Merge branch 'main' into testfork

.github/CODEOWNERS

@@ -1,9 +1,2 @@
-# Documentation and examples for what this does:
-#
-#  https://docs.github.com/en/github/creating-cloning-and-archiving-repositories/about-code-owners
-
-# This file is a list of rules, with the last rule being most specific
-# All of the people (and only those people) from the matching rule will be notified
-
-# Default rule: anything that doesn't match a more specific rule goes here
-* @radius-project/maintainers-radius @radius-project/approvers-radius @sk593
+# These owners are the maintainers and approvers of this repo
+*       @radius-project/maintainers-bicep-types-aws @radius-project/approvers-bicep-types-aws

.github/actions/download-pr-data-artifact/action.yaml

@@ -0,0 +1,43 @@
+name: "Download PR number saved as an artifact"
+description: |
+  This action can be used together with save-pr-as-artifact custom action which uploads the PR number as an artifact.
+  This action downloads the artifact to retrieve the PR number.
+outputs:
+  "pr_number":
+    value: ${{ steps.set-pr-number.outputs.pr_number }}
+    description: The PR number downloaded from the artifact
+runs:
+  using: "composite"
+  steps:
+    - name: Download artifact
+      uses: actions/github-script@v7
+      with:
+        script: |
+          let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              run_id: context.payload.workflow_run.id,
+          });
+          let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => {
+            return artifact.name == "pr_number"
+          })[0];
+          let download = await github.rest.actions.downloadArtifact({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              artifact_id: matchArtifact.id,
+              archive_format: 'zip',
+          });
+          let fs = require('fs');
+          fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/pr_number.zip`, Buffer.from(download.data));
+    - name: "Unzip artifact"
+      shell: bash
+      run: unzip pr_number.zip
+    - name: Set PR number
+      id: set-pr-number
+      uses: actions/github-script@v7
+      with:
+        script: |
+          let fs = require('fs');
+          PR_NUMBER=fs.readFileSync('./pr_number').toString();
+          console.log(`Setting output: pr_number=${PR_NUMBER}`);
+          core.setOutput('pr_number', PR_NUMBER);

.github/actions/save-pr-as-artifact/action.yaml

@@ -0,0 +1,16 @@
+name: "Save PR number as artifact"
+description: "Save PR number as artifact"
+runs:
+  using: "composite"
+  steps:
+    - name: Save PR number
+      shell: bash
+      env:
+        PR_NUMBER: ${{ github.event.number }}
+      run: |
+        mkdir -p ./pr
+        echo $PR_NUMBER > ./pr/pr_number
+    - uses: actions/upload-artifact@v4
+      with:
+        name: pr_number
+        path: pr/

.github/workflows/approve-publish.yaml

@@ -0,0 +1,23 @@
+name: Approve Publish Bicep Types
+
+on:
+  pull_request:
+    branches:
+      - main
+      - features/*
+      - release/*
+
+jobs:
+  approve-publish:
+    name: "Approve Publish Bicep Types"
+    runs-on: ubuntu-latest
+    environment: publish-bicep
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Save PR number
+        uses: ./.github/actions/save-pr-as-artifact
+
+      - name: Publish Bicep
+        run: echo "Publishing Bicep types..."

.github/workflows/devops-board.yaml

@@ -35,7 +35,7 @@ jobs:
           # https://learn.microsoft.com/azure/devops/integrate/get-started/authentication/service-principal-managed-identity
           echo "ADO_TOKEN=$(az account get-access-token --resource 499b84ac-1321-427f-aa17-267ca6975798 --query "accessToken" --output tsv)" >> $GITHUB_ENV
       - name: Sync issue to Azure DevOps
-        uses: danhellem/github-actions-issue-to-work-item@v2.3
+        uses: danhellem/github-actions-issue-to-work-item@v2.4
         env:
           ado_token: ${{ env.ADO_TOKEN }}
           github_token: '${{ secrets.GH_RAD_CI_BOT_PAT }}'

.github/workflows/publish-bicep.yaml

@@ -21,88 +21,165 @@ on:
       - main
     tags:
       - v*
-  pull_request:
-    branches:
-      - main
+  workflow_run:
+    workflows: ["Approve Publish Bicep Types"]
+    types:
+      - completed
   workflow_dispatch:
     inputs: {}
 
 permissions:
       id-token: write
       contents: read
+      checks: write
 
 env: 
   # bicep-types ACR url for uploading AWS Bicep types
   BICEP_TYPES_REGISTRY: 'biceptypes.azurecr.io'
   AWS_REGION: us-west-2
   CI_PUBLISH_RELEASE: ${{ github.repository == 'radius-project/bicep-types-aws' && startsWith(github.ref, 'refs/tags/v') && github.event_name == 'push' }}
   CI_PUBLISH_LATEST: ${{ github.repository == 'radius-project/bicep-types-aws' && github.ref == 'refs/heads/main' && github.event_name == 'push' }}
+  PUBLISH_BICEP_APP_ID: 1077084
 
 jobs:
   build-and-push-bicep-types:
     name: Publish Radius bicep types to ACR
     runs-on: ubuntu-latest
-    environment: publish-bicep
-    steps: 
+    steps:
+      - name: Get GitHub app token
+        uses: tibdex/github-app-token@v2
+        id: get_installation_token
+        with:
+          app_id: ${{ env.PUBLISH_BICEP_APP_ID }}
+          private_key: ${{ secrets.PUBLISH_BICEP_APP_PRIVATE_KEY }}
+
+      - name: Set up checkout target (push)
+        if: github.event_name == 'push'
+        run: |
+          echo "CHECKOUT_REPO=${{ github.repository }}" >> $GITHUB_ENV
+          echo "CHECKOUT_REF=refs/heads/main" >> $GITHUB_ENV
+
       - name: Check out code
         uses: actions/checkout@v4
+
+      - name: "Download PR data artifacts"
+        if: github.event_name == 'workflow_run'
+        uses: ./.github/actions/download-pr-data-artifact
+        id: get-pr-number
+
+      - name: "Set PR context (workflow_run)"
+        if: github.event_name == 'workflow_run'
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const payload = context.payload.workflow_run;
+            let fs = require('fs');
+            // Set environment variables
+            fs.appendFileSync(process.env.GITHUB_ENV,
+              `CHECKOUT_REPO=${payload.head_repository.full_name}\n`+
+              `CHECKOUT_REF=${payload.head_sha}\n` +
+              `PR_NUMBER=${{ steps.get-pr-number.outputs.pr_number }}\n`);
+
+      - uses: LouisBrunner/[email protected]
+        id: create_check_run
+        if: always()
+        with:
+          token: ${{ steps.get_installation_token.outputs.token }}
+          name: "Publish Radius bicep types to ACR"
+          status: in_progress
+          repo: ${{ github.repository }}
+          sha: ${{ env.CHECKOUT_REF }}
+          details_url: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+
+      - name: Checkout Radius repository
+        uses: actions/checkout@v4
+        with:
+          repository: ${{ env.CHECKOUT_REPO }}
+          ref: ${{ env.CHECKOUT_REF }}
+
       - name: Parse release version and set environment variables
         run: python ./.github/scripts/get_release_version.py
+
       - name: Set up Go ${{ env.GOVER }}
         uses: actions/setup-go@v5
         with:
           go-version: ${{ env.GOVER }}
+
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
           node-version: '18'
+
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v4
         with:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           aws-region: ${{ env.AWS_REGION }}
+
       - name: 'Build aws-type-downloader'
         env:
           GOPROXY: "https://proxy.golang.org"
         working-directory: 'src/aws-type-downloader'
         run: go build .
+
       - name: Download AWS specs from CloudControl 
         run: |
           cd src/aws-type-downloader && go run main.go --output ../../artifacts/types --clean
+
       - name: 'Initialize submodule'
         run: | 
           git submodule update --init --recursive
           npm --prefix bicep-types/src/bicep-types ci && npm --prefix bicep-types/src/bicep-types run build; \
+
       - name: Generate Bicep extensibility types for AWS
         env:
           VERSION: ${{ env.REL_CHANNEL == 'edge' && 'latest' || env.REL_CHANNEL }}
         run: |
           npm --prefix ./src/aws-type-generator install
           npm run --prefix ./src/aws-type-generator start -- --input ../../artifacts/types --output ../../artifacts/bicep --release-version ${{ env.VERSION }}
+
       - name: Upload AWS Bicep types artifacts
         uses: actions/upload-artifact@v4
         with:
           name: aws-bicep-types
           path: ./artifacts/bicep
           if-no-files-found: error
+
       - name: 'Login via Azure CLI'
         if: ${{ env.CI_PUBLISH_LATEST == 'true' || env.CI_PUBLISH_RELEASE == 'true' }}
         uses: azure/login@v2
         with:
           client-id: ${{ secrets.BICEPTYPES_CLIENT_ID }}
           tenant-id: ${{ secrets.BICEPTYPES_TENANT_ID }}
           subscription-id: ${{ secrets.BICEPTYPES_SUBSCRIPTION_ID }}
+
       - name: Setup and verify bicep CLI
         if: ${{ env.CI_PUBLISH_LATEST == 'true' || env.CI_PUBLISH_RELEASE == 'true' }}
         run: |
           curl -Lo bicep https://github.com/Azure/bicep/releases/latest/download/bicep-linux-x64
           chmod +x ./bicep
           sudo mv ./bicep /usr/local/bin/bicep
           bicep --version
+
       - name: Publish bicep types 
         if: ${{ env.CI_PUBLISH_LATEST == 'true' || env.CI_PUBLISH_RELEASE == 'true' }}
         env: 
           VERSION: ${{ env.REL_CHANNEL == 'edge' && 'latest' || env.REL_CHANNEL }}
         run: |
-          bicep publish-extension ./artifacts/bicep/index.json --target br:${{ env.BICEP_TYPES_REGISTRY }}/aws:${{ env.VERSION }} --force
+          bicep publish-extension ./artifacts/bicep/index.json --target br:${{ env.BICEP_TYPES_REGISTRY }}/aws:${{ env.VERSION }} --force
+      
+      - uses: LouisBrunner/[email protected]
+        if: always()
+        with:
+          token: ${{ steps.get_installation_token.outputs.token }}
+          check_run_id: ${{ steps.create_check_run.outputs.check_run_id }}
+          name: "Publish Radius bicep types to ACR"
+          repo: ${{ github.repository }}
+          sha: ${{ env.CHECKOUT_REF }}
+          status: completed
+          conclusion: ${{ job.status == 'success' && 'success' || 'failure' }}
+          output: |
+            {"summary":"Publish Bicep Types run completed. See links for more information.","title":"Publish Radius bicep types to ACR"}
+          details_url: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}

CODEOWNERS

@@ -1,2 +1 @@
-# These owners are the maintainers and approvers of this repo
-*       @radius-project/maintainers-bicep-types-aws @radius-project/approvers-bicep-types-aws
+# See the owners for this repo at .github/CODEOWNERS