To comply with security policies, this change updates the nuget (C#) and cargo (Rust) projects in this repo to resolve dependencies through a public Azure feed (which upstreams to nuget.org and crates.io), instead of directly from nuget.org and crates.io.
To support our model of adding/updating packages and to be consistent with the lock files we've enabled for our Rust projects, this change also enables lock files (named packages.lock.json) for our C# projects.
I also found a few of our Rust projects which were not using a lock file, so I added Cargo.lock files to those projects.
All packages have been saved to the feed at the versions given in the various lock files. Whether the pipelines build our code or you build it locally, the Azure feed will be used to download dependency packages. Authentication is not required.
To add/upgrade a package in the feed, you must authenticate with write credentials. For nuget, this is seamless once you install the credential provider. For cargo, the process is not so simple. Ideally, a cargo login before cargo build would allow you to seamlessly update the feed, but cargo does not currently support optional authentication with fallback to anonymous. In other words, because we allow anonymous access, cargo will not authenticate. Instead, you can use the feed's REST API directly. I updated edgelet/doc/devguide.md with a new section (edgelet/doc/devguide.md#update-a-dependency) that explains how to add/upgrade dependencies in the feed for Rust projects.
To test, I ran the CI Build pipeline (as well as the E2E-Checkin pipeline, plus all the PR check pipelines) and confirmed they all passed.
Azure IoT Edge PR checklist:
This checklist is used to make sure that common guidelines for a pull request are followed.
General Guidelines and Best Practices
Testing Guidelines
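As an added illustration of the cargo side of this change (not the configuration from this PR or the repo), this is how source replacement in a checked-in `.cargo/config.toml` sends every crates.io dependency through a single upstreaming registry, so that both the pipelines and local builds resolve from the feed; ORG and FEED are placeholders for the organization and feed names, which this page does not give.

```toml
# .cargo/config.toml (added example; ORG and FEED are placeholders)
# Redirect the built-in crates.io source to a named replacement source.
# Cargo.lock keeps the exact versions; the feed only changes where they are fetched from.
[source.crates-io]
replace-with = "azure-feed"

# The replacement source: a sparse (HTTP) registry index served by the feed.
# Anonymous read access is enough for `cargo build`; writes go through the feed's REST API.
[source.azure-feed]
registry = "sparse+https://pkgs.dev.azure.com/ORG/_packaging/FEED/Cargo/index/"
```

In CI, `cargo build --locked` makes the build fail rather than silently re-resolve if Cargo.lock and the feed ever disagree.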