ci: parity for GH workflows with ADO pipelines + ACR build retry fix #12
Merged
…etry

Adds .github/workflows equivalents for the ADO pipelines that had no GitHub counterpart:
- load-test.yml -> mirrors .azuredevops/pipelines/load-test.yml (Locust, workshop-dev environment, EnricoMi JUnit publish, HTML/CSV artifact).
- ui-tests.yml -> mirrors .azuredevops/pipelines/ui-tests.yml (Playwright Chromium, EnricoMi JUnit publish, full report artifact). Wiki-publish step intentionally dropped; artifact + Checks summary are the GH-native equivalent.
- codeql.yml -> mirrors .azuredevops/pipelines/adv-sec.yml using github/codeql-action (matrix csharp/javascript/python with explicit --no-incremental /p:UseSharedCompilation=false build for the C# leg) plus actions/dependency-review-action on PRs to cover the ADO AdvancedSecurity dependency scanning task.

Also fixes the deploy.yml ACR build failure (ParentResourceNotFound on listBuildSourceUploadUrl right after azd provision) by:
- pinning az CLI to AZURE_SUBSCRIPTION_ID with az account set,
- waiting for ACR ARM propagation via az acr show poll (5 min cap),
- wrapping az acr build in a 5-attempt retry with 20s backoff.

The same retry/propagation guard is applied to .azuredevops/pipelines/deploy.yml to keep both pipelines in lockstep.

Deploy concurrency: adds concurrency group scoped to the target azd env so back-to-back runs against the same rg-<env> are serialized (mirrors the ADO lockBehavior: runLatest on the workshop-dev environment).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Repo has GitHub default code scanning enabled, which rejects SARIF uploads from advanced configurations with: 'CodeQL analyses from advanced configurations cannot be processed when the default setup is enabled'. Default setup already runs CodeQL across all detected languages, providing full parity with the ADO AdvancedSecurity-Codeql tasks.

Keep only the actions/dependency-review-action piece since GitHub default scanning does not include a dependency-review-on-PR equivalent.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Summary
Brings the .github/workflows set up to parity with .azuredevops/pipelines and fixes the recent deploy.yml failure where az acr build returned ParentResourceNotFound immediately after azd provision.

New workflows (parity)
- load-test.yml -> .github/workflows/load-test.yml: rg-<env>. Publishes JUnit to Checks tab via EnricoMi/publish-unit-test-result-action; full Locust HTML + CSV uploaded as artifact load-test-report.
- ui-tests.yml -> .github/workflows/ui-tests.yml: playwright-report + screenshots as artifact ui-test-report. ADO wiki-publish step intentionally dropped (no GH-native consumer).
- adv-sec.yml -> .github/workflows/codeql.yml: csharp, javascript, python) using github/codeql-action. C# leg does an explicit dotnet build --no-incremental /p:UseSharedCompilation=false so the extractor sees every csc invocation (mirrors ADO comment). PR runs additionally execute actions/dependency-review-action to cover the ADO AdvancedSecurity-Dependency-Scanning task.

Deploy hardening (root cause of the recent failure)
ParentResourceNotFound from registries/listBuildSourceUploadUrl is a known ARM propagation race right after a fresh ACR is created. Both .github/workflows/deploy.yml and .azuredevops/pipelines/deploy.yml now:
- az account set --subscription "$AZURE_SUBSCRIPTION_ID" after azd provision so the az CLI is pinned to the right sub.
- az acr show (10s x 30, 5 min cap) until the registry is queryable.
- az acr build in a 5-attempt retry with 20s backoff to absorb the residual RP window.

Deploy concurrency
Added concurrency: { group: deploy-<azureEnvName>, cancel-in-progress: false } to deploy.yml so back-to-back runs against the same rg-<env> serialize, mirroring the ADO pipeline's lockBehavior: runLatest on the workshop-dev environment. Prevents the DeploymentActive race on shared ARM deployment names.

Validation
tests/load/locustfile.py, tests/load/locust_stats_to_junit.py, tests/ui/playwright.config.ts -> test-results/junit.xml) already exist and have not been touched.
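
The propagation wait and bounded retry listed under "Deploy hardening", written out as an added example; it is not the PR's own workflow code. ACR_NAME, IMAGE_TAG, SLEEP_CMD and the function names are assumptions, while the attempt counts and delays are the ones the description states.

```shell
#!/bin/sh
# Added example (not from the PR). ACR_NAME, IMAGE_TAG, SLEEP_CMD and the
# function names are assumptions; counts and delays follow the description.
SLEEP_CMD="${SLEEP_CMD:-sleep}"

# poll_until <attempts> <delay_s> <cmd...>
# Quietly re-run cmd until it succeeds; give up after <attempts> tries.
poll_until() {
  _p_max=$1 _p_delay=$2 _p_i=1
  shift 2
  while [ "$_p_i" -le "$_p_max" ]; do
    if "$@" >/dev/null 2>&1; then return 0; fi
    if [ "$_p_i" -lt "$_p_max" ]; then "$SLEEP_CMD" "$_p_delay"; fi
    _p_i=$((_p_i + 1))
  done
  return 1
}

# retry <attempts> <delay_s> <cmd...>
# Re-run cmd on failure, keeping its output; when every attempt fails,
# return the last exit status so the pipeline step still fails.
retry() {
  _r_max=$1 _r_delay=$2 _r_i=1 _r_rc=1
  shift 2
  while [ "$_r_i" -le "$_r_max" ]; do
    "$@" && return 0
    _r_rc=$?
    echo "attempt $_r_i/$_r_max failed (exit $_r_rc)" >&2
    if [ "$_r_i" -lt "$_r_max" ]; then "$SLEEP_CMD" "$_r_delay"; fi
    _r_i=$((_r_i + 1))
  done
  return "$_r_rc"
}

# Intended to run right after azd provision.
guarded_acr_build() {
  # Pin the CLI to the subscription the registry was provisioned in.
  az account set --subscription "$AZURE_SUBSCRIPTION_ID" || return 1
  # Wait for ARM to see the registry: 30 polls, 10 s apart.
  if ! poll_until 30 10 az acr show --name "$ACR_NAME"; then
    echo "registry $ACR_NAME not queryable, giving up" >&2
    return 1
  fi
  # Absorb the residual window: 5 attempts, 20 s apart.
  retry 5 20 az acr build --registry "$ACR_NAME" --image "$IMAGE_TAG" .
}

# Runs only when a registry name is supplied; sourcing just defines functions.
if [ -n "${ACR_NAME:-}" ]; then guarded_acr_build; fi
```

Because retry returns the last exit status, a build that fails for a reason other than propagation still fails the job after the fifth attempt.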