Fix bicep CLI uninitialized path in container app deployments (#6610)

* fix security issue with playwright/test 1.49.1 (#6592)

* Checkpoint from VS Code for cloud agent session

* Fix bicep CLI initialization by restoring EnsureInstalled calls

- Restore public EnsureInstalled() method in bicep.go
- Remove automatic installation from Build() and BuildBicepParam()
- Add explicit EnsureInstalled() calls in service_target_containerapp.go and bicep_provider.go
- Update all test files to use public EnsureInstalled() method
- Reverts incorrect changes from previous checkpoint commit

This fix follows the same pattern as PR #6593 for GitHub CLI.

Co-authored-by: vhvb1989 <24213737+vhvb1989@users.noreply.github.com>

* Checkpoint from VS Code for cloud agent session

---------

Co-authored-by: Victor Vazquez <vhvb1989@gmail.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: vhvb1989 <24213737+vhvb1989@users.noreply.github.com>

Author: Copilot

cli/azd/internal/scaffold/scaffold_test.go

@@ -257,8 +257,6 @@ func TestExecInfra(t *testing.T) {
 
 			ctx := context.Background()
 			cli := bicep.NewCli(mockinput.NewMockConsole(), exec.NewCommandRunner(nil))
-			err = cli.EnsureInstalled(ctx)
-			require.NoError(t, err)
 
 			res, err := cli.Build(ctx, filepath.Join(dir, "main.bicep"))
 			require.NoError(t, err)

cli/azd/pkg/infra/provisioning/bicep/bicep_provider.go

@@ -95,11 +95,6 @@ func (p *BicepProvider) Name() string {
 // Initialize initializes provider state from the options.
 // It also calls EnsureEnv, which ensures the client-side state is ready for provisioning.
 func (p *BicepProvider) Initialize(ctx context.Context, projectPath string, opt provisioning.Options) error {
-	// Ensure bicep CLI is installed before any operations
-	if err := p.bicepCli.EnsureInstalled(ctx); err != nil {
-		return fmt.Errorf("ensuring bicep is installed: %w", err)
-	}
-
 	infraOptions, err := opt.GetWithDefaults()
 	if err != nil {
 		return err

cli/azd/pkg/infra/provisioning/bicep/bicep_provider_test.go

@@ -1093,7 +1093,6 @@ func TestUserDefinedTypes(t *testing.T) {
 
 	azCli := mockazapi.NewAzureClientFromMockContext(mockContext)
 	bicepCli := bicep.NewCli(mockContext.Console, mockContext.CommandRunner)
-	require.NoError(t, bicepCli.EnsureInstalled(*mockContext.Context))
 	env := environment.NewWithValues("test-env", map[string]string{})
 
 	mockContext.CommandRunner.When(func(args exec.RunArgs, command string) bool {

cli/azd/pkg/project/service_target_containerapp.go

@@ -229,11 +229,7 @@ func (at *containerAppTarget) Deploy(
 		fetchBicepCli := at.bicepCli
 		if fetchBicepCli == nil {
 			fetchBicepCli = func() (*bicep.Cli, error) {
-				cli := bicep.NewCli(at.console, at.commandRunner)
-				if err := cli.EnsureInstalled(ctx); err != nil {
-					return nil, err
-				}
-				return cli, nil
+				return bicep.NewCli(at.console, at.commandRunner), nil
 			}
 		}
 

cli/azd/pkg/tools/bicep/bicep.go

@@ -28,7 +28,14 @@ import (
 // user).
 var Version semver.Version = semver.MustParse("0.39.26")
 
-// Cli is a wrapper around the bicep CLI. Call EnsureInstalled before using Build or BuildBicepParam.
+// Cli is a wrapper around the bicep CLI.
+// The CLI automatically ensures bicep is installed before executing commands.
+//
+// Concurrency notes: The sync.Once is per-instance, not global. In normal operation, the IoC
+// container registers Cli as a singleton, so one shared instance is used. However, some code paths
+// (e.g., service_target_containerapp.go) create new instances inline. If multiple instances race to
+// install bicep concurrently, this is safe because downloadBicep uses atomic file operations
+// (temp file + rename). The only downside is potentially redundant downloads, which is rare and harmless.
 type Cli struct {
 	path        string
 	runner      exec.CommandRunner
@@ -39,8 +46,8 @@ type Cli struct {
 	installErr  error
 }
 
-// NewCli creates a new Bicep CLI wrapper. The CLI is not yet installed; call EnsureInstalled
-// before using Build or BuildBicepParam methods.
+// NewCli creates a new Bicep CLI wrapper.
+// The CLI automatically ensures bicep is installed when Build or BuildBicepParam is called.
 func NewCli(console input.Console, commandRunner exec.CommandRunner) *Cli {
 	return newCliWithTransporter(console, commandRunner, http.DefaultClient)
 }
@@ -58,10 +65,9 @@ func newCliWithTransporter(
 	}
 }
 
-// EnsureInstalled checks if bicep is available and downloads/upgrades if needed.
+// ensureInstalledOnce checks if bicep is available and downloads/upgrades if needed.
 // This is safe to call multiple times; installation only happens once.
-// Should be called with a request-scoped context before first use.
-func (cli *Cli) EnsureInstalled(ctx context.Context) error {
+func (cli *Cli) ensureInstalledOnce(ctx context.Context) error {
 	cli.installOnce.Do(func() {
 		cli.installErr = cli.ensureInstalled(ctx)
 	})
@@ -270,6 +276,10 @@ type BuildResult struct {
 }
 
 func (cli *Cli) Build(ctx context.Context, file string) (BuildResult, error) {
+	if err := cli.ensureInstalledOnce(ctx); err != nil {
+		return BuildResult{}, fmt.Errorf("ensuring bicep is installed: %w", err)
+	}
+
 	args := []string{"build", file, "--stdout"}
 	buildRes, err := cli.runCommand(ctx, nil, args...)
 
@@ -287,6 +297,10 @@ func (cli *Cli) Build(ctx context.Context, file string) (BuildResult, error) {
 }
 
 func (cli *Cli) BuildBicepParam(ctx context.Context, file string, env []string) (BuildResult, error) {
+	if err := cli.ensureInstalledOnce(ctx); err != nil {
+		return BuildResult{}, fmt.Errorf("ensuring bicep is installed: %w", err)
+	}
+
 	args := []string{"build-params", file, "--stdout"}
 	buildRes, err := cli.runCommand(ctx, env, args...)
 

cli/azd/pkg/tools/bicep/bicep_test.go

@@ -48,7 +48,7 @@ func TestNewBicepCli(t *testing.T) {
 	cli := newCliWithTransporter(
 		mockContext.Console, mockContext.CommandRunner, mockContext.HttpClient,
 	)
-	err := cli.EnsureInstalled(*mockContext.Context)
+	err := cli.ensureInstalledOnce(*mockContext.Context)
 	require.NoError(t, err)
 	require.NotNil(t, cli)
 
@@ -121,7 +121,7 @@ func TestNewBicepCliWillUpgrade(t *testing.T) {
 	cli := newCliWithTransporter(
 		mockContext.Console, mockContext.CommandRunner, mockContext.HttpClient,
 	)
-	err = cli.EnsureInstalled(*mockContext.Context)
+	err = cli.ensureInstalledOnce(*mockContext.Context)
 	require.NoError(t, err)
 	require.NotNil(t, cli)
 

cli/azd/test/functional/aspire_test.go

@@ -179,8 +179,6 @@ func Test_CLI_Aspire_DetectGen(t *testing.T) {
 		require.NoError(t, err)
 
 		bicepCli := bicep.NewCli(mockinput.NewMockConsole(), exec.NewCommandRunner(nil))
-		err = bicepCli.EnsureInstalled(ctx)
-		require.NoError(t, err)
 
 		// Validate bicep builds without errors
 		// cdk lint errors are expected
@@ -232,8 +230,6 @@ func Test_CLI_Aspire_DetectGen(t *testing.T) {
 		require.NoError(t, err)
 
 		bicepCli := bicep.NewCli(mockinput.NewMockConsole(), exec.NewCommandRunner(nil))
-		err = bicepCli.EnsureInstalled(ctx)
-		require.NoError(t, err)
 
 		// Validate bicep builds without errors
 		// cdk lint errors are expected