Fix internal build break: remove failing TS-starter / bundle-layout verifier checks, add GitHub-CI coverage, fix latent sidecar-scope bug

[radical]

The signed build+sign pipeline (microsoft-aspire, definition 1602) has been broken on main since #17274 merged. Two checks added by that PR fail in the 1ES signed-build agent — the only environment that actually runs eng/scripts/verify-cli-archive.ps1 against the real signed archive:

1. Test-ExtractedBundleLayout invokes aspire-managed --help, which returns exit 1 by design — Aspire.Managed's entry point is a hard args switch on dashboard|server|nuget, and anything else falls through to ShowUsage() returning 1 (src/Aspire.Managed/Program.cs:22-28,58-62). PR Fix internal build break: 'aspire-managed --help' in CLI archive verifier returns exit 1 #17341 patched this to aspire-managed nuget --help, which only fixed half the breakage.
2. Test-TypeScriptStarterProject invokes aspire new aspire-ts-starter, whose packager-managed AppHost bootstrap performs a NuGet restore that resolves transitive deps (Microsoft.Extensions.*, Grpc.*, OpenTelemetry.*, …) to https://api.nuget.org/v3/index.json. The signed-build agent has no public-internet egress and the restore fails with Permission denied (api.nuget.org:443).

Same class of regression both times: the verifier doesn't run on GitHub PRs and only fires in the post-merge build+sign pipeline, so the incompatibility wasn't caught pre-merge.

Surgical removal of the failing checks

Only the failing pieces are removed; all orthogonal infrastructure from #17274 is kept so it can be reused when the TS check returns.

Removed:

• Test-TypeScriptStarterProject (function + call site)
• Test-ExtractedBundleLayout (function + call site)
• CreateFakeBundleArchiveAsync + CreateFakeCliScript from FakeArchiveHelper.cs (no other consumers)

Kept:

• Helpers Get-ExecutableFileName, Get-ArchiveRoot, Get-ArchiveRidFamily
• Refactored Test-CSharpStarterProject function (functionally equivalent to the pre-Validate TypeScript CLI archive layout #17274 inline C# starter check)
• Test-ArchiveSidecar's use of Get-ArchiveRidFamily
• aspireBin discovery via Get-ArchiveRoot

The script header's step list is updated to match what now runs.

Added: slim GitHub-CI coverage for the verifier

The verifier still only runs in the post-merge AzDO pipeline, so regressions in its contract surface days late. A slim synthetic-archive E2E test exercises the verifier in GitHub CI with no real CLI, no bundle, and no network:

• VerifyCliArchive_AcceptsCleanPerRidArchive — clean per-RID archive whose fake aspire mock handles --version and new aspire-starter; asserts exit 0 + expected per-step success lines.
• VerifyCliArchive_RejectsArchiveWithStraySidecar — archive with a stray .aspire-install.json at the root; asserts non-zero exit with the user-facing error text from Test-ArchiveSidecar. This is the per-RID archive contract from feat(cli): co-locate bundle with CLI binary for packager-managed installs #16817 that the verifier was originally written to enforce.
• VerifyCliArchive_RejectsStraySidecarWhenBinaryIsNestedUnderSubdirectory — same contract, with the binary nested under a single subdirectory. Catches a latent scope-narrowing bug in the sidecar check (see below).

New FakeArchiveHelper.CreateFakeVerifyArchiveAsync produces these archives. Pre-existing CreateFakeArchiveAsync is unchanged, so install-script tests are unaffected. Unix-only because the fake aspire mock is a bash script.

Fixed: latent Test-ArchiveSidecar scope-narrowing

Test-ArchiveSidecar was being called with $archiveRoot (the directory Get-ArchiveRoot picks out as the binary's home), not $extractDir (the true extraction directory). For an archive shaped like {.aspire-install.json, payload/aspire}, Get-ArchiveRoot returns payload/, and the sidecar scan recurses only into payload/ — silently missing the stray sidecar at the actual archive root.

Latent only — today's signed archives put aspire at the extraction root, so Get-ArchiveRoot returns $extractDir unchanged and the scope-narrowing didn't matter in practice. A producer-side refactor that introduced a top-level directory would have silently hidden a #16817 contract violation. Fixed by scanning $extractDir instead; pinned by the third test above.

Follow-up

Re-introducing the TS-starter and bundle-layout coverage is tracked in #17349.

Fixes #17345

[github-actions]

🚀 Dogfood this PR with:

⚠️ WARNING: Do not do this without first carefully reviewing the code of this PR to satisfy yourself it is safe.

curl -fsSL https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 17346

Or

• Run remotely in PowerShell:

iex "& { $(irm https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 17346"

[radical]

Triggered a validation build of this revert on the internal microsoft-aspire pipeline (definition 1602) to confirm the build+sign stage now passes end-to-end.

Build: 20260520.15 — branch ankj/revert-cli-archive-verify-additions. Will post the result here when it finishes.

[Copilot]

Pull request overview

This PR reverts the verifier-side additions from #17274 and the follow-up fix from #17341 to unblock the internal signed build pipeline while environmental compatibility issues are investigated (tracked in #17345).

Changes:

• Removes the Acquisition E2E test coverage that validated verify-cli-archive.ps1 against a synthetic bundle-shaped archive.
• Simplifies eng/scripts/verify-cli-archive.ps1 back to validating sidecar absence, aspire --version, and aspire new aspire-starter.
• Removes the synthetic “bundle extraction + TS starter” fake archive generation helper and its script path constant.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

File	Description
tests/Aspire.Acquisition.Tests/Scripts/VerifyCliArchivePowerShellTests.cs	Deletes the synthetic end-to-end test for verify-cli-archive.ps1.
tests/Aspire.Acquisition.Tests/Scripts/Common/ScriptPaths.cs	Removes the VerifyCliArchivePowerShell script path constant.
tests/Aspire.Acquisition.Tests/Scripts/Common/FakeArchiveHelper.cs	Removes the fake “bundle-shaped” archive generator and mock CLI script.
eng/scripts/verify-cli-archive.ps1	Reverts bundle-layout and TypeScript-starter verification; keeps only basic archive validation + C# starter creation.

[radical]

Switched to a surgical removal of just the failing parts of #17274 (kept the helpers and the Test-CSharpStarterProject refactor) and re-triggered validation on the internal microsoft-aspire pipeline.

Build: 20260520.17 — branch ankj/revert-cli-archive-verify-additions. Cancelled the earlier validation run (2980639) that was testing the now-obsolete full-revert. Will report the result here when it finishes.

[radical]

Pushed a follow-up commit (6a9d3e3) addressing the gap raised in review: re-added VerifyCliArchivePowerShellTests with two tests scoped to the verifier's current shape — happy path (VerifyCliArchive_AcceptsCleanPerRidArchive) and the per-RID sidecar rejection contract from #16817 (VerifyCliArchive_RejectsArchiveWithStraySidecar). Both pass locally.

New FakeArchiveHelper.CreateFakeVerifyArchiveAsync produces the synthetic archives — no real CLI, no bundle, no network. Pre-existing CreateFakeArchiveAsync is unchanged so install-script tests are unaffected. Skipped on Windows (the fake mock is a bash script, matching the deleted test's skip annotation).

The AzDO validation build 20260520.17 is still relevant — this commit only adds test-side code, the verify-cli-archive.ps1 script itself is unchanged.

[radical]

Pushed 3881931ff0 addressing a latent sidecar-scope bug surfaced by review:

Test-ArchiveSidecar was called with $archiveRoot (the directory Get-ArchiveRoot picks out as the binary's home), not $extractDir. For an archive shaped {.aspire-install.json, payload/aspire}, the sidecar scan only recurses into payload/ and silently accepts the stray. Today's signed archives put aspire at the root, so this never bit anyone, but a producer-side change introducing a top-level directory would have hidden a #16817 contract violation.

Fix is one line in the script (scan $extractDir, not $archiveRoot). Pinned with a third test VerifyCliArchive_RejectsStraySidecarWhenBinaryIsNestedUnderSubdirectory that builds the malformed archive shape and asserts rejection — without the script fix the test fails, with it the test passes. Same helper (CreateFakeVerifyArchiveAsync) now covers both binary-at-root and binary-in-subdir shapes via a nestAspireUnderSubdir parameter, which also exercises the previously-untested branch of Get-ArchiveRoot.

Local run: 3/3 tests pass (1.8s).

Cancelled the prior AzDO validation build (2980648) — it was validating the version of the script without the latent-bug fix. Triggered a fresh build 20260520.18 for the current HEAD. Will report results.