Commit c1b3a07

Authored by: AjitPadhi-Microsoft, dependabot[bot], Roopan-Microsoft, Pavan-Microsoft, Prasanjeet-Microsoft
chore: Rebased with dev and dependabotchanges branch (#2171)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Roopan P M <v-roopanpm@microsoft.com>
Co-authored-by: Roopan-Microsoft <168007406+Roopan-Microsoft@users.noreply.github.com>
Co-authored-by: Pavan-Microsoft <v-kupavan@microsoft.com>
Co-authored-by: Prasanjeet-Microsoft <v-singhprasa@microsoft.com>
Co-authored-by: Harmanpreet Kaur <v-harmanpkau@microsoft.com>
Co-authored-by: Harmanpreet-Microsoft <v-harmanprka@microsoft.com>
Co-authored-by: Ross Smith <ross-p-smith@users.noreply.github.com>
Co-authored-by: gpickett <122489228+gpickett@users.noreply.github.com>
Co-authored-by: Francia Riesco <friesco@microsoft.com>
Co-authored-by: Francia Riesco <Fr4nc3@users.noreply.github.com>
Co-authored-by: Prajwal D C <v-dcprajwal@microsoft.com>
Co-authored-by: UtkarshMishra-Microsoft <v-utkamishra@microsoft.com>
Co-authored-by: Priyanka-Microsoft <v-prisinghal@microsoft.com>
Co-authored-by: Kiran-Siluveru-Microsoft <v-ksiluveru@microsoft.com>
Co-authored-by: Prashant-Microsoft <v-pmalusare@microsoft.com>
Co-authored-by: Rohini-Microsoft <v-rwalunj@microsoft.com>
Co-authored-by: Avijit-Microsoft <v-aghorui@microsoft.com>
Co-authored-by: RaviKiran-Microsoft <v-ravikirans@microsoft.com>
Co-authored-by: Somesh Joshi <v-somejoshi@microsoft.com>
Co-authored-by: Himanshi Agrawal <v-himagrawal@microsoft.com>
Co-authored-by: pradeepjha-microsoft <v-pradeepjha@microsoft.com>
Co-authored-by: Bangarraju-Microsoft <v-golib@microsoft.com>
Co-authored-by: Harsh-Microsoft <v-hbangera@microsoft.com>
Co-authored-by: Kanchan-Microsoft <v-knagshetti@microsoft.com>
Co-authored-by: Cristopher Coronado <cristofima@hotmail.com>
Co-authored-by: Cristopher Coronado Moreira <crcorona@pichincha.com>
Co-authored-by: Vamshi-Microsoft <v-vamolla@microsoft.com>
Co-authored-by: Thanusree-Microsoft <168087422+Thanusree-Microsoft@users.noreply.github.com>
Co-authored-by: Niraj Chaudhari (Persistent Systems Inc) <v-nirajcha@microsoft.com>
Co-authored-by: Rohini-Microsoft <168007985+Rohini-Microsoft@users.noreply.github.com>
Co-authored-by: Ragini-Microsoft <v-raginich@microsoft.com>
Co-authored-by: Rafi-Microsoft <v-rafmd@microsoft.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Atulku-Microsoft <v-atulku@microsoft.com>
Co-authored-by: Kingshuk-Microsoft <v-kidatta@microsoft.com>
Co-authored-by: Ayaz-Microsoft <v-ayazkhan@microsoft.com>
Co-authored-by: Abdul-Microsoft <v-amujeebta@microsoft.com>
Co-authored-by: Prekshith-Microsoft <v-pdj@microsoft.com>
Co-authored-by: Akhileswara-Microsoft <v-golnaidu@microsoft.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
1 parent 20c066d commit c1b3a07

58 files changed

Lines changed: 4039 additions & 1578520 deletions

.github/workflows/broken-links-checker.yml

Lines changed: 5 additions & 2 deletions
Original file line number | Diff line number | Diff line change
@@ -2,8 +2,6 @@ name: Broken Link Checker
22

33
on:
44
pull_request:
5-
paths:
6-
- '**/*.md'
75
workflow_dispatch:
86

97
permissions:
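Review bot: removing the `paths:` filter (the `- '**/*.md'` lines) from the `pull_request` trigger makes this workflow run on every pull request rather than only on Markdown changes; if the intent is for a required status check to always report a result, say so in a comment next to `pull_request:`, otherwise the next reader will reinstate the filter and silently break the check.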
@@ -28,6 +26,11 @@ jobs:
2826
with:
2927
files: |
3028
**/*.md
29+
30+
- name: Skip - No Markdown Files Changed
31+
if: github.event_name == 'pull_request' && steps.changed-markdown-files.outputs.any_changed != 'true'
32+
run: echo "No markdown files changed. Skipping broken link check."
33+
3134
# For PR: Check broken links only in changed files
3235
- name: Check Broken Links in Changed Markdown Files
3336
id: lychee-check-pr
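Review bot: the new `Skip - No Markdown Files Changed` step only runs `echo` and does not end the job, so the steps after it (starting with `Check Broken Links in Changed Markdown Files`, `id: lychee-check-pr`) still execute unless each carries its own `if:` on `steps.changed-markdown-files.outputs.any_changed == 'true'`; either add that guard to every subsequent step or replace the echo step with a job-level `if:` on a `check-changes` job output, as the other workflows in this commit do.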

.github/workflows/build-docker-images.yml

Lines changed: 35 additions & 9 deletions
@@ -6,14 +6,6 @@ on:
66
- main
77
- dev
88
- demo
9-
paths:
10-
- 'code/**'
11-
- '!code/tests/**'
12-
- 'docker/**'
13-
- 'package.json'
14-
- 'pyproject.toml'
15-
- '.github/workflows/build-docker-images.yml'
16-
- '.github/workflows/build-docker.yml'
179
pull_request:
1810
branches:
1911
- main
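Review bot: the `paths:` list removed here (`code/**`, `!code/tests/**`, `docker/**`, `package.json`, `pyproject.toml` and the two workflow files) reappears as a `dorny/paths-filter` step later in this file, so the filtering is equivalent, but the `push` trigger now starts a runner on every push to `main`, `dev` and `demo` even when nothing Docker-related changed; that is an accepted cost of always producing a job result, and a one-line comment next to `push:` explaining the trade-off would keep someone from re-adding the filter.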
@@ -27,8 +19,43 @@ on:
2719
merge_group:
2820
workflow_dispatch:
2921

22+
permissions:
23+
id-token: write
24+
contents: read
25+
packages: write
26+
3027
jobs:
28+
check-changes:
29+
runs-on: ubuntu-latest
30+
outputs:
31+
should_build: ${{ steps.filter.outputs.docker_related }}
32+
steps:
33+
- name: Checkout
34+
uses: actions/checkout@v6
35+
with:
36+
fetch-depth: 0
37+
38+
- name: Check for relevant changes
39+
id: filter
40+
uses: dorny/paths-filter@v3
41+
with:
42+
filters: |
43+
docker_related:
44+
- 'code/**'
45+
- '!code/tests/**'
46+
- 'docker/**'
47+
- 'package.json'
48+
- 'pyproject.toml'
49+
- '.github/workflows/build-docker-images.yml'
50+
- '.github/workflows/build-docker.yml'
51+
52+
- name: Skip - No Relevant Changes
53+
if: steps.filter.outputs.docker_related != 'true' && github.event_name != 'workflow_dispatch'
54+
run: echo "No relevant changes detected. Skipping docker build."
55+
3156
docker-build:
57+
needs: check-changes
58+
if: needs.check-changes.outputs.should_build == 'true' || github.event_name == 'workflow_dispatch'
3259
strategy:
3360
matrix:
3461
include:
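Review bot: the workflow-level `permissions:` block grants `id-token: write` and `packages: write` to every job, including the new `check-changes` job, which only needs `contents: read` to run `dorny/paths-filter`; scope `id-token: write` and `packages: write` to the `docker-build` job so the lowest-privileged job does not hold a token-minting permission. Related, `dorny/paths-filter@v3` and `actions/checkout@v6` are referenced by mutable tags; pinning third-party actions to a full commit SHA (with the tag in a trailing comment) prevents a re-pointed tag from changing what runs with `id-token: write`. Minor: the `Skip - No Relevant Changes` step is informational only, which is fine here because `docker-build` has its own `if:` on `needs.check-changes.outputs.should_build`.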
@@ -41,7 +68,6 @@ jobs:
4168
uses: ./.github/workflows/build-docker.yml
4269
with:
4370
new_registry: 'cwydcontainerreg.azurecr.io'
44-
new_username: 'cwydcontainerreg'
4571
app_name: ${{ matrix.app_name }}
4672
dockerfile: ${{ matrix.dockerfile }}
4773
push: ${{ github.ref_name == 'main' || github.ref_name == 'dev' || github.ref_name == 'demo'|| github.ref_name == 'dependabotchanges' }}
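Review bot: the `push:` expression publishes images whenever the branch is `main`, `dev`, `demo` or `dependabotchanges`; now that registry login is OIDC-based through the `production` environment (see build-docker.yml), any branch in this list can push to `cwydcontainerreg.azurecr.io` as long as the environment's protection rules allow it, so confirm that the `production` environment restricts deployment branches to exactly these, and remove `dependabotchanges` from the list once that rebase branch is merged. Dropping `new_username: 'cwydcontainerreg'` matches the input removed from build-docker.yml in this same commit.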

.github/workflows/build-docker.yml

Lines changed: 12 additions & 22 deletions
@@ -6,9 +6,6 @@ on:
66
new_registry:
77
required: true
88
type: string
9-
new_username:
10-
required: true
11-
type: string
129
app_name:
1310
required: true
1411
type: string
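Review bot: removing `new_username` from the `workflow_call` inputs is consistent with the one visible caller (build-docker-images.yml drops it in this commit), but any other caller still passing `new_username:` will now fail validation with an unexpected-input error, so grep the remaining workflows for `new_username` before merging.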
@@ -18,35 +15,28 @@ on:
1815
push:
1916
required: true
2017
type: boolean
21-
secrets:
22-
DOCKER_PASSWORD:
23-
required: false
24-
DEV_DOCKER_PASSWORD:
25-
required: false
2618

2719
jobs:
2820
docker-build:
2921
runs-on: ubuntu-latest
22+
environment: production
3023
steps:
3124
- name: Checkout
3225
uses: actions/checkout@v6
3326

34-
- name: Docker Login to cwydcontainerreg (Main)
35-
if: ${{ inputs.push == true && github.ref_name == 'main' }}
36-
uses: docker/login-action@v4
27+
- name: Login to Azure via OIDC
28+
if: ${{ inputs.push == true }}
29+
uses: azure/login@v2
3730
with:
38-
registry: ${{ inputs.new_registry }}
39-
username: ${{ inputs.new_username }}
40-
password: ${{ secrets.DEV_DOCKER_PASSWORD }}
31+
client-id: ${{ secrets.AZURE_CLIENT_ID }}
32+
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
33+
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
4134

42-
# Login for 'dev' and 'demo' branches to cwydcontainerreg only
43-
- name: Docker Login to cwydcontainerreg (Dev/Demo)
44-
if: ${{ inputs.push == true && (github.ref_name == 'dev' || github.ref_name == 'demo' || github.ref_name == 'dependabotchanges') }}
45-
uses: docker/login-action@v4
46-
with:
47-
registry: ${{ inputs.new_registry }}
48-
username: ${{ inputs.new_username }}
49-
password: ${{ secrets.DEV_DOCKER_PASSWORD }}
35+
- name: Login to ACR
36+
if: ${{ inputs.push == true }}
37+
run: |
38+
REGISTRY_NAME=$(echo "${{ inputs.new_registry }}" | sed 's/.azurecr.io//')
39+
az acr login --name "$REGISTRY_NAME"
5040
5141
- name: Set up Docker Buildx
5242
uses: docker/setup-buildx-action@v4
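Review bot: the `secrets:` declaration block (`DOCKER_PASSWORD`, `DEV_DOCKER_PASSWORD`) is deleted, but the new `Login to Azure via OIDC` step reads `secrets.AZURE_CLIENT_ID`, `secrets.AZURE_TENANT_ID` and `secrets.AZURE_SUBSCRIPTION_ID`, and a reusable workflow only sees secrets that are declared under `on.workflow_call.secrets` or passed by the caller with `secrets: inherit`; the caller hunk in build-docker-images.yml shows only a `with:` block, so either add a `secrets:` section declaring the three names as `required: true` or confirm `secrets: inherit` is present on the caller, otherwise the login step fails. Two smaller points: `environment: production` changes the OIDC subject claim to the `environment:production` form, so the app registration's federated credential must be created for that subject rather than for a branch; and `${{ inputs.new_registry }}` is interpolated straight into the `run:` script, which is the expression-injection pattern, so pass it through `env:` and reference `"$NEW_REGISTRY"` instead, and anchor the `sed` pattern (`s/\.azurecr\.io$//`) so the unescaped dots do not match arbitrary characters.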

.github/workflows/ci.yml

Lines changed: 66 additions & 36 deletions
@@ -6,32 +6,55 @@ on:
66
- main
77
- dev
88
- demo
9-
paths:
10-
- 'infra/**'
11-
- 'scripts/**'
12-
- 'azure.yaml'
13-
- 'pyproject.toml'
14-
- 'Makefile'
15-
- '.github/workflows/ci.yml'
169
schedule:
1710
- cron: '0 8,20 * * *' # Runs at 8:00 AM and 8:00 PM GMT
1811
workflow_dispatch:
1912

2013
permissions:
14+
id-token: write
2115
contents: read
2216
packages: write
2317

2418
concurrency:
2519
group: ${{ github.workflow }}-${{ github.ref }}
2620

2721
jobs:
22+
check-changes:
23+
runs-on: ubuntu-latest
24+
outputs:
25+
should_deploy: ${{ steps.filter.outputs.deploy_related }}
26+
steps:
27+
- name: Checkout
28+
uses: actions/checkout@v6
29+
with:
30+
fetch-depth: 0
31+
32+
- name: Check for relevant changes
33+
id: filter
34+
uses: dorny/paths-filter@v3
35+
with:
36+
filters: |
37+
deploy_related:
38+
- 'infra/**'
39+
- 'scripts/**'
40+
- 'azure.yaml'
41+
- 'pyproject.toml'
42+
- 'Makefile'
43+
- '.github/workflows/ci.yml'
44+
45+
- name: Skip - No Relevant Changes
46+
if: steps.filter.outputs.deploy_related != 'true' && github.event_name != 'workflow_dispatch' && github.event_name != 'schedule'
47+
run: echo "No relevant changes detected. Skipping deployment validation."
48+
2849
deploy:
50+
needs: check-changes
51+
if: needs.check-changes.outputs.should_deploy == 'true' || github.event_name == 'workflow_dispatch' || github.event_name == 'schedule'
2952
runs-on: ubuntu-latest
53+
environment: production
3054
env:
3155
AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
3256
AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
3357
AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
34-
AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
3558
PRINCIPAL_ID: ${{ secrets.PRINCIPAL_ID }}
3659
PRINCIPAL_NAME: ${{ secrets.PRINCIPAL_NAME }}
3760
PRINCIPAL_TYPE: 'ServicePrincipal'
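Review bot: removing `AZURE_CLIENT_SECRET` from the `deploy` job env is the right direction, but the credential itself still exists; once the OIDC path is verified end to end, delete the client secret on the app registration and the `AZURE_CLIENT_SECRET` repository secret so the long-lived credential can no longer be used by anything. Same least-privilege point as in build-docker-images.yml: `id-token: write` and `packages: write` at the workflow level also apply to `check-changes`, which only needs `contents: read`, so scope them to the `deploy` and `cleanup` jobs. Note that with `environment: production` the federated credential subject must use the environment form, and if that environment has required reviewers, the `schedule` runs (`cron: '0 8,20 * * *'`) will sit waiting for approval.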
@@ -51,12 +74,16 @@ jobs:
5174
- name: Install azd
5275
uses: Azure/setup-azd@v2
5376

77+
- name: Login to Azure
78+
uses: azure/login@v2
79+
with:
80+
client-id: ${{ secrets.AZURE_CLIENT_ID }}
81+
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
82+
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
83+
5484
- name: Run Quota Check
5585
id: quota-check
5686
run: |
57-
export AZURE_CLIENT_ID=${{ secrets.AZURE_CLIENT_ID }}
58-
export AZURE_TENANT_ID=${{ secrets.AZURE_TENANT_ID }}
59-
export AZURE_CLIENT_SECRET=${{ secrets.AZURE_CLIENT_SECRET }}
6087
export AZURE_SUBSCRIPTION_ID="${{ secrets.AZURE_SUBSCRIPTION_ID }}"
6188
export GPT_MIN_CAPACITY="150"
6289
export TEXT_EMBEDDING_MIN_CAPACITY="30"
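Review bot: the `Run Quota Check` script now relies on the preceding `Login to Azure` (`azure/login@v2`) session instead of exporting a client secret, which is good, but the remaining `export AZURE_SUBSCRIPTION_ID="${{ secrets.AZURE_SUBSCRIPTION_ID }}"` is redundant because the job-level `env:` already sets `AZURE_SUBSCRIPTION_ID` from the same secret; drop the export so the value is not interpolated into the script body a second time.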
@@ -169,8 +196,9 @@ jobs:
169196
runCmd: |
170197
export optional_args="./code/tests"
171198
172-
# Azure login first
173-
az login --service-principal -u $AZURE_CLIENT_ID -p $AZURE_CLIENT_SECRET --tenant $AZURE_TENANT_ID
199+
# Azure login via OIDC federated token
200+
OIDC_TOKEN=$(curl -s -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=api://AzureADTokenExchange" | jq -r '.value')
201+
az login --service-principal -u "$AZURE_CLIENT_ID" --tenant "$AZURE_TENANT_ID" --federated-token "$OIDC_TOKEN"
174202
az account set --subscription $AZURE_SUBSCRIPTION_ID
175203
176204
# Capture deployment output to a log file
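Review bot: the token fetch `curl -s ... | jq -r '.value'` has no failure handling: without `--fail` an HTTP error body carries no `.value`, `jq -r` prints the literal string `null`, and `az login --federated-token null` then fails with an opaque error; use `curl -fsS` and check `[ -n "$OIDC_TOKEN" ] && [ "$OIDC_TOKEN" != "null" ] || exit 1` before calling `az login`. Also quote `"$AZURE_SUBSCRIPTION_ID"` in `az account set` for consistency with the quoted `-u` and `--tenant` arguments, and note that this in-container login only works because the two `ACTIONS_ID_TOKEN_REQUEST_*` variables are forwarded in the `env:` list below.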
@@ -192,9 +220,10 @@ jobs:
192220
echo "Frontend URL from logs: $(cat log_web_url.txt)"
193221
env: |
194222
AZURE_CLIENT_ID
195-
AZURE_CLIENT_SECRET
196223
AZURE_TENANT_ID
197224
AZURE_SUBSCRIPTION_ID
225+
ACTIONS_ID_TOKEN_REQUEST_URL
226+
ACTIONS_ID_TOKEN_REQUEST_TOKEN
198227
AZURE_ENV_NAME
199228
AZURE_LOCATION
200229
AZURE_RESOURCE_GROUP
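Review bot: forwarding `ACTIONS_ID_TOKEN_REQUEST_URL` and `ACTIONS_ID_TOKEN_REQUEST_TOKEN` into the devcontainer means everything that runs inside it for the rest of the step, including the test code under `./code/tests`, can request OIDC tokens for this workflow's identity; that is comparable in scope to the `AZURE_CLIENT_SECRET` it replaces but bounded to the job's lifetime rather than long-lived, which is an improvement. If the container only needs an authenticated `az` session, consider whether the login can be done on the runner with the resulting CLI profile made available to the container, so the request token itself never enters it.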
@@ -286,10 +315,6 @@ jobs:
286315
env:
287316
FRONTEND_WEBSITE_URL: ${{ env.FRONTEND_WEBSITE_URL }}
288317
ADMIN_WEBSITE_URL: ${{ env.ADMIN_WEBSITE_URL }}
289-
AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
290-
AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
291-
AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
292-
AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
293318

294319
- name: Export PostgreSQL Host Endpoint from Makefile
295320
run: |
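Review bot: removing the four `AZURE_*` entries from this step's `env:` leaves only `FRONTEND_WEBSITE_URL` and `ADMIN_WEBSITE_URL`; the step body is outside the hunk, so confirm it no longer reads `AZURE_CLIENT_ID`, `AZURE_TENANT_ID` or `AZURE_SUBSCRIPTION_ID` (for example through a test harness that authenticates), because the `deploy` job still provides those three at job level while the removed `AZURE_CLIENT_SECRET` is gone entirely.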
@@ -326,19 +351,23 @@ jobs:
326351
python - <<EOF
327352
import os
328353
import psycopg2
329-
from azure.identity import ClientSecretCredential
354+
from azure.identity import DefaultAzureCredential
330355
331-
tenant_id = os.environ["AZURE_TENANT_ID"]
332-
client_id = os.environ["AZURE_CLIENT_ID"]
333-
client_secret = os.environ["AZURE_CLIENT_SECRET"]
334356
pg_host = os.environ.get("PG_HOST_DESTINATION", "localhost")
335357
336-
# Acquire Azure AD access token for PostgreSQL
337-
credential = ClientSecretCredential(tenant_id, client_id, client_secret)
358+
# Acquire Azure AD access token for PostgreSQL via OIDC (Azure CLI credential)
359+
credential = DefaultAzureCredential()
338360
token = credential.get_token("https://ossrdbms-aad.database.windows.net/.default").token
339361
362+
# Get the service principal display name for PostgreSQL user
363+
import subprocess
364+
sp_display_name = subprocess.run(
365+
["az", "ad", "sp", "show", "--id", os.environ["AZURE_CLIENT_ID"], "--query", "displayName", "-o", "tsv"],
366+
capture_output=True, text=True
367+
).stdout.strip()
368+
340369
db_params = {
341-
"user": client_id, # Use service principal clientId
370+
"user": sp_display_name, # Use service principal display name
342371
"password": token, # Use AAD token instead of password
343372
"host": pg_host,
344373
"port": "5432",
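Review bot: the `az ad sp show` result is used without checking the exit status: `subprocess.run(...)` is called without `check=True`, so if the call fails (it needs Microsoft Graph read access, which an OIDC-authenticated service principal does not necessarily hold) `stdout` is empty, `"user"` becomes `""`, and the failure surfaces later as a confusing PostgreSQL authentication error; add `check=True` and fail fast if `sp_display_name` is empty. Second, the comment says the token comes from the Azure CLI login, but `DefaultAzureCredential()` probes several sources first (environment, workload identity, managed identity) and only then the CLI, which can add IMDS timeouts on a hosted runner; `AzureCliCredential()` from the same `azure.identity` package states exactly what is intended. Style: move `import subprocess` up with the other imports.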
@@ -360,10 +389,6 @@ jobs:
360389
except Exception as e:
361390
print(f"❌ Error during import: {e}")
362391
EOF
363-
env:
364-
AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
365-
AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
366-
AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
367392
368393
- name: Final Status Check
369394
id: final-status
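Review bot: with this step-level `env:` gone, the heredoc's `os.environ["AZURE_CLIENT_ID"]` now resolves from the `deploy` job's env block, which still sets `AZURE_CLIENT_ID`, `AZURE_TENANT_ID` and `AZURE_SUBSCRIPTION_ID`; that dependency is implicit, so a one-line comment above `python - <<EOF` noting it would save the next person a search.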
@@ -387,24 +412,24 @@ jobs:
387412

388413

389414
e2e-test:
390-
needs: deploy
391-
if: needs.deploy.outputs.DEPLOYMENT_SUCCESS == 'true'
415+
needs: [check-changes, deploy]
416+
if: always() && needs.deploy.result == 'success' && needs.deploy.outputs.DEPLOYMENT_SUCCESS == 'true'
392417
uses: ./.github/workflows/test-automation.yml
393418
with:
394419
web_url: ${{ needs.deploy.outputs.web_url }}
395420
admin_url: ${{ needs.deploy.outputs.admin_url }}
396421

397422

398423
cleanup:
399-
if: always()
400-
needs: [deploy, e2e-test]
424+
if: always() && needs.deploy.result != 'skipped'
425+
needs: [check-changes, deploy, e2e-test]
401426
runs-on: ubuntu-latest
427+
environment: production
402428

403429
env:
404430
AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
405431
AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
406432
AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
407-
AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
408433
AZURE_ENV_NAME: ${{ needs.deploy.outputs.solution_suffix }} # Get from deploy job
409434
AZURE_LOCATION: ${{ vars.AZURE_LOCATION }}
410435
imageTag: ${{ needs.deploy.outputs.imageTag }}
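Review bot: the `e2e-test` condition `always() && needs.deploy.result == 'success' && ...` is better written with `!cancelled()` in place of `always()`, since `always()` keeps evaluating the job even after the run is cancelled and the only reason to look past a skipped `deploy` here is the skipped-`check-changes` case; for `cleanup`, `always() && needs.deploy.result != 'skipped'` is the right shape because a destroy should also run after cancellation. Adding `environment: production` to `cleanup` means that if the environment has required reviewers, `make destroy` waits for approval, which can leave billable resources up after a failed run; decide explicitly whether cleanup should sit behind that gate. Removing `AZURE_CLIENT_SECRET` here completes the migration for this job.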
@@ -420,12 +445,17 @@ jobs:
420445
push: never
421446
imageName: ghcr.io/azure-samples/chat-with-your-data-solution-accelerator
422447
imageTag: ${{ env.imageTag }}
423-
runCmd: make destroy
448+
runCmd: |
449+
OIDC_TOKEN=$(curl -s -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=api://AzureADTokenExchange" | jq -r '.value')
450+
az login --service-principal -u "$AZURE_CLIENT_ID" --tenant "$AZURE_TENANT_ID" --federated-token "$OIDC_TOKEN"
451+
az account set --subscription $AZURE_SUBSCRIPTION_ID
452+
make destroy
424453
env: |
425454
AZURE_CLIENT_ID
426-
AZURE_CLIENT_SECRET
427455
AZURE_TENANT_ID
428456
AZURE_SUBSCRIPTION_ID
457+
ACTIONS_ID_TOKEN_REQUEST_URL
458+
ACTIONS_ID_TOKEN_REQUEST_TOKEN
429459
AZURE_ENV_NAME
430460
AZURE_LOCATION
431461
AZURE_RESOURCE_GROUP
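Review bot: the OIDC token exchange in `runCmd` (`curl ... | jq -r '.value'` followed by `az login --service-principal ... --federated-token`) is now duplicated verbatim from the deploy job above; move it into a script under `scripts/` (already part of the `deploy_related` filter) so the `--fail` handling and the `null` check only have to be fixed in one place. As above, `az account set --subscription $AZURE_SUBSCRIPTION_ID` should quote the variable, and forwarding `ACTIONS_ID_TOKEN_REQUEST_TOKEN` into the container carries the same scope consideration as in the deploy job.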
