Enable CFSClean* policies for dotnet-crank-ci-official pipeline #873

Open
mmitche wants to merge 2 commits into main from enable-cfsclean-main

mmitche (Member) commented Mar 18, 2026

Adds CFSClean and CFSClean2 network isolation policies.

mmitche and others added 2 commits March 18, 2026 08:52
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
mmitche force-pushed the enable-cfsclean-main branch from 8124211 to e90a147 on March 18, 2026 16:56

mmitche (Member, Author) commented Mar 18, 2026

✅ Test build passed after fixing nuget.org references for CFSClean compliance.

Passing build: https://dev.azure.com/dnceng/internal/_build/results?buildId=2929815

Changes in this update:

  • Replaced nuget.org URLs with dotnet-public AzDO feed equivalents for ultra package download and version checker
  • Added <clear /> to NuGet.config files generated by the crank agent to prevent inheriting nuget.org from machine/user-level configs
  • This ensures the crank agent and integration tests work correctly under CFSClean network isolation
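
A check for the `<clear />` change listed in the comment above, as an added example that is not part of this pull request or the crank code base. It audits a generated NuGet.config for inherited or nuget.org sources; the function name, the blocked-host rule and the sample configs are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Assumption: the isolation policy blocks nuget.org and its subdomains.
BLOCKED_SUFFIX = "nuget.org"

def audit_nuget_config(xml_text):
    """Return findings for one NuGet.config; an empty list means it passed."""
    root = ET.fromstring(xml_text.strip())
    sources = root.find("packageSources")
    if sources is None:
        return ["no <packageSources>: sources come from machine/user-level configs"]
    findings = []
    children = list(sources)
    clears = [i for i, c in enumerate(children) if c.tag == "clear"]
    if clears:
        # NuGet ignores values defined before <clear />, so only audit what follows.
        effective = children[clears[-1] + 1:]
    else:
        findings.append("no <clear />: machine/user-level sources are inherited")
        effective = children
    for node in effective:
        if node.tag != "add":
            continue
        host = (urlparse(node.get("value", "")).hostname or "").lower()
        if host == BLOCKED_SUFFIX or host.endswith("." + BLOCKED_SUFFIX):
            findings.append(f"source '{node.get('key')}' points at {host}")
    return findings

# Constructed sample configs (not taken from the repository).
FEED = "https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public/nuget/v3/index.json"
ISOLATED = f"""<?xml version="1.0" encoding="utf-8"?>
<configuration><packageSources>
  <clear />
  <add key="dotnet-public" value="{FEED}" />
</packageSources></configuration>"""
INHERITING = ISOLATED.replace("<clear />", "")
LEAKING = ISOLATED.replace(FEED, "https://api.nuget.org/v3/index.json")

if __name__ == "__main__":
    for name, cfg in [("isolated", ISOLATED), ("inheriting", INHERITING), ("leaking", LEAKING)]:
        print(name, audit_nuget_config(cfg) or "ok")
```
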

{
static TimeSpan CacheTimeout = TimeSpan.FromDays(1);
static string PackageVersionUrl = "https://api.nuget.org/v3-flatcontainer/microsoft.crank.controller/index.json";
static string PackageVersionUrl = "https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public/nuget/v3/flat2/microsoft.crank.controller/index.json";
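
Review bot: `PackageVersionUrl` is declared `static string` without `readonly`, so the feed URL that the version check trusts can be reassigned at runtime; declare it `const` or `static readonly` (the same applies to `CacheTimeout` on the line above). The new value also hard-codes the dotnet-public `flat2` base that the `_ultraUrl` change in this PR repeats, so a single shared constant for the feed base would keep the two from drifting apart.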
Member

The dotnet tool which is installed from nuget.org is checking the nuget feed for new versions in order to display a warning. Should we care here?

Member Author

If it's installed from nuget.org...wouldn't there not ever be a newer package anyway?

File.WriteAllText(rootNugetConfig, @"<?xml version=""1.0"" encoding=""utf-8""?>
<configuration>
<packageSources>
<clear />
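
Review bot: nothing next to the `<clear />` line in the `rootNugetConfig` literal says why it is there, and a later cleanup could drop it without anyone noticing. Add a short comment above the `File.WriteAllText` call stating that it stops sources from machine/user-level configs being inherited, and consider a test that asserts the generated file has `<clear />` inside `<packageSources>`.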
Member

We should be fine since this is added to the root folder

private static readonly string _dotnetInstallPs1Url = "https://dot.net/v1/dotnet-install.ps1";
private static readonly string _perfviewUrl = $"https://github.com/Microsoft/perfview/releases/download/{PerfViewVersion}/PerfView.exe";
private static readonly string _ultraUrl = $"https://www.nuget.org/api/v2/package/ultra/{UltraVersion}";
private static readonly string _ultraUrl = $"https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public/nuget/v3/flat2/ultra/{UltraVersion}/ultra.{UltraVersion}.nupkg";
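
Review bot: the unchanged lines just above `_ultraUrl` still point `_dotnetInstallPs1Url` at dot.net and `_perfviewUrl` at github.com, so only one of the three external downloads in this block has been moved to the dotnet-public feed. If those code paths run in the isolated pipeline, confirm the policy permits both hosts or move them as well. The new `flat2` URL also resolves only when the `UltraVersion` value has been published to dotnet-public, which is worth checking before merge.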
Member

@LoopedBard3 we need to update the package version and push it in the internal feed

Member

Pushed v1.3.0 and v2.0.2 to the feed. We can merge this as is and then update to v2.0.2 if we want.
