update based on CI/CD the long term strategy

Author: dantelmomsft

.github/workflows/app-ci.yaml

@@ -1,9 +1,13 @@
-name: Deploy to Production (Azure)
+name: APP CI/CD Pipeline 
 
 on:
   push:
     branches:
       - main
+    paths:
+      - "app/**"
+    tags:        
+      - v.*.*.*
   workflow_dispatch:
 
 jobs:
@@ -26,10 +30,10 @@ jobs:
         run: |
           if [[ $GITHUB_REF_NAME == 'refs/heads/main' ]]; then
               echo "DEPLOY_ENVIRONMENT=Development" >> "$GITHUB_OUTPUT"
-          elif [[ $GITHUB_REF_NAME == 'refs/heads/develop' ]]; then
-              echo "DEPLOY_ENVIRONMENT=Development" >> "$GITHUB_OUTPUT"
-          elif [[ $GITHUB_REF_NAME == 'refs/heads/release' ]]; then
-               echo "DEPLOY_ENVIRONMENT=Development" >> "$GITHUB_OUTPUT"
+          elif [[ $GITHUB_REF_NAME == *'refs/heads/release'* ]]; then
+              echo "DEPLOY_ENVIRONMENT=Test" >> "$GITHUB_OUTPUT"
+          elif [[ $GITHUB_REF_NAME == *'refs/tags/v'* ]]; then
+               echo "DEPLOY_ENVIRONMENT=Production" >> "$GITHUB_OUTPUT"
           else
               echo "DEPLOY_ENVIRONMENT=Development" >> "$GITHUB_OUTPUT"
           fi

.github/workflows/infra-ci.yaml

@@ -0,0 +1,119 @@
+name: Infra CI Pipeline 
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - "infra/**"
+
+  workflow_dispatch:
+
+# To configure required secrets for connecting to Azure, simply run `azd pipeline config`
+
+# Set up permissions for deploying with secretless Azure federated credentials
+# https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-portal%2Clinux#set-up-azure-login-with-openid-connect-authentication
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  validate-bicep:
+    name: "Infra Biceps Validation"
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Build Bicep for linting
+        uses: azure/CLI@v1
+        with:
+          inlineScript: az config set bicep.use_binary_from_path=false && az bicep build -f infra/main.bicep --stdout
+          
+      - name: Run Microsoft Security DevOps Analysis
+        uses: microsoft/security-devops-action@v1
+        id: msdo
+        continue-on-error: true
+        with:
+          tools: templateanalyzer
+
+      - name: Upload alerts to Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        if: github.repository == 'Azure-Samples/azure-search-openai-demo-java'
+        with:
+          sarif_file: ${{ steps.msdo.outputs.sarifFile }}
+
+
+#   deploy:
+#     name: "Deploy Infra and App using azd"
+#     runs-on: ubuntu-latest
+#     environment:
+#         name: "Development"
+#     env:
+#       AZURE_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
+#       AZURE_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
+#       AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
+#       AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
+#     steps:
+#       - name: Checkout
+#         uses: actions/checkout@v4
+    
+#       - name: Install azd
+#         uses: Azure/[email protected]
+      
+#       - name: Log in with Azure (Federated Credentials)
+#         if: ${{ env.AZURE_CLIENT_ID != '' }}
+#         run: |
+#           azd auth login `
+#             --client-id "$Env:AZURE_CLIENT_ID" `
+#             --federated-credential-provider "github" `
+#             --tenant-id "$Env:AZURE_TENANT_ID"
+#         shell: pwsh
+
+#       - name: Log in with Azure (Client Credentials)
+#         if: ${{ env.AZURE_CREDENTIALS != '' }}
+#         run: |
+#           $info = $Env:AZURE_CREDENTIALS | ConvertFrom-Json -AsHashtable;
+#           Write-Host "::add-mask::$($info.clientSecret)"
+
+#           azd auth login `
+#             --client-id "$($info.clientId)" `
+#             --client-secret "$($info.clientSecret)" `
+#             --tenant-id "$($info.tenantId)"
+#         shell: pwsh
+#         env:
+#           AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
+
+#       - name: Provision Infrastructure
+#         run: azd provision --no-prompt
+#         env:
+#           AZURE_ENV_NAME: ${{ vars.AZURE_ENV_NAME }}
+#           AZURE_LOCATION: ${{ vars.AZURE_LOCATION }}
+#           AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
+#           AZURE_FORMRECOGNIZER_RESOURCE_GROUP: ${{ vars.AZURE_FORMRECOGNIZER_RESOURCE_GROUP }}
+#           AZURE_FORMRECOGNIZER_SERVICE: ${{ vars.AZURE_FORMRECOGNIZER_RESOURCE_GROUP }}
+#           AZURE_OPENAI_RESOURCE_GROUP: ${{ vars.AZURE_FORMRECOGNIZER_SERVICE }}
+#           AZURE_OPENAI_SERVICE: ${{ vars.AZURE_OPENAI_SERVICE }}
+#           AZURE_RESOURCE_GROUP: ${{ vars.AZURE_RESOURCE_GROUP }}
+#           AZURE_SEARCH_SERVICE: ${{ vars.AZURE_SEARCH_SERVICE }}
+#           AZURE_SEARCH_SERVICE_RESOURCE_GROUP: ${{ vars.AZURE_SEARCH_SERVICE_RESOURCE_GROUP }}
+#           AZURE_STORAGE_ACCOUNT: ${{ vars.AZURE_STORAGE_ACCOUNT }}
+#           AZURE_STORAGE_RESOURCE_GROUP: ${{ vars.AZURE_STORAGE_RESOURCE_GROUP }}
+
+#       - name: Deploy Application
+#         run: azd deploy --no-prompt
+#         env:
+#           AZURE_ENV_NAME: ${{ vars.AZURE_ENV_NAME }}
+#           AZURE_LOCATION: ${{ vars.AZURE_LOCATION }}
+#           AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
+#           AZURE_FORMRECOGNIZER_RESOURCE_GROUP: ${{ vars.AZURE_FORMRECOGNIZER_RESOURCE_GROUP }}
+#           AZURE_FORMRECOGNIZER_SERVICE: ${{ vars.AZURE_FORMRECOGNIZER_RESOURCE_GROUP }}
+#           AZURE_OPENAI_RESOURCE_GROUP: ${{ vars.AZURE_FORMRECOGNIZER_SERVICE }}
+#           AZURE_OPENAI_SERVICE: ${{ vars.AZURE_OPENAI_SERVICE }}
+#           AZURE_RESOURCE_GROUP: ${{ vars.AZURE_RESOURCE_GROUP }}
+#           AZURE_SEARCH_SERVICE: ${{ vars.AZURE_SEARCH_SERVICE }}
+#           AZURE_SEARCH_SERVICE_RESOURCE_GROUP: ${{ vars.AZURE_SEARCH_SERVICE_RESOURCE_GROUP }}
+#           AZURE_STORAGE_ACCOUNT: ${{ vars.AZURE_STORAGE_ACCOUNT }}
+#           AZURE_STORAGE_RESOURCE_GROUP: ${{ vars.AZURE_STORAGE_RESOURCE_GROUP }}
+
+

.github/workflows/template-validation.yaml

@@ -1,7 +1,5 @@
 name: Validate AZD template
 on:
-  push:
-    branches: [ main ]
   pull_request:
     branches: [ main ]
   schedule:
@@ -29,7 +27,7 @@ jobs:
 
       - name: Upload alerts to Security tab
         uses: github/codeql-action/upload-sarif@v2
-        if: github.repository == 'Azure-Samples/azure-search-openai-demo'
+        if: github.repository == 'Azure-Samples/azure-search-openai-demo-java'
         with:
           sarif_file: ${{ steps.msdo.outputs.sarifFile }}
 
@@ -42,7 +40,7 @@ jobs:
 
       - name: Build React Frontend
         run: |
-          echo "Building front-end and merge into Spring Boot static folder. Environment [${{ steps.set-deploy-env.outputs.DEPLOY_ENVIRONMENT }}]"
+          echo "Building front-end and merge into Spring Boot static folder."
           cd ./app/frontend
           npm install
           npm run build
@@ -61,21 +59,8 @@ jobs:
           java-version: '17'
           cache: 'maven'
 
-      - name: Set environment for branch
-        id: set-deploy-env
-        run: |
-          if [[ $GITHUB_REF_NAME == 'refs/heads/main' ]]; then
-              echo "DEPLOY_ENVIRONMENT=Development" >> "$GITHUB_OUTPUT"
-          elif [[ $GITHUB_REF_NAME == 'refs/heads/develop' ]]; then
-              echo "DEPLOY_ENVIRONMENT=Development" >> "$GITHUB_OUTPUT"
-          elif [[ $GITHUB_REF_NAME == 'refs/heads/release' ]]; then
-               echo "DEPLOY_ENVIRONMENT=Development" >> "$GITHUB_OUTPUT"
-          else
-              echo "DEPLOY_ENVIRONMENT=Development" >> "$GITHUB_OUTPUT"
-          fi
-
       - name: Build Spring Boot App
         run: |
-          echo "Building Spring Boot app. Environment [${{ steps.set-deploy-env.outputs.DEPLOY_ENVIRONMENT }}]"
+          echo "Building Spring Boot app."
           cd ./app/backend
           ./mvnw verify