
Conversation

@weiyuanyue
Contributor

@weiyuanyue weiyuanyue commented Jan 9, 2026

[Screenshot: 2026-01-09 18 55 17]

This change enforces single‑feed supply‑chain governance for the Azure DevOps (ADO) release pipeline while keeping the GitHub Actions (GA) PR pipeline simple and stable. Concretely:

  • Mirrored Microsoft.ML.OnnxRuntime.Foundry 1.23.2 into the project feed pde-oss_Internal (ADO needs this version during release).
  • Created a nuget.config.template for local development.
  • Removed the repo’s GA nuget.config and generated an ephemeral config at runtime inside GA (so the file is not scanned by ADO’s SSCA detectors).

This simultaneously clears SSCA findings on ADO and preserves GA’s current behavior for PR validation.

Background

  • SSCA/CFS policy requires ADO builds to restore from a single Azure Artifacts feed in our own project (no direct nuget.org, no cross‑org feeds, first).
  • The GA/Local nuget.config in the repo pointed at multiple sources (including a cross‑org ORT feed). When present in the repo, ADO’s SSCA scans it and flags non‑compliance.
  • We also need Foundry runtime packages on ADO release; the version currently required is Microsoft.ML.OnnxRuntime.Foundry 1.23.2.

What’s changed

Release (ADO):

  • Ensure Foundry dependency availability by mirroring Microsoft.ML.OnnxRuntime.Foundry 1.23.2 into pde-oss_Internal.

PR (GA):

  • Delete the repo’s GA nuget.config.
  • Create a short‑lived, ephemeral NuGet config at runtime inside GA with the exact source mapping GA needs. The ephemeral file lives only on the runner and is not committed, hence not scanned by ADO SSCA.

Security & Compliance

  • ADO: Single source (pde-oss_Internal) + satisfies SSCA/CFS; cross‑org and nuget.org references are not present in any repo config file consumed by release.
  • GA: Ephemeral config exists only on the runner; since it’s not committed, ADO cannot see or scan it, eliminating the multi‑feed/cross‑org finding pathway.
  • Provenance: Foundry package Microsoft.ML.OnnxRuntime.Foundry 1.23.2 is available from the project feed, ensuring deterministic resolution at release.
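As an added example that is not part of this pull request's changes, the following shell script shows the shape of the runtime step the description refers to: it writes an ephemeral nuget.config on the runner with a single Azure Artifacts source plus a package source mapping, and then checks that the generated file names exactly one source, no nuget.org host, and a `<clear />` element. The feed URL (EXAMPLE-ORG/EXAMPLE-PROJECT), the NUGET_FEED_NAME/NUGET_FEED_URL variable names and the helper function names are assumptions, not values from the repository; GA's actual ephemeral config would carry whatever sources GA needs, while the single-feed check below is the property the ADO release path wants.

```shell
#!/bin/sh
# Added example (not from the PR): generate an ephemeral nuget.config on a CI
# runner and verify it is a single-feed config. The feed name, URL and env var
# names are placeholders, not the project's real values.

set -eu

# Assumed placeholder values; on a real runner these would come from workflow env.
FEED_NAME="${NUGET_FEED_NAME:-pde-oss_Internal}"
FEED_URL="${NUGET_FEED_URL:-https://pkgs.dev.azure.com/EXAMPLE-ORG/EXAMPLE-PROJECT/_packaging/pde-oss_Internal/nuget/v3/index.json}"

# Write a NuGet config with one source and a package source mapping that pins
# every package pattern to that source. <clear /> discards sources inherited
# from user- or machine-level NuGet configs, so only this feed is consulted.
write_ephemeral_nuget_config() {
  out="$1"
  cat > "$out" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <clear />
    <add key="${FEED_NAME}" value="${FEED_URL}" />
  </packageSources>
  <packageSourceMapping>
    <packageSource key="${FEED_NAME}">
      <package pattern="*" />
    </packageSource>
  </packageSourceMapping>
</configuration>
EOF
}

# Count <add key=...> entries inside <packageSources>; counts occurrences, not
# lines, so a one-line config with several sources is still counted correctly.
count_package_sources() {
  sed -n '/<packageSources>/,/<\/packageSources>/p' "$1" \
    | grep -o '<add key=' | wc -l | tr -d ' '
}

# Return 0 only if the config has exactly one source, clears inherited sources,
# and never references nuget.org.
check_single_feed() {
  cfg="$1"
  [ "$(count_package_sources "$cfg")" -eq 1 ] || return 1
  grep -q '<clear />' "$cfg" || return 1
  ! grep -q 'nuget.org' "$cfg" || return 1
  return 0
}

# Stand-alone demo: write the config to a temp file and run the check on it.
if [ "${1:-}" = "--demo" ]; then
  tmp="$(mktemp)"
  write_ephemeral_nuget_config "$tmp"
  if check_single_feed "$tmp"; then
    echo "single-feed config OK"
  else
    echo "config is NOT single-feed" >&2
  fi
  rm -f "$tmp"
fi
```

Run it as `sh script.sh --demo`. The `<clear />` and the wildcard `packageSourceMapping` are the two settings that make the generated file deterministic: without them, `nuget restore` on the runner could still resolve packages from sources defined in a user-level NuGet.Config, which is exactly the multi-source pathway the single-feed policy is meant to close.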

@weiyuanyue weiyuanyue requested a review from a team as a code owner January 9, 2026 12:28
@weiyuanyue weiyuanyue changed the title [Fix] Configure NuGet feeds for CI builds [Fix]Consolidate NuGet to single feed (pde-oss_Internal) and mirror ORT/Foundry packages Jan 9, 2026
@weiyuanyue weiyuanyue marked this pull request as draft January 9, 2026 12:38
@weiyuanyue weiyuanyue changed the title [Fix]Consolidate NuGet to single feed (pde-oss_Internal) and mirror ORT/Foundry packages [Fix]Release supply‑chain compliance Jan 9, 2026
@weiyuanyue weiyuanyue marked this pull request as ready for review January 9, 2026 15:12
@weiyuanyue weiyuanyue changed the title [Fix]Release supply‑chain compliance [Fix]Release pipeline compliance Jan 9, 2026
@microsoft microsoft deleted a comment from Copilot AI Jan 9, 2026
Milly Wei (from Dev Box) added 4 commits January 10, 2026 13:29