[ci] Stop using preview .NET SDK channel in two lanes#11510
Merged
Conversation
The `MAUI Integration` and `Publish symbols and Push to Maestro` jobs were the only two pipeline lanes installing the SDK via `DotNetPreviewSdkVersion=10.0` + `DotNetPreviewSdkQuality=preview`. Because 10.0 has shipped GA, the `preview` quality on that channel resolves to a stale pre-GA SDK that never received the security fix that landed in the 10.0 GA SDKs. As a result, Component Governance reports `Fix not detected` for those two lanes while every other lane (which installs `DotNetSdkVersion=10.0` + `DotNetSdkQuality=GA`) reports `Fix detected`. Switch both lanes to `DotNetSdkVersion` / `DotNetSdkQuality` so they install the patched GA SDK like all the other jobs, and remove the now-unused `DotNetPreviewSdk*` variables so the stale preview channel cannot be reintroduced. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
There was a problem hiding this comment.
Pull request overview
Switches two CI lanes (MAUI Integration and Publish symbols/Push to Maestro) from the stale DotNetPreviewSdk* preview channel to the GA DotNetSdk* variables, matching the rest of the pipeline, and removes the now-unused preview variables.
Changes:
- Replace
$(DotNetPreviewSdkVersion)/$(DotNetPreviewSdkQuality)with$(DotNetSdkVersion)/$(DotNetSdkQuality)in the MAUI Integration and Publish-symbols jobs. - Remove the unused
DotNetPreviewSdkVersionandDotNetPreviewSdkQualityvariables fromvariables.yaml.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| build-tools/automation/yaml-templates/variables.yaml | Removes the unused preview SDK channel/quality variables. |
| build-tools/automation/azure-pipelines.yaml | Updates the two affected jobs to use the GA SDK variables. |
Redth
approved these changes
May 27, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Component Governance is reporting a vulnerable .NET 10.0 SDK against two lanes in the
Xamarin.Androidpipeline --MAUI IntegrationandPublish symbols and Push to Maestro-- while every other lane reportsFix detected.Those two lanes were the only ones installing the SDK with
DotNetPreviewSdkVersion=10.0+DotNetPreviewSdkQuality=preview. Now that 10.0 has shipped GA, thepreviewquality on that channel resolves to a stale pre-GA SDK that never received the security fix that landed in the 10.0 GA SDKs. Every other lane installsDotNetSdkVersion=10.0+DotNetSdkQuality=GA, which is why CG showsFix detectedfor them.This PR switches both lanes to
DotNetSdkVersion/DotNetSdkQualityso they pick up the patched GA SDK like the rest of the pipeline, and removes the now-unusedDotNetPreviewSdk*variables so the stale preview channel cannot be reintroduced.