Merge branch 'main' into add-security-insights

Author: vinayada1

.github/scripts/monitor-remote-workflow.mjs

@@ -0,0 +1,141 @@
+// @ts-nocheck
+
+/** @param {{ github: any, core: any }} param0 */
+export default async ({ github, core }) => {
+  try {
+    const remoteOwner = core.getInput("OWNER", { required: true });
+    const remoteRepo = core.getInput("REPO", { required: true });
+    const remoteWorkflowFile = core.getInput("WORKFLOW_FILE", {
+      required: true,
+    });
+    const dispatchStartedAt = core.getInput("DISPATCH_STARTED_AT", {
+      required: true,
+    });
+
+    const maxWaitSeconds = Number(core.getInput("MAX_WAIT_SECONDS") || "900"); // Default to 15 minutes
+    const pollIntervalSeconds = Number(
+      core.getInput("POLL_INTERVAL_SECONDS") || "10",
+    );
+
+    /** @param {number} ms */
+    const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
+
+    core.info(
+      `Waiting for remote workflow run in ${remoteOwner}/${remoteRepo}...`,
+    );
+
+    const findLatestRun = async () => {
+      const response = await github.rest.actions.listWorkflowRuns({
+        owner: remoteOwner,
+        repo: remoteRepo,
+        workflow_id: remoteWorkflowFile,
+        event: "repository_dispatch",
+        per_page: 20,
+      });
+
+      const candidateRuns = (response.data.workflow_runs || [])
+        /** @param {any} run */
+        .filter((run) => run.created_at >= dispatchStartedAt)
+        /** @param {any} left @param {any} right */
+        .sort((left, right) => left.created_at.localeCompare(right.created_at));
+
+      return candidateRuns.length > 0
+        ? candidateRuns[candidateRuns.length - 1]
+        : undefined;
+    };
+
+    let run;
+    for (
+      let elapsed = 0;
+      elapsed < maxWaitSeconds;
+      elapsed += pollIntervalSeconds
+    ) {
+      run = await findLatestRun();
+      if (run) {
+        break;
+      }
+
+      await sleep(pollIntervalSeconds * 1000);
+    }
+
+    if (!run) {
+      core.setFailed(
+        `Timed out waiting for remote workflow run to start: https://github.com/${remoteOwner}/${remoteRepo}/actions/workflows/${remoteWorkflowFile}`,
+      );
+      return;
+    }
+
+    const runUrl =
+      run.html_url ||
+      `https://github.com/${remoteOwner}/${remoteRepo}/actions/runs/${run.id}`;
+
+    core.info(`Monitoring remote run id: ${run.id}`);
+    core.info(`Remote workflow run URL: ${runUrl}`);
+
+    for (
+      let elapsed = 0;
+      elapsed < maxWaitSeconds;
+      elapsed += pollIntervalSeconds
+    ) {
+      const runResponse = await github.rest.actions.getWorkflowRun({
+        owner: remoteOwner,
+        repo: remoteRepo,
+        run_id: run.id,
+      });
+
+      const status = runResponse.data.status;
+      const conclusion = runResponse.data.conclusion || "";
+
+      if (status === "completed") {
+        core.setOutput("run_id", String(run.id));
+        core.setOutput("run_url", runUrl);
+        core.setOutput("conclusion", conclusion);
+
+        if (conclusion === "success") {
+          core.info("Remote workflow completed successfully");
+          return;
+        }
+
+        const jobsResponse = await github.rest.actions.listJobsForWorkflowRun({
+          owner: remoteOwner,
+          repo: remoteRepo,
+          run_id: run.id,
+          per_page: 100,
+        });
+
+        const failedJobs = (jobsResponse.data.jobs || []).filter(
+          /** @param {any} job */
+          (job) => job.conclusion !== "success",
+        );
+        const failedJobText = failedJobs
+          /** @param {any} job */
+          .map((job) => {
+            const failedSteps = (job.steps || [])
+              /** @param {any} step */
+              .filter((step) => step.conclusion === "failure")
+              /** @param {any} step */
+              .map((step) => `  - Step: ${step.name}`)
+              .join("\n");
+
+            return `- Job: ${job.name} [${job.conclusion}]${failedSteps ? `\n${failedSteps}` : ""}`;
+          })
+          .join("\n");
+
+        core.setFailed(
+          `Remote workflow failed with conclusion: ${conclusion}\nRemote workflow run: ${runUrl}${failedJobText ? `\nFailed jobs/steps:\n${failedJobText}` : ""}`,
+        );
+        return;
+      }
+
+      await sleep(pollIntervalSeconds * 1000);
+    }
+
+    core.setOutput("run_id", String(run.id));
+    core.setOutput("run_url", runUrl);
+    core.setFailed(
+      `Timed out waiting for remote workflow completion: ${runUrl}`,
+    );
+  } catch (error) {
+    core.setFailed(error instanceof Error ? error.message : String(error));
+  }
+};

.github/workflows/build.yaml

@@ -59,9 +59,6 @@ env:
   # URL to get source code for building the image
   IMAGE_SRC: https://github.com/radius-project/radius
 
-  # bicep-types ACR url for uploading Radius Bicep types
-  BICEP_TYPES_REGISTRY: biceptypes.azurecr.io
-
 jobs:
   changes:
     name: Changes
@@ -356,15 +353,14 @@ jobs:
           helm push ${{ env.ARTIFACT_DIR }}/${{ env.HELM_PACKAGE_DIR }}/radius-${{ env.CHART_VERSION }}.tgz oci://${{ env.OCI_REGISTRY }}/${{ env.OCI_REPOSITORY }}
 
   build-and-push-bicep-types:
-    name: Publish Radius bicep types to ACR
+    name: Dispatch Bicep Types publish
     runs-on: ubuntu-24.04
-    timeout-minutes: 5
+    timeout-minutes: 15
     needs: [changes]
-    if: needs.changes.outputs.only_changed != 'true'
+    if: github.repository == 'radius-project/radius' && needs.changes.outputs.only_changed != 'true' && (startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main')
     environment: publish-bicep
     permissions:
       contents: read # Required for actions/checkout
-      id-token: write # Required for azure/login
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -379,49 +375,64 @@ jobs:
       - name: Parse release version and set environment variables
         run: python ./.github/scripts/get_release_version.py
 
-      - name: Setup Go
-        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
-        with:
-          go-version-file: go.mod
-          cache-dependency-path: go.sum
-          cache: true
-
-      - name: Setup Node.js
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+      - name: Get App Token
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
+        id: get-token
         with:
-          node-version-file: .node-version
-
-      - name: Generate Bicep extensibility types from OpenAPI specs
+          app-id: ${{ secrets.RADIUS_PUBLISHER_BOT_APP_ID }}
+          private-key: ${{ secrets.RADIUS_PUBLISHER_BOT_PRIVATE_KEY }}
+          permission-metadata: read
+          permission-actions: read
+          permission-contents: write
+          owner: azure-octo
+          repositories: |
+            radius-publisher
+
+      - name: Capture dispatch start time
+        id: dispatch-start
+        shell: bash
         run: |
-          make generate-bicep-types VERSION=${{ env.REL_CHANNEL == 'edge' && 'latest' || env.REL_CHANNEL }}
+          echo "started_at=$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$GITHUB_OUTPUT"
 
-      - name: Upload Radius Bicep types artifacts
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+      - name: Repository Dispatch
+        id: repository-dispatch
+        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
         with:
-          name: radius-bicep-types
-          path: ./hack/bicep-types-radius/generated
-          if-no-files-found: error
-
-      - name: Login via Azure CLI
-        if: github.repository == 'radius-project/radius' && ((startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main'))
-        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+          token: ${{ steps.get-token.outputs.token }}
+          repository: azure-octo/radius-publisher
+          event-type: bicep-types
+          client-payload: |-
+            {
+              "source_repository": "${{ github.repository }}",
+              "source_ref": "${{ github.ref }}",
+              "source_sha": "${{ github.sha }}",
+              "rel_channel": "${{ env.REL_CHANNEL }}",
+              "registry_target": "radius"
+            }
+
+      - name: Monitor remote workflow
+        id: monitor-remote-workflow
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
-          client-id: ${{ secrets.BICEPTYPES_CLIENT_ID }}
-          tenant-id: ${{ secrets.BICEPTYPES_TENANT_ID }}
-          subscription-id: ${{ secrets.BICEPTYPES_SUBSCRIPTION_ID }}
-
-      - name: Setup and verify bicep CLI
-        if: github.repository == 'radius-project/radius' && ((startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main'))
-        run: |
-          curl -Lo bicep https://github.com/Azure/bicep/releases/latest/download/bicep-linux-x64
-          chmod +x ./bicep
-          sudo mv ./bicep /usr/local/bin/bicep
-          bicep --version
-
-      - name: Publish bicep types
-        if: github.repository == 'radius-project/radius' && ((startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main'))
+          github-token: ${{ steps.get-token.outputs.token }}
+          script: |
+            const { default: script } = await import(`${process.env.GITHUB_WORKSPACE}/.github/scripts/monitor-remote-workflow.mjs`)
+            await script({context, github, core})
+        env:
+          INPUT_OWNER: azure-octo
+          INPUT_REPO: radius-publisher
+          INPUT_WORKFLOW_FILE: publish-bicep-types.yml
+          INPUT_DISPATCH_STARTED_AT: ${{ steps.dispatch-start.outputs.started_at }}
+          INPUT_MAX_WAIT_SECONDS: "600"
+          INPUT_POLL_INTERVAL_SECONDS: "15"
+
+      - name: Show failed logs
+        if: failure() && steps.monitor-remote-workflow.outputs.run_id != ''
+        shell: bash
+        env:
+          GH_TOKEN: ${{ steps.get-token.outputs.token }}
         run: |
-          bicep publish-extension ./hack/bicep-types-radius/generated/index.json --target br:${{ env.BICEP_TYPES_REGISTRY }}/radius:${{ env.REL_CHANNEL == 'edge' && 'latest' || env.REL_CHANNEL }} --force
+          gh run view "${{ steps.monitor-remote-workflow.outputs.run_id }}" --repo azure-octo/radius-publisher --log-failed || true
 
   publish-release:
     name: Publish GitHub Release

.github/workflows/functional-test-cloud.yaml

@@ -387,39 +387,64 @@ jobs:
           message: |
             :hourglass: Publishing Bicep Recipes for functional tests...
 
-      - name: Setup Node.js
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+      - name: Get App Token (radius-publisher)
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
+        id: get_publisher_token
         with:
-          node-version-file: .node-version
+          app-id: ${{ secrets.RADIUS_PUBLISHER_BOT_APP_ID }}
+          private-key: ${{ secrets.RADIUS_PUBLISHER_BOT_PRIVATE_KEY }}
+          permission-metadata: read
+          permission-actions: read
+          permission-contents: write
+          owner: azure-octo
+          repositories: |
+            radius-publisher
 
-      - name: Generate Bicep extensibility types from OpenAPI specs
+      - name: Capture dispatch start time
+        id: dispatch-start
+        shell: bash
         run: |
-          make generate-bicep-types VERSION=${{ env.REL_VERSION == 'edge' && 'latest' || env.REL_VERSION }}
+          echo "started_at=$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$GITHUB_OUTPUT"
 
-      - name: Upload Radius Bicep types artifacts
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+      - name: Repository Dispatch (publish test bicep types)
+        id: repository-dispatch
+        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
         with:
-          name: radius_bicep_types_cloud
-          path: ./hack/bicep-types-radius/generated
-          if-no-files-found: error
+          token: ${{ steps.get_publisher_token.outputs.token }}
+          repository: azure-octo/radius-publisher
+          event-type: bicep-types
+          client-payload: |-
+            {
+              "source_repository": "${{ github.repository }}",
+              "source_ref": "${{ github.ref }}",
+              "source_sha": "${{ github.sha }}",
+              "rel_channel": "${{ env.REL_VERSION }}",
+              "registry_target": "test/radius"
+            }
 
-      - name: Login via Azure CLI
-        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+      - name: Monitor remote workflow
+        id: monitor-remote-workflow
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
-          client-id: ${{ secrets.BICEPTYPES_CLIENT_ID }}
-          tenant-id: ${{ secrets.BICEPTYPES_TENANT_ID }}
-          subscription-id: ${{ secrets.BICEPTYPES_SUBSCRIPTION_ID }}
-
-      - name: Setup and verify bicep CLI
-        run: |
-          curl -Lo bicep https://github.com/Azure/bicep/releases/latest/download/bicep-linux-x64
-          chmod +x ./bicep
-          sudo mv ./bicep /usr/local/bin/bicep
-          bicep --version
-
-      - name: Publish bicep types
+          github-token: ${{ steps.get_publisher_token.outputs.token }}
+          script: |
+            const { default: script } = await import(`${process.env.GITHUB_WORKSPACE}/.github/scripts/monitor-remote-workflow.mjs`)
+            await script({context, github, core})
+        env:
+          INPUT_OWNER: azure-octo
+          INPUT_REPO: radius-publisher
+          INPUT_WORKFLOW_FILE: publish-bicep-types.yml
+          INPUT_DISPATCH_STARTED_AT: ${{ steps.dispatch-start.outputs.started_at }}
+          INPUT_MAX_WAIT_SECONDS: "900"
+          INPUT_POLL_INTERVAL_SECONDS: "10"
+
+      - name: Show failed logs
+        if: failure() && steps.monitor-remote-workflow.outputs.run_id != ''
+        shell: bash
+        env:
+          GH_TOKEN: ${{ steps.get_publisher_token.outputs.token }}
         run: |
-          bicep publish-extension ./hack/bicep-types-radius/generated/index.json --target br:${{ env.BICEP_TYPES_REGISTRY }}/test/radius:${{ env.REL_VERSION == 'edge' && 'latest' || env.REL_VERSION }} --force
+          gh run view "${{ steps.monitor-remote-workflow.outputs.run_id }}" --repo azure-octo/radius-publisher --log-failed || true
 
       - name: Generate test bicepconfig.json
         run: |

.vscode/mcp.json

@@ -5,8 +5,14 @@
       "url": "https://api.githubcopilot.com/mcp/"
     },
     "terraform": {
+      "type": "stdio",
       "command": "docker",
-      "args": ["run", "-i", "--rm", "hashicorp/terraform-mcp-server:0.3"]
+      "args": ["run", "-i", "--rm", "hashicorp/terraform-mcp-server:0.4.0"]
+    },
+    "gopls": {
+      "type": "stdio",
+      "command": "gopls",
+      "args": ["mcp"]
     }
   }
 }