diff --git a/.github/workflows/azure-dev-down.yml b/.github/workflows/azure-dev-down.yml index f65059e0..f8e0338d 100644 --- a/.github/workflows/azure-dev-down.yml +++ b/.github/workflows/azure-dev-down.yml @@ -34,7 +34,7 @@ jobs: uses: Azure/setup-azd@c495e71ba59e44bfaaac10a32c8ee90d191ca4a3 # v2.2.1 with: version: '1.20.0' # Specify your desired azd version here - + - name: Setup Node.js uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 with: @@ -71,7 +71,7 @@ jobs: RS_RESOURCE_GROUP: ${{ vars.RS_RESOURCE_GROUP }} RESOURCE_SHARE_USER: ${{ vars.RESOURCE_SHARE_USER }} RESOURCE_TAGS: ${{ vars.RESOURCE_TAGS }} - + shell: bash run: | azd config set auth.useAzCliAuth "true" @@ -83,8 +83,14 @@ jobs: azd env set RESOURCE_TAGS "$RESOURCE_TAGS" azd package # trigger prepackage hook to setup terraform provider - azd provision --preview # https://github.com/Azure/azure-dev/issues/4317 - azd down --no-prompt --force --purge + + # Detect if debug logging is enabled and set DEBUG_FLAG accordingly + DEBUG_FLAG="" + if [ "$ACTIONS_STEP_DEBUG" = "true" ] || [ "$ACTIONS_RUNNER_DEBUG" = "true" ] || [ "$RUNNER_DEBUG" = "1" ]; then + DEBUG_FLAG="--debug" + fi + azd provision --preview $DEBUG_FLAG # https://github.com/Azure/azure-dev/issues/4317 + azd down --no-prompt --force --purge $DEBUG_FLAG - name: Purge Soft-Deleted Azure OpenAI Resources shell: bash @@ -97,7 +103,7 @@ jobs: # Only attempt to purge if we have the required information if [[ -n "$OPENAI_RESOURCE_NAME" && -n "$AZURE_REGION" ]]; then echo "Attempting to purge soft-deleted Azure OpenAI resource: $OPENAI_RESOURCE_NAME in $AZURE_REGION" - + # Purge the soft-deleted Cognitive Services account (continue on error if resource not found) az cognitiveservices account purge \ --location "$AZURE_REGION" \ diff --git a/.github/workflows/azure-dev.yml b/.github/workflows/azure-dev.yml index ec71a5d1..a438baf1 100644 --- a/.github/workflows/azure-dev.yml +++ b/.github/workflows/azure-dev.yml 
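Review bot: The `ACTIONS_STEP_DEBUG` and `ACTIONS_RUNNER_DEBUG` tests in the new detection block look dead: as far as this hunk shows, those names are the repository secrets/variables that switch debug logging on, not environment variables the runner exports to a step, and nothing here maps them into `env:`; `RUNNER_DEBUG=1` is the signal the runner actually sets. The condition can shrink to `if [ "${RUNNER_DEBUG:-0}" = "1" ]; then`, and because the identical block is repeated in the Provision and Destroy steps of azure-dev.yml, computing the flag once as a step-level `env:` value would avoid carrying three copies. Separately, `azd --debug` trace output is far more verbose than the default and the runner's secret masking only redacts exact secret strings, so a comment such as `# --debug is verbose; it may echo resolved azd env values that secret masking does not cover` would make the trade-off explicit to whoever re-runs with debug logging enabled.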
@@ -1,266 +1,277 @@ -name: "CI-Deploy" -on: - workflow_dispatch: - inputs: - azd_environment_name: - description: "Name of the AZD Environment" - required: true - default: "CICD" - azure_location: - description: "Azure location for the environment" - required: true - default: "eastus" - run_azd_down: - description: "Run AZD Down to destroy the deployed resources." - type: boolean - required: true - default: false - push: - # Run when commits are pushed to mainline branch - # Set this to the mainline branch you are using - branches: - - main - paths-ignore: - - 'docs/**' - - 'decision-log/**' - - 'cicd/**' - - '*.md' - pull_request: - # Run when pull requests are opened or updated - branches: - - main - paths-ignore: - - 'docs/**' - - 'decision-log/**' - - 'cicd/**' - - '*.md' - -# GitHub Actions workflow to deploy to Azure using azd -# Ensure only one deployment runs at a time to prevent conflicts -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} - cancel-in-progress: false - -permissions: - actions: read # Needed for uploading SARIF reports - security-events: write # Needed for uploading SARIF reports - id-token: write # Needed for OIDC Authentication - contents: read - - -jobs: - build: - runs-on: ${{ fromJson(vars.ACTIONS_RUNNER_NAME || '["ubuntu-latest"]') }} - env: - AZURE_ENV_NAME: ${{ github.event.inputs.azd_environment_name || (github.event_name == 'pull_request' && format('pr-{0}', github.event.pull_request.number)) || 'CICD' }} - AZURE_LOCATION: ${{ github.event.inputs.azure_location || 'eastus' }} - - steps: - - name: Checkout code - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - with: - persist-credentials: false - - - name: Install azd - uses: Azure/setup-azd@c495e71ba59e44bfaaac10a32c8ee90d191ca4a3 # v2.2.1 - with: - version: '1.20.0' # Specify your desired azd version here - - - name: Setup Node.js - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 
- with: - node-version: '18.x' - - - name: Install Terraform - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2 - with: - terraform_version: 1.13.3 - - - name: Install TFLint - uses: terraform-linters/setup-tflint@4cb9feea73331a35b422df102992a03a44a3bb33 # v6.2.1 - with: - tflint_version: v0.58.1 - github_token: ${{ secrets.GITHUB_TOKEN }} # Used to avoid rate - - - name: Install GitLeaks - run: | - curl -sSL https://github.com/gitleaks/gitleaks/releases/download/v8.28.0/gitleaks_8.28.0_linux_x64.tar.gz -o gitleaks.tar.gz - tar -xzf gitleaks.tar.gz - chmod +x gitleaks - sudo mv gitleaks /usr/local/bin/ - rm gitleaks.tar.gz - gitleaks version - - - name: Run GitLeaks Scan - env: - GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }} - run: | - gitleaks detect \ - --verbose \ - --max-archive-depth 50 \ - --report-format sarif \ - --report-path ./gitleaks-report.sarif \ - --source . \ - --exit-code 0 || true - echo "GitLeaks scan completed" - - - name: Setup .NET SDK - shell: bash - run: | - # Install .NET SDK to temp directory for self-hosted runners to avoid permission issues - DOTNET_INSTALL_DIR="${{ runner.temp }}/dotnet" - mkdir -p "$DOTNET_INSTALL_DIR" - - # Download and run the dotnet-install script - curl -sSL https://dot.net/v1/dotnet-install.sh -o dotnet-install.sh - chmod +x dotnet-install.sh - ./dotnet-install.sh --channel 9.0 --install-dir "$DOTNET_INSTALL_DIR" - rm dotnet-install.sh - - # Add to PATH for subsequent steps - echo "$DOTNET_INSTALL_DIR" >> $GITHUB_PATH - echo "DOTNET_ROOT=$DOTNET_INSTALL_DIR" >> $GITHUB_ENV - - - name: Install Power Platform Tools - uses: microsoft/powerplatform-actions/actions-install@6c7b538671a040d11afd8ab94d77bfe3b3ed87e6 # v1.9.1 - with: - add-tools-to-path: true - - - name: Install Power Platform CLI - run: | - pac help - - - name: Set Up Python - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # 6.1.0 - with: - python-version: "3.x" - - - name: Install Checkov - run: 
pip install checkov - - - name: Login to Azure with Federated Identity - uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 - with: - client-id: ${{ vars.AZURE_CLIENT_ID }} - tenant-id: ${{ vars.AZURE_TENANT_ID }} - subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }} - - - name: Provision Infrastructure - env: - POWER_PLATFORM_USE_OIDC: "true" - POWER_PLATFORM_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }} - POWER_PLATFORM_TENANT_ID: ${{ vars.AZURE_TENANT_ID }} - - ARM_USE_AZUREAD: "true" - ARM_STORAGE_USE_AZUREAD: "true" - ARM_USE_OIDC: "true" - ARM_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }} - ARM_TENANT_ID: ${{ vars.AZURE_TENANT_ID }} - ARM_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }} - AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }} - - RS_STORAGE_ACCOUNT: ${{ vars.RS_STORAGE_ACCOUNT }} - RS_CONTAINER_NAME: ${{ vars.RS_CONTAINER_NAME }} - RS_RESOURCE_GROUP: ${{ vars.RS_RESOURCE_GROUP }} - - RESOURCE_SHARE_USER: ${{ vars.RESOURCE_SHARE_USER }} - RESOURCE_TAGS: ${{ vars.RESOURCE_TAGS }} - - GITHUB_PAT: ${{ secrets.MCS_RUNNER }} - GITHUB_REPO_OWNER: ${{ github.repository_owner }} - GITHUB_REPO_NAME: ${{ github.event.repository.name }} - GITHUB_RUNNER_IMAGE_NAME: "github-runner" - GITHUB_RUNNER_IMAGE_TAG: "latest" - GITHUB_RUNNER_IMAGE_BRANCH: ${{ github.ref_name }} - shell: bash - run: | - azd config set auth.useAzCliAuth "true" - azd env new "$AZURE_ENV_NAME" --location "$AZURE_LOCATION" --no-prompt - azd env set RESOURCE_SHARE_USER "$RESOURCE_SHARE_USER" - azd env set RESOURCE_TAGS "$RESOURCE_TAGS" - - azd env set RS_STORAGE_ACCOUNT "$RS_STORAGE_ACCOUNT" - azd env set RS_CONTAINER_NAME "$RS_CONTAINER_NAME" - azd env set RS_RESOURCE_GROUP "$RS_RESOURCE_GROUP" - - azd env set GITHUB_PAT "$GITHUB_PAT" - azd env set GITHUB_REPO_OWNER "$GITHUB_REPO_OWNER" - azd env set GITHUB_REPO_NAME "$GITHUB_REPO_NAME" - azd env set GITHUB_RUNNER_IMAGE_NAME "$GITHUB_RUNNER_IMAGE_NAME" - azd env set GITHUB_RUNNER_IMAGE_TAG "$GITHUB_RUNNER_IMAGE_TAG" - azd env set 
GITHUB_RUNNER_IMAGE_BRANCH "$GITHUB_RUNNER_IMAGE_BRANCH" - - azd provision --no-prompt - - - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 - if: success() || failure() - with: - name: sarif-reports - path: | - ./gitleaks-report.sarif - ./checkov-results.sarif/results_sarif.sarif - - - name: Upload Gitleaks SARIF report to Github - uses: github/codeql-action/upload-sarif@9b02dc2f60288b463e7a66e39c78829b62780db7 # v2.22.1 - with: - sarif_file: ./gitleaks-report.sarif - - - - name: Upload Checkov SARIF Report to GitHub - uses: github/codeql-action/upload-sarif@9b02dc2f60288b463e7a66e39c78829b62780db7 # v2.22.1 - with: - sarif_file: ./checkov-results.sarif/results_sarif.sarif - - - name: Destroy Infrastructure - if: ${{ github.event.inputs.run_azd_down == 'true' || github.event_name == 'pull_request' }} - env: - POWER_PLATFORM_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }} - POWER_PLATFORM_TENANT_ID: ${{ vars.AZURE_TENANT_ID }} - POWER_PLATFORM_USE_OIDC: "true" - - ARM_USE_AZUREAD: "true" - ARM_STORAGE_USE_AZUREAD: "true" - ARM_USE_OIDC: "true" - ARM_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }} - ARM_TENANT_ID: ${{ vars.AZURE_TENANT_ID }} - ARM_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }} - AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }} - - RS_STORAGE_ACCOUNT: ${{ vars.RS_STORAGE_ACCOUNT }} - RS_CONTAINER_NAME: ${{ vars.RS_CONTAINER_NAME }} - RS_RESOURCE_GROUP: ${{ vars.RS_RESOURCE_GROUP }} - RESOURCE_SHARE_USER: ${{ vars.RESOURCE_SHARE_USER }} - RESOURCE_TAGS: ${{ vars.RESOURCE_TAGS }} - - shell: bash - run: | - azd env set RS_STORAGE_ACCOUNT "$RS_STORAGE_ACCOUNT" - azd env set RS_CONTAINER_NAME "$RS_CONTAINER_NAME" - azd env set RS_RESOURCE_GROUP "$RS_RESOURCE_GROUP" - azd env set RESOURCE_SHARE_USER "$RESOURCE_SHARE_USER" - azd env set RESOURCE_TAGS "$RESOURCE_TAGS" - - azd env select "$AZURE_ENV_NAME" - azd down --no-prompt --force --purge - - - name: Purge Soft-Deleted Azure OpenAI Resources - if: ${{ 
github.event.inputs.run_azd_down == 'true' || github.event_name == 'pull_request' }} - shell: bash - run: | - # Get the OpenAI resource name and location from environment outputs - OPENAI_RESOURCE_NAME=$(azd env get-values --output json | jq -r '.openai_resource_name // empty') - AZURE_REGION=$(azd env get-values --output json | jq -r '.primary_azure_region // empty') - RESOURCE_GROUP=$(azd env get-values --output json | jq -r '.resource_group_name // empty') - - # Only attempt to purge if we have the required information - if [[ -n "$OPENAI_RESOURCE_NAME" && -n "$AZURE_REGION" ]]; then - echo "Attempting to purge soft-deleted Azure OpenAI resource: $OPENAI_RESOURCE_NAME in $AZURE_REGION" - - # Purge the soft-deleted Cognitive Services account (continue on error if resource not found) - az cognitiveservices account purge \ - --location "$AZURE_REGION" \ - --resource-group "$RESOURCE_GROUP" \ - --name "$OPENAI_RESOURCE_NAME" || echo "Resource may not be in soft-delete state or already purged" - else - echo "OpenAI resource information not found in environment outputs. Skipping purge." - fi +name: "CI-Deploy" +on: + workflow_dispatch: + inputs: + azd_environment_name: + description: "Name of the AZD Environment" + required: true + default: "CICD" + azure_location: + description: "Azure location for the environment" + required: true + default: "eastus" + run_azd_down: + description: "Run AZD Down to destroy the deployed resources." 
+ type: boolean + required: true + default: false + push: + # Run when commits are pushed to mainline branch + # Set this to the mainline branch you are using + branches: + - main + paths-ignore: + - 'docs/**' + - 'decision-log/**' + - 'cicd/**' + - '*.md' + pull_request: + # Run when pull requests are opened or updated + branches: + - main + paths-ignore: + - 'docs/**' + - 'decision-log/**' + - 'cicd/**' + - '*.md' + +# GitHub Actions workflow to deploy to Azure using azd +# Ensure only one deployment runs at a time to prevent conflicts +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: false + +permissions: + actions: read # Needed for uploading SARIF reports + security-events: write # Needed for uploading SARIF reports + id-token: write # Needed for OIDC Authentication + contents: read + + +jobs: + build: + runs-on: ${{ fromJson(vars.ACTIONS_RUNNER_NAME || '["ubuntu-latest"]') }} + env: + AZURE_ENV_NAME: ${{ github.event.inputs.azd_environment_name || (github.event_name == 'pull_request' && format('pr-{0}', github.event.pull_request.number)) || 'CICD' }} + AZURE_LOCATION: ${{ github.event.inputs.azure_location || 'eastus' }} + + steps: + - name: Checkout code + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false + + - name: Install azd + uses: Azure/setup-azd@c495e71ba59e44bfaaac10a32c8ee90d191ca4a3 # v2.2.1 + with: + version: '1.20.0' # Specify your desired azd version here + + - name: Setup Node.js + uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 + with: + node-version: '18.x' + + - name: Install Terraform + uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2 + with: + terraform_version: 1.13.3 + + - name: Install TFLint + uses: terraform-linters/setup-tflint@4cb9feea73331a35b422df102992a03a44a3bb33 # v6.2.1 + with: + tflint_version: v0.58.1 + github_token: ${{ 
secrets.GITHUB_TOKEN }} # Used to avoid rate + + - name: Install GitLeaks + run: | + curl -sSL https://github.com/gitleaks/gitleaks/releases/download/v8.28.0/gitleaks_8.28.0_linux_x64.tar.gz -o gitleaks.tar.gz + tar -xzf gitleaks.tar.gz + chmod +x gitleaks + sudo mv gitleaks /usr/local/bin/ + rm gitleaks.tar.gz + gitleaks version + + - name: Run GitLeaks Scan + env: + GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }} + run: | + gitleaks detect \ + --verbose \ + --max-archive-depth 50 \ + --report-format sarif \ + --report-path ./gitleaks-report.sarif \ + --source . \ + --exit-code 0 || true + echo "GitLeaks scan completed" + + - name: Setup .NET SDK + shell: bash + run: | + # Install .NET SDK to temp directory for self-hosted runners to avoid permission issues + DOTNET_INSTALL_DIR="${{ runner.temp }}/dotnet" + mkdir -p "$DOTNET_INSTALL_DIR" + + # Download and run the dotnet-install script + curl -sSL https://dot.net/v1/dotnet-install.sh -o dotnet-install.sh + chmod +x dotnet-install.sh + ./dotnet-install.sh --channel 9.0 --install-dir "$DOTNET_INSTALL_DIR" + rm dotnet-install.sh + + # Add to PATH for subsequent steps + echo "$DOTNET_INSTALL_DIR" >> $GITHUB_PATH + echo "DOTNET_ROOT=$DOTNET_INSTALL_DIR" >> $GITHUB_ENV + + - name: Install Power Platform Tools + uses: microsoft/powerplatform-actions/actions-install@6c7b538671a040d11afd8ab94d77bfe3b3ed87e6 # v1.9.1 + with: + add-tools-to-path: true + + - name: Install Power Platform CLI + run: | + pac help + + - name: Set Up Python + uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # 6.1.0 + with: + python-version: "3.x" + + - name: Install Checkov + run: pip install checkov + + - name: Login to Azure with Federated Identity + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ vars.AZURE_CLIENT_ID }} + tenant-id: ${{ vars.AZURE_TENANT_ID }} + subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }} + + - name: Provision Infrastructure + env: + 
POWER_PLATFORM_USE_OIDC: "true" + POWER_PLATFORM_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }} + POWER_PLATFORM_TENANT_ID: ${{ vars.AZURE_TENANT_ID }} + + ARM_USE_AZUREAD: "true" + ARM_STORAGE_USE_AZUREAD: "true" + ARM_USE_OIDC: "true" + ARM_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }} + ARM_TENANT_ID: ${{ vars.AZURE_TENANT_ID }} + ARM_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }} + AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }} + + RS_STORAGE_ACCOUNT: ${{ vars.RS_STORAGE_ACCOUNT }} + RS_CONTAINER_NAME: ${{ vars.RS_CONTAINER_NAME }} + RS_RESOURCE_GROUP: ${{ vars.RS_RESOURCE_GROUP }} + + RESOURCE_SHARE_USER: ${{ vars.RESOURCE_SHARE_USER }} + RESOURCE_TAGS: ${{ vars.RESOURCE_TAGS }} + + GITHUB_PAT: ${{ secrets.MCS_RUNNER }} + GITHUB_REPO_OWNER: ${{ github.repository_owner }} + GITHUB_REPO_NAME: ${{ github.event.repository.name }} + GITHUB_RUNNER_IMAGE_NAME: "github-runner" + GITHUB_RUNNER_IMAGE_TAG: "latest" + GITHUB_RUNNER_IMAGE_BRANCH: ${{ github.ref_name }} + shell: bash + run: | + azd config set auth.useAzCliAuth "true" + azd env new "$AZURE_ENV_NAME" --location "$AZURE_LOCATION" --no-prompt + azd env set RESOURCE_SHARE_USER "$RESOURCE_SHARE_USER" + azd env set RESOURCE_TAGS "$RESOURCE_TAGS" + + azd env set RS_STORAGE_ACCOUNT "$RS_STORAGE_ACCOUNT" + azd env set RS_CONTAINER_NAME "$RS_CONTAINER_NAME" + azd env set RS_RESOURCE_GROUP "$RS_RESOURCE_GROUP" + + azd env set GITHUB_PAT "$GITHUB_PAT" + azd env set GITHUB_REPO_OWNER "$GITHUB_REPO_OWNER" + azd env set GITHUB_REPO_NAME "$GITHUB_REPO_NAME" + azd env set GITHUB_RUNNER_IMAGE_NAME "$GITHUB_RUNNER_IMAGE_NAME" + azd env set GITHUB_RUNNER_IMAGE_TAG "$GITHUB_RUNNER_IMAGE_TAG" + azd env set GITHUB_RUNNER_IMAGE_BRANCH "$GITHUB_RUNNER_IMAGE_BRANCH" + + # Detect if debug logging is enabled and set DEBUG_FLAG accordingly + DEBUG_FLAG="" + if [ "$ACTIONS_STEP_DEBUG" = "true" ] || [ "$ACTIONS_RUNNER_DEBUG" = "true" ] || [ "$RUNNER_DEBUG" = "1" ]; then + DEBUG_FLAG="--debug" + fi + azd provision --no-prompt $DEBUG_FLAG + 
+ - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 + if: success() || failure() + with: + name: sarif-reports + path: | + ./gitleaks-report.sarif + ./checkov-results.sarif/results_sarif.sarif + + - name: Upload Gitleaks SARIF report to Github + uses: github/codeql-action/upload-sarif@9b02dc2f60288b463e7a66e39c78829b62780db7 # v2.22.1 + with: + sarif_file: ./gitleaks-report.sarif + + + - name: Upload Checkov SARIF Report to GitHub + uses: github/codeql-action/upload-sarif@9b02dc2f60288b463e7a66e39c78829b62780db7 # v2.22.1 + with: + sarif_file: ./checkov-results.sarif/results_sarif.sarif + + - name: Destroy Infrastructure + if: ${{ github.event.inputs.run_azd_down == 'true' || github.event_name == 'pull_request' }} + env: + POWER_PLATFORM_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }} + POWER_PLATFORM_TENANT_ID: ${{ vars.AZURE_TENANT_ID }} + POWER_PLATFORM_USE_OIDC: "true" + + ARM_USE_AZUREAD: "true" + ARM_STORAGE_USE_AZUREAD: "true" + ARM_USE_OIDC: "true" + ARM_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }} + ARM_TENANT_ID: ${{ vars.AZURE_TENANT_ID }} + ARM_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }} + AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }} + + RS_STORAGE_ACCOUNT: ${{ vars.RS_STORAGE_ACCOUNT }} + RS_CONTAINER_NAME: ${{ vars.RS_CONTAINER_NAME }} + RS_RESOURCE_GROUP: ${{ vars.RS_RESOURCE_GROUP }} + RESOURCE_SHARE_USER: ${{ vars.RESOURCE_SHARE_USER }} + RESOURCE_TAGS: ${{ vars.RESOURCE_TAGS }} + + shell: bash + run: | + azd env set RS_STORAGE_ACCOUNT "$RS_STORAGE_ACCOUNT" + azd env set RS_CONTAINER_NAME "$RS_CONTAINER_NAME" + azd env set RS_RESOURCE_GROUP "$RS_RESOURCE_GROUP" + azd env set RESOURCE_SHARE_USER "$RESOURCE_SHARE_USER" + azd env set RESOURCE_TAGS "$RESOURCE_TAGS" + + azd env select "$AZURE_ENV_NAME" + + # Detect if debug logging is enabled and set DEBUG_FLAG accordingly + DEBUG_FLAG="" + if [ "$ACTIONS_STEP_DEBUG" = "true" ] || [ "$ACTIONS_RUNNER_DEBUG" = "true" ] || [ "$RUNNER_DEBUG" = "1" ]; then + 
DEBUG_FLAG="--debug" + fi + azd down --no-prompt --force --purge $DEBUG_FLAG + + - name: Purge Soft-Deleted Azure OpenAI Resources + if: ${{ github.event.inputs.run_azd_down == 'true' || github.event_name == 'pull_request' }} + shell: bash + run: | + # Get the OpenAI resource name and location from environment outputs + OPENAI_RESOURCE_NAME=$(azd env get-values --output json | jq -r '.openai_resource_name // empty') + AZURE_REGION=$(azd env get-values --output json | jq -r '.primary_azure_region // empty') + RESOURCE_GROUP=$(azd env get-values --output json | jq -r '.resource_group_name // empty') + + # Only attempt to purge if we have the required information + if [[ -n "$OPENAI_RESOURCE_NAME" && -n "$AZURE_REGION" ]]; then + echo "Attempting to purge soft-deleted Azure OpenAI resource: $OPENAI_RESOURCE_NAME in $AZURE_REGION" + + # Purge the soft-deleted Cognitive Services account (continue on error if resource not found) + az cognitiveservices account purge \ + --location "$AZURE_REGION" \ + --resource-group "$RESOURCE_GROUP" \ + --name "$OPENAI_RESOURCE_NAME" || echo "Resource may not be in soft-delete state or already purged" + else + echo "OpenAI resource information not found in environment outputs. Skipping purge." + fi
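Review bot: This hunk removes and re-adds every line of azure-dev.yml, so the functional change (the `DEBUG_FLAG` block added to the Provision and Destroy steps) cannot be reviewed line by line; judging by the trailing-space blank lines replaced in azure-dev-down.yml, the rest appears to be whitespace or line-ending normalization. Splitting that normalization into its own commit, or at least reviewing with `git diff -w --ignore-cr-at-eol`, would make the real change visible. The Provision step now runs `azd provision --no-prompt $DEBUG_FLAG` directly after `azd env set GITHUB_PAT "$GITHUB_PAT"` (sourced from `secrets.MCS_RUNNER`), so this is the step where verbose `--debug` tracing is most likely to surface secret-derived values that exact-string masking does not catch; consider leaving `--debug` off this step, or document the exposure above the flag assignment with `# NOTE: --debug output may include azd env values (incl. GITHUB_PAT); masking covers exact secret strings only`. The `ACTIONS_STEP_DEBUG`/`ACTIONS_RUNNER_DEBUG` checks in both blocks also appear unreachable without an explicit `env:` mapping, since the runner itself only exports `RUNNER_DEBUG`.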