Skip to content

[release/13.2] Enable CFSClean policies and use dotnet-public feed for winget CLI#15541

Merged
joperezr merged 3 commits intorelease/13.2from
backport/pr-15442-to-release/13.2
Mar 25, 2026
Merged

[release/13.2] Enable CFSClean policies and use dotnet-public feed for winget CLI#15541
joperezr merged 3 commits intorelease/13.2from
backport/pr-15442-to-release/13.2

Conversation

@aspire-repo-bot
Copy link

@aspire-repo-bot aspire-repo-bot bot commented Mar 24, 2026

Backport of #15442 to release/13.2

/cc @radical @mmitche

Customer Impact

Testing

Risk

Regression?

mmitche and others added 3 commits March 24, 2026 19:43
@mmitche
Enable CFSClean policies and use dotnet-public feed for winget CLI
1c9a13d 
- Add networkIsolationPolicy: Permissive, CFSClean, CFSClean2 to
  the 1ES official pipeline template parameters
- Switch winget CLI installation from PSGallery to dotnet-public
  Azure Artifacts feed to comply with CFSClean network restrictions

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@radical
Update eng/pipelines/templates/prepare-winget-manifest.yml
2bc9193 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@radical
Update eng/pipelines/azure-pipelines.yml
f564e75 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@github-actions
Copy link
Contributor

github-actions bot commented Mar 24, 2026

🚀 Dogfood this PR with:

⚠️ WARNING: Do not do this without first carefully reviewing the code of this PR to satisfy yourself it is safe.

curl -fsSL https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 15541

Or

  • Run remotely in PowerShell:
iex "& { $(irm https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 15541"

@radical radical requested review from eerhardt and joperezr March 24, 2026 20:33
joperezr
joperezr reviewed Mar 24, 2026
View reviewed changes
eng/pipelines/templates/prepare-winget-manifest.yml
- pwsh: |
Write-Host "Installing Microsoft.WinGet.Client from PSGallery..."
Install-PSResource -Name Microsoft.WinGet.Client -Repository PSGallery -TrustRepository
$repoName = 'dotnet-public'
Copy link
Member

@joperezr joperezr Mar 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be microsoft-public now

Copy link
Member

@joperezr joperezr Mar 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually, maybe not, sorry. What is that for?

Copy link
Member

@radical radical Mar 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is feed we are using to get winget cli.

joperezr
joperezr reviewed Mar 24, 2026
View reviewed changes
eng/pipelines/azure-pipelines.yml
template: v1/1ES.Official.PipelineTemplate.yml@1ESPipelineTemplates
parameters:
settings:
networkIsolationPolicy: Permissive,CFSClean,CFSClean2
Copy link
Member

@joperezr joperezr Mar 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Help me understand why we need CFSClean, CFSClean2? What's the difference? Also, why do we need permisive, and do we need an exclusion list to get the gallery?

Copy link
Member

@radical radical Mar 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a backport of the PR we meged for main.
@mmitche ^^

Copy link
Member

@radical radical Mar 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IIUC, Permissive -> CFSClean -> CFSClean2 - they are building upon the previous one to establish the restrictions, and allowances. Permissive is the base one allowing most outbound connections.

Copy link
Member

@mmitche mmitche Mar 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CFSClean and Clean2 are separate policies and we require both of them.

@github-actions github-actions bot mentioned this pull request Mar 25, 2026
Closed
@joperezr joperezr merged commit 4961db2 into release/13.2 Mar 25, 2026
6 checks passed
@joperezr joperezr deleted the backport/pr-15442-to-release/13.2 branch March 25, 2026 17:19
@github-actions github-actions bot mentioned this pull request Mar 26, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@radical radical radical left review comments

@joperezr joperezr joperezr approved these changes

@eerhardt eerhardt Awaiting requested review from eerhardt

+1 more reviewer

@mmitche mmitche mmitche left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@radical @mmitche @joperezr