[build-tools] Fix CI download failures, upgrade xa-prep-tasks and BootstrapTasks to net10.0#10886
Merged
jonathanpeppers merged 6 commits intomainfrom Mar 5, 2026
Merged
Conversation
…ri task Transient network errors (e.g. SSL handshake failures) during file downloads would cause immediate build failures. Add retry support with configurable MaxRetries (default 3) and exponential backoff delays of 5s, 15s, and 30s. Partial temp files are cleaned up between attempts. Cancellation is respected during retries. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
jonathanpeppers
requested review from
grendello and
simonrozsival
as code owners
jonathanpeppers
added
the
copilot
Contributor
There was a problem hiding this comment.
Pull request overview
Adds retry support to the Xamarin.Android.BuildTools.PrepTasks.DownloadUri MSBuild task to reduce build failures from transient network download errors during repo/tooling preparation.
Changes:
- Introduces configurable
MaxRetries(default: 3) and a fixed backoff schedule (5s/15s/30s). - Wraps download logic in a retry loop and cleans up the temp download file between attempts.
- Logs attempt counts and retry warnings, and uses cancellation tokens for the backoff delay.
build-tools/xa-prep-tasks/Xamarin.Android.BuildTools.PrepTasks/DownloadUri.cs
Outdated
Show resolved
Hide resolved
build-tools/xa-prep-tasks/Xamarin.Android.BuildTools.PrepTasks/DownloadUri.cs
Outdated
Show resolved
Hide resolved
- Use File.Create instead of File.OpenWrite to truncate temp files, preventing corrupted output with trailing bytes on retries. - Catch OperationCanceledException from Task.Delay during backoff so cancellation exits the retry loop cleanly instead of throwing an unhandled exception. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
On macOS CI, SSL handshake failures occur when CRL/OCSP endpoints are unreachable and CheckCertificateRevocationList is set to true. Switch to SocketsHttpHandler with an X509ChainPolicy that still checks revocation but treats RevocationStatusUnknown as non-fatal, matching the approach in dotnet/arcade's DownloadFile task: https://github.com/dotnet/arcade/blob/a07b621/src/Microsoft.DotNet.Arcade.Sdk/src/DownloadFile.cs#L122-L145 This requires upgrading xa-prep-tasks from netstandard2.0 to net10.0 (DotNetStableTargetFramework) for SocketsHttpHandler APIs. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
BootstrapTasks has a ProjectReference to xa-prep-tasks, which now targets net10.0 instead of netstandard2.0. Update BootstrapTasks to match, fixing NU1201 compatibility error. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
HashAlgorithm.Create(string) is obsolete in net10.0. Use the parameterless factory methods (SHA1.Create(), etc.) instead. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- CreateFrameworkList: AssemblyName.ProcessorArchitecture is obsolete in net10.0, hardcode 'MSIL' since all managed assemblies use it. - GenerateSupportedPlatforms: throw on invalid VersionCodeFull instead of passing null to AndroidVersion constructor. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
jonathanpeppers
changed the title
Member
Author
|
This is green enough, I'm merging as it blocks all other PRs. |
jonathanpeppers
added a commit
that referenced
this pull request
Mar 5, 2026
…tstrapTasks to net10.0 (#10886) Fix transient SSL/TLS download failures in CI by adding retry logic and adopting the same fail-open CRL revocation policy used by [dotnet/arcade](https://github.com/dotnet/arcade/blob/a07b621/src/Microsoft.DotNet.Arcade.Sdk/src/DownloadFile.cs#L122-L145). Also upgrades `xa-prep-tasks` and `BootstrapTasks` from `netstandard2.0` to `net10.0` (required for `SocketsHttpHandler` APIs), and fixes resulting obsolete API warnings. ### Context macOS CI runners intermittently fail SSL handshakes when CRL/OCSP endpoints are unreachable. The `DOTNET_SYSTEM_NET_SECURITY_NOREVOCATIONCHECKBYDEFAULT` env var is set in CI ([variables.yaml](https://github.com/dotnet/android/blob/main/build-tools/automation/yaml-templates/variables.yaml#L75)), but code explicitly setting `CheckCertificateRevocationList = true` overrides it. ### Changes #### 1. Retry logic with exponential backoff - `DownloadUri` task now retries up to 3 times (configurable via `MaxRetries`) - Exponential backoff delays: 5s → 15s → 30s - Partial temp files cleaned up between attempts #### 2. Code review fixes - `File.OpenWrite` → `File.Create` to properly truncate on retries - Wrap `Task.Delay` in try/catch for cancellation handling #### 3. SocketsHttpHandler with fail-open CRL policy - Replaced `HttpClientHandler` with `SocketsHttpHandler` + `SslClientAuthenticationOptions` - Uses `X509ChainPolicy` with `IgnoreEndRevocationUnknown | IgnoreCertificateAuthorityRevocationUnknown` - Still checks revocation, but treats unreachable CRL endpoints as non-fatal - Matches [dotnet/arcade's DownloadFile approach](https://github.com/dotnet/arcade/blob/a07b621/src/Microsoft.DotNet.Arcade.Sdk/src/DownloadFile.cs#L122-L145) #### 4. Upgrade BootstrapTasks to `net10.0` - `SocketsHttpHandler` and `X509ChainPolicy` require `net10.0` (not available in `netstandard2.0`) - Updated `xa-prep-tasks.csproj` and `BootstrapTasks.csproj` TFMs - Updated `PrepTasksAssembly` and `BootstrapTasksAssembly` paths in `Directory.Build.props` #### 5. Fix SYSLIB0045: `HashAlgorithm.Create(string)` obsolete - Replaced with switch expression mapping to parameterless factory methods - Removed MD5 support (CA5351), suppressed CA5350 for SHA1 (content hashing only) #### 6. Fix SYSLIB0037 and CS8604 in BootstrapTasks - `CreateFrameworkList`: `AssemblyName.ProcessorArchitecture` is obsolete — hardcode `MSIL` - `GenerateSupportedPlatforms`: throw on invalid `VersionCodeFull` instead of passing null
jonathanpeppers
added a commit
that referenced
this pull request
Mar 6, 2026
…tstrapTasks to net10.0 (#10886) Fix transient SSL/TLS download failures in CI by adding retry logic and adopting the same fail-open CRL revocation policy used by [dotnet/arcade](https://github.com/dotnet/arcade/blob/a07b621/src/Microsoft.DotNet.Arcade.Sdk/src/DownloadFile.cs#L122-L145). Also upgrades `xa-prep-tasks` and `BootstrapTasks` from `netstandard2.0` to `net10.0` (required for `SocketsHttpHandler` APIs), and fixes resulting obsolete API warnings. ### Context macOS CI runners intermittently fail SSL handshakes when CRL/OCSP endpoints are unreachable. The `DOTNET_SYSTEM_NET_SECURITY_NOREVOCATIONCHECKBYDEFAULT` env var is set in CI ([variables.yaml](https://github.com/dotnet/android/blob/main/build-tools/automation/yaml-templates/variables.yaml#L75)), but code explicitly setting `CheckCertificateRevocationList = true` overrides it. ### Changes #### 1. Retry logic with exponential backoff - `DownloadUri` task now retries up to 3 times (configurable via `MaxRetries`) - Exponential backoff delays: 5s → 15s → 30s - Partial temp files cleaned up between attempts #### 2. Code review fixes - `File.OpenWrite` → `File.Create` to properly truncate on retries - Wrap `Task.Delay` in try/catch for cancellation handling #### 3. SocketsHttpHandler with fail-open CRL policy - Replaced `HttpClientHandler` with `SocketsHttpHandler` + `SslClientAuthenticationOptions` - Uses `X509ChainPolicy` with `IgnoreEndRevocationUnknown | IgnoreCertificateAuthorityRevocationUnknown` - Still checks revocation, but treats unreachable CRL endpoints as non-fatal - Matches [dotnet/arcade's DownloadFile approach](https://github.com/dotnet/arcade/blob/a07b621/src/Microsoft.DotNet.Arcade.Sdk/src/DownloadFile.cs#L122-L145) #### 4. Upgrade BootstrapTasks to `net10.0` - `SocketsHttpHandler` and `X509ChainPolicy` require `net10.0` (not available in `netstandard2.0`) - Updated `xa-prep-tasks.csproj` and `BootstrapTasks.csproj` TFMs - Updated `PrepTasksAssembly` and `BootstrapTasksAssembly` paths in `Directory.Build.props` #### 5. Fix SYSLIB0045: `HashAlgorithm.Create(string)` obsolete - Replaced with switch expression mapping to parameterless factory methods - Removed MD5 support (CA5351), suppressed CA5350 for SHA1 (content hashing only) #### 6. Fix SYSLIB0037 and CS8604 in BootstrapTasks - `CreateFrameworkList`: `AssemblyName.ProcessorArchitecture` is obsolete — hardcode `MSIL` - `GenerateSupportedPlatforms`: throw on invalid `VersionCodeFull` instead of passing null
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Fix transient SSL/TLS download failures in CI by adding retry logic and adopting the same fail-open CRL revocation policy used by dotnet/arcade. Also upgrades
xa-prep-tasksandBootstrapTasksfromnetstandard2.0tonet10.0(required forSocketsHttpHandlerAPIs), and fixes resulting obsolete API warnings.Context
macOS CI runners intermittently fail SSL handshakes when CRL/OCSP endpoints are unreachable. The
DOTNET_SYSTEM_NET_SECURITY_NOREVOCATIONCHECKBYDEFAULTenv var is set in CI (variables.yaml), but code explicitly settingCheckCertificateRevocationList = trueoverrides it.Changes
1. Retry logic with exponential backoff (
ec45d3ca1)DownloadUritask now retries up to 3 times (configurable viaMaxRetries)2. Code review fixes (
d334caf26)File.OpenWrite→File.Createto properly truncate on retriesTask.Delayin try/catch for cancellation handling3. SocketsHttpHandler with fail-open CRL policy (
b5aac5f5a)HttpClientHandlerwithSocketsHttpHandler+SslClientAuthenticationOptionsX509ChainPolicywithIgnoreEndRevocationUnknown | IgnoreCertificateAuthorityRevocationUnknown4. Upgrade BootstrapTasks to
net10.0(876262d5a)SocketsHttpHandlerandX509ChainPolicyrequirenet10.0(not available innetstandard2.0)xa-prep-tasks.csprojandBootstrapTasks.csprojTFMsPrepTasksAssemblyandBootstrapTasksAssemblypaths inDirectory.Build.props5. Fix SYSLIB0045:
HashAlgorithm.Create(string)obsolete (891a9f3a5)6. Fix SYSLIB0037 and CS8604 in BootstrapTasks (
f28bb68ac)CreateFrameworkList:AssemblyName.ProcessorArchitectureis obsolete — hardcodeMSILGenerateSupportedPlatforms: throw on invalidVersionCodeFullinstead of passing null