fix: Merging Dev changes to Main (#1530)

Co-authored-by: Ajit Padhi <[email protected]>
Azure-Samples · Nov 26, 2024 · 1ae5e9c · 1ae5e9c
1 parent 9483a06
commit 1ae5e9c
Show file tree

Hide file tree

Showing 15 changed files with 1,105 additions and 563 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -7,31 +7,42 @@ updates:
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
-      interval: "weekly"
+      interval: "monthly"
+
     commit-message:
       prefix: "build"
+    target-branch: "dependabotchanges"
   - package-ecosystem: "pip"
     directory: "/"
     schedule:
-      interval: "weekly"
+      interval: "monthly"
+
+
     commit-message:
       prefix: "build"
     groups:
       langchain:
         patterns:
           - "langchain*"
     open-pull-requests-limit: 50
+    target-branch: "dependabotchanges"
   - package-ecosystem: "npm"
     directory: "/code/frontend"
     schedule:
-      interval: "weekly"
+      interval: "monthly"
+
+
     commit-message:
       prefix: "build"
     open-pull-requests-limit: 50
+    target-branch: "dependabotchanges"
   - package-ecosystem: "npm"
     directory: "/tests/integration/ui"
     schedule:
-      interval: "weekly"
+      interval: "monthly"
+
+
     commit-message:
       prefix: "build"
     open-pull-requests-limit: 50
+    target-branch: "dependabotchanges"
diff --git a/.github/workflows/build-docker-images.yml b/.github/workflows/build-docker-images.yml
@@ -4,9 +4,15 @@ on:
   workflow_run:
     workflows: [Tests]
     types: [completed]
-    branches: [main]
+    branches:
+      - main
+      - dev
+      - demo
   pull_request:
-    branches: [main]
+    branches:
+      - main
+      - dev
+      - demo
     types:
     - opened
     - ready_for_review
@@ -28,9 +34,9 @@ jobs:
             dockerfile: docker/Frontend.Dockerfile
     uses: ./.github/workflows/build-docker.yml
     with:
-      registry: fruoccopublic.azurecr.io
-      username: fruoccopublic
+      registry: ${{ github.event.workflow_run.head_branch == 'main' && 'fruoccopublic.azurecr.io' || 'cwydcontainerreg.azurecr.io'}}
+      username: ${{ github.event.workflow_run.head_branch == 'main' && 'fruoccopublic' || 'cwydcontainerreg'}}
       app_name: ${{ matrix.app_name }}
       dockerfile: ${{ matrix.dockerfile }}
-      push: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_branch == 'main' }}
+      push: ${{ github.event.workflow_run.head_branch == 'main' || github.event.workflow_run.head_branch == 'dev' || github.event.workflow_run.head_branch == 'demo' }}
     secrets: inherit
diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml
@@ -21,6 +21,8 @@ on:
     secrets:
       DOCKER_PASSWORD:
         required: false
+      DEV_DOCKER_PASSWORD:
+        required: false
 
 jobs:
   docker-build:
@@ -31,13 +33,21 @@ jobs:
       uses: actions/checkout@v4
 
     - name: Docker Login
-      if: ${{ inputs.push }}
+      if: ${{ inputs.push == true && github.ref_name == 'main' }}
       uses: docker/login-action@v3
       with:
         registry: ${{ inputs.registry }}
         username: ${{ inputs.username }}
         password: ${{ secrets.DOCKER_PASSWORD }}
 
+    - name: Dev Docker Login
+      if: ${{ inputs.push == true && (github.ref_name == 'dev' || github.ref_name == 'demo') }}
+      uses: docker/login-action@v3
+      with:
+        registry: ${{ inputs.registry }}
+        username: ${{ inputs.username }}
+        password: ${{ secrets.DEV_DOCKER_PASSWORD }}
+
     - name: Set up Docker Buildx
       uses: docker/setup-buildx-action@v3
 
@@ -51,7 +61,7 @@ jobs:
         context: .
         file: ${{ inputs.dockerfile }}
         push: ${{ inputs.push }}
-        cache-from: type=registry,ref=${{ inputs.registry }}/${{ inputs.app_name}}:latest
+        cache-from: type=registry,ref=${{ inputs.registry }}/${{ inputs.app_name}}:${{ github.ref_name == 'main' && 'latest' || github.ref_name == 'dev' && 'dev' || github.ref_name == 'demo' && 'demo' || 'latest' }}
         tags: |
-          ${{ inputs.registry }}/${{ inputs.app_name}}:latest
+          ${{ inputs.registry }}/${{ inputs.app_name}}:${{ github.ref_name == 'main' && 'latest' || github.ref_name == 'dev' && 'dev' || github.ref_name == 'demo' && 'demo' || 'latest' }}
           ${{ inputs.registry }}/${{ inputs.app_name}}:${{ steps.date.outputs.date }}_${{ github.run_number }}
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -4,6 +4,8 @@ on:
   push:
     branches:
       - main
+      - dev
+      - demo
   schedule:
     - cron: '0 6,18 * * *'  # Runs at 6:00 AM and 6:00 PM GMT
 
@@ -34,6 +36,17 @@ jobs:
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Set imageTag
+        id: set-image-tag
+        run: |
+          if [[ "${{ github.event_name }}" == "schedule" ]]; then
+            echo "imageTag=latest" >> $GITHUB_ENV
+          elif [[ "${{ github.ref_name }}" == "main" ]]; then
+            echo "imageTag=latest" >> $GITHUB_ENV
+          else
+            echo "imageTag=${{ github.ref_name }}" >> $GITHUB_ENV
+          fi
+
       - name: Pre-build image and run make in dev container
         uses: devcontainers/[email protected]
         env:
@@ -43,8 +56,9 @@ jobs:
         with:
           imageName: ghcr.io/azure-samples/chat-with-your-data-solution-accelerator
           cacheFrom: ghcr.io/azure-samples/chat-with-your-data-solution-accelerator
+          imageTag: ${{ env.imageTag }}
           runCmd: make ci && make deploy
-          refFilterForPush: refs/heads/main
+          refFilterForPush: refs/heads/${{ github.event_name == 'schedule' && 'main' || github.ref_name }}
           env: |
             AZURE_CLIENT_ID
             AZURE_CLIENT_SECRET
@@ -64,6 +78,7 @@ jobs:
         with:
           push: never
           imageName: ghcr.io/azure-samples/chat-with-your-data-solution-accelerator
+          imageTag: ${{ env.imageTag }}
           runCmd: make destroy
           env: |
             AZURE_CLIENT_ID
@@ -78,7 +93,6 @@ jobs:
         if: failure()
         run: |
           RUN_URL="https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
-
           # Construct the email body
           EMAIL_BODY=$(cat <<EOF
           {

diff --git a/.github/workflows/sync-branches.yml b/.github/workflows/sync-branches.yml
@@ -0,0 +1,44 @@
+name: Sync Main to dependabotchanges
+
+on:
+  # Schedule the sync job to run daily or customize as needed
+  schedule:
+    - cron: '0 1 * * *'  # Runs every day at 1 AM UTC
+  # Trigger the sync job on pushes to the main branch
+  push:
+    branches:
+      - main
+
+jobs:
+  sync:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0  # Fetch all history for accurate branch comparison
+
+      - name: Configure Git
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+
+      - name: Sync main to dependabotchanges
+        run: |
+          # Ensure we're on the main branch
+          git checkout main
+          # Fetch the latest changes
+          git pull origin main
+
+          # Switch to dependabotchanges branch
+          git checkout dependabotchanges
+          # Merge main branch changes
+          git merge main --no-edit
+
+          # Push changes back to dependabotchanges branch
+          git push origin dependabotchanges
+
+      - name: Notify on Failure
+        if: failure()
+        run: echo "Sync from main to dependabotchanges failed!"
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -2,9 +2,9 @@ name: Tests
 
 on:
   push:
-    branches: [main]
+    branches: [main, dev, demo]
   pull_request:
-    branches: [main]
+    branches: [main, dev, demo]
     types:
       - opened
       - ready_for_review

diff --git a/code/create_app.py b/code/create_app.py
@@ -42,7 +42,7 @@ def get_markdown_url(source, title, container_sas):
 
 
 def get_citations(citation_list):
-    """Returns Formated Citations"""
+    """Returns Formated Citations."""
     blob_client = AzureBlobStorageClient()
     container_sas = blob_client.get_container_sas()
     citations_dict = {"citations": []}

diff --git a/infra/app/function.bicep b/infra/app/function.bicep
@@ -42,6 +42,7 @@ module function '../core/host/functions.bicep' = {
     runtimeName: runtimeName
     runtimeVersion: runtimeVersion
     dockerFullImageName: dockerFullImageName
+    useKeyVault: useKeyVault
     appSettings: union(appSettings, {
       WEBSITES_ENABLE_APP_SERVICE_STORAGE: 'false'
       AZURE_AUTH_TYPE: authType

diff --git a/infra/app/web.bicep b/infra/app/web.bicep
@@ -122,16 +122,16 @@ module web '../core/host/appservice.bicep' = {
             '2023-05-01'
           ).key1
       AZURE_COSMOSDB_ACCOUNT_KEY: (useKeyVault || cosmosDBKeyName == '')
-      ? cosmosDBKeyName
-      : listKeys(
-          resourceId(
-            subscription().subscriptionId,
-            resourceGroup().name,
-            'Microsoft.DocumentDB/databaseAccounts',
-            cosmosDBKeyName
-          ),
-          '2022-08-15'
-        ).primaryMasterKey
+        ? cosmosDBKeyName
+        : listKeys(
+            resourceId(
+              subscription().subscriptionId,
+              resourceGroup().name,
+              'Microsoft.DocumentDB/databaseAccounts',
+              cosmosDBKeyName
+            ),
+            '2022-08-15'
+          ).primaryMasterKey
     })
     keyVaultName: keyVaultName
     runtimeName: runtimeName
@@ -192,6 +192,22 @@ module webaccess '../core/security/keyvault-access.bicep' = if (useKeyVault) {
   }
 }
 
+resource cosmosRoleDefinition 'Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions@2024-05-15' existing = {
+  name: '${json(appSettings.AZURE_COSMOSDB_INFO).accountName}/00000000-0000-0000-0000-000000000002'
+}
+
+module cosmosUserRole '../core/database/cosmos-sql-role-assign.bicep' = {
+  name: 'cosmos-sql-user-role-${web.name}'
+  params: {
+    accountName: json(appSettings.AZURE_COSMOSDB_INFO).accountName
+    roleDefinitionId: cosmosRoleDefinition.id
+    principalId: web.outputs.identityPrincipalId
+  }
+  dependsOn: [
+    cosmosRoleDefinition
+  ]
+}
+
 output FRONTEND_API_IDENTITY_PRINCIPAL_ID string = web.outputs.identityPrincipalId
 output FRONTEND_API_NAME string = web.outputs.name
 output FRONTEND_API_URI string = web.outputs.uri
diff --git a/infra/core/database/cosmos-sql-role-assign.bicep b/infra/core/database/cosmos-sql-role-assign.bicep
@@ -0,0 +1,19 @@
+metadata description = 'Creates a SQL role assignment under an Azure Cosmos DB account.'
+param accountName string
+
+param roleDefinitionId string
+param principalId string = ''
+
+resource role 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments@2022-05-15' = {
+  parent: cosmos
+  name: guid(roleDefinitionId, principalId, cosmos.id)
+  properties: {
+    principalId: principalId
+    roleDefinitionId: roleDefinitionId
+    scope: cosmos.id
+  }
+}
+
+resource cosmos 'Microsoft.DocumentDB/databaseAccounts@2022-08-15' existing = {
+  name: accountName
+}
diff --git a/infra/core/host/functions.bicep b/infra/core/host/functions.bicep
@@ -9,6 +9,7 @@ param appServicePlanId string
 param keyVaultName string = ''
 param managedIdentity bool = !empty(keyVaultName)
 param storageAccountName string
+param useKeyVault bool
 
 // Runtime Properties
 @allowed([
@@ -67,10 +68,14 @@ module functions 'appservice.bicep' = {
     appSettings: union(
       appSettings,
       {
-        AzureWebJobsStorage: 'DefaultEndpointsProtocol=https;AccountName=${storage.name};AccountKey=${storage.listKeys().keys[0].value};EndpointSuffix=${environment().suffixes.storage}'
         FUNCTIONS_EXTENSION_VERSION: extensionVersion
       },
-      !useDocker ? { FUNCTIONS_WORKER_RUNTIME: runtimeName } : {}
+      !useDocker ? { FUNCTIONS_WORKER_RUNTIME: runtimeName } : {},
+      useKeyVault
+        ? {
+            AzureWebJobsStorage: 'DefaultEndpointsProtocol=https;AccountName=${storage.name};AccountKey=${storage.listKeys().keys[0].value};EndpointSuffix=${environment().suffixes.storage}'
+          }
+        : { AzureWebJobsStorage__accountName: storage.name }
     )
     clientAffinityEnabled: clientAffinityEnabled
     enableOryxBuild: enableOryxBuild
@@ -90,6 +95,15 @@ module functions 'appservice.bicep' = {
   }
 }
 
+module storageBlobRoleFunction '../security/role.bicep' = {
+  name: 'storage-blob-role-function'
+  params: {
+    principalId: functions.outputs.identityPrincipalId
+    roleDefinitionId: 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'
+    principalType: 'ServicePrincipal'
+  }
+}
+
 resource storage 'Microsoft.Storage/storageAccounts@2021-09-01' existing = {
   name: storageAccountName
 }

diff --git a/infra/core/storage/storage-account.bicep b/infra/core/storage/storage-account.bicep
@@ -11,7 +11,8 @@ param tags object = {}
 param accessTier string = 'Hot'
 param allowBlobPublicAccess bool = false
 param allowCrossTenantReplication bool = true
-param allowSharedKeyAccess bool = true
+param useKeyVault bool
+param allowSharedKeyAccess bool = useKeyVault
 param containers array = []
 param defaultToOAuthAuthentication bool = false
 param deleteRetentionPolicy object = {}