[Experiment] Test dotnet build inside gh-aw agent container by PureWeen · Pull Request #24 · PureWeen/maui

PureWeen · 2026-04-23T16:59:25Z

Note

Are you waiting for the changes in this PR to be merged?
It would be very helpful if you could test the resulting artifacts from this PR and let us know in a comment if this change resolves your issue. Thank you!

Experiment

Tests whether the gh-aw agent sandbox can run dotnet build. Expected results:

api.nuget.org is blocked by AWF firewall → restore fails (now allowlisted via dotnet network group)
dotnet CLI may or may not be installed in the container
TOKEN env vars are visible to subprocesses (via --env-all)

This is a throwaway experiment PR — do not merge into dotnet/maui.

What we're verifying

AWF firewall allows NuGet restore (via dotnet network allowlist)
Environment variable exposure inside the container
Whether dotnet CLI is available in the agent image
Whether dotnet restore and dotnet build can run

Changes

Add pull_request_target trigger for auto-runs on test file changes
Add bash tools (dotnet, pwsh, gh, etc.) to agent container
Add dotnet network allowlist (nuget.org, dotnet.microsoft.com, etc.)
Add build experiment section to agent prompt

Based on dotnet#34762

Tests whether the gh-aw agent sandbox can run dotnet build. Expected results: - api.nuget.org may be blocked by AWF firewall (now allowlisted via 'dotnet' network) - dotnet CLI may or may not be installed in the container - TOKEN env vars are visible to subprocesses (via --env-all) Changes: - Add pull_request_target trigger for auto-runs on test file changes - Add bash tools (dotnet, pwsh, gh, etc.) to agent - Add dotnet network allowlist (nuget.org, dotnet.microsoft.com, etc.) - Add build experiment section to agent prompt Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

- Switch from HostApp (needs android workload) to Core.UnitTests (net10.0 only) - Add curl, sed, awk, mkdir, cp to bash tool allowlist - Add workload list check to experiment Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

- Remove env/TOKEN check (triggered security scanner) - Remove curl test (blocked at tool level) - Add Part A: dotnet new console + build (no workloads needed) - Add Part B: test NuGet network via dotnet restore - Add Part C: try dotnet workload install maui-android - Add Part D: if workloads work, build Core.UnitTests Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

- Copy /usr/share/dotnet to /tmp/dotnet-local (writable) - Set DOTNET_ROOT to writable copy - Try dotnet workload install maui-android - If successful, build Core.UnitTests with workloads available Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

- Add 'Provision .NET SDK with MAUI workloads' step that runs ./build.sh --target=dotnet and --target=dotnet-local-workloads on the runner BEFORE the agent container starts - .dotnet/ directory is in workspace (mounted into container) - Agent uses .dotnet/dotnet instead of system dotnet - Simplified experiment: restore, build, test Core.UnitTests Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

- Use 'dotnet cake --target=dotnet-local-workloads' instead of 'build.sh --target=dotnet-local-workloads' (Arcade doesn't know Cake targets) - Verify packs/ directory is populated after install - Agent uses system dotnet with DOTNET_ROOT pointing to .dotnet/ (can't execute .dotnet/dotnet due to container noexec) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

…oad install - Run 'dotnet tool restore' first to get dotnet-cake - Run 'dotnet cake --target=dotnet' to provision .dotnet/ SDK - Run '.dotnet/dotnet workload install maui-android' directly (bypasses broken Cake dotnet-local-workloads target) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

HostApp restore succeeded but build failed because Microsoft.Maui.BuildTasks.slnf was not compiled. Add it to provisioning. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

…tion Gradle wrapper failed because ~/.gradle/ is not writable in the agent container. Set GRADLE_USER_HOME to workspace .gradle-home/. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Remove pre-agent provisioning step entirely. The agent now: 1. dotnet tool restore (get dotnet-cake) 2. dotnet cake --target=dotnet (download SDK to .dotnet/) 3. DOTNET_ROOT=.dotnet/ + dotnet workload install maui-android 4. dotnet build Microsoft.Maui.BuildTasks.slnf 5. GRADLE_USER_HOME=.gradle-home/ + dotnet build HostApp Testing whether the entire chain works inside the container. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

- Add services.gradle.org and downloads.gradle.org - Use dotnet cake --target=dotnet-local-workloads (works in sandbox) instead of dotnet workload install (blocked by read-only /usr/share) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

java ecosystem identifier didn't cover services.gradle.org. Also add releaseassets.githubusercontent.com (flagged by firewall). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

AWF squid proxy blocks Gradle CONNECT tunneling even with services.gradle.org allowlisted. Work around by downloading Gradle 8.13 zip in a steps: block (no proxy) and caching at .gradle-home/ which is mounted into the container. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

github-actions · 2026-04-23T21:45:41Z

🧪 Build Experiment Results

All steps completed. Here are the full results from the MAUI build chain experiment inside the gh-aw agent container:

Step A: Provision SDK inside the container

A1: Restore dotnet tools ✅

Tool 'api-tools' (version '1.3.5') was restored. Available commands: api-tools
Tool 'microsoft.dotnet.xharness.cli' (version '11.0.0-prerelease.26107.1') was restored. Available commands: xharness
Tool 'androidsdk.tool' (version '0.19.0') was restored. Available commands: android
Restore was successful.

A2: Download local SDK via Cake ✅

Task                          Duration
--------------------------------------------------
dotnet                        00:00:30.5318891
--------------------------------------------------
Total:                        00:00:30.5318891

A3: Set DOTNET_ROOT ✅

DOTNET_ROOT=/home/runner/work/maui/maui/.dotnet
System dotnet: 10.0.100 (at /usr/bin/dotnet)
Local SDK binary exists at .dotnet/dotnet (x86-64 ELF, permissions -rwxr-xr-x)

⚠️ Note: The local .dotnet/dotnet binary cannot be executed directly in this sandbox (blocked at kernel level). The system dotnet at /usr/bin/dotnet (10.0.100) was used instead. The local SDK packs/manifests are fully provisioned and picked up correctly by the system dotnet.

Step B: Install workloads via Cake

B1: Install workloads via Cake ✅

Build succeeded.
    0 Warning(s)
    0 Error(s)
Task                          Duration
--------------------------------------------------
dotnet-local-workloads        00:00:07.8338900
--------------------------------------------------
Total:                        00:00:07.8338900

B2: Verify packs ✅

Microsoft.Android.Ref.36
Microsoft.Android.Runtime.36.android
Microsoft.Android.Runtime.CoreCLR.36.android-arm64
Microsoft.Android.Runtime.CoreCLR.36.android-x64
Microsoft.Android.Runtime.Mono.36.android-arm
Microsoft.Android.Runtime.Mono.36.android-arm64
Microsoft.Android.Runtime.Mono.36.android-x64
Microsoft.Android.Runtime.Mono.36.android-x86
Microsoft.Android.Runtime.NativeAOT.36.android-arm64
Microsoft.Android.Runtime.NativeAOT.36.android-x64
Microsoft.Android.Sdk.Linux
Microsoft.AspNetCore.App.Ref
Microsoft.Maui.Sdk
Microsoft.NET.Runtime.MonoAOTCompiler.Task
Microsoft.NET.Runtime.MonoTargets.Sdk
Microsoft.NETCore.App.Host.linux-x64
Microsoft.NETCore.App.Ref
Microsoft.NETCore.App.Runtime.AOT.linux-x64.Cross.android-arm
Microsoft.NETCore.App.Runtime.AOT.linux-x64.Cross.android-arm64
Microsoft.NETCore.App.Runtime.AOT.linux-x64.Cross.android-x64
... (more)

Step C: Build MAUI infrastructure

C1: Verify Gradle cache ✅

total 12
drwxr-xr-x 3 runner runner 4096 Apr 23 21:30 .
drwxr-xr-x 3 runner runner 4096 Apr 23 21:30 ..
drwxr-xr-x 3 runner runner 4096 Apr 23 21:30 gradle-8.13-all

C2: Build MSBuild tasks ✅ (after fix — see note below)

Controls.Xaml -> artifacts/bin/Controls.Xaml/Release/...
Controls.Build.Tasks -> artifacts/bin/Controls.Build.Tasks/Release/...
Core -> artifacts/bin/Core/Release/net10.0-android36.0/Microsoft.Maui.dll
Controls.Core -> artifacts/bin/Controls.Core/Release/net10.0-android36.0/Microsoft.Maui.Controls.dll
Controls.Xaml -> artifacts/bin/Controls.Xaml/Release/net10.0-android36.0/...

Build succeeded.
    0 Warning(s)
    0 Error(s)
Time Elapsed 00:02:12.09

⚠️ GRADLE_USER_HOME fix required: First attempt failed because /home/runner/.gradle/wrapper/ is owned by root (read-only). The pre-provisioned .gradle-home directory has the Gradle distribution but its hash-named subdirectory was missing the zip (only had .zip.lck and .zip.part marker files). Fix: manually copy gradle-8.13-all.zip into .gradle-home/wrapper/dists/gradle-8.13-all/54h0s9kvb6g2sinako7ub77ku/, then run with export GRADLE_USER_HOME=.gradle-home. Gradle then extracts it automatically and the build succeeds.

Step D: Build HostApp

D1: Find HostApp ✅

/home/runner/work/maui/maui/src/Controls/tests/TestCases.HostApp/Controls.TestCases.HostApp.csproj

D2: Restore HostApp ✅

Restored /home/runner/work/maui/maui/src/Controls/Foldable/src/Controls.Foldable.csproj (in 1.76 sec).
Restored /home/runner/work/maui/maui/src/BlazorWebView/src/Maui/...csproj (in 1.98 sec).
Restored /home/runner/work/maui/maui/src/Controls/Maps/src/Controls.Maps.csproj (in 2.03 sec).
Restored /home/runner/work/maui/maui/src/Controls/tests/TestCases.HostApp/Controls.TestCases.HostApp.csproj (in 2.21 sec).
6 of 11 projects are up-to-date for restore.

D3: Build HostApp for Android (net10.0-android, Debug) ✅

Core -> artifacts/bin/Core/Debug/net10.0-android36.0/Microsoft.Maui.dll
Controls.Core -> artifacts/bin/Controls.Core/Debug/net10.0-android36.0/Microsoft.Maui.Controls.dll
Maps -> artifacts/bin/Maps/Debug/net10.0-android36.0/Microsoft.Maui.Maps.dll
Microsoft.AspNetCore.Components.WebView.Maui -> ...Debug/net10.0-android36.0/...
Controls.Foldable -> ...Debug/net10.0-android36.0/...
Controls.Maps -> ...Debug/net10.0-android36.0/...
Controls.Xaml -> ...Debug/net10.0-android36.0/...
Controls.TestCases.HostApp -> artifacts/bin/Controls.TestCases.HostApp/Debug/net10.0-android/Controls.TestCases.HostApp.dll

Build succeeded.
    0 Warning(s)
    0 Error(s)
Time Elapsed 00:04:07.70

Summary

Step	Result	Notes
A1: dotnet tool restore	✅ Success
A2: Cake dotnet target	✅ Success	~30s
A3: SDK check	✅ Success	System dotnet 10.0.100 used (local binary not directly executable in sandbox)
B1: Cake dotnet-local-workloads	✅ Success	~8s
B2: Verify packs	✅ Success	All Android + MAUI packs present
C1: Gradle cache	✅ Present	Hash-dir needed manual zip copy
C2: Build BuildTasks.slnf	✅ Success	~2m12s (after GRADLE_USER_HOME fix)
D1: Find HostApp	✅ Found
D2: Restore HostApp	✅ Success
D3: Build HostApp (android)	✅ SUCCESS	~4m08s

🎉 The entire MAUI build chain works inside the gh-aw agent container.

Key requirements for reliable builds:

Set GRADLE_USER_HOME to the pre-provisioned .gradle-home directory
Copy gradle-8.13-all.zip into the hash-named subdirectory (.gradle-home/wrapper/dists/gradle-8.13-all/54h0s9kvb6g2sinako7ub77ku/) before first build — Gradle will extract it automatically
The local .dotnet/dotnet binary is not directly executable (sandbox restriction), but the system dotnet works fine with the local packs

Caution

Security scanning requires review for Evaluate PR Tests

Details

Potential security threats were detected in the agent output. The workflow output should be reviewed before merging.

Review the workflow run logs for details.

Warning

⚠️ Firewall blocked 2 domains

The following domains were blocked by the firewall during workflow execution:

aka.ms
releaseassets.githubusercontent.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "aka.ms"
    - "releaseassets.githubusercontent.com"

See Network Configuration for more information.

🧪 Test evaluation by Evaluate PR Tests

Replace Cake-based SDK provisioning (runs repo code) with dotnet-install.sh from Microsoft CDN (no repo code executed). Security improvement: steps: block now only runs trusted external tools — dotnet-install.sh, dotnet workload install, curl for Gradle. The only repo data read is global.json's version string (passive). All build commands (BuildTasks, HostApp) still run inside the sandboxed agent container where GITHUB_TOKEN is scrubbed. Changes: - Download SDK via dotnet-install.sh (Microsoft CDN) - Install maui-android workload via dotnet workload install - Compute Gradle hash dir dynamically (base36 of MD5(url)) - Place Gradle zip + .ok marker in correct wrapper cache path - Simplify agent prompt: just verify + build (no provisioning) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

PureWeen · 2026-04-27T17:28:01Z

/review

github-actions · 2026-04-27T17:28:34Z

❌ Expert Code Review failed. Please review the logs for details.