[release/13.2] Enable CFSClean policies and use dotnet-public feed for winget CLI #15541
aspire-repo-bot[bot] wants to merge 3 commits into release/13.2 from
- Add networkIsolationPolicy: Permissive, CFSClean, CFSClean2 to the 1ES official pipeline template parameters
- Switch winget CLI installation from PSGallery to dotnet-public Azure Artifacts feed to comply with CFSClean network restrictions

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
🚀 Dogfood this PR with:
curl -fsSL https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 15541
Or
iex "& { $(irm https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 15541"
| - pwsh: | | ||
| Write-Host "Installing Microsoft.WinGet.Client from PSGallery..." | ||
| Install-PSResource -Name Microsoft.WinGet.Client -Repository PSGallery -TrustRepository | ||
| $repoName = 'dotnet-public' |
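Review bot: The `Install-PSResource -Name Microsoft.WinGet.Client -Repository PSGallery -TrustRepository` line carries no `-Version`, so the build takes whatever the source serves as latest. If the install against `$repoName = 'dotnet-public'` keeps that shape, pin an exact version so the release/13.2 pipeline stays reproducible and a feed-side update cannot change the tool unnoticed. Also check that the `Write-Host` text no longer says "from PSGallery" once the source is the dotnet-public feed.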
This should be microsoft-public now
Actually, maybe not, sorry. What is that for?
This is the feed we are using to get winget cli.
| template: v1/1ES.Official.PipelineTemplate.yml@1ESPipelineTemplates | ||
| parameters: | ||
| settings: | ||
| networkIsolationPolicy: Permissive,CFSClean,CFSClean2 |
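Review bot: The `networkIsolationPolicy: Permissive,CFSClean,CFSClean2` line has no comment saying why three policies are listed together or how they combine. Add a short YAML comment above it (or a pointer to the 1ES template documentation) stating what each value contributes, so a later edit to this setting does not drop one by accident.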
Help me understand why we need CFSClean, CFSClean2? What's the difference? Also, why do we need permissive, and do we need an exclusion list to get the gallery?
This is a backport of the PR we merged for main.
@mmitche ^^
IIUC, Permissive -> CFSClean -> CFSClean2 - they are building upon the previous one to establish the restrictions, and allowances. Permissive is the base one allowing most outbound connections.
Backport of #15442 to release/13.2
/cc @radical @mmitche
Customer Impact
Testing
Risk
Regression?