Migrate to new Azure tenant #11269
Signed-off-by: willdavsmith <willdavsmith@gmail.com>
| if ! rad install kubernetes \ | ||
| --set global.azureWorkloadIdentity.enabled=true \ | ||
| --set database.enabled=true; then | ||
| --set database.enabled=false; then |
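Review bot: the reason for `--set database.enabled=false` (tight tenant quotas, database feature not working on single-node AKS) exists only in this review thread; add a short comment above the `rad install kubernetes` call in manage-radius-installation.sh together with a TODO to re-enable it, otherwise the flag reads as intentional and the database path stays untested indefinitely.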
The new tenants have pretty tight quotas, and the database feature doesn't seem to work in single-node AKS. Disabling for now.
Signed-off-by: willdavsmith <willdavsmith@gmail.com>
Codecov Report: All modified and coverable lines are covered by tests.

Coverage Diff (main vs. #11269):

| | main | #11269 | +/- |
|---|---|---|---|
| Coverage | 50.98% | 50.98% | |
| Files | 679 | 679 | |
| Lines | 43174 | 43174 | |
| Hits | 22012 | 22013 | +1 |
| Misses | 19040 | 19038 | -2 |
| Partials | 2122 | 2123 | +1 |
| AZURE_WORKLOAD_IDENTITY_WEBHOOK_VER: 1.3.0 | ||
| # Container registry for storing container images | ||
| CONTAINER_REGISTRY: ghcr.io/radius-project/dev | ||
| CONTAINER_REGISTRY: ${{ vars.FUNCTIONAL_TEST_CONTAINER_REGISTRY }} |
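Review bot: `${{ vars.FUNCTIONAL_TEST_CONTAINER_REGISTRY }}` expands to an empty string when the variable is not defined, so a fork that has not set it would build image references with no registry and fail only at push time; either list the variable under "New/updated GitHub variables" in the description or give it a fallback, e.g. `CONTAINER_REGISTRY: ${{ vars.FUNCTIONAL_TEST_CONTAINER_REGISTRY || 'ghcr.io/radius-project/dev' }}`.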
setting these in vars makes forkability much easier.
| - name: Get App Token (radius-publisher) | ||
| uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 | ||
| id: get_publisher_token |
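Review bot: with the radius-publisher app-token step removed, confirm that no remaining step in these workflows still references `steps.get_publisher_token.outputs.token`; a reference to a step that no longer exists is not a workflow syntax error, it just yields an empty value, so a leftover use would surface only as an authentication failure when pushing types to TEST_BICEP_TYPES_REGISTRY.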
I don't think we need the publishing steps for the functional test workflows. I refactored to use BICEP_TYPES_REGISTRY (public) for pulling types, and TEST_BICEP_TYPES_REGISTRY any time we need to push types.
| }, | ||
| "cloud": { | ||
| "credentialPrecedence": ["Environment"] | ||
| "credentialPrecedence": ["AzureCLI", "Environment"] |
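Review bot: putting `AzureCLI` ahead of `Environment` in `credentialPrecedence` makes Bicep use whatever identity `az login` currently holds before it falls back to environment credentials; that is what the runner needs to reach the private ACR, but it also changes which identity a contributor's local build uses, so the description should mention it next to the registry variable rather than leaving "for private ACR" only in this thread.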
for private ACR
| ) | ||
| func Test_AWSRedeployWithUpdatedResourceUpdatesResource(t *testing.T) { | ||
| t.Skip("temporarily skipping AWS tests while OIDC issuer validation is being updated") |
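Review bot: the `t.Skip` message should carry a tracking reference (an issue number or a TODO with an owner) so the AWS tests are re-enabled once the OIDC issuer validation is updated; a bare skip tends to outlive its reason, and `go test` reports these as skipped rather than failing, so nothing will remind anyone.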
I need to talk to Nithya today about the setup. The rest of the PR can be reviewed, but I'll leave it in draft state until this part is ready.
| FUNCTIONALTEST_TIMEOUT: 60m | ||
| # The Azure Location to store test resources | ||
| AZURE_LOCATION: westus3 | ||
| AZURE_LOCATION: westus2 |
suggestion: move to vars as well
| steps: | ||
| - name: Get GitHub app token | ||
| if: github.repository == 'radius-project/radius' | ||
| if: github.repository == vars.RADIUS_REPOSITORY |
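Review bot: `if: github.repository == vars.RADIUS_REPOSITORY` is evaluated as an expression even without the `${{ }}` wrapper, so the comparison does read the variable's value; the case to guard is an undefined `RADIUS_REPOSITORY`, where the right-hand side is empty and the step is skipped silently on every fork. List the variable under "New/updated GitHub variables" in the description so fork owners know to set it.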
suggestion: keeping hard-coded is fine in this case
to test on a fork, I had to set up a GitHub app, so I think this one should still be a var
Signed-off-by: willdavsmith <willdavsmith@gmail.com>
Radius functional test overview
Test Status: ⌛ Building Radius and pushing container images for functional tests...
| # AZURE_OIDC_ISSUER_PUBLIC_KEY | ||
| # AZURE_OIDC_ISSUER_PRIVATE_KEY | ||
| # AZURE_OIDC_ISSUER | ||
| eval "export $(echo "${{ secrets.FUNCTEST_AZURE_OIDC_JSON }}" | jq -r 'to_entries | map("\(.key)=\(.value)") | @sh')" |
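Review bot: `${{ secrets.FUNCTEST_AZURE_OIDC_JSON }}` is substituted into the script text before the shell runs, so the secret's own bytes take part in parsing the `echo` command; pass it through `env:` (e.g. `OIDC_JSON: ${{ secrets.FUNCTEST_AZURE_OIDC_JSON }}`) and pipe `"$OIDC_JSON"` into jq, and run `jq -e 'type == "object"'` on it before the `eval`, as the description says is done elsewhere. The `@sh` filter already keeps the exported values from being interpreted, but only once the JSON has reached jq intact.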
Not sure how they were set before, but I kept getting parsing issues for these secrets when exported from Terraform. These should fix it.
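Added example, not code from the Radius workflows: a POSIX shell function that loads a JSON secret of the shape discussed above (a flat object with keys such as AZURE_OIDC_ISSUER) into exported variables, validating it with `jq -e` before the `eval`. The sample JSON and its key material are constructed placeholders; the required-key list and the `load_oidc_env` name are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the Radius repository: load a JSON secret into
# environment variables the way the workflow's `eval "export $(... | @sh)"`
# does, but validate the document first. Assumed secret shape: a flat JSON
# object whose keys are the variable names (AZURE_OIDC_ISSUER and friends).
set -eu

# load_oidc_env JSON_TEXT
# The JSON arrives as an argument (in CI, pass it via `env:` and "$OIDC_JSON"),
# never spliced into the script body, so its contents are data, not code.
load_oidc_env() {
  json="$1"
  # jq -e exits non-zero for invalid JSON or a false result, so a malformed
  # secret fails the step instead of silently exporting nothing.
  if ! printf '%s' "$json" | jq -e 'type == "object"' >/dev/null 2>&1; then
    echo "secret is not a JSON object" >&2
    return 1
  fi
  # Every key must be a valid shell identifier, or `export` will reject it.
  if ! printf '%s' "$json" | jq -e 'keys | all(test("^[A-Za-z_][A-Za-z0-9_]*$"))' >/dev/null; then
    echo "secret contains a key that is not a valid variable name" >&2
    return 1
  fi
  for required in AZURE_OIDC_ISSUER AZURE_OIDC_ISSUER_PUBLIC_KEY AZURE_OIDC_ISSUER_PRIVATE_KEY; do
    if ! printf '%s' "$json" | jq -e --arg k "$required" 'has($k)' >/dev/null; then
      echo "secret is missing $required" >&2
      return 1
    fi
  done
  # @sh single-quotes each KEY=VALUE, so newlines (PEM blocks) and shell
  # metacharacters inside values survive the eval verbatim.
  eval "export $(printf '%s' "$json" | jq -r 'to_entries | map("\(.key)=\(.value)") | @sh')"
}

# Constructed sample (placeholder key material, not a real credential). It has a
# multi-line PEM-style value and shell metacharacters to show both round-trip.
SAMPLE_JSON=$(cat <<'EOF'
{"AZURE_OIDC_ISSUER": "https://example.invalid/oidc",
 "AZURE_OIDC_ISSUER_PUBLIC_KEY": "-----BEGIN PUBLIC KEY-----\nPLACEHOLDER\n-----END PUBLIC KEY-----",
 "AZURE_OIDC_ISSUER_PRIVATE_KEY": "it's $(not run) `nor this`"}
EOF
)

load_oidc_env "$SAMPLE_JSON"
printf '%s\n' "issuer=$AZURE_OIDC_ISSUER"
```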
Pull request overview
This pull request migrates the Radius project to a new Azure tenant, replaces hardcoded values with GitHub variables for better fork-ability, and modernizes the Bicep types publishing approach. The changes eliminate the complex remote workflow dispatch pattern by implementing direct publishing of Bicep types, improving testability and reducing dependencies. The PR also enhances security by adding proper JSON validation, improving credential handling, and migrating from PAT tokens to the built-in github.token where possible.
Changes:
- Replaced hardcoded Azure configuration values with GitHub variables (location, cluster names, registry URLs, app IDs)
- Simplified Bicep types publishing by removing remote repository dispatch in favor of direct publishing to ACR
- Improved JSON parsing for secrets with proper validation using `jq -e` and error handling
- Enhanced fork-ability by using `vars.RADIUS_REPOSITORY` and migrating from PAT to `github.token` in most workflows
- Disabled database for Radius installation in manage-radius-installation.sh
- Added proper conditional checks and permissions for workflow jobs
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| .github/workflows/long-running-azure.yaml | Updated environment variables to use GitHub vars, improved JSON parsing, added bicepconfig.json update step, changed database.enabled to false, missing permissions block in report-failure job |
| .github/workflows/functional-test-noncloud.yaml | Updated repository checks to use vars.RADIUS_REPOSITORY, migrated to github.token, added issues:write permission |
| .github/workflows/functional-test-cloud.yaml | Removed complex remote workflow dispatch for Bicep types publishing, implemented direct publishing approach, improved OIDC key validation with openssl, enhanced JSON parsing with validation, added packages:read permission, added conditional checks with always() |
| .github/scripts/manage-radius-installation.sh | Changed database.enabled from true to false for Radius installation |
brooke-hamilton left a comment
🚀
Minor issues only below.
Duplicate Checkout step
| permissions: {} | ||
| if: failure() && github.event_name == 'schedule' && github.repository == 'radius-project/radius' | ||
| if: failure() && github.event_name == 'schedule' && github.repository == vars.RADIUS_REPOSITORY | ||
| steps: |
Does this job need write permissions for issues?
no, because it's using GH_RAD_CI_BOT_PAT. we would only need permissions if we were using the default GITHUB_TOKEN (github.token)
| - name: Create failure issue for failing scheduled run | ||
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 | ||
| with: | ||
| github-token: ${{ secrets.GH_RAD_CI_BOT_PAT }} |
Just verifying - does this workflow still use the PAT, or was the PAT removed?
this workflow still uses the PAT. it's only using it here though (for issue creation) because I didn't want to affect that flow in this PR. it was removed everywhere else in the PR because it was possible to use the default github.token for the purpose.
Signed-off-by: willdavsmith <willdavsmith@gmail.com>
| steps: | ||
| - name: Get GitHub app token | ||
| if: github.repository == 'radius-project/radius' | ||
| if: github.repository == vars.RADIUS_REPOSITORY |
The vars.RADIUS_REPOSITORY variable is used in conditional expressions without the ${{ }} wrapper. In GitHub Actions, when accessing vars context in if conditions, you must use the ${{ }} wrapper. The correct syntax is:
if: github.repository == '${{ vars.RADIUS_REPOSITORY }}'
Without the wrapper and quotes, the expression will be evaluated as a literal string comparison against "vars.RADIUS_REPOSITORY" rather than the actual variable value. This affects multiple step-level conditionals in this file.
| if: github.repository == vars.RADIUS_REPOSITORY | |
| if: github.repository == '${{ vars.RADIUS_REPOSITORY }}' |
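Review bot: the suggested `'${{ vars.RADIUS_REPOSITORY }}'` form also works, because `${{ }}` is substituted before the `if:` string is parsed as an expression, but it then depends on the variable value containing no single quote, whereas the bare `vars.RADIUS_REPOSITORY` compares the value as a string with no re-parsing. Whichever form is kept, use it consistently across all the workflows touched here.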
| uses: ./.github/actions/process-test-results | ||
| # In case of failure, upload functional_test_results to artifacts so that they are not erased by subsequent runs. | ||
| if: failure() && github.repository == 'radius-project/radius' | ||
| if: failure() && github.repository == vars.RADIUS_REPOSITORY |
The vars.RADIUS_REPOSITORY variable is used in conditional expressions without the ${{ }} wrapper. In GitHub Actions, when accessing vars context in if conditions, you must use the ${{ }} wrapper. The correct syntax is:
if: failure() && github.repository == '${{ vars.RADIUS_REPOSITORY }}'
Without the wrapper and quotes, the expression will be evaluated as a literal string comparison against "vars.RADIUS_REPOSITORY" rather than the actual variable value.
| if: failure() && github.repository == vars.RADIUS_REPOSITORY | |
| if: failure() && github.repository == '${{ vars.RADIUS_REPOSITORY }}' |
| report-test-results: | ||
| # Report final test status. Runs after all tests complete (or are skipped). | ||
| if: always() && github.repository == 'radius-project/radius' | ||
| if: always() && github.repository == vars.RADIUS_REPOSITORY |
The vars.RADIUS_REPOSITORY variable is used in conditional expressions without the ${{ }} wrapper. In GitHub Actions, when accessing vars context in if conditions, you must use the ${{ }} wrapper. The correct syntax is:
if: always() && github.repository == '${{ vars.RADIUS_REPOSITORY }}'
Without the wrapper and quotes, the expression will be evaluated as a literal string comparison against "vars.RADIUS_REPOSITORY" rather than the actual variable value.
| timeout-minutes: 5 | ||
| permissions: {} | ||
| if: failure() && github.event_name == 'schedule' && github.repository == 'radius-project/radius' | ||
| if: failure() && github.event_name == 'schedule' && github.repository == vars.RADIUS_REPOSITORY |
The vars.RADIUS_REPOSITORY variable is used in conditional expressions without the ${{ }} wrapper. In GitHub Actions, when accessing vars context in if conditions, you must use the ${{ }} wrapper. The correct syntax is:
if: failure() && github.event_name == 'schedule' && github.repository == '${{ vars.RADIUS_REPOSITORY }}'
Without the wrapper and quotes, the expression will be evaluated as a literal string comparison against "vars.RADIUS_REPOSITORY" rather than the actual variable value.
| - name: Get GitHub app token | ||
| if: github.repository == 'radius-project/radius' | ||
| if: github.repository == vars.RADIUS_REPOSITORY |
The vars.RADIUS_REPOSITORY variable is used in conditional expressions without the ${{ }} wrapper. In GitHub Actions, when accessing vars context in if conditions, you must use the ${{ }} wrapper. The correct syntax is:
if: github.repository == '${{ vars.RADIUS_REPOSITORY }}'
Without the wrapper and quotes, the expression will be evaluated as a literal string comparison against "vars.RADIUS_REPOSITORY" rather than the actual variable value.
| steps: | ||
| - name: Get GitHub app token | ||
| if: github.repository == 'radius-project/radius' | ||
| if: github.repository == vars.RADIUS_REPOSITORY |
The vars.RADIUS_REPOSITORY variable is used in conditional expressions without the ${{ }} wrapper. In GitHub Actions, when accessing vars context in if conditions, you must use the ${{ }} wrapper. The correct syntax is:
if: github.repository == '${{ vars.RADIUS_REPOSITORY }}'
Without the wrapper and quotes, the expression will be evaluated as a literal string comparison against "vars.RADIUS_REPOSITORY" rather than the actual variable value.
| if: github.repository == vars.RADIUS_REPOSITORY | |
| if: github.repository == '${{ vars.RADIUS_REPOSITORY }}' |
| steps: | ||
| - name: Get GitHub app token | ||
| if: github.repository == 'radius-project/radius' | ||
| if: github.repository == vars.RADIUS_REPOSITORY |
The vars.RADIUS_REPOSITORY variable is used in conditional expressions without the ${{ }} wrapper. In GitHub Actions, when accessing vars context in if conditions, you must use the ${{ }} wrapper. The correct syntax is:
if: github.repository == '${{ vars.RADIUS_REPOSITORY }}'
Without the wrapper and quotes, the expression will be evaluated as a literal string comparison against "vars.RADIUS_REPOSITORY" rather than the actual variable value.
| if: github.repository == vars.RADIUS_REPOSITORY | |
| if: github.repository == '${{ vars.RADIUS_REPOSITORY }}' |
| jobs: | ||
| tests: | ||
| if: github.repository == 'radius-project/radius' | ||
| if: github.repository == vars.RADIUS_REPOSITORY |
The vars.RADIUS_REPOSITORY variable is used in conditional expressions without the ${{ }} wrapper. In GitHub Actions, when accessing vars context in if conditions, you must use the ${{ }} wrapper. The correct syntax is:
if: github.repository == '${{ vars.RADIUS_REPOSITORY }}'
Without the wrapper and quotes, the expression will be evaluated as a literal string comparison against "vars.RADIUS_REPOSITORY" rather than the actual variable value. This affects multiple locations in this file.
| if: github.repository == vars.RADIUS_REPOSITORY | |
| if: github.repository == '${{ vars.RADIUS_REPOSITORY }}' |
| uses: ./.github/actions/process-test-results | ||
| # In case of failure, upload functional_test_results to artifacts so that they are not erased by subsequent runs. | ||
| if: failure() && github.repository == 'radius-project/radius' | ||
| if: failure() && github.repository == vars.RADIUS_REPOSITORY |
The vars.RADIUS_REPOSITORY variable is used in conditional expressions without the ${{ }} wrapper. In GitHub Actions, when accessing vars context in if conditions, you must use the ${{ }} wrapper. The correct syntax is:
if: failure() && github.repository == '${{ vars.RADIUS_REPOSITORY }}'
Without the wrapper and quotes, the expression will be evaluated as a literal string comparison against "vars.RADIUS_REPOSITORY" rather than the actual variable value.
| if: failure() && github.repository == vars.RADIUS_REPOSITORY | |
| if: failure() && github.repository == '${{ vars.RADIUS_REPOSITORY }}' |
| always() && | ||
| (github.event_name != 'pull_request_target' || needs.approval-gate.result == 'success' || needs.approval-gate.result == 'skipped') && | ||
| (github.event_name != 'schedule' || github.repository == 'radius-project/radius') | ||
| (github.event_name != 'schedule' || github.repository == vars.RADIUS_REPOSITORY) |
The vars.RADIUS_REPOSITORY variable is used in conditional expressions without the ${{ }} wrapper. In GitHub Actions, when accessing vars context in if conditions, you must use the ${{ }} wrapper. The correct syntax is:
(github.event_name != 'schedule' || github.repository == '${{ vars.RADIUS_REPOSITORY }}')
Without the wrapper and quotes, the expression will be evaluated as a literal string comparison against "vars.RADIUS_REPOSITORY" rather than the actual variable value.
| (github.event_name != 'schedule' || github.repository == vars.RADIUS_REPOSITORY) | |
| (github.event_name != 'schedule' || github.repository == '${{ vars.RADIUS_REPOSITORY }}') |
NOTE: the cloud tests are failing in this PR. It seems to be running the version of the workflow from main. This should be resolved when it's merged into main.
Description
[Fork] Passing LRT run: https://github.com/willdavsmith/radius/actions/runs/22155234512
Passing Cloud test run: https://github.com/willdavsmith/radius/actions/runs/22124974117
[main] Passing Cloud test run: https://github.com/radius-project/radius/actions/runs/22317562274
[main] Passing long-running test run: https://github.com/radius-project/radius/actions/runs/22248761002
New/updated GitHub variables:
New/updated GitHub secrets:
Type of change
Fixes: #issue_number
Contributor checklist
Please verify that the PR meets the following requirements, where applicable: