diff --git a/.github/triage-bot/triage-bot-config.yaml b/.github/configs/label-actions.yaml similarity index 99% rename from .github/triage-bot/triage-bot-config.yaml rename to .github/configs/label-actions.yaml index 00cd0cdfd3f..146711c8c7c 100644 --- a/.github/triage-bot/triage-bot-config.yaml +++ b/.github/configs/label-actions.yaml @@ -18,7 +18,6 @@ # # See: https://github.com/dessant/label-actions for documentation. - # Creation labels --- bug: @@ -49,7 +48,6 @@ maintenance: _For more information on our triage process please visit our [triage overview](https://github.com/radius-project/radius/blob/main/docs/contributing/triage/triage-process.md)_ - # Processing labels needs-more-information: @@ -78,7 +76,7 @@ important: _For more information on our triage process please visit our [triage overview](https://github.com/radius-project/radius/blob/main/docs/contributing/triage/triage-process.md)_ -'good first issue': +"good first issue": comment: | This issue is a great one to pickup for new contributors. It should only require small changes and not assume a deep knowledge of the Radius architecture. diff --git a/.github/workflows/__changes.yml b/.github/workflows/__changes.yml index dbbe4ab3f78..7945fa6a97c 100644 --- a/.github/workflows/__changes.yml +++ b/.github/workflows/__changes.yml @@ -5,6 +5,12 @@ name: Changes on: workflow_call: inputs: + # The default list enumerates paths that can NEVER affect the outcome of + # the heavy CI workflows that consume this one (build, unit-tests, lint, + # validate-bicep, functional tests, reference-docs). When ONLY these paths + # change, `only_changed` is `true` and those workflows are skipped. Only + # add a pattern here if a change to it cannot break compilation, tests, + # linting, bicep validation, functional tests, or generated reference docs. files: description: File patterns to detect changes required: false 
@@ -14,17 +20,24 @@ on: .github/*.md docs/**/*.md docs/*.md + docs/**/*.png + docs/**/*.svg eng/design-notes/**/*.md eng/design-notes/**/*.png + eng/design-notes/**/*.svg specs/**/*.md test/**/*.md test/*.md *.md + LICENSE + .gitignore .cspellignore versions.yaml !docs/release-notes/v*.md .codecov.yml .devcontainer/** + grafana/** + .github/CODEOWNERS .github/configs/** .github/linters/** .github/dependabot.yml @@ -32,9 +45,16 @@ on: .github/release.yml .github/runners/** .github/triage-bot/** + .github/workflows/c9k-failure-report.yml + .github/workflows/c9k-nightly.yml .github/workflows/close-stale-prs.yml + .github/workflows/contrib-update-resource-types.yaml + .github/workflows/dependabot-manager.yml .github/workflows/devcontainer-feature-release.yaml .github/workflows/devcontainer-feature-test.yaml + .github/workflows/issue-metrics.yml + .github/workflows/long-running-azure.yaml + .github/workflows/nightly-rad-CLI-tests.yaml .github/workflows/publish-*.yaml .github/workflows/purge-*.yaml .github/workflows/radius-bot.yaml diff --git a/.github/workflows/contrib-update-resource-types.yaml b/.github/workflows/contrib-update-resource-types.yaml index da8e279d7e6..fa6743a073e 100644 --- a/.github/workflows/contrib-update-resource-types.yaml +++ b/.github/workflows/contrib-update-resource-types.yaml @@ -51,8 +51,6 @@ concurrency: env: PR_BRANCH: bot/update-resource-types CONTRIB_REPO: radius-project/resource-types-contrib - YQ_VERSION: v4.44.3 - YQ_LINUX_AMD64_SHA256: a2c097180dd884a8d50c956ee16a9cec070f30a7947cf4ebf87d5f36213e9ed7 jobs: open-update-pr: 
@@ -123,12 +121,7 @@ jobs: - name: Install yq # Required by make update-resource-types / sync-resource-types to parse # deploy/manifest/defaults.yaml. - run: | - mkdir -p "${RUNNER_TEMP}/bin" - curl -fsSL "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -o "${RUNNER_TEMP}/bin/yq" - echo "${YQ_LINUX_AMD64_SHA256} ${RUNNER_TEMP}/bin/yq" | sha256sum -c - - chmod +x "${RUNNER_TEMP}/bin/yq" - echo "${RUNNER_TEMP}/bin" >> "${GITHUB_PATH}" + run: make install-yq - name: Run make update-resource-types # Bumps go.mod to the latest resource-types-contrib version and copies diff --git a/.github/workflows/copilot-setup-steps.yml b/.github/workflows/copilot-setup-steps.yml index 035c0502046..7c507e25ffc 100644 --- a/.github/workflows/copilot-setup-steps.yml +++ b/.github/workflows/copilot-setup-steps.yml @@ -163,14 +163,7 @@ jobs: - name: Install yq # Required by Bicep type generation to parse YAML defaults. - run: | - YQ_VERSION="v4.44.3" - YQ_LINUX_AMD64_SHA256="a2c097180dd884a8d50c956ee16a9cec070f30a7947cf4ebf87d5f36213e9ed7" - mkdir -p "${RUNNER_TEMP}/bin" - curl -fsSL "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -o "${RUNNER_TEMP}/bin/yq" - echo "${YQ_LINUX_AMD64_SHA256} ${RUNNER_TEMP}/bin/yq" | sha256sum -c - - chmod +x "${RUNNER_TEMP}/bin/yq" - echo "${RUNNER_TEMP}/bin" >> "${GITHUB_PATH}" + run: make install-yq - name: Install KinD # Lets the agent create a local Kubernetes cluster for integration and 
@@ -224,14 +217,8 @@ jobs: - name: Install Bicep CLI # Required by Bicep type publishing (make publish-bicep-extension) and - # rad bicep flows. Pinned to v0.42.1: v0.40+ rejects br:localhost - # registries used by the local functional tests. - run: | - BICEP_VER="v0.42.1" - curl -fsSLo ./bicep "https://github.com/Azure/bicep/releases/download/${BICEP_VER}/bicep-linux-x64" - chmod +x ./bicep - sudo mv ./bicep /usr/local/bin/bicep - bicep --version + # rad bicep flows. Pinned version + checksum live in build/tools.mk. + run: make install-bicep - name: Install PostgreSQL client # psql is used by the debug environment to verify control-plane database diff --git a/.github/workflows/functional-test-cloud.yaml b/.github/workflows/functional-test-cloud.yaml index b4a9fcd5efb..1a6faf46513 100644 --- a/.github/workflows/functional-test-cloud.yaml +++ b/.github/workflows/functional-test-cloud.yaml @@ -67,9 +67,6 @@ concurrency: env: GOPROXY: https://proxy.golang.org - # yq version - YQ_VERSION: v4.44.3 - YQ_LINUX_AMD64_SHA256: a2c097180dd884a8d50c956ee16a9cec070f30a7947cf4ebf87d5f36213e9ed7 # Helm version HELM_VER: v4.2.2 # KinD cluster version 
@@ -181,20 +178,45 @@ jobs: - name: Approved run: echo "Tests approved to run" + # Single authorization decision for the whole run. Centralizes the trust + + # approval gate so every downstream job keys off one result + # (needs.authorize.result == 'success') instead of repeating the boolean. + # + # Runs unless the whole run was cancelled, then fails — blocking the run — when: + # - check-trust did not pass (fail-safe if the trust check itself errored), or + # - approval-gate did not pass (an external contributor's approval was + # rejected/'cancelled' or failed). + # 'skipped' is allowed: check-trust and approval-gate are skipped for trusted + # authors and for non-PR events (schedule, repository_dispatch, merge_group). + authorize: + name: Authorize + needs: [check-trust, approval-gate] + runs-on: ubuntu-24.04 + timeout-minutes: 5 + permissions: {} + if: ${{ !cancelled() }} + steps: + - name: Evaluate trust and approval + env: + CHECK_TRUST_RESULT: ${{ needs.check-trust.result }} + APPROVAL_GATE_RESULT: ${{ needs.approval-gate.result }} + run: | + if [ "${CHECK_TRUST_RESULT}" != "success" ] && [ "${CHECK_TRUST_RESULT}" != "skipped" ]; then + echo "::error::Blocked — trust check did not pass (result=${CHECK_TRUST_RESULT})." + exit 1 + fi + if [ "${APPROVAL_GATE_RESULT}" != "success" ] && [ "${APPROVAL_GATE_RESULT}" != "skipped" ]; then + echo "::error::Blocked — approval was not granted (result=${APPROVAL_GATE_RESULT})." + exit 1 + fi + echo "Authorized to proceed." + setup: name: Setup - needs: [check-trust, approval-gate] - # Run for all events. For PRs: - # - check-trust determines if the author is external - # - approval-gate runs only for external contributors and requires manual approval - # - If check-trust or approval-gate are skipped (non-PR events), setup proceeds - # For pull_request_target, require approval-gate to be 'success' or 'skipped' — block - # on 'cancelled' (rejected approval) to prevent running PR code with secrets. 
- if: | - !cancelled() && - (needs.check-trust.result == 'success' || needs.check-trust.result == 'skipped') && - (needs.approval-gate.result == 'success' || needs.approval-gate.result == 'skipped') && - (github.event_name != 'schedule' || github.repository == vars.RADIUS_REPOSITORY) + needs: [authorize] + # Gate on the single authorize decision; the schedule guard keeps scheduled + # runs limited to the canonical repository. + if: needs.authorize.result == 'success' && (github.event_name != 'schedule' || github.repository == vars.RADIUS_REPOSITORY) runs-on: ubuntu-24.04 timeout-minutes: 5 permissions: @@ -488,12 +510,7 @@ jobs: - name: Install yq # Required by make generate-bicep-types-contrib to parse defaults.yaml. - run: | - mkdir -p "${RUNNER_TEMP}/bin" - curl -fsSL "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -o "${RUNNER_TEMP}/bin/yq" - echo "${YQ_LINUX_AMD64_SHA256} ${RUNNER_TEMP}/bin/yq" | sha256sum -c - - chmod +x "${RUNNER_TEMP}/bin/yq" - echo "${RUNNER_TEMP}/bin" >> "${GITHUB_PATH}" + run: make install-yq - name: Generate Bicep extensibility types from OpenAPI specs env: @@ -501,12 +518,10 @@ jobs: run: | make generate-bicep-types VERSION="${BICEP_TYPES_VERSION}" - - name: Setup and verify bicep CLI - run: | - curl -Lo bicep https://github.com/Azure/bicep/releases/latest/download/bicep-linux-x64 - chmod +x ./bicep - sudo mv ./bicep /usr/local/bin/bicep - bicep --version + - name: Install bicep CLI + # Pinned version + checksum live in build/tools.mk (previously installed + # the unpinned 'latest', which could pull v0.43+). + run: make install-bicep - name: Login to Azure (for private test bicep-types ACR) uses: azure/login@532459ea530d8321f2fb9bb10d1e0bcf23869a43 # v3.0.0 diff --git a/.github/workflows/functional-test-noncloud.yaml b/.github/workflows/functional-test-noncloud.yaml index 5cab6ef2529..33b2221acbf 100644 --- a/.github/workflows/functional-test-noncloud.yaml 
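Review bot: The new `if:` on `setup` drops the `!cancelled()` status function that the removed expression had, so GitHub applies its implicit `success()` check to the job. As far as I know that check also considers ancestors reached through `authorize`, and the comment on `authorize` states that `check-trust` and `approval-gate` are skipped for trusted authors and non-PR events, which could leave `setup` skipped instead of run; this is worth confirming on a scheduled or trusted-author run. Keeping the function avoids the question and still fails closed when `authorize` fails: `if: ${{ !cancelled() && needs.authorize.result == 'success' && (github.event_name != 'schedule' || github.repository == vars.RADIUS_REPOSITORY) }}`. The same applies to any downstream job that keys off `needs.authorize.result`; those jobs and the rest of `setup` are outside this hunk.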
+++ b/.github/workflows/functional-test-noncloud.yaml @@ -50,9 +50,6 @@ on: permissions: {} env: - # yq version - YQ_VERSION: v4.44.3 - YQ_LINUX_AMD64_SHA256: a2c097180dd884a8d50c956ee16a9cec070f30a7947cf4ebf87d5f36213e9ed7 # Helm version HELM_VER: v4.2.2 # KinD cluster version @@ -95,9 +92,6 @@ env: GIT_HTTP_PASSWORD: not-a-secret-password # Kubernetes client QPS and Burst settings for high-concurrency CI environments RADIUS_QPS_AND_BURST: "800" - # Bicep CLI pinned: v0.40+ rejects br:localhost:5000/... (ThrowIfRegistryNotTrusted). - # Bump only after verifying localhost support or adding allowedUntrustedRegistries to bicepconfig.json. - BICEP_VER: v0.42.1 jobs: changes: @@ -255,12 +249,7 @@ jobs: - name: Install yq # Required by make generate-bicep-types-contrib to parse defaults.yaml. - run: | - mkdir -p "${RUNNER_TEMP}/bin" - curl -fsSL "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -o "${RUNNER_TEMP}/bin/yq" - echo "${YQ_LINUX_AMD64_SHA256} ${RUNNER_TEMP}/bin/yq" | sha256sum -c - - chmod +x "${RUNNER_TEMP}/bin/yq" - echo "${RUNNER_TEMP}/bin" >> "${GITHUB_PATH}" + run: make install-yq - name: Generate Bicep extensibility types from OpenAPI specs env: @@ -284,12 +273,9 @@ jobs: registry-server: ${{ env.LOCAL_REGISTRY_SERVER }} registry-port: ${{ env.LOCAL_REGISTRY_PORT }} - - name: Setup and verify bicep CLI - run: | - curl -Lo bicep "https://github.com/Azure/bicep/releases/download/${BICEP_VER}/bicep-linux-x64" - chmod +x ./bicep - sudo mv ./bicep /usr/local/bin/bicep - bicep --version + - name: Install bicep CLI + # Pinned version + checksum live in build/tools.mk. + run: make install-bicep - name: Publish bicep types env: diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index ac63bd4a483..15676d00e91 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml 
@@ -35,10 +35,6 @@ concurrency: group: lint-${{ github.event.pull_request.number || github.sha }} cancel-in-progress: true -env: - YQ_VERSION: v4.44.3 - YQ_LINUX_AMD64_SHA256: a2c097180dd884a8d50c956ee16a9cec070f30a7947cf4ebf87d5f36213e9ed7 - permissions: {} jobs: @@ -80,12 +76,7 @@ jobs: - name: Install yq # Required by make generate-bicep-types-contrib to parse defaults.yaml. - run: | - mkdir -p "${RUNNER_TEMP}/bin" - curl -fsSL "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -o "${RUNNER_TEMP}/bin/yq" - echo "${YQ_LINUX_AMD64_SHA256} ${RUNNER_TEMP}/bin/yq" | sha256sum -c - - chmod +x "${RUNNER_TEMP}/bin/yq" - echo "${RUNNER_TEMP}/bin" >> "${GITHUB_PATH}" + run: make install-yq - name: Install helm uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0 diff --git a/.github/workflows/publish-docs.yaml b/.github/workflows/publish-docs.yaml index 7f1ff577f70..b66b0c6b9fd 100644 --- a/.github/workflows/publish-docs.yaml +++ b/.github/workflows/publish-docs.yaml @@ -24,10 +24,6 @@ on: permissions: {} -env: - YQ_VERSION: v4.44.3 - YQ_LINUX_AMD64_SHA256: a2c097180dd884a8d50c956ee16a9cec070f30a7947cf4ebf87d5f36213e9ed7 - jobs: changes: name: Changes @@ -98,18 +94,13 @@ jobs: - name: Install yq # Required by make generate-bicep-types-contrib to parse defaults.yaml. - run: | - mkdir -p "${RUNNER_TEMP}/bin" - curl -fsSL "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -o "${RUNNER_TEMP}/bin/yq" - echo "${YQ_LINUX_AMD64_SHA256} ${RUNNER_TEMP}/bin/yq" | sha256sum -c - - chmod +x "${RUNNER_TEMP}/bin/yq" - echo "${RUNNER_TEMP}/bin" >> "${GITHUB_PATH}" + run: make install-yq + working-directory: radius # Generate Bicep docs - name: Generate Bicep docs - run: | - cd radius - make generate + run: make generate + working-directory: radius # Generate resource reference docs - name: Generate resource reference docs 
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index dd258339b7b..675f1774b01 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -52,12 +52,12 @@ jobs: with: persist-credentials: false + - name: Install yq + run: make install-yq + - name: Get supported versions from versions.yaml id: get-supported-versions - uses: mikefarah/yq@1b9b4ac5187171d2e5e3129be0cfa827c7f9d53d # v4.53.3 - with: - # Get a comma-separated list of supported versions - cmd: yq '.supported[].version' versions.yaml | tr '\n' ',' | sed 's/,$//' + run: echo "result=$(yq '.supported[].version' versions.yaml | tr '\n' ',' | sed 's/,$//')" >> "$GITHUB_OUTPUT" - name: Determine desired release version id: get-version @@ -237,12 +237,12 @@ jobs: GIT_USER_NAME: ${{ steps.bot-details.outputs.name }} GIT_USER_EMAIL: ${{ steps.bot-details.outputs.email }} + - name: Install yq + run: make install-yq + - name: Get supported versions from versions.yaml id: get-supported-versions - uses: mikefarah/yq@1b9b4ac5187171d2e5e3129be0cfa827c7f9d53d # v4.53.3 - with: - # Get a comma-separated list of supported versions - cmd: yq '.supported[].version' ./radius/versions.yaml | tr '\n' ',' | sed 's/,$//' + run: echo "result=$(yq '.supported[].version' ./radius/versions.yaml | tr '\n' ',' | sed 's/,$//')" >> "$GITHUB_OUTPUT" - name: Determine desired release version id: get-version diff --git a/.github/workflows/triage-bot.yaml b/.github/workflows/triage-bot.yaml index 2e21bc37b61..04ad57dc5c4 100644 --- a/.github/workflows/triage-bot.yaml +++ b/.github/workflows/triage-bot.yaml @@ -45,5 +45,5 @@ jobs: - uses: dessant/label-actions@65225c179d3b2502f6eda7b3d15101a3f412366b # v5.0.3 with: github-token: ${{ steps.get_installation_token.outputs.token }} - config-path: .github/triage-bot/triage-bot-config.yaml + config-path: .github/configs/label-actions.yaml process-only: issues 
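Review bot: In `Get supported versions from versions.yaml` the `yq` call sits inside a command substitution that is an argument to `echo`, so a failing or missing `yq` still lets the step succeed and writes an empty `result` to `$GITHUB_OUTPUT`. Whatever consumes `steps.get-supported-versions.outputs.result` would then work from an empty supported list during a release. Assigning first makes the failure stop the step: `set -euo pipefail`, then `versions="$(yq '.supported[].version' versions.yaml | tr '\n' ',' | sed 's/,$//')"` and `echo "result=${versions}" >> "$GITHUB_OUTPUT"`. The second hunk of this file (`@@ -237,12 +237,12 @@`) has the same pattern.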
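Review bot: `make install-yq` in this second job runs in the default working directory, while the next step reads `./radius/versions.yaml`, which suggests the repository is checked out under `radius/` here. If so, there is no Makefile at the workspace root and the step fails; `publish-docs.yaml` in this same commit adds `working-directory: radius` to its `Install yq` step for what looks like the same layout. Adding `working-directory: radius` to this step would match it. The checkout step is outside the hunk, so the path should be confirmed there.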
diff --git a/.github/workflows/unit-tests.yaml b/.github/workflows/unit-tests.yaml index cd27745e136..a4bb57e0791 100644 --- a/.github/workflows/unit-tests.yaml +++ b/.github/workflows/unit-tests.yaml @@ -24,7 +24,7 @@ on: permissions: {} concurrency: - group: ${{ format('{0}-{1}-{2}-{3}-{4}', github.workflow, github.event_name, github.event.pull_request.number || github.event.pull_request_target.number || github.ref, github.base_ref || null, github.head_ref || null) }} + group: ${{ format('{0}-{1}-{2}-{3}-{4}', github.workflow, github.event_name, github.event.pull_request.number || github.ref, github.base_ref || null, github.head_ref || null) }} cancel-in-progress: true jobs: diff --git a/.github/workflows/validate-bicep.yaml b/.github/workflows/validate-bicep.yaml index ef912d5bb2f..b9429a7978f 100644 --- a/.github/workflows/validate-bicep.yaml +++ b/.github/workflows/validate-bicep.yaml @@ -38,9 +38,6 @@ env: LOCAL_REGISTRY_SERVER: localhost # Local Docker registry port LOCAL_REGISTRY_PORT: "5000" - # Bicep CLI pinned: v0.43+ rejects br:localhost:5000/... (ThrowIfRegistryNotTrusted). - # Bump only after verifying localhost support or adding allowedUntrustedRegistries to bicepconfig.json. - BICEP_VER: v0.42.1 concurrency: # Cancel the previously triggered build for only PR build. 
@@ -77,24 +74,11 @@ jobs: go-version-file: go.mod cache: true - - name: Setup and verify bicep CLI - run: | - # Download bicep CLI - curl -Lo bicep "https://github.com/Azure/bicep/releases/download/${BICEP_VER}/bicep-linux-x64" - chmod +x ./bicep - - # Install in both locations for maximum compatibility - sudo mv ./bicep /usr/local/bin/bicep - - # Verify bicep works - bicep --version - - # Also ensure rad CLI can find bicep by creating the expected directory structure - mkdir -p ~/.rad/bin - cp /usr/local/bin/bicep ~/.rad/bin/bicep - - # Verify bicep also works - ~/.rad/bin/bicep --version + - name: Install bicep CLI + # Install into ~/.rad/bin so the rad CLI finds it; the script also adds + # the dir to PATH for subsequent steps. Pinned version + checksum live in + # build/tools.mk. + run: make install-bicep BICEP_INSTALL_DIR="$HOME/.rad/bin" - name: Create a temporary file system run: | diff --git a/.github/workflows/verify-resource-types.yaml b/.github/workflows/verify-resource-types.yaml index 88b71978820..8e24552ba2b 100644 --- a/.github/workflows/verify-resource-types.yaml +++ b/.github/workflows/verify-resource-types.yaml @@ -61,10 +61,6 @@ on: permissions: {} -env: - YQ_VERSION: v4.44.3 - YQ_LINUX_AMD64_SHA256: a2c097180dd884a8d50c956ee16a9cec070f30a7947cf4ebf87d5f36213e9ed7 - concurrency: group: verify-resource-types-${{ github.event.pull_request.number || github.sha }} cancel-in-progress: true @@ -87,12 +83,7 @@ jobs: go-version-file: go.mod - name: Install yq - run: | - mkdir -p "${RUNNER_TEMP}/bin" - curl -fsSL "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -o "${RUNNER_TEMP}/bin/yq" - echo "${YQ_LINUX_AMD64_SHA256} ${RUNNER_TEMP}/bin/yq" | sha256sum -c - - chmod +x "${RUNNER_TEMP}/bin/yq" - echo "${RUNNER_TEMP}/bin" >> "${GITHUB_PATH}" + run: make install-yq # Re-run the copy step (without bumping the version) to regenerate the # manifest files from the module version pinned in go.mod. 
diff --git a/CODEOWNERS b/CODEOWNERS deleted file mode 100644 index 4e008a6d178..00000000000 --- a/CODEOWNERS +++ /dev/null @@ -1 +0,0 @@ -# See the owners for this repo at .github/CODEOWNERS \ No newline at end of file diff --git a/Makefile b/Makefile index 6ee912c191a..aeaa291be4a 100644 --- a/Makefile +++ b/Makefile @@ -17,4 +17,4 @@ ARROW := \033[34;1m=>\033[0m # order matters for these -include build/help.mk build/version.mk build/build.mk build/generate.mk build/test.mk build/docker.mk build/artifacts.mk build/recipes.mk build/install.mk build/db.mk build/prettier.mk build/spellcheck.mk build/debug.mk build/workflow.mk build/resource-types.mk +include build/help.mk build/version.mk build/build.mk build/generate.mk build/test.mk build/docker.mk build/artifacts.mk build/recipes.mk build/install.mk build/db.mk build/prettier.mk build/spellcheck.mk build/debug.mk build/workflow.mk build/resource-types.mk build/tools.mk diff --git a/build/build.mk b/build/build.mk index ef4e72e547b..ae1e83c09fc 100644 --- a/build/build.mk +++ b/build/build.mk @@ -4,7 +4,7 @@ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at -# +# # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software @@ -92,7 +92,7 @@ endef # $(2): the ARCH # $(3): the binary name for the target # $(4): the binary main directory -# +# # Note: testrp and magpiego have their own modules. # That is why we need to change the directory to the binary main directory as we do on line 101. # Otherwise we get the following error: 
@@ -167,7 +167,8 @@ define generateBicepBuildTarget build-bicep-$(1)-$(2): $(eval BINS_OUT_DIR_$(1)_$(2) := $(OUT_DIR)/$(1)_$(2)/$(BUILDTYPE_DIR)) @echo "$(ARROW) Building bicep container on $(1)/$(2) to $(BINS_OUT_DIR_$(1)_$(2))/bicep" - ./build/install-bicep.sh $(REL_CHANNEL) $(BINS_OUT_DIR_$(1)_$(2))/bicep $(2) + BICEP_VERSION="$$(BICEP_VERSION)" BICEP_CHECKSUM_LINUX_AMD64="$$(BICEP_CHECKSUM_LINUX_AMD64)" BICEP_CHECKSUM_LINUX_ARM64="$$(BICEP_CHECKSUM_LINUX_ARM64)" BICEP_OS=linux BICEP_ARCH=$(2) bash build/scripts/install-bicep.sh $(BINS_OUT_DIR_$(1)_$(2))/bicep + ./build/scripts/generate-bicepconfig.sh $(REL_CHANNEL) $(BINS_OUT_DIR_$(1)_$(2))/bicep endef # Generate bicep build targets for each combination of OS and ARCH diff --git a/build/generate.mk b/build/generate.mk index 7ddf75e7280..dbc93032b22 100644 --- a/build/generate.mk +++ b/build/generate.mk @@ -176,8 +176,6 @@ generate-go: ## Generates go with 'go generate' (Mocks). # # Per-type manifest files live under deploy/manifest/built-in-providers/self-hosted/ # as individual YAML files (e.g. containers.yaml, routes.yaml). -YQ_VERSION ?= v4.44.3 - DEFAULTS_YAML := deploy/manifest/defaults.yaml BICEP_TYPES_CONTRIB_API_VERSION ?= 2025-08-01-preview BICEP_TYPES_OUTPUT_BASE := hack/bicep-types-radius/generated/radius @@ -200,7 +198,7 @@ generate-bicep-types-core: generate-node-installed generate-pnpm-installed ## Ge .PHONY: generate-yq-installed generate-yq-installed: @echo "$(ARROW) Detecting yq..." - @which yq > /dev/null || { echo "run 'go install github.com/mikefarah/yq/v4@$(YQ_VERSION)' to install yq, then ensure ~/go/bin is on your PATH"; exit 1; } + @which yq > /dev/null || { echo "yq not found. Run 'make install-yq' to install the pinned version into a user-owned bin dir."; exit 1; } @echo "$(ARROW) OK" .PHONY: generate-bicep-types-contrib diff --git a/build/install-bicep.sh b/build/install-bicep.sh deleted file mode 100755 index 720cbefecd5..00000000000 --- a/build/install-bicep.sh +++ /dev/null 
@@ -1,77 +0,0 @@ -#!/bin/bash - -# This script installs the latest version of the Bicep CLI -# and creates a configuration file for Bicep with the specified release channel. -# This is used to build the Bicep container image, and is called automatically -# by the `make build-bicep` and `make docker-build-bicep` commands. - -# Usage: ./install-bicep.sh -# Example: ./install-bicep.sh edge ./output amd64 - -REL_CHANNEL=$1 -OUTPUT_DIR=$2 -ARCH=$3 - -if [ -z "$REL_CHANNEL" ]; then - echo "Release channel is required. Please provide it as the first argument." - exit 1 -fi - -if [ -z "$OUTPUT_DIR" ]; then - echo "Output directory is required. Please provide it as the second argument." - exit 1 -fi - -if [ -z "$ARCH" ]; then - echo "Architecture is required. Please provide it as the third argument." - exit 1 -fi - -# Radius Bicep types uses latest tag -if [ "$REL_CHANNEL" = "edge" ]; then - REL_CHANNEL="latest" -fi - -# Check if curl is installed -if ! command -v curl &> /dev/null -then - echo "curl could not be found, please install it first." - exit 1 -fi - -# Create versioned bicepconfig.json -mkdir -p "$OUTPUT_DIR" -cat < $OUTPUT_DIR/bicepconfig.json -{ - "extensions": { - "radius": "br:biceptypes.azurecr.io/radius:${REL_CHANNEL}", - "aws": "br:biceptypes.azurecr.io/aws:${REL_CHANNEL}" - } -} -EOF - -# Bicep CLI uses x64 or arm64 -BICEP_ARCH="x64" -if [ "$ARCH" = "arm64" ]; then - BICEP_ARCH="arm64" -fi - -# Bicep CLI version. Pinned because Bicep v0.43+ tightened -# ContainerRegistryClientFactory.ThrowIfRegistryNotTrusted to reject br:localhost:5000/... targets, -# breaking publish-extension to local registries used by our CI and local dev workflows. -BICEP_VER="v0.42.1" - -# Check if bicep binary already exists in the target location -if [ -f "$OUTPUT_DIR/bicep" ]; then - echo "Bicep CLI already exists at $OUTPUT_DIR/bicep, skipping download." -else - echo "Downloading Bicep CLI ${BICEP_VER}..." - if ! 
curl -Lo bicep "https://github.com/Azure/bicep/releases/download/${BICEP_VER}/bicep-linux-${BICEP_ARCH}"; then - echo "Failed to download Bicep CLI. Please check your internet connection or the URL." - exit 1 - fi - - chmod +x bicep - mv bicep "$OUTPUT_DIR"/bicep - echo "Bicep CLI installed successfully at $OUTPUT_DIR/bicep" -fi diff --git a/build/resource-types.mk b/build/resource-types.mk index b9e921d00b6..896ab3adeb5 100644 --- a/build/resource-types.mk +++ b/build/resource-types.mk @@ -76,7 +76,7 @@ update-resource-types: ## Bump resource-types-contrib to latest and sync manifes .PHONY: sync-resource-types sync-resource-types: ## Copy manifest files listed in defaults.yaml from the pinned resource-types-contrib version @# Verify required tools are available before making any changes. - @command -v yq >/dev/null 2>&1 || { echo "ERROR: yq is required but not found. Install via: go install github.com/mikefarah/yq/v4@latest"; exit 1; } + @command -v yq >/dev/null 2>&1 || { echo "ERROR: yq is required but not found. Install via: make install-yq"; exit 1; } @command -v jq >/dev/null 2>&1 || { echo "ERROR: jq is required but not found. Install via: brew install jq (macOS) or apt-get install jq (Linux)"; exit 1; } @echo "Syncing default resource types from resource-types-contrib..." @# Resolve the module's local cache directory from the version pinned in diff --git a/build/scripts/generate-bicepconfig.sh b/build/scripts/generate-bicepconfig.sh new file mode 100755 index 00000000000..23e8b27c696 --- /dev/null +++ b/build/scripts/generate-bicepconfig.sh 
@@ -0,0 +1,38 @@ +#!/bin/bash + +# Generates the versioned bicepconfig.json used by the Bicep container image, +# pointing the Radius and AWS Bicep extensions at the registry tag for the given +# release channel. The Bicep CLI binary itself is installed separately by +# build/scripts/install-bicep.sh, the single source of truth for that. +# +# Usage: ./gen-bicepconfig.sh +# Example: ./gen-bicepconfig.sh edge ./output + +REL_CHANNEL=$1 +OUTPUT_DIR=$2 + +if [ -z "$REL_CHANNEL" ]; then + echo "Release channel is required. Please provide it as the first argument." + exit 1 +fi + +if [ -z "$OUTPUT_DIR" ]; then + echo "Output directory is required. Please provide it as the second argument." + exit 1 +fi + +# Radius Bicep types uses latest tag +if [ "$REL_CHANNEL" = "edge" ]; then + REL_CHANNEL="latest" +fi + +# Create versioned bicepconfig.json +mkdir -p "${OUTPUT_DIR}" +cat < "${OUTPUT_DIR}/bicepconfig.json" +{ + "extensions": { + "radius": "br:biceptypes.azurecr.io/radius:${REL_CHANNEL}", + "aws": "br:biceptypes.azurecr.io/aws:${REL_CHANNEL}" + } +} +EOF diff --git a/build/scripts/install-bicep.sh b/build/scripts/install-bicep.sh new file mode 100755 index 00000000000..c57e7cb37c7 --- /dev/null +++ b/build/scripts/install-bicep.sh 
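Review bot: This script has no `set -euo pipefail`, unlike `install-bicep.sh` and `install-yq.sh` added alongside it, so a failed `mkdir -p` is only caught indirectly when the later write to `${OUTPUT_DIR}/bicepconfig.json` fails. Adding `set -euo pipefail` after the shebang needs the argument reads changed to `REL_CHANNEL="${1:-}"` and `OUTPUT_DIR="${2:-}"` so the existing empty-argument messages still fire. The usage header names `./gen-bicepconfig.sh` while the file is `generate-bicepconfig.sh`, and it omits the two arguments. `REL_CHANNEL` is written into the JSON unescaped, so a short comment that it must be a plain tag string would document that assumption.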
@@ -0,0 +1,191 @@ +#!/usr/bin/env bash + +set -euo pipefail + +# Installs the Bicep CLI into a user-owned directory (no sudo) for the current +# platform. Works on linux and darwin, amd64 and arm64, for both CI and local +# development; under GitHub Actions the install dir is added to the job PATH so +# later steps can run bicep. +# +# The pinned version and per-platform SHA-256 checksums are normally provided by +# build/tools.mk through the environment. The script is generic, so when a value +# is not supplied it is resolved at runtime: +# * empty BICEP_VERSION -> the latest published release +# * missing checksum for platform -> install without verification (a warning is +# printed; Azure/bicep publishes no checksums file to fall back to) +# +# Usage: install-bicep.sh [install_dir] +# +# Environment (all optional): +# BICEP_VERSION Release tag, e.g. v0.42.1. Empty selects latest. +# BICEP_CHECKSUM__ SHA-256 for that platform (e.g. +# BICEP_CHECKSUM_LINUX_AMD64). +# BICEP_OS / BICEP_ARCH Override the target platform (default: host). +# Used to stage a binary for another architecture, +# e.g. the multi-arch bicep container image build. +# When the target is not the host, the post-install +# run check and PATH export are skipped. +# BICEP_INSTALL_DIR Install directory. Default: $HOME/.local/bin. +# GITHUB_TOKEN If set, authenticates GitHub requests (higher +# rate limits; required for private repositories). + +readonly REPO="Azure/bicep" +readonly RELEASES_URL="https://github.com/${REPO}/releases" + +log() { echo "[install-bicep] $*" >&2; } +fail() { + echo "[install-bicep] ERROR: $*" >&2 + exit 1 +} + +# Temporary working directory for downloads, removed on exit. Uses an explicit +# 'if' (not '&&') so the function returns 0 when WORKDIR is unset; otherwise the +# failing test would become the EXIT trap's status and abort an otherwise +# successful run, e.g. the early return when the tool is already installed. 
+WORKDIR="" +cleanup() { + if [ -n "${WORKDIR:-}" ] && [ -d "${WORKDIR}" ]; then + rm -rf "${WORKDIR}" + fi +} + +# curl wrapper for GitHub requests: enforces HTTPS + TLS 1.2, sets a User-Agent, +# and adds an Authorization header when GITHUB_TOKEN is set (raises API rate +# limits and allows private repositories). curl drops the Authorization header on +# cross-host redirects, so the token is not sent to the download CDN. The array is +# seeded with the User-Agent so it is never empty -- expanding an empty array +# under 'set -u' is an error on bash 3.2 (macOS). +gh_curl() { + local headers=(-H "User-Agent: ${REPO##*/}-installer") + if [ -n "${GITHUB_TOKEN:-}" ]; then + headers+=(-H "Authorization: Bearer ${GITHUB_TOKEN}") + fi + curl --proto '=https' --tlsv1.2 "${headers[@]}" "$@" +} + +detect_os() { + case "$(uname -s)" in + Linux) echo "linux" ;; + Darwin) echo "darwin" ;; + *) fail "unsupported OS '$(uname -s)' (supported: Linux, Darwin)" ;; + esac +} + +detect_arch() { + case "$(uname -m)" in + x86_64 | amd64) echo "amd64" ;; + aarch64 | arm64) echo "arm64" ;; + *) fail "unsupported architecture '$(uname -m)' (supported: amd64, arm64)" ;; + esac +} + +# Resolve the latest release tag by following the /releases/latest redirect. +# Avoids the GitHub API (no token, no rate limit). 
+resolve_latest_version() { + local effective_url + effective_url="$(gh_curl -fsSLI -o /dev/null -w '%{url_effective}' "${RELEASES_URL}/latest")" \ + || fail "could not resolve the latest bicep version" + printf '%s\n' "${effective_url##*/tag/}" +} + +verify_checksum() { + local expected="$1" file="$2" + if command -v sha256sum >/dev/null 2>&1; then + echo "${expected} ${file}" | sha256sum -c - >/dev/null + elif command -v shasum >/dev/null 2>&1; then + echo "${expected} ${file}" | shasum -a 256 -c - >/dev/null + else + fail "neither sha256sum nor shasum is available for checksum verification" + fi +} + +main() { + local install_dir host_os host_arch os arch platform asset checksum version runnable + + command -v curl >/dev/null 2>&1 || fail "curl is required but was not found" + + install_dir="${1:-${BICEP_INSTALL_DIR:-}}" + [ -n "$install_dir" ] || install_dir="${HOME}/.local/bin" + + # Default to the host platform; BICEP_OS/BICEP_ARCH override the target so the + # bicep container image build can stage a binary for another architecture. + host_os="$(detect_os)" + host_arch="$(detect_arch)" + os="${BICEP_OS:-$host_os}" + arch="${BICEP_ARCH:-$host_arch}" + platform="${os}_${arch}" + + # Map the platform to the bicep release asset and its checksum. Bicep names + # assets bicep-- with os in {linux,osx}, arch in {x64,arm64}; it has + # no linux 32-bit build, so linux/arm falls back to the x64 binary. 
+ case "$platform" in + linux_amd64) asset="bicep-linux-x64"; checksum="${BICEP_CHECKSUM_LINUX_AMD64:-}" ;; + linux_arm64) asset="bicep-linux-arm64"; checksum="${BICEP_CHECKSUM_LINUX_ARM64:-}" ;; + linux_arm) asset="bicep-linux-x64"; checksum="${BICEP_CHECKSUM_LINUX_AMD64:-}" ;; + darwin_amd64) asset="bicep-osx-x64"; checksum="${BICEP_CHECKSUM_DARWIN_AMD64:-}" ;; + darwin_arm64) asset="bicep-osx-arm64"; checksum="${BICEP_CHECKSUM_DARWIN_ARM64:-}" ;; + *) fail "unsupported platform '${platform}'" ;; + esac + + # The downloaded binary is runnable here only when it targets the host. + if [ "$os" = "$host_os" ] && [ "$arch" = "$host_arch" ]; then + runnable=true + else + runnable=false + fi + + # Normalize the requested version: strip whitespace, treat empty as the latest + # release, and accept a bare number (0.42.1) as well as a tag (v0.42.1). + version="${BICEP_VERSION:-}" + version="${version//[[:space:]]/}" + if [ -z "$version" ]; then + log "resolving latest bicep version..." + version="$(resolve_latest_version)" + elif [ "${version#[0-9]}" != "$version" ]; then + version="v${version}" + fi + [ -n "$version" ] || fail "could not determine the bicep version to install" + + # Skip if already present in the target directory, verifying the version when + # the binary can run on this host. + if [ -x "${install_dir}/bicep" ]; then + if ! $runnable; then + log "bicep already present at ${install_dir}/bicep" + return 0 + elif "${install_dir}/bicep" --version 2>/dev/null | grep -q "${version#v}"; then + log "bicep ${version} already installed: ${install_dir}/bicep" + return 0 + fi + fi + + WORKDIR="$(mktemp -d)" + + log "downloading ${asset} ${version}..." + gh_curl -fsSL "${RELEASES_URL}/download/${version}/${asset}" -o "${WORKDIR}/bicep" \ + || fail "could not download ${asset} ${version}" + + # Azure/bicep does not publish checksums, so verification only happens when a + # pinned checksum is supplied (the common case via build/tools.mk). 
+ if [ -n "$checksum" ]; then + verify_checksum "$checksum" "${WORKDIR}/bicep" + else + log "WARNING: no checksum supplied for ${platform}; installing without verification." + fi + chmod 0755 "${WORKDIR}/bicep" + + mkdir -p "$install_dir" + mv "${WORKDIR}/bicep" "${install_dir}/bicep" + log "installed bicep ${version} (${asset}) to ${install_dir}/bicep" + + # Verify it runs and expose it on PATH only when it targets the host. + if $runnable; then + "${install_dir}/bicep" --version >/dev/null 2>&1 \ + || fail "installed bicep failed to run (${install_dir}/bicep)" + if [ -n "${GITHUB_PATH:-}" ]; then + echo "$install_dir" >> "$GITHUB_PATH" + fi + fi +} + +trap cleanup EXIT +main "$@" diff --git a/build/scripts/install-yq.sh b/build/scripts/install-yq.sh new file mode 100755 index 00000000000..639b4e4bb34 --- /dev/null +++ b/build/scripts/install-yq.sh 
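Review bot: `main` installs without any integrity check when the platform's checksum variable is empty, and resolves `latest` when `BICEP_VERSION` is empty, so a renamed or unexported variable in `build/tools.mk` silently turns the pinned, verified CI install into an unpinned, unverified one with only a log warning. Failing closed under CI keeps the guarantee the workflows rely on, for example in the `else` branch: `if [ -n "${GITHUB_ACTIONS:-}" ]; then fail "no checksum supplied for ${platform}"; fi`, with a matching guard before `resolve_latest_version`. The already-present shortcut has a related gap: an existing `${install_dir}/bicep` is accepted on a `--version` substring match, or on mere presence when the target is not the host, without being compared to the supplied checksum; calling `verify_checksum` on the existing file when `$checksum` is set would close that and also refresh a stale cross-arch binary after a version bump. The callers that pass these variables (`build/build.mk`, `make install-bicep`) are outside this hunk.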
@@ -0,0 +1,179 @@ +#!/usr/bin/env bash + +set -euo pipefail + +# Installs the yq YAML processor into a user-owned directory (no sudo) for the +# current platform. Works on linux and darwin, amd64 and arm64, for both CI and +# local development; under GitHub Actions the install dir is added to the job +# PATH so later steps can run yq. +# +# The pinned version and per-platform SHA-256 checksums are normally provided by +# build/tools.mk through the environment. The script is generic, so when a value +# is not supplied it is resolved at runtime: +# * empty YQ_VERSION -> the latest published release +# * missing checksum for platform -> read from the release's own checksums file +# +# Usage: install-yq.sh [install_dir] +# +# Environment (all optional): +# YQ_VERSION Release tag, e.g. v4.53.3. Empty selects latest. +# YQ_CHECKSUM__ SHA-256 for that platform (e.g. +# YQ_CHECKSUM_LINUX_AMD64). Empty fetches it from the +# release's published checksums file. +# YQ_INSTALL_DIR Install directory. Default: $HOME/.local/bin. +# GITHUB_TOKEN If set, authenticates GitHub requests (higher rate +# limits; required for private repositories). + +readonly REPO="mikefarah/yq" +readonly RELEASES_URL="https://github.com/${REPO}/releases" + +log() { echo "[install-yq] $*" >&2; } +fail() { + echo "[install-yq] ERROR: $*" >&2 + exit 1 +} + +# Temporary working directory for downloads, removed on exit. Uses an explicit +# 'if' (not '&&') so the function returns 0 when WORKDIR is unset; otherwise the +# failing test would become the EXIT trap's status and abort an otherwise +# successful run, e.g. the early return when the tool is already installed. +WORKDIR="" +cleanup() { + if [ -n "${WORKDIR:-}" ] && [ -d "${WORKDIR}" ]; then + rm -rf "${WORKDIR}" + fi +} + +# curl wrapper for GitHub requests: enforces HTTPS + TLS 1.2, sets a User-Agent, +# and adds an Authorization header when GITHUB_TOKEN is set (raises API rate +# limits and allows private repositories). 
curl drops the Authorization header on +# cross-host redirects, so the token is not sent to the download CDN. The array is +# seeded with the User-Agent so it is never empty -- expanding an empty array +# under 'set -u' is an error on bash 3.2 (macOS). +gh_curl() { + local headers=(-H "User-Agent: ${REPO##*/}-installer") + if [ -n "${GITHUB_TOKEN:-}" ]; then + headers+=(-H "Authorization: Bearer ${GITHUB_TOKEN}") + fi + curl --proto '=https' --tlsv1.2 "${headers[@]}" "$@" +} + +detect_os() { + case "$(uname -s)" in + Linux) echo "linux" ;; + Darwin) echo "darwin" ;; + *) fail "unsupported OS '$(uname -s)' (supported: Linux, Darwin)" ;; + esac +} + +detect_arch() { + case "$(uname -m)" in + x86_64 | amd64) echo "amd64" ;; + aarch64 | arm64) echo "arm64" ;; + *) fail "unsupported architecture '$(uname -m)' (supported: amd64, arm64)" ;; + esac +} + +# Resolve the latest release tag by following the /releases/latest redirect. +# Avoids the GitHub API (no token, no rate limit). +resolve_latest_version() { + local effective_url + effective_url="$(gh_curl -fsSLI -o /dev/null -w '%{url_effective}' "${RELEASES_URL}/latest")" \ + || fail "could not resolve the latest yq version" + printf '%s\n' "${effective_url##*/tag/}" +} + +# Print the SHA-256 of an asset, read from the release's own checksums. yq +# publishes 'checksums' (one row per asset, many hash columns) alongside +# 'checksums_hashes_order' (the algorithm name for each column). 
+checksum_from_release() { + local version="$1" asset="$2" order_index + gh_curl -fsSL "${RELEASES_URL}/download/${version}/checksums_hashes_order" -o "${WORKDIR}/order" \ + || fail "could not download checksums_hashes_order for ${version}" + gh_curl -fsSL "${RELEASES_URL}/download/${version}/checksums" -o "${WORKDIR}/checksums" \ + || fail "could not download checksums for ${version}" + order_index="$(grep -n '^SHA-256$' "${WORKDIR}/order" | head -n1 | cut -d: -f1)" \ + || fail "SHA-256 column not found in checksums_hashes_order" + # Column 1 is the filename; hash N is in column N+1. + awk -v asset="$asset" -v col="$((order_index + 1))" \ + '$1 == asset { print $col }' "${WORKDIR}/checksums" +} + +verify_checksum() { + local expected="$1" file="$2" + if command -v sha256sum >/dev/null 2>&1; then + echo "${expected} ${file}" | sha256sum -c - >/dev/null + elif command -v shasum >/dev/null 2>&1; then + echo "${expected} ${file}" | shasum -a 256 -c - >/dev/null + else + fail "neither sha256sum nor shasum is available for checksum verification" + fi +} + +main() { + local install_dir os arch platform asset version checksum + + command -v curl >/dev/null 2>&1 || fail "curl is required but was not found" + + install_dir="${1:-${YQ_INSTALL_DIR:-}}" + [ -n "$install_dir" ] || install_dir="${HOME}/.local/bin" + + os="$(detect_os)" + arch="$(detect_arch)" + platform="${os}_${arch}" + asset="yq_${platform}" + + # Normalize the requested version: strip whitespace, treat empty as the + # latest release, and accept a bare number (4.53.3) as well as a tag (v4.53.3). + version="${YQ_VERSION:-}" + version="${version//[[:space:]]/}" + if [ -z "$version" ]; then + log "resolving latest yq version..." 
+ version="$(resolve_latest_version)" + elif [ "${version#[0-9]}" != "$version" ]; then + version="v${version}" + fi + [ -n "$version" ] || fail "could not determine the yq version to install" + + if command -v yq >/dev/null 2>&1 && yq --version 2>/dev/null | grep -q "${version#v}"; then + log "yq ${version} already installed: $(command -v yq)" + return 0 + fi + + WORKDIR="$(mktemp -d)" + + # Expected checksum: prefer the value supplied for this platform, otherwise + # read it from the release's own published checksums. + case "$platform" in + linux_amd64) checksum="${YQ_CHECKSUM_LINUX_AMD64:-}" ;; + linux_arm64) checksum="${YQ_CHECKSUM_LINUX_ARM64:-}" ;; + darwin_amd64) checksum="${YQ_CHECKSUM_DARWIN_AMD64:-}" ;; + darwin_arm64) checksum="${YQ_CHECKSUM_DARWIN_ARM64:-}" ;; + *) checksum="" ;; + esac + if [ -z "$checksum" ]; then + log "no checksum supplied for ${platform}; reading it from the ${version} release..." + checksum="$(checksum_from_release "$version" "$asset")" + fi + [ -n "$checksum" ] || fail "could not determine the SHA-256 checksum for ${asset} ${version}" + + log "downloading ${asset} ${version}..." + gh_curl -fsSL "${RELEASES_URL}/download/${version}/${asset}" -o "${WORKDIR}/yq" \ + || fail "could not download ${asset} ${version}" + verify_checksum "$checksum" "${WORKDIR}/yq" + chmod 0755 "${WORKDIR}/yq" + + mkdir -p "$install_dir" + mv "${WORKDIR}/yq" "${install_dir}/yq" + "${install_dir}/yq" --version >/dev/null 2>&1 \ + || fail "installed yq failed to run (${install_dir}/yq)" + log "installed yq ${version} to ${install_dir}/yq" + + # Make yq available to later GitHub Actions steps. + if [ -n "${GITHUB_PATH:-}" ]; then + echo "$install_dir" >> "$GITHUB_PATH" + fi +} + +trap cleanup EXIT +main "$@" diff --git a/build/tools.mk b/build/tools.mk new file mode 100644 index 00000000000..7dc7664cb35 --- /dev/null +++ b/build/tools.mk 
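Review bot: The fallback in `main` that fills an empty `checksum` from `checksum_from_release` only proves that the download matches a file served from the same release as the binary, so it detects corruption but not a replaced or tampered release asset. Only the values pinned in build/tools.mk give an independent check, yet this path is logged as routine information, while install-bicep.sh in the same commit logs a `WARNING:` for its unpinned path. I would make the weaker guarantee visible, e.g. `log "WARNING: no pinned checksum for ${platform}; trusting the ${version} release's own checksums file (same origin as the binary)."`, and consider failing instead of falling back when the script runs in CI. The header comment line "missing checksum for platform -> read from the release's own checksums file" should carry the same caveat.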
@@ -0,0 +1,59 @@
+# ------------------------------------------------------------
+# Copyright 2023 The Radius Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ------------------------------------------------------------
+
+##@ Tools
+
+# yq - pinned version and per-platform SHA-256 checksums consumed by
+# build/scripts/install-yq.sh. The script is generic: clear YQ_VERSION to install
+# the latest release, and clear a checksum to have it read from the release's own
+# published checksums file. Keep the checksums in sync when bumping YQ_VERSION.
+YQ_VERSION ?= v4.53.3
+YQ_CHECKSUM_LINUX_AMD64 ?= fa52a4e758c63d38299163fbdd1edfb4c4963247918bf9c1c5d31d84789eded4
+YQ_CHECKSUM_LINUX_ARM64 ?= 578648e463a11c1b6db6010cbf41eafed6bee79466fcffa1bb446672cf7945ea
+YQ_CHECKSUM_DARWIN_AMD64 ?= b4ba1ecce3c47f00803f4f964de38394326c7a32eb6540616e04fb2935a0f08d
+YQ_CHECKSUM_DARWIN_ARM64 ?= 877de31753a4dd2401aa048937aa9a7fc4d5f6ce858cf31508c5802954297213
+
+.PHONY: install-yq
+install-yq: ## Install the pinned yq YAML processor into a user-owned bin dir (no sudo).
+ @YQ_VERSION="$(YQ_VERSION)" \
+ YQ_CHECKSUM_LINUX_AMD64="$(YQ_CHECKSUM_LINUX_AMD64)" \
+ YQ_CHECKSUM_LINUX_ARM64="$(YQ_CHECKSUM_LINUX_ARM64)" \
+ YQ_CHECKSUM_DARWIN_AMD64="$(YQ_CHECKSUM_DARWIN_AMD64)" \
+ YQ_CHECKSUM_DARWIN_ARM64="$(YQ_CHECKSUM_DARWIN_ARM64)" \
+ YQ_INSTALL_DIR="$(YQ_INSTALL_DIR)" \
+ ./build/scripts/install-yq.sh
+
+# bicep CLI - pinned version and per-platform SHA-256 checksums consumed by
+# build/scripts/install-bicep.sh. Pinned to v0.42.1: v0.43+ rejects br:localhost
+# registries used by the local functional tests; bump only after verifying
+# localhost support. Azure/bicep publishes no checksums file, so these are
+# computed from the pinned release - recompute them (download each
+# bicep-- asset and sha256sum it) when bumping BICEP_VERSION.
+BICEP_VERSION ?= v0.42.1
+BICEP_CHECKSUM_LINUX_AMD64 ?= aed90eb2c69a6ee2bd70dc0d4354408ac4d04fd9911d3ec8e0cd74ad173e7139
+BICEP_CHECKSUM_LINUX_ARM64 ?= b01ac3bb5259096dfbe548138a538d1c4e4a55e6f87f3827e2299fbc2d4e6796
+BICEP_CHECKSUM_DARWIN_AMD64 ?= 8219bfd0601a514cc0a814b4b194aed588f4efa68b7c7ac7c9b64f3d84713dd7
+BICEP_CHECKSUM_DARWIN_ARM64 ?= 1c66533af4d4d47f875623d88074d28ca7fe7e9dc1f783a62570e8724700aca1
+
+.PHONY: install-bicep
+install-bicep: ## Install the pinned Bicep CLI into a user-owned bin dir (no sudo).
+ @BICEP_VERSION="$(BICEP_VERSION)" \
+ BICEP_CHECKSUM_LINUX_AMD64="$(BICEP_CHECKSUM_LINUX_AMD64)" \
+ BICEP_CHECKSUM_LINUX_ARM64="$(BICEP_CHECKSUM_LINUX_ARM64)" \
+ BICEP_CHECKSUM_DARWIN_AMD64="$(BICEP_CHECKSUM_DARWIN_AMD64)" \
+ BICEP_CHECKSUM_DARWIN_ARM64="$(BICEP_CHECKSUM_DARWIN_ARM64)" \
+ BICEP_INSTALL_DIR="$(BICEP_INSTALL_DIR)" \
+ ./build/scripts/install-bicep.sh
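Review bot: The yq comment says to "clear YQ_VERSION to install the latest release", but the `install-yq` recipe still exports the four `YQ_CHECKSUM_*` values pinned for v4.53.3, so verification would be expected to fail for any other release unless the checksums are overridden or cleared as well. Clearing a checksum has different consequences for the two tools and the comments should say so: install-yq.sh then reads the hash from the release's own checksums file, while install-bicep.sh installs with a warning and no verification. Suggested wording for the yq block is `# Overriding YQ_VERSION requires overriding or clearing YQ_CHECKSUM_* too; a cleared checksum is verified only against the release's own checksums file.` and for the bicep block `# Clearing a BICEP_CHECKSUM_* value installs that binary unverified.` Since every pin uses `?=`, an inherited environment variable of the same name silently replaces it, so CI jobs should not export these names unintentionally.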