[xaprepare] Remove NuGet scanning from Step_GenerateCGManifest#11299
Open
jonathanpeppers wants to merge 4 commits intomainfrom
Open
[xaprepare] Remove NuGet scanning from Step_GenerateCGManifest#11299jonathanpeppers wants to merge 4 commits intomainfrom
jonathanpeppers wants to merge 4 commits intomainfrom
Conversation
The Component Governance (CG) Azure DevOps build task auto-detects NuGet packages by scanning `.csproj` files on the build machine, making the 287-line `Step_GenerateCGManifest` in xaprepare redundant. Only git submodules need manual registration via `CGManifest.json`, since CG cannot auto-detect them. This commit replaces the dynamic generation with a static `CGManifest.json` at the repo root containing only `type: git` entries for each submodule. Reference: - https://docs.opensource.microsoft.com/tools/cg/component-detection/cgmanifest.md - https://docs.opensource.microsoft.com/tools/cg/component-detection/build-task.md Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Match the canonical lowercase filename used by the CG docs and other dotnet repos (machinelearning, android-libraries, test-templates). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR is part of the incremental removal of xaprepare work by switching from a dynamically generated Component Governance manifest to a static CGManifest.json at the repo root, relying on CG’s built-in NuGet detection.
Changes:
- Add a repo-root
CGManifest.jsoncontainingtype: gitregistrations for all submodules. - Remove the xaprepare
Step_GenerateCGManifestimplementation (which scanned project files forPackageReference). - Remove the
Step_GenerateCGManifeststep from the standard xaprepare scenario.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
CGManifest.json |
Adds static CG manifest entries for git submodules. |
build-tools/xaprepare/xaprepare/Steps/Step_GenerateCGManifest.cs |
Removes the dynamic CG manifest generator step implementation. |
build-tools/xaprepare/xaprepare/Scenarios/Scenario_Standard.cs |
Removes the step invocation from the standard scenario. |
The Component Governance (CG) Azure DevOps build task auto-detects NuGet packages by scanning `.csproj` files on the build machine, making the NuGet scanning in `Step_GenerateCGManifest` redundant. Strip the step down to only generate `cgmanifest.json` entries for git submodules, which CG cannot auto-detect. This removes the `MSBuildPackageReferenceInfo` class, `CGManifestEntry` abstraction, `DevelopmentDependencies` list, and all NuGet/MSBuild XML scanning code (-231 lines). The file continues to be generated at build time (not checked in) so that commit hashes stay current when dependabot bumps submodules. Reference: - https://docs.opensource.microsoft.com/tools/cg/component-detection/cgmanifest.md - https://docs.opensource.microsoft.com/tools/cg/component-detection/build-task.md Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
jonathanpeppers
changed the title
jonathanpeppers
changed the title
GeneratedSourceLinkJsonFile and Step_GenerateFiles use these properties. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Part of incremental xaprepare removal. Strips
Step_GenerateCGManifestdown to only git submodule entries.Details
The Component Governance Azure DevOps extension auto-detects NuGet packages by scanning
.csprojfiles on the build machine. This makes the NuGet scanning inStep_GenerateCGManifest— which parsed every.csproj/.targets/.projitemsfile forPackageReferenceelements — completely redundant.Per the CG manifest documentation, a
cgmanifest.jsonis only needed for component types that CG cannot auto-detect, such as git submodules.This PR:
MSBuildPackageReferenceInfo,CGManifestEntryabstraction,DevelopmentDependencieslist, and all NuGet/MSBuild XML scanning code (-231 lines)cgmanifest.jsonat build time with git submodule entries so commit hashes stay current when dependabot bumps submodulescgmanifest.jsonto match CG docs and other dotnet repos