Add new private channel publishing guardrails

[mmitche]

• This issue is blocking
• This issue is causing unreasonable pain

As extra insurance, Arcade publishing should refuse to publish to public endpoints if the commit being published is not anonymously accessible. I could see this implemented in a couple ways:

Darc

• Darc would attempt to anonymously access to commit of the BAR build id that is about to be published. This would happen locally as well as in CI automation, assuming that a local dev has updated their darc client.
• If the commit is anonymously accessible, any channel is permissible
• If the commit is not anonymously accessible, only internal channels are permissible.

Because publishing endpoint data is kept in arcade, this would require some kind of DB addition. On that note, I don't love it.

Arcade

• The maestro publishing logic would attempt to anonymously access to commit of the BAR build id that is about to be published.
• For all channels to be published to, if any are public (this metadata is on the channel config) and the commit is not anonymously accessible, we fail.

This method does have one annoying side effect. Dev builds of branches pushed only to AzDO (e.g. for testing arcade changes) would not be able to be published to the public "General Testing" channel. I propose that this would be deal with by adding an override switch to darc that would explicitly pass the "SkipSafetyChecks" parameter to the build task.

Verdict

I think going with the arcade publishing method is best.

Release Note Category

• Feature changes/additions
• Bug fixes
• Internal Infrastructure Improvements

Release Note Description

[mmitche]

Okay, these guardrails do not need to be 'new'. They existed:

https://github.com/dotnet/arcade/blob/main/src/Microsoft.DotNet.Build.Tasks.Feed/src/PublishArtifactsInManifestBase.cs#L331-L341

[mmitche]

https://github.com/dotnet/arcade/blob/main/eng/publishing/v3/publish.yml#L166

This is set incorrectly.

[mmitche]

And the safety check is never executed.

[dkurepa]

The main part of this issue is in #15041. This PR isn't merged yet and might need a bit more work, but what it does it it adds the internal repo check, along with an ignore check flag.
The ignore check flag would be set to true in the beginning, this is because we'll have some internal repos like wpf-int that will still need to publish to public channels.
This is where the second currently alive PR comes in dotnet/arcade-services#4013. The PR adds a darc flag that makes it so we pass an ignore check parameter to repos that need to ignore it.

So what we need to do is:

• Finish and merge the first, arcade PR
• Merge the darc PR
• Figure out the list of repos that need to ignore the check
• Make sure the flag is set everywhere
• Set the default value of ignore check to false

These changes will also have to be communicated to our customers