
Commit 4d78576

Merge pull request #541 from microsoft/psl-sm-integration
ci: Refactor pipeline, add oidc auth and integrate smoke testing automation
2 parents 66f6c82 + 8d0dc7e commit 4d78576

29 files changed

Lines changed: 2405 additions & 79 deletions

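--- a/.github/workflows/deploy-orchestrator.yml
+++ b/.github/workflows/deploy-orchestrator.yml
@@ -64,9 +64,7 @@ on:
 
 env:
 AZURE_DEV_COLLECT_TELEMETRY: ${{ vars.AZURE_DEV_COLLECT_TELEMETRY }}
-permissions:
-contents: read
-actions: read
+
 jobs:
 docker-build:
 uses: ./.github/workflows/job-docker-build.yml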
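Review bot: The reusable workflow's top-level `permissions` block is deleted rather than extended, so deploy-orchestrator.yml now receives whatever token scope its caller grants instead of declaring its own minimum. Since the OIDC change needs exactly one extra scope, restoring the block with `id-token: write` added beside `contents: read` and `actions: read` keeps least privilege enforced in the file that actually uses the token, and a called workflow can in any case only be granted equal or narrower scopes than its caller. The same deletion appears in job-cleanup-deployment.yml, job-deploy-linux.yml, job-deploy-windows.yml, job-deploy.yml and job-docker-build.yml. If inheriting from the caller is intentional, a one-line comment in place of the removed block, `# permissions inherited from the calling workflow; id-token: write is required for azure/login`, would record that decision.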
Lines changed: 29 additions & 3 deletions
@@ -1,4 +1,4 @@
1-
name: Deploy-Test-Cleanup (v2) Linux
1+
name: Deploy-Test-Cleanup (v2)
22
on:
33
push:
44
branches:
@@ -19,9 +19,17 @@ on:
1919
- 'src/ContentProcessorWeb/config-overrides.js'
2020
- 'src/ContentProcessorWeb/nginx-custom.conf'
2121
- 'src/ContentProcessorWeb/env.sh'
22-
- '.github/workflows/deploy-linux.yml'
22+
- '.github/workflows/deploy-v2.yml'
2323
workflow_dispatch:
2424
inputs:
25+
runner_os:
26+
description: 'Deployment Environment'
27+
required: false
28+
type: choice
29+
options:
30+
- 'codespace'
31+
- 'Local'
32+
default: 'codespace'
2533
azure_location:
2634
description: 'Azure Location For Deployment'
2735
required: false
@@ -95,11 +103,13 @@ on:
95103
permissions:
96104
contents: read
97105
actions: read
106+
id-token: write
98107
jobs:
99108
validate-inputs:
100109
runs-on: ubuntu-latest
101110
outputs:
102111
validation_passed: ${{ steps.validate.outputs.passed }}
112+
runner_os: ${{ steps.validate.outputs.runner_os }}
103113
azure_location: ${{ steps.validate.outputs.azure_location }}
104114
resource_group_name: ${{ steps.validate.outputs.resource_group_name }}
105115
waf_enabled: ${{ steps.validate.outputs.waf_enabled }}
@@ -125,9 +135,24 @@ jobs:
125135
INPUT_AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID: ${{ github.event.inputs.AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID }}
126136
INPUT_AZURE_EXISTING_AI_PROJECT_RESOURCE_ID: ${{ github.event.inputs.AZURE_EXISTING_AI_PROJECT_RESOURCE_ID }}
127137
INPUT_EXISTING_WEBAPP_URL: ${{ github.event.inputs.existing_webapp_url }}
138+
INPUT_RUNNER_OS: ${{ github.event.inputs.runner_os }}
128139
run: |
129140
echo "🔍 Validating workflow input parameters..."
130141
VALIDATION_FAILED=false
142+
143+
# Resolve runner_os from Deployment Environment selection
144+
DEPLOY_ENV="${INPUT_RUNNER_OS:-codespace}"
145+
if [[ "$DEPLOY_ENV" == "codespace" ]]; then
146+
RUNNER_OS="ubuntu-latest"
147+
echo "✅ Deployment Environment: 'codespace' → runner: ubuntu-latest"
148+
elif [[ "$DEPLOY_ENV" == "Local" ]]; then
149+
RUNNER_OS="windows-latest"
150+
echo "✅ Deployment Environment: 'Local' → runner: windows-latest"
151+
else
152+
echo "❌ ERROR: Deployment Environment must be 'codespace' or 'Local', got: '$DEPLOY_ENV'"
153+
VALIDATION_FAILED=true
154+
RUNNER_OS="ubuntu-latest"
155+
fi
131156
132157
# Validate azure_location (Azure region format)
133158
LOCATION="${INPUT_AZURE_LOCATION:-australiaeast}"
@@ -251,6 +276,7 @@ jobs:
251276
252277
# Output validated values
253278
echo "passed=true" >> $GITHUB_OUTPUT
279+
echo "runner_os=$RUNNER_OS" >> $GITHUB_OUTPUT
254280
echo "azure_location=$LOCATION" >> $GITHUB_OUTPUT
255281
echo "resource_group_name=$INPUT_RESOURCE_GROUP_NAME" >> $GITHUB_OUTPUT
256282
echo "waf_enabled=$WAF_ENABLED" >> $GITHUB_OUTPUT
@@ -267,7 +293,7 @@ jobs:
267293
if: needs.validate-inputs.outputs.validation_passed == 'true'
268294
uses: ./.github/workflows/deploy-orchestrator.yml
269295
with:
270-
runner_os: ubuntu-latest
296+
runner_os: ${{ needs.validate-inputs.outputs.runner_os || 'ubuntu-latest' }}
271297
azure_location: ${{ needs.validate-inputs.outputs.azure_location || 'australiaeast' }}
272298
resource_group_name: ${{ needs.validate-inputs.outputs.resource_group_name || '' }}
273299
waf_enabled: ${{ needs.validate-inputs.outputs.waf_enabled == 'true' }}
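Review bot: The `id-token: write` added at workflow level is granted to every job, including validate-inputs, whose only work is the shell validation shown in this section and which never contacts Azure. Moving the scope onto the job that calls deploy-orchestrator.yml, as a job-level `permissions:` carrying `id-token: write` together with `contents: read` and `actions: read`, confines OIDC token minting to the job that needs it; deploy-windows.yml and deploy.yml add the scope at workflow level in the same way. The file header for this section is missing from the page, and the paths filter in the first hunk suggests it is deploy-v2.yml. Both the validate-inputs `run:` script and the job that invokes the orchestrator continue outside the visible hunks.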

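--- a/.github/workflows/deploy-windows.yml
+++ b/.github/workflows/deploy-windows.yml
@@ -78,6 +78,7 @@ on:
 permissions:
 contents: read
 actions: read
+id-token: write
 jobs:
 validate-inputs:
 runs-on: ubuntu-latest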

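--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -17,9 +17,11 @@ on:
 permissions:
 contents: read
 actions: read
+id-token: write
 jobs:
 deploy:
 runs-on: ubuntu-latest
+environment: production
 outputs:
 RESOURCE_GROUP_NAME: ${{ steps.generate_rg_name.outputs.RESOURCE_GROUP_NAME }}
 CONTAINER_WEB_APPURL: ${{ steps.get_output.outputs.CONTAINER_WEB_APPURL }}
@@ -34,16 +36,15 @@ jobs:
 uses: actions/checkout@v5
 
 - name: Login to Azure
-run: |
-az login --service-principal -u ${{ secrets.AZURE_CLIENT_ID }} -p ${{ secrets.AZURE_CLIENT_SECRET }} --tenant ${{ secrets.AZURE_TENANT_ID }}
-az account set --subscription ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+uses: azure/login@v2
+with:
+client-id: ${{ secrets.AZURE_CLIENT_ID }}
+tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
 - name: Run Quota Check
 id: quota-check
 env:
-AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
-AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
-AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
 AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 GPT_MIN_CAPACITY: "100"
 AZURE_REGIONS: ${{ vars.AZURE_REGIONS }}
@@ -268,6 +269,7 @@ jobs:
 if: always()
 needs: [deploy, e2e-test]
 runs-on: ubuntu-latest
+environment: production
 env:
 RESOURCE_GROUP_NAME: ${{ needs.deploy.outputs.RESOURCE_GROUP_NAME }}
 AI_SERVICES_NAME: ${{ needs.deploy.outputs.AI_SERVICES_NAME }}
@@ -276,9 +278,11 @@ jobs:
 ENVIRONMENT_NAME: ${{ needs.deploy.outputs.ENVIRONMENT_NAME }}
 steps:
 - name: Login to Azure
-run: |
-az login --service-principal -u ${{ secrets.AZURE_CLIENT_ID }} -p ${{ secrets.AZURE_CLIENT_SECRET }} --tenant ${{ secrets.AZURE_TENANT_ID }}
-az account set --subscription ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+uses: azure/login@v2
+with:
+client-id: ${{ secrets.AZURE_CLIENT_ID }}
+tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
 - name: Delete Bicep Deployment
 if: always()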
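Review bot: The Run Quota Check step keeps only `AZURE_SUBSCRIPTION_ID` in its `env:` after `AZURE_CLIENT_ID`, `AZURE_TENANT_ID` and `AZURE_CLIENT_SECRET` are dropped; if the script it runs (not shown here) still reads the first two for anything besides the old `az login`, it will now see empty strings rather than fail loudly, so that is worth confirming. A comment on the step, `# Authenticated by the azure/login step above; no credential env vars needed`, would record the intended dependency. The same env reduction appears in job-deploy.yml. Separately, `environment: production` on both jobs presumably pairs with a federated credential whose subject claim names that environment, and it also subjects the jobs to any protection rules configured there; a comment above `environment: production` stating that pairing would help the next maintainer.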

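--- a/.github/workflows/job-cleanup-deployment.yml
+++ b/.github/workflows/job-cleanup-deployment.yml
@@ -40,12 +40,11 @@ on:
 description: 'Docker Image Tag'
 required: true
 type: string
-permissions:
-contents: read
-actions: read
+
 jobs:
 cleanup-deployment:
 runs-on: ${{ inputs.runner_os }}
+environment: production
 continue-on-error: true
 env:
 RESOURCE_GROUP_NAME: ${{ inputs.RESOURCE_GROUP_NAME }}
@@ -201,10 +200,11 @@ jobs:
 echo "✅ All input parameters validated successfully!"
 
 - name: Login to Azure
-shell: bash
-run: |
-az login --service-principal -u ${{ secrets.AZURE_CLIENT_ID }} -p ${{ secrets.AZURE_CLIENT_SECRET }} --tenant ${{ secrets.AZURE_TENANT_ID }}
-az account set --subscription ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+uses: azure/login@v2
+with:
+client-id: ${{ secrets.AZURE_CLIENT_ID }}
+tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
 - name: Delete Resource Group (Optimized Cleanup)
 id: delete_rg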

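--- a/.github/workflows/job-deploy-linux.yml
+++ b/.github/workflows/job-deploy-linux.yml
@@ -38,12 +38,11 @@ on:
 CONTAINER_WEB_APPURL:
 description: "Container Web App URL"
 value: ${{ jobs.deploy-linux.outputs.CONTAINER_WEB_APPURL }}
-permissions:
-contents: read
-actions: read
+
 jobs:
 deploy-linux:
 runs-on: ubuntu-latest
+environment: production
 env:
 AZURE_DEV_COLLECT_TELEMETRY: ${{ vars.AZURE_DEV_COLLECT_TELEMETRY }}
 outputs:
@@ -200,13 +199,18 @@ jobs:
 - name: Install azd
 uses: Azure/setup-azd@v2
 
+- name: Login to Azure
+uses: azure/login@v2
+with:
+client-id: ${{ secrets.AZURE_CLIENT_ID }}
+tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
 - name: Login to AZD
 id: login-azure
 shell: bash
 run: |
-az login --service-principal -u ${{ secrets.AZURE_CLIENT_ID }} -p ${{ secrets.AZURE_CLIENT_SECRET }} --tenant ${{ secrets.AZURE_TENANT_ID }}
-az account set --subscription ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-azd auth login --client-id ${{ secrets.AZURE_CLIENT_ID }} --client-secret ${{ secrets.AZURE_CLIENT_SECRET }} --tenant-id ${{ secrets.AZURE_TENANT_ID }}
+azd auth login --client-id ${{ secrets.AZURE_CLIENT_ID }} --federated-credential-provider "github" --tenant-id ${{ secrets.AZURE_TENANT_ID }}
 
 - name: Deploy using azd up and extract values (Linux)
 id: get_output_linux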
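Review bot: In the Login to AZD step the client and tenant ids are still spliced into the shell script as `${{ secrets.* }}` expressions, while the new azure/login step passes the same values through `with:` and the quota-check steps elsewhere in this commit use `env:`. Exposing them as step environment variables, `AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}` and `AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}` under `env:`, and referencing them in the command as `"$AZURE_CLIENT_ID"` and `"$AZURE_TENANT_ID"`, keeps template expansion out of the script body and makes the step consistent with the rest of the file. The identical step exists in job-deploy-windows.yml. `azure/login@v2` follows the file's existing floating-major convention (`Azure/setup-azd@v2`); pinning to a commit SHA would be stricter but is a repository-wide choice rather than something to settle in this step.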

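--- a/.github/workflows/job-deploy-windows.yml
+++ b/.github/workflows/job-deploy-windows.yml
@@ -38,12 +38,11 @@ on:
 CONTAINER_WEB_APPURL:
 description: "Container Web App URL"
 value: ${{ jobs.deploy-windows.outputs.CONTAINER_WEB_APPURL }}
-permissions:
-contents: read
-actions: read
+
 jobs:
 deploy-windows:
 runs-on: windows-latest
+environment: production
 env:
 AZURE_DEV_COLLECT_TELEMETRY: ${{ vars.AZURE_DEV_COLLECT_TELEMETRY }}
 outputs:
@@ -200,13 +199,18 @@ jobs:
 - name: Setup Azure Developer CLI (Windows)
 uses: Azure/setup-azd@v2
 
+- name: Login to Azure
+uses: azure/login@v2
+with:
+client-id: ${{ secrets.AZURE_CLIENT_ID }}
+tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
 - name: Login to AZD
 id: login-azure
 shell: bash
 run: |
-az login --service-principal -u ${{ secrets.AZURE_CLIENT_ID }} -p ${{ secrets.AZURE_CLIENT_SECRET }} --tenant ${{ secrets.AZURE_TENANT_ID }}
-az account set --subscription ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-azd auth login --client-id ${{ secrets.AZURE_CLIENT_ID }} --client-secret ${{ secrets.AZURE_CLIENT_SECRET }} --tenant-id ${{ secrets.AZURE_TENANT_ID }}
+azd auth login --client-id ${{ secrets.AZURE_CLIENT_ID }} --federated-credential-provider "github" --tenant-id ${{ secrets.AZURE_TENANT_ID }}
 
 - name: Deploy using azd up and extract values (Windows)
 id: get_output_windows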

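--- a/.github/workflows/job-deploy.yml
+++ b/.github/workflows/job-deploy.yml
@@ -98,14 +98,13 @@ env:
 RUN_E2E_TESTS: ${{ inputs.trigger_type == 'workflow_dispatch' && (inputs.run_e2e_tests || 'GoldenPath-Testing') || 'GoldenPath-Testing' }}
 BUILD_DOCKER_IMAGE: ${{ inputs.trigger_type == 'workflow_dispatch' && (inputs.build_docker_image || false) || false }}
 RG_TAGS: ${{ vars.RG_TAGS }}
-permissions:
-contents: read
-actions: read
+
 jobs:
 azure-setup:
 name: Azure Setup
 if: inputs.trigger_type != 'workflow_dispatch' || inputs.existing_webapp_url == '' || inputs.existing_webapp_url == null
 runs-on: ubuntu-latest
+environment: production
 outputs:
 RESOURCE_GROUP_NAME: ${{ steps.check_create_rg.outputs.RESOURCE_GROUP_NAME }}
 ENV_NAME: ${{ steps.generate_env_name.outputs.ENV_NAME }}
@@ -318,17 +317,15 @@ jobs:
 uses: actions/checkout@v4
 
 - name: Login to Azure
-shell: bash
-run: |
-az login --service-principal -u ${{ secrets.AZURE_CLIENT_ID }} -p ${{ secrets.AZURE_CLIENT_SECRET }} --tenant ${{ secrets.AZURE_TENANT_ID }}
-az account set --subscription ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+uses: azure/login@v2
+with:
+client-id: ${{ secrets.AZURE_CLIENT_ID }}
+tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
 - name: Run Quota Check
 id: quota-check
 env:
-AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
-AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
-AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
 AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 GPT_MIN_CAPACITY: ${{ env.GPT_MIN_CAPACITY }}
 AZURE_REGIONS: ${{ vars.AZURE_REGIONS }}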

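--- a/.github/workflows/job-docker-build.yml
+++ b/.github/workflows/job-docker-build.yml
@@ -19,13 +19,12 @@ on:
 
 env:
 BRANCH_NAME: ${{ github.event.workflow_run.head_branch || github.head_ref || github.ref_name }}
-permissions:
-contents: read
-actions: read
+
 jobs:
 docker-build:
 if: inputs.trigger_type == 'workflow_dispatch' && inputs.build_docker_image == true
 runs-on: ubuntu-latest
+environment: production
 outputs:
 IMAGE_TAG: ${{ steps.generate_docker_tag.outputs.IMAGE_TAG }}
 steps:
@@ -49,12 +48,15 @@ jobs:
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v3
 
-- name: Log in to Azure Container Registry
-uses: azure/docker-login@v2
+- name: Log in to Azure
+uses: azure/login@v2
 with:
-login-server: ${{ secrets.ACR_TEST_LOGIN_SERVER }}
-username: ${{ secrets.ACR_TEST_USERNAME }}
-password: ${{ secrets.ACR_TEST_PASSWORD }}
+client-id: ${{ secrets.AZURE_CLIENT_ID }}
+tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+- name: Log in to Azure Container Registry
+run: az acr login --name ${{ secrets.ACR_TEST_LOGIN_SERVER }}
 
 - name: Build and Push ContentProcessor Docker image
 uses: docker/build-push-action@v6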
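Review bot: The new `run: az acr login --name ${{ secrets.ACR_TEST_LOGIN_SERVER }}` hands `--name` a value whose secret name suggests a login-server hostname rather than the registry name the option is documented to take; confirm the CLI resolves that form, or point the step at a secret or variable holding the plain registry name. The step also moves registry access from the removed username/password pair to the federated identity, which now needs a push-capable role on that registry; a comment such as `# Uses the azure/login OIDC session; the identity must hold AcrPush on this registry` would document the requirement. The login server itself is not sensitive, so carrying it as a repository variable rather than a secret would leave it visible in logs when the login fails.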
