CI: resolve crate dependencies through the public MxcDependencies feed #594

Open
bbonaby wants to merge 1 commit into main from user/bbonaby/add-feed-update-pipeline

@bbonaby bbonaby commented Jun 30, 2026

Collaborator

📖 Description

GitHub Actions Rust jobs (lint, the Windows/Linux/macOS builds, and the microvm and hyperlight e2e jobs) now resolve their dependencies through the public, anonymous-read MxcDependencies Azure Artifacts feed instead of crates.io, mirroring the network-isolated ADO build so resolution behaves the same in both.

A new dependency-feed-check job gates the platform builds and fails fast with remediation guidance when a PR introduces a crate the feed has not yet cached. Official signed ADO builds continue to use the internal Mxc-Azure-Feed. A manual MXC-Update-Feed-Dependencies pipeline seeds the public feed from src/Cargo.lock and supports both in-repo and forked PRs.

🔍 Validation

Ran the MXC-Update-Feed-Dependencies pipeline in shine-oss (build 354859) for PR 591; it succeeded and updated the feed with the PR's new crates.

✅ Checklist

📋 Issue Type

  • Task
Microsoft Reviewers: Open in CodeFlow
Copilot AI review requested due to automatic review settings June 30, 2026 18:27
@bbonaby bbonaby requested a review from a team as a code owner June 30, 2026 18:27
@bbonaby bbonaby force-pushed the user/bbonaby/add-feed-update-pipeline branch from ce5ac31 to 9ecec70 Compare June 30, 2026 18:56
@microsoft microsoft deleted a comment from azure-pipelines Bot Jun 30, 2026

Copilot AI left a comment

Contributor

Pull request overview

Note

Copilot couldn't run its full agentic review because no GitHub Actions runner was available. Make sure your repository has a runner available to run Copilot's review, or add a copilot-setup-steps.yml file specifying one with the runs-on attribute. See the docs for more details.

Updates CI so Rust dependency resolution in GitHub Actions matches the network-isolated ADO build by routing crate downloads through the public MxcDependencies Azure Artifacts feed, and adds a fast precheck to fail early when the feed is missing newly introduced crates.

Changes:

  • Route all GitHub Actions Rust jobs (lint/build/e2e) through the public MxcDependencies feed via a reusable composite action.
  • Add a dependency-feed-check reusable workflow and gate platform builds on it to fail fast with remediation guidance.
  • Add/adjust ADO pipeline templates and a seeding pipeline/script to populate the public feed from src/Cargo.lock, plus documentation updates.

Reviewed changes

Copilot reviewed 19 out of 19 changed files in this pull request and generated 5 comments.

| File | Description |
| --- | --- |
| docs/pull-requests.md | Documents the new dependency feed behavior and remediation steps. |
| .github/workflows/Build.yml | Adds dependency-feed-check and gates platform jobs on it. |
| .github/workflows/Dependency.Feed.Check.Job.yml | New reusable workflow to cargo fetch via the feed and emit guidance. |
| .github/actions/setup-cargo-feed/action.yml | New composite action to append the public feed cargo config. |
| .github/workflows/Lint.Job.yml | Ensures lint uses the feed setup action. |
| .github/workflows/Build.Windows.Job.yml | Ensures Windows build uses the feed setup action. |
| .github/workflows/Build.Linux.Job.yml | Ensures Linux build uses the feed setup action; installs ARM64 cross-linker. |
| .github/workflows/Build.MacOS.Job.yml | Ensures macOS build uses the feed setup action. |
| .github/workflows/microvm-e2e.yml | Ensures microvm e2e uses the feed setup action. |
| .github/workflows/hyperlight-e2e.yml | Ensures hyperlight e2e uses the feed setup action. |
| .github/PULL_REQUEST_TEMPLATE.md | Adds checklist + guidance for dependency-feed-check failures. |
| .azure-pipelines/templates/Rust.Build.Steps.Official.yml | Switches official setup to a private cargo setup template. |
| .azure-pipelines/templates/Lint.Job.yml | Adds isOfficialBuild to select private vs public feed in ADO. |
| .azure-pipelines/templates/Cargo.Setup.Public.yml | Updates comments to reflect private-feed equivalent template. |
| .azure-pipelines/templates/Cargo.Setup.Private.yml | New template to append internal feed config and optionally authenticate. |
| .azure-pipelines/templates/1ES.Build.Stages.yml | Passes isOfficialBuild into the Lint template. |
| .azure-pipelines/scripts/seed_feed.py | New script to seed the public feed by authenticated fetches of locked crates. |
| .azure-pipelines/Update.Feed.Dependencies.yml | New pipeline to run the seeding script, including fork PR support. |
| .azure-pipelines/README.md | Small documentation cleanup for local development guidance. |
Comment thread .github/actions/setup-cargo-feed/action.yml
Comment thread .github/workflows/Dependency.Feed.Check.Job.yml Outdated
Comment thread .azure-pipelines/Update.Feed.Dependencies.yml
Comment thread .azure-pipelines/scripts/seed_feed.py Outdated
Comment thread .github/workflows/Build.Linux.Job.yml Outdated
@bbonaby bbonaby marked this pull request as draft June 30, 2026 20:19
@bbonaby bbonaby force-pushed the user/bbonaby/add-feed-update-pipeline branch from 9ecec70 to 84c0cd8 Compare June 30, 2026 20:36
@bbonaby bbonaby closed this Jun 30, 2026
@bbonaby bbonaby reopened this Jun 30, 2026
@bbonaby bbonaby force-pushed the user/bbonaby/add-feed-update-pipeline branch from 84c0cd8 to ab3a6c6 Compare June 30, 2026 21:00
@microsoft microsoft deleted a comment from azure-pipelines Bot Jun 30, 2026
@microsoft microsoft deleted a comment from azure-pipelines Bot Jun 30, 2026
@microsoft microsoft deleted a comment from azure-pipelines Bot Jun 30, 2026
@microsoft microsoft deleted a comment from azure-pipelines Bot Jun 30, 2026
bbonaby commented Jun 30, 2026

Collaborator Author

/azp run

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).
@bbonaby bbonaby force-pushed the user/bbonaby/add-feed-update-pipeline branch 4 times, most recently from ad177ae to 93d4ccd Compare July 1, 2026 23:29
… a check gate and update pipeline

All GitHub Actions Rust jobs (lint, the Windows/Linux/macOS builds, the microvm/hyperlight e2e jobs, and a dependency-feed-check gate) append config.public.toml to the repo-root cargo config via a shared composite action so they resolve through the anonymous public MxcDependencies feed, mirroring the network-isolated ADO build. The platform builds depend on dependency-feed-check so a missing crate fails fast with guidance; the arm64 Linux leg installs gcc-aarch64-linux-gnu for the cross-linker.

A shine-oss MXC-Update-Feed-Dependencies pipeline adds new crates to the feed using its own build identity (CargoAuthenticate): in-repo branch PRs via /azp run MXC-Update-Feed-Dependencies, forked PRs via a manual Run pipeline with the prNumber parameter (which overlays only the PR manifests and lockfile, so no fork code runs).

The ADO lint stage uses the internal Mxc-Azure-Feed on official builds (new Cargo.Setup.Private template) and the public mirror on fork/unofficial builds. docs/pull-requests.md and the PR template document the remediation for both in-repo and forked PRs.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@bbonaby bbonaby force-pushed the user/bbonaby/add-feed-update-pipeline branch from 93d4ccd to 3cbe049 Compare July 1, 2026 23:51
@bbonaby bbonaby marked this pull request as ready for review July 1, 2026 23:51