
Commit f83cb96

Authored by mattdot, github-advanced-security[bot], mawasile, Copilot and phongcao
Configure Private Runners (#230)
* Create private-runner.yml
* Update private-runner.yml
* Potential fix for code scanning alert no. 74: Workflow does not contain permissions

  Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* fix: update runner configuration to use dynamic runner name
* fix: update runner configuration to use dynamic runner name
* fix: update runner configuration to use ACTIONS_RUNNER_NAME variable
* feat: enhance private runner workflow with environment inputs and setup steps
* feat: add Terraform configuration for Azure infrastructure including virtual network, subnets, and storage account
* feat: add Storage Account Contributor role assignment and update dependencies for container creation
* feat: add Terraform configuration for Azure infrastructure including virtual network, RBAC assignments, and diagnostic settings
* feat: add GitHub integration for CI/CD with repository variables and update Terraform configurations
* feat: add push trigger for private runner branch in CI/CD workflow
* fix: update workflow name and permissions for Terraform remote state deployment
* fix: set default location for Terraform environment variable
* fix: correct environment variable name for GitHub token in Terraform workflow
* refactor: comment out GitHub provider and variables in Terraform files for clarity
* feat: add GitHub runner subnet and associated network security group with rules
* fix: add missing concurrency group for Terraform remote state workflow
* feat: enhance GitHub runner network security group with outbound rules and NAT gateway setup
* fix: update address space and prefixes for virtual network and subnets to align with new IP scheme
* fix: update remote state workflow to remove push trigger and streamline inputs
* feat: add README files for ACA and VM GitHub runners
* fix: add missing installation step for unzip in private runner workflow
* feat: add Azure CLI installation step in private runner workflow
* fix: replace Azure CLI installation step with direct script execution
* fix: update Azure CLI installation method to use package repository
* fix: update azd installation version to 1.18.0
* feat: add NodeJS installation step in private runner workflow
* fix: add -y flag to NodeJS installation command in private runner workflow
* feat: add Azure Blob Storage connection test step in private runner workflow
* feat: add DNS resolution test for private endpoint in Azure Blob Storage connection
* feat: add network diagnostics and DNS checks for Azure Blob Storage connection
* feat: add push trigger for private runner branch in Terraform setup workflow
* fix: update logging commands to use echo for network diagnostics in private runner workflow
* feat: add GitHub Actions runner installation script and Terraform configuration for VM deployment
* feat: add push trigger for private runner branch in Terraform setup workflow
* feat: add GITHUB_RUNNER_TOKEN and GITHUB_RUNNER_URL to environment variables in Terraform workflow
* fix: update default location for Terraform state infrastructure to West US 2
* fix: update default Azure location for Terraform state infrastructure to westus2
* fix: comment out unused Network Security Group Association resource in main.tf
* feat: add GitHub Actions runner installation script and update Terraform configuration
* fix: format comments in GitHub Actions runner installation script for clarity
* fix: run GitHub Actions runner configuration as root
* fix: add echo statement to display GitHub URL in runner installation script
* fix: update echo statements to include runner name and ensure GITHUB_URL is used correctly
* fix: update GitHub runner installation script to use correct token variable and display additional repo information
* fix: comment out runner configuration and execution commands in installation script
* fix: add return statement to installation script for better flow control
* fix: replace return statement with exit in installation script for proper termination
* fix: update GITHUB_TOKEN variable reference in installation script for consistency
* fix: correct GITHUB_TOKEN variable reference in installation script for accurate output
* fix: add github_token to vm_github_runner_config for improved configuration
* fix: add github_token to vm_github_runner_config for improved configuration
* fix: update GitHub runner configuration to use structured JSON format and remove unused variables
* fix: add TF_VAR_vm_github_runner_config to environment variables for improved configuration
* fix: correct TF_VAR_vm_github_runner_config assignment for accurate environment variable setup
* fix: update TF_VAR_vm_github_runner_config assignment to use structured JSON format
* fix: remove unused GitHub runner variables and update configuration for improved security
* fix: correct variable assignment syntax for registration response and GitHub runner token extraction
* fix: correct variable assignment syntax for registration response and GitHub runner token extraction
* fix: update variable syntax for registration response and token extraction in GitHub runner script
* fix: remove duplicate token fetching command in GitHub runner installation script
* fix: update GitHub runner token variable and remove unused token fetching commands
* fix: update GitHub runner token variable in Terraform configuration
* fix: update GitHub runner token variable in installation script
* fix: remove unnecessary exit command from GitHub runner installation script
* fix: comment out Terraform destroy step in workflow
* fix: comment out run.sh execution in GitHub runner installation script and increase disk size to 40GB in Terraform configuration
* refactor: update GitHub runner configuration variables for consistency and clarity
* refactor: update comments for systemd service registration and autostart configuration in GitHub runner installation script
* fix: comment out config.sh execution in GitHub runner installation script for clarity
* fix: comment out runner execution and exit in GitHub runner installation script for clarity
* fix: enable runner configuration execution in GitHub runner installation script
* fix: update GitHub URL in runner configuration command for accuracy
* fix: uncomment and enable systemd service registration for GitHub Actions runner
* feat: add comprehensive GitHub Actions runner installation script with network diagnostics and package management
* fix: remove commented-out GITHUB_TOKEN variable from installation script
* feat: add echo statements for runner configuration details in installation script
* fix: remove debug echo statements from installation script
* feat: add RUNNER_TOKEN variable to GitHub Actions runner installation script
* chore: remove obsolete GitHub Actions runner installation script
* refactor: update GitHub Actions runner installation script to use RUNNER_TOKEN and remove GITHUB_TOKEN
* fix: update script path in GitHub Actions runner installation extension
* feat: add runner_token input for workflow dispatch and update environment variables
* fix: add sudo flag to package installation commands in private-runner.yml
* refactor: comment out installation steps for Unzip, NodeJS, and Azure CLI in private-runner.yml
* fix: correct shebang line and add sudoers configuration for github-runner user
* refactor: remove redundant Azure storage commands in private-runner.yml
* refactor: comment out Azure Blob Storage connection test steps in private-runner.yml
* fix: update azd version from 1.18.0 to 1.18.1 in private-runner.yml
* feat: add steps to check Terraform and AZD CLI versions in private-runner.yml
* refactor: comment out Terraform installation step in private-runner.yml
* refactor: update network security group rules for GitHub runner and storage access
* refactor: remove commented-out Terraform destroy step from setup-remote-state.yml
* refactor: remove Power Platform CLI installation step from azure-dev.yml
* fix: add missing configuration to install Power Platform Tools
* chore: update azd and Terraform versions in workflows
* refactor: comment out Terraform installation step in azure-dev.yml
* fix: add missing newline at end of README files for GitHub runners
* Add guidelines for PowerShell, Python, and Terraform coding conventions; create NOTICE.md for licensing information
* feat: Add GitHub Actions self-hosted runner infrastructure
  - Introduced outputs for Container Apps Environment ID, GitHub runner app URL, Log Analytics Workspace ID, and Azure Container Registry details in outputs.tf.
  - Created provider.tf to define required Terraform version and providers for Azure and AzAPI.
  - Added variables for GitHub runner configuration, infrastructure subnet IDs, location, resource group name, and tags in variables.tf.
  - Implemented main.github_runners.tf to manage GitHub runner deployment in primary and failover regions, including role assignments for necessary permissions.
  - Updated network.tf to set up GitHub runner subnets and associated Network Security Groups with comprehensive rules for security.
  - Modified outputs.tf and variables.tf in the cicd directory to accommodate new GitHub runner configurations and settings.
  - Added documentation for configuring CI/CD in cicd.md.
  - Cleaned up infra/main.network.tf by removing deprecated GitHub runner subnet configurations and associated NSGs.
* docs: Update CICD documentation with additional setup instructions and details
* feat: Enhance README and CI/CD documentation with new sections on networking, resource groups, and security considerations; add guides for federated identity credentials and GitHub self-hosted runners
* Refactor CI/CD Infrastructure for GitHub Runners
  - Updated network configuration to use variables for address spaces in `network.tf`.
  - Removed redundant resources related to GitHub runner networking and security groups.
  - Introduced conditional deployment for GitHub runners based on type (VM or ACA) in `runner.tf`.
  - Enhanced GitHub runner configuration variables to support both VM and ACA setups.
  - Added validation for GitHub runner configuration to ensure proper settings for ACA.
  - Updated Terraform provider configurations to include AzAPI and removed GitHub provider.
  - Added documentation for alternative access to Azure AI Search using service principals.
  - Cleaned up variable definitions in `main.tfvars.json` and `variables.tf` to reflect changes in GitHub runner deployment.
* feat: Update documentation for Azure Developer CLI, CI/CD, PowerShell, Terraform, and Terratest best practices; enhance security and workflow guidelines
* refactor: Align variable formatting in networking configuration for consistency
* refactor: Remove unnecessary Checkov skip comments for NSG configuration in subnet resources
* refactor: Remove unnecessary blank lines in subnet resource definitions for clarity
* refactor: Remove push trigger from private runner workflow for cleaner execution
* chore: Initialize changelog and configuration files for versioning
* refactor: removing external mods ;
* chore: Add .external_modules/ to .gitignore
* refactor: Improve formatting and clarity in CI/CD documentation
* refactor: Remove unnecessary shell specification from GitHub Actions step
* refactor: Reorder masking of GitHub runner registration token in workflow steps
* refactor: Use variable for masking GitHub runner registration token
* fix: update required Terraform version to >= 1.6.0 for compatibility
* refactor: streamline security rules and remove unnecessary ACA-specific rules
* refactor: remove explicit deny rules for inbound and outbound traffic in NSG
* fix: update subnet address spaces for GitHub runner and storage
* refactor: comment out unused security rules in GitHub runner NSG
* refactor: format code for consistency and readability across Terraform files
* refactor: update DNS security rules to restrict access to Azure platform only
* refactor: update network diagnostics to test GitHub connectivity and remove unused output variables
* feat: add GitHub PAT variable for runner configuration and update Terraform version
* feat: add GitHub PAT environment variable for Terraform Plan step
* fix: use GitHub PAT variable for context access token in container registry task
* refactor: remove unused variables and commented code from runner configuration
* fix: use GitHub PAT secret as fallback for Terraform Plan step
* fix: use secrets for GitHub runner registration token fallback and update workload profile name
* fix: mask GitHub runner registration token and set it as an environment variable
* fix: mask GitHub runner registration token and set it as an environment variable using GitHub Actions
* fix: remove unnecessary import of core in GitHub Actions script for token handling
* fix: update storage account and container references in private runner workflow
* Update cicd/tfstate.tf

  Co-authored-by: Copilot <[email protected]>
* fix: update GitHub Actions workflows to mask sensitive inputs and improve Terraform configurations
* c
* Thanks to @phongcao and @nexilus18 for their work on these runners.

  Co-authored-by: Phong Cao <[email protected]>
  Co-authored-by: Neyissa Exilus <[email protected]>
* Update cicd/github_runner_vm/main.tf
* chore: remove outdated documentation on GitHub self-hosted runners deployment
* chore: remove Azure Principal Architect chat mode documentation
* chore: clean up GitHub Actions workflows and remove unused files
* fix: correct resource_share_user variable format in main.tfvars.json
* fix: update GitHub Actions workflow to disable credential persistence and clean up unused variable

---------

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Mateusz Wasilewski <[email protected]>
Co-authored-by: Copilot <[email protected]>
Co-authored-by: Phong Cao <[email protected]>
Co-authored-by: Neyissa Exilus <[email protected]>
1 parent f1f14a0 commit f83cb96


59 files changed: +3481 / -813 lines

.changes/header.tpl.md

Lines changed: 7 additions & 0 deletions
@@ -0,0 +1,7 @@
1+
# Changelog
2+
3+
All notable changes to this project will be documented in this file.
4+
5+
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
6+
adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html),
7+
and is generated by [Changie](https://github.com/miniscruff/changie).

.changes/unreleased/.gitkeep

Whitespace-only changes.

.changes/v0.1.0.md

Lines changed: 3 additions & 0 deletions
@@ -0,0 +1,3 @@
1+
## v0.1.0 - 2025-08-28
2+
### Added
3+
* Copilot Studio with Azure AI Search AZD Template

.changie.yaml

Lines changed: 26 additions & 0 deletions
@@ -0,0 +1,26 @@
1+
changesDir: .changes
2+
unreleasedDir: unreleased
3+
headerPath: header.tpl.md
4+
changelogPath: CHANGELOG.md
5+
versionExt: md
6+
versionFormat: '## {{.Version}} - {{.Time.Format "2006-01-02"}}'
7+
kindFormat: '### {{.Kind}}'
8+
changeFormat: '* {{.Body}}'
9+
kinds:
10+
- label: Added
11+
auto: minor
12+
- label: Changed
13+
auto: major
14+
- label: Deprecated
15+
auto: minor
16+
- label: Removed
17+
auto: major
18+
- label: Fixed
19+
auto: patch
20+
- label: Security
21+
auto: patch
22+
newlines:
23+
afterChangelogHeader: 1
24+
beforeChangelogVersion: 1
25+
endOfVersion: 1
26+
envPrefix: CHANGIE_
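Review bot: the `kinds` mapping in this hunk makes `Changed` and `Removed` force an `auto: major` bump while `Security` only bumps `patch`, so a routine "Changed" note will cut a major release but a security change that alters behaviour (for example the NSG rule tightening listed in the commit message) will not even reach minor. Decide deliberately whether `Changed` should be `minor` and `Security` should be allowed to bump `minor`, and record that policy in `header.tpl.md` so contributors pick kinds consistently.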

.devcontainer/devcontainer.json

Lines changed: 1 addition & 1 deletion
@@ -15,7 +15,7 @@
1515
"version": "8.0"
1616
},
1717
"ghcr.io/azure/azure-dev/azd:latest": {
18-
"version": "1.18.0"
18+
"version": "1.18.1"
1919
},
2020
"./features/dev-tools": {}
2121
},
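Review bot: the azd tool version is now pinned to "1.18.1" (line 18), but the feature itself is still referenced as `ghcr.io/azure/azure-dev/azd:latest`, so the installer that fetches that version floats with every feature release and the devcontainer build is not reproducible. Pin the feature tag to a fixed release alongside the `version` value, and keep it aligned with the 1.18.1 pin the commit message says was applied in `private-runner.yml`.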

.github/chatmodes/adr.chatmode.md

Lines changed: 91 additions & 0 deletions
@@ -0,0 +1,91 @@
1+
---
2+
description: Author or revise Architecture Decision Records (ADRs) that match this repository’s decision-log style and conventions.
3+
tools: ['changes', 'codebase', 'editFiles', 'fetch', 'githubRepo', 'openSimpleBrowser', 'problems', 'runCommands', 'search', 'searchResults', 'usages', 'microsoft.docs.mcp', 'azure_design_architecture', 'azure_get_code_gen_best_practices', 'azure_get_deployment_best_practices', 'azure_get_swa_best_practices', 'azure_query_learn']
4+
---
5+
# ADR Authoring Mode — Instructions
6+
7+
You are **ADR Author Mode** for this repository. Your job is to help the user create or revise an ADR that matches the repository’s existing style in `/decision-log/`.
8+
9+
## Core responsibilities
10+
11+
1. **Detect intent**
12+
13+
* If the user wants a **new ADR**, gather: short title, context/problem, decision, considered options (with pros/cons), decision drivers, and consequences/risks/follow-ups.
14+
* If the user wants to **revise** an ADR, locate the file in `/decision-log/` and propose a focused patch (do not rewrite history; add “Status” changes or append “Changelog” entries).
15+
16+
2. **Follow repository conventions**
17+
18+
* **Location:** `/decision-log/`
19+
* **Filename:** `###-<kebab-title>.md` (use the next available sequence number).
20+
* **Heading:** `# <Short Title>`
21+
* **Status line:** one of `proposed | accepted | rejected | superseded by <ADR #> | deprecated`
22+
* Include sections in this order (omit any that are clearly not applicable):
23+
24+
* **Status** (and **Date**)
25+
* **Context**
26+
* **Rationale**
27+
* **Decision** (state chosen option and why)
28+
* **Considered Alternatives** (pros cons of each)
29+
* **Consequences** (positive/negative trade-offs)
30+
* **Links / References**
31+
* **Changelog** (append-only)
32+
33+
3. **Guardrails and quality**
34+
35+
* Keep one decision per ADR.
36+
* Use crisp, neutral engineering language; avoid marketing terms.
37+
* Make risks explicit and assign follow-ups with owners if mentioned.
38+
* If revising, never delete prior rationale—add a dated note or superseding ADR.
39+
40+
4. **Cross-checks before writing**
41+
42+
* Search `/decision-log/` for similar topics to avoid duplication. If duplication risk exists, suggest “amend existing ADR” or “supersede” flow.
43+
* Verify terms and technology names (e.g., “Microsoft Entra ID”) via quick websearch if the user asks for branding specifics.
44+
45+
5. **File operations**
46+
47+
* For a **new ADR**:
48+
49+
1. Create the file path `/decision-log/###-<kebab-title>.md`.
50+
2. Populate the full template below.
51+
* For a **revision**:
52+
53+
1. Open the target ADR.
54+
2. Propose a minimal diff via `editFiles` (status changes or append “Changelog”).
55+
* Do not touch unrelated files.
56+
57+
## Canonical ADR template to use
58+
59+
```markdown
60+
# {Short Title}
61+
62+
**Status:** {proposed | accepted | rejected | deprecated | superseded by ADR-XXXX}
63+
**Date:** {YYYY-MM-DD}
64+
65+
## Context
66+
{Describe the context and the problem to be solved. Link to issues, PRs, or docs if relevant.}
67+
68+
## Rationale
69+
{Describe the decision drivers and rationale for how an option will be chosen.}
70+
71+
## Decision
72+
**{Option ?}**, because {key justification referencing drivers}
73+
74+
## Considered Alternatives
75+
### {Option A}
76+
### {Option B}
77+
### {Option C}
78+
79+
### Consequences
80+
- {Positive consequence 1}
81+
- {Negative consequence 1}
82+
- {Operational/Process implications}
83+
- {Security/Compliance implications (if any)}
84+
- {Follow-ups with owners and dates}
85+
86+
## Links / References
87+
- {Links to issues/PRs/design docs/benchmarks}
88+
89+
## Changelog
90+
- {YYYY-MM-DD} — {Change summary, e.g., status changed to accepted; superseded by ADR-XXXX}
91+
```
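Review bot: the `tools` list on line 3 grants `runCommands`, `fetch` and `openSimpleBrowser` to a mode whose only job (lines 7 and 55) is creating or patching markdown under `/decision-log/`, and line 43 additionally tells it to do a "quick websearch"; untrusted fetched content therefore reaches an agent that can execute commands and edit files. Trim the list to what the task needs (`search`, `codebase`, `changes`, `editFiles`, `problems`), keep `fetch` only if the branding check genuinely requires it, and drop `runCommands`. Two smaller points in the template: `### Consequences` (line 79) is an H3 under "Considered Alternatives" while its siblings are H2 sections, and the status vocabulary differs between line 21 (`superseded by <ADR #>`) and line 62 (`superseded by ADR-XXXX`); line 28 should read "pros/cons".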
