Version of your agent? 2.177.1
OS of the machine running the agent? win-x64
dev.azure.com (formerly visualstudio.com)
When running config.cmd it asks "Perform an unzip for tasks for each step." but there is no documentation on what that means.
What are the implications, pros, cons?
I found these two relevant PRs https://github.com/microsoft/azure-pipelines-agent/pull/3177 and https://github.com/microsoft/azure-pipelines-agent/pull/3065 but they do not have a description.
___ ______ _ _ _
/ _ \ | ___ (_) | (_)
/ /_\ \_____ _ _ __ ___ | |_/ /_ _ __ ___| |_ _ __ ___ ___
| _ |_ / | | | '__/ _ \ | __/| | '_ \ / _ \ | | '_ \ / _ \/ __|
| | | |/ /| |_| | | | __/ | | | | |_) | __/ | | | | | __/\__ \
\_| |_/___|\__,_|_| \___| \_| |_| .__/ \___|_|_|_| |_|\___||___/
| |
agent v2.179.0 |_| (commit bd605d6)
>> Connect:
Connecting to server ...
>> Register Agent:
Scanning for tool capabilities.
Connecting to the server.
Enter deployment group tags for agent? (Y/N) (press enter for N) >
Testing agent connection.
Enter Perform an unzip for tasks for each step. (press enter for N) >
We are all waiting at this prompt until you tell us what happens next.
I went for the default for the moment but I'm curious too!
Same here.
Hi everyone, this is an option for additional security restrictions.
The main idea is that a malicious script could impact the contents of the unzipped task. By unzipping it each time, some customers believe they're in a more secure state.
Since this is not a widely used option - we are planning to make it a command-line only flag instead of prompting for it during agent configuration, and also to update the related documentation.
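An added illustration of the idea in the comment above (not code from the agent or from anyone in this thread): it compares an extracted task folder against its source zip by SHA-256 and shows that a fresh extraction discards changes made to a cached copy. The archive contents, file names and directory names are constructed for the example; the agent's real cache layout is not shown on this page.

```python
import hashlib, io, tempfile, zipfile
from pathlib import Path

def build_task_zip() -> bytes:
    """Constructed sample archive standing in for a downloaded task package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("task.json", '{"name": "SampleTask"}')
        zf.writestr("run.ps1", "Write-Host 'build'")
    return buf.getvalue()

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def drift(zip_bytes: bytes, extracted: Path) -> list[str]:
    """Return relative paths whose on-disk content differs from the archive
    (modified, missing, or added files)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        expected = {i.filename: sha256(zf.read(i))
                    for i in zf.infolist() if not i.is_dir()}
    on_disk = {p.relative_to(extracted).as_posix(): sha256(p.read_bytes())
               for p in extracted.rglob("*") if p.is_file()}
    return [name for name in sorted(expected.keys() | on_disk.keys())
            if expected.get(name) != on_disk.get(name)]

def fresh_extract(zip_bytes: bytes, dest: Path) -> Path:
    """Extract into a new, empty directory, as unzipping for each step would."""
    dest.mkdir(parents=True)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest)
    return dest

def demo() -> dict:
    zip_bytes = build_task_zip()
    with tempfile.TemporaryDirectory() as tmp:
        cached = fresh_extract(zip_bytes, Path(tmp) / "cached")
        clean = drift(zip_bytes, cached)
        # Constructed stand-in for an earlier script changing the cached copy.
        (cached / "run.ps1").write_text("Write-Host 'altered'")
        (cached / "extra.ps1").write_text("Write-Host 'added'")
        tampered = drift(zip_bytes, cached)
        step2 = fresh_extract(zip_bytes, Path(tmp) / "step2")
        return {"clean": clean, "tampered": tampered,
                "after_reextract": drift(zip_bytes, step2)}

if __name__ == "__main__":
    print(demo())
```

Re-extraction only restores a known state if the archive itself cannot be written by the same script that could alter the extracted copy.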
@anatolybolshakov There's a problem with unattended installations: this new param doesn't allow the agent to be installed silently. It always asks for an answer. Is there any new param in order to force it via CLI?
EDIT:
Digging into the PR! I've found the CLI param for overriding this question, --AlwaysExtractTask: https://github.com/microsoft/azure-pipelines-agent/pull/3065/files
@mtenrero yes, you can use the --AlwaysExtractTask command-line parameter to set it up
So, should I answer Y or N? I am still confused about what it does, and what the implications of the choices are.
Thanks
@yuanb Since enabling this option increases pipeline execution time, and it's necessary mostly for specific cases - I would suggest leaving the default value - i.e. N
My issue is the grammar and the lack of explanation behind the prompt. Based on the discussion here the option seems to have a good purpose but it's difficult to understand what exactly is being asked in the prompt.
Enter Perform an unzip for tasks for each step. (press enter for N)
Why is the word "Enter" in front of the question? I guess the user prompt mechanism always adds Enter to the beginning of the question. But the question itself should take that into consideration. "Enter User account to use for the service" for example reads just fine. So maybe change the prompt to "Enter Y to perform an unzip for task for each step. (press enter for N)"
Second, why does it say "for each step"? I ran the config just once. Why are there multiple steps? Maybe I'm misunderstanding the inner workings here, but I've been setting up agents for years now and have never been confused about it until now. To me there is only one step. I download, extract and run config. What are the multiple steps being implied here?
Also why is this question being prompted AFTER the agent has already been added:
Scanning for tool capabilities.
Connecting to the server.
Successfully added the agent
Testing agent connection.
Enter Perform an unzip for tasks for each step. (press enter for N)
I thought this was a setup question. Maybe I'm wrong. If I say Y, is the unzipping going to happen while the agent is running going forward?
This prompt should be reworded in such a way as to help explain.
While AlwaysExtractTask sets it to Y, it doesn't seem like there is a similar switch to force it to no on the CLI; that's frustrating.