[acrcssc] Fix continuous patching tasks to handle registries with DNL enabled #9524
️✔️Azure CLI Extensions Breaking Change Test
Thank you for your contribution! We will review the pull request and get back to you soon.

The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR. Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions).
pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>
Pull request overview
This PR fixes an issue where continuous patching tasks fail when working with Azure Container Registry instances that have Domain Name Label (DNL) enabled. DNL registries return login server names with hash suffixes (e.g., registry-hash) instead of the base registry name, causing subsequent Azure CLI commands to fail. The fix adds logic to detect and extract the base registry name from DNL-formatted names.
Changes:
- Added DNL registry name detection and extraction logic in task YAML templates
- Updated cssc container image tag from cbcf692 to 7260211 across all templates
- Incremented extension version from 1.0.0b5 to 1.0.0b6
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| src/acrcssc/setup.py | Version bump to 1.0.0b6 for the bug fix release |
| src/acrcssc/HISTORY.rst | Added changelog entry documenting the DNL registry fix |
| src/acrcssc/azext_acrcssc/templates/tmp_dry_run_template.yaml | Updated cssc container image tag |
| src/acrcssc/azext_acrcssc/templates/task/cssc_trigger_workflow.yaml | Added DNL detection logic and updated cssc image tag; bash script formatting cleaned up |
| src/acrcssc/azext_acrcssc/templates/task/cssc_scan_image.yaml | Added DNL detection logic and updated cssc image tag |
| src/acrcssc/azext_acrcssc/templates/task/cssc_patch_image.yaml | Updated cssc container image tag |
| values: | ||
| ScanReport : os-vulnerability-report_trivy_{{ regexReplaceAll "[^a-zA-Z0-9]" .Values.SOURCE_REPOSITORY "-" }}_{{.Values.SOURCE_IMAGE_TAG}}_$(date "+%Y-%m-%d").json | ||
| cssc : mcr.microsoft.com/acr/cssc:cbcf692 | ||
| cssc : mcr.microsoft.com/acr/cssc:7260211 |
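Review bot: The replacement `cssc` value still references the image by a short tag (`7260211`), so nothing in the template ties a task run to one specific image content. Consider pinning by digest, in the form `mcr.microsoft.com/acr/cssc@sha256:<digest>`, or recording the digest next to the tag so a re-pointed or missing tag is caught at review time rather than when the task runs.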
Should we update this to latest version - 1fb6e2a
We should also ensure that this cssc image version is cached in task infra.
Current LinuxCachedImagesConfig.json shows the current version as 7260211 with last commit on Nov 2025, where is the reference to tag 1fb6e2a?
Is a new release in the works?
Seeing this new version from this pipeline - https://msazure.visualstudio.com/AzureContainerRegistry/_build/results?buildId=149167468&view=results which seems to have run 17 hours ago.
I'm getting the following error.
docker: Error response from daemon: manifest for mcr.microsoft.com/acr/cssc:1fb6e2ad not found: manifest unknown: manifest tagged by "1fb6e2ad" is not found.
The commit included in the pipeline seems to only affect the az image, but will give it time to propagate, might just take a while to reflect
Image is not available today yet, but I saw another PR updating the tag of the cached images in acr-builder repo.
Will hold off until new image is added to the cache, since it seems we are in the middle of a release
Fix for #9512
Task's run variables only return the registry's DNL name (login server name) and not the resource name. This causes the following calls to cli using the registry name to fail as they are using the registry's login server name.
This change checks for the naming convention and retrieves the part that is only the resource name without the added hash.
This checklist is used to make sure that common guidelines for a pull request are followed.
Related command
az acr supply-chain workflow

General Guidelines
azdev style <YOUR_EXT> locally? (pip install azdev required)
python scripts/ci/test_index.py -q locally? (pip install wheel==0.30.0 required)

For new extensions:
About Extension Publish
There is a pipeline to automatically build, upload and publish extension wheels.
Once your pull request is merged into main branch, a new pull request will be created to update src/index.json automatically.
You only need to update the version information in file setup.py and historical information in file HISTORY.rst in your PR but do not modify src/index.json.
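
The name handling described in the PR summary above, as an added shell example that is not the PR's template code. It assumes the DNL form is `<resource-name>-<hash>` (optionally followed by a DNS suffix) and that resource names are 5 to 50 alphanumeric characters; the function name and the sample registry names are constructed.

```shell
#!/bin/sh
# Added example (not from the PR): derive the registry resource name from the
# value a task run exposes, and refuse anything that does not fit the assumed
# naming convention before it is passed to a later `az acr` call.
#
# Assumptions: DNL names look like "<resource-name>-<hash>", possibly with a
# DNS suffix such as ".azurecr.io"; resource names are 5-50 alphanumerics.

# Prints the resource name and returns 0, or prints nothing and returns 1.
# The body runs in a subshell, so `exit` only leaves the function and the
# LC_ALL override (byte-wise A-Z/a-z ranges) does not leak to the caller.
registry_resource_name() (
    LC_ALL=C
    host="${1%%.*}"          # drop a DNS suffix if a login server was passed
    base="${host%%-*}"       # text before the first hyphen

    case "$host" in
        *-*)                 # DNL form: the part after the hyphen is the hash
            hash="${host#*-}"
            case "$hash" in
                ''|*[!A-Za-z0-9]*) exit 1 ;;   # empty hash or extra separators
            esac
            ;;
    esac

    case "$base" in
        ''|*[!A-Za-z0-9]*) exit 1 ;;           # shell metacharacters, dots, etc.
    esac
    if [ "${#base}" -lt 5 ] || [ "${#base}" -gt 50 ]; then
        exit 1
    fi
    printf '%s\n' "$base"
)

# Constructed sample inputs: plain name, DNL name, DNL login server, bad value.
for candidate in contosoregistry contosoregistry-abc123def456 \
                 contosoregistry-abc123def456.azurecr.io 'contoso;id-abc123'; do
    if name=$(registry_resource_name "$candidate"); then
        printf '%s -> %s\n' "$candidate" "$name"
    else
        printf '%s -> rejected\n' "$candidate"
    fi
done
```

Rejecting on mismatch rather than passing the raw value through keeps a malformed run variable from being interpolated into a later CLI command.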