Merge pull request #363 from microsoft/main

fix: downmerge from main to dev

Author: Roopan-Microsoft

.github/workflows/azure-dev.yml

@@ -24,7 +24,6 @@ jobs:
         id: validation 
         env: 
           AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} 
-          AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} 
           AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} 
           AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} 
           AZURE_ENV_NAME: ${{ secrets.AZURE_ENV_NAME }} 

.github/workflows/build-docker-images.yml

@@ -2,6 +2,7 @@ name: Build Docker and Optional Push
 permissions:
   contents: read
   actions: read
+  id-token: write
 on:
   push:
     branches:
@@ -50,15 +51,11 @@ jobs:
         include:
           - app_name: cmsabackend
             dockerfile: docker/Backend.Dockerfile
-            password_secret: DOCKER_PASSWORD
           - app_name: cmsafrontend
             dockerfile: docker/Frontend.Dockerfile
-            password_secret: DOCKER_PASSWORD
     uses: ./.github/workflows/build-docker.yml
     with:
       registry: cmsacontainerreg.azurecr.io
-      username: cmsacontainerreg
-      password_secret: ${{ matrix.password_secret }}
       app_name: ${{ matrix.app_name }}
       dockerfile: ${{ matrix.dockerfile }}
       push: ${{ github.ref_name == 'main' || github.ref_name == 'dev' || github.ref_name == 'demo' || github.ref_name == 'hotfix' }}

.github/workflows/build-docker.yml

@@ -6,12 +6,6 @@ on:
       registry:
         required: true
         type: string
-      username:
-        required: true
-        type: string
-      password_secret:
-        required: true
-        type: string
       app_name:
         required: true
         type: string
@@ -21,25 +15,27 @@ on:
       push:
         required: true
         type: boolean
-    secrets:
-      DOCKER_PASSWORD:
-        required: false
 
 jobs:
   docker-build:
     runs-on: ubuntu-latest
+    environment: production
     steps:
 
     - name: Checkout
       uses: actions/checkout@v6
 
-    - name: Docker Login
+    - name: Login to Azure
       if: ${{ inputs.push }}
-      uses: docker/login-action@v3
+      uses: azure/login@v2
       with:
-        registry: ${{ inputs.registry }}
-        username: ${{ inputs.username }}
-        password: ${{ secrets[inputs.password_secret] }}
+        client-id: ${{ secrets.AZURE_CLIENT_ID }}
+        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+    - name: Login to ACR
+      if: ${{ inputs.push }}
+      run: az acr login --name ${{ inputs.registry }}
 
     - name: Set up Docker Buildx
       uses: docker/setup-buildx-action@v3

.github/workflows/deploy-orchestrator.yml

@@ -1,9 +1,5 @@
 name: Deployment orchestrator
 
-permissions:
-  contents: read
-  actions: read
-
 on:
   workflow_call:
     inputs:

.github/workflows/deploy-linux.yml .github/workflows/deploy-v2.yml.github/workflows/deploy-linux.yml renamed to .github/workflows/deploy-v2.yml

@@ -1,7 +1,8 @@
-name: Deploy-Test-Cleanup (v2) Linux
+name: Deploy-Test-Cleanup (v2)
 permissions:
   contents: read
   actions: read
+  id-token: write
 on:
   workflow_run:
       workflows: ["Build Docker and Optional Push"]
@@ -13,6 +14,14 @@ on:
         - demo
   workflow_dispatch:
     inputs:
+      runner_os:
+        description: 'Deployment Environment'
+        required: false
+        type: choice
+        options:
+          - 'codespace'
+          - 'Local'
+        default: 'codespace'
       azure_location:
         description: 'Azure Location For Deployment'
         required: false
@@ -85,6 +94,7 @@ jobs:
     runs-on: ubuntu-latest
     outputs:
       validation_passed: ${{ steps.validate.outputs.passed }}
+      runner_os: ${{ steps.validate.outputs.runner_os }}
       azure_location: ${{ steps.validate.outputs.azure_location }}
       resource_group_name: ${{ steps.validate.outputs.resource_group_name }}
       waf_enabled: ${{ steps.validate.outputs.waf_enabled }}
@@ -100,6 +110,7 @@ jobs:
         id: validate
         shell: bash
         env:
+          INPUT_RUNNER_OS: ${{ github.event.inputs.runner_os }}
           INPUT_AZURE_LOCATION: ${{ github.event.inputs.azure_location }}
           INPUT_RESOURCE_GROUP_NAME: ${{ github.event.inputs.resource_group_name }}
           INPUT_WAF_ENABLED: ${{ github.event.inputs.waf_enabled }}
@@ -114,6 +125,20 @@ jobs:
           echo "🔍 Validating workflow input parameters..."
           VALIDATION_FAILED=false
           
+          # Validate runner_os (Deployment Environment)
+          RUNNER_INPUT="${INPUT_RUNNER_OS:-codespace}"
+          if [[ "$RUNNER_INPUT" == "codespace" ]]; then
+            RUNNER_OS="ubuntu-latest"
+            echo "✅ runner_os: '$RUNNER_INPUT' → ubuntu-latest"
+          elif [[ "$RUNNER_INPUT" == "Local" ]]; then
+            RUNNER_OS="windows-latest"
+            echo "✅ runner_os: '$RUNNER_INPUT' → windows-latest"
+          else
+            echo "❌ ERROR: runner_os must be 'codespace' or 'Local', got: '$RUNNER_INPUT'"
+            VALIDATION_FAILED=true
+            RUNNER_OS="ubuntu-latest"
+          fi
+          
           # Validate azure_location (Azure region format)
           LOCATION="${INPUT_AZURE_LOCATION:-australiaeast}"
           
@@ -236,6 +261,7 @@ jobs:
           
           # Output validated values
           echo "passed=true" >> $GITHUB_OUTPUT
+          echo "runner_os=$RUNNER_OS" >> $GITHUB_OUTPUT
           echo "azure_location=$LOCATION" >> $GITHUB_OUTPUT
           echo "resource_group_name=$INPUT_RESOURCE_GROUP_NAME" >> $GITHUB_OUTPUT
           echo "waf_enabled=$WAF_ENABLED" >> $GITHUB_OUTPUT
@@ -252,7 +278,7 @@ jobs:
     if: needs.validate-inputs.outputs.validation_passed == 'true'
     uses: ./.github/workflows/deploy-orchestrator.yml
     with:
-      runner_os: ubuntu-latest
+      runner_os: ${{ needs.validate-inputs.outputs.runner_os || 'ubuntu-latest' }}
       azure_location: ${{ needs.validate-inputs.outputs.azure_location || 'australiaeast' }}
       resource_group_name: ${{ needs.validate-inputs.outputs.resource_group_name || '' }}
       waf_enabled: ${{ needs.validate-inputs.outputs.waf_enabled == 'true' }}