Skip to content

fix(check-rendered-specs): add source-origin preflight guard#17775

Open
liunan-ms wants to merge 1 commit into
microsoft:4.0from
liunan-ms:liunan/source-origin-guard-fork
Open

fix(check-rendered-specs): add source-origin preflight guard#17775
liunan-ms wants to merge 1 commit into
microsoft:4.0from
liunan-ms:liunan/source-origin-guard-fork

Conversation

@liunan-ms

@liunan-ms liunan-ms commented Jun 19, 2026
edited by azure-boards Bot
Loading

Copy link
Copy Markdown
Contributor

This PR adds a preflight source-origin allowlist check before azldev component update/render in the rendered-spec PR path. The new guard validates the resolved Fedora dist-git and lookaside URIs from azldev config dump and fails fast if they differ from the trusted Fedora endpoints, preventing fork PRs from redirecting source fetches to attacker-controlled infrastructure.

Fixes: AB#22017

@liunan-ms liunan-ms force-pushed the liunan/source-origin-guard-fork branch from 03c0c99 to 3cc9a4f Compare June 19, 2026 18:47
@liunan-ms liunan-ms changed the title Add source-origin preflight guard fix(check-rendered-specs): add source-origin preflight guard Jun 19, 2026
@liunan-ms liunan-ms marked this pull request as ready for review June 19, 2026 18:50
@liunan-ms liunan-ms requested a review from a team as a code owner June 19, 2026 18:50
Copilot AI review requested due to automatic review settings June 19, 2026 18:50
Copilot AI reviewed Jun 19, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds a defense-in-depth preflight guard to the rendered-specs PR check workflow to ensure the resolved Fedora dist-git, lookaside, and source repo base URIs match a trusted allowlist before running azldev component update / azldev component render, reducing the risk of fork PRs redirecting source fetches.

Changes:

  • Added a new Python guard script that reads azldev config dump -f json and validates Fedora source-origin URIs against an allowlist.
  • Wired the guard into the GitHub Actions rendered-specs check workflow so it runs before lock updates and before renders (inside the container).

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
scripts/ci/render-specs-check/source_origin_guard.py New source-origin allowlist validator for resolved Fedora endpoints from azldev config dump.
.github/workflows/check-rendered-specs.yml Runs the new guard inside the container before azldev component update and before render logic.

Comment thread scripts/ci/render-specs-check/source_origin_guard.py
Comment thread scripts/ci/render-specs-check/source_origin_guard.py Outdated
@liunan-ms liunan-ms force-pushed the liunan/source-origin-guard-fork branch from 3cc9a4f to 05d3aaf Compare June 19, 2026 20:45
tobiasb-ms
tobiasb-ms requested changes Jun 22, 2026
View reviewed changes
Comment thread scripts/ci/render-specs-check/source_origin_guard.py
Comment thread scripts/ci/render-specs-check/source_origin_guard.py Outdated
Comment thread scripts/ci/render-specs-check/source_origin_guard.py Outdated
Comment thread scripts/ci/render-specs-check/source_origin_guard.py
Comment thread scripts/ci/render-specs-check/source_origin_guard.py Outdated
Copilot AI review requested due to automatic review settings June 23, 2026 00:06
Copilot AI reviewed Jun 23, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

Comment thread scripts/ci/render-specs-check/source_origin_guard.py
Comment thread scripts/ci/render-specs-check/source_origin_guard.py
tobiasb-ms
tobiasb-ms approved these changes Jun 23, 2026
View reviewed changes

@tobiasb-ms tobiasb-ms left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

issue(non-blocking): I'd prefer if you rebased so this is one commit -- the second commit is logically part of the initial implementation.

Comment thread scripts/ci/render-specs-check/source_origin_guard.py Outdated
@liunan-ms liunan-ms force-pushed the liunan/source-origin-guard-fork branch from ff2f442 to 2ae0e8b Compare June 23, 2026 16:31
christopherco
christopherco requested changes Jun 25, 2026
View reviewed changes

@christopherco christopherco left a comment
edited
Loading

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code changes themselves look good. Requesting to update your commit message in your commit to add a short explanation of the changes. We're doing rebase-merge commits of PRs now, so the commit itself is what is added to the final git tree, including its commit title and message. We need our future git log to have useful commit message information.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tobiasb-ms tobiasb-ms tobiasb-ms approved these changes
Copilot code review Copilot Copilot left review comments
@christopherco christopherco christopherco requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@liunan-ms @christopherco @tobiasb-ms