Azure-Samples
diff --git a/‎.env.sample‎
Lines changed: 1 addition & 1 deletion b/‎.env.sample‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/broken-links-checker.yml‎
Lines changed: 3 additions & 0 deletions b/‎.github/workflows/broken-links-checker.yml‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎.github/workflows/build-docker-images.yml‎
Lines changed: 8 additions & 0 deletions b/‎.github/workflows/build-docker-images.yml‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎.github/workflows/import-sample-data-cosmosdb.yml‎
Lines changed: 76 additions & 0 deletions b/‎.github/workflows/import-sample-data-cosmosdb.yml‎
Lines changed: 76 additions & 0 deletions
diff --git a/‎.github/workflows/import-sample-data-postgresql.yml‎
Lines changed: 61 additions & 0 deletions b/‎.github/workflows/import-sample-data-postgresql.yml‎
Lines changed: 61 additions & 0 deletions
diff --git a/‎.github/workflows/job-deploy.yml‎
Lines changed: 17 additions & 4 deletions b/‎.github/workflows/job-deploy.yml‎
Lines changed: 17 additions & 4 deletions
diff --git a/‎.github/workflows/job-post-deployment-setup.yml‎
Lines changed: 103 additions & 0 deletions b/‎.github/workflows/job-post-deployment-setup.yml‎
Lines changed: 103 additions & 0 deletions
diff --git a/‎.github/workflows/tests.yml‎
Lines changed: 6 additions & 0 deletions b/‎.github/workflows/tests.yml‎
Lines changed: 6 additions & 0 deletions
@@ -27,7 +27,7 @@ AZURE_OPENAI_RESOURCE=
 AZURE_OPENAI_API_KEY=
 AZURE_OPENAI_MODEL=gpt-4o
 AZURE_OPENAI_MODEL_NAME=gpt-4o
-AZURE_OPENAI_EMBEDDING_MODEL=text-embedding-ada-002
+AZURE_OPENAI_EMBEDDING_MODEL=text-embedding-3-small
 AZURE_OPENAI_TEMPERATURE=0
 AZURE_OPENAI_TOP_P=1.0
 AZURE_OPENAI_MAX_TOKENS=1000
 
@@ -2,6 +2,9 @@ name: Broken Link Checker
 
 on:
   pull_request:
+    paths:
+      - '**/*.md'
+      - '.github/workflows/broken-links-checker.yml'
   workflow_dispatch:
 
 permissions:
 
@@ -11,6 +11,14 @@ on:
       - main
       - dev
       - demo
+    paths:
+      - 'code/**'
+      - '!code/tests/**'
+      - 'docker/**'
+      - 'package.json'
+      - 'pyproject.toml'
+      - '.github/workflows/build-docker-images.yml'
+      - '.github/workflows/build-docker.yml'
     types:
       - opened
       - ready_for_review
 
@@ -112,6 +112,82 @@ jobs:
           echo "SAMPLE_DATA_DIR=$SAMPLE_DATA_DIR" >> $GITHUB_ENV
           echo "✅ Sample data files downloaded to $SAMPLE_DATA_DIR"
 
+      - name: Login to Azure for Sample Data Download
+        uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+      - name: Enable Public Access on Sample Data Storage (if disabled)
+        id: sample_storage_access
+        shell: bash
+        env:
+          STORAGE_ACCOUNT_NAME: ${{ vars.SAMPLE_DATA_STORAGE_ACCOUNT_NAME }}
+        run: |
+          echo "🔍 Checking public network access on sample data storage account '${STORAGE_ACCOUNT_NAME}'..."
+
+          # Discover the resource group for the sample data storage account
+          SAMPLE_STORAGE_RG=$(az storage account list --query "[?name=='${STORAGE_ACCOUNT_NAME}'].resourceGroup | [0]" -o tsv)
+          if [ -z "$SAMPLE_STORAGE_RG" ] || [ "$SAMPLE_STORAGE_RG" == "null" ]; then
+            echo "❌ Could not find resource group for storage account '${STORAGE_ACCOUNT_NAME}'."
+            exit 1
+          fi
+          echo "SAMPLE_STORAGE_RG=$SAMPLE_STORAGE_RG" >> $GITHUB_ENV
+          echo "SAMPLE_STORAGE_RG=$SAMPLE_STORAGE_RG" >> $GITHUB_OUTPUT
+
+          CURRENT_ACCESS=$(az storage account show --name "$STORAGE_ACCOUNT_NAME" --resource-group "$SAMPLE_STORAGE_RG" --query "publicNetworkAccess" -o tsv)
+          CURRENT_DEFAULT_ACTION=$(az storage account show --name "$STORAGE_ACCOUNT_NAME" --resource-group "$SAMPLE_STORAGE_RG" --query "networkRuleSet.defaultAction" -o tsv)
+
+          echo "   Current publicNetworkAccess: $CURRENT_ACCESS"
+          echo "   Current defaultAction: $CURRENT_DEFAULT_ACTION"
+
+          NEEDS_RESTORE="false"
+          if [ "$CURRENT_ACCESS" == "Disabled" ] || [ "$CURRENT_DEFAULT_ACTION" == "Deny" ]; then
+            echo "🔓 Enabling public access on sample data storage account..."
+            az storage account update --name "$STORAGE_ACCOUNT_NAME" --resource-group "$SAMPLE_STORAGE_RG" --public-network-access Enabled --output none
+            az storage account update --name "$STORAGE_ACCOUNT_NAME" --resource-group "$SAMPLE_STORAGE_RG" --default-action Allow --output none
+            NEEDS_RESTORE="true"
+
+            echo "⏳ Waiting 30 seconds for network changes to propagate..."
+            sleep 30
+            echo "✅ Public access enabled on sample data storage account."
+          else
+            echo "✅ Public access is already enabled."
+          fi
+
+          echo "NEEDS_RESTORE=$NEEDS_RESTORE" >> $GITHUB_ENV
+          echo "NEEDS_RESTORE=$NEEDS_RESTORE" >> $GITHUB_OUTPUT
+          echo "ORIGINAL_ACCESS=$CURRENT_ACCESS" >> $GITHUB_ENV
+          echo "ORIGINAL_DEFAULT_ACTION=$CURRENT_DEFAULT_ACTION" >> $GITHUB_ENV
+
+      - name: Download Sample Data from Azure Storage
+        shell: bash
+        env:
+          STORAGE_ACCOUNT_NAME: ${{ vars.SAMPLE_DATA_STORAGE_ACCOUNT_NAME }}
+          STORAGE_CONTAINER_NAME: ${{ vars.SAMPLE_DATA_STORAGE_CONTAINER_NAME }}
+        run: |
+          SAMPLE_DATA_DIR="${RUNNER_TEMP}/sample-data"
+          mkdir -p "$SAMPLE_DATA_DIR"
+
+          echo "📥 Downloading sample data files from storage account '${STORAGE_ACCOUNT_NAME}'..."
+          az storage blob download \
+            --account-name "$STORAGE_ACCOUNT_NAME" \
+            --container-name "$STORAGE_CONTAINER_NAME" \
+            --name "azure_search_data.json" \
+            --file "$SAMPLE_DATA_DIR/azure_search_data.json" \
+            --auth-mode login
+
+          az storage blob download \
+            --account-name "$STORAGE_ACCOUNT_NAME" \
+            --container-name "$STORAGE_CONTAINER_NAME" \
+            --name "azure_search_data_UseVectorization_SemanticSearch.json" \
+            --file "$SAMPLE_DATA_DIR/azure_search_data_UseVectorization_SemanticSearch.json" \
+            --auth-mode login
+
+          echo "SAMPLE_DATA_DIR=$SAMPLE_DATA_DIR" >> $GITHUB_ENV
+          echo "✅ Sample data files downloaded to $SAMPLE_DATA_DIR"
+
       - name: Validate Workflow Input Parameters
         shell: bash
         env:
 
@@ -97,6 +97,67 @@ jobs:
           echo "SAMPLE_DATA_DIR=$SAMPLE_DATA_DIR" >> $GITHUB_ENV
           echo "✅ Sample data file downloaded to $SAMPLE_DATA_DIR"
 
+      - name: Login to Azure for Sample Data Download
+        uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+      - name: Enable Public Access on Sample Data Storage (if disabled)
+        id: sample_storage_access
+        shell: bash
+        env:
+          STORAGE_ACCOUNT_NAME: ${{ vars.SAMPLE_DATA_STORAGE_ACCOUNT_NAME }}
+        run: |
+          echo "🔍 Checking public network access on sample data storage account '${STORAGE_ACCOUNT_NAME}'..."
+
+          # Discover the resource group for the sample data storage account
+          SAMPLE_STORAGE_RG=$(az storage account list --query "[?name=='${STORAGE_ACCOUNT_NAME}'].resourceGroup | [0]" -o tsv)
+          if [ -z "$SAMPLE_STORAGE_RG" ] || [ "$SAMPLE_STORAGE_RG" == "null" ]; then
+            echo "❌ Could not find resource group for storage account '${STORAGE_ACCOUNT_NAME}'."
+            exit 1
+          fi
+          echo "SAMPLE_STORAGE_RG=$SAMPLE_STORAGE_RG" >> $GITHUB_ENV
+
+          CURRENT_ACCESS=$(az storage account show --name "$STORAGE_ACCOUNT_NAME" --resource-group "$SAMPLE_STORAGE_RG" --query "publicNetworkAccess" -o tsv)
+          CURRENT_DEFAULT_ACTION=$(az storage account show --name "$STORAGE_ACCOUNT_NAME" --resource-group "$SAMPLE_STORAGE_RG" --query "networkRuleSet.defaultAction" -o tsv)
+
+          echo "   Current publicNetworkAccess: $CURRENT_ACCESS"
+          echo "   Current defaultAction: $CURRENT_DEFAULT_ACTION"
+
+          if [ "$CURRENT_ACCESS" == "Disabled" ] || [ "$CURRENT_DEFAULT_ACTION" == "Deny" ]; then
+            echo "🔓 Enabling public access on sample data storage account..."
+            az storage account update --name "$STORAGE_ACCOUNT_NAME" --resource-group "$SAMPLE_STORAGE_RG" --public-network-access Enabled --output none
+            az storage account update --name "$STORAGE_ACCOUNT_NAME" --resource-group "$SAMPLE_STORAGE_RG" --default-action Allow --output none
+
+            echo "⏳ Waiting 30 seconds for network changes to propagate..."
+            sleep 30
+            echo "✅ Public access enabled on sample data storage account."
+          else
+            echo "✅ Public access is already enabled."
+          fi
+
+      - name: Download Sample Data from Azure Storage
+        shell: bash
+        env:
+          STORAGE_ACCOUNT_NAME: ${{ vars.SAMPLE_DATA_STORAGE_ACCOUNT_NAME }}
+          STORAGE_CONTAINER_NAME: ${{ vars.SAMPLE_DATA_STORAGE_CONTAINER_NAME }}
+        run: |
+          SAMPLE_DATA_DIR="${RUNNER_TEMP}/sample-data"
+          mkdir -p "$SAMPLE_DATA_DIR"
+
+          echo "📥 Downloading sample data file from storage account '${STORAGE_ACCOUNT_NAME}'..."
+          az storage blob download \
+            --account-name "$STORAGE_ACCOUNT_NAME" \
+            --container-name "$STORAGE_CONTAINER_NAME" \
+            --name "exported_data_vector_score.csv" \
+            --file "$SAMPLE_DATA_DIR/exported_data_vector_score.csv" \
+            --auth-mode login
+
+          echo "SAMPLE_DATA_DIR=$SAMPLE_DATA_DIR" >> $GITHUB_ENV
+          echo "✅ Sample data file downloaded to $SAMPLE_DATA_DIR"
+
       - name: Validate Workflow Input Parameters
         shell: bash
         env:
 
@@ -557,13 +557,25 @@ jobs:
       DATABASE_TYPE: ${{ inputs.DATABASE_TYPE }}
     secrets: inherit
 
+  # Run post-deployment setup (Function App client key + PostgreSQL tables)
+  post-deployment-setup:
+    needs: [azure-setup, deploy-linux, deploy-windows]
+    if: |
+      always() &&
+      (needs.deploy-linux.result == 'success' || needs.deploy-windows.result == 'success')
+    uses: ./.github/workflows/job-post-deployment-setup.yml
+    with:
+      RESOURCE_GROUP_NAME: ${{ needs.azure-setup.outputs.RESOURCE_GROUP_NAME }}
+    secrets: inherit
+
   # Call PostgreSQL setup workflow when DATABASE_TYPE is PostgreSQL
   import-sample-data-postgresql:
-    needs: [azure-setup, deploy-linux, deploy-windows]
+    needs: [azure-setup, deploy-linux, deploy-windows, post-deployment-setup]
     if: |
       always() &&
       inputs.DATABASE_TYPE == 'PostgreSQL' &&
-      (needs.deploy-linux.result == 'success' || needs.deploy-windows.result == 'success')
+      (needs.deploy-linux.result == 'success' || needs.deploy-windows.result == 'success') &&
+      needs.post-deployment-setup.result == 'success'
     uses: ./.github/workflows/import-sample-data-postgresql.yml
     with:
       RESOURCE_GROUP_NAME: ${{ needs.azure-setup.outputs.RESOURCE_GROUP_NAME }}
@@ -572,11 +584,12 @@ jobs:
 
   # Call CosmosDB/Azure Search setup workflow when DATABASE_TYPE is CosmosDB
   import-sample-data-cosmosdb:
-    needs: [azure-setup, deploy-linux, deploy-windows]
+    needs: [azure-setup, deploy-linux, deploy-windows, post-deployment-setup]
     if: |
       always() &&
       inputs.DATABASE_TYPE == 'CosmosDB' &&
-      (needs.deploy-linux.result == 'success' || needs.deploy-windows.result == 'success')
+      (needs.deploy-linux.result == 'success' || needs.deploy-windows.result == 'success') &&
+      needs.post-deployment-setup.result == 'success'
     uses: ./.github/workflows/import-sample-data-cosmosdb.yml
     with:
       RESOURCE_GROUP_NAME: ${{ needs.azure-setup.outputs.RESOURCE_GROUP_NAME }}
 
@@ -0,0 +1,103 @@
+name: Post-Deployment Setup
+
+on:
+  workflow_dispatch:
+    inputs:
+      RESOURCE_GROUP_NAME:
+        description: 'Azure Resource Group name'
+        required: true
+        type: string
+  workflow_call:
+    inputs:
+      RESOURCE_GROUP_NAME:
+        description: 'Azure Resource Group name'
+        required: true
+        type: string
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  post-deployment-setup:
+    runs-on: ubuntu-latest
+    environment: production
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+
+      - name: Login to Azure
+        uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+
+      - name: Install Python Dependencies
+        shell: bash
+        run: |
+          pip install psycopg2-binary azure-identity
+
+      - name: Run Post-Deployment Setup (Attempt 1)
+        id: setup1
+        shell: bash
+        env:
+          RESOURCE_GROUP: ${{ inputs.RESOURCE_GROUP_NAME }}
+        run: |
+          chmod +x scripts/post_deployment_setup.sh
+          bash scripts/post_deployment_setup.sh "$RESOURCE_GROUP"
+        continue-on-error: true
+
+      - name: Wait 20 seconds before retry
+        if: ${{ steps.setup1.outcome == 'failure' }}
+        shell: bash
+        run: sleep 20s
+
+      - name: Run Post-Deployment Setup (Attempt 2)
+        id: setup2
+        if: ${{ steps.setup1.outcome == 'failure' }}
+        shell: bash
+        env:
+          RESOURCE_GROUP: ${{ inputs.RESOURCE_GROUP_NAME }}
+        run: |
+          chmod +x scripts/post_deployment_setup.sh
+          bash scripts/post_deployment_setup.sh "$RESOURCE_GROUP"
+        continue-on-error: true
+
+      - name: Wait 40 seconds before final retry
+        if: ${{ steps.setup2.outcome == 'failure' }}
+        shell: bash
+        run: sleep 40s
+
+      - name: Run Post-Deployment Setup (Attempt 3)
+        id: setup3
+        if: ${{ steps.setup2.outcome == 'failure' }}
+        shell: bash
+        env:
+          RESOURCE_GROUP: ${{ inputs.RESOURCE_GROUP_NAME }}
+        run: |
+          chmod +x scripts/post_deployment_setup.sh
+          bash scripts/post_deployment_setup.sh "$RESOURCE_GROUP"
+
+      - name: Generate Post-Deployment Summary
+        if: always()
+        shell: bash
+        run: |
+          echo "## 🔧 Post-Deployment Setup Summary" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "| Field | Value |" >> $GITHUB_STEP_SUMMARY
+          echo "|-------|--------|" >> $GITHUB_STEP_SUMMARY
+          echo "| **Job Status** | ${{ job.status == 'success' && '✅ Success' || '❌ Failed' }} |" >> $GITHUB_STEP_SUMMARY
+          echo "| **Resource Group** | \`${{ inputs.RESOURCE_GROUP_NAME }}\` |" >> $GITHUB_STEP_SUMMARY
+
+      - name: Logout from Azure
+        if: always()
+        shell: bash
+        run: |
+          az logout || true
+          echo "Logged out from Azure."
@@ -12,6 +12,12 @@ on:
       - '.github/workflows/tests.yml'
   pull_request:
     branches: [main, dev, demo]
+    paths:
+      - 'code/**'
+      - 'pyproject.toml'
+      - 'package.json'
+      - 'pytest.ini'
+      - '.github/workflows/tests.yml'
     types:
       - opened
       - ready_for_review