Conversation
Adds the actions under github-actions/ (TypeScript sources + committed esbuild bundles in dist/) so they can be consumed at the @jay ref from an external workflow, e.g.: uses: microsoft/Managed-Apps/github-actions/install-ms-cli@jay uses: microsoft/Managed-Apps/github-actions/ms-app-deploy@jay Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
jbujula
requested review from
Anshulmsft,
Chamu-Rajasekera and
pavankm
as code owners
On pushes to main that touch github-actions/, rebuilds the esbuild bundles, fails if committed dist/ is stale, then cuts an immutable vX.Y.Z tag and moves the vX alias. MAJOR.MINOR come from package.json; PATCH auto-increments from existing tags. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Tag the exact vMAJOR.MINOR.PATCH from github-actions/package.json (single source of truth) instead of auto-incrementing patch from tags. Fail the run if that tag already exists, signalling a needed version bump. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
First release cut from main will be v1.0.1, avoiding the existing manual v1.0.0 tag on the jay test branch. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Hand-maintained changelog (Keep a Changelog format) scoped to the actions. Updated in the same PR that bumps package.json version; the release workflow does not modify it. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Colocates the /create-pr release-PR skill with the component. Branches from origin/main, bumps version, updates CHANGELOG, rebuilds dist, and opens a PR. Loads when Claude is rooted at github-actions/. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Documents the end-to-end activity flow (setup / local dev / CI loops), the ms-app-deploy sequence with RP rejection points, and the release versioning flow. Captures real test learnings: AllowExternalArtifact- Deployment gate, repoType none BYOB, preprod cloud, SPN RP block, and app-scope sharing. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The real RP error and environment setting is AllowExternalArtifactDeployment (singular "Artifact"); README and the deploy action.yml comment had an extra "s". Corrected to match the actual setting name. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Version-controls the corrected BYOB setup walkthrough (SKILL.md + BAP role-grant .http asset) alongside the actions it documents. Refs point to microsoft/Managed-Apps/github-actions/@v1; setting name and node version corrected. Marked user-invocable for /maaf-byob-setup. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Anshulmsft
reviewed
Jun 23, 2026
| var __create = Object.create; | ||
| var __defProp = Object.defineProperty; | ||
| var __getOwnPropDesc = Object.getOwnPropertyDescriptor; | ||
| var __getOwnPropNames = Object.getOwnPropertyNames; |
Contributor
There was a problem hiding this comment.
It seems these files get generated by after compiling ts files. Do we need to check-in these files?
pavankm
reviewed
Jun 23, 2026
| # | ||
| # ms-app-deploy/action.yml | ||
| # | ||
| # Deploys a MAAF code app via `ms app deploy`. Three deploy modes are |
Collaborator
There was a problem hiding this comment.
do not use the term MAAF in customer facing docs
pavankm
reviewed
Jun 23, 2026
| # - Tenant admin has enabled `AllowExternalArtifactDeployment` on the | ||
| # target environment. Without it, deploy returns a policy error from | ||
| # the RP. Wiki: | ||
| # microsoft.ghe.com/bic/Managed-Ops-Internal/blob/main/docs/devops/MAAF/allowExternalArtifactDeployment-powershell.md |
Collaborator
There was a problem hiding this comment.
This is an internal Wiki and should not be referenced in customer facing code
pavankm
reviewed
Jun 23, 2026
| # action's auth inputs (`app-id`, `client-secret`, `tenant-id`) are wired | ||
| # to the CLI's documented SPN env vars, but the server will reject them | ||
| # until either: | ||
| # (a) the RP enables SPN for MAAF operations, OR |
Collaborator
There was a problem hiding this comment.
internal detail & team name
pavankm
reviewed
Jun 23, 2026
| # tenant-id: ${{ secrets.PP_SP_TENANT_ID }} | ||
| # | ||
| name: 'ms-app-deploy' | ||
| description: 'Power Platform MS App Deploy — deploys a MAAF code app for the given commit' |
Collaborator
There was a problem hiding this comment.
Not "Power Platform". Change this, and other references to "Microsoft managed apps"
pavankm
requested changes
Jun 23, 2026
pavankm
reviewed
Jun 23, 2026
| // is loaded. | ||
|
|
||
| /** Set to 'true' after install-ms-cli successfully installs the CLI. */ | ||
| export const MsInstalledEnvVarName = 'POWERPLATFORMTOOLS_MSINSTALLED'; |
Collaborator
There was a problem hiding this comment.
managed apps are not an offering under Power Platform.
We should change this to avoid confusion
pavankm
reviewed
Jun 23, 2026
| - **`repoType: none` needs no git remote.** `ms app create --repo none` scaffolds | ||
| from a template and writes `ms.config.json`; deploy builds locally and uploads | ||
| the artifact. No `git init`/remote required. | ||
| - **Cloud target** is set via `MS_CLI_CLOUD_INSTANCE` (tested `preprod`). The |
pavankm
reviewed
Jun 23, 2026
| - **Sharing:** for `repoType: none` apps (no platform-managed repo), | ||
| `ms app share <id> --access edit` grants contributor access at the **app scope** | ||
| rather than the repository scope. | ||
| - **Debug env override:** `MS_CLI_MAAF_DEBUG_ENVIRONMENT_ID` was used in testing to |
Collaborator
There was a problem hiding this comment.
This env var should not be surfaced to customers
pavankm
reviewed
Jun 23, 2026
|
|
||
| ```pwsh | ||
| $Env:MS_CLI_MAAF_DEBUG_ENVIRONMENT_ID = '<environment-guid>' | ||
| $Env:MS_CLI_CLOUD_INSTANCE = 'preprod' |
Collaborator
There was a problem hiding this comment.
this env var should not be surfaced to customers
pavankm
reviewed
Jun 23, 2026
| @@ -0,0 +1,95 @@ | |||
| --- | |||
| name: create-pr | |||
Collaborator
There was a problem hiding this comment.
This change is a mix of internal development and customer facing artifacts.
I'd suggest we keep the internal development separate and not in the public facing repo - otherwise internal processes, comments and iterations are all visible in git history
Relocates architecture / release / BYOB-setup content from github-actions/.claude/skills/ to github-actions/docs/ as plain Markdown, strips Claude skill frontmatter, and neutralizes Claude-specific tool references (AskUserQuestion/TodoWrite) so any coding-agent CLI can use them. Updates the README to a Docs section linking all three. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The Power Apps RP now accepts Service Principal identities for MAAF operations, so the ms-app-deploy "ServicePrincipalNotSupportedForMaaf- Operations / RP currently rejects SPN" warning is no longer valid. Removes that core.warning, rewrites the deploy action.yml auth notes, and updates the architecture + BYOB docs accordingly. Rebuilds dist. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
actions/checkout@v5 and actions/setup-node@v5 target node24; @v4 targets node20 and triggers the runner deprecation warning. Updates all example workflows in the README, BYOB doc, and action.yml comments, and bumps the README quick-start node-version to 24. No action source change (our actions already run on node24), so no dist rebuild. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Renames github-actions/docs to github-actions/agent-skills so the folder name signals it holds agent-usable skills (tool-agnostic). Adds github-actions/AGENTS.md (cross-tool standard) as an index so any coding agent auto-discovers the skills. Updates README links. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The ms CLI emits NDJSON progress lines followed by a multi-line result
object. The greedy first-{ to last-} parse spliced them into one invalid
blob and threw "Unexpected non-whitespace character after JSON" — even
though the deploy succeeded. Now extract top-level JSON objects (string-
aware brace scan) and return the last valid one.
Also fix output mapping: read appId (the CLI's field, not id), source
environment-id from ms.config.json, set commit-sha from the result, and
add an app-play-uri output. Rebuilds dist.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What this PR adds
Tooling for building, deploying, and releasing Microsoft Managed Apps (MAAF) from CI, all under
github-actions/:Three GitHub Actions
install-ms-cli@microsoft/managed-apps-cli(binary:ms) on the runner. Supports the public npm registry and private Azure DevOps Artifacts feeds.ms-app-packms app pack— runs the app's build command and stages the packed artifact.ms-app-deployms app deploy— uploads and deploys to the target Power Platform environment. Supports--artifact,--commit, and CLI-internal pack modes based onrepoTypeinms.config.json.Plus release automation (
.github/workflows/release-github-actions.yml), a hand-maintainedCHANGELOG.md, and tool-agnostic agent skills (github-actions/agent-skills/, indexed bygithub-actions/AGENTS.md): architecture, a release guide, and a BYOB setup walkthrough.Usage
How it's built
src/actions/<name>/index.ts, compiled withgulp+ bundled per-action byesbuild(target: node24) intodist/actions/<name>/index.js.dist/is committed (referenced by eachaction.yml'smain:), so it must be rebuilt when sources change:npm install && npm run build.node24.Design notes
src/shared/env.ts(a side-effect-free module). The actions import the install env-var names from there rather than frominstall-ms-cli/index, soms-app-pack/ms-app-deploybundles never embed the installer's load-time entry point. Verified: the installer's code is absent from the pack/deploy bundles.app-id+client-secret+tenant-idare all supplied; partial input warns instead of silently using a stale identity. Secrets are masked viacore.setSecret.install-ms-cli) writes a0600temp.npmrcand uses Azure DevOps_password(base64 PAT) vs. bearer_authTokenbased on a strict hostname match (*.pkgs.dev.azure.com), preventing PAT exfiltration via a spoofed registry URL.Versioning & releases
github-actions/package.jsonis the single source of truth for the version.Two tags are maintained:
v1(moving major)@v1). Re-pointed to the latestv1.x.yon each release.v1.x.y(immutable)Release workflow (
release-github-actions.yml) runs on pushes tomainthat touchgithub-actions/**. It:dist/and fails if the committed bundle is stale (drift guard).package.jsonand fails if that tag already exists (signal to bump).vX.Y.Ztag and force-moves thevXalias to the merge commit.Bump
versioninpackage.jsonto control the release: patch (bug fix), minor (new optional input/output/action), major (breaking — produces a freshvNalias and leaves older majors untouched).Changelog (
CHANGELOG.md) is hand-maintained — updated in the same PR that bumps the version (promote[Unreleased]→ the new version). The release workflow does not modify it.Release guide (
github-actions/agent-skills/release-guide.md) is a plain runbook for cutting a release PR — branch from latestorigin/main, bumppackage.json, update the changelog, rebuilddist/, open the PR. Follow it by hand or hand it to any coding-agent CLI.Testing
Validated end-to-end from an external consumer workflow against the
@jayref: the action resolves and runs on the node24 runtime (no node20 deprecation warning for these actions), andinstall-ms-cliinstalls the CLI successfully.Architecture
See
github-actions/agent-skills/architecture.mdfor the end-to-end MAAF flow (setup / local dev / CI loops), thems-app-deploysequence with RP rejection points, and the release/versioning flow — with Mermaid diagrams. All agent skills live undergithub-actions/agent-skills/(indexed bygithub-actions/AGENTS.md) and are linked from thegithub-actions/README.md.🤖 Generated with Claude Code