[Core] raw githubusercontent urls are updated to refer azcli blob to restrict external system access #33240

Open
msarfraz wants to merge 14 commits into Azure:dev from msarfraz:network-isolation

@msarfraz msarfraz commented Apr 22, 2026

Related command

Description
This PR removes the dependency on GitHub (raw.githubusercontent.com) VM image aliases, replacing it with Azure Blob Storage (azcliprod.blob.core.windows.net). This change enables Azure CLI to work properly in network isolated environments where GitHub access is blocked.

In addition, a new validation is added to the CI pipeline to flag any raw.githubusercontent.com URL used in the code.

Background
In enterprise environments with strict network isolation policies, access to raw.githubusercontent.com is not allowed.

Changes

VM Image Alias Migration
Before:
https://raw.githubusercontent.com/Azure/azure-rest-api-specs/master/arm-compute/quickstart-templates/aliases.json
After:
https://azcliprod.blob.core.windows.net/cli/vm/aliases_master.json

Release pipeline task:

set -e

# Define files to sync: "github_url|blob_name"
declare -a FILES=(
  "https://raw.githubusercontent.com/Azure/azure-cli/release/src/azure-cli/setup.py|azure-cli/setup.py"
  "https://raw.githubusercontent.com/Azure/azure-cli/release/src/azure-cli-core/setup.py|azure-cli-core/setup.py"
  "https://raw.githubusercontent.com/Azure/azure-cli/release/src/azure-cli-telemetry/setup.py|azure-cli-telemetry/setup.py"
  "https://raw.githubusercontent.com/Azure/azure-cli/release/src/azure-cli-testsdk/setup.py|azure-cli-testsdk/setup.py"
  "https://raw.githubusercontent.com/Azure/azure-rest-api-specs/main/arm-compute/quickstart-templates/aliases.json|vm/aliases.json"
  "https://raw.githubusercontent.com/Azure/azure-rest-api-specs/master/arm-compute/quickstart-templates/aliases.json|vm/aliases_master.json"
)

# Use an unpredictable temp file instead of a fixed path in /tmp,
# and remove it on exit even if the script aborts.
TEMP_FILE="$(mktemp)"
trap 'rm -f "$TEMP_FILE"' EXIT
FAILED=0

for item in "${FILES[@]}"; do
  # Split by '|'
  GITHUB_URL="${item%|*}"
  BLOB_NAME="${item#*|}"

  echo "============================================"
  echo "Syncing: ${BLOB_NAME}"
  echo "From: ${GITHUB_URL}"
  echo "============================================"

  # Download from GitHub. -f makes curl fail on HTTP errors (404, 5xx),
  # so an error page is never uploaded in place of the real file.
  if curl -fsSL -o "$TEMP_FILE" "$GITHUB_URL"; then
    # Upload to AME Storage; a failed upload is recorded instead of
    # aborting the loop under `set -e`.
    if az storage blob upload \
      --account-name azcliprod \
      --container-name cli \
      --name "$BLOB_NAME" \
      --file "$TEMP_FILE" \
      --overwrite \
      --auth-mode login; then
      echo "✓ Successfully synced: ${BLOB_NAME}"
    else
      echo "✗ Failed to upload: ${BLOB_NAME}"
      FAILED=1
    fi
  else
    echo "✗ Failed to download: ${GITHUB_URL}"
    FAILED=1
  fi

  echo ""
done

if [ $FAILED -eq 1 ]; then
  echo "Some files failed to sync!"
  exit 1
fi

echo "============================================"
echo "All files synced successfully!"
echo "============================================"


azure-client-tools-bot-prd Bot commented Apr 22, 2026

️✔️AzureCLI-FullTest

@azure-client-tools-bot-prd

Hi @msarfraz,
Since the current milestone time is less than 7 days, this pr will be reviewed in the next milestone.

azure-client-tools-bot-prd Bot commented Apr 22, 2026

️✔️AzureCLI-BreakingChangeTest
️✔️Non Breaking Changes


yonzhan commented Apr 22, 2026

Thank you for your contribution! We will review the pull request and get back to you soon.

@github-actions

The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR.

Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions).
After that please run the following commands to enable git hooks:

pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>

Copilot AI left a comment

Pull request overview

This PR aims to remove Azure CLI’s dependency on raw.githubusercontent.com for VM image aliases by switching to an Azure Blob Storage URL (azcliprod.blob.core.windows.net), and adds a CI validation to prevent reintroducing the forbidden URL.

Changes:

  • Update test recordings to use the Azure Blob URL for VM image aliases.
  • Add a CI script to fail PRs that introduce the forbidden raw.githubusercontent.com/.../aliases.json URL in new diff lines.
  • Wire the new CI check into azure-pipelines.yml.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.

File | Description
src/azure-cli/azure/cli/command_modules/resource/tests/latest/recordings/test_delete_dependent_resources.yaml | Updates recorded request URL for aliases.json from GitHub to Azure Blob.
src/azure-cli/azure/cli/command_modules/cloud/tests/latest/recordings/test_cloud_scenario.yaml | Updates recorded cloud metadata response to use Azure Blob for vmImageAliasDoc.
src/azure-cli-core/azure/cli/core/cloud.py | Touches vm_image_alias_doc for Azure Bleu cloud (currently still raw GitHub).
scripts/ci/check_aliases_source_url.py | Introduces a new CI guard script for forbidden aliases URL usage.
azure-pipelines.yml | Runs the new CI guard script during the linter job.

Comment thread scripts/ci/check_aliases_source_url.py Outdated
Comment thread src/azure-cli-core/azure/cli/core/cloud.py Outdated
Comment thread scripts/ci/check_aliases_source_url.py Outdated
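
An added illustration of the kind of CI guard the review summary above describes: fail when a new diff line introduces a raw.githubusercontent.com URL. This is not the PR's scripts/ci/check_aliases_source_url.py; the function name, the sample diff and its file path are constructed, and the input is assumed to be in `git diff` format.

```python
import re

FORBIDDEN_HOST = "raw.githubusercontent.com"  # host named in the PR description
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")
URL_RE = re.compile(r"https?://([^/\s\"'<>]+)", re.IGNORECASE)

# Constructed sample in `git diff` format; the file path is hypothetical.
SAMPLE_DIFF = """\
diff --git a/src/example/cloud.py b/src/example/cloud.py
--- a/src/example/cloud.py
+++ b/src/example/cloud.py
@@ -10,3 +10,4 @@ def endpoints():
     base = 1
-    doc = 'https://raw.githubusercontent.com/Azure/azure-rest-api-specs/master/arm-compute/quickstart-templates/aliases.json'
+    doc = 'https://azcliprod.blob.core.windows.net/cli/vm/aliases_master.json'
+    alt = 'https://RAW.githubusercontent.com/Azure/azure-rest-api-specs/main/arm-compute/quickstart-templates/aliases.json'
     tail = 2
"""


def find_forbidden_urls(diff_text, forbidden_host=FORBIDDEN_HOST):
    """Return (path, new_line_no, text) for each added line that uses the host."""
    findings, path, new_no, in_hunk = [], None, 0, False
    for raw in diff_text.splitlines():
        hunk = HUNK_RE.match(raw)
        if raw.startswith("diff --git "):
            in_hunk = False              # next file: headers follow, not content
        elif hunk:
            new_no, in_hunk = int(hunk.group(1)), True
        elif not in_hunk:
            if raw.startswith("+++ "):   # new-side file header
                path = re.sub(r"^b/", "", raw[4:].strip())
        elif raw.startswith("+"):
            # Compare the parsed host exactly so look-alike hosts are not flagged.
            hosts = {h.lower().rsplit("@", 1)[-1].split(":")[0]
                     for h in URL_RE.findall(raw[1:])}
            if forbidden_host in hosts:
                findings.append((path, new_no, raw[1:].strip()))
            new_no += 1
        elif not raw.startswith(("-", "\\")):
            new_no += 1                  # context line advances the new-file counter
    return findings


if __name__ == "__main__":
    hits = find_forbidden_urls(SAMPLE_DIFF)
    for path, line_no, text in hits:
        print(f"{path}:{line_no}: forbidden URL host: {text}")
    raise SystemExit(1 if hits else 0)
```

Removed lines are skipped on purpose, so a change that deletes the old GitHub URL passes while one that adds it (in any letter case) is reported with its file and new line number.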
Copilot AI left a comment

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.


Comment thread azure-pipelines.yml
Copilot AI left a comment

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.


Comment thread azure-pipelines.yml Outdated
Comment thread scripts/ci/validate_external_source_urls.py
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@msarfraz msarfraz changed the title [Core] githubusercontent urls are updated to refer azcli blob for VM image aliases [Core] raw githubusercontent urls are updated to refer azcli blob to restrict external system access Apr 24, 2026
@msarfraz msarfraz requested a review from Copilot April 24, 2026 07:48
Copilot AI left a comment

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.


Comment thread scripts/ci/validate_external_source_urls.py Outdated
Comment thread scripts/ci/validate_external_source_urls.py Outdated
Comment thread azure-pipelines.yml Outdated
msarfraz and others added 2 commits April 24, 2026 18:05
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
wangzelin007 previously approved these changes Apr 28, 2026
Comment thread src/azure-cli-core/azure/cli/core/cloud.py Outdated
Comment thread azure-pipelines.yml Outdated
Copilot AI left a comment

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.


Comment thread src/azure-cli-core/azure/cli/core/cloud.py Outdated
@msarfraz msarfraz requested a review from wangzelin007 May 4, 2026 05:57