
Commit d406f5c

Merge pull request #761 from microsoft/psl-fix-vulnerabilities
ci: fixed vulnerabilities
2 parents 9a46db0 + 82fcd1e commit d406f5c

14 files changed

+95
-60
lines changed

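--- a/.github/workflows/azure-dev.yml
+++ b/.github/workflows/azure-dev.yml
@@ -18,7 +18,7 @@ jobs:
 uses: actions/checkout@v4
 # Step 2: Validate the Azure template using microsoft/template-validation-action
 - name: Validate Azure Template
-uses: microsoft/template-validation-action@Latest
+uses: microsoft/template-validation-action@bae4895d0a8abd4f0d5aad68ae8647b3027f4c91
 with:
 validateAzd: true
 useDevContainer: false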
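Review bot: The pinned SHA on the `microsoft/template-validation-action` line carries no indication of which release it was taken from, so a later reviewer cannot tell whether the pin is current or check it against the action's tags; add a trailing comment such as `# <release tag this SHA corresponds to>`. `actions/checkout@v4` two lines above is still a mutable tag, and docker-build-and-push.yml in this commit moves `actions/checkout` and `docker/setup-buildx-action` to newer major tags rather than to SHAs, so full-SHA pinning is applied to only one action. If immutable pins are the goal, apply them to those references too and let an automated updater keep the SHAs current. The job body starts and ends outside this hunk.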

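--- a/.github/workflows/deploy-linux.yml
+++ b/.github/workflows/deploy-linux.yml
@@ -1,4 +1,8 @@
 name: Deploy-Test-Cleanup (v2) Linux
+
+permissions:
+contents: read
+actions: read
 on:
 workflow_run:
 workflows: ["Build Docker and Optional Push v4"]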
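Review bot: `actions: read` is granted next to `contents: read`, but nothing in the hunk shows what needs it. If a job reads the triggering run or its artifacts, say so in a comment above the block, for example `# actions: read is required to read the triggering workflow run`; if nothing does, drop the line so the token carries only `contents: read`. The same two-scope block is added unchanged to the other workflows in this commit, including the `workflow_call` ones (deploy-orchestrator.yml, job-cleanup-deployment.yml, job-deploy-linux.yml, job-deploy-windows.yml). A called workflow can only narrow the token its caller passes, so the effective ceiling for those is set by the caller.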

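--- a/.github/workflows/deploy-orchestrator.yml
+++ b/.github/workflows/deploy-orchestrator.yml
@@ -1,5 +1,9 @@
 name: Deployment orchestrator
 
+permissions:
+contents: read
+actions: read
+
 on:
 workflow_call:
 inputs: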

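--- a/.github/workflows/deploy-waf.yml
+++ b/.github/workflows/deploy-waf.yml
@@ -1,5 +1,8 @@
 name: Validate WAF Deployment v4
 
+permissions:
+contents: read
+actions: read
 on:
 push:
 branches:
@@ -20,16 +23,16 @@ jobs:
 
 - name: Run Quota Check
 id: quota-check
+env:
+AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
+AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+GPT_MIN_CAPACITY: ${{ env.GPT_MIN_CAPACITY }}
+O4_MINI_MIN_CAPACITY: ${{ env.O4_MINI_MIN_CAPACITY }}
+GPT41_MINI_MIN_CAPACITY: ${{ env.GPT41_MINI_MIN_CAPACITY }}
+AZURE_REGIONS: ${{ vars.AZURE_REGIONS }}
 run: |
-export AZURE_CLIENT_ID=${{ secrets.AZURE_CLIENT_ID }}
-export AZURE_TENANT_ID=${{ secrets.AZURE_TENANT_ID }}
-export AZURE_CLIENT_SECRET=${{ secrets.AZURE_CLIENT_SECRET }}
-export AZURE_SUBSCRIPTION_ID="${{ secrets.AZURE_SUBSCRIPTION_ID }}"
-export GPT_MIN_CAPACITY="1"
-export O4_MINI_MIN_CAPACITY="1"
-export GPT41_MINI_MIN_CAPACITY="1"
-export AZURE_REGIONS="${{ vars.AZURE_REGIONS }}"
-
 chmod +x infra/scripts/checkquota.sh
 if ! infra/scripts/checkquota.sh; then
 # If quota check fails due to insufficient quota, set the flag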
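Review bot: The three `*_MIN_CAPACITY` entries in the new `env:` block read `${{ env.<same name> }}`, whereas the removed lines set them to the literal `"1"`. Unless a workflow- or job-level `env:` outside this hunk defines them, they expand to empty strings and `infra/scripts/checkquota.sh` runs without its thresholds. If they are defined at a higher level, the step inherits them anyway and the three lines are redundant. Either write the literals here, e.g. `GPT_MIN_CAPACITY: "1"` and likewise for the other two, or confirm the higher-level definitions exist. deploy.yml has the same pattern in its Run Quota Check step, where the removed literals were `"150"`, `"50"` and `"50"`. The step's script continues past the end of the hunk.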

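--- a/.github/workflows/deploy-windows.yml
+++ b/.github/workflows/deploy-windows.yml
@@ -1,4 +1,8 @@
 name: Deploy-Test-Cleanup (v2) Windows
+
+permissions:
+contents: read
+actions: read
 on:
 # workflow_run:
 # workflows: ["Build Docker and Optional Push v3"]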

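--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -1,5 +1,8 @@
 name: Validate Deployment v4
 
+permissions:
+contents: read
+actions: read
 on:
 workflow_run:
 workflows: ["Build Docker and Optional Push v4"]
@@ -33,16 +36,16 @@ jobs:
 
 - name: Run Quota Check
 id: quota-check
+env:
+AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
+AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+GPT_MIN_CAPACITY: ${{ env.GPT_MIN_CAPACITY }}
+O4_MINI_MIN_CAPACITY: ${{ env.O4_MINI_MIN_CAPACITY }}
+GPT41_MINI_MIN_CAPACITY: ${{ env.GPT41_MINI_MIN_CAPACITY }}
+AZURE_REGIONS: ${{ vars.AZURE_REGIONS }}
 run: |
-export AZURE_CLIENT_ID=${{ secrets.AZURE_CLIENT_ID }}
-export AZURE_TENANT_ID=${{ secrets.AZURE_TENANT_ID }}
-export AZURE_CLIENT_SECRET=${{ secrets.AZURE_CLIENT_SECRET }}
-export AZURE_SUBSCRIPTION_ID="${{ secrets.AZURE_SUBSCRIPTION_ID }}"
-export GPT_MIN_CAPACITY="150"
-export O4_MINI_MIN_CAPACITY="50"
-export GPT41_MINI_MIN_CAPACITY="50"
-export AZURE_REGIONS="${{ vars.AZURE_REGIONS }}"
-
 chmod +x infra/scripts/checkquota.sh
 if ! infra/scripts/checkquota.sh; then
 # If quota check fails due to insufficient quota, set the flag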

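--- a/.github/workflows/docker-build-and-push.yml
+++ b/.github/workflows/docker-build-and-push.yml
@@ -44,16 +44,20 @@ on:
 - 'azure_custom.yaml'
 workflow_dispatch:
 
+permissions:
+contents: read
+actions: read
+
 jobs:
 build-and-push:
 runs-on: ubuntu-latest
 
 steps:
 - name: Checkout repository
-uses: actions/checkout@v2
+uses: actions/checkout@v4
 
 - name: Set up Docker Buildx
-uses: docker/setup-buildx-action@v1
+uses: docker/setup-buildx-action@v3
 
 - name: Log in to Azure Container Registry
 if: ${{ github.ref_name == 'main' || github.ref_name == 'dev-v4'|| github.ref_name == 'demo-v4' || github.ref_name == 'hotfix' }}
@@ -70,7 +74,7 @@ jobs:
 - name: Get registry
 id: registry
 run: |
-echo "ext_registry=${{ secrets.ACR_LOGIN_SERVER || 'acrlogin.azurecr.io'}}" >> $GITHUB_OUTPUT
+echo "ext_registry=${{ secrets.ACR_LOGIN_SERVER || 'acrlogin.azurecr.io' }}" >> $GITHUB_OUTPUT
 
 - name: Determine Tag Name Based on Branch
 id: determine_tag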
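Review bot: The `Get registry` step still expands `${{ secrets.ACR_LOGIN_SERVER || 'acrlogin.azurecr.io' }}` inside the `run:` script; this commit only adds a space to that line, while the other workflows move such expressions into `env:`. The expression is substituted into the script text before the shell parses it, so pass it through the environment instead. Give the step an `env:` entry `ACR_LOGIN_SERVER: ${{ secrets.ACR_LOGIN_SERVER || 'acrlogin.azurecr.io' }}` and change the command to `echo "ext_registry=$ACR_LOGIN_SERVER" >> "$GITHUB_OUTPUT"`. Since the value may come from a secret, also check that the steps consuming `steps.registry.outputs.ext_registry` still receive it as expected. The job continues outside both hunks.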

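--- a/.github/workflows/job-cleanup-deployment.yml
+++ b/.github/workflows/job-cleanup-deployment.yml
@@ -1,5 +1,8 @@
 name: Cleanup Deployment Job
 
+permissions:
+contents: read
+actions: read
 on:
 workflow_call:
 inputs: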

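--- a/.github/workflows/job-deploy-linux.yml
+++ b/.github/workflows/job-deploy-linux.yml
@@ -1,5 +1,9 @@
 name: Deploy Steps - Linux
 
+permissions:
+contents: read
+actions: read
+
 on:
 workflow_call:
 inputs:
@@ -316,19 +320,17 @@ jobs:
 - name: Run Post deployment scripts
 env:
 INPUT_RESOURCE_GROUP_NAME: ${{ inputs.RESOURCE_GROUP_NAME }}
+AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+AZURE_RESOURCE_GROUP: ${{ inputs.RESOURCE_GROUP_NAME }}
+BACKEND_URL: ${{ steps.get_output_linux.outputs.BACKEND_URL }}
+AZURE_STORAGE_ACCOUNT_NAME: ${{ steps.get_output_linux.outputs.AZURE_STORAGE_ACCOUNT_NAME }}
+AZURE_STORAGE_CONTAINER_NAME: sample-dataset
+AZURE_AI_SEARCH_NAME: ${{ steps.get_output_linux.outputs.AZURE_AI_SEARCH_NAME }}
+AZURE_AI_SEARCH_INDEX_NAME: sample-dataset-index
+AZURE_ENV_NAME: ${{ steps.get_output_linux.outputs.AZURE_ENV_NAME }}
 run: |
 set -e
 az account set --subscription "${{ secrets.AZURE_SUBSCRIPTION_ID }}"
-
-# Set environment variables for selecting_team_config_and_data.sh
-export AZURE_SUBSCRIPTION_ID="${{ secrets.AZURE_SUBSCRIPTION_ID }}"
-export AZURE_RESOURCE_GROUP="$INPUT_RESOURCE_GROUP_NAME"
-export BACKEND_URL="${{ steps.get_output_linux.outputs.BACKEND_URL }}"
-export AZURE_STORAGE_ACCOUNT_NAME="${{ steps.get_output_linux.outputs.AZURE_STORAGE_ACCOUNT_NAME }}"
-export AZURE_STORAGE_CONTAINER_NAME="sample-dataset"
-export AZURE_AI_SEARCH_NAME="${{ steps.get_output_linux.outputs.AZURE_AI_SEARCH_NAME }}"
-export AZURE_AI_SEARCH_INDEX_NAME="sample-dataset-index"
-export AZURE_ENV_NAME="${{ steps.get_output_linux.outputs.AZURE_ENV_NAME }}"
 
 # Upload team configurations and index sample data in one step
 # Automatically select "6" (All use cases) for non-interactive deployment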
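Review bot: The context line `az account set --subscription "${{ secrets.AZURE_SUBSCRIPTION_ID }}"` still expands the secret into the script text, even though the new `env:` block already provides `AZURE_SUBSCRIPTION_ID`. Change it to `az account set --subscription "$AZURE_SUBSCRIPTION_ID"` so the step contains no inline expressions. `INPUT_RESOURCE_GROUP_NAME` and `AZURE_RESOURCE_GROUP` now carry the same input under two names; if nothing after the hunk reads the former, drop it. The same `az account set` line remains in the matching step of job-deploy-windows.yml. The step's script continues past the end of the hunk.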

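--- a/.github/workflows/job-deploy-windows.yml
+++ b/.github/workflows/job-deploy-windows.yml
@@ -1,5 +1,9 @@
 name: Deploy Steps - Windows
 
+permissions:
+contents: read
+actions: read
+
 on:
 workflow_call:
 inputs:
@@ -307,28 +311,24 @@ jobs:
 "WEBAPP_URL=$WEBAPP_URL" | Out-File -FilePath $env:GITHUB_OUTPUT -Encoding utf8 -Append
 
 - name: Run Post deployment scripts
-shell: pwsh
+shell: bash
 env:
 INPUT_RESOURCE_GROUP_NAME: ${{ inputs.RESOURCE_GROUP_NAME }}
+AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+AZURE_RESOURCE_GROUP: ${{ inputs.RESOURCE_GROUP_NAME }}
+BACKEND_URL: ${{ steps.get_output_windows.outputs.BACKEND_URL }}
+AZURE_STORAGE_ACCOUNT_NAME: ${{ steps.get_output_windows.outputs.AZURE_STORAGE_ACCOUNT_NAME }}
+AZURE_STORAGE_CONTAINER_NAME: sample-dataset
+AZURE_AI_SEARCH_NAME: ${{ steps.get_output_windows.outputs.AZURE_AI_SEARCH_NAME }}
+AZURE_AI_SEARCH_INDEX_NAME: sample-dataset-index
+AZURE_ENV_NAME: ${{ steps.get_output_windows.outputs.AZURE_ENV_NAME }}
 run: |
-Set-StrictMode -Version Latest
-$ErrorActionPreference = "Stop"
-
+set -e
 az account set --subscription "${{ secrets.AZURE_SUBSCRIPTION_ID }}"
-
-# Set environment variables for team_config_and_data.ps1
-$env:AZURE_SUBSCRIPTION_ID = "${{ secrets.AZURE_SUBSCRIPTION_ID }}"
-$env:AZURE_RESOURCE_GROUP = "$env:INPUT_RESOURCE_GROUP_NAME"
-$env:BACKEND_URL = "${{ steps.get_output_windows.outputs.BACKEND_URL }}"
-$env:AZURE_STORAGE_ACCOUNT_NAME = "${{ steps.get_output_windows.outputs.AZURE_STORAGE_ACCOUNT_NAME }}"
-$env:AZURE_STORAGE_CONTAINER_NAME = "sample-dataset"
-$env:AZURE_AI_SEARCH_NAME = "${{ steps.get_output_windows.outputs.AZURE_AI_SEARCH_NAME }}"
-$env:AZURE_AI_SEARCH_INDEX_NAME = "sample-dataset-index"
-$env:AZURE_ENV_NAME = "${{ steps.get_output_windows.outputs.AZURE_ENV_NAME }}"
-
+
 # Upload team configurations and index sample data in one step
 # Automatically select "6" (All use cases) for non-interactive deployment
-bash -c "echo 6 | pwsh -File infra/scripts/Selecting-Team-Config-And-Data.ps1"
+echo "6" | bash infra/scripts/selecting_team_config_and_data.sh
 
 - name: Generate Deployment Summary
 if: always()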
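Review bot: The post-deployment step no longer exercises `Selecting-Team-Config-And-Data.ps1`: it now runs `infra/scripts/selecting_team_config_and_data.sh` under `shell: bash`, so the Windows job tests the same script as the Linux job. If this job runs on a Windows runner (the `runs-on` line is outside the hunk), bash there is Git Bash, and a checkout that converts line endings to CRLF would break the `.sh` script. Confirm the script is checked out with LF, for instance through a `.gitattributes` rule such as `*.sh text eol=lf`, and that the tools it calls resolve in that shell. If losing PowerShell coverage is intentional, say so in a comment above `shell: bash`; the preceding step in the hunk still writes `GITHUB_OUTPUT` with PowerShell syntax, so the job mixes both shells.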
