chore: update action versions in workflows for consistency and stability (#216)

mawasile · web-flow · commit 14ff5f26677c · 2025-07-17T10:02:08.000+02:00
* chore: update action versions in workflows for consistency and stability

* fix: add check for PAC CLI existence in Power Platform CLI test step

* fix: add PAC CLI to PATH for proper execution in workflow

* fix: change PAC command from version to help for better usage guidance

* fix: update environment variables for Power Platform CLI usage in Azure deployment workflow

* fix: comment out ARM_USE_OIDC in Azure deployment workflow for clarity

* fix: comment out ARM_USE_AZUREAD for clarity in Azure deployment workflow

* fix: comment out ARM_USE_AZUREAD and add secret for Azure login

* fix: enable ARM_USE_AZUREAD and ARM_USE_OIDC for Azure deployment workflow

* feat: add debug step to log environment variables and inputs in CI workflow

* refactor: format debug step for environment variables and inputs in CI workflow

* fix: escape variables in remote storage configuration for proper parsing

* fix: add use_azuread_auth to remote storage configuration for improved authentication

* fix: update remote storage configuration to set container access type to private

* refactor: replace PowerShell with Bash for shell commands in CI workflow

* chore: update CI workflow for improved efficiency and maintainability

* fix: improve PAC CLI path detection in CI workflow

* refactor: comment out PAC CLI path detection in CI workflow

* refactor: comment out Power Platform CLI test step and update installation method

* fix: specify version for Power Platform CLI installation

* refactor: remove commented-out PAC CLI test and path detection steps

* fix: add security-events permission for SARIF report uploads

* fix: update environment variable syntax for azd commands

* fix: correct condition for AZD down input and add debug echo step

* refactor: remove debug echo step for AZD down input
diff --git a/.github/workflows/azure-dev.yml b/.github/workflows/azure-dev.yml
@@ -23,6 +23,8 @@ on:
 # GitHub Actions workflow to deploy to Azure using azd
 
 permissions:
+  actions: read # Needed for uploading SARIF reports
+  security-events: write  # Needed for uploading SARIF reports
   id-token: write
   contents: read
 
@@ -37,23 +39,23 @@ jobs:
 
     steps:
       - name: Checkout the branch ${{ github.ref_name }}
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ github.ref_name }}
 
       - name: Install azd
-        uses: Azure/setup-azd@v2
+        uses: Azure/setup-azd@ae0f8b5482eeac61e940f447327d84c73beb8b1e # v2.1.0
         with:
           version: '1.17.2'  # Specify your desired azd version here
 
       - name: Install Terraform
-        uses: hashicorp/setup-terraform@v3
+        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
         with:
           terraform_version: 1.9.0
 
 
       - name: Install TFLint
-        uses: terraform-linters/setup-tflint@v4
+        uses: terraform-linters/setup-tflint@90f302c255ef959cbfb4bd10581afecdb7ece3e6 # v4.1.1
         with:
           tflint_version: v0.49.0
           github_token: ${{ secrets.GITHUB_TOKEN }}  # Used to avoid rate
@@ -68,84 +70,80 @@ jobs:
           gitleaks version
 
       - name: Setup .NET SDK
-        uses: actions/setup-dotnet@v4
+        uses: actions/setup-dotnet@55ec9447dda3d1cf6bd587150f3262f30ee10815 # v3.4.2
         with:
           dotnet-version: '8.0.x'
 
+      - name: Install Power Platform Tools
+        uses: microsoft/powerplatform-actions/actions-install@51f663ea104eb227c3712215ceb2f82827d81c27 # v1.9.0
+      
       - name: Install Power Platform CLI
         run: |
-          dotnet tool install --global Microsoft.PowerApps.CLI.Tool
+          dotnet tool install --global Microsoft.PowerApps.CLI.Tool --version 1.44.2
           pac help
 
+
       - name: Set Up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # 5.6.0
         with:
           python-version: "3.x"
 
       - name: Install Checkov
         run: pip install checkov
 
-
       - name: Login to Azure with Federated Identity
-        uses: azure/login@v2
+        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
         with:
           client-id: ${{ vars.AZURE_CLIENT_ID }}
           tenant-id: ${{ vars.AZURE_TENANT_ID }}
           subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
 
       - name: Provision Infrastructure
         env:
-          POWER_PLATFORM_USE_CLI: false
-          AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
-          RS_STORAGE_ACCOUNT: ${{ vars.RS_STORAGE_ACCOUNT }}
-          RS_CONTAINER_NAME: ${{ vars.RS_CONTAINER_NAME }}
-          RS_RESOURCE_GROUP: ${{ vars.RS_RESOURCE_GROUP }}
-          RESOURCE_SHARE_USER: ${{ vars.RESOURCE_SHARE_USER }}
+          POWER_PLATFORM_USE_OIDC: "true"
+          POWER_PLATFORM_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
+          POWER_PLATFORM_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
+
           ARM_USE_AZUREAD: "true"
           ARM_STORAGE_USE_AZUREAD: "true"
           ARM_USE_OIDC: "true"
           ARM_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
           ARM_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
           ARM_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
-          POWER_PLATFORM_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
-          POWER_PLATFORM_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
-          POWER_PLATFORM_USE_OIDC: "true"
+          AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
+          
+          RS_STORAGE_ACCOUNT: ${{ vars.RS_STORAGE_ACCOUNT }}
+          RS_CONTAINER_NAME: ${{ vars.RS_CONTAINER_NAME }}
+          RS_RESOURCE_GROUP: ${{ vars.RS_RESOURCE_GROUP }}
+          
+          RESOURCE_SHARE_USER: ${{ vars.RESOURCE_SHARE_USER }}
+      
           GITHUB_PAT: ${{ secrets.MCS_RUNNER }}
           GITHUB_REPO_OWNER: ${{ github.repository_owner }}
           GITHUB_REPO_NAME: ${{ github.event.repository.name }}
           GITHUB_RUNNER_IMAGE_NAME: "github-runner"
           GITHUB_RUNNER_IMAGE_TAG: "latest"
           GITHUB_RUNNER_IMAGE_BRANCH: ${{ github.ref_name }}
-        shell: pwsh
+        shell: bash
         run: |
           azd config set auth.useAzCliAuth "true"
-          azd env new $env:AZURE_ENV_NAME --location $env:AZURE_LOCATION --no-prompt
-          azd env set RESOURCE_SHARE_USER "$env:RESOURCE_SHARE_USER"
-          azd env set POWER_PLATFORM_USE_CLI "false"
-
-          azd env set RS_STORAGE_ACCOUNT $env:RS_STORAGE_ACCOUNT
-          azd env set RS_CONTAINER_NAME $env:RS_CONTAINER_NAME
-          azd env set RS_RESOURCE_GROUP $env:RS_RESOURCE_GROUP
-
-          azd env set GITHUB_PAT $env:GITHUB_PAT
-          azd env set GITHUB_REPO_OWNER $env:GITHUB_REPO_OWNER
-          azd env set GITHUB_REPO_NAME $env:GITHUB_REPO_NAME
-          azd env set GITHUB_RUNNER_IMAGE_NAME $env:GITHUB_RUNNER_IMAGE_NAME
-          azd env set GITHUB_RUNNER_IMAGE_TAG $env:GITHUB_RUNNER_IMAGE_TAG
-          azd env set GITHUB_RUNNER_IMAGE_BRANCH $env:GITHUB_RUNNER_IMAGE_BRANCH
+          azd env new "$AZURE_ENV_NAME" --location "$AZURE_LOCATION" --no-prompt
+          azd env set RESOURCE_SHARE_USER "$RESOURCE_SHARE_USER"
 
+          azd env set RS_STORAGE_ACCOUNT "$RS_STORAGE_ACCOUNT"
+          azd env set RS_CONTAINER_NAME "$RS_CONTAINER_NAME"
+          azd env set RS_RESOURCE_GROUP "$RS_RESOURCE_GROUP"
 
-          azd env set GITHUB_PAT $env:GITHUB_PAT
-          azd env set GITHUB_REPO_OWNER $env:GITHUB_REPO_OWNER
-          azd env set GITHUB_REPO_NAME $env:GITHUB_REPO_NAME
-          azd env set GITHUB_RUNNER_IMAGE_NAME $env:GITHUB_RUNNER_IMAGE_NAME
-          azd env set GITHUB_RUNNER_IMAGE_TAG $env:GITHUB_RUNNER_IMAGE_TAG
-          azd env set GITHUB_RUNNER_IMAGE_BRANCH $env:GITHUB_RUNNER_IMAGE_BRANCH
+          azd env set GITHUB_PAT "$GITHUB_PAT"
+          azd env set GITHUB_REPO_OWNER "$GITHUB_REPO_OWNER"
+          azd env set GITHUB_REPO_NAME "$GITHUB_REPO_NAME"
+          azd env set GITHUB_RUNNER_IMAGE_NAME "$GITHUB_RUNNER_IMAGE_NAME"
+          azd env set GITHUB_RUNNER_IMAGE_TAG "$GITHUB_RUNNER_IMAGE_TAG"
+          azd env set GITHUB_RUNNER_IMAGE_BRANCH "$GITHUB_RUNNER_IMAGE_BRANCH"
 
           azd provision --no-prompt
 
-
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         if: success() || failure()
         with:
           name: sarif-reports
@@ -154,42 +152,42 @@ jobs:
             ./checkov-results.sarif/results_sarif.sarif
 
       - name: Upload Gitleaks SARIF report to Github
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@9b02dc2f60288b463e7a66e39c78829b62780db7 # v2.22.1
         with:
           sarif_file: ./gitleaks-report.sarif
 
 
       - name: Upload Checkov SARIF Report to GitHub
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@9b02dc2f60288b463e7a66e39c78829b62780db7 # v2.22.1
         with:
           sarif_file: ./checkov-results.sarif/results_sarif.sarif
 
-
       - name: Azd down
-        if: ${{ github.event.inputs.run_azd_down == true }}
+        if: ${{ github.event.inputs.run_azd_down == 'true' }}
         env:
-          POWER_PLATFORM_USE_CLI: false
-          AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
-          RS_STORAGE_ACCOUNT: ${{ vars.RS_STORAGE_ACCOUNT }}
-          RS_CONTAINER_NAME: ${{ vars.RS_CONTAINER_NAME }}
-          RS_RESOURCE_GROUP: ${{ vars.RS_RESOURCE_GROUP }}
-          RESOURCE_SHARE_USER: ${{ vars.RESOURCE_SHARE_USER }}
+          POWER_PLATFORM_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
+          POWER_PLATFORM_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
+          POWER_PLATFORM_USE_OIDC: "true"
+
           ARM_USE_AZUREAD: "true"
           ARM_STORAGE_USE_AZUREAD: "true"
           ARM_USE_OIDC: "true"
           ARM_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
           ARM_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
           ARM_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
-          POWER_PLATFORM_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
-          POWER_PLATFORM_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
-          POWER_PLATFORM_USE_OIDC: "true"
-        shell: pwsh
-        run: |
+          AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
 
-          azd env set RS_STORAGE_ACCOUNT $env:RS_STORAGE_ACCOUNT
-          azd env set RS_CONTAINER_NAME $env:RS_CONTAINER_NAME
-          azd env set RS_RESOURCE_GROUP $env:RS_RESOURCE_GROUP
-          azd env set RESOURCE_SHARE_USER "$env:RESOURCE_SHARE_USER"
+          RS_STORAGE_ACCOUNT: ${{ vars.RS_STORAGE_ACCOUNT }}
+          RS_CONTAINER_NAME: ${{ vars.RS_CONTAINER_NAME }}
+          RS_RESOURCE_GROUP: ${{ vars.RS_RESOURCE_GROUP }}
+          RESOURCE_SHARE_USER: ${{ vars.RESOURCE_SHARE_USER }}
+          
+        shell: bash
+        run: |
+          azd env set RS_STORAGE_ACCOUNT "$RS_STORAGE_ACCOUNT"
+          azd env set RS_CONTAINER_NAME "$RS_CONTAINER_NAME"
+          azd env set RS_RESOURCE_GROUP "$RS_RESOURCE_GROUP"
+          azd env set RESOURCE_SHARE_USER "$RESOURCE_SHARE_USER"
 
-          azd env select $env:AZURE_ENV_NAME
+          azd env select "$AZURE_ENV_NAME"
           azd down --no-prompt --force --purge
diff --git a/.github/workflows/terraform-validate.yml b/.github/workflows/terraform-validate.yml
@@ -52,7 +52,7 @@ jobs:
       - name: Setup Terraform
         uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
         with:
-          terraform_version: "1.12.2"  # Pinning specific version is recommended
+          terraform_version: "1.9.0"  # Pinning specific version
         
       - name: Terraform Init
         id: tf-init
@@ -89,7 +89,7 @@ jobs:
         working-directory: ./infra
 
       - name: Setup TFLint
-        uses: terraform-linters/setup-tflint@v4
+        uses: terraform-linters/setup-tflint@90f302c255ef959cbfb4bd10581afecdb7ece3e6 # v4.1.1
         with:
           tflint_version: v0.49.0  # Specify a version (recommended)
           github_token: ${{ secrets.GITHUB_TOKEN }}  # Used to avoid rate limiting
@@ -121,7 +121,7 @@ jobs:
 
       - name: GitLeaks Scan
         id: gitleaks
-        uses: gitleaks/gitleaks-action@v2
+        uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
@@ -132,7 +132,7 @@ jobs:
 
       - name: Upload GitLeaks SARIF report
         if: success() || failure()  # Upload even if GitLeaks finds issues
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@9b02dc2f60288b463e7a66e39c78829b62780db7 # v2.22.1
         with:
           directory: ./  # Ensure the report path is correct
           sarif_file: results.sarif
@@ -151,7 +151,7 @@ jobs:
 
       - name: Upload Checkov SARIF report
         if: success() || failure()  # Upload even if Checkov finds issues
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@9b02dc2f60288b463e7a66e39c78829b62780db7 # v2.22.1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
diff --git a/.github/workflows/test-runner.yaml b/.github/workflows/test-runner.yaml
@@ -39,7 +39,7 @@ jobs:
 
     steps:
       - name: Checkout the branch ${{ github.ref_name }}
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ github.ref_name }}
 
@@ -110,7 +110,7 @@ jobs:
         continue-on-error: true # Continue even if tests fail to ensure artifacts are uploaded
 
       - name: Upload test results as workflow artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         if: (!cancelled()) # Upload artifacts even if tests fail
         with:
           name: pytest-test-results
@@ -120,7 +120,7 @@ jobs:
           retention-days: 30
 
       - name: Publish pytest test results
-        uses: dorny/test-reporter@v2
+        uses: dorny/test-reporter@dc3a92680fcc15842eef52e8c4606ea7ce6bd3f3 # v2.1.1
         if: (!cancelled()) # Run even if tests fail
         with:
           name: Azure AI Search E2E Tests
diff --git a/azd-hooks/scripts/hooks/preprovision/run_preconfig.ps1 b/azd-hooks/scripts/hooks/preprovision/run_preconfig.ps1
@@ -82,10 +82,11 @@ function Initialize-RemoteStorage {
         
         $remoteStorageConfig = @"
 {
-    "storage_account_name": "${RS_STORAGE_ACCOUNT}",
-    "container_name": "${RS_CONTAINER_NAME}",
-    "key": "azd/${AZURE_ENV_NAME}/terraform.tfstate",
-    "resource_group_name": "${RS_RESOURCE_GROUP}"
+    "storage_account_name": "`${RS_STORAGE_ACCOUNT}`",
+    "container_name": "`${RS_CONTAINER_NAME}`",
+    "key": "azd/`${AZURE_ENV_NAME}`/terraform.tfstate",
+    "resource_group_name": "`${RS_RESOURCE_GROUP}`",
+    "use_azuread_auth": "true"
 }
 "@
         Set-Content -Path $script:providerConfPath -Value $remoteStorageConfig -Encoding UTF8
diff --git a/docs/advanced_scenarios.md b/docs/advanced_scenarios.md
@@ -75,9 +75,9 @@ Set the following environment variables for GitHub runner deployment:
     # GitHub configuration
     ### Set the remote state configurations (reusing variables from step 5):
 
-        azd env set RS_STORAGE_ACCOUNT $STORAGE_ACCOUNT_NAME
-        azd env set RS_CONTAINER_NAME $CONTAINER_NAME
-        azd env set RS_RESOURCE_GROUP $RESOURCE_GROUP_NAME
+    azd env set RS_STORAGE_ACCOUNT $STORAGE_ACCOUNT_NAME
+    azd env set RS_CONTAINER_NAME $CONTAINER_NAME
+    azd env set RS_RESOURCE_GROUP $RESOURCE_GROUP_NAME
     azd env set GITHUB_RUNNER_IMAGE_BRANCH "<branch-containing-docker-file>"  # optional, defaults to "main"
     azd env set GITHUB_RUNNER_GROUP "<github-runner-group>"  # optional, defaults to "default"
 
diff --git a/docs/github_self_hosted_deployment.md b/docs/github_self_hosted_deployment.md
@@ -75,9 +75,9 @@ Set the following environment variables for GitHub runner deployment:
     # GitHub configuration
     ### Set the remote state configurations (reusing variables from step 5):
 
-        azd env set RS_STORAGE_ACCOUNT $STORAGE_ACCOUNT_NAME
-        azd env set RS_CONTAINER_NAME $CONTAINER_NAME
-        azd env set RS_RESOURCE_GROUP $RESOURCE_GROUP_NAME
+    azd env set RS_STORAGE_ACCOUNT $STORAGE_ACCOUNT_NAME
+    azd env set RS_CONTAINER_NAME $CONTAINER_NAME
+    azd env set RS_RESOURCE_GROUP $RESOURCE_GROUP_NAME
     azd env set GITHUB_RUNNER_IMAGE_BRANCH "<branch-containing-docker-file>"  # optional, defaults to "main"
     azd env set GITHUB_RUNNER_GROUP "<github-runner-group>"  # optional, defaults to "default"
 
diff --git a/infra/main.search_configuration.tf b/infra/main.search_configuration.tf
@@ -278,7 +278,7 @@ resource "azurerm_storage_container" "scripts" {
   # checkov:skip=CKV2_AZURE_21: Logging not needed for temporary deployment scripts container
   name                  = "scripts"
   storage_account_id    = azurerm_storage_account.deployment_container.id
-  container_access_type = "blob"
+  container_access_type = "private"
 
   depends_on = [
     azurerm_storage_account.deployment_container,
