refactor(ci): consolidate yq and bicep installs into make targets

[DariuszPorowski]

Description

Problem

Tool installation (yq and the Bicep CLI) was duplicated across many GitHub workflows using inline, hand-written download steps. This created several recurring problems:

• Version drift — yq versions were scattered across workflows and the Bicep CLI was installed from an unpinned latest, so different jobs could run different tool versions.
• No integrity verification — inline installs downloaded binaries without checksum validation, leaving a supply-chain gap.
• Duplicated, hard-to-maintain logic — the same install snippets were copy-pasted into multiple workflows, so any change (version bump, URL change, platform fix) had to be made in many places.
• No single source of truth — there was no one place to see or update the tool versions the project depends on.

Value proposition

This change centralizes tool installation behind Make targets backed by a single source of truth, making CI reproducible, verifiable, and easy to maintain:

• build/tools.mk as the single source of truth for tool versions and per-platform SHA-256 checksums (yq v4.53.3, Bicep v0.42.1).
• Reusable, hardened installer scripts — build/scripts/install-yq.sh and build/scripts/install-bicep.sh install into a user-owned bin dir (no sudo), support Linux and macOS on amd64/arm64, verify checksums, honor GITHUB_TOKEN for GitHub API calls, and fall back to the latest release when no version is pinned.
• make install-yq / make install-bicep targets — every workflow now calls these instead of bespoke inline steps, so versions are pinned consistently and updated in one place.
• De-duplicated Bicep tooling — build/install-bicep.sh is reduced to its sole remaining responsibility (generating bicepconfig.json); all download/install logic now lives in the single build/scripts/install-bicep.sh. build/build.mk calls the installer for cross-arch container staging.
• Stronger fork safety — functional-test-cloud.yaml gains an explicit authorize gate so external/fork contributions run only after the trust check and approval gate pass.
• CI cleanup — expands the __changes.yml ignore-list, normalizes the unit-tests concurrency group, relocates the triage-bot label config to .github/configs/label-actions.yaml, and removes the obsolete root CODEOWNERS.

Changed files

• Added: build/tools.mk, build/scripts/install-yq.sh, build/scripts/install-bicep.sh
• Modified (build): Makefile, build/build.mk, build/generate.mk, build/resource-types.mk, build/install-bicep.sh (stripped to bicepconfig.json generation)
• Modified (workflows): copilot-setup-steps.yml, functional-test-cloud.yaml, functional-test-noncloud.yaml, validate-bicep.yaml, contrib-update-resource-types.yaml, verify-resource-types.yaml, lint.yaml, publish-docs.yaml, release.yaml, triage-bot.yaml, unit-tests.yaml, __changes.yml
• Renamed: .github/triage-bot/triage-bot-config.yaml → .github/configs/label-actions.yaml
• Deleted: root CODEOWNERS

Type of change

• This pull request is a minor refactor, code cleanup, test improvement, or other maintenance task and doesn't change the functionality of Radius (issue link optional).

N/A — minor CI/build tooling refactor (issue link optional).

Contributor checklist

Please verify that the PR meets the following requirements, where applicable:

• An overview of proposed schema changes is included in a linked GitHub issue.
  • Yes
  • Not applicable
• A design document is added or updated under eng/design-notes/ in this repository, if new APIs are being introduced.
  • Yes
  • Not applicable
• The design document has been reviewed and approved by Radius maintainers/approvers.
  • Yes
  • Not applicable
• A PR for resource-types-contrib is created, if resource types or recipes are affected by the changes in this PR.
  • Yes
  • Not applicable
• A PR for dashboard is created, if the Radius Dashboard is affected by the changes in this PR.
  • Yes
  • Not applicable
• A PR for the documentation repository is created, if the changes in this PR affect the documentation or any user facing updates are made.
  • Yes
  • Not applicable

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

• .github/workflows/release.yaml

[Copilot]

Pull request overview

This PR centralizes installation of CI tooling (notably yq and the Bicep CLI) behind new Make targets and hardened installer scripts, replacing duplicated inline download logic across multiple GitHub workflows and build targets.

Changes:

• Add build/tools.mk and new installer scripts to pin tool versions and (where possible) verify SHA-256 checksums.
• Update build Make targets and multiple workflows to use make install-yq / make install-bicep instead of bespoke inline install steps.
• CI cleanup: adjust workflow concurrency/skip lists, move triage-bot label config, and remove the obsolete root CODEOWNERS.

Review notes (blocking):

• build/build.mk currently passes "$$(BICEP_VERSION)"-style values, which becomes shell command substitution ($(...)) and will fail at runtime.
• .github/workflows/release.yaml introduces ::set-output, which is deprecated in GitHub Actions; it should use $GITHUB_OUTPUT.

Reviewed changes

Copilot reviewed 22 out of 22 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
Makefile	Includes build/tools.mk to expose shared tool install targets.
CODEOWNERS	Removes obsolete root-level pointer to .github/CODEOWNERS.
build/tools.mk	Defines pinned yq / bicep versions + checksums and provides install-* Make targets.
build/scripts/install-yq.sh	New cross-platform installer for yq with checksum verification.
build/scripts/install-bicep.sh	New cross-platform installer for Bicep CLI with optional checksum verification and cross-arch staging support.
build/resource-types.mk	Updates yq prerequisite message to use make install-yq.
build/install-bicep.sh	Narrows script responsibility to only generating bicepconfig.json.
build/generate.mk	Removes old YQ_VERSION pin and updates install guidance to make install-yq.
build/build.mk	Updates bicep container staging to use the new Bicep installer script.
.github/workflows/verify-resource-types.yaml	Replaces inline yq install with make install-yq.
.github/workflows/validate-bicep.yaml	Replaces inline bicep install with make install-bicep (installing into ~/.rad/bin).
.github/workflows/unit-tests.yaml	Normalizes concurrency group expression.
.github/workflows/triage-bot.yaml	Points label-actions config to new .github/configs/label-actions.yaml location.
.github/workflows/release.yaml	Switches from action-based yq usage to installing yq and invoking it directly (but uses deprecated ::set-output).
.github/workflows/publish-docs.yaml	Replaces inline yq install with make install-yq.
.github/workflows/lint.yaml	Replaces inline yq install with make install-yq.
.github/workflows/functional-test-noncloud.yaml	Replaces inline yq/bicep installs with Make targets.
.github/workflows/functional-test-cloud.yaml	Adds centralized authorize gate and replaces inline tool installs with Make targets.
.github/workflows/copilot-setup-steps.yml	Replaces inline yq/bicep installs with Make targets.
.github/workflows/contrib-update-resource-types.yaml	Replaces inline yq install with make install-yq.
.github/workflows/__changes.yml	Expands ignore list and adds documentation clarifying skip behavior.
.github/configs/label-actions.yaml	New location/name for triage-bot label-actions config (plus small YAML cleanup).

[github-actions]

Unit Tests

    2 files  ±0    450 suites  ±0   7m 24s ⏱️ -13s
5 591 tests ±0  5 589 ✅ ±0  2 💤 ±0  0 ❌ ±0 
6 788 runs  ±0  6 786 ✅ ±0  2 💤 ±0  0 ❌ ±0 

Results for commit 21c73ad. ± Comparison against base commit 2626297.

♻️ This comment has been updated with latest results.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 52.87%. Comparing base (2626297) to head (21c73ad).

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #12248      +/-   ##
==========================================
- Coverage   52.88%   52.87%   -0.02%     
==========================================
  Files         751      751              
  Lines       48353    48353              
==========================================
- Hits        25573    25566       -7     
- Misses      20383    20387       +4     
- Partials     2397     2400       +3     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[brooke-hamilton]

🚀

One non-blocking suggestion:

Rename the bicepconfig generator. After this change, build/install-bicep.sh no longer installs the Bicep CLI — it only generates bicepconfig.json — while the new build/scripts/install-bicep.sh does the actual CLI install. Two files sharing the basename install-bicep.sh with unrelated jobs is easy to confuse. Consider renaming build/install-bicep.sh to something like build/gen-bicepconfig.sh and updating its caller in build/build.mk.

[radius-functional-tests]

Radius functional test overview

🔍 Go to test action run

Click here to see the test run details

Name	Value
Repository	radius-project/radius
Commit ref	21c73ad
Unique ID	func4b494c8dd3
Image tag	pr-func4b494c8dd3

• KinD: v0.29.0
• Dapr: 1.14.4
• Azure KeyVault CSI driver: 1.4.2
• Azure Workload identity webhook: 1.3.0
• Bicep recipe location ghcr.io/radius-project/dev/test/testrecipes/test-bicep-recipes/<name>:pr-func4b494c8dd3
• Terraform recipe location http://tf-module-server.radius-test-tf-module-server.svc.cluster.local/<name>.zip (in cluster)
• applications-rp test image location: ghcr.io/radius-project/dev/applications-rp:pr-func4b494c8dd3
• dynamic-rp test image location: ghcr.io/radius-project/dev/dynamic-rp:pr-func4b494c8dd3
• controller test image location: ghcr.io/radius-project/dev/controller:pr-func4b494c8dd3
• ucp test image location: ghcr.io/radius-project/dev/ucpd:pr-func4b494c8dd3
• deployment-engine test image location: ghcr.io/radius-project/deployment-engine:latest

Test Status

⌛ Building Radius and pushing container images for functional tests...
✅ Container images build succeeded
⌛ Publishing Bicep Recipes for functional tests...
✅ Recipe publishing succeeded
⌛ Starting ucp-cloud functional tests...
⌛ Starting corerp-cloud functional tests...
✅ ucp-cloud functional tests succeeded
✅ corerp-cloud functional tests succeeded