Investigate a way to auto-validate that a GA service SDK package release does not have non-GA dependencies listed

[ahsonkhan]

We want to avoid cases like these in the future, where a GA release depends on beta version of core. Can we come up with an automatic validation step to catch this and fail the build:

azure-sdk-for-cpp/sdk/attestation/azure-security-attestation/vcpkg/vcpkg.json

Line 17 in a3926d6

"version>=": "1.7.0-beta.1"

That improves our release process. That said, it isn't release blocking though, since our dependency mentions >= and a new GA version of core resolves it correctly.

Example release:
https://github.com/microsoft/vcpkg/pull/25629/files#diff-8a10b4f3178229f2d82b3f64c0568d1e8322005f1fef03bef9c141bd5b3d85e7R14

cc @danieljurek, @LarryOsterman

[ahsonkhan]

This becomes useful especially when the beta releases for packages like Azure Core do not go into the main registry, but rather our beta one:
https://github.com/Azure/azure-sdk-vcpkg-betas/

[ahsonkhan]

@BillyONeal is there a way for vcpkg to help us validate this?

Also, that the versions in our Config.cmake.in and vcpkg.json match.

[BillyONeal]

@BillyONeal is there a way for vcpkg to help us validate this?

Hmmmm closest I can think of is that if you have a port that is 'everything' depend-info will tell you all the dependencies and transitive dependencies, but just list and grep for azure-* probably already gets you pretty close with that.

Also, that the versions in our Config.cmake.in and vcpkg.json match.

For your 'local' manifest you could do that by parsing vcpkg.json in your CMakeLists.txt with string(JSON GET https://cmake.org/cmake/help/latest/command/string.html#get

(This use case is one of the reasons we made vcpkg.json a json file in the first place)

We don't really have a 'canned' way to do this because there's no difference between a 'GA' version and a not 'GA' version to vcpkg.

We do have a thing that validates stuff if you want to add extra validation to we would be happy to merge for you so long as it only would touch an allowlist of ports: https://github.com/microsoft/vcpkg/blob/master/.github/workflows/untrustedPR.yml

[github-actions]

Hi @ahsonkhan, we deeply appreciate your input into this project. Regrettably, this issue has remained unresolved for over 2 years and inactive for 30 days, leading us to the decision to close it. We've implemented this policy to maintain the relevance of our issue queue and facilitate easier navigation for new contributors. If you still believe this topic requires attention, please feel free to create a new issue, referencing this one. Thank you for your understanding and ongoing support.