Update cicd instructions (#278)

HadwaAbdelhalem · ianjensenisme · web-flow · commit 70df62c3794f · 2025-10-08T10:09:27.000-07:00
* Eliminates the Terraform workflow for remote state setup, which is no longer needed.

Updates documentation to clarify the configuration for GitHub runners, ensuring users have accurate guidance for setting up and using self-hosted runners effectively.

This streamlines the CI/CD process and removes potential confusion for new users.

Update Gitleaks scanning for newly initialized templates with no remote branch set.

update gitignore to avoid including sensitive data in cicd/.ssh/
cicd/.ssh/* as terraform backend and GH runner code will be executed locally per the updated guidance

* feat: add Azure Developer CLI Assistant Mode documentation

* feat: add GitHub CLI feature to devcontainer and update documentation for CI/CD setup

Adds GitHub CLI feature to devcontainer and enhances CI/CD docs

Introduces the GitHub CLI feature into the development container, improving the setup for developers.

Updates documentation to streamline the CI/CD pipeline configuration, enhancing user guidance for Azure Developer CLI workflows.

This change aims to facilitate easier project initialization and deployment processes.

* dd additional API permissions guidance for service principal in azd-assistant documentation

* update GitHub runner configuration and registration token handling in documentation

* remove azd copilot chat mood file into a separate PR

* fix: remove trailing comma from GitHub runner configuration in README

* Update docs/cicd.md

grammar updates

Co-authored-by: Ian Jensen &lt;94021216+ianjensenisme@users.noreply.github.com&gt;

* Update docs/cicd.md

typo

Co-authored-by: Ian Jensen &lt;94021216+ianjensenisme@users.noreply.github.com&gt;

* Update docs/cicd.md

wording

Co-authored-by: Ian Jensen &lt;94021216+ianjensenisme@users.noreply.github.com&gt;

---------

Co-authored-by: Ian Jensen &lt;94021216+ianjensenisme@users.noreply.github.com&gt;
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -7,6 +7,7 @@
         "ghcr.io/devcontainers/features/python:1" : {},
         "ghcr.io/devcontainers/features/powershell:1": {},
         "ghcr.io/devcontainers/features/azure-cli:1": {},
+        "ghcr.io/devcontainers/features/github-cli:1": {},
         "ghcr.io/devcontainers/features/docker-in-docker:2": {},
         "ghcr.io/devcontainers/features/terraform:1": {
             "installTFsec": true
diff --git a/.github/workflows/setup-remote-state.yml b/.github/workflows/setup-remote-state.yml
diff --git a/.gitignore b/.gitignore
@@ -501,4 +501,17 @@ power_platform_deployment_settings
 
 .external_modules/
 
-*.sln
+*.sln
+
+# Ignore SSH keys and certificates (security sensitive)
+cicd/.ssh/
+cicd/.ssh/*
+**/.ssh/
+*.pem
+*.key
+*_rsa
+*_dsa
+*_ecdsa
+*_ed25519
+*.p12
+*.pfx
diff --git a/README.md b/README.md
@@ -6,32 +6,38 @@ network security.
 
 ## Table of Contents
 
-- [Features](#features)
-- [Architecture](#architecture)
-  - [Key Architecture Components](#key-architecture-components)
-- [Account & License Requirements](#account--license-requirements)
-  - [User Configuration](#user-configuration)
-- [Getting Started](#getting-started)
-  - [GitHub Codespaces](#github-codespaces)
-  - [VS Code Dev Containers](#vs-code-dev-containers)
-  - [Local Environment](#local-environment)
-  - [Deploying](#deploying)
-  - [Using the Bot](#using-the-bot)
-  - [Clean Up](#clean-up)
-- [Testing](#testing)
-  - [Copilot Studio Agent Test](#copilot-studio-agent-test)
-  - [AI Search Test (Optional)](#ai-search-test-optional)
-- [Advanced Scenarios](#advanced-scenarios)
-  - [GitHub Self-Hosted Runners](#github-self-hosted-runners)
-  - [Bring Your Own Networking](#bring-your-own-networking)
-  - [Custom Resource Group](#custom-resource-group)
-- [Additional Considerations](#additional-considerations)
-  - [Security Considerations](#security-considerations)
-  - [Production Readiness](#production-readiness)
-- [Resources](#resources)
-- [Data Collection](#data-collection)
-- [Responsible AI](#responsible-ai)
-- [Getting Help](#getting-help)
+- [Copilot Studio with Azure AI Search](#copilot-studio-with-azure-ai-search)
+  - [Table of Contents](#table-of-contents)
+  - [Features](#features)
+  - [Architecture](#architecture)
+    - [Key Architecture Components](#key-architecture-components)
+  - [Account \& License Requirements](#account--license-requirements)
+    - [User Configuration](#user-configuration)
+  - [Getting Started](#getting-started)
+    - [GitHub Codespaces](#github-codespaces)
+    - [VS Code Dev Containers](#vs-code-dev-containers)
+    - [Local Environment](#local-environment)
+    - [Deploying](#deploying)
+    - [Using the Bot](#using-the-bot)
+    - [Clean Up](#clean-up)
+  - [Testing](#testing)
+    - [Copilot Studio Agent Test](#copilot-studio-agent-test)
+      - [Running Tests After Local Deployment Execution](#running-tests-after-local-deployment-execution)
+      - [Running Tests with Manual Environment Variable Configuration](#running-tests-with-manual-environment-variable-configuration)
+    - [AI Search Test (Optional)](#ai-search-test-optional)
+      - [Prerequisites for AI Search Tests](#prerequisites-for-ai-search-tests)
+      - [Running AI Search Tests Locally](#running-ai-search-tests-locally)
+  - [Advanced Scenarios](#advanced-scenarios)
+    - [GitHub Self-Hosted Runners](#github-self-hosted-runners)
+    - [Bring Your Own Networking](#bring-your-own-networking)
+    - [Custom Resource Group](#custom-resource-group)
+  - [Additional Considerations](#additional-considerations)
+    - [Security Considerations](#security-considerations)
+    - [Production Readiness](#production-readiness)
+  - [Resources](#resources)
+  - [Data Collection](#data-collection)
+  - [Responsible AI](#responsible-ai)
+  - [Getting Help](#getting-help)
 
 ## Features
 
@@ -161,6 +167,7 @@ A related option is VS Code Dev Containers, which will open the project in your
     ```
 
     Note that this command will initialize a git repository, so you do not need to clone this repository.
+    This will also create a new folder with the environment name you entered though the cmd steps in the `.azure` folder. It will also set it as the default environment for any calls to `azd` going forward.
 
 ### Deploying
 
@@ -181,14 +188,6 @@ The steps below will provision Azure and Power Platform resources and will deplo
 
     *Note: the `pac auth create` command may return a warning about being unable to connect to a Dataverse organization. This is expected, and will not impact the deployment.*
 
-1. Create a new azd environment:
-
-    ```shell
-    azd env new
-    ```
-
-    This will create a new folder in the `.azure` folder, and set it as the active environment for any calls to `azd` going forward.
-
 1. Set you internative testing user.
   
     ```shell
@@ -197,7 +196,7 @@ The steps below will provision Azure and Power Platform resources and will deplo
 
     Set this value to the Azure Entra ID object ID of the primary administrator or developer who will manage and modify the deployed solution resources in the future. This user will be granted administrative access to the Power Platform resources (such as bot ownership and environment management) and will have visibility into the Azure resources provisioned by this deployment. Replace `entraid_user_object_id` with the actual object ID of the intended admin or developer.
 
-1. Deploy your infrastructure
+3. Deploy your infrastructure
 
     ```shell
     azd up
diff --git a/azd-hooks/scripts/hooks/preprovision/run_gitleaks.ps1 b/azd-hooks/scripts/hooks/preprovision/run_gitleaks.ps1
@@ -35,8 +35,10 @@ function Run-Gitleaks {
 
     $SourcePath = (Get-Location)
 
-    # Get current git branch
+    # Get current git branch and check if repository has commits
     $currentBranch = $null
+    $hasCommits = $false
+    
     try {
         Write-Host "Getting current git branch..."
         $currentBranch = git branch --show-current
@@ -45,6 +47,19 @@ function Run-Gitleaks {
             $currentBranch = "unknown"
         } else {
             Write-Host "Current git branch: $currentBranch"
+            
+            # Check if the repository has any commits
+            try {
+                git rev-parse HEAD 2>$null | Out-Null
+                if ($LASTEXITCODE -eq 0) {
+                    $hasCommits = $true
+                    Write-Host "Repository has commits, will use branch reference in log options."
+                } else {
+                    Write-Host "Repository has no commits yet, will skip branch reference in log options."
+                }
+            } catch {
+                Write-Host "Cannot determine commit history, will skip branch reference in log options."
+            }
         }
     } catch {
         Write-Warning "Error getting git branch: $_"
@@ -61,8 +76,8 @@ function Run-Gitleaks {
         "--log-level", "$LogLevel"
     )
 
-    # Only add log-opts if we have a valid branch name.
-    if ($currentBranch -ne "unknown") {
+    # Only add log-opts if we have a valid branch name and the repository has commits.
+    if ($currentBranch -ne "unknown" -and $hasCommits) {
         $cmdOptions += "--log-opts"
         $cmdOptions += "$currentBranch"
     }
diff --git a/azure.yaml b/azure.yaml
@@ -48,6 +48,7 @@ hooks:
       continueOnError: false
       interactive: false
       run: azd-hooks/scripts/hooks/postpackage/postpackage.ps1
-      pipeline:
-        variables:
-          - RESOURCE_SHARE_USER
+pipeline:
+  variables:
+    - RESOURCE_SHARE_USER
+    - ACTIONS_RUNNER_NAME
diff --git a/cicd/README.md b/cicd/README.md
@@ -32,12 +32,14 @@ This configuration creates:
 
    ```json
    {
-     "subscription_id": "your-subscription-id",
-     "location": "East US",
-     "github_token": "your-github-token",
-     "github_owner": "Azure-Samples",
-     "github_repository": "Copilot-Studio-with-Azure-AI-Search"
-   }
+    "subscription_id": "YOUR_SUBSCRIPTION_ID",
+    "location": "West US",
+    "github_runner_config": {
+      "repo_owner": "YOUR_REPO_OWNER",
+      "repo_name": "YOUR_REPO_NAME",
+    }
+
+  }
    ```
 
 3. Initialize and apply:
@@ -50,21 +52,34 @@ This configuration creates:
 
 ## Backend Configuration
 
-After deployment, use the output values to configure your Terraform backend in other projects:
+After deployment, use the output to set the remote state values for your template.
 
 ```hcl
-terraform {
-  backend "azurerm" {
-    storage_account_name = "sttfstate<random>"
-    container_name       = "tfstate"
-    key                  = "terraform.tfstate"
-    resource_group_name  = "rg-tfstate-<random>"
-    subscription_id      = "your-subscription-id"
-    use_azuread_auth     = true
-  }
+backend_config = {
+  "container_name" = "CONTAINER_NAME"
+  "resource_group_name" = "RESOURCE_GROUP_NAME"
+  "storage_account_name" = "STORAGE_ACCOUNT_NAME"
+  "subscription_id" = "SUBSCRIPTION_ID"
 }
 ```
 
+   ```shell
+    # Set the remote state variables
+    azd env set RS_STORAGE_ACCOUNT 'STORAGE_ACCOUNT_NAME'
+    azd env set RS_CONTAINER_NAME 'CONTAINER_NAME'
+    azd env set RS_RESOURCE_GROUP 'RESOURCE_GROUP_NAME'
+
+    # Direct  jobs to the new runner by setting a repo variable used by your workflows for `runs-on` selection
+    azd env set ACTIONS_RUNNER_NAME ['self-hosted']
+    
+    # Update the template to use remote backend
+    azd hooks run prepackage
+    ```
+
+  - `ACTIONS_RUNNER_NAME`: set to `['self-hosted']` (JSON array syntax) to target any self-hosted runner
+
+Note: The runner VM registers with labels like `self-hosted,vm,<resource-group>,<location>,<unique-id>`. You can narrow job placement further by including those additional labels in your `runs-on` matrix if desired.
+
 ## Security Features
 
 - Private storage account (no public access)
@@ -81,16 +96,5 @@ This configuration automatically sets up GitHub repository variables for CI/CD p
 - `RS_RESOURCE_GROUP`: Name of the resource group containing the storage account
 - `RS_CONTAINER_NAME`: Name of the storage container for Terraform state
 
-These variables can be used in GitHub Actions workflows to configure Terraform backend settings.
-
-## Environment Variables Alternative
+These variables will be used in GitHub Actions workflows to configure Terraform backend settings.
 
-Instead of using `terraform.tfvars.json`, you can set environment variables:
-
-```bash
-export TF_VAR_subscription_id="your-subscription-id"
-export TF_VAR_location="East US"
-export TF_VAR_github_token="your-github-token"
-export TF_VAR_github_owner="Azure-Samples"
-export TF_VAR_github_repository="Copilot-Studio-with-Azure-AI-Search"
-```
diff --git a/cicd/terraform.tfvars.json.example b/cicd/terraform.tfvars.json.example
@@ -1,6 +1,8 @@
 {
   "subscription_id": "00000000-0000-0000-0000-000000000000",
-  "location": "East US",
-  "github_owner": "Azure-Samples",
-  "github_repository": "Copilot-Studio-with-Azure-AI-Search"
+  "location": "West US",
+  "github_runner_config": {
+    "repo_owner": "YOUR_REPO_OWNER",
+    "repo_name": "YOUR_REPO_NAME",
+  }
 }
diff --git a/docs/cicd.md b/docs/cicd.md
diff --git a/infra/modules/copilot_studio/power_platform_core.tf b/infra/modules/copilot_studio/power_platform_core.tf

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,8 @@`
`1`	`1`	`{`
`2`	`2`	`"subscription_id": "00000000-0000-0000-0000-000000000000",`
`3`		`- "location": "East US",`
`4`		`- "github_owner": "Azure-Samples",`
`5`		`- "github_repository": "Copilot-Studio-with-Azure-AI-Search"`
	`3`	`+ "location": "West US",`
	`4`	`+ "github_runner_config": {`
	`5`	`+ "repo_owner": "YOUR_REPO_OWNER",`
	`6`	`+ "repo_name": "YOUR_REPO_NAME",`
	`7`	`+ }`
`6`	`8`	`}`