CI: resolve crate dependencies through the public MxcDependencies feed #594
Open
bbonaby wants to merge 1 commit into
Pull request overview
Note
Copilot couldn't run its full agentic review because no GitHub Actions runner was available. Make sure your repository has a runner available to run Copilot's review, or add a copilot-setup-steps.yml file specifying one with the runs-on attribute. See the docs for more details.
Updates CI so Rust dependency resolution in GitHub Actions matches the network-isolated ADO build by routing crate downloads through the public MxcDependencies Azure Artifacts feed, and adds a fast precheck to fail early when the feed is missing newly introduced crates.
Changes:
- Route all GitHub Actions Rust jobs (lint/build/e2e) through the public MxcDependencies feed via a reusable composite action.
- Add a `dependency-feed-check` reusable workflow and gate platform builds on it to fail fast with remediation guidance.
- Add/adjust ADO pipeline templates and a seeding pipeline/script to populate the public feed from `src/Cargo.lock`, plus documentation updates.
Reviewed changes
Copilot reviewed 19 out of 19 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| docs/pull-requests.md | Documents the new dependency feed behavior and remediation steps. |
| .github/workflows/Build.yml | Adds dependency-feed-check and gates platform jobs on it. |
| .github/workflows/Dependency.Feed.Check.Job.yml | New reusable workflow to cargo fetch via the feed and emit guidance. |
| .github/actions/setup-cargo-feed/action.yml | New composite action to append the public feed cargo config. |
| .github/workflows/Lint.Job.yml | Ensures lint uses the feed setup action. |
| .github/workflows/Build.Windows.Job.yml | Ensures Windows build uses the feed setup action. |
| .github/workflows/Build.Linux.Job.yml | Ensures Linux build uses the feed setup action; installs ARM64 cross-linker. |
| .github/workflows/Build.MacOS.Job.yml | Ensures macOS build uses the feed setup action. |
| .github/workflows/microvm-e2e.yml | Ensures microvm e2e uses the feed setup action. |
| .github/workflows/hyperlight-e2e.yml | Ensures hyperlight e2e uses the feed setup action. |
| .github/PULL_REQUEST_TEMPLATE.md | Adds checklist + guidance for dependency-feed-check failures. |
| .azure-pipelines/templates/Rust.Build.Steps.Official.yml | Switches official setup to a private cargo setup template. |
| .azure-pipelines/templates/Lint.Job.yml | Adds isOfficialBuild to select private vs public feed in ADO. |
| .azure-pipelines/templates/Cargo.Setup.Public.yml | Updates comments to reflect private-feed equivalent template. |
| .azure-pipelines/templates/Cargo.Setup.Private.yml | New template to append internal feed config and optionally authenticate. |
| .azure-pipelines/templates/1ES.Build.Stages.yml | Passes isOfficialBuild into the Lint template. |
| .azure-pipelines/scripts/seed_feed.py | New script to seed the public feed by authenticated fetches of locked crates. |
| .azure-pipelines/Update.Feed.Dependencies.yml | New pipeline to run the seeding script, including fork PR support. |
| .azure-pipelines/README.md | Small documentation cleanup for local development guidance. |
/azp run
Azure Pipelines successfully started running 1 pipeline(s).
… a check gate and update pipeline

All GitHub Actions Rust jobs (lint, the Windows/Linux/macOS builds, the microvm/hyperlight e2e jobs, and a dependency-feed-check gate) append config.public.toml to the repo-root cargo config via a shared composite action so they resolve through the anonymous public MxcDependencies feed, mirroring the network-isolated ADO build.

The platform builds depend on dependency-feed-check so a missing crate fails fast with guidance; the arm64 Linux leg installs gcc-aarch64-linux-gnu for the cross-linker.

A shine-oss MXC-Update-Feed-Dependencies pipeline adds new crates to the feed using its own build identity (CargoAuthenticate): in-repo branch PRs via /azp run MXC-Update-Feed-Dependencies, forked PRs via a manual Run pipeline with the prNumber parameter (which overlays only the PR manifests and lockfile, so no fork code runs).

The ADO lint stage uses the internal Mxc-Azure-Feed on official builds (new Cargo.Setup.Private template) and the public mirror on fork/unofficial builds.

docs/pull-requests.md and the PR template document the remediation for both in-repo and forked PRs.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
📖 Description
GitHub Actions Rust jobs (lint, the Windows/Linux/macOS builds, and the microvm and hyperlight e2e jobs) now resolve their dependencies through the public, anonymous-read MxcDependencies Azure Artifacts feed instead of crates.io, mirroring the network-isolated ADO build so resolution behaves the same in both.
A new `dependency-feed-check` job gates the platform builds and fails fast with remediation guidance when a PR introduces a crate the feed has not yet cached. Official signed ADO builds continue to use the internal Mxc-Azure-Feed. A manual `MXC-Update-Feed-Dependencies` pipeline seeds the public feed from `src/Cargo.lock` and supports both in-repo and forked PRs.
🔍 Validation
Ran the `MXC-Update-Feed-Dependencies` pipeline in shine-oss (build 354859) for PR 591; it succeeded and updated the feed with the PR's new crates.
✅ Checklist
Cargo.lock, the `dependency-feed-check` check passes (see docs/pull-requests.md)
📋 Issue Type
Microsoft Reviewers: Open in CodeFlow