
[Core] raw githubusercontent urls are updated to refer azcli blob to restrict external system access #33240

Open
msarfraz wants to merge 8 commits into Azure:dev from msarfraz:network-isolation

Conversation

msarfraz (Contributor) commented Apr 22, 2026

Description
This PR removes the dependency on GitHub (raw.githubusercontent.com) for VM image aliases, replacing it with Azure Blob Storage (azcliprod.blob.core.windows.net). This change enables Azure CLI to work properly in network-isolated environments where GitHub access is blocked.

In addition, a new validation is added to the CI pipeline to flag any use of a raw.githubusercontent.com URL in the code.

Background
In enterprise environments with strict network isolation policies, access to raw.githubusercontent.com is not allowed.

Changes

VM Image Alias Migration
Before:
https://raw.githubusercontent.com/Azure/azure-rest-api-specs/master/arm-compute/quickstart-templates/aliases.json
After:
https://azcliprod.blob.core.windows.net/cli/vm/aliases_master.json

Release pipeline task:

set -e

# Define files to sync: "github_url|blob_name"
declare -a FILES=(
  "https://raw.githubusercontent.com/Azure/azure-cli/release/src/azure-cli/setup.py|azure-cli/setup.py"
  "https://raw.githubusercontent.com/Azure/azure-cli/release/src/azure-cli-core/setup.py|azure-cli-core/setup.py"
  "https://raw.githubusercontent.com/Azure/azure-cli/release/src/azure-cli-telemetry/setup.py|azure-cli-telemetry/setup.py"
  "https://raw.githubusercontent.com/Azure/azure-cli/release/src/azure-cli-testsdk/setup.py|azure-cli-testsdk/setup.py"
  "https://raw.githubusercontent.com/Azure/azure-rest-api-specs/main/arm-compute/quickstart-templates/aliases.json|vm/aliases.json"
  "https://raw.githubusercontent.com/Azure/azure-rest-api-specs/master/arm-compute/quickstart-templates/aliases.json|vm/aliases_master.json"
)

# Use a private temporary file instead of a fixed, predictable path under /tmp
TEMP_FILE="$(mktemp)"
FAILED=0

for item in "${FILES[@]}"; do
  # Split by '|'
  GITHUB_URL="${item%|*}"
  BLOB_NAME="${item#*|}"

  echo "============================================"
  echo "Syncing: ${BLOB_NAME}"
  echo "From: ${GITHUB_URL}"
  echo "============================================"

  # Download from GitHub. -f makes curl fail on an HTTP error status, so a 404 or
  # error page is never uploaded to the blob as if it were the real file.
  if curl -fsSL -o "$TEMP_FILE" "$GITHUB_URL"; then
    # Upload to AME Storage
    az storage blob upload \
      --account-name azcliprod \
      --container-name cli \
      --name "$BLOB_NAME" \
      --file "$TEMP_FILE" \
      --overwrite \
      --auth-mode login

    echo "✓ Successfully synced: ${BLOB_NAME}"
  else
    echo "✗ Failed to download: ${GITHUB_URL}"
    FAILED=1
  fi

  rm -f "$TEMP_FILE"
  echo ""
done

if [ $FAILED -eq 1 ]; then
  echo "Some files failed to sync!"
  exit 1
fi

echo "============================================"
echo "All files synced successfully!"
echo "============================================"


azure-client-tools-bot-prd (Bot) commented Apr 22, 2026

✔️ AzureCLI-FullTest: every module (acr through vm) passed on latest, 3.12 and 3.13

azure-client-tools-bot-prd (Bot) commented

Hi @msarfraz,
Since the current milestone time is less than 7 days, this PR will be reviewed in the next milestone.

azure-client-tools-bot-prd (Bot) commented Apr 22, 2026

✔️ AzureCLI-BreakingChangeTest
✔️ Non Breaking Changes

yonzhan (Collaborator) commented Apr 22, 2026

Thank you for your contribution! We will review the pull request and get back to you soon.

github-actions commented

The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR.

Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions).
After that please run the following commands to enable git hooks:

pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>

Copilot AI (Contributor) left a comment

Pull request overview

This PR aims to remove Azure CLI’s dependency on raw.githubusercontent.com for VM image aliases by switching to an Azure Blob Storage URL (azcliprod.blob.core.windows.net), and adds a CI validation to prevent reintroducing the forbidden URL.

Changes:

  • Update test recordings to use the Azure Blob URL for VM image aliases.
  • Add a CI script to fail PRs that introduce the forbidden raw.githubusercontent.com/.../aliases.json URL in new diff lines.
  • Wire the new CI check into azure-pipelines.yml.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.

Summary per file:

  • src/azure-cli/azure/cli/command_modules/resource/tests/latest/recordings/test_delete_dependent_resources.yaml: updates the recorded request URL for aliases.json from GitHub to Azure Blob.
  • src/azure-cli/azure/cli/command_modules/cloud/tests/latest/recordings/test_cloud_scenario.yaml: updates the recorded cloud metadata response to use Azure Blob for vmImageAliasDoc.
  • src/azure-cli-core/azure/cli/core/cloud.py: touches vm_image_alias_doc for the Azure Bleu cloud (currently still raw GitHub).
  • scripts/ci/check_aliases_source_url.py: introduces a new CI guard script for forbidden aliases URL usage.
  • azure-pipelines.yml: runs the new CI guard script during the linter job.


Comment thread scripts/ci/check_aliases_source_url.py Outdated
Comment thread src/azure-cli-core/azure/cli/core/cloud.py Outdated
Comment thread scripts/ci/check_aliases_source_url.py Outdated
Comment thread scripts/ci/check_aliases_source_url.py Outdated


FORBIDDEN_URL_PATTERN = re.compile(
r"https://raw\.githubusercontent\.com/Azure/azure-rest-api-specs/[A-Za-z0-9._/-]+/arm-compute/quickstart-templates/aliases\.json"
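Review bot: the pattern on these two lines is anchored to the https scheme and is case-sensitive, so an http:// link or a mixed-case host such as HTTP://RAW.githubusercontent.com would not match and the guard would pass it; suggest `https?://raw\.githubusercontent\.com` compiled with `re.IGNORECASE`, and once the base URL is the target the long path tail (including the permissive `[A-Za-z0-9._/-]+`) is no longer needed.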
Member commented:
The regex only matches the exact azure-rest-api-specs/.../aliases.json path. If someone introduces a different raw.githubusercontent.com URL for other files, this check won't catch it. The PR's stated goal is to block GitHub URLs in network-isolated environments, so the pattern should be broader — e.g., simply matching https://raw.githubusercontent.com/.

msarfraz (Contributor, Author) replied:
The regex is updated to match the base URL "https://raw.githubusercontent.com" in the code. The documentation, tests, scripts and recordings directories are excluded from validation to avoid false positives.
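One way to implement the diff check the PR description and this reply describe, scanning only added lines for the base URL and skipping the excluded directories; this is an added example, not the PR's own scripts/ci/validate_external_source_urls.py, and the exact excluded directory names and the sample diff are constructed assumptions:

```python
"""Fail CI when added diff lines introduce a raw.githubusercontent.com URL."""
import re
# Base-URL match (the broadened form from the review thread); scheme- and case-tolerant.
FORBIDDEN_URL_PATTERN = re.compile(r"https?://raw\.githubusercontent\.com", re.IGNORECASE)
# Path components skipped to avoid false positives; the exact names are an assumption.
EXCLUDED_DIRS = frozenset({"doc", "tests", "scripts", "recordings"})

def is_excluded(path: str) -> bool:
    # Compare whole directory components, so "scripts" does not also match "myscripts".
    return any(part in EXCLUDED_DIRS for part in path.split("/")[:-1])

def find_violations(diff_text: str) -> list[tuple[str, int, str]]:
    """Return (path, new-file line number, content) for each offending added line."""
    violations, path, new_line = [], None, 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):  # new-file header: "+++ b/<path>" or "+++ /dev/null"
            target = line[4:]
            path = None if target == "/dev/null" else target.removeprefix("b/")
        elif line.startswith("@@"):  # hunk header carries the first new-file line number
            m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", line)
            new_line = int(m.group(1)) if m else 0
        elif line.startswith("+"):  # added line: the only kind that can introduce a URL
            content = line[1:]
            if path and not is_excluded(path) and FORBIDDEN_URL_PATTERN.search(content):
                violations.append((path, new_line, content.strip()))
            new_line += 1
        elif not line.startswith(("-", "\\")):  # context line; removed lines do not advance
            new_line += 1
    return violations

def check_diff(diff_text: str) -> int:
    """CI exit status: 0 when clean, 1 when any added line is forbidden."""
    return 1 if find_violations(diff_text) else 0

# Constructed sample diff: the cloud.py migration (removed URL is not flagged) plus one
# bad added line, and a recording under tests/ that the exclusion list skips.
SAMPLE_DIFF = """\
--- a/src/azure-cli-core/azure/cli/core/cloud.py
+++ b/src/azure-cli-core/azure/cli/core/cloud.py
@@ -10,2 +10,3 @@
 context
-    vm_image_alias_doc='https://raw.githubusercontent.com/Azure/azure-rest-api-specs/master/arm-compute/quickstart-templates/aliases.json',
+    vm_image_alias_doc='https://azcliprod.blob.core.windows.net/cli/vm/aliases_master.json',
+    backup_doc='HTTP://RAW.githubusercontent.com/example/aliases.json',
--- a/src/azure-cli/azure/cli/command_modules/cloud/tests/latest/recordings/test_cloud_scenario.yaml
+++ b/src/azure-cli/azure/cli/command_modules/cloud/tests/latest/recordings/test_cloud_scenario.yaml
@@ -1 +1 @@
-  uri: https://raw.githubusercontent.com/old
+  uri: https://raw.githubusercontent.com/new
"""
```

In a pipeline the input would come from `git diff <src> <dst>` rather than the embedded sample, and a non-zero return from check_diff fails the job.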

@yonzhan yonzhan assigned msarfraz and unassigned evelyn-ys and jiasli Apr 22, 2026
Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.



Comment thread azure-pipelines.yml
Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.



Comment thread azure-pipelines.yml Outdated
Comment thread scripts/ci/validate_external_source_urls.py
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@msarfraz msarfraz changed the title from "[Core] githubusercontent urls are updated to refer azcli blob for VM image aliases" to "[Core] raw githubusercontent urls are updated to refer azcli blob to restrict external system access" on Apr 24, 2026
@msarfraz msarfraz requested a review from Copilot on April 24, 2026 at 07:48
Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.



Comment on lines +92 to +93
parser = argparse.ArgumentParser(description="Check diff for forbidden raw github URL usage.")
parser.add_argument("--src", default="HEAD", help="Source ref/commit for git diff.")
Copilot AI commented Apr 24, 2026

In this user-facing argparse description, “github” should be capitalized as “GitHub” to match common project wording and other strings in this file.

msarfraz (Contributor, Author) replied:

@copilot apply changes based on this feedback

Comment on lines +109 to +114
        print("No forbidden external github URL found in added lines.")
        return 0

    print("Found forbidden external github URL in this change:", file=sys.stderr)
    for file_path, content in violations:
        print(f" - {file_path}: {content}", file=sys.stderr)
Copilot AI commented Apr 24, 2026

The log message uses “github” in lowercase; please use “GitHub” for consistency and clarity in CI output.

msarfraz (Contributor, Author) replied:

@copilot apply changes based on this feedback

Comment thread azure-pipelines.yml Outdated
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>