Revert "Add networkIsolationPolicy to 1ES pipeline templates for SFI-ES4.2.4 compliance"#15193
…ES4.2.4 …" This reverts commit aa9e2bd.
🚀 Dogfood this PR with:
curl -fsSL https://raw.githubusercontent.com/dotnet/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 15193
Or
iex "& { $(irm https://raw.githubusercontent.com/dotnet/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 15193"
Pull request overview
Temporarily reverts the previously-added networkIsolationPolicy settings in 1ES official/unofficial Azure Pipelines templates to unblock winget installation.
Changes:
- Removed settings.networkIsolationPolicy from the official 1ES pipeline template parameters.
- Removed settings.networkIsolationPolicy from the unofficial 1ES pipeline template parameters.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| eng/pipelines/azure-pipelines.yml | Removes networkIsolationPolicy from official pipeline template parameters to avoid the winget break. |
| eng/pipelines/azure-pipelines-unofficial.yml | Removes networkIsolationPolicy from unofficial pipeline template parameters for parity and to avoid the same break. |
| extends: | ||
| template: v1/1ES.Official.PipelineTemplate.yml@1ESPipelineTemplates | ||
| parameters: | ||
| settings: | ||
| networkIsolationPolicy: Permissive,CFSClean2 | ||
| featureFlags: | ||
| autoEnablePREfastWithNewRuleset: false | ||
| autoEnableRoslynWithNewRuleset: false |
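Review bot: the hunk deletes the whole `networkIsolationPolicy: Permissive,CFSClean2` line rather than narrowing it, so the official template silently falls back to whatever default the 1ES template applies, and the previous value survives only in git history. Since the PR description calls this temporary, consider keeping the removed value visible as a commented line next to `featureFlags:` (for example `# networkIsolationPolicy: Permissive,CFSClean2  # disabled: broke winget install, restore after 13.2`) so the exact setting to restore is in the file and not only in the reverted commit.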
Removing networkIsolationPolicy entirely likely reverts the pipeline to a less-controlled default and may re-open the SFI-ES4.2.4 / s360 findings that the reverted PR was addressing. If the issue is specifically winget access, consider re-introducing networkIsolationPolicy with a narrower exception (e.g., avoid the specific enforcement mode that breaks winget, or isolate the winget acquisition by using a pre-baked image/internal artifact so the overall pipeline can keep the stricter policy).
| @@ -39,8 +39,6 @@ resources: | |||
| extends: | |||
| template: v1/1ES.Unofficial.PipelineTemplate.yml@1ESPipelineTemplates | |||
| parameters: | |||
Since this is described as a temporary revert, consider adding an inline comment/TODO near parameters: documenting the rollback reason (winget break) and a tracking link (issue/PR) for re-introducing the policy after 13.2. This makes it less likely the compliance setting is forgotten and helps future maintainers understand why the policy is absent.
| parameters: | |
| parameters: | |
| # TODO: Temporary rollback of Roslyn auto-enable ruleset due to winget break. | |
| # Re-enable after 13.2 once the policy can be safely applied. | |
| # Tracking: ISSUE-XXXX (replace with real issue/PR link). |
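Review bot: the TODO text in this suggested change misidentifies what was rolled back. It reads "Temporary rollback of Roslyn auto-enable ruleset", but the only line this PR removes is `networkIsolationPolicy: Permissive,CFSClean2`; `autoEnableRoslynWithNewRuleset: false` is unchanged context in the hunk above. Reword the comment to name the setting actually removed, e.g. `# TODO: settings.networkIsolationPolicy temporarily removed because it broke winget installation; restore after 13.2`, and keep the `ISSUE-XXXX` placeholder until a real tracking issue exists, otherwise a maintainer searching for the compliance setting will not find this note.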
Reverts #14696
Reverting temporarily as this broke our installation of winget. @radical let's figure this out after 13.2 since these changes were trying to fix some s360 alerts.