search

dotnet / arcade

Tools that provide common build infrastructure for multiple .NET Foundation projects.
MIT License
664 stars 339 forks source link

Add new private channel publishing guardrails #14167

Open mmitche opened 10 months ago

mmitche commented 10 months ago

As extra insurance, Arcade publishing should refuse to publish to public endpoints if the commit being published is not anonymously accessible. I could see this implemented in a couple ways:

Darc

Because publishing endpoint data is kept in arcade, this would require some kind of DB addition. On that note, I don't love it.

Arcade

This method does have one annoying side effect. Dev builds of branches pushed only to AzDO (e.g. for testing arcade changes) would not be able to be published to the public "General Testing" channel. I propose that this would be deal with by adding an override switch to darc that would explicitly pass the "SkipSafetyChecks" parameter to the build task.

Verdict

I think going with the arcade publishing method is best.

Release Note Category

mmitche commented 10 months ago

Okay, these guardrails do not need to be 'new'. They existed:

https://github.com/dotnet/arcade/blob/main/src/Microsoft.DotNet.Build.Tasks.Feed/src/PublishArtifactsInManifestBase.cs#L331-L341

mmitche commented 10 months ago

https://github.com/dotnet/arcade/blob/main/eng/publishing/v3/publish.yml#L166

This is set incorrectly.

mmitche commented 10 months ago

And the safety check is never executed.