fix: Add missing dns zones in relevant policy assignment and adjust workflow permissions #1114
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Example: .github/workflows/arm-docs.yaml | |
| name: Generate Markdown | |
| on: | |
| pull_request_target: | |
| types: | |
| - edited | |
| - opened | |
| - reopened | |
| - synchronize | |
| paths: | |
| - '**.bicep' | |
| env: | |
| github_user_name: 'github-actions' | |
| github_email: '41898282+github-actions[bot]@users.noreply.github.com' | |
| github_commit_message: 'Generate Parameter Markdowns' | |
| github_pr_number: ${{ github.event.number }} | |
| github_pr_repo: ${{ github.event.pull_request.head.repo.full_name }} | |
| permissions: | |
| contents: write | |
| jobs: | |
| arm_docs: | |
| name: Generate Markdown | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Show env | |
| run: env | sort | |
| - name: Check out PR | |
| run: | | |
| echo "==> Check out PR..." | |
| gh pr checkout "$github_pr_number" | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Configure local git | |
| run: | | |
| echo "git user name : $github_user_name" | |
| git config --global user.name "$github_user_name" | |
| echo "git user email : $github_email" | |
| git config --global user.email "$github_email" | |
| - name: Bicep Build | |
| shell: pwsh | |
| run: | | |
| Get-ChildItem -Recurse -Path infra-as-code/bicep/ -Filter '*.bicep' -Exclude 'callModuleFromACR.example.bicep','orchHubSpoke.bicep' | ForEach-Object { | |
| Write-Information "==> Attempting Bicep Build For File: $_" -InformationAction Continue | |
| $output = bicep build $_.FullName 2>&1 | |
| if ($LastExitCode -ne 0) | |
| { | |
| throw $output | |
| } | |
| Else | |
| { | |
| echo $output | |
| } | |
| } | |
| - name: Generate ARM markdowns | |
| run: | | |
| Install-Module -Name 'PSDocs.Azure' -Repository PSGallery -force; | |
| # Scan for Azure template file recursively in the infra-as-code/bicep/ directory | |
| Get-AzDocTemplateFile -Path infra-as-code/bicep/ | ForEach-Object { | |
| # Generate a standard name of the markdown file. i.e. <name>_<version>.md | |
| $template = Get-Item -Path $_.TemplateFile; | |
| $templateraw = Get-Content -Raw -Path $_.Templatefile; | |
| $templateName = $template.Directory.Parent.Name; | |
| $version = $template.Directory.Name; | |
| $docNameWithoutExtension = [System.IO.Path]::GetFileNameWithoutExtension($template.Name); | |
| $docName = "$($docNameWithoutExtension)_$version"; | |
| $jobj = ConvertFrom-Json -InputObject $templateraw | |
| $outputpathformds = $template.DirectoryName+'/generateddocs' | |
| New-Item -Path $outputpathformds -ItemType Directory -Force | |
| # Conversion | |
| $templatepath = $template.DirectoryName | |
| $convertedtemplatename = $template.Name | |
| $convertedfullpath = $templatepath+"\"+$convertedtemplatename | |
| $jobj | ConvertTo-Json -Depth 100 | Set-Content -Path $convertedfullpath | |
| $mdname = ($docNameWithoutExtension)+'.bicep' | |
| # Generate markdown | |
| Invoke-PSDocument -Module PSDocs.Azure -OutputPath $outputpathformds -InputObject $template.FullName -InstanceName $mdname -Culture en-US; | |
| } | |
| shell: pwsh | |
| - name: Remove Generated JSONs | |
| shell: pwsh | |
| run: | | |
| Get-ChildItem -Recurse -Path infra-as-code/bicep/ -Filter '*.json' -Exclude 'bicepconfig.json','*.parameters.json','*.parameters.*.json','policy_*' | ForEach-Object { | |
| Write-Information "==> Removing generated JSON file $_ from Bicep Build" -InformationAction Continue | |
| Remove-Item -Path $_.FullName | |
| } | |
| - name: Check git status | |
| run: | | |
| echo "==> Check git status..." | |
| git status --short --branch | |
| - name: Stage changes | |
| run: | | |
| echo "==> Stage changes..." | |
| mapfile -t STATUS_LOG < <(git status --short | grep .) | |
| if [ ${#STATUS_LOG[@]} -gt 0 ]; then | |
| echo "Found changes to the following files:" | |
| printf "%s\n" "${STATUS_LOG[@]}" | |
| git add --all | |
| else | |
| echo "No changes to add." | |
| fi | |
| - name: Push changes | |
| run: | | |
| echo "==> Check git diff..." | |
| mapfile -t GIT_DIFF < <(git diff --cached) | |
| printf "%s\n" "${GIT_DIFF[@]}" | |
| if [ ${#GIT_DIFF[@]} -gt 0 ]; then | |
| echo "==> Commit changes..." | |
| git commit --message "$github_commit_message [$GITHUB_ACTOR/${GITHUB_SHA::8}]" | |
| echo "==> Push changes..." | |
| echo "Pushing changes to: $github_pr_repo" | |
| git push "https://$GITHUB_TOKEN@github.com/$github_pr_repo.git" | |
| else | |
| echo "No changes found." | |
| fi | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |