Move NuGet.org publish to separate release pipeline #14
Closed
jfversluis wants to merge 7 commits into
Conversation
MicroBuild signing (enableMicrobuild: true) in devflow-official.yml enables CFS network isolation at the pipeline level. This sinkhole-blocks api.nuget.org to 192.0.2.2 (TEST-NET), regardless of the networkIsolationPolicy setting. Every attempt to publish inline has failed:
- Permissive alone (3f0661a)
- Permissive, CFSClean2 (e3e3905)
- Permissive, CFSClean, CFSClean2 (336076a)

The fix is to use a separate pipeline without MicroBuild, matching the pattern used by dotnet/aspire (release-publish-nuget.yml) and dotnet/maui (ci-official-release.yml). This was attempted before in 4dcf64c but reverted 4 minutes later (cb4990e) — likely before the new pipeline definition could be registered in Azure DevOps.

Changes:
- New eng/pipelines/release-publish-nuget.yml with:
  - networkIsolationPolicy: Permissive (works without MicroBuild CFS)
  - SBOM generation via PrepareArtifacts/releaseJob pattern
  - Package signature verification before publish
  - Dry run and skip flags for safe operation
- Cleaned devflow-official.yml: removed inline publish_nuget stage and CFS workaround settings

Prerequisite: register release-publish-nuget.yml as a new pipeline definition in Azure DevOps (dnceng/internal) and authorize the 'nuget.org (dotnetframework)' service connection.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
Pull request overview
Moves NuGet.org package publishing out of the main official DevFlow pipeline into a dedicated release pipeline to avoid CFS network isolation triggered by MicroBuild signing.
Changes:
- Added a new manual `release-publish-nuget.yml` pipeline that downloads `PackageArtifacts`, regenerates SBOM via 1ES outputs, verifies package signatures, and publishes to NuGet.org (with dry-run / skip flags).
- Removed the inline NuGet publish stage, related parameters, and network isolation workarounds from `devflow-official.yml`.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| eng/pipelines/release-publish-nuget.yml | New standalone release pipeline that prepares artifacts (SBOM) and publishes signed packages to NuGet.org. |
| eng/pipelines/devflow-official.yml | Removes embedded NuGet publishing so the official build pipeline focuses on build/sign/validate only. |
Contributor
@jfversluis I've opened a new pull request, #15, to work on those changes. Once the pull request is ready, I'll request review from you.
Co-authored-by: jfversluis <939291+jfversluis@users.noreply.github.com> Agent-Logs-Url: https://github.com/dotnet/maui-labs/sessions/10c15b12-1066-4c2d-982a-344f78606755
[WIP] Address feedback on NuGet.org publish release pipeline changes
Contributor
@jfversluis I've opened a new pull request, #16, to work on those changes. Once the pull request is ready, I'll request review from you.
Co-authored-by: jfversluis <939291+jfversluis@users.noreply.github.com> Agent-Logs-Url: https://github.com/dotnet/maui-labs/sessions/a1ea6e7c-7053-4fce-b090-418e01ca6df5
Add `checkout: none` to PublishNuGet job in release pipeline
Member
Author
Not needed anymore, it works for now.
mattleibow added a commit that referenced this pull request on May 12, 2026
Critical/High fixes:
- #1: Use namespace+class for unique hint names (prevents AddSource crash when two pages share the same simple class name)
- #2: CrossFileResolver uses FQN lookup + ambiguity detection for duplicate simple names across namespaces
- #3: CollectionView conditional rendering fixed — no more [[double brackets]], uses unified annotation list builder
- #4: Root ContentPage walks children directly, preventing SemanticProperties on root from swallowing the entire page
- #5: Visibility conditions on layout containers now propagate as condition group wrappers ('When [visible when X = true]:')
- #6: Property-element content (ContentPage.Content, ScrollView.Content) no longer dropped — unknown property elements are transparent by default, only known non-visual ones (Resources, Triggers, etc.) are suppressed
- #7: Shell routes stored in UiElement for Shell page markdown

Medium fixes:
- #8: Promoted containers (Border with Description) now walk children too, preserving actionable descendants like buttons
- #9: Unresolved user controls kept as placeholders (previously dropped), important for third-party controls with SemanticProperties
- #10: DataTrigger with IsVisible=False setter now correctly inverted to 'hidden when Property = Value' instead of 'visible when'
- #11: IsVisible=False elements skipped entirely — not reachable by screen readers, should not appear in accessibility-first index
- #12: Aggregate namespace validated as legal C# before emitting
- #13: Always use global:: for page references in aggregate, even for no-namespace pages
- #14: BindingRegex now requires whitespace after 'Binding' keyword, preventing false matches like {BindingSource}
- #15: CrossFileResolver uses in-progress set for cycle detection, preventing partial cache on indirect A→B→A cycles

Low fixes:
- #16: Dead emptyViewChildren code block removed
- #17: Removed unused TemplateVariants from dead CollectionView code

104 exact-match tests, all passing.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Problem

The `publish_nuget` stage in `devflow-official.yml` fails because MicroBuild signing (`enableMicrobuild: true`) enables CFS network isolation at the pipeline level, which sinkhole-blocks `api.nuget.org` to `192.0.2.2` (TEST-NET). This happens regardless of `networkIsolationPolicy` — every inline approach has failed:
- `Permissive` alone (3f0661a) ❌
- `Permissive`, `CFSClean2` (e3e3905) ❌
- `Permissive`, `CFSClean`, `CFSClean2` (336076a) ❌

Root Cause

The CFS enforcement is scoped to the entire pipeline definition, not individual stages. Since the build stage uses MicroBuild for code signing, all stages in that pipeline — including the NuGet publish stage — are subject to CFS network restrictions.

Fix

Move NuGet.org publishing to a separate pipeline (`release-publish-nuget.yml`) that does not use MicroBuild signing. This is the same pattern used by:
- dotnet/aspire: `release-publish-nuget.yml` (separate from `azure-pipelines.yml`)
- dotnet/maui: `ci-official-release.yml` (separate from `ci-official.yml`)

This was actually attempted before in 4dcf64c but reverted 4 minutes later (cb4990e) — likely before the new pipeline definition could be registered in Azure DevOps.

Changes

- `eng/pipelines/release-publish-nuget.yml` (new):
  - `networkIsolationPolicy: Permissive` (works because no MicroBuild in this pipeline)
  - `dotnet-maui-labs-official`
- `eng/pipelines/devflow-official.yml` (cleaned up), removed:
  - `publish_nuget` stage
  - `networkIsolationPolicy` workaround settings
  - `publishPackagesNuget` parameter

Prerequisites (manual steps after merge)

- Register `release-publish-nuget.yml` as a new pipeline in Azure DevOps (dnceng/internal)
- Authorize the `nuget.org (dotnetframework)` service connection for the new pipeline

cc @ruimarinho — you authored several of the earlier attempts at this, wanted to get your eyes on this approach.
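An added example, not code from this PR or the maui-labs repository: a POSIX shell pre-publish gate of the kind the release job above wants. It fails fast when the publish endpoint resolves into the CFS sinkhole range (192.0.2.0/24, where the blocked `api.nuget.org` landed), verifies every package signature with `dotnet nuget verify` before any push, and honours `DRY_RUN` / `SKIP_PUBLISH` flags. The `dotnet` CLI on PATH, the `NUGET_API_KEY` variable and the two flag names are assumptions.

```shell
# Added example, not the PR's own code. Assumes the `dotnet` CLI is on PATH and
# that DRY_RUN / SKIP_PUBLISH / NUGET_API_KEY are the (hypothetical) flag names.
set -eu

# CFS network isolation sinkholes blocked hosts to 192.0.2.2, which lies in
# TEST-NET-1 (192.0.2.0/24). Returns 0 when an address is in that range.
ip_is_sinkhole() {
    case "$1" in
        192.0.2.*) return 0 ;;
        *) return 1 ;;
    esac
}

# First A record for a host; a plain function so it can be stubbed offline.
resolve_host() {
    getent hosts "$1" | awk '{ print $1; exit }'
}

# Fail fast with a clear message instead of a confusing push timeout.
check_endpoint() {
    addr=$(resolve_host "$1") || addr=""
    [ -n "$addr" ] || { echo "cannot resolve $1" >&2; return 1; }
    if ip_is_sinkhole "$addr"; then
        echo "$1 resolves to $addr: CFS sinkhole, refusing to publish" >&2
        return 2
    fi
}

# Verify every package's signature before anything is pushed.
verify_packages() {
    for pkg in "$1"/*.nupkg; do
        [ -e "$pkg" ] || { echo "no packages in $1" >&2; return 1; }
        dotnet nuget verify --all "$pkg" >/dev/null || return 1
    done
}

# Gate: skip, dry run, or real push. Exit codes: 0 ok, 1 no packages or
# unresolvable host, 2 sinkholed endpoint, 3 signature verification failed.
publish_gate() {
    dir=$1; host=${2:-api.nuget.org}
    if [ "${SKIP_PUBLISH:-0}" = 1 ]; then echo "skip flag set, not publishing"; return 0; fi
    check_endpoint "$host" || return $?
    verify_packages "$dir" || { echo "signature verification failed" >&2; return 3; }
    set -- "$dir"/*.nupkg
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "dry run: would push $# package(s) to https://$host/v3/index.json"
        return 0
    fi
    dotnet nuget push "$dir/*.nupkg" --source "https://$host/v3/index.json" \
        --api-key "${NUGET_API_KEY:?}" --skip-duplicate
}
```

Run it as `DRY_RUN=1 publish_gate path/to/PackageArtifacts` first; the dry run still exercises the sinkhole and signature checks, so a pipeline misconfiguration surfaces before any package leaves the agent.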