
Conversation


@DomAyre DomAyre commented Nov 21, 2025

Why

The confcom extension currently relies on the GitHub API to dynamically find the latest release of each of our dependencies which has the assets we need. This presents two issues:

  • The dependencies are updated implicitly and can break from underneath us
  • The GitHub API calls required to take this approach have a very low rate limit for unauthenticated requests, which we often hit in CI

How

  • For each dependency, define the exact version to pull each asset required
  • Use the GitHub CDN to pull the artefact instead of the API, since we have the exact version

This checklist is used to make sure that common guidelines for a pull request are followed.

Related command

General Guidelines

  • Have you run azdev style <YOUR_EXT> locally? (pip install azdev required)
  • Have you run python scripts/ci/test_index.py -q locally? (pip install wheel==0.30.0 required)
  • My extension version conforms to the Extension version schema

Copilot AI review requested due to automatic review settings November 21, 2025 11:04

azure-client-tools-bot-prd bot commented Nov 21, 2025

✔️ Azure CLI Extensions Breaking Change Test
✔️ Non Breaking Changes

@azure-client-tools-bot-prd

Hi @DomAyre,
Please write the description of changes which can be perceived by customers into HISTORY.rst.
If you want to release a new extension version, please update the version in setup.py as well.

@DomAyre DomAyre changed the title [confcom] Make binary fetching more resilient [confcom] Make dependency fetching more resilient Nov 21, 2025

yonzhan commented Nov 21, 2025

Thank you for your contribution! We will review the pull request and get back to you soon.

@github-actions

The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR.

Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions).
After that please run the following commands to enable git hooks:

pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>

Copilot finished reviewing on behalf of DomAyre November 21, 2025 11:07
@github-actions

github-actions bot commented Nov 21, 2025


Copilot AI left a comment


Pull Request Overview

This PR refactors the binary fetching mechanism in the confcom extension to improve resilience and avoid GitHub API rate limits. The changes replace dynamic GitHub API queries with pinned versions and direct CDN downloads.

Key Changes:

  • Pin specific versions for all external dependencies (OPA v1.10.1, integrity-vhd v1.6, kata-containers 3.2.0.azl3.genpolicy3, cosesign1go v1.4.0)
  • Replace GitHub API calls with direct GitHub CDN URLs for downloading binaries
  • Refactor path handling to use pathlib instead of os.path

Reviewed Changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 12 comments.

File: lib/paths.py
Description: Migrated from os module to pathlib for cleaner path handling; added get_data_dir() function

File: lib/opa.py
Description: Restructured to use pinned OPA v1.10.1 with direct CDN downloads and SHA256 checksum verification

File: rootfs_proxy.py
Description: Simplified binary download to use pinned integrity-vhd v1.6 with direct CDN downloads

File: kata_proxy.py
Description: Updated to fetch genpolicy binaries and data files from pinned kata-containers 3.2.0.azl3 releases

File: cose_proxy.py
Description: Modified to download sign1util from pinned cosesign1go v1.4.0 release
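The fetch-and-verify pattern described in the PR's "How" section and in the review summary for lib/opa.py (exact pinned tag, direct release download URL instead of an API query, SHA256 check before the asset is used), as an added example that is not the confcom extension's own code. The repository, tag, asset name, file contents and digest below are hypothetical and constructed for the demo; only the URL shape (github.com/{owner}/{repo}/releases/download/{tag}/{asset}) is GitHub's real direct-download path. The HTTP fetcher is injectable so the demo runs offline against a fake "release".

```python
"""Pinned-release fetcher with SHA256 verification (added example)."""
import hashlib
import hmac
import tempfile
import urllib.request
from dataclasses import dataclass
from pathlib import Path
from typing import Callable, Dict


@dataclass(frozen=True)
class PinnedAsset:
    """One release asset, pinned by exact tag and expected digest."""
    repo: str     # "owner/name" on github.com
    tag: str      # exact release tag, e.g. "v1.10.1"
    asset: str    # file name attached to that release
    sha256: str   # hex digest recorded when the pin was chosen

    @property
    def url(self) -> str:
        # Direct release download URL: served from GitHub's CDN, needs no
        # token and is not subject to the api.github.com rate limit.
        return (f"https://github.com/{self.repo}/releases/download/"
                f"{self.tag}/{self.asset}")


class ChecksumMismatch(Exception):
    """Raised when a downloaded asset does not match its pinned digest."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def digest_matches(data: bytes, expected_hex: str) -> bool:
    # Constant-time comparison is the idiomatic way to compare digests.
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())


def http_fetch(url: str) -> bytes:
    """Default fetcher: plain HTTPS GET of the pinned URL."""
    if not url.startswith("https://"):
        raise ValueError("refusing non-HTTPS download: " + url)
    with urllib.request.urlopen(url, timeout=60) as resp:
        return resp.read()


def fetch_pinned(pin: PinnedAsset, dest_dir: Path,
                 fetch: Callable[[str], bytes] = http_fetch) -> Path:
    """Return a local path to the pinned asset, downloading it if needed.

    A cached copy is reused only if it still matches the pin, so a stale or
    tampered file on disk is re-downloaded rather than trusted.
    """
    dest = dest_dir / pin.asset
    if dest.exists() and digest_matches(dest.read_bytes(), pin.sha256):
        return dest
    data = fetch(pin.url)
    if not digest_matches(data, pin.sha256):
        raise ChecksumMismatch(
            f"{pin.url}: expected sha256 {pin.sha256}, got {sha256_hex(data)}")
    dest_dir.mkdir(parents=True, exist_ok=True)
    part = dest.with_name(dest.name + ".part")
    part.write_bytes(data)   # write under a temporary name first ...
    part.replace(dest)       # ... then rename, so a partial file is never used
    return dest


def demo() -> Dict[str, object]:
    """Exercise the fetcher against a constructed, offline 'release'."""
    good_bytes = b"#!/bin/sh\necho constructed stand-in binary\n"  # constructed
    pin = PinnedAsset(repo="example-org/example-tool", tag="v1.2.3",  # hypothetical
                      asset="example-tool-linux-amd64",
                      sha256=sha256_hex(good_bytes))
    calls = []

    def fake_fetch(url: str) -> bytes:
        calls.append(url)
        return good_bytes

    def tampered_fetch(url: str) -> bytes:
        calls.append(url)
        return good_bytes + b"# tampered\n"   # constructed modification

    with tempfile.TemporaryDirectory() as tmp:
        dest_dir = Path(tmp)
        path = fetch_pinned(pin, dest_dir, fake_fetch)
        first = path.read_bytes() == good_bytes
        # Second call is served from the verified cache: no download.
        fetch_pinned(pin, dest_dir, fake_fetch)
        cached = len(calls) == 1
        # Corrupt the cached file: it must be re-fetched, not trusted.
        path.write_bytes(b"garbage")
        fetch_pinned(pin, dest_dir, fake_fetch)
        refetched = len(calls) == 2 and path.read_bytes() == good_bytes
        # A tampered download is rejected and never lands in dest_dir.
        other = PinnedAsset(pin.repo, pin.tag, "other-asset", pin.sha256)
        try:
            fetch_pinned(other, dest_dir, tampered_fetch)
            rejected = False
        except ChecksumMismatch:
            rejected = not (dest_dir / "other-asset").exists()
    return {"url": pin.url, "first": first, "cached": cached,
            "refetched": refetched, "rejected": rejected}
```

The digest belongs in the pin alongside the tag: pinning the tag alone removes the "breaks from underneath us" problem, but a release asset can be re-uploaded under the same tag, so only the checksum ties the download to the bytes that were reviewed when the pin was chosen. demo() walks through the three cases a fetcher has to get right: first download, reuse of a verified cache, and rejection of a mismatching download without leaving a partial file behind.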
