Enable CFSClean* policies for dotnet-buildtools-prereqs-docker pipelines #1609

Open
mmitche wants to merge 1 commit into main from dev/mmitche/enable-cfsclean-policies

@mmitche mmitche commented Mar 18, 2026

This PR enables CFSClean and CFSClean2 network isolation policies across all 1ES pipeline templates in the repo.

Changes

  • **`eng/docker-tools/templates/1es.yml`**: Updated the `networkIsolationPolicy` parameter default from `Permissive,CFSClean` to `Permissive,CFSClean,CFSClean2`. This template is used by the official and unofficial build pipelines.
  • **`eng/docker-tools/templates/1es-official.yml`**: Added `settings` block with `networkIsolationPolicy: Permissive,CFSClean,CFSClean2`. This template previously had no network isolation settings.
  • **`eng/docker-tools/templates/1es-unofficial.yml`**: Added `settings` block with `networkIsolationPolicy: Permissive,CFSClean,CFSClean2`. This template previously had no network isolation settings.

Context

CFSClean2 is a new 1ES network isolation policy that needs to be enabled alongside CFSClean. The `Permissive` base policy ensures builds continue to work while these security policies are applied.

Note: `eng/pipelines/renovate.yml` (referenced in the tracking CSV) does not exist in this repo. The renovate pipeline (AzDO ID 1594) may be configured outside the repo.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@mmitche mmitche requested review from a team as code owners March 18, 2026 16:07

@lbussell lbussell left a comment

Don't make changes to files under eng/docker-tools, they will get overwritten. Instead, pass the intended network isolation policies down to 1es.yml via the networkIsolationPolicy parameter (which you edited in this PR).

If 1es-official.yml or 1es-unofficial.yml are still used in this repo, migrate to 1es.yml instead. The older 1es-*.yml templates will be removed in a future update: dotnet/docker-tools#1892

mmitche commented Mar 18, 2026

> Don't make changes to files under eng/docker-tools, they will get overwritten. Instead, pass the intended network isolation policies down to 1es.yml via the networkIsolationPolicy parameter (which you edited in this PR).
>
> If 1es-official.yml or 1es-unofficial.yml are still used in this repo, migrate to 1es.yml instead. The older 1es-*.yml templates will be removed in a future update: dotnet/docker-tools#1892

@copilot Do this.

Copilot AI commented Mar 18, 2026

@mmitche I've opened a new pull request, #1610, to work on those changes. Once the pull request is ready, I'll request review from you.
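
A pre-merge check for the two points raised in this thread, as an added example that is not part of the PR or the repository: it reports any `networkIsolationPolicy` value that lacks CFSClean or CFSClean2, and lists changed paths under `eng/docker-tools/`. The sample file contents, the `eng/pipelines/example.yml` path and all function names are constructed for illustration.

```python
# Added example; sample YAML and the eng/pipelines path are constructed.
REQUIRED = {"CFSClean", "CFSClean2"}   # policies the PR enables
SYNCED_PREFIX = "eng/docker-tools/"    # per the review: edits here get overwritten

def _value(stripped):
    return stripped.split(":", 1)[1].strip().strip("'\"")

def policy_values(yaml_text):
    """Collect networkIsolationPolicy values: direct keys and parameter defaults."""
    values, in_param = [], False
    for line in yaml_text.splitlines():
        s = line.split("#", 1)[0].strip()
        if s.startswith("- name:"):
            in_param = _value(s) == "networkIsolationPolicy"
        elif in_param and s.startswith("default:"):
            values.append(_value(s))
            in_param = False
        elif s.startswith("networkIsolationPolicy:"):
            values.append(_value(s))
    return values

def audit(files):
    """files maps path -> YAML text; returns sorted (path, finding) tuples."""
    findings = []
    for path, text in files.items():
        for value in policy_values(text):
            if value.startswith("$"):  # template expression, resolved by the caller
                continue
            missing = REQUIRED - {p.strip() for p in value.split(",")}
            if missing:
                findings.append((path, "missing " + ",".join(sorted(missing))))
    return sorted(findings)

def synced_edits(changed_paths):
    """Changed files that live in the synced directory and would be overwritten."""
    return [p for p in changed_paths if p.startswith(SYNCED_PREFIX)]

SAMPLE = {  # constructed file contents
    "eng/docker-tools/templates/1es.yml":
        "parameters:\n- name: networkIsolationPolicy\n  type: string\n"
        "  default: Permissive,CFSClean\n",
    "eng/pipelines/example.yml":
        "extends:\n  template: /eng/docker-tools/templates/1es.yml\n"
        "  parameters:\n    networkIsolationPolicy: Permissive,CFSClean,CFSClean2\n",
}

if __name__ == "__main__":
    print(audit(SAMPLE))
    print(synced_edits(list(SAMPLE)))
```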
