debug output #7
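name: "CI-Deploy"

# Triggers: a manual run (with parameters) or a push to the mainline branch.
on:
  workflow_dispatch:
    inputs:
      azd_environment_name:
        description: "Name of the AZD Environment"
        required: true
        default: "CICD"
      azure_location:
        description: "Azure location for the environment"
        required: true
        default: "eastus"
      run_azd_down:
        description: "Run AZD Down to destroy the deployed resources."
        type: boolean
        required: true
        default: false
  push:
    # Run when commits are pushed to mainline branch
    # Set this to the mainline branch you are using
    branches:
      - main
      # NOTE(review): a personal feature branch as a deploy trigger looks like a
      # leftover from testing. Every push to it provisions with the same
      # federated identity and, by default, the same "CICD" environment as main.
      # Confirm it is still needed and remove it when the test is done.
      - mcs/ianjensenisme/test-azd-pipeline-update

# Two runs deploying the same azd environment at once would race on the shared
# Terraform remote state (the RS_* variables) and on the environment itself, so
# runs are serialized per environment name. They are queued rather than
# cancelled: cancelling mid-provision can leave state half-applied.
concurrency:
  group: azd-${{ github.workflow }}-${{ github.event.inputs.azd_environment_name || 'CICD' }}
  cancel-in-progress: false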
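# GitHub Actions workflow to deploy to Azure using azd
#
# Least-privilege token for the job: the OIDC token is exchanged for Azure
# credentials (azure/login, azd auth login), the repository is only read, and
# the SARIF uploads need write access to code scanning. Without
# security-events: write the github/codeql-action/upload-sarif steps fail.
permissions:
  id-token: write        # OIDC federated login to Azure
  contents: read         # checkout only; nothing in the job pushes back
  security-events: write # github/codeql-action/upload-sarif
  # actions: read        # additionally required by upload-sarif on private repositories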
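jobs:
  build:
    runs-on: ubuntu-latest
    # Environment name and location come from the manual run's inputs; on a
    # push event github.event.inputs is empty and the defaults apply.
    env:
      AZURE_ENV_NAME: ${{ github.event.inputs.azd_environment_name || 'CICD' }}
      AZURE_LOCATION: ${{ github.event.inputs.azure_location || 'eastus' }}
    steps:
      # NOTE(review): the third-party actions below are pinned to moving
      # major-version tags. This job holds cloud credentials for the whole run,
      # so pin them to full commit SHAs instead.
      - name: Checkout the branch ${{ github.ref_name }}
        uses: actions/checkout@v4
        with:
          ref: ${{ github.ref_name }}
          # Nothing in this job pushes back to the repository, so do not leave
          # the GITHUB_TOKEN in .git/config where later steps and tools can read it.
          persist-credentials: false
      - name: Install azd
        uses: Azure/setup-azd@v2
      - name: Install Terraform
        uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: "1.9.0"
      - name: Install TFLint
        uses: terraform-linters/setup-tflint@v3
        with:
          tflint_version: v0.49.0
          github_token: ${{ secrets.GITHUB_TOKEN }} # Used to avoid GitHub API rate limits on the release download
      - name: Install GitLeaks
        # The release is pinned, but the tarball is not integrity-checked:
        # anything able to serve a different archive at this URL gets code
        # execution on a runner that later holds Azure credentials.
        # TODO(review): record the release's sha256 and verify it before
        # extracting (sha256sum -c).
        run: |
          set -euo pipefail
          # -f: fail on an HTTP error instead of saving the error page as the tarball
          curl -fsSL https://github.com/gitleaks/gitleaks/releases/download/v8.17.0/gitleaks_8.17.0_linux_x64.tar.gz -o gitleaks.tar.gz
          tar -xzf gitleaks.tar.gz gitleaks
          chmod +x gitleaks
          sudo mv gitleaks /usr/local/bin/
          rm gitleaks.tar.gz
          gitleaks version
      - name: Setup .NET SDK
        uses: actions/setup-dotnet@v3
        with:
          dotnet-version: '8.0.x'
      - name: Install Power Platform CLI
        # NOTE(review): unpinned; each run installs whatever the feed serves as latest.
        run: |
          dotnet tool install --global Microsoft.PowerApps.CLI.Tool
          pac help
      - name: Set Up Python
        uses: actions/setup-python@v4
        with:
          python-version: "3.x"
      - name: Install Checkov
        # NOTE(review): unpinned; pin to a version (pip install checkov==X.Y.Z)
        # so scan results and the supply chain are reproducible.
        run: pip install checkov
      - name: Login to Azure with Federated Identity
        # OIDC exchange; the client/tenant/subscription IDs are identifiers,
        # not secrets, so repository variables are appropriate here.
        uses: azure/login@v2
        with:
          client-id: ${{ vars.AZURE_CLIENT_ID }}
          tenant-id: ${{ vars.AZURE_TENANT_ID }}
          subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
      - name: Authenticate with Azure Developer CLI
        # Values are passed through env rather than interpolated into the
        # script so the shell never parses repository-variable contents.
        env:
          AZURE_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
          AZURE_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
        run: |
          azd auth login --client-id "$AZURE_CLIENT_ID" --tenant-id "$AZURE_TENANT_ID" --federated-credential-provider "github"
      - name: Provision Infrastructure
        # Terraform and the Power Platform provider authenticate with the same
        # federated identity (ARM_USE_OIDC / POWER_PLATFORM_USE_OIDC); the RS_*
        # variables locate the shared Terraform remote state.
        env:
          POWER_PLATFORM_USE_CLI: "false"
          AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
          RS_STORAGE_ACCOUNT: ${{ vars.RS_STORAGE_ACCOUNT }}
          RS_CONTAINER_NAME: ${{ vars.RS_CONTAINER_NAME }}
          RS_RESOURCE_GROUP: ${{ vars.RS_RESOURCE_GROUP }}
          RESOURCE_SHARE_USER: ${{ vars.RESOURCE_SHARE_USER }}
          ARM_USE_AZUREAD: "true"
          ARM_STORAGE_USE_AZUREAD: "true"
          ARM_USE_OIDC: "true"
          ARM_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
          ARM_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
          ARM_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
          POWER_PLATFORM_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
          POWER_PLATFORM_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
          POWER_PLATFORM_USE_OIDC: "true"
        shell: pwsh
        run: |
          azd config set auth.useAzCliAuth "true"
          azd env new $env:AZURE_ENV_NAME --location $env:AZURE_LOCATION --no-prompt
          azd env set RESOURCE_SHARE_USER "$env:RESOURCE_SHARE_USER"
          azd env set POWER_PLATFORM_USE_CLI "false"
          azd env set RS_STORAGE_ACCOUNT $env:RS_STORAGE_ACCOUNT
          azd env set RS_CONTAINER_NAME $env:RS_CONTAINER_NAME
          azd env set RS_RESOURCE_GROUP $env:RS_RESOURCE_GROUP
          azd provision --no-prompt
      # NOTE(review): no step in this workflow runs gitleaks or checkov; the
      # SARIF files below are presumably written by azd hooks during
      # `azd provision` — confirm against azure.yaml.
      - uses: actions/upload-artifact@v4
        if: success() || failure()
        with:
          name: sarif-reports
          path: |
            ./gitleaks-report.sarif
            ./checkov-results.sarif/results_sarif.sarif
      - name: Upload Gitleaks SARIF report to Github
        # Runs on failure too, like the artifact upload: a finding that fails
        # provisioning is exactly the report that must reach code scanning.
        if: success() || failure()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ./gitleaks-report.sarif
          category: gitleaks # keeps the two uploads distinct in code scanning
      - name: Upload Checkov SARIF Report to GitHub
        if: success() || failure()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ./checkov-results.sarif/results_sarif.sarif
          category: checkov
      - name: Azd down
        # github.event.inputs.* are always strings, so the previous
        # `github.event.inputs.run_azd_down == true` compared 'true' with a
        # boolean and never matched: this step was unreachable. The typed
        # `inputs` context keeps the boolean declared on run_azd_down. On push
        # events `inputs` is empty, so the step is skipped there as before.
        # NOTE(review): it still only runs after a successful job; a failed
        # provision with run_azd_down set leaves resources behind.
        if: ${{ inputs.run_azd_down == true }}
        env:
          POWER_PLATFORM_USE_CLI: "false"
          AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
          RS_STORAGE_ACCOUNT: ${{ vars.RS_STORAGE_ACCOUNT }}
          RS_CONTAINER_NAME: ${{ vars.RS_CONTAINER_NAME }}
          RS_RESOURCE_GROUP: ${{ vars.RS_RESOURCE_GROUP }}
          RESOURCE_SHARE_USER: ${{ vars.RESOURCE_SHARE_USER }}
          ARM_USE_AZUREAD: "true"
          ARM_STORAGE_USE_AZUREAD: "true"
          ARM_USE_OIDC: "true"
          ARM_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
          ARM_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
          ARM_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
          POWER_PLATFORM_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
          POWER_PLATFORM_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
          POWER_PLATFORM_USE_OIDC: "true"
        shell: pwsh
        run: |
          azd env set RS_STORAGE_ACCOUNT $env:RS_STORAGE_ACCOUNT
          azd env set RS_CONTAINER_NAME $env:RS_CONTAINER_NAME
          azd env set RS_RESOURCE_GROUP $env:RS_RESOURCE_GROUP
          azd env set RESOURCE_SHARE_USER "$env:RESOURCE_SHARE_USER"
          azd env select $env:AZURE_ENV_NAME
          # Destructive: --force skips confirmation, --purge permanently deletes soft-deleted resources.
          azd down --no-prompt --force --purge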