Add NuGet (.NET) package registry to whitelist #104
Open
tomhardy0177 wants to merge 1 commit into
Adds a `nuget` section so sandboxes can run `dotnet add package`,
`dotnet restore`, and `nuget.exe` against the NuGet v3 API.
Currently every .NET workflow fails with TLS RST during the Client
hello (api.nuget.org is not in the Envoy allowlist). All other major
package managers (npm, pypi, maven, rubygems, crates.io, go modules)
already have sections; this fills a gap.
Wildcard rationale: the v3 service index at api.nuget.org/v3/index.json
lists separate hostnames for search (azuresearch-{usnc,ussc}.nuget.org)
and the gallery web UI (www.nuget.org). Because Daytona wildcards only
match one subdomain level, *.nuget.org covers all four siblings.
Signed-off-by: tomhardy0177 <183896012+tomhardy0177@users.noreply.github.com>
Comment on lines +406 to +410
| # NuGet (.NET package registry — required for `dotnet add package`, | ||
| # `dotnet restore`, and `nuget.exe`). The v3 service index lives at | ||
| # api.nuget.org but lists search endpoints under | ||
| # azuresearch-{usnc,ussc}.nuget.org and the gallery web UI under | ||
| # www.nuget.org, so the *.nuget.org wildcard is needed to cover them all. |
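Review bot: The comment block on lines +406 to +410 says the `*.nuget.org` wildcard is needed but not how far it reaches. The commit message's rationale depends on wildcards matching only one subdomain level; say that in the comment, since it is what keeps the entry from admitting deeper names under nuget.org, and a reader of the allowlist will not have the commit message in front of them.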
Collaborator
Make this comment more concise
Suggested change
| # NuGet (.NET package registry — required for `dotnet add package`, | |
| # `dotnet restore`, and `nuget.exe`). The v3 service index lives at | |
| # api.nuget.org but lists search endpoints under | |
| # azuresearch-{usnc,ussc}.nuget.org and the gallery web UI under | |
| # www.nuget.org, so the *.nuget.org wildcard is needed to cover them all. | |
| # NuGet (.NET package registry). Wildcard covers the v3 service index, | |
| # search (azuresearch-*.nuget.org), and gallery UI (www.nuget.org). |
| # azuresearch-{usnc,ussc}.nuget.org and the gallery web UI under | ||
| # www.nuget.org, so the *.nuget.org wildcard is needed to cover them all. | ||
| nuget: | ||
| - api.nuget.org |
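Review bot: In the `nuget:` list, `- api.nuget.org` is an exact entry for a host that the comment above says the `*.nuget.org` wildcard already covers, so the section states its scope twice. Decide which one is the policy: for an egress allowlist the tighter form is four exact entries (`api.nuget.org`, `azuresearch-usnc.nuget.org`, `azuresearch-ussc.nuget.org`, `www.nuget.org`, the hosts the comment names) with no wildcard; if the wildcard is kept for future hosts, drop the exact entry so the list has one rule to audit.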
Collaborator
redundant, wildcard covers it
Suggested change
| - api.nuget.org |
Summary
Adds a `nuget:` section to `whitelist.yaml` so sandboxes can run `dotnet add package`, `dotnet restore`, and `nuget.exe` against the NuGet v3 API.

Domains added
- `api.nuget.org` — v3 service index, package metadata, package binary downloads (PackageBaseAddress)
- `*.nuget.org` — wildcard for the sibling hosts the v3 index points at: `azuresearch-usnc.nuget.org`, `azuresearch-ussc.nuget.org` (search), and `www.nuget.org` (gallery). Per the file header, Daytona wildcards match exactly one subdomain level, so this covers all current and likely future `<x>.nuget.org` hosts without being overly broad.

Why
Every .NET workflow currently fails inside Daytona sandboxes with `Connection reset by peer` during the TLS Client hello to `api.nuget.org`. NuGet is the only mainstream package manager not on the list — npm, PyPI, Maven, RubyGems, crates.io, Go modules, Composer, conda, Yarn, and bun already have sections.

Concretely, `dotnet add package Microsoft.AspNetCore.SignalR.Client` (or any other package) returns:
```
error: Unable to load the service index for source https://api.nuget.org/v3/index.json.
error: The SSL connection could not be established, see inner exception.
error: Connection reset by peer
```
This blocks any agent doing greenfield .NET work in a Daytona sandbox, where the standard pattern is `dotnet new <template>` followed by `dotnet add package` to pull dependencies.

Verification of upstream hostnames
All four are covered by `api.nuget.org` + `*.nuget.org`.

Related
`api.nuget.org` which leaves search broken).

Format
Follows the conventions of the recently-merged PRs (e.g. #95 `api.x.ai`, #87 GCP, #89 Cloudflare Tunnel): group header comment, section name, list of domains, no trailing whitespace.
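
The coverage check described under "Verification of upstream hostnames", as an added example (not code from this PR or from Daytona): it reads a NuGet v3 service index and reports which hosts an allowlist admits. The index is a constructed sample, `cdn.eu.nuget.org` is a hypothetical host, and the matcher models the one-subdomain-level rule quoted above; treating the bare `nuget.org` as unmatched is an assumption.

```python
import json
from urllib.parse import urlsplit

# Constructed sample in the shape of a NuGet v3 service index (not a live copy).
SAMPLE_INDEX = json.dumps({
    "version": "3.0.0",
    "resources": [
        {"@id": "https://api.nuget.org/v3-flatcontainer/", "@type": "PackageBaseAddress/3.0.0"},
        {"@id": "https://azuresearch-usnc.nuget.org/query", "@type": "SearchQueryService"},
        {"@id": "https://azuresearch-ussc.nuget.org/query", "@type": "SearchQueryService"},
        {"@id": "https://www.nuget.org/packages/{id}/{version}", "@type": "PackageDetailsUriTemplate/5.1.0"},
        # Hypothetical two-level host, added to show what the wildcard does not cover.
        {"@id": "https://cdn.eu.nuget.org/v3/", "@type": "Example/Hypothetical"},
    ],
})


def host_allowed(host, patterns):
    """Exact match, or '*.suffix' matching exactly one extra label (assumed semantics)."""
    host = host.lower().rstrip(".")
    for pat in patterns:
        pat = pat.lower()
        if pat.startswith("*."):
            suffix = pat[1:]  # e.g. ".nuget.org", leading dot kept on purpose
            if host.endswith(suffix):
                label = host[: -len(suffix)]
                # One non-empty label only: no bare domain, no deeper names.
                if label and "." not in label:
                    return True
        elif host == pat:
            return True
    return False


def audit_index(index_json, patterns):
    """Return {host: allowed} for every host the service index points at."""
    resources = json.loads(index_json)["resources"]
    hosts = {urlsplit(r["@id"]).hostname for r in resources}
    return {h: host_allowed(h, patterns) for h in sorted(hosts)}


if __name__ == "__main__":
    for allowlist in (["api.nuget.org"], ["*.nuget.org"]):
        print(allowlist, audit_index(SAMPLE_INDEX, allowlist))
```

Run against a saved copy of the real index before changing the allowlist; any host reported as `False` is one the client would still fail to reach.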