Merge branch 'master' into v-sabiraj-awsscriptchanges

Author: v-atulyadav

.github/actions/Dockerfile

@@ -4,19 +4,19 @@ FROM mcr.microsoft.com/powershell:latest
 ARG SolutionName
 
 ARG mainTemplateChanged
-ENV mainTemplateChanged ${mainTemplateChanged}
+ENV mainTemplateChanged=${mainTemplateChanged}
 
 ARG createUiChanged
-ENV createUiChanged ${createUiChanged}
+ENV createUiChanged=${createUiChanged}
 
-ENV sname ${SolutionName}
-ENV sname1 $SolutionName
+ENV sname=${SolutionName}
+ENV sname1=$SolutionName
 RUN echo "mainTemplateChanged ${mainTemplateChanged}"
 RUN echo "createUiChanged ${createUiChanged}"
 
 LABEL version="v1.0"
 
-WORKDIR ./Solutions/$SolutionName
+WORKDIR /app/Solutions/$SolutionName
 
 COPY ./Solutions/$SolutionName dist
 COPY ./.github/actions/entrypoint.ps1 dist

.github/workflows/arm-ttk-validations.yaml

@@ -1,6 +1,14 @@
 name: Arm-ttk Validations
 
-on: [pull_request]
+on:
+  pull_request:
+    paths:
+      - 'Solutions/**/mainTemplate.json'
+      - 'Solutions/**/createUiDefinition.json'
+
+permissions:
+  contents: read
+  pull-requests: read
 
 jobs:
   run-arm-ttk:
@@ -10,30 +18,33 @@ jobs:
       mainTemplateChanged: ${{ steps.step1.outputs.mainTemplateChanged }}
       createUiChanged: ${{ steps.step1.outputs.createUiChanged }}
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
       - shell: pwsh
         id: step1
         name: Identify Changes in PR
         run: |
-          Set-PSRepository PSGallery -InstallationPolicy Trusted
-          Install-Module powershell-yaml
-          ./.script/package-automation/arm-ttk-tests.ps1
+          try {
+            Set-PSRepository PSGallery -InstallationPolicy Trusted
+            Install-Module powershell-yaml -Force
+            ./.script/package-automation/arm-ttk-tests.ps1
+          }
+          catch {
+            Write-Error "Failed to run ARM-TTK tests: $_"
+            exit 1
+          }
 
-      - uses: docker/build-push-action@4976231911ebf5f32aad765192d35f942aa48cb8
+      - uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
         id: publishGithubPackage
         name: Run ARM-TTK
-        if: ${{ success() && steps.step1.outcome == 'success' && steps.step1.outputs.solutionName != '' && (steps.step1.outputs.mainTemplateChanged == 'true' || steps.step1.outputs.createUiChanged == 'true') }}
-        env: 
-          SolutionName: ${{ steps.step1.outputs.solutionName }}
-          mainTemplateChanged: ${{ steps.step1.outputs.mainTemplateChanged }}
-          createUiChanged: ${{ steps.step1.outputs.createUiChanged }}
+        if: ${{ success() && steps.step1.outputs.solutionName != '' && (steps.step1.outputs.mainTemplateChanged == 'true' || steps.step1.outputs.createUiChanged == 'true') }}
         with:
           context: .
           file: ./.github/actions/Dockerfile
           push: false
+          provenance: false
           build-args: |
-            SolutionName
-            mainTemplateChanged
-            createUiChanged
+            SolutionName=${{ steps.step1.outputs.solutionName }}
+            mainTemplateChanged=${{ steps.step1.outputs.mainTemplateChanged }}
+            createUiChanged=${{ steps.step1.outputs.createUiChanged }}

.github/workflows/codeql-analysis.yml

@@ -32,8 +32,8 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        language: [ 'javascript', 'python', 'ruby' ]
-        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+        language: [ 'javascript', 'python', 'ruby', 'actions' ]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'actions' ]
         # Learn more about CodeQL language support at https://git.io/codeql-language-support
 
     steps:

.github/workflows/package-command.yaml

@@ -4,124 +4,155 @@ env:
   DEFAULTPACKAGEVERSION: "${{ vars.DEFAULTPACKAGEVERSION }}"
   BASE_FOLDER_PATH: "${{ vars.BASEFOLDERPATH }}"
   BRANCH_NAME: "${{ github.event.client_payload.pull_request.head.ref || github.event.client_payload.pullRequestBranchName }}"
-  GITHUB_APPS_ID: "${{ secrets.APPLICATION_ID }}"
-  GITHUB_APPS_KEY: "${{ secrets.APPLICATION_PRIVATE_KEY }}"
+  PULL_REQUEST_NUMBER: "${{ github.event.client_payload.pull_request.number || github.event.client_payload.pullRequestNumber }}"
 
 on:
   repository_dispatch:
     types: [package-command, Package-command, PACKAGE-command]
 
 concurrency:
-  group: "GroupName-PackageCommand-${{ github.event.client_payload.pull_request.number || github.run_id }}"
+  group: "package-command-${{ github.event.client_payload.pull_request.number || github.run_id }}"
   cancel-in-progress: true
 
+permissions:
+  contents: write
+  pull-requests: write
+  actions: read
+
 jobs:
   validate-and-create-package:
     if: ${{ !github.event.pull_request.head.repo.fork && !contains(github.event.client_payload.pull_request.head.ref , 'dependabot/') && !contains(github.event.client_payload.pullRequestBranchName , 'dependabot/') }}
     runs-on: ubuntu-latest
+    outputs:
+      is-automated-pr: ${{ steps.checkAutomatedPR.outputs.isAutomatedPR }}
+      package-created: ${{ steps.validateAndCreatePackage.outputs.isCreatePackage }}
     steps:
+      - name: Validate inputs
+        run: |
+          if [ -z "${{ env.BRANCH_NAME }}" ]; then
+            echo "::error::Branch name is required"
+            exit 1
+          fi
+          if [ -z "${{ env.PULL_REQUEST_NUMBER }}" ]; then
+            echo "::error::Pull request number is required"
+            exit 1
+          fi
+
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: "${{ env.BRANCH_NAME }}"
+          fetch-depth: 0
+          persist-credentials: false  # Disable automatic token authentication
+          # Do not use privileged token for untrusted code checkout
+
       - name: Generate a token
         id: generate_token
-        uses: actions/create-github-app-token@46e4a501e119d39574a54e53a06c9a705efc55c9
+        uses: actions/create-github-app-token@333678481b1f02ee31fa1443aba4f1f7cb5b08b5 # v2.0.0
         with:
-          app-id: ${{ env.GITHUB_APPS_ID }}
-          private-key: ${{ env.GITHUB_APPS_KEY }}
+          app-id: ${{ secrets.APPLICATION_ID }}
+          private-key: ${{ secrets.APPLICATION_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+          repositories: ${{ github.event.repository.name }}
 
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+      - name: Check if PR branch is up to date with master
+        id: check_up_to_date
+        shell: bash
         env:
-          GeneratedToken: ${{ steps.generate_token.outputs.token }}
-        with:
-          ref: "${{ env.BRANCH_NAME }}"
-          fetch-depth: 2
-          token: ${{ env.GeneratedToken}}
+          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
+        run: |
+          git remote set-url origin https://x-access-token:${GITHUB_TOKEN}@github.com/${{ github.repository }}.git
+          git fetch origin master
+          BASE=$(git merge-base HEAD origin/master)
+          if [ "$BASE" = "$(git rev-parse HEAD)" ]; then
+            echo "skip_pipeline=true" >> $GITHUB_ENV
+            echo "PR branch is up to date with master. Skipping pipeline."
+          else
+            echo "skip_pipeline=false" >> $GITHUB_ENV
+          fi
 
-      - id: checkAutomatedPR
-        name: check-Automated-PR
-        if: ${{ success() }}
-        env:
-          BranchName: ${{ github.event.pull_request.head.ref || github.event.client_payload.pull_request.head.ref || github.event.client_payload.pullRequestBranchName }}
+      - name: Check for automated PR
+        id: checkAutomatedPR
+        if: env.skip_pipeline != 'true'
         shell: pwsh
         run: |
-          $pullRequestBranchName = "$env:BranchName"
-          Write-Host "Pull Request Branch Name is $pullRequestBranchName"
-          $isAutomatedPR = $false
-          if ($pullRequestBranchName -like '*automated-pr')
-          {
+          $branchName = "${{ env.BRANCH_NAME }}"
+          Write-Host "Pull Request Branch Name is $branchName"
+          $isAutomatedPR = $branchName -like '*automated-pr'
+          if ($isAutomatedPR) {
             Write-Host "Skipping packaging as it is an automated pr!"
-            $isAutomatedPR = $true
           }
-          Write-Output "isAutomatedPR=$isAutomatedPR" >> $env:GITHUB_OUTPUT
-          Write-Host "Is this Pull Request autogenerated $isAutomatedPR"
+          "isAutomatedPR=$($isAutomatedPR.ToString().ToLower())" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
+          Write-Host "Is this Pull Request autogenerated: $isAutomatedPR"
 
-      - id: validateAndCreatePackage
-        name: validate-create-package
-        if: ${{ success() && steps.checkAutomatedPR.outputs.isAutomatedPR == 'False' }}
-        env:
-          RUNID: "${{ github.run_id }}" 
-          PULL_REQUEST_NUMBER: "${{ github.event.client_payload.pull_request.number || github.event.client_payload.pullRequestNumber }}"
+      - name: Validate and create package
+        id: validateAndCreatePackage
+        if: steps.checkAutomatedPR.outputs.isAutomatedPR == 'false' && env.skip_pipeline != 'true'
         shell: pwsh
         run: |
-          $runId = "${{ env.RUNID }}"
+          $runId = "${{ github.run_id }}"
           $instrumentationKey = "${{ env.APPINSIGHTS }}"
           $pullRequestNumber = "${{ env.PULL_REQUEST_NUMBER }}"
           $defaultPackageVersion = "${{ env.DEFAULTPACKAGEVERSION }}"
           $baseFolderPath = "${{ env.BASE_FOLDER_PATH }}"
-          Set-PSRepository PSGallery -InstallationPolicy Trusted
-          Install-Module powershell-yaml
-          ./.script/package-automation/package-service.ps1 $runId $pullRequestNumber $instrumentationKey $baseFolderPath $defaultPackageVersion $false
+          # Validate required parameters
+          if ([string]::IsNullOrEmpty($runId)) {
+            Write-Error "Run ID is required"
+            exit 1
+          }
+          if ([string]::IsNullOrEmpty($pullRequestNumber)) {
+            Write-Error "Pull Request Number is required"
+            exit 1
+          }
+          try {
+            Set-PSRepository PSGallery -InstallationPolicy Trusted
+            Install-Module powershell-yaml -Force
+            ./.script/package-automation/package-service.ps1 $runId $pullRequestNumber $instrumentationKey $baseFolderPath $defaultPackageVersion $false
+          }
+          catch {
+            Write-Error "Package creation failed: $_"
+            exit 1
+          }
 
-      - name: Upload Artifacts
+      - name: Upload package artifacts
         id: uploadPackageArtifacts
-        if: ${{ success() && (steps.validateAndCreatePackage.outcome == 'success' && env.IS_CREATE_PACKAGE && env.PACKAGE_CREATION_PATH != '' && env.BLOBNAME != '') }}
-        uses: actions/upload-artifact@e0057a5b76f2fdad976135e8dd7b691e632b9056
-        env:
-          BLOBNAME: "${{ steps.validateAndCreatePackage.outputs.blobName }}"
-          PACKAGE_CREATION_PATH: "${{ steps.validateAndCreatePackage.outputs.packageCreationPath }}"
-          DATA_FOLDER_PATH: "${{ steps.validateAndCreatePackage.outputs.dataFolderPath }}"
-          DATA_INPUT_FILE_NAME: "${{ steps.validateAndCreatePackage.outputs.dataInputFileName }}"
-          SOLUTION_NAME: "${{ steps.validateAndCreatePackage.outputs.solutionName }}"
-          SOLUTION_SUPPORTED_BY: "${{ steps.validateAndCreatePackage.outputs.solutionSupportedBy }}"
-          RUNID: "${{ github.run_id }}" 
-          PULL_REQUEST_NUMBER: "${{ github.event.client_payload.pull_request.number || github.event.client_payload.pullRequestNumber }}"
-          IS_CREATE_PACKAGE: ${{ steps.validateAndCreatePackage.outputs.isCreatePackage }}
+        if: |
+          steps.validateAndCreatePackage.outcome == 'success' && 
+          steps.validateAndCreatePackage.outputs.isCreatePackage == 'true' &&
+          steps.validateAndCreatePackage.outputs.uploadPackagePath != '' && 
+          steps.validateAndCreatePackage.outputs.blobName != ''
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
         with: 
-          name: "${{ env.BLOBNAME }}"
-          path: "${{ env.PACKAGE_CREATION_PATH }}"
+          name: "${{ steps.validateAndCreatePackage.outputs.blobName }}"
+          path: |
+            ${{ steps.validateAndCreatePackage.outputs.uploadPackagePath }}
+            ${{ steps.validateAndCreatePackage.outputs.packageCreationPath }}*.json
+          retention-days: 20  # Override default 90 days for cost optimization
 
-      - name: Upload Data File Artifacts
+      - name: Upload data file artifacts
         id: uploadDataFileArtifact
-        if: ${{ success() && (steps.validateAndCreatePackage.outcome == 'success' && env.DATA_FOLDER_PATH != '' && env.DATA_INPUT_FILE_NAME != '') }}
-        uses: actions/upload-artifact@e0057a5b76f2fdad976135e8dd7b691e632b9056
-        env:
-          DATA_FOLDER_PATH: "${{ steps.validateAndCreatePackage.outputs.dataFolderPath }}"
-          DATA_INPUT_FILE_NAME: "${{ steps.validateAndCreatePackage.outputs.dataInputFileName }}"
+        if: |
+          steps.validateAndCreatePackage.outcome == 'success' && 
+          steps.validateAndCreatePackage.outputs.dataFolderPath != '' && 
+          steps.validateAndCreatePackage.outputs.dataInputFileName != ''
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
         with: 
-          name: "${{ env.DATA_INPUT_FILE_NAME }}"
-          path: "${{ env.DATA_FOLDER_PATH }}"
+          name: "${{ steps.validateAndCreatePackage.outputs.dataInputFileName }}"
+          path: "${{ steps.validateAndCreatePackage.outputs.dataFolderPath }}"
+          retention-days: 20  # Override default 90 days for cost optimization
 
-      - name: Push changes to Existing PR
-        if: ${{ success() && steps.uploadDataFileArtifact.outcome == 'success'}}
+      - name: Push changes to existing PR
+        if: steps.uploadDataFileArtifact.outcome == 'success'
+        env:
+          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
         run: |
           git config --global user.email "[email protected]"
-          git config --global user.name "Github Bot"
+          git config --global user.name "GitHub Actions Bot"
+          git remote set-url origin https://x-access-token:${GITHUB_TOKEN}@github.com/${{ github.repository }}.git
           git add -A
-          git commit -m '[skip ci] Github Bot Added package to Pull Request!'
-          git push
-
-      - uses: docker/build-push-action@v2
-        id: publishGithubPackage
-        name: Run ARM-TTK
-        if: ${{ success() }}
-        continue-on-error: true
-        env: 
-          SolutionName: "${{ steps.validateAndCreatePackage.outputs.solutionName }}"
-          mainTemplateChanged: "True"
-          createUiChanged: "True"
-        with:
-          context: .
-          file: ./.github/actions/Dockerfile
-          push: false
-          build-args: |
-            SolutionName
-            mainTemplateChanged
-            createUiChanged
+          if ! git diff --cached --quiet; then
+            git commit -m '[skip ci] Automated package addition to Pull Request'
+            git push origin HEAD:${{ env.BRANCH_NAME }}
+          else
+            echo "No changes to commit"
+          fi