Add workflow to sync contrib resource types and publish Bicep extensions #11916
Add contrib-update-resource-types.yaml workflow that receives repository_dispatch events from resource-types-contrib whenever its main branch updates. The workflow:

1. Validates the contrib_ref from the dispatch payload as a hex SHA
2. Installs yq (required by make update-resource-types)
3. Runs make update-resource-types to bump go.mod to the latest resource-types-contrib version and copy manifests into deploy/manifest/built-in-providers/
4. If changes are detected (including new untracked files), opens or updates a PR on the bot/update-resource-types branch
5. Merging that PR triggers the existing build-and-push-bicep-types job in build.yaml, which dispatches to radius-publisher to republish radius:latest with the refreshed contrib types

Uses GH_RAD_CI_BOT_PAT for checkout and PR creation so the resulting push triggers CI checks (the default GITHUB_TOKEN cannot trigger workflows on pushes it creates).

Part of: unified Bicep extension publishing (PR 3/4)

Signed-off-by: Karishma Chawla <[email protected]>
Dependency Review
✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.
Pull request overview
Adds a new GitHub Actions workflow that listens for repository_dispatch events from radius-project/resource-types-contrib, runs make update-resource-types to refresh the manifest copies under deploy/manifest/built-in-providers/, and opens (or refreshes) a PR on bot/update-resource-types. Merging that PR triggers the existing build-and-push-bicep-types job to republish the unified Bicep extension.
Changes:
- New workflow `contrib-update-resource-types.yaml` reacting to `resource-types-contrib-updated` dispatch events
- Validates the optional `contrib_ref` payload as a hex SHA, installs Go + yq, runs `make update-resource-types`, and force-pushes to `bot/update-resource-types`
- Uses `actions/github-script` with `GH_RAD_CI_BOT_PAT` to create or update the PR idempotently
Codecov Report
✅ All modified and coverable lines are covered by tests.
@@ Coverage Diff @@
## main #11916 +/- ##
==========================================
- Coverage 51.71% 51.71% -0.01%
==========================================
Files 725 725
Lines 45629 45629
==========================================
- Hits 23599 23595 -4
- Misses 19789 19791 +2
- Partials 2241 2243 +2
Signed-off-by: Karishma Chawla <[email protected]>
Signed-off-by: Karishma Chawla <[email protected]>
827c35c to ef7e043
Signed-off-by: Karishma Chawla <[email protected]>
Signed-off-by: Karishma Chawla <[email protected]>
## Overview

Today the `radius` Bicep extension published to `biceptypes.azurecr.io` includes core namespaces (`Applications.Core`, `Applications.Dapr`, etc.) and, with [radius#11915](radius-project/radius#11915), also includes contrib resource types (`Radius.Compute`, `Radius.Data`, `Radius.Security`). However, when resource type manifests change in this repo, there is no automation to notify the Radius repo so it can refresh its manifest copies and republish the extension.

This PR adds a workflow that fires a `repository_dispatch` event to `radius-project/radius` whenever resource type manifests are updated on `main`, triggering the Radius repo's automated sync and publish pipeline.

## End-to-end flow

```
resource-types-contrib merges to main
  |
  +--> notify-radius.yaml (this PR) fires repository_dispatch
         |
         +--> contrib-update-resource-types.yaml (radius repo) receives dispatch
                |
                +--> Runs 'make update-resource-types' to refresh manifest copies
                +--> Opens/updates PR on bot/update-resource-types branch
                       |
                       +--> Human reviews and merges the PR
                              |
                              +--> Push to main triggers build.yaml's existing build-and-push-bicep-types job
                                     |
                                     +--> Dispatches to radius-publisher
                                     +--> Publishes radius:latest to biceptypes.azurecr.io
```

## What this PR adds

### `notify-radius.yaml`

**Trigger:** Push to `main` touching any YAML file, excluding `.github/` and `docs/`. This avoids hardcoding namespace folder names (`Compute/`, `Data/`, `Security/`) so new top-level namespace folders are automatically covered without workflow changes.

**What it does:**

1. Sends a `resource-types-contrib-updated` dispatch event to `radius-project/radius` using `peter-evans/repository-dispatch@v3`
2. Includes the commit SHA in the payload for traceability (informational only -- the Radius workflow always fetches `@latest`)
3. Writes a summary to the GitHub Actions UI

**What happens if a non-manifest YAML changes?** The Radius workflow runs `make update-resource-types`, finds no diff, and exits cleanly without opening a PR. A no-op CI run (~1 minute) is the only cost.

**What happens if a new namespace folder is added here but not in `defaults.yaml`?** Only types listed in the Radius repo's `deploy/manifest/defaults.yaml` are included in the extension. The dispatch fires but `make update-resource-types` finds no changes for the unlisted namespace and no PR is opened. The new types only appear in the extension when someone adds them to `defaults.yaml` in the Radius repo.

## Dependencies

- Radius repo: [Add workflow to sync contrib resource types and publish Bicep extensions](radius-project/radius#11916) -- the receiver of the dispatch
- Required secret: `GH_RAD_CI_BOT_PAT` with `repo` scope on `radius-project/radius`

## Changes

- `.github/workflows/notify-radius.yaml`: New workflow

## Part of

Unified Bicep extension publishing (PR 4/4). See [design doc](radius-project/radius#11892).

---------

Signed-off-by: Karishma Chawla <[email protected]>
…ons (radius-project#11916)

## Overview

Today the `radius` Bicep extension is published to `biceptypes.azurecr.io` via the existing [`build-and-push-bicep-types`](https://github.com/radius-project/radius/blob/main/.github/workflows/build.yaml#L356) job in `build.yaml`, which dispatches to the `radius-publisher` pipeline on every push to `main` and on version tag pushes. With [radius-project#11915](radius-project#11915) updating `make generate-bicep-types` to include contrib types, the existing publish pipeline automatically produces the combined extension -- no new publish workflow is needed.

However, there is no automation to pull updated resource type manifests from `resource-types-contrib` into this repo. When someone merges a schema change or a new resource type in contrib, the manifest copies committed under `deploy/manifest/built-in-providers/` must be refreshed manually via `make update-resource-types` before the next publish picks them up.

This PR adds a workflow that closes that gap by automating the manifest sync.

## How it works

```
resource-types-contrib merges to main
  |
  +--> notify-radius.yaml (contrib repo, PR 4) fires repository_dispatch
         |
         +--> contrib-update-resource-types.yaml (this PR) receives dispatch
                |
                +--> Runs 'make update-resource-types' to refresh manifest copies
                +--> Opens/updates PR on bot/update-resource-types branch
                       |
                       +--> Human reviews and merges the PR
                              |
                              +--> Push to main triggers build.yaml's existing build-and-push-bicep-types job
                                     |
                                     +--> Dispatches to radius-publisher
                                     +--> radius-publisher runs make generate-bicep-types (now includes contrib)
                                          and publishes radius:latest to biceptypes.azurecr.io
```

## What this PR adds

### `contrib-update-resource-types.yaml`

Handles `repository_dispatch` events (type: `resource-types-contrib-updated`) from `resource-types-contrib`.

**Triggers:**

- `repository_dispatch` -- fired by the contrib repo's `notify-radius.yaml` workflow (PR 4)
- `workflow_dispatch` -- commented out for production, can be enabled during development

**Steps:**

1. Validates `contrib_ref` as a hex commit SHA (informational only -- the actual version fetched is determined by `make update-resource-types` which runs `go get ...@latest`)
2. Installs yq (required by `make update-resource-types` to parse `defaults.yaml`)
3. Runs `make update-resource-types` to bump `go.mod` to latest contrib and copy manifests
4. If changes are detected (using `git status --porcelain` to catch both modified and new untracked files), opens or updates a PR on the `bot/update-resource-types` branch
5. Merging that PR triggers the existing publish pipeline to republish `radius:latest`

**Security:**

- `contrib_ref` is validated against `^[a-f0-9]{7,40}$` and passed via environment variables (not inline `${{ }}` interpolation) to prevent shell and script injection
- Uses `GH_RAD_CI_BOT_PAT` for checkout and PR creation so the resulting push triggers CI checks (the default `GITHUB_TOKEN` cannot trigger workflows on pushes it creates)

**Note:** This workflow depends on `make update-resource-types` from [radius-project#11911](radius-project#11911). It includes a pre-flight check that fails fast with a descriptive error if the target is not yet available.

## Dependencies

- [Integrate contrib types into unified Bicep extension](radius-project#11915)
- [Automated default resource type registration](radius-project#11911) (provides `make update-resource-types`)
- Required secret: `GH_RAD_CI_BOT_PAT`

## Changes

- `.github/workflows/contrib-update-resource-types.yaml`: New workflow

## Part of

Unified Bicep extension publishing (PR 3/4). See [design doc](radius-project#11892).

---------

Signed-off-by: Karishma Chawla <[email protected]>
Co-authored-by: Nicole James <[email protected]>
Signed-off-by: Zach Casper <[email protected]>
…ons (radius-project#11916)

Signed-off-by: Karishma Chawla <[email protected]>
Co-authored-by: Nicole James <[email protected]>
Signed-off-by: Reshma Abdul Rahim <[email protected]>
## Overview

Today the `radius` Bicep extension is published to `biceptypes.azurecr.io` via the existing `build-and-push-bicep-types` job in `build.yaml`, which dispatches to the `radius-publisher` pipeline on every push to `main` and on version tag pushes. With #11915 updating `make generate-bicep-types` to include contrib types, the existing publish pipeline automatically produces the combined extension -- no new publish workflow is needed.

However, there is no automation to pull updated resource type manifests from `resource-types-contrib` into this repo. When someone merges a schema change or a new resource type in contrib, the manifest copies committed under `deploy/manifest/built-in-providers/` must be refreshed manually via `make update-resource-types` before the next publish picks them up.

This PR adds a workflow that closes that gap by automating the manifest sync.

## How it works

```
resource-types-contrib merges to main
  |
  +--> notify-radius.yaml (contrib repo, PR 4) fires repository_dispatch
         |
         +--> contrib-update-resource-types.yaml (this PR) receives dispatch
                |
                +--> Runs 'make update-resource-types' to refresh manifest copies
                +--> Opens/updates PR on bot/update-resource-types branch
                       |
                       +--> Human reviews and merges the PR
                              |
                              +--> Push to main triggers build.yaml's existing build-and-push-bicep-types job
                                     |
                                     +--> Dispatches to radius-publisher
                                     +--> radius-publisher runs make generate-bicep-types (now includes contrib)
                                          and publishes radius:latest to biceptypes.azurecr.io
```

## What this PR adds

### `contrib-update-resource-types.yaml`

Handles `repository_dispatch` events (type: `resource-types-contrib-updated`) from `resource-types-contrib`.

**Triggers:**

- `repository_dispatch` -- fired by the contrib repo's `notify-radius.yaml` workflow (PR 4)
- `workflow_dispatch` -- commented out for production, can be enabled during development

**Steps:**

1. Validates `contrib_ref` as a hex commit SHA (informational only -- the actual version fetched is determined by `make update-resource-types` which runs `go get ...@latest`)
2. Installs yq (required by `make update-resource-types` to parse `defaults.yaml`)
3. Runs `make update-resource-types` to bump `go.mod` to latest contrib and copy manifests
4. If changes are detected (using `git status --porcelain` to catch both modified and new untracked files), opens or updates a PR on the `bot/update-resource-types` branch
5. Merging that PR triggers the existing publish pipeline to republish `radius:latest`

**Security:**

- `contrib_ref` is validated against `^[a-f0-9]{7,40}$` and passed via environment variables (not inline `${{ }}` interpolation) to prevent shell and script injection
- Uses `GH_RAD_CI_BOT_PAT` for checkout and PR creation so the resulting push triggers CI checks (the default `GITHUB_TOKEN` cannot trigger workflows on pushes it creates)

**Note:** This workflow depends on `make update-resource-types` from #11911. It includes a pre-flight check that fails fast with a descriptive error if the target is not yet available.

## Dependencies

- [Integrate contrib types into unified Bicep extension](radius-project#11915)
- [Automated default resource type registration](radius-project#11911) (provides `make update-resource-types`)
- Required secret: `GH_RAD_CI_BOT_PAT`

## Changes

- `.github/workflows/contrib-update-resource-types.yaml`: New workflow

## Part of

Unified Bicep extension publishing (PR 3/4). See design doc.
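
The `contrib_ref` validation and the `git status --porcelain` change check from the steps above, sketched as an added example (this is not the workflow's actual code). The variable name `CONTRIB_REF`, the function names and the sample inputs are assumptions constructed for illustration; the example also shows why the `^[a-f0-9]{7,40}$` check has to cover the whole value rather than one line of it.

```sh
#!/bin/sh
# Added example, not the project's workflow code. In a workflow the value
# would reach the script through an `env:` mapping (assumed name CONTRIB_REF),
# never through inline ${{ }} interpolation in the script text.

# Whole-string equivalent of ^[a-f0-9]{7,40}$ using only POSIX features.
# Exit status: 0 = valid, 1 = rejected, 2 = empty (the payload field is optional).
validate_contrib_ref() (
    ref=$1
    [ -n "$ref" ] || exit 2
    LC_ALL=C                       # keep the a-f range byte-based in every locale
    case $ref in
        *[!a-f0-9]*) exit 1 ;;     # any other byte, newline included, rejects
    esac
    len=${#ref}
    [ "$len" -ge 7 ] && [ "$len" -le 40 ]
)

# Pitfall shown for comparison: grep matches line by line, so a multi-line
# value is accepted as soon as ONE of its lines looks like a SHA.
line_oriented_check() {
    printf '%s\n' "$1" | grep -Eq '^[a-f0-9]{7,40}$'
}

# Step 4: `git status --porcelain` reports modified AND untracked files, while
# `git diff --quiet` ignores files git has never seen (a newly copied manifest).
has_pending_changes() {
    [ -n "$(git -C "$1" status --porcelain)" ]
}

NL='
'
# Constructed sample values: valid, uppercase, shell metacharacters,
# two-line value, and empty.
demo() {
    for candidate in "3f9c2ab" "3F9C2AB" "abc1234; echo injected" \
                     "abc1234${NL}echo injected" ""; do
        rc=0
        validate_contrib_ref "$candidate" || rc=$?
        shown=$(printf '%s' "$candidate" | tr '\n' '|')
        printf 'status=%s  value=[%s]\n' "$rc" "$shown"
    done
}
demo
```

In a workflow step, the script would call `validate_contrib_ref "$CONTRIB_REF"` and stop on status 1, treating status 2 as "no ref supplied".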