnet.darc --version "$darcVersion" --configfile "$darcNuGetConfig" --tool-path $(Agent.ToolsDirectory)\darc -v n & $(Agent.ToolsDirectory)\darc\darc add-build-to-channel --default-channels --id $(BARBuildId) --ci --publishing-infra-version 3 --azdev-pat $(System.AccessToken) displayName: add build to default darc channel condition: and(succeeded(), eq('${{ parameters.pushXAPackagesToMaestro }}', 'true')) diff --git a/build-tools/automation/yaml-templates/install-dotnet-tool.yaml b/build-tools/automation/yaml-templates/install-dotnet-tool.yaml index 295bf4029c4..84f3d5d3a99 100644 --- a/build-tools/automation/yaml-templates/install-dotnet-tool.yaml +++ b/build-tools/automation/yaml-templates/install-dotnet-tool.yaml 
@@ -10,6 +10,24 @@ steps: ignoreLASTEXITCODE: true condition: ${{ parameters.condition }} +# Write an isolated NuGet.config (clear + only the dnceng public feeds) +# referenced via --configfile below. +# See https://devdiv.visualstudio.com/DevDiv/_git/Xamarin.yaml-templates/pullrequest/750402 +- pwsh: | + $cfg = Join-Path "$(Agent.TempDirectory)" 'install-dotnet-tool-nuget.config' + Set-Content -Path $cfg -Encoding utf8 -Value @( + '', + '', + ' ', + ' ', + ' ', + ' ', + ' ', + ' ', + '') + displayName: write isolated NuGet.config for ${{ parameters.toolName }} + condition: ${{ parameters.condition }} + - task: DotNetCoreCLI@2 displayName: install ${{ parameters.toolName }} ${{ parameters.version }} condition: ${{ parameters.condition }} @@ -21,5 +39,5 @@ steps: update ${{ parameters.toolName }} -v:diag --tool-path $(Agent.ToolsDirectory) --version ${{ parameters.version }} - --add-source "https://api.nuget.org/v3/index.json" + --configfile "$(Agent.TempDirectory)/install-dotnet-tool-nuget.config" diff --git a/build-tools/automation/yaml-templates/variables.yaml b/build-tools/automation/yaml-templates/variables.yaml index 8a9d45d11f7..c683a98c9f9 100644 --- a/build-tools/automation/yaml-templates/variables.yaml +++ b/build-tools/automation/yaml-templates/variables.yaml @@ -76,3 +76,9 @@ variables: value: true - name: DOTNET_GENERATE_ASPNET_CERTIFICATE value: false +# Fix network isolation requirements +# See https://devdiv.visualstudio.com/DevDiv/_git/Xamarin.yaml-templates/pullrequest/750402 +- name: DOTNET_CLI_WORKLOAD_UPDATE_NOTIFY_DISABLE + value: 'true' +- name: DOTNET_SDK_VULNERABILITY_CHECK_DISABLE + value: 'true' From 265fbc5ed817e258eeec0d5446581ae5de2bcae9 Mon Sep 17 00:00:00 2001 
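Review bot: The two variables added at the end of variables.yaml apply to every job that pulls in this template, and the comment above them (`# Fix network isolation requirements`) does not say what each one turns off. `DOTNET_SDK_VULNERABILITY_CHECK_DISABLE` in particular reads, by its name, as disabling a vulnerability check rather than just silencing a notification, so the comment should name the outbound request each variable suppresses and state where vulnerability detection for these builds still happens. A wording such as `# Disables the SDK's online vulnerability lookup, which network isolation blocks; scanning is covered by <name of scan stage>` would make the trade-off reviewable. The linked pull request is on an internal host, so the rationale is not otherwise available to readers of this repository.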
From: Jonathan Peppers Date: Thu, 18 Jun 2026 16:33:38 -0500 Subject: [PATCH 2/4] Use --source instead of temp NuGet.config for dotnet tool install Address review feedback: '--source' clears default feeds and points only at the required dnceng feed, so we don't need to write a temp NuGet.config and pass '--configfile'. - install-dotnet-tool.yaml (apkdiff, dotnet-test-slicer): only 'dotnet-public' is needed; both tools live on that mirror. - azure-pipelines.yaml (microsoft.dotnet.darc): still needs 'dotnet-eng', which is the only feed darc is published to. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- build-tools/automation/azure-pipelines.yaml | 17 ++++---------- .../yaml-templates/install-dotnet-tool.yaml | 23 ++++--------------- 2 files changed, 8 insertions(+), 32 deletions(-) diff --git a/build-tools/automation/azure-pipelines.yaml b/build-tools/automation/azure-pipelines.yaml index ef753995c43..e327b9c082e 100644 --- a/build-tools/automation/azure-pipelines.yaml +++ b/build-tools/automation/azure-pipelines.yaml 
@@ -417,19 +417,10 @@ extends: $versionEndpoint = 'https://maestro.dot.net/api/assets/darc-version?api-version=2019-01-16' $darcVersion = $(Invoke-WebRequest -Uri $versionEndpoint -UseBasicParsing).Content $arcadeServicesSource = 'https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-eng/nuget/v3/index.json' - # Write an isolated NuGet.config that clears all sources and lists only the dnceng - # 'dotnet-eng' feed, and pass it via --configfile so 'dotnet tool update' - # policy. See https://devdiv.visualstudio.com/DevDiv/_git/Xamarin.yaml-templates/pullrequest/750402 - $darcNuGetConfig = Join-Path "$(Agent.TempDirectory)" 'darc-nuget.config' - Set-Content -Path $darcNuGetConfig -Encoding utf8 -Value @( - '', - '', - ' ', - ' ', - " ", - ' ', - '') - & dotnet tool update microsoft.dotnet.darc --version "$darcVersion" --configfile "$darcNuGetConfig" --tool-path $(Agent.ToolsDirectory)\darc -v n + # --source clears all default feeds and uses only the dnceng 'dotnet-eng' feed, + # so the install does not depend on nuget.org for network-isolated builds. + # See https://devdiv.visualstudio.com/DevDiv/_git/Xamarin.yaml-templates/pullrequest/750402 + & dotnet tool update microsoft.dotnet.darc --version "$darcVersion" --source "$arcadeServicesSource" --tool-path $(Agent.ToolsDirectory)\darc -v n & $(Agent.ToolsDirectory)\darc\darc add-build-to-channel --default-channels --id $(BARBuildId) --ci --publishing-infra-version 3 --azdev-pat $(System.AccessToken) displayName: add build to default darc channel condition: and(succeeded(), eq('${{ parameters.pushXAPackagesToMaestro }}', 'true')) diff --git a/build-tools/automation/yaml-templates/install-dotnet-tool.yaml b/build-tools/automation/yaml-templates/install-dotnet-tool.yaml index 84f3d5d3a99..fe3a86b2a83 100644 --- a/build-tools/automation/yaml-templates/install-dotnet-tool.yaml +++ b/build-tools/automation/yaml-templates/install-dotnet-tool.yaml 
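Review bot: The rewritten `dotnet tool update microsoft.dotnet.darc` line still passes `$darcVersion` straight from the `Invoke-WebRequest` response body to `--version`, and the tool installed that way is run on the next line with `$(System.AccessToken)`. With the feed now restricted by `--source`, the version string is the remaining unvalidated input to this install. A guard before the call, for example `if ($darcVersion -notmatch '^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$') { throw "Unexpected darc version: $darcVersion" }`, would fail the step on an empty or malformed response instead of handing it to the CLI. The inline script begins above this hunk, so any earlier validation is not visible here.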
@@ -10,24 +10,6 @@ steps: ignoreLASTEXITCODE: true condition: ${{ parameters.condition }} -# Write an isolated NuGet.config (clear + only the dnceng public feeds) -# referenced via --configfile below. -# See https://devdiv.visualstudio.com/DevDiv/_git/Xamarin.yaml-templates/pullrequest/750402 -- pwsh: | - $cfg = Join-Path "$(Agent.TempDirectory)" 'install-dotnet-tool-nuget.config' - Set-Content -Path $cfg -Encoding utf8 -Value @( - '', - '', - ' ', - ' ', - ' ', - ' ', - ' ', - ' ', - '') - displayName: write isolated NuGet.config for ${{ parameters.toolName }} - condition: ${{ parameters.condition }} - - task: DotNetCoreCLI@2 displayName: install ${{ parameters.toolName }} ${{ parameters.version }} condition: ${{ parameters.condition }} @@ -35,9 +17,12 @@ steps: inputs: command: custom custom: tool + # --source clears all default feeds and uses only the dnceng public 'dotnet-public' + # mirror, so the install does not depend on nuget.org for network-isolated builds. + # See https://devdiv.visualstudio.com/DevDiv/_git/Xamarin.yaml-templates/pullrequest/750402 arguments: >- update ${{ parameters.toolName }} -v:diag --tool-path $(Agent.ToolsDirectory) --version ${{ parameters.version }} - --configfile "$(Agent.TempDirectory)/install-dotnet-tool-nuget.config" + --source "https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public/nuget/v3/index.json" From 530a94c0621bfe8d0aa7c9ccbb90a2045b040eb8 Mon Sep 17 00:00:00 2001 From: Jonathan Peppers Date: Thu, 18 Jun 2026 16:34:50 -0500 Subject: [PATCH 3/4] Revert scriptType back to 'ps' No longer need pscore now that the inline script doesn't write a temp NuGet.config. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- build-tools/automation/azure-pipelines.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build-tools/automation/azure-pipelines.yaml b/build-tools/automation/azure-pipelines.yaml index e327b9c082e..5992e8915fc 100644 
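Review bot: The feed URL in the new `--source` argument is hard-coded in a template that installs whatever `${{ parameters.toolName }}` the caller passes, so the single-feed restriction only holds for tools mirrored on `dotnet-public`. The commit message names apkdiff and dotnet-test-slicer as the current callers; a tool that is not on that mirror will fail to resolve, and the tempting quick fix is to add a broader feed back. Making the feed a template parameter with this URL as its default, and writing `--source "${{ parameters.source }}"` here, keeps the one-feed behaviour explicit for each caller. The `parameters:` block is outside this hunk, so the declaration would go there.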
--- a/build-tools/automation/azure-pipelines.yaml +++ b/build-tools/automation/azure-pipelines.yaml @@ -411,7 +411,7 @@ extends: - task: AzureCLI@2 inputs: azureSubscription: "Darc: Maestro Production" - scriptType: pscore + scriptType: ps scriptLocation: inlineScript inlineScript: | $versionEndpoint = 'https://maestro.dot.net/api/assets/darc-version?api-version=2019-01-16' From 8237261720784556c84a6ff491fd31291c949d40 Mon Sep 17 00:00:00 2001 From: Jonathan Peppers Date: Thu, 18 Jun 2026 16:35:41 -0500 Subject: [PATCH 4/4] Drop redundant --source comments Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- build-tools/automation/azure-pipelines.yaml | 3 --- build-tools/automation/yaml-templates/install-dotnet-tool.yaml | 3 --- 2 files changed, 6 deletions(-) diff --git a/build-tools/automation/azure-pipelines.yaml b/build-tools/automation/azure-pipelines.yaml index 5992e8915fc..9f4bdd1eddd 100644 --- a/build-tools/automation/azure-pipelines.yaml +++ b/build-tools/automation/azure-pipelines.yaml @@ -417,9 +417,6 @@ extends: $versionEndpoint = 'https://maestro.dot.net/api/assets/darc-version?api-version=2019-01-16' $darcVersion = $(Invoke-WebRequest -Uri $versionEndpoint -UseBasicParsing).Content $arcadeServicesSource = 'https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-eng/nuget/v3/index.json' - # --source clears all default feeds and uses only the dnceng 'dotnet-eng' feed, - # so the install does not depend on nuget.org for network-isolated builds. - # See https://devdiv.visualstudio.com/DevDiv/_git/Xamarin.yaml-templates/pullrequest/750402 & dotnet tool update microsoft.dotnet.darc --version "$darcVersion" --source "$arcadeServicesSource" --tool-path $(Agent.ToolsDirectory)\darc -v n & $(Agent.ToolsDirectory)\darc\darc add-build-to-channel --default-channels --id $(BARBuildId) --ci --publishing-infra-version 3 --azdev-pat $(System.AccessToken) displayName: add build to default darc channel 
diff --git a/build-tools/automation/yaml-templates/install-dotnet-tool.yaml b/build-tools/automation/yaml-templates/install-dotnet-tool.yaml index fe3a86b2a83..84a7ac7f236 100644 --- a/build-tools/automation/yaml-templates/install-dotnet-tool.yaml +++ b/build-tools/automation/yaml-templates/install-dotnet-tool.yaml @@ -17,9 +17,6 @@ steps: inputs: command: custom custom: tool - # --source clears all default feeds and uses only the dnceng public 'dotnet-public' - # mirror, so the install does not depend on nuget.org for network-isolated builds. - # See https://devdiv.visualstudio.com/DevDiv/_git/Xamarin.yaml-templates/pullrequest/750402 arguments: >- update ${{ parameters.toolName }} -v:diag --tool-path $(Agent.ToolsDirectory)