Add workflow to sync contrib resource types and publish Bicep extensions #11916

Merged: kachawla merged 8 commits into main from kachawla/contrib-sync-workflow on May 19, 2026

kachawla (Member) commented May 15, 2026

Overview

Today the radius Bicep extension is published to biceptypes.azurecr.io via the existing build-and-push-bicep-types job in build.yaml, which dispatches to the radius-publisher pipeline on every push to main and on version tag pushes. With #11915 updating make generate-bicep-types to include contrib types, the existing publish pipeline automatically produces the combined extension -- no new publish workflow is needed.

However, there is no automation to pull updated resource type manifests from resource-types-contrib into this repo. When someone merges a schema change or a new resource type in contrib, the manifest copies committed under deploy/manifest/built-in-providers/ must be refreshed manually via make update-resource-types before the next publish picks them up.

This PR adds a workflow that closes that gap by automating the manifest sync.

How it works

resource-types-contrib merges to main
  |
  +--> notify-radius.yaml (contrib repo, PR 4) fires repository_dispatch
         |
         +--> contrib-update-resource-types.yaml (this PR) receives dispatch
                |
                +--> Runs 'make update-resource-types' to refresh manifest copies
                +--> Opens/updates PR on bot/update-resource-types branch
                       |
                       +--> Human reviews and merges the PR
                              |
                              +--> Push to main triggers build.yaml's existing
                                   build-and-push-bicep-types job
                                     |
                                     +--> Dispatches to radius-publisher
                                     +--> radius-publisher runs make generate-bicep-types
                                          (now includes contrib) and publishes
                                          radius:latest to biceptypes.azurecr.io

What this PR adds

contrib-update-resource-types.yaml

Handles repository_dispatch events (type: resource-types-contrib-updated) from resource-types-contrib.

Triggers:

  • repository_dispatch -- fired by the contrib repo's notify-radius.yaml workflow (PR 4)
  • workflow_dispatch -- commented out for production, can be enabled during development

Steps:

  1. Validates contrib_ref as a hex commit SHA (informational only -- the actual version fetched is determined by make update-resource-types which runs go get ...@latest)
  2. Installs yq (required by make update-resource-types to parse defaults.yaml)
  3. Runs make update-resource-types to bump go.mod to latest contrib and copy manifests
  4. If changes are detected (using git status --porcelain to catch both modified and new untracked files), opens or updates a PR on the bot/update-resource-types branch
  5. Merging that PR triggers the existing publish pipeline to republish radius:latest

Security:

  • contrib_ref is validated against ^[a-f0-9]{7,40}$ and passed via environment variables (not inline ${{ }} interpolation) to prevent shell and script injection
  • Uses GH_RAD_CI_BOT_PAT for checkout and PR creation so the resulting push triggers CI checks (the default GITHUB_TOKEN cannot trigger workflows on pushes it creates)

Note: This workflow depends on make update-resource-types from #11911. It includes a pre-flight check that fails fast with a descriptive error if the target is not yet available.

Dependencies

Changes

  • .github/workflows/contrib-update-resource-types.yaml: New workflow

Part of

Unified Bicep extension publishing (PR 3/4). See design doc.
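
The `contrib_ref` handling described under Security above, as an added example that is not part of this PR or the Radius workflow: a POSIX shell check equivalent to `^[a-f0-9]{7,40}$`, and a contrast between a value pasted into script text and one read from an environment variable. The names `CONTRIB_REF`, `classify_contrib_ref`, `marker_created` and the sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the Radius workflow's code.
# Assumption: the step gets the dispatch payload field through `env:`, e.g.
#   env:
#     CONTRIB_REF: ${{ github.event.client_payload.contrib_ref }}
# so the script text is constant and the value is only ever "$CONTRIB_REF".

# Constructed sample: a harmless value containing shell metacharacters.
INJECTION_SAMPLE='0000000"; touch marker; echo "'

# classify_contrib_ref VALUE (hypothetical helper)
# Prints absent, valid or invalid; returns non-zero only for invalid.
# Whole-string equivalent of ^[a-f0-9]{7,40}$. grep is avoided on purpose:
# it matches per line, so a multi-line value whose first line looks like a
# SHA would pass `grep -E`.
classify_contrib_ref() {
  _ref=${1-}
  if [ -z "$_ref" ]; then
    echo absent
    return 0
  fi
  if [ "${#_ref}" -lt 7 ] || [ "${#_ref}" -gt 40 ]; then
    echo invalid
    return 1
  fi
  # Explicit character list: ranges such as a-f can be locale-dependent.
  case $_ref in
    *[!0123456789abcdef]*) echo invalid; return 1 ;;
  esac
  echo valid
}

# marker_created MODE VALUE (hypothetical helper)
# Runs a one-line step in a scratch directory and prints yes if a file named
# "marker" appeared, i.e. if part of VALUE was executed as a command.
#   inline: VALUE is pasted into the script text, as ${{ }} inside run: does
#   env:    script text is fixed, VALUE arrives as $CONTRIB_REF
marker_created() {
  _dir=$(mktemp -d) || return 2
  case $1 in
    inline) (cd "$_dir" && sh -c "echo \"ref: $2\"") >/dev/null 2>&1 || true ;;
    env)    (cd "$_dir" && CONTRIB_REF=$2 sh -c 'echo "ref: $CONTRIB_REF"') >/dev/null 2>&1 || true ;;
    *)      rm -rf "$_dir"; return 2 ;;
  esac
  if [ -e "$_dir/marker" ]; then echo yes; else echo no; fi
  rm -rf "$_dir"
}

# Demo over constructed inputs (4c2a92d is the merge commit shown on this page).
for _s in 4c2a92d 4C2A92D abc123 "$INJECTION_SAMPLE"; do
  _r=$(classify_contrib_ref "$_s") || true
  printf '%-8s %s\n' "$_r" "$_s"
done
printf 'inline interpolation ran injected command: %s\n' "$(marker_created inline "$INJECTION_SAMPLE")"
printf 'env variable ran injected command:         %s\n' "$(marker_created env "$INJECTION_SAMPLE")"
```

The validation step itself has to receive the value through `env:`; a check written inside a `run:` block that interpolates the value inline is parsed only after the substitution has already happened.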

Add contrib-update-resource-types.yaml workflow that receives
repository_dispatch events from resource-types-contrib whenever its
main branch updates. The workflow:

1. Validates the contrib_ref from the dispatch payload as a hex SHA
2. Installs yq (required by make update-resource-types)
3. Runs make update-resource-types to bump go.mod to the latest
   resource-types-contrib version and copy manifests into
   deploy/manifest/built-in-providers/
4. If changes are detected (including new untracked files), opens or
   updates a PR on the bot/update-resource-types branch
5. Merging that PR triggers the existing build-and-push-bicep-types
   job in build.yaml, which dispatches to radius-publisher to
   republish radius:latest with the refreshed contrib types

Uses GH_RAD_CI_BOT_PAT for checkout and PR creation so the resulting
push triggers CI checks (the default GITHUB_TOKEN cannot trigger
workflows on pushes it creates).

Part of: unified Bicep extension publishing (PR 3/4)

Signed-off-by: Karishma Chawla <[email protected]>
Copilot AI review requested due to automatic review settings May 15, 2026 22:46
@kachawla kachawla requested review from a team as code owners May 15, 2026 22:46
github-actions Bot commented May 15, 2026

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package: actions/actions/checkout | Version: de0fac2e4500dabe0009e67214ff5f5447ce83dd | Score: 🟢 5.7

| Check | Score | Reason |
|---|---|---|
| Code-Review | 🟢 10 | all changesets reviewed |
| Maintained | ⚠️ 0 | 1 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| Pinned-Dependencies | ⚠️ 3 | dependency not pinned by hash detected -- score normalized to 3 |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| License | 🟢 10 | license file detected |
| Signed-Releases | ⚠️ -1 | no releases found |
| Security-Policy | 🟢 9 | security policy file detected |
| Branch-Protection | 🟢 5 | branch protection is not maximal on development and all release branches |
| SAST | 🟢 8 | SAST tool detected but not run on all commits |

Package: actions/actions/create-github-app-token | Version: bcd2ba49218906704ab6c1aa796996da409d3eb1 | Score: 🟢 6.1

| Check | Score | Reason |
|---|---|---|
| Code-Review | ⚠️ 2 | Found 3/14 approved changesets -- score normalized to 2 |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| Maintained | 🟢 10 | 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions |
| Pinned-Dependencies | 🟢 7 | dependency not pinned by hash detected -- score normalized to 7 |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| License | 🟢 10 | license file detected |
| Signed-Releases | ⚠️ -1 | no releases found |
| Security-Policy | 🟢 9 | security policy file detected |
| SAST | 🟢 6 | SAST tool is not run on all commits -- score normalized to 6 |
| Branch-Protection | 🟢 6 | branch protection is not maximal on development and all release branches |

Package: actions/actions/github-script | Version: 3a2844b7e9c422d3c10d287c895573f7108da1b3 | Score: 🟢 7.7

| Check | Score | Reason |
|---|---|---|
| Code-Review | 🟢 10 | all changesets reviewed |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| Maintained | 🟢 10 | 21 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| Token-Permissions | 🟢 9 | detected GitHub workflow tokens with excessive permissions |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Pinned-Dependencies | ⚠️ 1 | dependency not pinned by hash detected -- score normalized to 1 |
| License | 🟢 10 | license file detected |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| Signed-Releases | ⚠️ -1 | no releases found |
| SAST | 🟢 10 | SAST tool is run on all commits |
| Security-Policy | 🟢 9 | security policy file detected |
| Branch-Protection | 🟢 5 | branch protection is not maximal on development and all release branches |

Package: actions/actions/setup-go | Version: 4a3601121dd01d1626a1e23e37211e3254c1c06c | Score: 🟢 5.6

| Check | Score | Reason |
|---|---|---|
| Code-Review | 🟢 10 | all changesets reviewed |
| Maintained | 🟢 5 | 6 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 5 |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0 |
| Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| License | 🟢 10 | license file detected |
| Signed-Releases | ⚠️ -1 | no releases found |
| Security-Policy | 🟢 9 | security policy file detected |
| Branch-Protection | ⚠️ 0 | branch protection not enabled on development/release branches |
| SAST | 🟢 10 | SAST tool is run on all commits |

Scanned Files

  • .github/workflows/contrib-update-resource-types.yaml

Copilot AI (Contributor) left a comment

Pull request overview

Adds a new GitHub Actions workflow that listens for repository_dispatch events from radius-project/resource-types-contrib, runs make update-resource-types to refresh the manifest copies under deploy/manifest/built-in-providers/, and opens (or refreshes) a PR on bot/update-resource-types. Merging that PR triggers the existing build-and-push-bicep-types job to republish the unified Bicep extension.

Changes:

  • New workflow contrib-update-resource-types.yaml reacting to resource-types-contrib-updated dispatch events
  • Validates the optional contrib_ref payload as a hex SHA, installs Go + yq, runs make update-resource-types, and force-pushes to bot/update-resource-types
  • Uses actions/github-script with GH_RAD_CI_BOT_PAT to create or update the PR idempotently

github-actions Bot commented May 15, 2026

Unit Tests

    2 files  ±0    423 suites  ±0   7m 7s ⏱️ -24s
5 145 tests ±0  5 143 ✅ ±0  2 💤 ±0  0 ❌ ±0 
6 183 runs  ±0  6 181 ✅ ±0  2 💤 ±0  0 ❌ ±0 

Results for commit f9e1e49. ± Comparison against base commit 1e0c593.

♻️ This comment has been updated with latest results.

codecov Bot commented May 15, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 51.71%. Comparing base (1e0c593) to head (f9e1e49).

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #11916      +/-   ##
==========================================
- Coverage   51.71%   51.71%   -0.01%     
==========================================
  Files         725      725              
  Lines       45629    45629              
==========================================
- Hits        23599    23595       -4     
- Misses      19789    19791       +2     
- Partials     2241     2243       +2     


Signed-off-by: Karishma Chawla <[email protected]>
nithyatsu previously approved these changes May 16, 2026
Comment thread .github/workflows/contrib-update-resource-types.yaml Outdated
Comment thread .github/workflows/contrib-update-resource-types.yaml Outdated
Comment thread .github/workflows/contrib-update-resource-types.yaml Outdated
@kachawla kachawla force-pushed the kachawla/contrib-sync-workflow branch from 827c35c to ef7e043 Compare May 18, 2026 22:47
kachawla added a commit to radius-project/resource-types-contrib that referenced this pull request May 19, 2026
## Overview

Today the `radius` Bicep extension published to `biceptypes.azurecr.io`
includes core namespaces (`Applications.Core`, `Applications.Dapr`,
etc.) and, with
[radius#11915](radius-project/radius#11915),
also includes contrib resource types (`Radius.Compute`, `Radius.Data`,
`Radius.Security`). However, when resource type manifests change in this
repo, there is no automation to notify the Radius repo so it can refresh
its manifest copies and republish the extension.

This PR adds a workflow that fires a `repository_dispatch` event to
`radius-project/radius` whenever resource type manifests are updated on
`main`, triggering the Radius repo's automated sync and publish
pipeline.

## End-to-end flow

```
resource-types-contrib merges to main
  |
  +--> notify-radius.yaml (this PR) fires repository_dispatch
         |
         +--> contrib-update-resource-types.yaml (radius repo) receives dispatch
                |
                +--> Runs 'make update-resource-types' to refresh manifest copies
                +--> Opens/updates PR on bot/update-resource-types branch
                       |
                       +--> Human reviews and merges the PR
                              |
                              +--> Push to main triggers build.yaml's existing
                                   build-and-push-bicep-types job
                                     |
                                     +--> Dispatches to radius-publisher
                                     +--> Publishes radius:latest to biceptypes.azurecr.io
```

## What this PR adds

### `notify-radius.yaml`

**Trigger:** Push to `main` touching any YAML file, excluding `.github/`
and `docs/`. This avoids hardcoding namespace folder names (`Compute/`,
`Data/`, `Security/`) so new top-level namespace folders are
automatically covered without workflow changes.

**What it does:**
1. Sends a `resource-types-contrib-updated` dispatch event to
`radius-project/radius` using `peter-evans/repository-dispatch@v3`
2. Includes the commit SHA in the payload for traceability
(informational only -- the Radius workflow always fetches `@latest`)
3. Writes a summary to the GitHub Actions UI

**What happens if a non-manifest YAML changes?** The Radius workflow
runs `make update-resource-types`, finds no diff, and exits cleanly
without opening a PR. A no-op CI run (~1 minute) is the only cost.

**What happens if a new namespace folder is added here but not in
`defaults.yaml`?** Only types listed in the Radius repo's
`deploy/manifest/defaults.yaml` are included in the extension. The
dispatch fires but `make update-resource-types` finds no changes for the
unlisted namespace and no PR is opened. The new types only appear in the
extension when someone adds them to `defaults.yaml` in the Radius repo.

## Dependencies

- Radius repo: [Add workflow to sync contrib resource types and publish
Bicep extensions](radius-project/radius#11916)
-- the receiver of the dispatch
- Required secret: `GH_RAD_CI_BOT_PAT` with `repo` scope on
`radius-project/radius`

## Changes

- `.github/workflows/notify-radius.yaml`: New workflow

## Part of

Unified Bicep extension publishing (PR 4/4). See [design
doc](radius-project/radius#11892).

---------

Signed-off-by: Karishma Chawla <[email protected]>
radius-functional-tests Bot commented May 19, 2026

Radius functional test overview

Test run details:

| Name | Value |
|---|---|
| Repository | radius-project/radius |
| Commit ref | f9e1e49 |
| Unique ID | func90db0362b6 |
| Image tag | pr-func90db0362b6 |

  • gotestsum 1.13.0
  • KinD: v0.29.0
  • Dapr: 1.14.4
  • Azure KeyVault CSI driver: 1.4.2
  • Azure Workload identity webhook: 1.3.0
  • Bicep recipe location ghcr.io/radius-project/dev/test/testrecipes/test-bicep-recipes/<name>:pr-func90db0362b6
  • Terraform recipe location http://tf-module-server.radius-test-tf-module-server.svc.cluster.local/<name>.zip (in cluster)
  • applications-rp test image location: ghcr.io/radius-project/dev/applications-rp:pr-func90db0362b6
  • dynamic-rp test image location: ghcr.io/radius-project/dev/dynamic-rp:pr-func90db0362b6
  • controller test image location: ghcr.io/radius-project/dev/controller:pr-func90db0362b6
  • ucp test image location: ghcr.io/radius-project/dev/ucpd:pr-func90db0362b6
  • deployment-engine test image location: ghcr.io/radius-project/deployment-engine:latest

Test Status

⌛ Building Radius and pushing container images for functional tests...
✅ Container images build succeeded
⌛ Publishing Bicep Recipes for functional tests...
✅ Recipe publishing succeeded
⌛ Starting ucp-cloud functional tests...
⌛ Starting corerp-cloud functional tests...
✅ ucp-cloud functional tests succeeded
✅ corerp-cloud functional tests succeeded

@DariuszPorowski DariuszPorowski linked an issue May 19, 2026 that may be closed by this pull request
@kachawla kachawla merged commit 4c2a92d into main May 19, 2026
57 checks passed
@kachawla kachawla deleted the kachawla/contrib-sync-workflow branch May 19, 2026 18:59
zachcasper pushed a commit to zachcasper/radius that referenced this pull request May 19, 2026
…ons (radius-project#11916)

## Overview

Today the `radius` Bicep extension is published to
`biceptypes.azurecr.io` via the existing
[`build-and-push-bicep-types`](https://github.com/radius-project/radius/blob/main/.github/workflows/build.yaml#L356)
job in `build.yaml`, which dispatches to the `radius-publisher` pipeline
on every push to `main` and on version tag pushes. With
[radius-project#11915](radius-project#11915) updating
`make generate-bicep-types` to include contrib types, the existing
publish pipeline automatically produces the combined extension -- no new
publish workflow is needed.

However, there is no automation to pull updated resource type manifests
from `resource-types-contrib` into this repo. When someone merges a
schema change or a new resource type in contrib, the manifest copies
committed under `deploy/manifest/built-in-providers/` must be refreshed
manually via `make update-resource-types` before the next publish picks
them up.

This PR adds a workflow that closes that gap by automating the manifest
sync.

## How it works

```
resource-types-contrib merges to main
  |
  +--> notify-radius.yaml (contrib repo, PR 4) fires repository_dispatch
         |
         +--> contrib-update-resource-types.yaml (this PR) receives dispatch
                |
                +--> Runs 'make update-resource-types' to refresh manifest copies
                +--> Opens/updates PR on bot/update-resource-types branch
                       |
                       +--> Human reviews and merges the PR
                              |
                              +--> Push to main triggers build.yaml's existing
                                   build-and-push-bicep-types job
                                     |
                                     +--> Dispatches to radius-publisher
                                     +--> radius-publisher runs make generate-bicep-types
                                          (now includes contrib) and publishes
                                          radius:latest to biceptypes.azurecr.io
```

## What this PR adds

### `contrib-update-resource-types.yaml`

Handles `repository_dispatch` events (type:
`resource-types-contrib-updated`) from `resource-types-contrib`.

**Triggers:**
- `repository_dispatch` -- fired by the contrib repo's
`notify-radius.yaml` workflow (PR 4)
- `workflow_dispatch` -- commented out for production, can be enabled
during development

**Steps:**
1. Validates `contrib_ref` as a hex commit SHA (informational only --
the actual version fetched is determined by `make update-resource-types`
which runs `go get ...@latest`)
2. Installs yq (required by `make update-resource-types` to parse
`defaults.yaml`)
3. Runs `make update-resource-types` to bump `go.mod` to latest contrib
and copy manifests
4. If changes are detected (using `git status --porcelain` to catch both
modified and new untracked files), opens or updates a PR on the
`bot/update-resource-types` branch
5. Merging that PR triggers the existing publish pipeline to republish
`radius:latest`

**Security:**
- `contrib_ref` is validated against `^[a-f0-9]{7,40}$` and passed via
environment variables (not inline `${{ }}` interpolation) to prevent
shell and script injection
- Uses `GH_RAD_CI_BOT_PAT` for checkout and PR creation so the resulting
push triggers CI checks (the default `GITHUB_TOKEN` cannot trigger
workflows on pushes it creates)

**Note:** This workflow depends on `make update-resource-types` from
[radius-project#11911](radius-project#11911). It
includes a pre-flight check that fails fast with a descriptive error if
the target is not yet available.

## Dependencies

- [Integrate contrib types into unified Bicep
extension](radius-project#11915)
- [Automated default resource type
registration](radius-project#11911)
(provides `make update-resource-types`)
- Required secret: `GH_RAD_CI_BOT_PAT`

## Changes

- `.github/workflows/contrib-update-resource-types.yaml`: New workflow

## Part of

Unified Bicep extension publishing (PR 3/4). See [design
doc](radius-project#11892).

---------

Signed-off-by: Karishma Chawla <[email protected]>
Co-authored-by: Nicole James <[email protected]>
Signed-off-by: Zach Casper <[email protected]>
Reshrahim pushed a commit to Reshrahim/radius that referenced this pull request Jun 15, 2026
…ons (radius-project#11916)

Signed-off-by: Karishma Chawla <[email protected]>
Co-authored-by: Nicole James <[email protected]>
Signed-off-by: Reshma Abdul Rahim <[email protected]>
Development

Successfully merging this pull request may close these issues.

[Design and Implement] Automate publishing extensions

5 participants