Add new event for finalizing resource annotations and use to configure installer certificate trust

[danegsta]

Description

Adds a new WithConfigurationFinalizer API that takes a configuration callback to be invoked after BeforeStartEvent. Callbacks are called in LIFO order, so the last registered callback will be called first, allowing resources to provide a reliable final callback that will run after all other annotation processing is complete.

I've converted the Python And JS AddInstaller methods to use this new callback to finalize the installer configuration and added certificate trust overrides based on the parent resource certificate trust configuration.

Fixes #13195

Checklist

• Is this feature complete?
  • Yes. Ready to ship.
  • No. Follow-up changes expected.
• Are you including unit tests for the changes and scenario tests if relevant?
  • Yes
  • No
• Did you add public API?
  • Yes
    • If yes, did you have an API Review for it?
      • Yes
      • No
    • Did you add <remarks /> and <code /> elements on your triple slash comments?
      • Yes
      • No
  • No
• Does the change make any security assumptions or guarantees?
  • Yes
    • If yes, have you done a threat model and had a security review?
      • Yes
      • No
  • No
• Does the change require an update in our Aspire docs?
  • Yes
    • Link to aspire-docs issue (consider using one of the following templates):
      • New (or update) doc-idea template
      • New breaking-change template
      • New diagnostic template
  • No

[github-actions]

🚀 Dogfood this PR with:

⚠️ WARNING: Do not do this without first carefully reviewing the code of this PR to satisfy yourself it is safe.

curl -fsSL https://raw.githubusercontent.com/dotnet/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 13200

Or

• Run remotely in PowerShell:

iex "& { $(irm https://raw.githubusercontent.com/dotnet/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 13200"

[Copilot]

Pull request overview

This PR introduces a new WithConfigurationFinalizer API that enables resource configuration callbacks to be invoked after the BeforeStartEvent completes. This provides a reliable mechanism for resources to finalize their configuration based on all previously applied annotations. The implementation includes converting Python and JavaScript installer setup to use this new finalizer pattern, along with adding certificate trust configuration inheritance from parent resources to their installer resources.

Key changes:

• New public API WithConfigurationFinalizer for registering finalization callbacks that execute in LIFO order
• Finalizers are invoked after BeforeStartEvent handlers in DistributedApplication.ExecuteBeforeStartHooksAsync
• Python and JavaScript installers now use finalizers instead of BeforeStartEvent subscriptions for configuration
• Certificate trust settings are inherited from parent resources to installer resources

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
src/Aspire.Hosting/ResourceBuilderExtensions.cs	Adds the new public API WithConfigurationFinalizer extension method
src/Aspire.Hosting/ApplicationModel/FinalizeResourceConfigurationCallbackAnnotation.cs	New annotation types for the finalizer callback and its context
src/Aspire.Hosting/DistributedApplication.cs	Implements finalizer execution logic after BeforeStartEvent completes
src/Aspire.Hosting/ApplicationModel/CertificateAuthorityCollectionAnnotation.cs	Adds static From method to merge certificate authority annotations
src/Aspire.Hosting.Python/PythonAppResourceBuilderExtensions.cs	Converts installer configuration to use finalizer pattern and adds certificate trust inheritance
src/Aspire.Hosting.JavaScript/JavaScriptHostingExtensions.cs	Converts installer configuration to use finalizer pattern and adds certificate trust inheritance
tests/Aspire.Hosting.Python.Tests/AddPythonAppTests.cs	Updates test helper to invoke finalizers after BeforeStartEvent (includes whitespace cleanup)

---

You can also share your feedback on Copilot code review for a chance to win a $100 gift card. Take the survey.

[mitchdenny]

Do we want to make this annotation/API experimental for 13.1?

[danegsta]

Do we want to make this annotation/API experimental for 13.1?

Good call, I've updated the PR to make it experimental.

[mitchdenny]

@danegsta where did we end up with this? Is this PR still the path forward?

[danegsta]

@danegsta where did we end up with this? Is this PR still the path forward?

@eerhardt was working on an alternate approach in #13780; I think this PR is redundant to that approach.