Merge pull request #576 from microsoft/main

feat: Use agents for kernel function & Enhance devcontainer, CI/CD workflows, and Dependabot automation

Author: Avijit-Microsoft

.devcontainer/devcontainer.json

@@ -3,7 +3,9 @@
     "image": "mcr.microsoft.com/devcontainers/python:3.11-bullseye",
     "forwardPorts": [50505],
     "features": {
-        "ghcr.io/azure/azure-dev/azd:latest": {}
+        "ghcr.io/azure/azure-dev/azd:latest": {},
+        "ghcr.io/devcontainers/features/azure-cli:1": {},
+        "ghcr.io/devcontainers/features/docker-in-docker:2": {}
     },
     "customizations": {
         "vscode": {
@@ -16,7 +18,7 @@
             ]
         }
     },
-    "postStartCommand": "git pull origin main && python3 -m pip install -r infra/scripts/index_scripts/requirements.txt && curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash && chmod +x ./infra/scripts/quota_check_params.sh",
+    "postStartCommand": "bash ./.devcontainer/setup_env.sh",
     "remoteUser": "vscode",
     "hostRequirements": {
         "memory": "4gb"

.devcontainer/setup_env.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+git fetch
+git pull
+
+# provide execute permission to quotacheck script
+sudo chmod +x ./infra/scripts/checkquota_km.sh
+sudo chmod +x ./infra/scripts/quota_check_params.sh
+sudo chmod +x ./infra/scripts/run_process_data_scripts.sh

.github/dependabot.yml

@@ -1,37 +1,52 @@
 version: 2
+
 updates:
- # GitHub Actions dependencies
- - package-ecosystem: "github-actions"
-   directory: "/"
-   schedule:
-     interval: "monthly"
-   commit-message:
-     prefix: "build"
-   target-branch: "dependabotchanges"
-   open-pull-requests-limit: 100
+  # GitHub Actions - grouped
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+    target-branch: "dependabotchanges"
+    commit-message:
+      prefix: "build"
+    open-pull-requests-limit: 10
+    groups:
+      github-actions:
+        patterns:
+          - "*"
 
- - package-ecosystem: "pip"
-   directory: "/src/api"
-   schedule:
-     interval: "monthly"
-   commit-message:
-     prefix: "build"
-   target-branch: "dependabotchanges"
-   open-pull-requests-limit: 100
+  # Python backend dependencies - grouped
+  - package-ecosystem: "pip"
+    directory: "/src/api"
+    schedule:
+      interval: "monthly"
+    target-branch: "dependabotchanges"
+    commit-message:
+      prefix: "build"
+    open-pull-requests-limit: 10
+    groups:
+      backend-deps:
+        patterns:
+          - "*"
 
- - package-ecosystem: "npm"
-   directory: "/src/App"
-   schedule:
-     interval: "monthly"
-   commit-message:
-     prefix: "build"
-   target-branch: "dependabotchanges"
-   open-pull-requests-limit: 100
-   registries:
-     - npm_public_registry  # Only use public npm registry
+  # Frontend npm dependencies - grouped
+  - package-ecosystem: "npm"
+    directory: "/src/App"
+    schedule:
+      interval: "monthly"
+    target-branch: "dependabotchanges"
+    commit-message:
+      prefix: "build"
+    open-pull-requests-limit: 10
+    registries:
+      - npm_public_registry
+    groups:
+      frontend-deps:
+        patterns:
+          - "*"
 
 registries:
- npm_public_registry:
-   type: "npm-registry"
-   url: "https://registry.npmjs.org/"
-   token: ${{ secrets.TOKEN }}
+  npm_public_registry:
+    type: "npm-registry"
+    url: "https://registry.npmjs.org/"
+    token: ${{ secrets.TOKEN }}

.github/workflows/Scheduled-Dependabot-PRs-Auto-Merge.yml

@@ -0,0 +1,152 @@
+# ------------------------------------------------------------------------------
+# Scheduled Dependabot PRs Auto-Merge Workflow
+#
+# Purpose:
+#   - Automatically detect, rebase (if needed), and merge Dependabot PRs targeting
+#     the `dependabotchanges` branch, supporting different merge strategies.
+#
+# Features:
+#   ✅ Filters PRs authored by Dependabot and targets the specific base branch
+#   ✅ Rebases PRs with conflicts and auto-resolves using "prefer-theirs" strategy
+#   ✅ Attempts all three merge strategies: merge, squash, rebase (first success wins)
+#   ✅ Handles errors gracefully, logs clearly
+#
+# Triggers:
+#   - Scheduled daily run (midnight UTC)
+#   - Manual trigger (via GitHub UI)
+#
+# Required Permissions:
+#   - contents: write
+#   - pull-requests: write
+# ------------------------------------------------------------------------------
+
+name: Scheduled Dependabot PRs Auto-Merge
+
+on:
+  schedule:
+    - cron: '0 0 * * *'  # Runs once a day at midnight UTC
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  merge-dependabot:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install GitHub CLI
+        run: |
+          sudo apt update
+          sudo apt install -y gh
+      - name: Fetch & Filter Dependabot PRs
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          echo "🔍 Fetching all Dependabot PRs targeting 'dependabotchanges'..."
+          > matched_prs.txt
+          pr_batch=$(gh pr list --state open --json number,title,author,baseRefName,url \
+            --jq '.[] | "\(.number)|\(.title)|\(.author.login)|\(.baseRefName)|\(.url)"')
+          while IFS='|' read -r number title author base url; do
+            author=$(echo "$author" | xargs)
+            base=$(echo "$base" | xargs)
+            if [[ "$author" == "app/dependabot" && "$base" == "dependabotchanges" ]]; then
+              echo "$url" >> matched_prs.txt
+              echo "✅ Matched PR #$number - $title"
+            else
+              echo "❌ Skipped PR #$number - $title (Author: $author, Base: $base)"
+            fi
+          done <<< "$pr_batch"
+          echo "👉 Matched PRs:"
+          cat matched_prs.txt || echo "None"
+      - name: Rebase PR if Conflicts Exist
+        if: success()
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          if [[ ! -s matched_prs.txt ]]; then
+            echo "⚠️ No matching PRs to process."
+            exit 0
+          fi
+          while IFS= read -r pr_url; do
+            pr_number=$(basename "$pr_url")
+            echo "🔁 Checking PR #$pr_number for conflicts..."
+            mergeable=$(gh pr view "$pr_number" --json mergeable --jq '.mergeable')
+            if [[ "$mergeable" == "CONFLICTING" ]]; then
+              echo "⚠️ Merge conflicts detected. Performing manual rebase for PR #$pr_number..."
+              head_branch=$(gh pr view "$pr_number" --json headRefName --jq '.headRefName')
+              base_branch=$(gh pr view "$pr_number" --json baseRefName --jq '.baseRefName')
+              git fetch origin "$base_branch":"$base_branch"
+              git fetch origin "$head_branch":"$head_branch"
+              git checkout "$head_branch"
+              git config user.name "github-actions"
+              git config user.email "[email protected]"
+              # Attempt rebase with 'theirs' strategy
+              if git rebase --strategy=recursive -X theirs "$base_branch"; then
+                echo "✅ Rebase successful. Pushing..."
+                git push origin "$head_branch" --force
+              else
+                echo "❌ Rebase failed. Aborting..."
+                git rebase --abort || true
+              fi
+            else
+              echo "✅ PR #$pr_number is mergeable. Skipping rebase."
+            fi
+          done < matched_prs.txt
+          
+      - name: Auto-Merge PRs using available strategy
+        if: success()
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          if [[ ! -s matched_prs.txt ]]; then
+            echo "⚠️ No matching PRs to process."
+            exit 0
+          fi
+          while IFS= read -r pr_url; do
+            pr_number=$(basename "$pr_url")
+            echo "🔍 Checking mergeability for PR #$pr_number"
+            attempt=0
+            max_attempts=8
+            mergeable=""
+            sleep 5  # Let GitHub calculate mergeable status
+            while [[ $attempt -lt $max_attempts ]]; do
+              mergeable=$(gh pr view "$pr_number" --json mergeable --jq '.mergeable' 2>/dev/null || echo "UNKNOWN")
+              echo "🔁 Attempt $((attempt+1))/$max_attempts: mergeable=$mergeable"
+              if [[ "$mergeable" == "MERGEABLE" ]]; then
+                success=0
+                for strategy in rebase squash merge; do
+                  echo "🚀 Trying to auto-merge PR #$pr_number using '$strategy' strategy..."
+                  set -x
+                  merge_output=$(gh pr merge --auto --"$strategy" "$pr_url" 2>&1)
+                  merge_status=$?
+                  set +x
+                  echo "$merge_output"
+                  if [[ $merge_status -eq 0 ]]; then
+                    echo "✅ Auto-merge succeeded using '$strategy'."
+                    success=1
+                    break
+                  else
+                    echo "❌ Auto-merge failed using '$strategy'. Trying next strategy..."
+                  fi
+                done
+                if [[ $success -eq 0 ]]; then
+                  echo "❌ All merge strategies failed for PR #$pr_number"
+                fi
+                break
+              elif [[ "$mergeable" == "CONFLICTING" ]]; then
+                echo "❌ Cannot merge due to conflicts. Skipping PR #$pr_number"
+                break
+              else
+                echo "🕒 Waiting for GitHub to determine mergeable status..."
+                sleep 15
+              fi
+              ((attempt++))
+            done
+            if [[ "$mergeable" != "MERGEABLE" && "$mergeable" != "CONFLICTING" ]]; then
+              echo "❌ Mergeability undetermined after $max_attempts attempts. Skipping PR #$pr_number"
+            fi
+          done < matched_prs.txt || echo "⚠️ Completed loop with some errors, but continuing gracefully."

.github/workflows/azure-dev-validation.yml

@@ -19,7 +19,7 @@ jobs:
 
       # Step 2: Validate the Azure template using microsoft/template-validation-action
       - name: Validate Azure Template
-        uses: microsoft/template-validation-action@v0.3.5
+        uses: microsoft/template-validation-action@v0.4.3
         id: validation
         env:
           AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}

.github/workflows/bicep_deploy.yml

@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Run Quota Check
         id: quota-check

.github/workflows/broken-links-checker.yml

@@ -0,0 +1,57 @@
+name: Broken Link Checker
+
+on:
+  pull_request:
+    paths:
+      - '**/*.md'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  markdown-link-check:
+    name: Check Markdown Broken Links
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      # For PR : Get only changed markdown files
+      - name: Get changed markdown files (PR only)
+        id: changed-markdown-files
+        if: github.event_name == 'pull_request'
+        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v46
+        with:
+          files: |
+            **/*.md
+
+
+      # For PR: Check broken links only in changed files
+      - name: Check Broken Links in Changed Markdown Files
+        id: lychee-check-pr
+        if: github.event_name == 'pull_request' && steps.changed-markdown-files.outputs.any_changed == 'true'
+        uses: lycheeverse/[email protected]
+        with:
+          args: >
+            --verbose --exclude-mail --no-progress --exclude ^https?://
+            ${{ steps.changed-markdown-files.outputs.all_changed_files }}
+          failIfEmpty: false
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      # For manual trigger: Check all markdown files in repo
+      - name: Check Broken Links in All Markdown Files in Entire Repo (Manual Trigger)
+        id: lychee-check-manual
+        if: github.event_name == 'workflow_dispatch'
+        uses: lycheeverse/[email protected]
+        with:
+          args: >
+            --verbose --exclude-mail --no-progress --exclude ^https?://
+            '**/*.md'
+          failIfEmpty: false
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/codeql.yml

@@ -47,12 +47,12 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
 
     # Installing DotNet version
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - name: Setup dotnet ${{ matrix.dotnet-version }}
-      uses: actions/setup-dotnet@v3
+      uses: actions/setup-dotnet@v4
       with:
         dotnet-version: ${{ matrix.dotnet-version }}
     # You can test your matrix by printing the current dotnet version
@@ -61,7 +61,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v3
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -88,6 +88,6 @@ jobs:
     #     ./location_of_script_within_repo/buildscript.sh
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v3
       with:
         category: "/language:${{matrix.language}}"