Enable AKS deployment agent for asdfasf

[gambtho]

AKS Desktop — Containerization Agent Setup

This PR adds the GitHub Copilot Coding Agent configuration for containerizing and deploying this application to AKS.

What gets added

• .github/workflows/copilot-setup-steps.yml — environment setup for the agent
• .github/agents/containerization.agent.md — agent instructions for containerization + AKS deployment

What happens after merge

The Copilot Coding Agent will analyze this repository and create a follow-up PR with:

• A best-practice Dockerfile
• Kubernetes manifests in /deploy/kubernetes/
• .github/workflows/deploy-to-aks.yml (deployment workflow)
• Optional /deploy/README.md

AKS Configuration

• Cluster: thgamble_dt
• Resource Group: thgamble_dt_group
• Namespace: somens

---

Created by AKS Desktop

Summary by CodeRabbit

• Chores
  • Added containerization and deployment automation specifications
  • Added GitHub Actions workflow for environment setup and validation

[coderabbitai]

📝 Walkthrough

Walkthrough

Two new configuration files establish a containerization agent specification with detailed MCP tools, execution workflow, Dockerfile generation, Kubernetes manifests, and AKS deployment procedures. A GitHub Actions workflow is added for Copilot setup, featuring Node.js, OPA, and containerization-assist-mcp tool integration.

Changes

Cohort / File(s)	Summary
Agent Specification .github/agents/containerization.agent.md	New comprehensive containerization agent specification defining role, requirements (image tag 1.0), MCP tools, execution pipeline (analyze → generate/fix Dockerfile → build → scan → generate Kubernetes manifests), output directory structure, AKS deployment configuration, GitHub Actions workflow integration, naming conventions, and validation checklist. Enforces strict tool-call ordering via artifacts/tool-call-checklist.md.
Copilot Setup Workflow .github/workflows/copilot-setup-steps.yml	New GitHub Actions workflow triggered on workflow_dispatch. Configures Node.js 22, OPA via open-policy-agent/setup-opa@v2, and runs containerization-assist-mcp@latest list-policies command for policy verification.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 Hops of joy in the workflow lane,
Containers now dance without pain,
Docker, Kubernetes, OPA's might,
Agents configured, burning so bright!
Configuration's garden takes root with care ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title mentions 'Enable AKS deployment agent' which aligns with the PR's objective of enabling a Copilot Coding Agent for AKS deployment, but includes 'asdfasf' which appears to be placeholder or test text unrelated to the actual change.	Clarify the title by removing the 'asdfasf' placeholder text. Consider 'Enable AKS deployment agent for containerization' or similar to better reflect the actual functionality being added.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch aks-desktop/setup-asdfasf-1771454493633

Tip

Issue Planner is now in beta. Read the docs and try it out! Share your feedback on Discord.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 4

🧹 Nitpick comments (5)

.github/workflows/copilot-setup-steps.yml (3)

17-23: Pin OPA to a specific version instead of latest.

version: latest makes the OPA installation non-deterministic. A new OPA release could silently break the list-policies invocation or introduce unexpected behavior in the agent's environment.

♻️ Suggested fix

       - name: Setup OPA
         uses: open-policy-agent/setup-opa@v2
         with:
-          version: latest
+          version: v0.71.0   # pin to a known-good release

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/copilot-setup-steps.yml around lines 17 - 23, Replace the
non-deterministic OPA installer version in the "Setup OPA" step (uses:
open-policy-agent/setup-opa@v2) by pinning the with.version value to a specific
released tag (e.g., a tested vX.Y.Z) instead of "latest"; update the version
string in that step so the workflow consistently installs a known OPA release
and re-run the "Verify OPA installation" (opa version) to confirm the pinned
version.

---

10-27: Pin third-party actions to commit SHAs to guard against tag mutation.

GitHub's security guidance for Actions workflows states: "Pin third-party actions to specific commits by using the SHA value." actions/checkout@v4, actions/setup-node@v4, and open-policy-agent/setup-opa@v2 are all pinned to mutable tags. If any tag is force-pushed, the step executes different (potentially malicious) code with no warning.

Example for actions/checkout:

-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

Apply the same pattern to setup-node and setup-opa.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/copilot-setup-steps.yml around lines 10 - 27, Replace
mutable tags for third-party actions by pinning each action reference to a
specific commit SHA: update uses: actions/checkout@v4, uses:
actions/setup-node@v4, and uses: open-policy-agent/setup-opa@v2 to their
respective full commit SHAs (e.g., actions/checkout@<sha>,
actions/setup-node@<sha>, open-policy-agent/setup-opa@<sha>) in the workflow
steps named "actions/checkout", "Set up Node.js 22"/actions/setup-node, and
"Setup OPA"/open-policy-agent/setup-opa so the workflow runs a fixed, auditable
commit instead of a mutable tag.

---

3-4: Add push/pull_request path triggers so the workflow self-validates on change.

GitHub documentation notes that the copilot-setup-steps.yml file will automatically run as a normal GitHub Actions workflow when changes are made, so you can see if it runs successfully, and this will show alongside other checks in a pull request where you create or modify the file. With workflow_dispatch as the only trigger, a broken setup step won't surface until Copilot actually tries to use it.

♻️ Suggested trigger addition

 on:
   workflow_dispatch:
+  push:
+    paths:
+      - .github/workflows/copilot-setup-steps.yml
+  pull_request:
+    paths:
+      - .github/workflows/copilot-setup-steps.yml

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/copilot-setup-steps.yml around lines 3 - 4, Update the
workflow triggers in the top-level on: block so the CI runs automatically on
changes; specifically, in the workflow's on: section replace or augment the
existing workflow_dispatch-only trigger by adding push and pull_request triggers
(optionally with sensible path filters) so changes to copilot-setup-steps.yml
will self-validate on PRs and pushes rather than requiring manual
workflow_dispatch.

.github/agents/containerization.agent.md (2)

65-67: Unconditional Dockerfile generation contradicts the "minimal changes" principle.

Line 66 instructs the agent to call generate-dockerfile even if a Dockerfile already exists, which will overwrite it. This directly conflicts with the principle stated at line 52: "Keep changes minimal and explainable; don't restructure the repo unless necessary."

If the repository already has a carefully tuned Dockerfile, the generated replacement may regress it. Consider a conditional approach:

♻️ Suggested update

 ### 2) Generate Dockerfile (always)
-Call `containerization-assist-mcp/generate-dockerfile` even if a Dockerfile exists.
-Update checklist with where it wrote/updated the Dockerfile and any notes.
+If no Dockerfile exists, call `containerization-assist-mcp/generate-dockerfile`.
+If a Dockerfile already exists, call `containerization-assist-mcp/analyze-repo` to validate it, then proceed to the fix step.
+Update checklist with what was found and any notes.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/agents/containerization.agent.md around lines 65 - 67, Update the
unconditional Dockerfile generation so the agent only invokes
containerization-assist-mcp/generate-dockerfile when no Dockerfile exists or
when an explicit overwrite flag/consent is provided; modify the "Generate
Dockerfile (always)" instruction to be conditional (check for existing
Dockerfile, report its path in the checklist, and ask/require confirmation
before replacing it) and ensure the checklist records whether the file was
created, skipped, or updated along with any notes about changes.

---

78-81: The fix→rebuild loop has no termination condition — add a retry cap.

"Repeat until successful" with no bound means a persistently broken Dockerfile will spin the agent indefinitely, consuming CI minutes until the default 6-hour job timeout hits.

♻️ Suggested update

 If build fails:
 - Call `containerization-assist-mcp/fix-dockerfile` (again)
 - Re-run `build-image`
-- Repeat until successful
+- Repeat until successful, **up to 3 total attempts**. If still failing after 3 attempts, stop and report the error.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/agents/containerization.agent.md around lines 78 - 81, Add a bounded
retry loop around the fix-and-rebuild flow so it cannot spin forever: introduce
a MAX_RETRIES constant and a retry counter in the containerization agent's loop
that calls containerization-assist-mcp/fix-dockerfile and re-runs build-image,
incrementing the counter each cycle; if counter >= MAX_RETRIES stop attempting
further fixes, surface a clear failure/exit status and include the last error
output, and optionally add a short backoff between attempts. Ensure the change
updates the control logic that currently implements "Repeat until successful" to
check the counter and break on reaching the cap, using the same command names
(containerization-assist-mcp/fix-dockerfile, build-image) so the behavior is
preserved but bounded.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/agents/containerization.agent.md:
- Around line 96-116: Remove the hardcoded Azure Subscription ID and placeholder
values in the AKS Deployment Configuration: replace the plain-text subscription
ID (d0ecd0d2-779b-4fd0-8f04-d46d07f05703) with a reference to the repo secret or
variable (e.g., use the same secrets.AZURE_SUBSCRIPTION_ID used in
deploy-to-aks.yml), and replace "Identity ID: asdafsdf" and "Container Image:
asdfasdf" with real values or secret/variable references (e.g., the actual
Managed Identity client ID or secrets.AZURE_CLIENT_ID and the actual registry
path like myregistry.azurecr.io/myapp) so the agent spec no longer contains
placeholders or sensitive data in plaintext.
- Around line 12-13: The hard requirement forcing a static image tag `1.0`
should be replaced with a per-build unique tag pattern (e.g., using CI build ID,
commit SHA, or pipeline run id) so images are immutable and traceable; update
the rule in containerization.agent.md and ensure the generated deploy-to-aks.yml
references that dynamic tag (and documents using imagePullPolicy: Always or
CI-driven tag substitution) so each deployment ties to a specific build and
allows safe rollbacks.

In @.github/workflows/copilot-setup-steps.yml:
- Around line 25-27: The CI step named "Test merge" uses npx
containerization-assist-mcp@latest which creates supply-chain risk; update that
step to pin a specific verified version (e.g., replace
containerization-assist-mcp@latest with containerization-assist-mcp@1.2.0 in the
npx invocation used in the "Test merge" run command), or remove the entire "Test
merge" step if you prefer not to execute the MCP check during workflow runs.
- Around line 3-8: Add a least-privilege permissions block for the
copilot-setup-steps job: in the YAML containing the job id copilot-setup-steps
(the job with runs-on: ubuntu-latest triggered by workflow_dispatch) add a
permissions mapping that grants only what’s needed (for example permissions:
contents: read) at either the job or workflow level so the job no longer
inherits broad default GITHUB_TOKEN permissions.

---

Nitpick comments:
In @.github/agents/containerization.agent.md:
- Around line 65-67: Update the unconditional Dockerfile generation so the agent
only invokes containerization-assist-mcp/generate-dockerfile when no Dockerfile
exists or when an explicit overwrite flag/consent is provided; modify the
"Generate Dockerfile (always)" instruction to be conditional (check for existing
Dockerfile, report its path in the checklist, and ask/require confirmation
before replacing it) and ensure the checklist records whether the file was
created, skipped, or updated along with any notes about changes.
- Around line 78-81: Add a bounded retry loop around the fix-and-rebuild flow so
it cannot spin forever: introduce a MAX_RETRIES constant and a retry counter in
the containerization agent's loop that calls
containerization-assist-mcp/fix-dockerfile and re-runs build-image, incrementing
the counter each cycle; if counter >= MAX_RETRIES stop attempting further fixes,
surface a clear failure/exit status and include the last error output, and
optionally add a short backoff between attempts. Ensure the change updates the
control logic that currently implements "Repeat until successful" to check the
counter and break on reaching the cap, using the same command names
(containerization-assist-mcp/fix-dockerfile, build-image) so the behavior is
preserved but bounded.

In @.github/workflows/copilot-setup-steps.yml:
- Around line 17-23: Replace the non-deterministic OPA installer version in the
"Setup OPA" step (uses: open-policy-agent/setup-opa@v2) by pinning the
with.version value to a specific released tag (e.g., a tested vX.Y.Z) instead of
"latest"; update the version string in that step so the workflow consistently
installs a known OPA release and re-run the "Verify OPA installation" (opa
version) to confirm the pinned version.
- Around line 10-27: Replace mutable tags for third-party actions by pinning
each action reference to a specific commit SHA: update uses:
actions/checkout@v4, uses: actions/setup-node@v4, and uses:
open-policy-agent/setup-opa@v2 to their respective full commit SHAs (e.g.,
actions/checkout@<sha>, actions/setup-node@<sha>,
open-policy-agent/setup-opa@<sha>) in the workflow steps named
"actions/checkout", "Set up Node.js 22"/actions/setup-node, and "Setup
OPA"/open-policy-agent/setup-opa so the workflow runs a fixed, auditable commit
instead of a mutable tag.
- Around line 3-4: Update the workflow triggers in the top-level on: block so
the CI runs automatically on changes; specifically, in the workflow's on:
section replace or augment the existing workflow_dispatch-only trigger by adding
push and pull_request triggers (optionally with sensible path filters) so
changes to copilot-setup-steps.yml will self-validate on PRs and pushes rather
than requiring manual workflow_dispatch.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Hardcoding image tag 1.0 on every build makes rollbacks impossible and breaks imagePullPolicy semantics.

With a static, always-reused tag:

• Kubernetes nodes that have already pulled 1.0 with the default imagePullPolicy: IfNotPresent will silently run stale images after subsequent pushes.
• There is no audit trail linking a running workload back to a specific commit or pipeline run.
• Rolling back requires re-pushing a previous image layer to the same tag — with no guarantees the correct image is still available locally.

Consider replacing the fixed tag with a unique per-build identifier:

♻️ Suggested update

-## Hard Requirements
-- **Image tag must be `1.0`** (always).
+## Hard Requirements
+- **Image tag must be unique per build** (e.g., `${{ github.sha }}` or `${{ github.run_id }}`).
+  The generated workflow should also tag and push `latest` as a convenience alias.

Then in the generated deploy-to-aks.yml, reference the unique tag so each deployment is traceable and reversible.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	## Hard Requirements
	- **Image tag must be `1.0`** (always).
	## Hard Requirements
	- **Image tag must be unique per build** (e.g., `${{ github.sha }}` or `${{ github.run_id }}`).
	The generated workflow should also tag and push `latest` as a convenience alias.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/agents/containerization.agent.md around lines 12 - 13, The hard
requirement forcing a static image tag `1.0` should be replaced with a per-build
unique tag pattern (e.g., using CI build ID, commit SHA, or pipeline run id) so
images are immutable and traceable; update the rule in containerization.agent.md
and ensure the generated deploy-to-aks.yml references that dynamic tag (and
documents using imagePullPolicy: Always or CI-driven tag substitution) so each
deployment ties to a specific build and allows safe rollbacks.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Azure Subscription ID is exposed in a public file, and several values are unresolved placeholders.

Two distinct concerns here:

1. Hardcoded Subscription ID (line 102):
d0ecd0d2-779b-4fd0-8f04-d46d07f05703 is committed in plain text to a public repository. Sensitive data should never be stored as plaintext in workflow files. Azure subscription IDs, while not a secret in the strictest sense, enable resource enumeration and can be used to craft targeted API calls or phishing against your tenant. This value should be moved to a repository variable or referenced via secrets in the generated deploy-to-aks.yml (which, to its credit, already does this for secrets.AZURE_SUBSCRIPTION_ID). The agent spec itself doesn't need to expose it inline.

2. Placeholder values that will produce a broken agent run:

• Line 101 — Identity ID: asdafsdf — this is clearly a placeholder. OIDC federated credentials require a real Managed Identity or service principal client ID; using asdafsdf will cause Azure login to fail.
• Line 104 — Container Image: asdfasdf — another garbage value. Kubernetes manifests generated with this image name will fail to pull.

These appear to be auto-generated by AKS Desktop from the string "asdfasf" entered during setup. Before merging, replace them with the real values:

• Identity ID → the actual Azure Managed Identity client ID (or secrets.AZURE_CLIENT_ID)
• Container Image → the actual container registry path (e.g., myregistry.azurecr.io/myapp)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/agents/containerization.agent.md around lines 96 - 116, Remove the
hardcoded Azure Subscription ID and placeholder values in the AKS Deployment
Configuration: replace the plain-text subscription ID
(d0ecd0d2-779b-4fd0-8f04-d46d07f05703) with a reference to the repo secret or
variable (e.g., use the same secrets.AZURE_SUBSCRIPTION_ID used in
deploy-to-aks.yml), and replace "Identity ID: asdafsdf" and "Container Image:
asdfasdf" with real values or secret/variable references (e.g., the actual
Managed Identity client ID or secrets.AZURE_CLIENT_ID and the actual registry
path like myregistry.azurecr.io/myapp) so the agent spec no longer contains
placeholders or sensitive data in plaintext.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Add a permissions block scoped to least-privilege.

GitHub's official documentation for copilot-setup-steps workflows explicitly instructs: "Set the permissions to the lowest permissions possible needed for your steps." No permissions key is present, so the job inherits the repository's default GITHUB_TOKEN permissions, which are typically broader than necessary.

Since this job only checks out code and runs read-only tooling, a minimal grant is sufficient:

🔒 Proposed fix

 jobs:
   copilot-setup-steps:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/copilot-setup-steps.yml around lines 3 - 8, Add a
least-privilege permissions block for the copilot-setup-steps job: in the YAML
containing the job id copilot-setup-steps (the job with runs-on: ubuntu-latest
triggered by workflow_dispatch) add a permissions mapping that grants only
what’s needed (for example permissions: contents: read) at either the job or
workflow level so the job no longer inherits broad default GITHUB_TOKEN
permissions.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check the npm registry for containerization-assist-mcp package details
curl -s https://registry.npmjs.org/containerization-assist-mcp/latest | jq '{name: .name, version: .version, description: .description, main: .main, time: .time, author: .author}'

Repository: gambtho/willitconnect

Length of output: 320

---

🏁 Script executed:

#!/bin/bash
# Also check if there's any scoped version or similar package names
curl -s https://registry.npmjs.org/-/v1/search?text=containerization-assist | jq '.objects[] | {name: .package.name, version: .package.version, description: .package.description}'

Repository: gambtho/willitconnect

Length of output: 37673

---

🏁 Script executed:

#!/bin/bash
# Check the file itself to see the full context of the workflow
cat -n .github/workflows/copilot-setup-steps.yml | head -35

Repository: gambtho/willitconnect

Length of output: 811

---

Pin the version to a specific release instead of using @latest.

The containerization-assist-mcp package on npm is a legitimate TypeScript MCP server for containerization workflows (currently at v1.2.0), not an unrelated or legacy package. However, using @latest in CI workflows creates unnecessary supply chain risk—a compromised action would have access to all repository secrets.

Before merging:

1. Pin to an explicit, verified version (e.g., containerization-assist-mcp@1.2.0).
2. Optionally remove this "Test merge" step entirely — verifying the MCP tool at setup time adds friction with minimal Copilot benefit.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/copilot-setup-steps.yml around lines 25 - 27, The CI step
named "Test merge" uses npx containerization-assist-mcp@latest which creates
supply-chain risk; update that step to pin a specific verified version (e.g.,
replace containerization-assist-mcp@latest with
containerization-assist-mcp@1.2.0 in the npx invocation used in the "Test merge"
run command), or remove the entire "Test merge" step if you prefer not to
execute the MCP check during workflow runs.