Scan the VMR for binaries and cloaked files (#15299)

.config/dotnet-tools.json

@@ -3,7 +3,7 @@
   "isRoot": true,
   "tools": {
     "microsoft.dotnet.darc": {
-      "version": "1.1.0-beta.23063.1",
+      "version": "1.1.0-beta.23068.1",
       "commands": [
         "darc"
       ]

eng/Version.Details.xml

@@ -205,13 +205,13 @@
       <Uri>https://github.com/dotnet/arcade</Uri>
       <Sha>3600aa80a01e90f38a7b86b9d7c1264e091aa5a8</Sha>
     </Dependency>
-    <Dependency Name="Microsoft.DotNet.Darc" Version="1.1.0-beta.23063.1">
+    <Dependency Name="Microsoft.DotNet.Darc" Version="1.1.0-beta.23068.1">
       <Uri>https://github.com/dotnet/arcade-services</Uri>
-      <Sha>ad564790607031479f7c74b4211f53930d0f6ca8</Sha>
+      <Sha>fbfe3ef4178f3e5ca05ee32ebd4a20599e72f115</Sha>
     </Dependency>
-    <Dependency Name="Microsoft.DotNet.DarcLib" Version="1.1.0-beta.23063.1">
+    <Dependency Name="Microsoft.DotNet.DarcLib" Version="1.1.0-beta.23068.1">
       <Uri>https://github.com/dotnet/arcade-services</Uri>
-      <Sha>ad564790607031479f7c74b4211f53930d0f6ca8</Sha>
+      <Sha>fbfe3ef4178f3e5ca05ee32ebd4a20599e72f115</Sha>
     </Dependency>
     <Dependency Name="Microsoft.Extensions.Logging.Console" Version="8.0.0-alpha.1.22557.12">
       <Uri>https://github.com/dotnet/runtime</Uri>

eng/Versions.props

@@ -30,7 +30,7 @@
   </PropertyGroup>
   <PropertyGroup>
     <!-- Dependency from https://github.com/dotnet/arcade-services -->
-    <MicrosoftDotNetDarcLibVersion>1.1.0-beta.23063.1</MicrosoftDotNetDarcLibVersion>
+    <MicrosoftDotNetDarcLibVersion>1.1.0-beta.23068.1</MicrosoftDotNetDarcLibVersion>
   </PropertyGroup>
   <PropertyGroup>
     <!-- Dependency from https://github.com/dotnet/winforms -->

src/SourceBuild/content/eng/pipelines/ci.yml

@@ -16,6 +16,9 @@ pr:
     - internal/release/*
 
 stages:
+- ${{ if and(ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest')) }}:
+  - template: templates/stages/vmr-scan.yml
+
 # For rolling builds we want to build the MSFT SDK first so that we can
 # compare the contents with the source-built one later.
 # This only works because we don't run this test in PRs. If we decided

src/SourceBuild/content/eng/pipelines/templates/stages/vmr-scan.yml

@@ -0,0 +1,45 @@
+stages:
+- stage: VMR_Scan
+  displayName: VMR Scan
+  dependsOn: []
+  variables:
+  - template: /eng/common/templates/variables/pool-providers.yml
+  jobs:
+  - job: Scan
+    displayName: VMR Scan
+    pool:
+      ${{ if eq(variables['System.TeamProject'], 'public') }}:
+        name: $(DncEngPublicBuildPool)
+        demands: ImageOverride -equals Build.Ubuntu.2004.Amd64.Open
+      ${{ if eq(variables['System.TeamProject'], 'internal') }}:
+        name: $(DncEngInternalBuildPool)
+        demands: ImageOverride -equals Build.Ubuntu.2004.Amd64
+
+    steps:
+    - checkout: self
+
+    - script: |
+        source ./eng/common/tools.sh
+        InitializeDotNetCli true
+        dotnet='./.dotnet/dotnet'
+        "$dotnet" tool restore
+      displayName: Initialize tooling
+      workingDirectory: $(Build.SourcesDirectory)/src/installer
+
+    - script: >
+        ./.dotnet/dotnet darc vmr scan-binary-files
+        --vmr "$(Build.SourcesDirectory)"
+        --tmp "$(Agent.TempDirectory)"
+        || (echo '##[error]Found binaries in the VMR' && exit 1)
+      displayName: Scan for binaries
+      workingDirectory: $(Build.SourcesDirectory)/src/installer
+      continueOnError: true
+
+    - script: >
+        ./.dotnet/dotnet darc vmr scan-cloaked-files
+        --vmr "$(Build.SourcesDirectory)"
+        --tmp "$(Agent.TempDirectory)"
+        || (echo '##[error]Found cloaked files in the VMR' && exit 1)
+      displayName: Scan for cloaked files
+      workingDirectory: $(Build.SourcesDirectory)/src/installer
+      continueOnError: true