From f2bf1893fe5b952e81ee848b8764ad8611c5f49f Mon Sep 17 00:00:00 2001 From: Vamshi-Microsoft Date: Mon, 23 Feb 2026 13:52:40 +0530 Subject: [PATCH 1/3] Migrated GitHub Actions authentication from client secrets to OIDC --- .github/workflows/azure-dev.yml | 1 - .github/workflows/deploy-linux.yml | 1 + .github/workflows/deploy-orchestrator.yml | 4 --- .github/workflows/deploy-waf.yml | 16 ++++++----- .github/workflows/deploy-windows.yml | 1 + .github/workflows/deploy.yml | 28 +++++++++++++------- .github/workflows/docker-build-and-push.yml | 16 +++++++---- .github/workflows/job-cleanup-deployment.yml | 15 ++++++----- .github/workflows/job-deploy-linux.yml | 15 ++++++----- .github/workflows/job-deploy-windows.yml | 15 ++++++----- .github/workflows/job-deploy.yml | 19 +++++++------ .github/workflows/job-docker-build.yml | 17 ++++++------ .github/workflows/job-send-notification.yml | 3 --- .github/workflows/test-automation-v2.yml | 9 ++++--- .github/workflows/test-automation.yml | 9 ++++++- infra/scripts/checkquota.sh | 10 ------- 16 files changed, 99 insertions(+), 80 deletions(-) diff --git a/.github/workflows/azure-dev.yml b/.github/workflows/azure-dev.yml index 93aa7483..23bed8a2 100644 --- a/.github/workflows/azure-dev.yml +++ b/.github/workflows/azure-dev.yml @@ -25,7 +25,6 @@ jobs: id: validation env: AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} - AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} AZURE_ENV_NAME: ${{ secrets.AZURE_ENV_NAME }} diff --git a/.github/workflows/deploy-linux.yml b/.github/workflows/deploy-linux.yml index d5d4b737..e41489f0 100644 --- a/.github/workflows/deploy-linux.yml +++ b/.github/workflows/deploy-linux.yml @@ -1,6 +1,7 @@ name: Deploy-Test-Cleanup (v2) Linux permissions: + id-token: write contents: read actions: read on: 
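Review bot: Removing `AZURE_CLIENT_SECRET` from the `validation` step's env leaves that step (its body lies outside the hunk) with no replacement credential, and the diffstat shows azure-dev.yml gains neither an `id-token: write` permission nor an `azure/login` step in this commit. If the step still runs `az login --service-principal` with the secret it will now fail, and an OIDC login added there would also be refused until the workflow grants `id-token: write`. A comment on the step would record the intent, e.g. `# Azure auth is via OIDC (azure/login); no client secret is passed to this step`, and the remaining `AZURE_CLIENT_ID`/`AZURE_TENANT_ID` env can go too if nothing in the step reads them.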
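Review bot: `id-token: write` is granted at the workflow level in deploy-linux.yml, so every job in the file can request an OIDC token, not only the job that performs the Azure login. Permissions can be declared per job instead (`permissions:` / `  id-token: write` / `  contents: read` on the calling job, keeping `actions: read` where it is used), which limits token minting to the job that authenticates and documents why it is needed. The same workflow-level grant is added in deploy-windows.yml, deploy-waf.yml, deploy.yml and docker-build-and-push.yml; if the project prefers the workflow-level form, a one-line comment such as `# id-token: write lets azure/login obtain a GitHub OIDC token for federated Azure auth` on the key would help the next reader.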
diff --git a/.github/workflows/deploy-orchestrator.yml b/.github/workflows/deploy-orchestrator.yml
index 22c4d073..8a9f9083 100644
--- a/.github/workflows/deploy-orchestrator.yml
+++ b/.github/workflows/deploy-orchestrator.yml
@@ -1,9 +1,5 @@
 name: Deployment orchestrator
-permissions:
- contents: read
- actions: read
-
 on:
 workflow_call:
 inputs:
diff --git a/.github/workflows/deploy-waf.yml b/.github/workflows/deploy-waf.yml
index a879b200..a035fae9 100644
--- a/.github/workflows/deploy-waf.yml
+++ b/.github/workflows/deploy-waf.yml
@@ -1,6 +1,7 @@
 name: Validate WAF Deployment v4
 permissions:
+ id-token: write
 contents: read
 actions: read
 on:
@@ -13,6 +14,7 @@ on:
 jobs:
 deploy:
 runs-on: ubuntu-latest
+ environment: production
 env:
 GPT_MIN_CAPACITY: 1
 O4_MINI_MIN_CAPACITY: 1
@@ -21,12 +23,16 @@ jobs:
 - name: Checkout Code
 uses: actions/checkout@v4
+ - name: Login to Azure
+ uses: azure/login@v2
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
 - name: Run Quota Check
 id: quota-check
 env:
- AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
- AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
- AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
 AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 GPT_MIN_CAPACITY: ${{ env.GPT_MIN_CAPACITY }}
 O4_MINI_MIN_CAPACITY: ${{ env.O4_MINI_MIN_CAPACITY }}
@@ -66,10 +72,6 @@ jobs:
 echo "Selected Region: $VALID_REGION"
 echo "AZURE_LOCATION=$VALID_REGION" >> $GITHUB_ENV
- - name: Login to Azure
- run: |
- az login --service-principal -u ${{ secrets.AZURE_CLIENT_ID }} -p ${{ secrets.AZURE_CLIENT_SECRET }} --tenant ${{ secrets.AZURE_TENANT_ID }}
-
 - name: Install Bicep CLI
 run: az bicep install
diff --git a/.github/workflows/deploy-windows.yml b/.github/workflows/deploy-windows.yml
index b1ed8e93..c666eec4 100644
--- a/.github/workflows/deploy-windows.yml
+++ b/.github/workflows/deploy-windows.yml
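Review bot: Deleting the `permissions:` block from this reusable workflow removes the cap it placed on the token it receives; its jobs now inherit whatever the caller grants instead of `contents: read` / `actions: read`. Presumably the block went because it lacked `id-token: write`, but a called workflow may declare that permission itself — it only cannot exceed what the caller passes — so an explicit block of `id-token: write`, `contents: read`, `actions: read` keeps least privilege and records why the token is needed. The same deletion appears in job-cleanup-deployment.yml, job-deploy-linux.yml, job-deploy-windows.yml, job-deploy.yml and job-docker-build.yml; job-send-notification.yml loses its block as well although no login step is added to it in this commit, so its original block can simply stay.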
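Review bot: Adding `environment: production` to the `deploy` job changes the subject of the OIDC token GitHub issues to the environment form (`repo:<owner>/<repo>:environment:production`), so the federated credential on the Azure app registration must be registered for that environment subject — one configured for a branch or pull-request subject will make `azure/login@v2` fail even with correct client, tenant and subscription ids. Any protection rules on `production` (required reviewers, wait timers, branch restrictions) now gate this job as well, which deserves a comment on the key, e.g. `environment: production  # subject of the Azure federated credential; environment protection rules apply`. The same key is added in deploy.yml (including its `if: always()` cleanup job), docker-build-and-push.yml, every job-*.yml and both test-automation workflows, so one federated credential per environment subject covers them all; the `azure/login@v2` references remain on a moving major tag, and pinning a step that mints cloud credentials to a full commit SHA is the usual hardening.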
@@ -1,6 +1,7 @@
 name: Deploy-Test-Cleanup (v2) Windows
 permissions:
+ id-token: write
 contents: read
 actions: read
 on:
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index e3550c5b..202b3347 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -1,6 +1,7 @@
 name: Validate Deployment v4
 permissions:
+ id-token: write
 contents: read
 actions: read
 on:
@@ -24,6 +25,7 @@ env:
 jobs:
 deploy:
 runs-on: ubuntu-latest
+ environment: production
 outputs:
 RESOURCE_GROUP_NAME: ${{ steps.check_create_rg.outputs.RESOURCE_GROUP_NAME }}
 WEBAPP_URL: ${{ steps.get_output.outputs.WEBAPP_URL }}
@@ -34,12 +36,16 @@ jobs:
 - name: Checkout Code
 uses: actions/checkout@v4
+ - name: Login to Azure
+ uses: azure/login@v2
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
 - name: Run Quota Check
 id: quota-check
 env:
- AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
- AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
- AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
 AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 GPT_MIN_CAPACITY: ${{ env.GPT_MIN_CAPACITY }}
 O4_MINI_MIN_CAPACITY: ${{ env.O4_MINI_MIN_CAPACITY }}
@@ -79,10 +85,6 @@ jobs:
 echo "Selected Region: $VALID_REGION"
 echo "AZURE_LOCATION=$VALID_REGION" >> $GITHUB_ENV
- - name: Login to Azure
- run: |
- az login --service-principal -u ${{ secrets.AZURE_CLIENT_ID }} -p ${{ secrets.AZURE_CLIENT_SECRET }} --tenant ${{ secrets.AZURE_TENANT_ID }}
-
 - name: Install Bicep CLI
 run: az bicep install
@@ -212,13 +214,19 @@ jobs:
 if: always() && needs.deploy.outputs.RESOURCE_GROUP_NAME != ''
 needs: [deploy, e2e-test]
 runs-on: ubuntu-latest
+ environment: production
 env:
 RESOURCE_GROUP_NAME: ${{ needs.deploy.outputs.RESOURCE_GROUP_NAME }}
 steps:
 - name: Login to Azure
- run: |
- az login --service-principal -u ${{ secrets.AZURE_CLIENT_ID }} -p ${{ secrets.AZURE_CLIENT_SECRET }} --tenant ${{ secrets.AZURE_TENANT_ID }}
- az account set --subscription "${{ secrets.AZURE_SUBSCRIPTION_ID }}"
+ uses: azure/login@v2
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ - name: Set Azure Subscription
+ run: az account set --subscription "${{ secrets.AZURE_SUBSCRIPTION_ID }}"
 - name: Extract AI Services and Key Vault Names
 if: always()
diff --git a/.github/workflows/docker-build-and-push.yml b/.github/workflows/docker-build-and-push.yml
index d9301a6d..54b79a62 100644
--- a/.github/workflows/docker-build-and-push.yml
+++ b/.github/workflows/docker-build-and-push.yml
@@ -45,12 +45,14 @@ on:
 workflow_dispatch:
 permissions:
+ id-token: write
 contents: read
 actions: read
 jobs:
 build-and-push:
 runs-on: ubuntu-latest
+ environment: production
 steps:
 - name: Checkout repository
@@ -59,13 +61,17 @@ jobs:
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v3
- - name: Log in to Azure Container Registry
+ - name: Login to Azure
 if: ${{ github.ref_name == 'main' || github.ref_name == 'dev-v4'|| github.ref_name == 'demo-v4' || github.ref_name == 'hotfix' }}
- uses: azure/docker-login@v2
+ uses: azure/login@v2
 with:
- login-server: ${{ secrets.ACR_LOGIN_SERVER || 'acrlogin.azurecr.io' }}
- username: ${{ secrets.ACR_USERNAME }}
- password: ${{ secrets.ACR_PASSWORD }}
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ - name: Log in to Azure Container Registry
+ if: ${{ github.ref_name == 'main' || github.ref_name == 'dev-v4'|| github.ref_name == 'demo-v4' || github.ref_name == 'hotfix' }}
+ run: az acr login --name ${{ secrets.ACR_LOGIN_SERVER || 'acrlogin.azurecr.io' }}
 - name: Get current date
 id: date
diff --git a/.github/workflows/job-cleanup-deployment.yml b/.github/workflows/job-cleanup-deployment.yml
index e1afa455..48c2586b 100644
--- a/.github/workflows/job-cleanup-deployment.yml
+++ b/.github/workflows/job-cleanup-deployment.yml
@@ -1,8 +1,5 @@
 name: Cleanup Deployment Job
-permissions:
- contents: read
- actions: read
 on:
 workflow_call:
 inputs:
@@ -49,6 +46,7 @@ jobs:
 cleanup-deployment:
 runs-on: ${{ inputs.runner_os }}
 continue-on-error: true
+ environment: production
 env:
 RESOURCE_GROUP_NAME: ${{ inputs.RESOURCE_GROUP_NAME }}
 AZURE_LOCATION: ${{ inputs.AZURE_LOCATION }}
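Review bot: `az acr login --name ${{ secrets.ACR_LOGIN_SERVER || 'acrlogin.azurecr.io' }}` now authenticates the OIDC service principal to the registry, so that identity needs an RBAC push role on the registry that the former `ACR_USERNAME`/`ACR_PASSWORD` admin credentials did not require; the secret name suggests it holds a login-server FQDN while `--name` is documented as the registry name, so confirm on a run that the value is accepted, and quote it: `run: az acr login --name "${{ secrets.ACR_LOGIN_SERVER || 'acrlogin.azurecr.io' }}"`. The `ACR_USERNAME`/`ACR_PASSWORD`, `ACR_TEST_*` and `AZURE_CLIENT_SECRET` secrets are no longer referenced by any file in this commit, so they should be rotated and deleted from the repository settings rather than left behind. job-docker-build.yml makes the same change against `ACR_TEST_LOGIN_SERVER`.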
@@ -58,10 +56,15 @@ jobs:
 steps:
 - name: Login to Azure
+ uses: azure/login@v2
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ - name: Set Azure Subscription
 shell: bash
- run: |
- az login --service-principal -u ${{ secrets.AZURE_CLIENT_ID }} -p ${{ secrets.AZURE_CLIENT_SECRET }} --tenant ${{ secrets.AZURE_TENANT_ID }}
- az account set --subscription ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+ run: az account set --subscription ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 - name: Delete Resource Group (Optimized Cleanup)
 id: delete_rg
diff --git a/.github/workflows/job-deploy-linux.yml b/.github/workflows/job-deploy-linux.yml
index f941a202..60c5458e 100644
--- a/.github/workflows/job-deploy-linux.yml
+++ b/.github/workflows/job-deploy-linux.yml
@@ -1,9 +1,5 @@
 name: Deploy Steps - Linux
-permissions:
- contents: read
- actions: read
-
 on:
 workflow_call:
 inputs:
@@ -49,6 +45,7 @@ on:
 jobs:
 deploy-linux:
 runs-on: ubuntu-latest
+ environment: production
 env:
 AZURE_DEV_COLLECT_TELEMETRY: ${{ vars.AZURE_DEV_COLLECT_TELEMETRY }}
 outputs:
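Review bot: The new `Set Azure Subscription` step repeats what `azure/login@v2` already does with `subscription-id`, and its argument is unquoted; either drop the step or write it as `run: az account set --subscription "${{ secrets.AZURE_SUBSCRIPTION_ID }}"`, which is the form the cleanup job in deploy.yml already uses. Because this job is `continue-on-error: true`, a rejected OIDC login (for instance a federated credential not registered for the `production` environment subject) no longer fails the run and the resource group silently stays behind; a comment above the login step noting that failures here do not fail the workflow would help whoever investigates a leftover group. The same unquoted `az account set` appears in job-deploy.yml, job-deploy-linux.yml and job-deploy-windows.yml.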
@@ -206,13 +203,19 @@ jobs:
 - name: Install azd
 uses: Azure/setup-azd@v2
+ - name: Login to Azure
+ uses: azure/login@v2
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
 - name: Login to AZD
 id: login-azure
 shell: bash
 run: |
- az login --service-principal -u ${{ secrets.AZURE_CLIENT_ID }} -p ${{ secrets.AZURE_CLIENT_SECRET }} --tenant ${{ secrets.AZURE_TENANT_ID }}
 az account set --subscription ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- azd auth login --client-id ${{ secrets.AZURE_CLIENT_ID }} --client-secret ${{ secrets.AZURE_CLIENT_SECRET }} --tenant-id ${{ secrets.AZURE_TENANT_ID }}
+ azd auth login --client-id "${{ secrets.AZURE_CLIENT_ID }}" --federated-credential-provider "github" --tenant-id "${{ secrets.AZURE_TENANT_ID }}"
 - name: Deploy using azd up and extract values (Linux)
 id: get_output_linux
diff --git a/.github/workflows/job-deploy-windows.yml b/.github/workflows/job-deploy-windows.yml
index 1ee301d5..030c9619 100644
--- a/.github/workflows/job-deploy-windows.yml
+++ b/.github/workflows/job-deploy-windows.yml
@@ -1,9 +1,5 @@
 name: Deploy Steps - Windows
-permissions:
- contents: read
- actions: read
-
 on:
 workflow_call:
 inputs:
@@ -48,6 +44,7 @@ on:
 jobs:
 deploy-windows:
 runs-on: windows-latest
+ environment: production
 env:
 AZURE_DEV_COLLECT_TELEMETRY: ${{ vars.AZURE_DEV_COLLECT_TELEMETRY }}
 outputs:
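Review bot: The `Login to AZD` step (id `login-azure`) no longer logs in the Azure CLI, so its name and id are now misleading and its `az account set` line depends on the `Login to Azure` step directly above; `azd auth login --federated-credential-provider "github"` also needs the runner's OIDC token endpoint, which exists only when `id-token: write` is granted, and this reusable workflow has just dropped its own `permissions:` block, so that permission now comes solely from the caller. A short comment on the step would record both facts, e.g. `# azd requests its own token via GitHub OIDC (needs id-token: write from the caller); the az CLI session comes from the Login to Azure step above`. job-deploy-windows.yml carries the identical step.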
@@ -205,13 +202,19 @@ jobs:
 - name: Install azd
 uses: Azure/setup-azd@v2
+ - name: Login to Azure
+ uses: azure/login@v2
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
 - name: Login to AZD
 id: login-azure
 shell: bash
 run: |
- az login --service-principal -u ${{ secrets.AZURE_CLIENT_ID }} -p ${{ secrets.AZURE_CLIENT_SECRET }} --tenant ${{ secrets.AZURE_TENANT_ID }}
 az account set --subscription ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- azd auth login --client-id ${{ secrets.AZURE_CLIENT_ID }} --client-secret ${{ secrets.AZURE_CLIENT_SECRET }} --tenant-id ${{ secrets.AZURE_TENANT_ID }}
+ azd auth login --client-id "${{ secrets.AZURE_CLIENT_ID }}" --federated-credential-provider "github" --tenant-id "${{ secrets.AZURE_TENANT_ID }}"
 - name: Deploy using azd up and extract values (Windows)
diff --git a/.github/workflows/job-deploy.yml b/.github/workflows/job-deploy.yml
index 2046488e..7a8f32e3 100644
--- a/.github/workflows/job-deploy.yml
+++ b/.github/workflows/job-deploy.yml
@@ -1,9 +1,5 @@
 name: Deploy Job
-permissions:
- contents: read
- actions: read
-
 on:
 workflow_call:
 inputs:
@@ -112,6 +108,7 @@ jobs:
 name: Azure Setup
 if: inputs.trigger_type != 'workflow_dispatch' || inputs.existing_webapp_url == '' || inputs.existing_webapp_url == null
 runs-on: ubuntu-latest
+ environment: production
 outputs:
 RESOURCE_GROUP_NAME: ${{ steps.check_create_rg.outputs.RESOURCE_GROUP_NAME }}
 ENV_NAME: ${{ steps.generate_env_name.outputs.ENV_NAME }}
@@ -290,17 +287,19 @@ jobs:
 uses: actions/checkout@v4
 - name: Login to Azure
+ uses: azure/login@v2
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ - name: Set Azure Subscription
 shell: bash
- run: |
- az login --service-principal -u ${{ secrets.AZURE_CLIENT_ID }} -p ${{ secrets.AZURE_CLIENT_SECRET }} --tenant ${{ secrets.AZURE_TENANT_ID }}
- az account set --subscription ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+ run: az account set --subscription ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 - name: Run Quota Check
 id: quota-check
 env:
- AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
- AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
- AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
 AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 GPT_MIN_CAPACITY: ${{ env.GPT_MIN_CAPACITY }}
 O4_MINI_MIN_CAPACITY: ${{ env.O4_MINI_MIN_CAPACITY }}
diff --git a/.github/workflows/job-docker-build.yml b/.github/workflows/job-docker-build.yml
index b62fdf68..71e7a42b 100644
--- a/.github/workflows/job-docker-build.yml
+++ b/.github/workflows/job-docker-build.yml
@@ -1,7 +1,4 @@
 name: Docker Build Job
-permissions:
- contents: read
- actions: read
 on:
 workflow_call:
 inputs:
@@ -26,6 +23,7 @@ jobs:
 docker-build:
 if: inputs.trigger_type == 'workflow_dispatch' && inputs.build_docker_image == true
 runs-on: ubuntu-latest
+ environment: production
 outputs:
 IMAGE_TAG: ${{ steps.generate_docker_tag.outputs.IMAGE_TAG }}
 steps:
@@ -49,12 +47,15 @@ jobs:
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v3
- - name: Log in to Azure Container Registry
- uses: azure/docker-login@v2
+ - name: Login to Azure
+ uses: azure/login@v2
 with:
- login-server: ${{ secrets.ACR_TEST_LOGIN_SERVER }}
- username: ${{ secrets.ACR_TEST_USERNAME }}
- password: ${{ secrets.ACR_TEST_PASSWORD }}
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ - name: Log in to Azure Container Registry
+ run: az acr login --name ${{ secrets.ACR_TEST_LOGIN_SERVER }}
 - name: Build and optionally push Backend Docker image
 uses: docker/build-push-action@v6
diff --git a/.github/workflows/job-send-notification.yml b/.github/workflows/job-send-notification.yml
index 06ec6d8b..5b062a89 100644
--- a/.github/workflows/job-send-notification.yml
+++ b/.github/workflows/job-send-notification.yml
@@ -1,7 +1,4 @@
 name: Send Notification Job
-permissions:
- contents: read
- actions: read
 on:
 workflow_call:
 inputs:
diff --git a/.github/workflows/test-automation-v2.yml b/.github/workflows/test-automation-v2.yml
index 07267617..394adbe5 100644
--- a/.github/workflows/test-automation-v2.yml
+++ b/.github/workflows/test-automation-v2.yml
@@ -37,6 +37,7 @@ env:
 jobs:
 test:
 runs-on: ubuntu-latest
+ environment: production
 outputs:
 TEST_SUCCESS: ${{ steps.test1.outcome == 'success' || steps.test2.outcome == 'success' || steps.test3.outcome == 'success' }}
 TEST_REPORT_URL: ${{ steps.upload_report.outputs.artifact-url }}
@@ -50,9 +51,11 @@ jobs:
 python-version: '3.13'
 - name: Login to Azure
- run: |
- az login --service-principal -u ${{ secrets.AZURE_CLIENT_ID }} -p ${{ secrets.AZURE_CLIENT_SECRET }} --tenant ${{ secrets.AZURE_TENANT_ID }}
- az account set --subscription ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+ uses: azure/login@v2
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 - name: Install dependencies
 run: |
diff --git a/.github/workflows/test-automation.yml b/.github/workflows/test-automation.yml
index 0982bab4..4a893c4c 100644
--- a/.github/workflows/test-automation.yml
+++ b/.github/workflows/test-automation.yml
@@ -1,5 +1,9 @@
 name: Test Automation MACAE
+permissions:
+ id-token: write
+ contents: read
+
 on:
 workflow_dispatch:
 workflow_call:
@@ -26,6 +30,7 @@ on:
 jobs:
 test:
 runs-on: ubuntu-latest
+ environment: production
 env:
 MACAE_WEB_URL: ${{ inputs.MACAE_WEB_URL }}
 MACAE_URL_API: ${{ inputs.MACAE_URL_API }}
@@ -45,7 +50,9 @@ jobs:
 - name: Azure CLI Login
 uses: azure/login@v2
 with:
- creds: '{"clientId":"${{ secrets.AZURE_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZURE_TENANT_ID }}"}'
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 # - name: Start Container App
 # uses: azure/cli@v2
diff --git a/infra/scripts/checkquota.sh b/infra/scripts/checkquota.sh
index 6fcb6461..b7981571 100644
--- a/infra/scripts/checkquota.sh
+++ b/infra/scripts/checkquota.sh
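Review bot: test-automation-v2.yml switches this step to `azure/login@v2` with OIDC inputs, but neither hunk adds `id-token: write`, and the file's diffstat count of 9 is fully accounted for by the two hunks shown (6 added, 3 removed). Unless the workflow already carries that permission outside the hunks, or is only ever invoked by a caller that grants it, the default `GITHUB_TOKEN` has `id-token: none` and the login will be refused at token request time. test-automation.yml in the same commit does it right — `permissions:` / `  id-token: write` / `  contents: read` at the top of the file — and the same three lines are needed here.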
@@ -7,16 +7,6 @@ SUBSCRIPTION_ID="${AZURE_SUBSCRIPTION_ID}" GPT_MIN_CAPACITY="${GPT_MIN_CAPACITY}" O4_MINI_MIN_CAPACITY="${O4_MINI_MIN_CAPACITY}" GPT41_MINI_MIN_CAPACITY="${GPT41_MINI_MIN_CAPACITY}" -AZURE_CLIENT_ID="${AZURE_CLIENT_ID}" -AZURE_TENANT_ID="${AZURE_TENANT_ID}" -AZURE_CLIENT_SECRET="${AZURE_CLIENT_SECRET}" - -# Authenticate using Managed Identity -echo "Authentication using Managed Identity..." -if ! az login --service-principal -u "$AZURE_CLIENT_ID" -p "$AZURE_CLIENT_SECRET" --tenant "$AZURE_TENANT_ID"; then - echo "❌ Error: Failed to login using Managed Identity." - exit 1 -fi echo "🔄 Validating required environment variables..." if [[ -z "$SUBSCRIPTION_ID" || -z "$REGIONS" ]]; then From f62a140779d19ebb260e8f7dfa8534f2446206b8 Mon Sep 17 00:00:00 2001 From: Vamshi-Microsoft Date: Mon, 23 Feb 2026 14:03:19 +0530 Subject: [PATCH 2/3] Added runner_os input (Deployment Environment) and Deleted deploy-windows.yml since it's no longer needed --- .../{deploy-linux.yml => deploy-v2.yml} | 29 +- .github/workflows/deploy-windows.yml | 273 ------------------ 2 files changed, 27 insertions(+), 275 deletions(-) rename .github/workflows/{deploy-linux.yml => deploy-v2.yml} (91%) delete mode 100644 .github/workflows/deploy-windows.yml diff --git a/.github/workflows/deploy-linux.yml b/.github/workflows/deploy-v2.yml similarity index 91% rename from .github/workflows/deploy-linux.yml rename to .github/workflows/deploy-v2.yml index e41489f0..2d7234d6 100644 --- a/.github/workflows/deploy-linux.yml +++ b/.github/workflows/deploy-v2.yml @@ -1,4 +1,4 @@ -name: Deploy-Test-Cleanup (v2) Linux +name: Deploy-Test-Cleanup (v2) permissions: id-token: write @@ -15,6 +15,14 @@ on: - hotfix workflow_dispatch: inputs: + runner_os: + description: 'Deployment Environment' + required: false + type: choice + options: + - 'codespace' + - 'Local' + default: 'codespace' azure_location: description: 'Azure Location For Deployment' required: false 
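Review bot: Dropping the `az login` block also drops the script's only check that an Azure CLI session exists, so a caller that forgets to log in first now fails later inside a quota query with a less obvious error. A fail-fast guard in its place keeps the contract explicit: `# Expects an authenticated az CLI session (the workflows log in via azure/login before calling this script).` followed by `az account show >/dev/null 2>&1 || { echo "❌ Error: no active Azure CLI session; log in before running checkquota.sh."; exit 1; }`. The enclosing script continues outside the hunk.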
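Review bot: The new `runner_os` input is described as 'Deployment Environment' and offers the values 'codespace' and 'Local', but nothing at the input tells the person dispatching the workflow that these resolve to `ubuntu-latest` and `windows-latest` — that mapping only lives in the validate step's shell later in the file. Spell it out in the description, e.g. `description: 'Deployment Environment (codespace = ubuntu-latest runner, Local = windows-latest runner)'`, and consider matching the case of the two options, since 'Local' is compared exactly in the validation script.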
@@ -91,6 +99,7 @@ jobs: runs-on: ubuntu-latest outputs: validation_passed: ${{ steps.validate.outputs.passed }} + runner_os: ${{ steps.validate.outputs.runner_os }} azure_location: ${{ steps.validate.outputs.azure_location }} resource_group_name: ${{ steps.validate.outputs.resource_group_name }} waf_enabled: ${{ steps.validate.outputs.waf_enabled }} @@ -106,6 +115,7 @@ jobs: id: validate shell: bash env: + INPUT_RUNNER_OS: ${{ github.event.inputs.runner_os }} INPUT_AZURE_LOCATION: ${{ github.event.inputs.azure_location }} INPUT_RESOURCE_GROUP_NAME: ${{ github.event.inputs.resource_group_name }} INPUT_WAF_ENABLED: ${{ github.event.inputs.waf_enabled }} @@ -119,6 +129,20 @@ jobs: run: | echo "🔍 Validating workflow input parameters..." VALIDATION_FAILED=false + + # Resolve runner_os from Deployment Environment selection + DEPLOY_ENV="${INPUT_RUNNER_OS:-codespace}" + if [[ "$DEPLOY_ENV" == "codespace" ]]; then + RUNNER_OS="ubuntu-latest" + echo "✅ Deployment Environment: 'codespace' → runner: ubuntu-latest" + elif [[ "$DEPLOY_ENV" == "Local" ]]; then + RUNNER_OS="windows-latest" + echo "✅ Deployment Environment: 'Local' → runner: windows-latest" + else + echo "❌ ERROR: Deployment Environment must be 'codespace' or 'Local', got: '$DEPLOY_ENV'" + VALIDATION_FAILED=true + RUNNER_OS="ubuntu-latest" + fi # Validate azure_location (Azure region format) LOCATION="${INPUT_AZURE_LOCATION:-australiaeast}" @@ -242,6 +266,7 @@ jobs: # Output validated values echo "passed=true" >> $GITHUB_OUTPUT + echo "runner_os=$RUNNER_OS" >> $GITHUB_OUTPUT echo "azure_location=$LOCATION" >> $GITHUB_OUTPUT echo "resource_group_name=$INPUT_RESOURCE_GROUP_NAME" >> $GITHUB_OUTPUT echo "waf_enabled=$WAF_ENABLED" >> $GITHUB_OUTPUT 
@@ -258,7 +283,7 @@ jobs: if: needs.validate-inputs.outputs.validation_passed == 'true' uses: ./.github/workflows/deploy-orchestrator.yml with: - runner_os: ubuntu-latest + runner_os: ${{ needs.validate-inputs.outputs.runner_os || 'ubuntu-latest' }} azure_location: ${{ needs.validate-inputs.outputs.azure_location || 'australiaeast' }} resource_group_name: ${{ needs.validate-inputs.outputs.resource_group_name || '' }} waf_enabled: ${{ needs.validate-inputs.outputs.waf_enabled == 'true' }} diff --git a/.github/workflows/deploy-windows.yml b/.github/workflows/deploy-windows.yml deleted file mode 100644 index c666eec4..00000000 --- a/.github/workflows/deploy-windows.yml +++ /dev/null 
@@ -1,273 +0,0 @@ -name: Deploy-Test-Cleanup (v2) Windows - -permissions: - id-token: write - contents: read - actions: read -on: - # workflow_run: - # workflows: ["Build Docker and Optional Push v3"] - # types: - # - completed - # branches: - # - main - # - dev-v3 - # - hotfix - workflow_dispatch: - inputs: - azure_location: - description: 'Azure Location For Deployment' - required: false - default: 'australiaeast' - type: choice - options: - - 'australiaeast' - - 'centralus' - - 'eastasia' - - 'eastus2' - - 'japaneast' - - 'northeurope' - - 'southeastasia' - - 'uksouth' - resource_group_name: - description: 'Resource Group Name (Optional)' - required: false - default: '' - type: string - - waf_enabled: - description: 'Enable WAF' - required: false - default: false - type: boolean - EXP: - description: 'Enable EXP' - required: false - default: false - type: boolean - build_docker_image: - description: 'Build & Push Docker Image (Optional)' - required: false - default: false - type: boolean - - cleanup_resources: - description: 'Cleanup Deployed Resources' - required: false - default: false - type: boolean - - run_e2e_tests: - description: 'Run End-to-End Tests' - required: false - default: 'GoldenPath-Testing' - type: choice - options: - - 'GoldenPath-Testing' - - 'Smoke-Testing' - - 'None' - - AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID: - description: 'Log Analytics Workspace ID (Optional)' - required: false - default: '' - type: string - AZURE_EXISTING_AI_PROJECT_RESOURCE_ID: - description: 'AI Project Resource ID (Optional)' - required: false - default: '' - type: string - existing_webapp_url: - description: 'Existing WebApp URL (Skips Deployment)' - required: false - default: '' - type: string - - # schedule: - # - cron: '0 11,23 * * *' # Runs at 11:00 AM and 11:00 PM GMT - -jobs: - validate-inputs: - runs-on: ubuntu-latest - outputs: - validation_passed: ${{ steps.validate.outputs.passed }} - azure_location: ${{ steps.validate.outputs.azure_location }} - 
resource_group_name: ${{ steps.validate.outputs.resource_group_name }} - waf_enabled: ${{ steps.validate.outputs.waf_enabled }} - exp: ${{ steps.validate.outputs.exp }} - build_docker_image: ${{ steps.validate.outputs.build_docker_image }} - cleanup_resources: ${{ steps.validate.outputs.cleanup_resources }} - run_e2e_tests: ${{ steps.validate.outputs.run_e2e_tests }} - azure_env_log_analytics_workspace_id: ${{ steps.validate.outputs.azure_env_log_analytics_workspace_id }} - azure_existing_ai_project_resource_id: ${{ steps.validate.outputs.azure_existing_ai_project_resource_id }} - existing_webapp_url: ${{ steps.validate.outputs.existing_webapp_url }} - steps: - - name: Validate Workflow Input Parameters - id: validate - shell: bash - env: - INPUT_AZURE_LOCATION: ${{ github.event.inputs.azure_location }} - INPUT_RESOURCE_GROUP_NAME: ${{ github.event.inputs.resource_group_name }} - INPUT_WAF_ENABLED: ${{ github.event.inputs.waf_enabled }} - INPUT_EXP: ${{ github.event.inputs.EXP }} - INPUT_BUILD_DOCKER_IMAGE: ${{ github.event.inputs.build_docker_image }} - INPUT_CLEANUP_RESOURCES: ${{ github.event.inputs.cleanup_resources }} - INPUT_RUN_E2E_TESTS: ${{ github.event.inputs.run_e2e_tests }} - INPUT_AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID: ${{ github.event.inputs.AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID }} - INPUT_AZURE_EXISTING_AI_PROJECT_RESOURCE_ID: ${{ github.event.inputs.AZURE_EXISTING_AI_PROJECT_RESOURCE_ID }} - INPUT_EXISTING_WEBAPP_URL: ${{ github.event.inputs.existing_webapp_url }} - run: | - echo "🔍 Validating workflow input parameters..." - VALIDATION_FAILED=false - - # Validate azure_location (Azure region format) - LOCATION="${INPUT_AZURE_LOCATION:-australiaeast}" - - if [[ ! "$LOCATION" =~ ^[a-z0-9]+$ ]]; then - echo "❌ ERROR: azure_location '$LOCATION' is invalid. 
Must contain only lowercase letters and numbers" - VALIDATION_FAILED=true - else - echo "✅ azure_location: '$LOCATION' is valid" - fi - - # Validate resource_group_name (Azure naming convention, optional) - if [[ -n "$INPUT_RESOURCE_GROUP_NAME" ]]; then - if [[ ! "$INPUT_RESOURCE_GROUP_NAME" =~ ^[a-zA-Z0-9._\(\)-]+$ ]] || [[ "$INPUT_RESOURCE_GROUP_NAME" =~ \.$ ]]; then - echo "❌ ERROR: resource_group_name '$INPUT_RESOURCE_GROUP_NAME' is invalid. Must contain only alphanumerics, periods, underscores, hyphens, and parentheses. Cannot end with period." - VALIDATION_FAILED=true - elif [[ ${#INPUT_RESOURCE_GROUP_NAME} -gt 90 ]]; then - echo "❌ ERROR: resource_group_name '$INPUT_RESOURCE_GROUP_NAME' exceeds 90 characters (length: ${#INPUT_RESOURCE_GROUP_NAME})" - VALIDATION_FAILED=true - else - echo "✅ resource_group_name: '$INPUT_RESOURCE_GROUP_NAME' is valid" - fi - else - echo "✅ resource_group_name: Not provided (will be auto-generated)" - fi - - # Validate waf_enabled (boolean) - WAF_ENABLED="${INPUT_WAF_ENABLED:-false}" - if [[ "$WAF_ENABLED" != "true" && "$WAF_ENABLED" != "false" ]]; then - echo "❌ ERROR: waf_enabled must be 'true' or 'false', got: '$WAF_ENABLED'" - VALIDATION_FAILED=true - else - echo "✅ waf_enabled: '$WAF_ENABLED' is valid" - fi - - # Validate EXP (boolean) - EXP_ENABLED="${INPUT_EXP:-false}" - if [[ "$EXP_ENABLED" != "true" && "$EXP_ENABLED" != "false" ]]; then - echo "❌ ERROR: EXP must be 'true' or 'false', got: '$EXP_ENABLED'" - VALIDATION_FAILED=true - else - echo "✅ EXP: '$EXP_ENABLED' is valid" - fi - - # Validate build_docker_image (boolean) - BUILD_DOCKER="${INPUT_BUILD_DOCKER_IMAGE:-false}" - if [[ "$BUILD_DOCKER" != "true" && "$BUILD_DOCKER" != "false" ]]; then - echo "❌ ERROR: build_docker_image must be 'true' or 'false', got: '$BUILD_DOCKER'" - VALIDATION_FAILED=true - else - echo "✅ build_docker_image: '$BUILD_DOCKER' is valid" - fi - - # Validate cleanup_resources (boolean) - CLEANUP_RESOURCES="${INPUT_CLEANUP_RESOURCES:-false}" - 
if [[ "$CLEANUP_RESOURCES" != "true" && "$CLEANUP_RESOURCES" != "false" ]]; then - echo "❌ ERROR: cleanup_resources must be 'true' or 'false', got: '$CLEANUP_RESOURCES'" - VALIDATION_FAILED=true - else - echo "✅ cleanup_resources: '$CLEANUP_RESOURCES' is valid" - fi - - # Validate run_e2e_tests (specific allowed values) - TEST_OPTION="${INPUT_RUN_E2E_TESTS:-GoldenPath-Testing}" - if [[ "$TEST_OPTION" != "GoldenPath-Testing" && "$TEST_OPTION" != "Smoke-Testing" && "$TEST_OPTION" != "None" ]]; then - echo "❌ ERROR: run_e2e_tests must be one of: GoldenPath-Testing, Smoke-Testing, None, got: '$TEST_OPTION'" - VALIDATION_FAILED=true - else - echo "✅ run_e2e_tests: '$TEST_OPTION' is valid" - fi - - # Validate AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID (optional, Azure Resource ID format) - if [[ -n "$INPUT_AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID" ]]; then - if [[ ! "$INPUT_AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID" =~ ^/subscriptions/[a-fA-F0-9-]+/[Rr]esource[Gg]roups/[^/]+/providers/[Mm]icrosoft\.[Oo]perational[Ii]nsights/[Ww]orkspaces/[^/]+$ ]]; then - echo "❌ ERROR: AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID is invalid. Must be a valid Azure Resource ID format:" - echo " /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}" - echo " Got: '$INPUT_AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID'" - VALIDATION_FAILED=true - else - echo "✅ AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID: Valid Resource ID format" - fi - else - echo "✅ AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID: Not provided (optional)" - fi - - # Validate AZURE_EXISTING_AI_PROJECT_RESOURCE_ID (optional, Azure Resource ID format) - if [[ -n "$INPUT_AZURE_EXISTING_AI_PROJECT_RESOURCE_ID" ]]; then - if [[ ! 
"$INPUT_AZURE_EXISTING_AI_PROJECT_RESOURCE_ID" =~ ^/subscriptions/[a-fA-F0-9-]+/[Rr]esource[Gg]roups/[^/]+/providers/([Mm]icrosoft\.[Mm]achine[Ll]earning[Ss]ervices/([Ww]orkspaces|[Pp]rojects)/[^/]+|[Mm]icrosoft\.[Cc]ognitive[Ss]ervices/[Aa]ccounts/[^/]+/[Pp]rojects/[^/]+)$ ]]; then - echo "❌ ERROR: AZURE_EXISTING_AI_PROJECT_RESOURCE_ID is invalid. Must be a valid Azure Resource ID format:" - echo " /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.CognitiveServices/accounts/{accountName}/projects/{projectName}" - echo " Got: '$INPUT_AZURE_EXISTING_AI_PROJECT_RESOURCE_ID'" - VALIDATION_FAILED=true - else - echo "✅ AZURE_EXISTING_AI_PROJECT_RESOURCE_ID: Valid Resource ID format" - fi - else - echo "✅ AZURE_EXISTING_AI_PROJECT_RESOURCE_ID: Not provided (optional)" - fi - - # Validate existing_webapp_url (optional, must start with https) - if [[ -n "$INPUT_EXISTING_WEBAPP_URL" ]]; then - if [[ ! "$INPUT_EXISTING_WEBAPP_URL" =~ ^https:// ]]; then - echo "❌ ERROR: existing_webapp_url must start with 'https://', got: '$INPUT_EXISTING_WEBAPP_URL'" - VALIDATION_FAILED=true - else - echo "✅ existing_webapp_url: '$INPUT_EXISTING_WEBAPP_URL' is valid" - fi - else - echo "✅ existing_webapp_url: Not provided (will perform deployment)" - fi - - # Fail workflow if any validation failed - if [[ "$VALIDATION_FAILED" == "true" ]]; then - echo "" - echo "❌ Parameter validation failed. Please correct the errors above and try again." - exit 1 - fi - - echo "" - echo "✅ All input parameters validated successfully!" 
- - # Output validated values - echo "passed=true" >> $GITHUB_OUTPUT - echo "azure_location=$LOCATION" >> $GITHUB_OUTPUT - echo "resource_group_name=$INPUT_RESOURCE_GROUP_NAME" >> $GITHUB_OUTPUT - echo "waf_enabled=$WAF_ENABLED" >> $GITHUB_OUTPUT - echo "exp=$EXP_ENABLED" >> $GITHUB_OUTPUT - echo "build_docker_image=$BUILD_DOCKER" >> $GITHUB_OUTPUT - echo "cleanup_resources=$CLEANUP_RESOURCES" >> $GITHUB_OUTPUT - echo "run_e2e_tests=$TEST_OPTION" >> $GITHUB_OUTPUT - echo "azure_env_log_analytics_workspace_id=$INPUT_AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID" >> $GITHUB_OUTPUT - echo "azure_existing_ai_project_resource_id=$INPUT_AZURE_EXISTING_AI_PROJECT_RESOURCE_ID" >> $GITHUB_OUTPUT - echo "existing_webapp_url=$INPUT_EXISTING_WEBAPP_URL" >> $GITHUB_OUTPUT - - Run: - needs: validate-inputs - if: needs.validate-inputs.outputs.validation_passed == 'true' - uses: ./.github/workflows/deploy-orchestrator.yml - with: - runner_os: windows-latest - azure_location: ${{ needs.validate-inputs.outputs.azure_location || 'australiaeast' }} - resource_group_name: ${{ needs.validate-inputs.outputs.resource_group_name || '' }} - waf_enabled: ${{ needs.validate-inputs.outputs.waf_enabled == 'true' }} - EXP: ${{ needs.validate-inputs.outputs.exp == 'true' }} - build_docker_image: ${{ needs.validate-inputs.outputs.build_docker_image == 'true' }} - cleanup_resources: ${{ needs.validate-inputs.outputs.cleanup_resources == 'true' }} - run_e2e_tests: ${{ needs.validate-inputs.outputs.run_e2e_tests || 'GoldenPath-Testing' }} - AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID: ${{ needs.validate-inputs.outputs.azure_env_log_analytics_workspace_id || '' }} - AZURE_EXISTING_AI_PROJECT_RESOURCE_ID: ${{ needs.validate-inputs.outputs.azure_existing_ai_project_resource_id || '' }} - existing_webapp_url: ${{ needs.validate-inputs.outputs.existing_webapp_url || '' }} - trigger_type: ${{ github.event_name }} - secrets: inherit From 832d9f0a9e95560b0cc17e5bc8db90976465b353 Mon Sep 17 00:00:00 2001 
From: Vamshi-Microsoft Date: Mon, 23 Feb 2026 15:11:40 +0530 Subject: [PATCH 3/3] Removed skip markers from multiple test functions in test_MACAE_Smoke_test.py --- tests/e2e-test/tests/test_MACAE_Smoke_test.py | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/tests/e2e-test/tests/test_MACAE_Smoke_test.py b/tests/e2e-test/tests/test_MACAE_Smoke_test.py index e3f0b39c..4ea37b8e 100644 --- a/tests/e2e-test/tests/test_MACAE_Smoke_test.py +++ b/tests/e2e-test/tests/test_MACAE_Smoke_test.py @@ -11,7 +11,6 @@ logger = logging.getLogger(__name__) -@pytest.mark.skip(reason="Skipping - running only test_cross_team_agent_validation") @pytest.mark.gp def test_macae_v4_gp_workflow(login_logout, request): """ @@ -449,7 +448,6 @@ def test_macae_v4_gp_workflow(login_logout, request): raise -@pytest.mark.skip(reason="Skipping - running only test_cross_team_agent_validation") def test_validate_source_text_not_visible(login_logout, request): """ Validate that source text is not visible after retail customer response. @@ -577,7 +575,6 @@ def test_validate_source_text_not_visible(login_logout, request): raise -@pytest.mark.skip(reason="Skipping - running only test_cross_team_agent_validation") def test_rai_validation_unable_to_create_plan(login_logout, request): """ Validate RAI (Responsible AI) validation for 'Unable to create plan' message across all 5 teams. @@ -770,7 +767,6 @@ def test_rai_validation_unable_to_create_plan(login_logout, request): raise -@pytest.mark.skip(reason="Skipping - running only test_cross_team_agent_validation") def test_rai_validation_in_clarification(login_logout, request): """ Validate RAI (Responsible AI) validation for 'Unable to create plan' message in clarification input. 
@@ -896,7 +892,6 @@ def test_rai_validation_in_clarification(login_logout, request): raise -@pytest.mark.skip(reason="Skipping - running only test_cross_team_agent_validation") def test_cancel_button_all_teams(login_logout, request): """ Validate cancel button functionality across all 5 teams. @@ -1093,7 +1088,6 @@ def test_cancel_button_all_teams(login_logout, request): raise -@pytest.mark.skip(reason="Skipping - running only test_cross_team_agent_validation") @pytest.mark.cancel def test_cancel_functionality_all_teams(login_logout, request): """ @@ -1264,7 +1258,6 @@ def test_cancel_functionality_all_teams(login_logout, request): raise -@pytest.mark.skip(reason="Skipping - running only test_cross_team_agent_validation") @pytest.mark.rai def test_rai_prompt_in_clarification(login_logout, request): """ @@ -1366,7 +1359,6 @@ def test_rai_prompt_in_clarification(login_logout, request): raise -@pytest.mark.skip(reason="Skipping - running only test_cross_team_agent_validation") @pytest.mark.rai def test_rai_prompts_all_teams(login_logout, request): """ @@ -1492,7 +1484,6 @@ def test_rai_prompts_all_teams(login_logout, request): raise -@pytest.mark.skip(reason="Skipping - running only test_cross_team_agent_validation") @pytest.mark.input_validation def test_chat_input_validation(login_logout, request): """ @@ -1609,7 +1600,6 @@ def test_chat_input_validation(login_logout, request): raise -@pytest.mark.skip(reason="Skipping - running only test_cross_team_agent_validation") @pytest.mark.duplicate_teams def test_duplicate_team_entries(login_logout, request): """