Closed
123 changes: 123 additions & 0 deletions .github/workflows/copilot-setup-steps.yml
Expand Up @@ -189,6 +189,129 @@ jobs:
Write-Host "Running DSCv3 to validate correct operation..."
dsc --version

- name: Install SQL Server on Ubuntu
shell: bash
run: |
echo "Installing SQL Server 2022 on Ubuntu..."

# Import the public repository GPG keys
echo "::group::Import Microsoft GPG keys"
curl -fsSL https://packages.microsoft.com/keys/microsoft.asc | sudo tee /etc/apt/trusted.gpg.d/microsoft.asc > /dev/null
echo "::endgroup::"

# Register the SQL Server Ubuntu repository
echo "::group::Register SQL Server repository"
sudo add-apt-repository "$(wget -qO- https://packages.microsoft.com/config/ubuntu/20.04/mssql-server-2022.list)" -y
echo "::endgroup::"

# Update package list and install SQL Server
echo "::group::Install SQL Server package"
sudo apt-get update
sudo apt-get install -y mssql-server
echo "::endgroup::"

# Configure SQL Server with mssql-conf (unattended setup)
echo "::group::Configure SQL Server"
sudo MSSQL_SA_PASSWORD='P@ssw0rd1' \
MSSQL_PID='Developer' \
MSSQL_TCP_PORT=1433 \
ACCEPT_EULA='Y' \
/opt/mssql/bin/mssql-conf -n setup
echo "::endgroup::"
Comment on lines +215 to +220

⚠️ Potential issue

Security concern: Hardcoded SA password in workflow.

The SQL Server SA password is hardcoded as 'P@ssw0rd1' directly in the workflow file. This creates several security issues:

  • The password is visible in the repository and logs
  • It uses a common, predictable pattern
  • No password rotation capability

Consider using GitHub secrets or environment variables for sensitive credentials:

- sudo MSSQL_SA_PASSWORD='P@ssw0rd1' \
+ sudo MSSQL_SA_PASSWORD='${{ secrets.SQL_SA_PASSWORD }}' \

Or generate a random password at runtime:

+ # Generate a secure random password
+ SA_PASSWORD=$(openssl rand -base64 16)
+ echo "::add-mask::$SA_PASSWORD"
+ sudo MSSQL_SA_PASSWORD="$SA_PASSWORD" \
- sudo MSSQL_SA_PASSWORD='P@ssw0rd1' \
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
sudo MSSQL_SA_PASSWORD='P@ssw0rd1' \
MSSQL_PID='Developer' \
MSSQL_TCP_PORT=1433 \
ACCEPT_EULA='Y' \
/opt/mssql/bin/mssql-conf -n setup
echo "::endgroup::"
sudo MSSQL_SA_PASSWORD='${{ secrets.SQL_SA_PASSWORD }}' \
MSSQL_PID='Developer' \
MSSQL_TCP_PORT=1433 \
ACCEPT_EULA='Y' \
/opt/mssql/bin/mssql-conf -n setup
echo "::endgroup::"
🤖 Prompt for AI Agents
.github/workflows/copilot-setup-steps.yml around lines 215 to 220: the SA
password is hardcoded as 'P@ssw0rd1' which exposes credentials; replace the
literal with a secure source by reading the password from a GitHub Actions
secret (e.g. use secrets.MSSQL_SA_PASSWORD) or generate a random password at
runtime and store it in an environment variable, pass that variable into
MSSQL_SA_PASSWORD when invoking mssql-conf, ensure the secret value is never
printed to logs, and document/update repository/security guidance to require
setting the secret in the Actions settings.


# Verify SQL Server is running
echo "::group::Verify SQL Server status"
sudo systemctl status mssql-server --no-pager --lines=5
echo "::endgroup::"

echo "SQL Server 2022 installation completed successfully"
Comment on lines +192 to +227

⚠️ Potential issue

🧩 Analysis chain

Verify SQL Server 2022 compatibility with Ubuntu in GitHub Actions runners.

The workflow hardcodes the Ubuntu 20.04 repository URLs and configuration (lines 204, 241) while GitHub Actions ubuntu-latest runners typically use Ubuntu 22.04 or newer. This mismatch could cause installation failures or use of incompatible packages.


🌐 Web query:

Ubuntu version used by GitHub Actions ubuntu-latest runners 2024

💡 Result:

Short answer: ubuntu-latest pointed to Ubuntu 22.04 for most of 2024. Ubuntu 24.04 was published as an image in May 2024 and GitHub began rolling the ubuntu-latest label to 24.04 on Dec 5, 2024 (rollout completed Jan 17, 2025). [1][2][3]

Sources:

  • GitHub-hosted runners reference (labels include ubuntu-latest, ubuntu-24.04, ubuntu-22.04). [1]
  • "Ubuntu 24.04 is now available" announcement (May 14, 2024). [2]
  • Issue announcing rollout of ubuntu-latest → Ubuntu‑24.04 (rollout Dec 5, 2024 → Jan 17, 2025). [3]

Fix hardcoded Microsoft SQL Server apt repo (ubuntu/20.04) — ensure runner OS and repo match

The workflow registers packages.microsoft.com/config/ubuntu/20.04/... but GitHub's ubuntu-latest was 22.04 for most of 2024 and rolled to 24.04 (rollout started Dec 5, 2024; completed Jan 17, 2025). Using a 20.04 repo on 22.04/24.04 runners can break apt and mssql-server installation.

  • Action: either pin the job to runs-on: ubuntu-20.04, or make the repo URL match the runner OS (e.g., use $(lsb_release -rs) or a small mapping to select the correct packages.microsoft.com/config/ubuntu//mssql-server-2022.list).

Location: .github/workflows/copilot-setup-steps.yml lines 192-227 (add-apt-repository wget for packages.microsoft.com/config/ubuntu/20.04/...).


- name: Install SQL Server Command Line Tools
shell: bash
run: |
echo "Installing SQL Server command line tools..."

# Import Microsoft GPG keys (if not already done)
echo "::group::Import Microsoft GPG keys for tools"
curl -fsSL https://packages.microsoft.com/keys/microsoft.asc | sudo tee /etc/apt/trusted.gpg.d/microsoft.asc > /dev/null
echo "::endgroup::"

# Register Microsoft Ubuntu repository for tools
echo "::group::Register Microsoft tools repository"
curl -fsSL https://packages.microsoft.com/config/ubuntu/20.04/prod.list | sudo tee /etc/apt/sources.list.d/mssql-release.list
echo "::endgroup::"

# Install mssql-tools18 and unixODBC
echo "::group::Install mssql-tools18"
sudo apt-get update
sudo ACCEPT_EULA=Y apt-get install -y mssql-tools18 unixodbc-dev
echo "::endgroup::"

# Add tools to PATH
echo "::group::Configure PATH for SQL tools"
echo 'export PATH="$PATH:/opt/mssql-tools18/bin"' >> ~/.bashrc
echo 'export PATH="$PATH:/opt/mssql-tools18/bin"' >> ~/.bash_profile
echo "/opt/mssql-tools18/bin" >> $GITHUB_PATH
echo "::endgroup::"

# Test sqlcmd connectivity
echo "::group::Test SQL Server connectivity"
/opt/mssql-tools18/bin/sqlcmd -S localhost -U sa -P 'P@ssw0rd1' -Q "SELECT @@VERSION" -b
echo "::endgroup::"
Comment on lines +259 to +260

⚠️ Potential issue

Security concern: Password exposed in command line and logs.

The SA password is passed directly to sqlcmd in the command line, which will be visible in workflow logs and potentially in process lists.

Use environment variables or input redirection to avoid password exposure:

- /opt/mssql-tools18/bin/sqlcmd -S localhost -U sa -P 'P@ssw0rd1' -Q "SELECT @@VERSION" -b
+ # Set password as environment variable to avoid command line exposure
+ export SQLCMDPASSWORD='$SA_PASSWORD'
+ /opt/mssql-tools18/bin/sqlcmd -S localhost -U sa -Q "SELECT @@VERSION" -b

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents
.github/workflows/copilot-setup-steps.yml lines 259-260: the SA password is
hardcoded in the sqlcmd command and will be exposed in logs/process lists;
replace the literal password with a secret-based environment variable (e.g., set
SQLCMDPASSWORD or SA_PASSWORD from secrets in the job/env block using ${{
secrets.SA_PASSWORD }}), invoke sqlcmd without exposing the password on the
command line (omit -P and rely on the environment variable or feed the password
via stdin/here-doc), and ensure you do not echo the password or print the
command so it isn’t leaked in workflow logs.


echo "SQL Server command line tools installed successfully"

- name: Configure SQL Server Environment for Integration Tests
shell: pwsh
run: |
Write-Host "Configuring SQL Server environment for SqlServerDsc integration tests..."

# Set SqlServerDsc CI environment variable
Write-Host "Setting SqlServerDsc CI environment variable..."
$env:SqlServerDscCI = $true
echo "SqlServerDscCI=true" >> $env:GITHUB_ENV

# Configure SQL Server connection parameters for Linux
Write-Host "Setting SQL Server connection parameters for integration tests..."

# Set SA password for integration tests
$env:SQL_SA_PASSWORD = 'P@ssw0rd1'
echo "SQL_SA_PASSWORD=P@ssw0rd1" >> $env:GITHUB_ENV
Comment on lines +278 to +279

⚠️ Potential issue

Security concern: SA password exposed in environment variables.

Setting the SA password as an environment variable (line 279) makes it accessible to all subsequent steps and visible in the GitHub Actions environment, which poses a security risk.

Consider using GitHub secrets or a more secure approach:

- # Set SA password for integration tests
- $env:SQL_SA_PASSWORD = 'P@ssw0rd1'
- echo "SQL_SA_PASSWORD=P@ssw0rd1" >> $env:GITHUB_ENV
+ # Use the same password generated during installation
+ $env:SQL_SA_PASSWORD = $env:SA_PASSWORD
+ echo "::add-mask::$($env:SQL_SA_PASSWORD)"
+ echo "SQL_SA_PASSWORD=$($env:SQL_SA_PASSWORD)" >> $env:GITHUB_ENV
📝 Committable suggestion

Suggested change
$env:SQL_SA_PASSWORD = 'P@ssw0rd1'
echo "SQL_SA_PASSWORD=P@ssw0rd1" >> $env:GITHUB_ENV
# Use the same password generated during installation
$env:SQL_SA_PASSWORD = $env:SA_PASSWORD
echo "::add-mask::$($env:SQL_SA_PASSWORD)"
echo "SQL_SA_PASSWORD=$($env:SQL_SA_PASSWORD)" >> $env:GITHUB_ENV


Write-Host "SQL Server will use the default instance (MSSQLSERVER)"
Write-Host "This is because SQL Server on Linux does not support named instances"

# Test SQL Server connectivity using SqlServer module
Write-Host "Testing SQL Server connectivity using PowerShell SqlServer module..."
try {
# Connect to default instance on localhost
$connectionString = "Server=localhost;Database=master;User Id=sa;Password=P@ssw0rd1;TrustServerCertificate=true;Encrypt=false;"
$connection = New-Object System.Data.SqlClient.SqlConnection($connectionString)
Comment on lines +288 to +289

⚠️ Potential issue

Security concern: Password in connection string.

The connection string contains a hardcoded password that will be visible in logs and potentially stored in memory.

Use integrated authentication or a more secure connection approach:

- $connectionString = "Server=localhost;Database=master;User Id=sa;Password=P@ssw0rd1;TrustServerCertificate=true;Encrypt=false;"
+ $connectionString = "Server=localhost;Database=master;User Id=sa;Password=$($env:SQL_SA_PASSWORD);TrustServerCertificate=true;Encrypt=false;"
📝 Committable suggestion

Suggested change
$connectionString = "Server=localhost;Database=master;User Id=sa;Password=P@ssw0rd1;TrustServerCertificate=true;Encrypt=false;"
$connection = New-Object System.Data.SqlClient.SqlConnection($connectionString)
$connectionString = "Server=localhost;Database=master;User Id=sa;Password=$($env:SQL_SA_PASSWORD);TrustServerCertificate=true;Encrypt=false;"
$connection = New-Object System.Data.SqlClient.SqlConnection($connectionString)
🤖 Prompt for AI Agents
.github/workflows/copilot-setup-steps.yml around lines 288-289: the connection
string currently contains a hardcoded plaintext password; replace this with a
secure approach by reading the password (and other sensitive parts) from a CI
secret (GitHub Actions secret injected as an env var) or using
integrated/managed authentication, build the connection string at runtime using
the secret (or an authentication token) without echoing it to logs, and if using
PowerShell wrap the password as a SecureString/PSCredential so it is not stored
or printed.

$connection.Open()

$command = $connection.CreateCommand()
$command.CommandText = "SELECT @@VERSION, @@SERVERNAME, SERVERPROPERTY('Edition')"
$reader = $command.ExecuteReader()

if ($reader.Read()) {
Write-Host "SQL Server Version: $($reader[0])"
Write-Host "Server Name: $($reader[1])"
Write-Host "Edition: $($reader[2])"
}

$reader.Close()
$connection.Close()

Write-Host "SQL Server connectivity test successful!"
Write-Host "Integration tests will use the default instance (MSSQLSERVER)"
}
catch {
Write-Error "Failed to connect to SQL Server: $($_.Exception.Message)"
exit 1
}

Write-Host "SQL Server environment configuration complete"

- name: Install .NET Tools
shell: pwsh
run: |
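Review bot: Both install steps write the Microsoft signing key to /etc/apt/trusted.gpg.d/microsoft.asc, which makes apt trust that key for every configured source rather than only packages.microsoft.com. Store it in a dedicated keyring file (for example under /usr/share/keyrings) and bind it to the Microsoft entries with signed-by=; the second import in "Install SQL Server Command Line Tools" can then be dropped, since the previous step already placed the key. Separately, the sqlcmd connectivity test passes no certificate option while the PowerShell connection string in the next step sets TrustServerCertificate=true;Encrypt=false; if the mssql-tools18 client enforces encryption against the server's default self-signed certificate, that call needs -C to succeed.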
2 changes: 2 additions & 0 deletions CHANGELOG.md
Expand Up @@ -7,6 +7,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

### Added

- Added GitHub Actions workflow for Copilot development environment setup
including SQL Server 2022 on Ubuntu for integration testing support.
- Added integration tests for `Get-SqlDscManagedComputer` command to ensure it
functions correctly in real environments
[issue #2220](https://github.com/dsccommunity/SqlServerDsc/issues/2220).
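Review bot: The new changelog entry carries no issue or pull request link, while the entry directly below it references issue #2220; add the corresponding link so the change can be traced. Naming the workflow file (copilot-setup-steps.yml) in the entry would also make it easier to find what was added.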