fix: downmerge from main to dev #363

Merged
Roopan-Microsoft merged 14 commits into dev from main
Mar 11, 2026

@Priyanka-Microsoft
Collaborator

Purpose

  • ...
    This pull request introduces several important updates to the GitHub Actions workflows, primarily focusing on simplifying and unifying deployment pipelines, improving security and authentication mechanisms, and enhancing flexibility for deployment environments. The main changes include refactoring Docker build and deployment workflows to use Azure federated authentication, consolidating Linux and Windows deployment workflows into a single, parameterized workflow, and updating permissions for OIDC-based authentication.

Workflow Refactoring and Unification

  • The separate Windows deployment workflow (deploy-windows.yml) has been removed and its functionality integrated into a single, renamed workflow (deploy-v2.yml), which now supports both Linux and Windows deployments via a new runner_os input parameter. This reduces duplication and centralizes deployment logic. [1] [2] [3] [4] [5] [6] [7] [8]

  • The deployment orchestrator workflow (deploy-orchestrator.yml) has been simplified by removing explicit permissions, relying on those set by the calling workflow.

Authentication and Security Improvements

  • Docker build and deployment workflows now use Azure federated identity (OIDC) for authentication via the azure/login@v2 action, removing the need to store and pass Docker registry passwords and service principal secrets directly. [1] [2] [3] [4] [5] [6] [7]

  • The id-token: write permission has been added to workflows that require OIDC authentication. [1] [2] [3]

Parameterization and Flexibility

  • The new runner_os input allows selection between Linux and Windows runners for deployment, validated and mapped internally to the correct GitHub Actions runner label. [1] [2] [3] [4]

  • Additional workflow inputs and outputs have been updated to support this flexibility and improve validation of deployment parameters. [1] [2] [3] [4]

Environment and Permissions Consistency

  • The environment: production attribute has been added to relevant jobs for improved environment scoping and secrets management. [1] [2]

Most Important Changes

1. Workflow Unification and Refactoring

  • Merged the Linux and Windows deployment workflows into a single, parameterized workflow (deploy-v2.yml), removing the now-redundant deploy-windows.yml and adding a runner_os input to control the deployment environment. [1] [2] [3] [4] [5] [6] [7] [8]

2. Azure Federated Authentication (OIDC)

  • Updated Docker build and deployment workflows to use Azure OIDC authentication (azure/login@v2), removing the need for Docker registry passwords and service principal secrets. [1] [2] [3] [4] [5] [6] [7]

3. Enhanced Permissions and Security

  • Added id-token: write permission to workflows that require OIDC authentication for Azure login. [1] [2] [3]

4. Improved Parameterization and Validation

  • Introduced and validated a runner_os parameter for deployment workflows, allowing dynamic selection of runner environment and improving input validation. [1] [2] [3] [4]

5. Environment Scoping

  • Added environment: production to relevant jobs for improved environment management and secrets handling. [1] [2]

Does this introduce a breaking change?

  • Yes
  • No

Golden Path Validation

  • I have tested the primary workflows (the "golden path") to ensure they function correctly without errors.

Deployment Validation

  • I have validated the deployment process successfully and all services are running as expected with this change.

What to Check

Verify that the following are valid

  • ...

Other Information

NirajC-Microsoft and others added 14 commits February 9, 2026 15:36
docs: Update Troubleshoot document
Added AI and Data Engineering playbooks with descriptions.
Removed the Data playbook entry from the README.
Updated the wording for clarity regarding AI Engineering best practices.
docs: Add AI Engineering playbooks to README
ci: Migrated GitHub Actions authentication from client secrets to OIDC and combined Ubuntu & Windows workflows into a single pipeline
@Roopan-Microsoft Roopan-Microsoft merged commit 2d554d6 into dev Mar 11, 2026
64 of 65 checks passed
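
The move from stored registry credentials to federated (OIDC) login that this pull request describes, shown side by side as an added example. It is not taken from this repository's workflows; the secret names, the `ACR_NAME` variable and the image name are placeholders.

```yaml
# Constructed example workflow; names and values are placeholders.
name: docker-build-example

on:
  workflow_dispatch:

permissions:
  contents: read
  id-token: write   # allows the job to request a GitHub OIDC token for azure/login

jobs:
  build:
    runs-on: ubuntu-latest
    # With an environment set, the token's subject claim is
    # repo:<org>/<repo>:environment:production, and the federated
    # credential configured in Azure has to match that subject.
    environment: production
    steps:
      - uses: actions/checkout@v4

      # Before: long-lived registry credentials stored as repository secrets.
      # - uses: docker/login-action@v3
      #   with:
      #     registry: ${{ secrets.ACR_LOGIN_SERVER }}
      #     username: ${{ secrets.ACR_USERNAME }}
      #     password: ${{ secrets.ACR_PASSWORD }}

      # After: federated login. These three values are identifiers, not
      # credentials; no client secret or registry password is stored.
      - uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      - name: Log in to the registry and push
        env:
          ACR_NAME: ${{ vars.ACR_NAME }}   # passed via env, not interpolated into the script
        run: |
          az acr login --name "$ACR_NAME"
          docker build -t "$ACR_NAME.azurecr.io/example:$GITHUB_SHA" .
          docker push "$ACR_NAME.azurecr.io/example:$GITHUB_SHA"
```

A reusable workflow cannot raise the token permissions it receives, so when a called workflow declares no `permissions` of its own, the calling workflow has to grant `id-token: write` for the OIDC login to succeed.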
6 participants