Merge branch 'main' into cleanup

Author: mattdot

.devcontainer/features/dev-tools/install.sh

@@ -1,4 +1,7 @@
 #!/bin/sh
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT license.
+
 set -eux
 
 echo "Installing development tools for Copilot Studio with Azure AI Search..."

.devcontainer/postCreate.sh

@@ -1,4 +1,7 @@
 #!/bin/sh
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT license.
+
 set -eux
 
 echo "Running post-create setup for interactive operations..."
@@ -13,6 +16,7 @@ echo "Installing PowerApps CLI..."
 dotnet tool install --global Microsoft.PowerApps.CLI.Tool --version 1.49.3
 
 # Restore .NET packages including Microsoft.Agents.CopilotStudio.Client
+echo "Restoring .NET packages..."
 if [ -f "tests/Copilot/CopilotTests.csproj" ]; then
     dotnet restore tests/Copilot/CopilotTests.csproj
     echo "Copilot project packages restored successfully!"

.github/workflows/azure-dev-down.yml

@@ -14,7 +14,7 @@ on:
         default: "eastus"
 
 permissions:
-  id-token: write
+  id-token: write # Needed for OIDC Authentication
   contents: read
 
 jobs:
@@ -26,17 +26,17 @@ jobs:
 
     steps:
       - name: Checkout the branch ${{ github.ref_name }}
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           ref: ${{ github.ref_name }}
 
       - name: Install azd
-        uses: Azure/setup-azd@ae0f8b5482eeac61e940f447327d84c73beb8b1e # v2.1.0
+        uses: Azure/setup-azd@cf638ffd167fc81e1851241a478a723c05fa9cb3 # v2.2.0
         with:
           version: '1.20.0'  # Specify your desired azd version here
-
+        
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
         with:
           node-version: '18.x'
 
@@ -72,6 +72,7 @@ jobs:
           RS_CONTAINER_NAME: ${{ vars.RS_CONTAINER_NAME }}
           RS_RESOURCE_GROUP: ${{ vars.RS_RESOURCE_GROUP }}
           RESOURCE_SHARE_USER: ${{ vars.RESOURCE_SHARE_USER }}
+          RESOURCE_TAGS: ${{ vars.RESOURCE_TAGS }}
 
         shell: bash
         run: |
@@ -86,3 +87,25 @@ jobs:
           azd package # trigger prepackage hook to setup terraform provider
           azd provision --preview  # https://github.com/Azure/azure-dev/issues/4317
           azd down --no-prompt --force --purge
+
+      - name: Purge Soft-Deleted Azure OpenAI Resources
+        shell: bash
+        run: |
+          # Get the OpenAI resource name and location from environment outputs
+          OPENAI_RESOURCE_NAME=$(azd env get-values --output json | jq -r '.openai_resource_name // empty')
+          AZURE_REGION=$(azd env get-values --output json | jq -r '.primary_azure_region // empty')
+          RESOURCE_GROUP=$(azd env get-values --output json | jq -r '.resource_group_name // empty')
+
+          # Only attempt to purge if we have the required information
+          if [[ -n "$OPENAI_RESOURCE_NAME" && -n "$AZURE_REGION" ]]; then
+            echo "Attempting to purge soft-deleted Azure OpenAI resource: $OPENAI_RESOURCE_NAME in $AZURE_REGION"
+            
+            # Purge the soft-deleted Cognitive Services account (continue on error if resource not found)
+            az cognitiveservices account purge \
+              --location "$AZURE_REGION" \
+              --resource-group "$RESOURCE_GROUP" \
+              --name "$OPENAI_RESOURCE_NAME" || echo "Resource may not be in soft-delete state or already purged"
+          else
+            echo "OpenAI resource information not found in environment outputs. Skipping purge."
+          fi
+

.github/workflows/azure-dev.yml

@@ -20,45 +20,54 @@ on:
     # Set this to the mainline branch you are using
     branches:
       - main
+  pull_request:
+    # Run when pull requests are opened or updated
+    branches:
+      - main
+
 # GitHub Actions workflow to deploy to Azure using azd
+# Ensure only one deployment runs at a time to prevent conflicts
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: false
 
 permissions:
   actions: read # Needed for uploading SARIF reports
   security-events: write  # Needed for uploading SARIF reports
-  id-token: write
+  id-token: write # Needed for OIDC Authentication
   contents: read
 
 
 jobs:
   build:
     runs-on: ${{ fromJson(vars.ACTIONS_RUNNER_NAME || '["ubuntu-latest"]') }}
     env:
-      AZURE_ENV_NAME: ${{ github.event.inputs.azd_environment_name || 'CICD' }}
+      AZURE_ENV_NAME: ${{ github.event.inputs.azd_environment_name || (github.event_name == 'pull_request' && format('pr-{0}', github.event.pull_request.number)) || 'CICD' }}
       AZURE_LOCATION: ${{ github.event.inputs.azure_location || 'eastus' }}
 
     steps:
-      - name: Checkout the branch ${{ github.ref_name }}
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Checkout code
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
-          ref: ${{ github.ref_name }}
+          persist-credentials: false
 
       - name: Install azd
-        uses: Azure/setup-azd@ae0f8b5482eeac61e940f447327d84c73beb8b1e # v2.1.0
+        uses: Azure/setup-azd@cf638ffd167fc81e1851241a478a723c05fa9cb3 # v2.2.0
         with:
           version: '1.20.0'  # Specify your desired azd version here
 
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
         with:
           node-version: '18.x'
 
       - name: Install Terraform
         uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
         with:
-          terraform_version: 1.13.3   
+          terraform_version: 1.13.3
 
       - name: Install TFLint
-        uses: terraform-linters/setup-tflint@90f302c255ef959cbfb4bd10581afecdb7ece3e6 # v4.1.1
+        uses: terraform-linters/setup-tflint@acd1575d3c037258ce5b2dd01379dc49ce24c6b7 # v6.2.0
         with:
           tflint_version: v0.58.1
           github_token: ${{ secrets.GITHUB_TOKEN }}  # Used to avoid rate
@@ -113,7 +122,7 @@ jobs:
           pac help
 
       - name: Set Up Python
-        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # 5.6.0
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # 6.0.0
         with:
           python-version: "3.x"
 
@@ -193,8 +202,8 @@ jobs:
         with:
           sarif_file: ./checkov-results.sarif/results_sarif.sarif
 
-      - name: Azd down
-        if: ${{ github.event.inputs.run_azd_down == 'true' }}
+      - name: Destroy Infrastructure
+        if: ${{ github.event.inputs.run_azd_down == 'true' || github.event_name == 'pull_request' }}
         env:
           POWER_PLATFORM_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
           POWER_PLATFORM_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
@@ -212,6 +221,7 @@ jobs:
           RS_CONTAINER_NAME: ${{ vars.RS_CONTAINER_NAME }}
           RS_RESOURCE_GROUP: ${{ vars.RS_RESOURCE_GROUP }}
           RESOURCE_SHARE_USER: ${{ vars.RESOURCE_SHARE_USER }}
+          RESOURCE_TAGS: ${{ vars.RESOURCE_TAGS }}
 
         shell: bash
         run: |
@@ -222,4 +232,26 @@ jobs:
           azd env set RESOURCE_TAGS "$RESOURCE_TAGS"
 
           azd env select "$AZURE_ENV_NAME"
-          azd down --no-prompt --force --purge
+          azd down --no-prompt --force --purge
+
+      - name: Purge Soft-Deleted Azure OpenAI Resources
+        if: ${{ github.event.inputs.run_azd_down == 'true' || github.event_name == 'pull_request' }}
+        shell: bash
+        run: |
+          # Get the OpenAI resource name and location from environment outputs
+          OPENAI_RESOURCE_NAME=$(azd env get-values --output json | jq -r '.openai_resource_name // empty')
+          AZURE_REGION=$(azd env get-values --output json | jq -r '.primary_azure_region // empty')
+          RESOURCE_GROUP=$(azd env get-values --output json | jq -r '.resource_group_name // empty')
+
+          # Only attempt to purge if we have the required information
+          if [[ -n "$OPENAI_RESOURCE_NAME" && -n "$AZURE_REGION" ]]; then
+            echo "Attempting to purge soft-deleted Azure OpenAI resource: $OPENAI_RESOURCE_NAME in $AZURE_REGION"
+            
+            # Purge the soft-deleted Cognitive Services account (continue on error if resource not found)
+            az cognitiveservices account purge \
+              --location "$AZURE_REGION" \
+              --resource-group "$RESOURCE_GROUP" \
+              --name "$OPENAI_RESOURCE_NAME" || echo "Resource may not be in soft-delete state or already purged"
+          else
+            echo "OpenAI resource information not found in environment outputs. Skipping purge."
+          fi

.github/workflows/terraform-validate.yml

@@ -13,6 +13,7 @@ permissions:
   contents: read
   security-events: write
   pull-requests: write  # Allow workflow to comment on PRs
+  id-token: write # Needed for OIDC Authentication
 
 # Global environment variables
 env:
@@ -45,12 +46,12 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           fetch-depth: 0  # Required for proper GitLeaks scanning
 
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
         with:
           node-version: '18.x'
 
@@ -94,7 +95,7 @@ jobs:
         working-directory: ./infra
 
       - name: Setup TFLint
-        uses: terraform-linters/setup-tflint@90f302c255ef959cbfb4bd10581afecdb7ece3e6 # v4.1.1
+        uses: terraform-linters/setup-tflint@acd1575d3c037258ce5b2dd01379dc49ce24c6b7 # v6.2.0
         with:
           tflint_version: v0.58.1  # Specify a version (recommended)
           github_token: ${{ secrets.GITHUB_TOKEN }}  # Used to avoid rate limiting
@@ -159,7 +160,7 @@ jobs:
 
       - name: Run Checkov action
         id: checkov
-        uses: bridgecrewio/checkov-action@38a95e98d734de90b74687a0fc94cfb4dcc9c169 # v12.1347.0
+        uses: bridgecrewio/checkov-action@cba89e33f08479973cadc681333ffe84f7c8e824 # v12.1347.0
         with: 
           framework: terraform
           download_external_modules: true
@@ -235,7 +236,7 @@ jobs:
     if: needs.check-dependabot.outputs.is_dependabot == 'true' && success()
     steps:
       - name: Comment on PR
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
@@ -272,7 +273,7 @@ jobs:
     if: needs.check-dependabot.outputs.is_dependabot == 'true' && failure()
     steps:
       - name: Comment on PR about failure
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |

.github/workflows/test-search.yaml

@@ -39,7 +39,7 @@ jobs:
 
     steps:
       - name: Checkout the branch ${{ github.ref_name }}
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           ref: ${{ github.ref_name }}