feat: add microsoft.azd.exec extension

Add the azd-exec extension as microsoft.azd.exec to the official
extensions directory. This extension enables script execution with
Azure Developer CLI context, environment variables, and automatic
Azure Key Vault secret resolution.

Features:
- Execute script files (-s) or inline commands (-i) with shell selection
- Automatic azd environment variable loading via azd env get-values
- Azure Key Vault secret reference resolution in environment variables
- Cross-platform shell support (bash, sh, zsh, pwsh, powershell, cmd)
- Child process exit code propagation for CI/CD pipelines
- Interactive mode with stdin passthrough

Architecture:
- internal/cmd: Cobra CLI commands (root, version, listen)
- internal/executor: Script execution engine with command builder
- internal/envutil: Shared Key Vault reference resolution
- internal/shellutil: Shared shell detection and validation

Test coverage: 82-94% across all packages (42 tests).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: jongio

.github/workflows/lint-ext-microsoft-azd-exec.yml

@@ -0,0 +1,22 @@
+name: ext-microsoft-azd-exec-ci
+
+on:
+  pull_request:
+    paths:
+      - "cli/azd/extensions/microsoft.azd.exec/**"
+      - ".github/workflows/lint-ext-microsoft-azd-exec.yml"
+    branches: [main]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  lint:
+    uses: ./.github/workflows/lint-go.yml
+    with:
+      working-directory: cli/azd/extensions/microsoft.azd.exec

cli/azd/extensions/microsoft.azd.exec/.golangci.yaml

@@ -0,0 +1,17 @@
+version: "2"
+
+linters:
+  default: none
+  enable:
+    - gosec
+    - lll
+    - unused
+    - errorlint
+  settings:
+    lll:
+      line-length: 220
+      tab-width: 4
+
+formatters:
+  enable:
+    - gofmt

cli/azd/extensions/microsoft.azd.exec/CHANGELOG.md

@@ -0,0 +1,9 @@
+# Changelog
+
+## 0.5.0
+
+- Initial release as `microsoft.azd.exec` in the Azure/azure-dev repository.
+- Execute scripts and inline commands with full azd environment context.
+- Cross-platform shell detection and execution (bash, sh, zsh, pwsh, powershell, cmd).
+- Interactive mode for scripts requiring stdin.
+- Child process exit code propagation for CI/CD pipelines.

cli/azd/extensions/microsoft.azd.exec/README.md

@@ -0,0 +1,51 @@
+# microsoft.azd.exec
+
+Execute scripts and commands with Azure Developer CLI context and environment variables.
+
+## Installation
+
+```bash
+azd extension install microsoft.azd.exec
+```
+
+## Usage
+
+```bash
+# Execute a script file with azd environment
+azd exec ./setup.sh
+
+# Inline command with environment variables
+azd exec 'echo $AZURE_ENV_NAME'
+
+# Specify shell explicitly
+azd exec --shell pwsh "Write-Host 'Hello'"
+
+# Pass arguments to script
+azd exec ./build.sh -- --verbose
+
+# Interactive mode
+azd exec -i ./interactive-setup.sh
+```
+
+## Features
+
+- **Shell auto-detection**: Detects shell from file extension
+- **Cross-platform**: Supports bash, sh, zsh, pwsh, powershell, and cmd
+- **Interactive mode**: Connect stdin for scripts requiring user input
+- **Environment loading**: Inherits azd environment variables (including resolved Key Vault secrets from azd core)
+- **Exit code propagation**: Child process exit codes forwarded for CI/CD pipelines
+
+## Development
+
+```bash
+cd cli/azd/extensions/microsoft.azd.exec
+
+# Build
+go build ./...
+
+# Test
+go test ./...
+
+# Build for all platforms
+EXTENSION_ID=microsoft.azd.exec EXTENSION_VERSION=0.5.0 ./build.sh
+```

cli/azd/extensions/microsoft.azd.exec/build.ps1

@@ -0,0 +1,73 @@
+# Ensure script fails on any error
+$ErrorActionPreference = 'Stop'
+
+# Get the directory of the script
+$EXTENSION_DIR = Split-Path -Parent $MyInvocation.MyCommand.Path
+
+# Change to the script directory
+Set-Location -Path $EXTENSION_DIR
+
+# Create a safe version of EXTENSION_ID replacing dots with dashes
+$EXTENSION_ID_SAFE = $env:EXTENSION_ID -replace '\.', '-'
+
+# Define output directory
+$OUTPUT_DIR = if ($env:OUTPUT_DIR) { $env:OUTPUT_DIR } else { Join-Path $EXTENSION_DIR "bin" }
+
+# Create output directory if it doesn't exist
+if (-not (Test-Path -Path $OUTPUT_DIR)) {
+    New-Item -ItemType Directory -Path $OUTPUT_DIR | Out-Null
+}
+
+# List of OS and architecture combinations
+if ($env:EXTENSION_PLATFORM) {
+    $PLATFORMS = @($env:EXTENSION_PLATFORM)
+}
+else {
+    $PLATFORMS = @(
+        "windows/amd64",
+        "windows/arm64",
+        "darwin/amd64",
+        "darwin/arm64",
+        "linux/amd64",
+        "linux/arm64"
+    )
+}
+
+$APP_PATH = "$env:EXTENSION_ID/internal/cmd"
+
+# Loop through platforms and build
+foreach ($PLATFORM in $PLATFORMS) {
+    $OS, $ARCH = $PLATFORM -split '/'
+
+    $OUTPUT_NAME = Join-Path $OUTPUT_DIR "$EXTENSION_ID_SAFE-$OS-$ARCH"
+
+    if ($OS -eq "windows") {
+        $OUTPUT_NAME += ".exe"
+    }
+
+    Write-Host "Building for $OS/$ARCH..."
+
+    # Delete the output file if it already exists
+    if (Test-Path -Path $OUTPUT_NAME) {
+        Remove-Item -Path $OUTPUT_NAME -Force
+    }
+
+    # Set environment variables for Go build
+    $env:GOOS = $OS
+    $env:GOARCH = $ARCH
+
+    go build `
+        -trimpath `
+        -buildmode=pie `
+        -tags=cfi,cfg,osusergo `
+        -ldflags="-s -w -X '$APP_PATH.Version=$env:EXTENSION_VERSION'" `
+        -o $OUTPUT_NAME
+
+    if ($LASTEXITCODE -ne 0) {
+        Write-Host "An error occurred while building for $OS/$ARCH"
+        exit 1
+    }
+}
+
+Write-Host "Build completed successfully!"
+Write-Host "Binaries are located in the $OUTPUT_DIR directory."

cli/azd/extensions/microsoft.azd.exec/build.sh

@@ -0,0 +1,66 @@
+#!/bin/bash
+
+# Get the directory of the script
+EXTENSION_DIR="$(cd "$(dirname "$0")" && pwd)"
+
+# Change to the script directory
+cd "$EXTENSION_DIR" || exit
+
+# Create a safe version of EXTENSION_ID replacing dots with dashes
+EXTENSION_ID_SAFE="${EXTENSION_ID//./-}"
+
+# Define output directory
+OUTPUT_DIR="${OUTPUT_DIR:-$EXTENSION_DIR/bin}"
+
+# Create output and target directories if they don't exist
+mkdir -p "$OUTPUT_DIR"
+
+# Get Git commit hash and build date
+COMMIT=$(git rev-parse HEAD)
+BUILD_DATE=$(date -u +%Y-%m-%dT%H:%M:%SZ)
+
+# List of OS and architecture combinations
+if [ -n "$EXTENSION_PLATFORM" ]; then
+    PLATFORMS=("$EXTENSION_PLATFORM")
+else
+    PLATFORMS=(
+        "windows/amd64"
+        "windows/arm64"
+        "darwin/amd64"
+        "darwin/arm64"
+        "linux/amd64"
+        "linux/arm64"
+    )
+fi
+
+APP_PATH="$EXTENSION_ID/internal/cmd"
+
+# Loop through platforms and build
+for PLATFORM in "${PLATFORMS[@]}"; do
+    OS=$(echo "$PLATFORM" | cut -d'/' -f1)
+    ARCH=$(echo "$PLATFORM" | cut -d'/' -f2)
+
+    OUTPUT_NAME="$OUTPUT_DIR/$EXTENSION_ID_SAFE-$OS-$ARCH"
+
+    if [ "$OS" = "windows" ]; then
+        OUTPUT_NAME+='.exe'
+    fi
+
+    echo "Building for $OS/$ARCH..."
+
+    # Delete the output file if it already exists
+    [ -f "$OUTPUT_NAME" ] && rm -f "$OUTPUT_NAME"
+
+    # Set environment variables for Go build
+    GOOS=$OS GOARCH=$ARCH go build \
+        -ldflags="-X '$APP_PATH.Version=$EXTENSION_VERSION' -X '$APP_PATH.Commit=$COMMIT' -X '$APP_PATH.BuildDate=$BUILD_DATE'" \
+        -o "$OUTPUT_NAME"
+
+    if [ $? -ne 0 ]; then
+        echo "An error occurred while building for $OS/$ARCH"
+        exit 1
+    fi
+done
+
+echo "Build completed successfully!"
+echo "Binaries are located in the $OUTPUT_DIR directory."

cli/azd/extensions/microsoft.azd.exec/ci-build.ps1

@@ -0,0 +1,86 @@
+param(
+    [string] $Version = (Get-Content "$PSScriptRoot/../version.txt"),
+    [string] $SourceVersion = (git rev-parse HEAD),
+    [switch] $CodeCoverageEnabled,
+    [string] $OutputFileName
+)
+$PSNativeCommandArgumentPassing = 'Legacy'
+
+# Remove any previously built binaries
+go clean
+
+if ($LASTEXITCODE) {
+    Write-Host "Error running go clean"
+    exit $LASTEXITCODE
+}
+
+# Run `go help build` to obtain detailed information about `go build` flags.
+$buildFlags = @(
+    # remove all file system paths from the resulting executable.
+    "-trimpath",
+
+    # Use buildmode=pie (Position Independent Executable) for enhanced security.
+    "-buildmode=pie"
+)
+
+if ($CodeCoverageEnabled) {
+    $buildFlags += "-cover"
+}
+
+# Build constraint tags
+$tagsFlag = "-tags=cfi,cfg,osusergo"
+
+# ld linker flags
+$ldFlag = "-ldflags=-s -w -X 'microsoft.azd.exec/internal/cmd.Version=$Version'"
+
+if ($IsWindows) {
+    Write-Host "Building for Windows"
+}
+elseif ($IsLinux) {
+    Write-Host "Building for linux"
+}
+elseif ($IsMacOS) {
+    Write-Host "Building for macOS"
+}
+
+# Add output file flag based on specified output file name
+$outputFlag = "-o=$OutputFileName"
+
+# collect flags
+$buildFlags += @(
+    $tagsFlag,
+    $ldFlag,
+    $outputFlag
+)
+
+function PrintFlags() {
+    param(
+        [string] $flags
+    )
+
+    $i = 0
+    foreach ($buildFlag in $buildFlags) {
+        $argWithValue = $buildFlag.Split('=', 2)
+        if ($argWithValue.Length -eq 2 -and !$argWithValue[1].StartsWith("`"")) {
+            $buildFlag = "$($argWithValue[0])=`"$($argWithValue[1])`""
+        }
+
+        if ($i -eq $buildFlags.Length - 1) {
+            Write-Host "  $buildFlag"
+        }
+        else {
+            Write-Host "  $buildFlag ``"
+        }
+        $i++
+    }
+}
+
+Write-Host "Running: go build ``"
+PrintFlags -flags $buildFlags
+go build @buildFlags
+if ($LASTEXITCODE) {
+    Write-Host "Error running go build"
+    exit $LASTEXITCODE
+}
+
+Write-Host "go build succeeded"

cli/azd/extensions/microsoft.azd.exec/extension.yaml

@@ -0,0 +1,11 @@
+capabilities:
+    - custom-commands
+    - metadata
+description: Execute scripts and commands with Azure Developer CLI context, environment variables, and Azure Key Vault secret resolution.
+displayName: Exec
+id: microsoft.azd.exec
+language: go
+namespace: exec
+requiredAzdVersion: ">1.23.6"
+usage: azd exec <command> [options]
+version: 0.5.0