[release/v7.5] Split TPN manifest and Component Governance manifest#26967
Co-authored-by: Copilot <[email protected]>
Pull request overview
Backport to release/v7.5 that reorganizes component governance manifests into separate main and TPN manifests, and extends the ClearlyDefined tooling to better handle harvesting and caching while updating CI/build references to the new paths.
Changes:
- Split cgmanifest.json into tools/cgmanifest/main/cgmanifest.json and tools/cgmanifest/tpn/cgmanifest.json, and updated scripts/pipelines to use the new locations.
- Enhanced ClearlyDefined tooling with cache persistence utilities and version-search helpers (plus a new Find-LastHarvestedVersion.ps1 helper).
- Updated notice generation to scan the TPN manifest directory and adjusted .vsts-ci/* path filters for the new cgmanifest layout.
Reviewed changes
Copilot reviewed 11 out of 12 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| tools/packaging/packaging.psm1 | Updates packaging logic to reference the new main CG manifest path. |
| tools/findMissingNotices.ps1 | Adds TPN-manifest generation logic and a -ForceHarvestedOnly mode using ClearlyDefined harvest status. |
| tools/clearlyDefined/src/ClearlyDefined/ClearlyDefined.psm1 | Adds cache persistence + search/version helper functions; adjusts harvesting and cache TTL behavior. |
| tools/clearlyDefined/Find-LastHarvestedVersion.ps1 | New helper to find the last harvested version via ClearlyDefined (with NuGet fallback). |
| tools/clearlyDefined/ClearlyDefined.ps1 | Points validation/harvest script at the new main CG manifest path. |
| tools/cgmanifest/tpn/cgmanifest.json | Adds the TPN-specific component list manifest. |
| tools/cgmanifest/main/cgmanifest.json | Adds the main component governance manifest. |
| .vsts-ci/windows-arm64.yml | Updates PR path filtering for cgmanifest changes. |
| .vsts-ci/psresourceget-acr.yml | Updates PR path filtering for cgmanifest changes. |
| .vsts-ci/mac.yml | Updates PR path filtering for cgmanifest changes. |
| .vsts-ci/linux-internal.yml | Updates PR path filtering for cgmanifest changes. |
| .pipelines/templates/compliance/generateNotice.yml | Targets Component Detection at the TPN manifest directory. |
| # Build a lookup table of harvest status by package name + version | ||
| $harvestStatus = @{} | ||
| foreach ($item in $fullList) { | ||
| $key = "$($item.Name)|$($item.PackageVersion)" | ||
| $harvestStatus[$key] = $item.harvested | ||
| } |
Get-ClearlyDefinedData returns the raw ClearlyDefined definition object (with added cachedTime/harvested/harvestedResult) which includes coordinates.name and coordinates.revision, not Name/PackageVersion. Building the harvest-status key from $item.Name and $item.PackageVersion will end up using empty keys and misclassify everything as unharvested. Use $item.coordinates.name + $item.coordinates.revision (or add explicit Name/PackageVersion properties in Get-ClearlyDefinedData).
| foreach ($item in $finalHarvestData) { | ||
| $matchingNewRegistration = $newRegistrations | Where-Object { | ||
| $_.Component.Nuget.Name -eq $item.Name -and | ||
| $_.Component.Nuget.Version -eq $item.PackageVersion | ||
| } |
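Review bot: In the Where-Object block, every $item triggers a full scan of $newRegistrations, and $matchingNewRegistration can end up holding several registrations when the same name and version pair appears more than once. Index $newRegistrations once in a hashtable keyed by name and version, then decide explicitly what to do on zero or multiple matches.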
$item.Name / $item.PackageVersion are used to match registrations, but those properties are not present on the objects output by Get-ClearlyDefinedData (package name/version are under $item.coordinates.name and $item.coordinates.revision). As written, $matchingNewRegistration will never match and the TPN manifest update loop will produce incorrect/empty output.
| if ($needHarvest.Count -gt 0) { | ||
| Write-Verbose "Found $($needHarvest.Count) packages that need harvesting. Starting harvest..." -Verbose | ||
| $needHarvest | Select-Object -ExpandProperty coordinates | ConvertFrom-ClearlyDefinedCoordinates | Start-ClearlyDefinedHarvest |
ConvertFrom-ClearlyDefinedCoordinates expects a coordinate string (e.g. nuget/nuget/-/Name/Version), but Get-ClearlyDefinedData returns a definition object whose .coordinates property is a structured object. Piping Select -ExpandProperty coordinates | ConvertFrom-ClearlyDefinedCoordinates will fail (or produce wrong results). Start-ClearlyDefinedHarvest can bind directly from the .coordinates object (type/name/revision).
| Start-job -ScriptBlock { | ||
| Invoke-WebRequest -Method Post -Uri 'https://api.clearlydefined.io/harvest' -Body $using:body -ContentType 'application/json' -MaximumRetryCount $using:maxRetryCount -RetryIntervalSec $using:retryIntervalSec | ||
| } |
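Review bot: The Start-job call in these lines is neither assigned to a variable nor piped, so the job object is written to the caller's output stream and the response or error from the POST to https://api.clearlydefined.io/harvest is never read. Assign it ($job = Start-Job ...) and report failures from the job's results; the cmdlet's canonical casing is Start-Job.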
Start-ClearlyDefinedHarvest now starts a background job and returns immediately. In non-interactive script execution (CI), the PowerShell session can exit before jobs run/complete, meaning harvest requests may never be sent; it can also spawn an unbounded number of jobs when harvesting many packages. Consider keeping the synchronous Invoke-WebRequest (or add throttled async execution with Wait-Job/Receive-Job and proper cleanup) to preserve the function’s behavior and reliability.
| - .github/ISSUE_TEMPLATE/* | ||
| - .vsts-ci/misc-analysis.yml | ||
| - tools/cgmanifest.json | ||
| - tools/cgmanifest/* |
Azure Pipelines path filters treat * as a single path segment; tools/cgmanifest/* likely won’t match nested paths like tools/cgmanifest/main/cgmanifest.json. If the intent is to exclude all cgmanifest changes, this should be tools/cgmanifest/** so changes under main/ and tpn/ are covered.
| - .github/workflows/* | ||
| - .vsts-ci/misc-analysis.yml | ||
| - tools/cgmanifest.json | ||
| - tools/cgmanifest/* |
Azure Pipelines path filters treat * as a single path segment; tools/cgmanifest/* likely won’t match nested paths like tools/cgmanifest/main/cgmanifest.json. If the intent is to exclude all cgmanifest changes, this should be tools/cgmanifest/** so changes under main/ and tpn/ are covered.
| - .vsts-ci/windows.yml | ||
| - .vsts-ci/windows/* | ||
| - tools/cgmanifest.json | ||
| - tools/cgmanifest/* |
Azure Pipelines path filters treat * as a single path segment; tools/cgmanifest/* likely won’t match nested paths like tools/cgmanifest/main/cgmanifest.json. If the intent is to exclude all cgmanifest changes, this should be tools/cgmanifest/** so changes under main/ and tpn/ are covered.
| - .vsts-ci/windows.yml | ||
| - .vsts-ci/windows/* | ||
| - tools/cgmanifest.json | ||
| - tools/cgmanifest/* |
Azure Pipelines path filters treat * as a single path segment; tools/cgmanifest/* likely won’t match nested paths like tools/cgmanifest/main/cgmanifest.json. If the intent is to exclude all cgmanifest changes, this should be tools/cgmanifest/** so changes under main/ and tpn/ are covered.
Backport of #26891 to release/v7.5
Triggered by @adityapatwardhan on behalf of @TravisEz13
Original CL Label: CL-BuildPackaging
/cc @PowerShell/powershell-maintainers
Impact
REQUIRED: Choose either Tooling Impact or Customer Impact (or both). At least one checkbox must be selected.
Tooling Impact
Splits cgmanifest.json into tools/cgmanifest/main/ and tools/cgmanifest/tpn/ directories. Updates CI and build scripts to reference the new paths. Adds ClearlyDefined cache persistence and Find-LastHarvestedVersion.ps1 script.
Customer Impact
Regression
REQUIRED: Check exactly one box.
This is not a regression.
Testing
Existing CI tests cover the cgmanifest paths. Build packaging pipelines will validate the new manifest locations.
Risk
REQUIRED: Check exactly one box.
This is a file reorganization of the cgmanifest into separate TPN and CG manifests plus addition of ClearlyDefined cache and version-finding tooling. No runtime behavior changes.
Merge Conflicts
48 version-number conflicts in tools/cgmanifest/main/cgmanifest.json resolved by keeping the release/v7.5 package versions (ours) since master has newer .NET 10 versions not applicable to v7.5.