docs: add air-gapped apiops setup walkthroughs for GitHub Actions and Azure DevOps#77
docs: add air-gapped apiops setup walkthroughs for GitHub Actions and Azure DevOps#77Copilot wants to merge 8 commits into
Conversation
…Azure DevOps Add step-by-step guides under docs/walkthrough/ covering: - Tarball preparation with --cli-package flag - Lock file strategy for offline npm ci - Self-hosted runner/agent configuration - Workflow/pipeline modifications for offline operation - Upgrade procedures and troubleshooting Update docs/README.md navigation with new walkthrough section. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: EMaher <9244742+EMaher@users.noreply.github.com>
- Merged inbox/docwriter-airgapped-walkthroughs.md into decisions.md - Established walkthrough pattern for complex multi-step deployment scenarios - Covers GitHub Actions and Azure DevOps air-gapped deployments - Pattern: docs/walkthrough/ (scenario-based), docs/ci-cd/ (reference), docs/guides/ (feature-oriented) - Deleted merged inbox file Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: EMaher <9244742+EMaher@users.noreply.github.com>
Agent-Logs-Url: https://github.com/Azure/apiops-cli/sessions/55ca6c66-0c45-4eec-9647-95bcedd33b90 Co-authored-by: EMaher <9244742+EMaher@users.noreply.github.com>
Agent-Logs-Url: https://github.com/Azure/apiops-cli/sessions/55ca6c66-0c45-4eec-9647-95bcedd33b90 Co-authored-by: EMaher <9244742+EMaher@users.noreply.github.com>
|
|
||
| | Requirement | Details | | ||
| |-------------|---------| | ||
| | **Connected workstation** | A machine with internet access to download packages | |
There was a problem hiding this comment.
The whole point is an air gapped environment. Isn't there a way to have a local intranet npm registry?
There was a problem hiding this comment.
Updated in a4f5edb. The walkthrough now uses a local intranet npm registry (Azure Artifacts feed) as the primary/default pattern, with tarball + offline cache as fallback only.
| |-------------|---------| | ||
| | **Connected workstation** | A machine with internet access to download packages | | ||
| | **Node.js 22.x** | Installed on both the workstation and the agent | | ||
| | **npm 10+** | Comes with Node.js 22 | |
There was a problem hiding this comment.
remove this line if it comes with prerequisite
There was a problem hiding this comment.
Done in a4f5edb. I removed the separate npm prerequisite line and folded it into the Node.js prerequisite.
| | **Connected workstation** | A machine with internet access to download packages | | ||
| | **Node.js 22.x** | Installed on both the workstation and the agent | | ||
| | **npm 10+** | Comes with Node.js 22 | | ||
| | **Self-hosted Azure Pipelines agent** | Registered in your agent pool, running in the air-gapped network | |
There was a problem hiding this comment.
Add link to official documentation.
There was a problem hiding this comment.
Added in a4f5edb. I linked official Microsoft docs for self-hosted agents and Azure Artifacts npm feed setup.
| | **Node.js 22.x** | Installed on both the workstation and the agent | | ||
| | **npm 10+** | Comes with Node.js 22 | | ||
| | **Self-hosted Azure Pipelines agent** | Registered in your agent pool, running in the air-gapped network | | ||
| | **Azure connectivity from agent** | The agent must reach your APIM instance's ARM endpoint (network-level, not npm) | |
There was a problem hiding this comment.
Is there a document about on premises installs or sovereign clouds?
There was a problem hiding this comment.
Yes—added in a4f5edb. There is now a dedicated “Sovereign Clouds and On-Premises” section linking Azure DevOps Server install docs and national cloud endpoint guidance.
| | **npm 10+** | Comes with Node.js 22 | | ||
| | **Self-hosted Azure Pipelines agent** | Registered in your agent pool, running in the air-gapped network | | ||
| | **Azure connectivity from agent** | The agent must reach your APIM instance's ARM endpoint (network-level, not npm) | | ||
| | **Transfer mechanism** | USB drive, Azure Artifacts upstream feed, or approved file share for moving packages into the restricted zone | |
There was a problem hiding this comment.
Done in a4f5edb. I removed that transfer-mechanism prerequisite line.
|
|
||
| --- | ||
|
|
||
| ## Step 1 — Prepare the Tarball (Connected Workstation) |
There was a problem hiding this comment.
Update this to talk about using local npm registry.
There was a problem hiding this comment.
Updated in a4f5edb. Step 1 now explicitly covers configuring a local npm registry first (Azure Artifacts feed) and uses tarball flow only as fallback.
|
|
||
| Copy the entire npm cache directory (or the `_cacache` subfolder) to your transfer media. | ||
|
|
||
| > **Alternative — Azure Artifacts upstream feed:** If your air-gapped network has an Azure Artifacts feed with an upstream source configured (accessible during a controlled sync window), you can use it as a local npm registry instead of transferring the cache manually. Configure `.npmrc` to point to the feed. |
There was a problem hiding this comment.
Assume this is the default path.
There was a problem hiding this comment.
Handled in a4f5edb. The local registry path is now assumed as default flow; the Azure Artifacts section was moved into the main steps and the tarball flow is fallback.
|
|
||
| ### `pipelines/run-extractor.yaml` | ||
|
|
||
| ```yaml |
There was a problem hiding this comment.
I'm worried about this getting out of date with the default pipelines.
There was a problem hiding this comment.
Addressed in a4f5edb. I removed large copied YAML blocks and replaced them with minimal durable edits that reference the generated default pipeline files to reduce drift risk.
- Make local npm registry (Azure Artifacts) the primary approach - Demote tarball flow to fallback section - Remove redundant npm and transfer mechanism prerequisites - Add official Microsoft docs links (agents, feeds, on-prem, sovereign clouds) - Replace brittle embedded YAML with edit guidance referencing generated files - Add sovereign clouds and on-premises section Closes #44 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: EMaher <9244742+EMaher@users.noreply.github.com>
|
|
||
| Commit `package-lock.json` to the repository. The command `npm ci --offline` requires it. | ||
|
|
||
| Then transfer the npm cache to the agent: |
There was a problem hiding this comment.
in my testing - this wasn't needed... The npm command (as long as it was already available on the runner) would just use the tgz file and install it to the cache... I would think that the npmcacache.tar.gz would be needed only if there are other npm packages?
Added operator-focused walkthroughs for running
apiopsin restricted networks where CI agents/runners cannot reach npm at runtime. The docs now explicitly cover local package bootstrapping and pipeline behavior for both GitHub Actions and Azure DevOps.New walkthroughs (
docs/walkthrough/)air-gapped-github-actions.mdair-gapped-azure-devops.mdapiopstarballpackage-lock.jsonnpm ci --offline) and cache/feed optionsBehavior alignment with current
initsemanticsapiops init --cli-package <path>stages the tarball and writes a localfile:dependency inpackage.json.npm ci, which consumes the local package viapackage.json/lockfile resolution.Docs navigation update
docs/README.md:docs/walkthrough/to the documentation tree for discoverability