Merge pull request #761 from microsoft/psl-fix-vulnerabilities

ci: fixed vulnerabilities

Author: Prajwal-Microsoft

.github/workflows/azure-dev.yml

@@ -18,7 +18,7 @@ jobs:
         uses: actions/checkout@v4 
       # Step 2: Validate the Azure template using microsoft/template-validation-action 
       - name: Validate Azure Template 
-        uses: microsoft/template-validation-action@Latest
+        uses: microsoft/template-validation-action@bae4895d0a8abd4f0d5aad68ae8647b3027f4c91
         with: 
           validateAzd: true
           useDevContainer: false

.github/workflows/deploy-linux.yml

@@ -1,4 +1,8 @@
 name: Deploy-Test-Cleanup (v2) Linux
+
+permissions:
+  contents: read
+  actions: read
 on:
   workflow_run:
     workflows: ["Build Docker and Optional Push v4"]

.github/workflows/deploy-orchestrator.yml

@@ -1,5 +1,9 @@
 name: Deployment orchestrator
 
+permissions:
+  contents: read
+  actions: read
+
 on:
   workflow_call:
     inputs:

.github/workflows/deploy-waf.yml

@@ -1,5 +1,8 @@
 name: Validate WAF Deployment v4
 
+permissions:
+  contents: read
+  actions: read
 on:
   push:
     branches:
@@ -20,16 +23,16 @@ jobs:
 
       - name: Run Quota Check
         id: quota-check
+        env:
+          AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+          AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+          AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
+          AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          GPT_MIN_CAPACITY: ${{ env.GPT_MIN_CAPACITY }}
+          O4_MINI_MIN_CAPACITY: ${{ env.O4_MINI_MIN_CAPACITY }}
+          GPT41_MINI_MIN_CAPACITY: ${{ env.GPT41_MINI_MIN_CAPACITY }}
+          AZURE_REGIONS: ${{ vars.AZURE_REGIONS }}
         run: |
-          export AZURE_CLIENT_ID=${{ secrets.AZURE_CLIENT_ID }}
-          export AZURE_TENANT_ID=${{ secrets.AZURE_TENANT_ID }}
-          export AZURE_CLIENT_SECRET=${{ secrets.AZURE_CLIENT_SECRET }}
-          export AZURE_SUBSCRIPTION_ID="${{ secrets.AZURE_SUBSCRIPTION_ID }}"
-          export GPT_MIN_CAPACITY="1"
-          export O4_MINI_MIN_CAPACITY="1"
-          export GPT41_MINI_MIN_CAPACITY="1"
-          export AZURE_REGIONS="${{ vars.AZURE_REGIONS }}"
-
           chmod +x infra/scripts/checkquota.sh
           if ! infra/scripts/checkquota.sh; then
             # If quota check fails due to insufficient quota, set the flag

.github/workflows/deploy-windows.yml

@@ -1,4 +1,8 @@
 name: Deploy-Test-Cleanup (v2) Windows
+
+permissions:
+  contents: read
+  actions: read
 on:
   # workflow_run:
   #   workflows: ["Build Docker and Optional Push v3"]

.github/workflows/deploy.yml

@@ -1,5 +1,8 @@
 name: Validate Deployment v4
 
+permissions:
+  contents: read
+  actions: read
 on:
   workflow_run:
     workflows: ["Build Docker and Optional Push v4"]
@@ -33,16 +36,16 @@ jobs:
 
       - name: Run Quota Check
         id: quota-check
+        env:
+          AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+          AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+          AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
+          AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          GPT_MIN_CAPACITY: ${{ env.GPT_MIN_CAPACITY }}
+          O4_MINI_MIN_CAPACITY: ${{ env.O4_MINI_MIN_CAPACITY }}
+          GPT41_MINI_MIN_CAPACITY: ${{ env.GPT41_MINI_MIN_CAPACITY }}
+          AZURE_REGIONS: ${{ vars.AZURE_REGIONS }}
         run: |
-          export AZURE_CLIENT_ID=${{ secrets.AZURE_CLIENT_ID }}
-          export AZURE_TENANT_ID=${{ secrets.AZURE_TENANT_ID }}
-          export AZURE_CLIENT_SECRET=${{ secrets.AZURE_CLIENT_SECRET }}
-          export AZURE_SUBSCRIPTION_ID="${{ secrets.AZURE_SUBSCRIPTION_ID }}"
-          export GPT_MIN_CAPACITY="150"
-          export O4_MINI_MIN_CAPACITY="50"
-          export GPT41_MINI_MIN_CAPACITY="50"
-          export AZURE_REGIONS="${{ vars.AZURE_REGIONS }}"
-
           chmod +x infra/scripts/checkquota.sh
           if ! infra/scripts/checkquota.sh; then
             # If quota check fails due to insufficient quota, set the flag

.github/workflows/docker-build-and-push.yml

@@ -44,16 +44,20 @@ on:
       - 'azure_custom.yaml'
   workflow_dispatch:
 
+permissions:
+  contents: read
+  actions: read
+
 jobs:
   build-and-push:
     runs-on: ubuntu-latest
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v3
 
       - name: Log in to Azure Container Registry
         if: ${{ github.ref_name == 'main' || github.ref_name == 'dev-v4'|| github.ref_name == 'demo-v4' || github.ref_name == 'hotfix' }}
@@ -70,7 +74,7 @@ jobs:
       - name: Get registry
         id: registry
         run: |
-          echo "ext_registry=${{ secrets.ACR_LOGIN_SERVER || 'acrlogin.azurecr.io'}}" >> $GITHUB_OUTPUT
+          echo "ext_registry=${{ secrets.ACR_LOGIN_SERVER || 'acrlogin.azurecr.io' }}" >> $GITHUB_OUTPUT
 
       - name: Determine Tag Name Based on Branch
         id: determine_tag

.github/workflows/job-cleanup-deployment.yml

@@ -1,5 +1,8 @@
 name: Cleanup Deployment Job
 
+permissions:
+  contents: read
+  actions: read
 on:
   workflow_call:
     inputs:

.github/workflows/job-deploy-linux.yml

@@ -1,5 +1,9 @@
 name: Deploy Steps - Linux
 
+permissions:
+  contents: read
+  actions: read
+
 on:
   workflow_call:
     inputs:
@@ -316,19 +320,17 @@ jobs:
       - name: Run Post deployment scripts
         env:
           INPUT_RESOURCE_GROUP_NAME: ${{ inputs.RESOURCE_GROUP_NAME }}
+          AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          AZURE_RESOURCE_GROUP: ${{ inputs.RESOURCE_GROUP_NAME }}
+          BACKEND_URL: ${{ steps.get_output_linux.outputs.BACKEND_URL }}
+          AZURE_STORAGE_ACCOUNT_NAME: ${{ steps.get_output_linux.outputs.AZURE_STORAGE_ACCOUNT_NAME }}
+          AZURE_STORAGE_CONTAINER_NAME: sample-dataset
+          AZURE_AI_SEARCH_NAME: ${{ steps.get_output_linux.outputs.AZURE_AI_SEARCH_NAME }}
+          AZURE_AI_SEARCH_INDEX_NAME: sample-dataset-index
+          AZURE_ENV_NAME: ${{ steps.get_output_linux.outputs.AZURE_ENV_NAME }}
         run: |
           set -e
           az account set --subscription "${{ secrets.AZURE_SUBSCRIPTION_ID }}"
-
-          # Set environment variables for selecting_team_config_and_data.sh
-          export AZURE_SUBSCRIPTION_ID="${{ secrets.AZURE_SUBSCRIPTION_ID }}"
-          export AZURE_RESOURCE_GROUP="$INPUT_RESOURCE_GROUP_NAME"
-          export BACKEND_URL="${{ steps.get_output_linux.outputs.BACKEND_URL }}"
-          export AZURE_STORAGE_ACCOUNT_NAME="${{ steps.get_output_linux.outputs.AZURE_STORAGE_ACCOUNT_NAME }}"
-          export AZURE_STORAGE_CONTAINER_NAME="sample-dataset"
-          export AZURE_AI_SEARCH_NAME="${{ steps.get_output_linux.outputs.AZURE_AI_SEARCH_NAME }}"
-          export AZURE_AI_SEARCH_INDEX_NAME="sample-dataset-index"
-          export AZURE_ENV_NAME="${{ steps.get_output_linux.outputs.AZURE_ENV_NAME }}"
           
           # Upload team configurations and index sample data in one step
           # Automatically select "6" (All use cases) for non-interactive deployment

.github/workflows/job-deploy-windows.yml

@@ -1,5 +1,9 @@
 name: Deploy Steps - Windows
 
+permissions:
+  contents: read
+  actions: read
+
 on:
   workflow_call:
     inputs:
@@ -307,28 +311,24 @@ jobs:
           "WEBAPP_URL=$WEBAPP_URL" | Out-File -FilePath $env:GITHUB_OUTPUT -Encoding utf8 -Append
 
       - name: Run Post deployment scripts
-        shell: pwsh
+        shell: bash
         env:
           INPUT_RESOURCE_GROUP_NAME: ${{ inputs.RESOURCE_GROUP_NAME }}
+          AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          AZURE_RESOURCE_GROUP: ${{ inputs.RESOURCE_GROUP_NAME }}
+          BACKEND_URL: ${{ steps.get_output_windows.outputs.BACKEND_URL }}
+          AZURE_STORAGE_ACCOUNT_NAME: ${{ steps.get_output_windows.outputs.AZURE_STORAGE_ACCOUNT_NAME }}
+          AZURE_STORAGE_CONTAINER_NAME: sample-dataset
+          AZURE_AI_SEARCH_NAME: ${{ steps.get_output_windows.outputs.AZURE_AI_SEARCH_NAME }}
+          AZURE_AI_SEARCH_INDEX_NAME: sample-dataset-index
+          AZURE_ENV_NAME: ${{ steps.get_output_windows.outputs.AZURE_ENV_NAME }}
         run: |
-          Set-StrictMode -Version Latest
-          $ErrorActionPreference = "Stop"
-
+          set -e
           az account set --subscription "${{ secrets.AZURE_SUBSCRIPTION_ID }}"
-
-          # Set environment variables for team_config_and_data.ps1
-          $env:AZURE_SUBSCRIPTION_ID = "${{ secrets.AZURE_SUBSCRIPTION_ID }}"
-          $env:AZURE_RESOURCE_GROUP = "$env:INPUT_RESOURCE_GROUP_NAME"
-          $env:BACKEND_URL = "${{ steps.get_output_windows.outputs.BACKEND_URL }}"
-          $env:AZURE_STORAGE_ACCOUNT_NAME = "${{ steps.get_output_windows.outputs.AZURE_STORAGE_ACCOUNT_NAME }}"
-          $env:AZURE_STORAGE_CONTAINER_NAME = "sample-dataset"
-          $env:AZURE_AI_SEARCH_NAME = "${{ steps.get_output_windows.outputs.AZURE_AI_SEARCH_NAME }}"
-          $env:AZURE_AI_SEARCH_INDEX_NAME = "sample-dataset-index"
-          $env:AZURE_ENV_NAME = "${{ steps.get_output_windows.outputs.AZURE_ENV_NAME }}"
-
+          
           # Upload team configurations and index sample data in one step
           # Automatically select "6" (All use cases) for non-interactive deployment
-          bash -c "echo 6 | pwsh -File infra/scripts/Selecting-Team-Config-And-Data.ps1"
+          echo "6" | bash infra/scripts/selecting_team_config_and_data.sh
 
       - name: Generate Deployment Summary
         if: always()