Merge branch 'main' into ber.a/defaultSeverity

Author: DedSec256

.github/workflows/commands.yml

@@ -5,15 +5,45 @@ on:
     types: [created]
 
 jobs:
+  authorize_commenter:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
+    outputs:
+      allowed: ${{ steps.check.outputs.allowed }}
+    steps:
+      - name: Check commenter write access
+        id: check
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const actor = context.payload.comment.user.login;
+            const repo_owner = context.payload.repository.owner.login;
+            const repo_name = context.payload.repository.name;
+            try {
+              const { data: permission } = await github.rest.repos.getCollaboratorPermissionLevel({
+                owner: repo_owner,
+                repo: repo_name,
+                username: actor
+              });
+              const allowed = ['admin', 'write'].includes(permission.permission);
+              core.setOutput('allowed', allowed ? 'true' : 'false');
+            } catch (e) {
+              core.setOutput('allowed', 'false');
+            }
+
   parsing_job:
+    needs: authorize_commenter
     runs-on: ubuntu-latest
     permissions:
       issues: write  # Allow adding a reaction via the comment-pipeline
       pull-requests: write
     outputs:
       command: ${{ steps.parse.outputs.command }}
       arg: ${{ steps.parse.outputs.arguments }}
-    if: github.event.issue.pull_request
+    if: needs.authorize_commenter.outputs.allowed == 'true' && github.event.issue.pull_request
     steps:
       - name: Parse comment
         id: parse
@@ -27,13 +57,13 @@ jobs:
             /run test-baseline
           github-token: ${{ secrets.GITHUB_TOKEN }}
 
-  # This second job by definiton runs user-supplied code - you must NOT elevate its permissions to `write`
-  # Malicious code could change nuget source URL, build targets or even compiler itself to pass a GH token
-  # And use it to create branches, spam issues etc. Any write-actions happen in the second job, which does not allow
-  # user extension points (i.e. plain scripts, must NOT run scripts from within checked-out code)
+  # This second job by definition runs user-supplied code - you must NOT elevate its permissions to `write`
   run-parsed-command:
     needs: parsing_job
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
     if: needs.parsing_job.outputs.command != ''
     steps:
 
@@ -130,6 +160,19 @@ jobs:
           echo "run_step_outcome=$run_step_outcome" >> $GITHUB_OUTPUT
           echo "hasPatch=$hasPatch" >> $GITHUB_OUTPUT
 
+      - name: Validate patch paths
+        if: ${{ steps.read-meta.outputs.run_step_outcome == 'success' && steps.read-meta.outputs.hasPatch == 'true' }}
+        run: |
+          # Forbid any .git* paths anywhere
+          if grep -E '^(\+\+\+|---) ' repo.patch | grep -E '(^|/)\.git(/|$)|(^|/)\.git'; then
+            echo "Patch touches .git paths; aborting"; exit 1
+          fi
+
+          # Allow only top-level src/, tests/, vsintegration/ changes
+          if grep -E '^(\+\+\+|---) ' repo.patch | grep -Ev '^(---|\+\+\+) (a|b)/(src|tests|vsintegration)/' | grep -E '^(---|\+\+\+) '; then
+            echo "Patch touches files outside allowed directories (src/tests/vsintegration); aborting"; exit 1
+          fi
+
       - name: Apply and push patch
         if: ${{ steps.read-meta.outputs.run_step_outcome == 'success' && steps.read-meta.outputs.hasPatch == 'true' }}
         run: |
@@ -142,7 +185,6 @@ jobs:
           echo "Pushing to origin $branch"
           git push origin HEAD:"$branch"
 
-
       - name: Count stats
         id: stats
         if: ${{ steps.read-meta.outputs.run_step_outcome == 'success' && steps.read-meta.outputs.hasPatch == 'true' }}
@@ -189,8 +231,6 @@ jobs:
         if: always()
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          PR_NUMBER: ${{ env.PR_NUMBER }}
         run: |
-          # Use gh CLI to comment with multi-line markdown
           gh pr comment ${{ github.event.issue.number }} \
             --body-file pr_report.md

eng/Version.Details.props

@@ -27,7 +27,7 @@ This file should be imported by eng/Versions.props
     <MicrosoftCodeAnalysisFeaturesPackageVersion>5.0.0-2.25480.7</MicrosoftCodeAnalysisFeaturesPackageVersion>
     <MicrosoftVisualStudioLanguageServicesPackageVersion>5.0.0-2.25480.7</MicrosoftVisualStudioLanguageServicesPackageVersion>
     <!-- dotnet/arcade dependencies -->
-    <MicrosoftDotNetArcadeSdkPackageVersion>11.0.0-beta.25603.2</MicrosoftDotNetArcadeSdkPackageVersion>
+    <MicrosoftDotNetArcadeSdkPackageVersion>11.0.0-beta.25612.6</MicrosoftDotNetArcadeSdkPackageVersion>
     <!-- _git/dotnet-optimization dependencies -->
     <optimizationlinuxarm64MIBCRuntimePackageVersion>1.0.0-prerelease.25502.1</optimizationlinuxarm64MIBCRuntimePackageVersion>
     <optimizationlinuxx64MIBCRuntimePackageVersion>1.0.0-prerelease.25502.1</optimizationlinuxx64MIBCRuntimePackageVersion>

eng/Version.Details.xml

@@ -76,9 +76,9 @@
     </Dependency>
   </ProductDependencies>
   <ToolsetDependencies>
-    <Dependency Name="Microsoft.DotNet.Arcade.Sdk" Version="11.0.0-beta.25603.2">
+    <Dependency Name="Microsoft.DotNet.Arcade.Sdk" Version="11.0.0-beta.25612.6">
       <Uri>https://github.com/dotnet/arcade</Uri>
-      <Sha>9851192f7f7a7ee352358cce2627160fd1f2a54e</Sha>
+      <Sha>8adf115288fa51feaa30d063b946478054c7f7b4</Sha>
     </Dependency>
     <Dependency Name="optimization.windows_nt-x64.MIBC.Runtime" Version="1.0.0-prerelease.25502.1">
       <Uri>https://dev.azure.com/dnceng/internal/_git/dotnet-optimization</Uri>

eng/Versions.props

@@ -133,7 +133,7 @@
     <MicrosoftVisualStudioLanguageIntellisenseVersion>$(VisualStudioEditorPackagesVersion)</MicrosoftVisualStudioLanguageIntellisenseVersion>
     <MicrosoftVisualStudioPlatformVSEditorVersion>$(VisualStudioEditorPackagesVersion)</MicrosoftVisualStudioPlatformVSEditorVersion>
     <MicrosoftVisualStudioTextUIWpfVersion>$(VisualStudioEditorPackagesVersion)</MicrosoftVisualStudioTextUIWpfVersion>
-    <NuGetSolutionRestoreManagerInteropVersion>5.6.0</NuGetSolutionRestoreManagerInteropVersion>
+    <NuGetVisualStudioVersion>17.14.0</NuGetVisualStudioVersion>
     <MicrosoftVisualStudioExtensibilityTestingVersion>0.1.800-beta</MicrosoftVisualStudioExtensibilityTestingVersion>
     <MicrosoftVisualStudioExtensibilityTestingSourceGeneratorVersion>$(MicrosoftVisualStudioExtensibilityTestingVersion)</MicrosoftVisualStudioExtensibilityTestingSourceGeneratorVersion>
 

eng/common/core-templates/job/source-index-stage1.yml

@@ -3,7 +3,7 @@ parameters:
   sourceIndexBuildCommand: powershell -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "eng/common/build.ps1 -restore -build -binarylog -ci"
   preSteps: []
   binlogPath: artifacts/log/Debug/Build.binlog
-  condition: ''
+  condition: eq(variables['Build.SourceBranch'], 'refs/heads/main')
   dependsOn: ''
   pool: ''
   is1ESPipeline: ''
@@ -41,4 +41,4 @@ jobs:
 
   - template: /eng/common/core-templates/steps/source-index-stage1-publish.yml
     parameters:
-      binLogPath: ${{ parameters.binLogPath }}
+      binLogPath: ${{ parameters.binLogPath }}

eng/common/internal-feed-operations.ps1

@@ -26,7 +26,7 @@ function SetupCredProvider {
   $url = 'https://raw.githubusercontent.com/microsoft/artifacts-credprovider/master/helpers/installcredprovider.ps1'
 
   Write-Host "Writing the contents of 'installcredprovider.ps1' locally..."
-  Invoke-WebRequest $url -OutFile installcredprovider.ps1
+  Invoke-WebRequest $url -UseBasicParsing -OutFile installcredprovider.ps1
 
   Write-Host 'Installing plugin...'
   .\installcredprovider.ps1 -Force

eng/common/post-build/nuget-verification.ps1

@@ -65,7 +65,7 @@ if ($NuGetExePath) {
         Write-Host "Downloading nuget.exe from $nugetExeUrl..."
         $ProgressPreference = 'SilentlyContinue'
         try {
-            Invoke-WebRequest $nugetExeUrl -OutFile $downloadedNuGetExe
+            Invoke-WebRequest $nugetExeUrl -UseBasicParsing -OutFile $downloadedNuGetExe
             $ProgressPreference = 'Continue'
         } catch {
             $ProgressPreference = 'Continue'

eng/common/tools.ps1

@@ -157,9 +157,6 @@ function InitializeDotNetCli([bool]$install, [bool]$createSdkLocationFile) {
     return $global:_DotNetInstallDir
   }
 
-  # Don't resolve runtime, shared framework, or SDK from other locations to ensure build determinism
-  $env:DOTNET_MULTILEVEL_LOOKUP=0
-
   # Disable first run since we do not need all ASP.NET packages restored.
   $env:DOTNET_NOLOGO=1
 
@@ -225,7 +222,6 @@ function InitializeDotNetCli([bool]$install, [bool]$createSdkLocationFile) {
   # Make Sure that our bootstrapped dotnet cli is available in future steps of the Azure Pipelines build
   Write-PipelinePrependPath -Path $dotnetRoot
 
-  Write-PipelineSetVariable -Name 'DOTNET_MULTILEVEL_LOOKUP' -Value '0'
   Write-PipelineSetVariable -Name 'DOTNET_NOLOGO' -Value '1'
 
   return $global:_DotNetInstallDir = $dotnetRoot
@@ -277,7 +273,7 @@ function GetDotNetInstallScript([string] $dotnetRoot) {
 
     Retry({
       Write-Host "GET $uri"
-      Invoke-WebRequest $uri -OutFile $installScript
+      Invoke-WebRequest $uri -UseBasicParsing -OutFile $installScript
     })
   }
 
@@ -510,7 +506,7 @@ function InitializeXCopyMSBuild([string]$packageVersion, [bool]$install) {
     Write-Host "Downloading $packageName $packageVersion"
     $ProgressPreference = 'SilentlyContinue' # Don't display the console progress UI - it's a huge perf hit
     Retry({
-      Invoke-WebRequest "https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-eng/nuget/v3/flat2/$packageName/$packageVersion/$packageName.$packageVersion.nupkg" -OutFile $packagePath
+      Invoke-WebRequest "https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-eng/nuget/v3/flat2/$packageName/$packageVersion/$packageName.$packageVersion.nupkg" -UseBasicParsing -OutFile $packagePath
     })
 
     if (!(Test-Path $packagePath)) {
@@ -556,23 +552,30 @@ function LocateVisualStudio([object]$vsRequirements = $null){
     Write-Host "Downloading vswhere $vswhereVersion"
     $ProgressPreference = 'SilentlyContinue' # Don't display the console progress UI - it's a huge perf hit
     Retry({
-      Invoke-WebRequest "https://netcorenativeassets.blob.core.windows.net/resource-packages/external/windows/vswhere/$vswhereVersion/vswhere.exe" -OutFile $vswhereExe
+      Invoke-WebRequest "https://netcorenativeassets.blob.core.windows.net/resource-packages/external/windows/vswhere/$vswhereVersion/vswhere.exe" -UseBasicParsing -OutFile $vswhereExe
     })
   }
 
-  if (!$vsRequirements) { $vsRequirements = $GlobalJson.tools.vs }
+  if (!$vsRequirements) {
+    if (Get-Member -InputObject $GlobalJson.tools -Name 'vs' -ErrorAction SilentlyContinue) {
+      $vsRequirements = $GlobalJson.tools.vs
+    } else {
+      $vsRequirements = $null
+    }
+  }
+
   $args = @('-latest', '-format', 'json', '-requires', 'Microsoft.Component.MSBuild', '-products', '*')
 
   if (!$excludePrereleaseVS) {
     $args += '-prerelease'
   }
 
-  if (Get-Member -InputObject $vsRequirements -Name 'version') {
+  if ($vsRequirements -and (Get-Member -InputObject $vsRequirements -Name 'version' -ErrorAction SilentlyContinue)) {
     $args += '-version'
     $args += $vsRequirements.version
   }
 
-  if (Get-Member -InputObject $vsRequirements -Name 'components') {
+  if ($vsRequirements -and (Get-Member -InputObject $vsRequirements -Name 'components' -ErrorAction SilentlyContinue)) {
     foreach ($component in $vsRequirements.components) {
       $args += '-requires'
       $args += $component

eng/common/tools.sh

@@ -115,9 +115,6 @@ function InitializeDotNetCli {
 
   local install=$1
 
-  # Don't resolve runtime, shared framework, or SDK from other locations to ensure build determinism
-  export DOTNET_MULTILEVEL_LOOKUP=0
-
   # Disable first run since we want to control all package sources
   export DOTNET_NOLOGO=1
 
@@ -166,7 +163,6 @@ function InitializeDotNetCli {
   # build steps from using anything other than what we've downloaded.
   Write-PipelinePrependPath -path "$dotnet_root"
 
-  Write-PipelineSetVariable -name "DOTNET_MULTILEVEL_LOOKUP" -value "0"
   Write-PipelineSetVariable -name "DOTNET_NOLOGO" -value "1"
 
   # return value

global.json

@@ -1,6 +1,6 @@
 {
   "sdk": {
-    "version": "10.0.100-rc.2.25502.107",
+    "version": "10.0.100",
     "allowPrerelease": true,
     "paths": [
       ".dotnet",
@@ -9,7 +9,7 @@
     "errorMessage": "The .NET SDK could not be found, please run ./eng/common/dotnet.sh."
   },
   "tools": {
-    "dotnet": "10.0.100-rc.2.25502.107",
+    "dotnet": "10.0.100",
     "vs": {
       "version": "18.0",
       "components": [
@@ -22,7 +22,7 @@
     "perl": "5.38.2.2"
   },
   "msbuild-sdks": {
-    "Microsoft.DotNet.Arcade.Sdk": "11.0.0-beta.25603.2",
+    "Microsoft.DotNet.Arcade.Sdk": "11.0.0-beta.25612.6",
     "Microsoft.DotNet.Helix.Sdk": "8.0.0-beta.23255.2"
   }
 }