radius-project · DariuszPorowski · Jun 25, 2026 · Jun 25, 2026 · Jun 25, 2026 · Jun 25, 2026
@@ -18,7 +18,6 @@
 #
 # See: https://github.com/dessant/label-actions for documentation.
 
-
 # Creation labels
 ---
 bug:
@@ -49,7 +48,6 @@ maintenance:
 
     _For more information on our triage process please visit our [triage overview](https://github.com/radius-project/radius/blob/main/docs/contributing/triage/triage-process.md)_
 
-
 # Processing labels
 
 needs-more-information:
@@ -78,7 +76,7 @@ important:
 
     _For more information on our triage process please visit our [triage overview](https://github.com/radius-project/radius/blob/main/docs/contributing/triage/triage-process.md)_
 
-'good first issue':
+"good first issue":
   comment: |
     This issue is a great one to pickup for new contributors. It should only require small changes and not assume a deep knowledge of the Radius architecture.
 

@@ -5,6 +5,12 @@ name: Changes
 on:
   workflow_call:
     inputs:
+      # The default list enumerates paths that can NEVER affect the outcome of
+      # the heavy CI workflows that consume this one (build, unit-tests, lint,
+      # validate-bicep, functional tests, reference-docs). When ONLY these paths
+      # change, `only_changed` is `true` and those workflows are skipped. Only
+      # add a pattern here if a change to it cannot break compilation, tests,
+      # linting, bicep validation, functional tests, or generated reference docs.
       files:
         description: File patterns to detect changes
         required: false
@@ -14,27 +20,41 @@ on:
           .github/*.md
           docs/**/*.md
           docs/*.md
+          docs/**/*.png
+          docs/**/*.svg
           eng/design-notes/**/*.md
           eng/design-notes/**/*.png
+          eng/design-notes/**/*.svg
           specs/**/*.md
           test/**/*.md
           test/*.md
           *.md
+          LICENSE
+          .gitignore
           .cspellignore
           versions.yaml
           !docs/release-notes/v*.md
           .codecov.yml
           .devcontainer/**
+          grafana/**
+          .github/CODEOWNERS
           .github/configs/**
           .github/linters/**
           .github/dependabot.yml
           .github/ISSUE_TEMPLATE/**
           .github/release.yml
           .github/runners/**
           .github/triage-bot/**
+          .github/workflows/c9k-failure-report.yml
+          .github/workflows/c9k-nightly.yml
           .github/workflows/close-stale-prs.yml
+          .github/workflows/contrib-update-resource-types.yaml
+          .github/workflows/dependabot-manager.yml
           .github/workflows/devcontainer-feature-release.yaml
           .github/workflows/devcontainer-feature-test.yaml
+          .github/workflows/issue-metrics.yml
+          .github/workflows/long-running-azure.yaml
+          .github/workflows/nightly-rad-CLI-tests.yaml
           .github/workflows/publish-*.yaml
           .github/workflows/purge-*.yaml
           .github/workflows/radius-bot.yaml

@@ -51,8 +51,6 @@ concurrency:
 env:
   PR_BRANCH: bot/update-resource-types
   CONTRIB_REPO: radius-project/resource-types-contrib
-  YQ_VERSION: v4.44.3
-  YQ_LINUX_AMD64_SHA256: a2c097180dd884a8d50c956ee16a9cec070f30a7947cf4ebf87d5f36213e9ed7
 
 jobs:
   open-update-pr:
@@ -123,12 +121,7 @@ jobs:
       - name: Install yq
         # Required by make update-resource-types / sync-resource-types to parse
         # deploy/manifest/defaults.yaml.
-        run: |
-          mkdir -p "${RUNNER_TEMP}/bin"
-          curl -fsSL "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -o "${RUNNER_TEMP}/bin/yq"
-          echo "${YQ_LINUX_AMD64_SHA256}  ${RUNNER_TEMP}/bin/yq" | sha256sum -c -
-          chmod +x "${RUNNER_TEMP}/bin/yq"
-          echo "${RUNNER_TEMP}/bin" >> "${GITHUB_PATH}"
+        run: make install-yq
 
       - name: Run make update-resource-types
         # Bumps go.mod to the latest resource-types-contrib version and copies

@@ -163,14 +163,7 @@ jobs:
 
       - name: Install yq
         # Required by Bicep type generation to parse YAML defaults.
-        run: |
-          YQ_VERSION="v4.44.3"
-          YQ_LINUX_AMD64_SHA256="a2c097180dd884a8d50c956ee16a9cec070f30a7947cf4ebf87d5f36213e9ed7"
-          mkdir -p "${RUNNER_TEMP}/bin"
-          curl -fsSL "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -o "${RUNNER_TEMP}/bin/yq"
-          echo "${YQ_LINUX_AMD64_SHA256}  ${RUNNER_TEMP}/bin/yq" | sha256sum -c -
-          chmod +x "${RUNNER_TEMP}/bin/yq"
-          echo "${RUNNER_TEMP}/bin" >> "${GITHUB_PATH}"
+        run: make install-yq
 
       - name: Install KinD
         # Lets the agent create a local Kubernetes cluster for integration and
@@ -224,14 +217,8 @@ jobs:
 
       - name: Install Bicep CLI
         # Required by Bicep type publishing (make publish-bicep-extension) and
-        # rad bicep flows. Pinned to v0.42.1: v0.40+ rejects br:localhost
-        # registries used by the local functional tests.
-        run: |
-          BICEP_VER="v0.42.1"
-          curl -fsSLo ./bicep "https://github.com/Azure/bicep/releases/download/${BICEP_VER}/bicep-linux-x64"
-          chmod +x ./bicep
-          sudo mv ./bicep /usr/local/bin/bicep
-          bicep --version
+        # rad bicep flows. Pinned version + checksum live in build/tools.mk.
+        run: make install-bicep
 
       - name: Install PostgreSQL client
         # psql is used by the debug environment to verify control-plane database

@@ -67,9 +67,6 @@ concurrency:
 
 env:
   GOPROXY: https://proxy.golang.org
-  # yq version
-  YQ_VERSION: v4.44.3
-  YQ_LINUX_AMD64_SHA256: a2c097180dd884a8d50c956ee16a9cec070f30a7947cf4ebf87d5f36213e9ed7
   # Helm version
   HELM_VER: v4.2.2
   # KinD cluster version
@@ -181,20 +178,45 @@ jobs:
       - name: Approved
         run: echo "Tests approved to run"
 
+  # Single authorization decision for the whole run. Centralizes the trust +
+  # approval gate so every downstream job keys off one result
+  # (needs.authorize.result == 'success') instead of repeating the boolean.
+  #
+  # Runs unless the whole run was cancelled, then fails — blocking the run — when:
+  #   - check-trust did not pass (fail-safe if the trust check itself errored), or
+  #   - approval-gate did not pass (an external contributor's approval was
+  #     rejected/'cancelled' or failed).
+  # 'skipped' is allowed: check-trust and approval-gate are skipped for trusted
+  # authors and for non-PR events (schedule, repository_dispatch, merge_group).
+  authorize:
+    name: Authorize
+    needs: [check-trust, approval-gate]
+    runs-on: ubuntu-24.04
+    timeout-minutes: 5
+    permissions: {}
+    if: ${{ !cancelled() }}
+    steps:
+      - name: Evaluate trust and approval
+        env:
+          CHECK_TRUST_RESULT: ${{ needs.check-trust.result }}
+          APPROVAL_GATE_RESULT: ${{ needs.approval-gate.result }}
+        run: |
+          if [ "${CHECK_TRUST_RESULT}" != "success" ] && [ "${CHECK_TRUST_RESULT}" != "skipped" ]; then
+            echo "::error::Blocked — trust check did not pass (result=${CHECK_TRUST_RESULT})."
+            exit 1
+          fi
+          if [ "${APPROVAL_GATE_RESULT}" != "success" ] && [ "${APPROVAL_GATE_RESULT}" != "skipped" ]; then
+            echo "::error::Blocked — approval was not granted (result=${APPROVAL_GATE_RESULT})."
+            exit 1
+          fi
+          echo "Authorized to proceed."
+
   setup:
     name: Setup
-    needs: [check-trust, approval-gate]
-    # Run for all events. For PRs:
-    #   - check-trust determines if the author is external
-    #   - approval-gate runs only for external contributors and requires manual approval
-    #   - If check-trust or approval-gate are skipped (non-PR events), setup proceeds
-    # For pull_request_target, require approval-gate to be 'success' or 'skipped' — block
-    # on 'cancelled' (rejected approval) to prevent running PR code with secrets.
-    if: |
-      !cancelled() &&
-      (needs.check-trust.result == 'success' || needs.check-trust.result == 'skipped') &&
-      (needs.approval-gate.result == 'success' || needs.approval-gate.result == 'skipped') &&
-      (github.event_name != 'schedule' || github.repository == vars.RADIUS_REPOSITORY)
+    needs: [authorize]
+    # Gate on the single authorize decision; the schedule guard keeps scheduled
+    # runs limited to the canonical repository.
+    if: needs.authorize.result == 'success' && (github.event_name != 'schedule' || github.repository == vars.RADIUS_REPOSITORY)
     runs-on: ubuntu-24.04
     timeout-minutes: 5
     permissions:
@@ -488,25 +510,18 @@ jobs:
 
       - name: Install yq
         # Required by make generate-bicep-types-contrib to parse defaults.yaml.
-        run: |
-          mkdir -p "${RUNNER_TEMP}/bin"
-          curl -fsSL "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -o "${RUNNER_TEMP}/bin/yq"
-          echo "${YQ_LINUX_AMD64_SHA256}  ${RUNNER_TEMP}/bin/yq" | sha256sum -c -
-          chmod +x "${RUNNER_TEMP}/bin/yq"
-          echo "${RUNNER_TEMP}/bin" >> "${GITHUB_PATH}"
+        run: make install-yq
 
       - name: Generate Bicep extensibility types from OpenAPI specs
         env:
           BICEP_TYPES_VERSION: ${{ env.REL_VERSION == 'edge' && 'latest' || env.REL_VERSION }}
         run: |
           make generate-bicep-types VERSION="${BICEP_TYPES_VERSION}"
 
-      - name: Setup and verify bicep CLI
-        run: |
-          curl -Lo bicep https://github.com/Azure/bicep/releases/latest/download/bicep-linux-x64
-          chmod +x ./bicep
-          sudo mv ./bicep /usr/local/bin/bicep
-          bicep --version
+      - name: Install bicep CLI
+        # Pinned version + checksum live in build/tools.mk (previously installed
+        # the unpinned 'latest', which could pull v0.43+).
+        run: make install-bicep
 
       - name: Login to Azure (for private test bicep-types ACR)
         uses: azure/login@532459ea530d8321f2fb9bb10d1e0bcf23869a43 # v3.0.0

@@ -50,9 +50,6 @@ on:
 permissions: {}
 
 env:
-  # yq version
-  YQ_VERSION: v4.44.3
-  YQ_LINUX_AMD64_SHA256: a2c097180dd884a8d50c956ee16a9cec070f30a7947cf4ebf87d5f36213e9ed7
   # Helm version
   HELM_VER: v4.2.2
   # KinD cluster version
@@ -95,9 +92,6 @@ env:
   GIT_HTTP_PASSWORD: not-a-secret-password
   # Kubernetes client QPS and Burst settings for high-concurrency CI environments
   RADIUS_QPS_AND_BURST: "800"
-  # Bicep CLI pinned: v0.40+ rejects br:localhost:5000/... (ThrowIfRegistryNotTrusted).
-  # Bump only after verifying localhost support or adding allowedUntrustedRegistries to bicepconfig.json.
-  BICEP_VER: v0.42.1
 
 jobs:
   changes:
@@ -255,12 +249,7 @@ jobs:
 
       - name: Install yq
         # Required by make generate-bicep-types-contrib to parse defaults.yaml.
-        run: |
-          mkdir -p "${RUNNER_TEMP}/bin"
-          curl -fsSL "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -o "${RUNNER_TEMP}/bin/yq"
-          echo "${YQ_LINUX_AMD64_SHA256}  ${RUNNER_TEMP}/bin/yq" | sha256sum -c -
-          chmod +x "${RUNNER_TEMP}/bin/yq"
-          echo "${RUNNER_TEMP}/bin" >> "${GITHUB_PATH}"
+        run: make install-yq
 
       - name: Generate Bicep extensibility types from OpenAPI specs
         env:
@@ -284,12 +273,9 @@ jobs:
           registry-server: ${{ env.LOCAL_REGISTRY_SERVER }}
           registry-port: ${{ env.LOCAL_REGISTRY_PORT }}
 
-      - name: Setup and verify bicep CLI
-        run: |
-          curl -Lo bicep "https://github.com/Azure/bicep/releases/download/${BICEP_VER}/bicep-linux-x64"
-          chmod +x ./bicep
-          sudo mv ./bicep /usr/local/bin/bicep
-          bicep --version
+      - name: Install bicep CLI
+        # Pinned version + checksum live in build/tools.mk.
+        run: make install-bicep
 
       - name: Publish bicep types
         env:

@@ -35,10 +35,6 @@ concurrency:
   group: lint-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
 
-env:
-  YQ_VERSION: v4.44.3
-  YQ_LINUX_AMD64_SHA256: a2c097180dd884a8d50c956ee16a9cec070f30a7947cf4ebf87d5f36213e9ed7
-
 permissions: {}
 
 jobs:
@@ -80,12 +76,7 @@ jobs:
 
       - name: Install yq
         # Required by make generate-bicep-types-contrib to parse defaults.yaml.
-        run: |
-          mkdir -p "${RUNNER_TEMP}/bin"
-          curl -fsSL "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -o "${RUNNER_TEMP}/bin/yq"
-          echo "${YQ_LINUX_AMD64_SHA256}  ${RUNNER_TEMP}/bin/yq" | sha256sum -c -
-          chmod +x "${RUNNER_TEMP}/bin/yq"
-          echo "${RUNNER_TEMP}/bin" >> "${GITHUB_PATH}"
+        run: make install-yq
 
       - name: Install helm
         uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0

@@ -24,10 +24,6 @@ on:
 
 permissions: {}
 
-env:
-  YQ_VERSION: v4.44.3
-  YQ_LINUX_AMD64_SHA256: a2c097180dd884a8d50c956ee16a9cec070f30a7947cf4ebf87d5f36213e9ed7
-
 jobs:
   changes:
     name: Changes
@@ -98,18 +94,13 @@ jobs:
 
       - name: Install yq
         # Required by make generate-bicep-types-contrib to parse defaults.yaml.
-        run: |
-          mkdir -p "${RUNNER_TEMP}/bin"
-          curl -fsSL "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -o "${RUNNER_TEMP}/bin/yq"
-          echo "${YQ_LINUX_AMD64_SHA256}  ${RUNNER_TEMP}/bin/yq" | sha256sum -c -
-          chmod +x "${RUNNER_TEMP}/bin/yq"
-          echo "${RUNNER_TEMP}/bin" >> "${GITHUB_PATH}"
+        run: make install-yq
+        working-directory: radius
 
       # Generate Bicep docs
       - name: Generate Bicep docs
-        run: |
-          cd radius
-          make generate
+        run: make generate
+        working-directory: radius
 
       # Generate resource reference docs
       - name: Generate resource reference docs

@@ -52,12 +52,12 @@ jobs:
         with:
           persist-credentials: false
 
+      - name: Install yq
+        run: make install-yq
+
       - name: Get supported versions from versions.yaml
         id: get-supported-versions
-        uses: mikefarah/yq@1b9b4ac5187171d2e5e3129be0cfa827c7f9d53d # v4.53.3
-        with:
-          # Get a comma-separated list of supported versions
-          cmd: yq '.supported[].version' versions.yaml | tr '\n' ',' | sed 's/,$//'
+        run: echo "result=$(yq '.supported[].version' versions.yaml | tr '\n' ',' | sed 's/,$//')" >> "$GITHUB_OUTPUT"
 
       - name: Determine desired release version
         id: get-version
@@ -237,12 +237,12 @@ jobs:
           GIT_USER_NAME: ${{ steps.bot-details.outputs.name }}
           GIT_USER_EMAIL: ${{ steps.bot-details.outputs.email }}
 
+      - name: Install yq
+        run: make install-yq
+
       - name: Get supported versions from versions.yaml
         id: get-supported-versions
-        uses: mikefarah/yq@1b9b4ac5187171d2e5e3129be0cfa827c7f9d53d # v4.53.3
-        with:
-          # Get a comma-separated list of supported versions
-          cmd: yq '.supported[].version' ./radius/versions.yaml | tr '\n' ',' | sed 's/,$//'
+        run: echo "result=$(yq '.supported[].version' ./radius/versions.yaml | tr '\n' ',' | sed 's/,$//')" >> "$GITHUB_OUTPUT"
 
       - name: Determine desired release version
         id: get-version

@@ -45,5 +45,5 @@ jobs:
       - uses: dessant/label-actions@65225c179d3b2502f6eda7b3d15101a3f412366b # v5.0.3
         with:
           github-token: ${{ steps.get_installation_token.outputs.token }}
-          config-path: .github/triage-bot/triage-bot-config.yaml
+          config-path: .github/configs/label-actions.yaml
           process-only: issues
@@ -24,7 +24,7 @@ on:
 permissions: {}
 
 concurrency:
-  group: ${{ format('{0}-{1}-{2}-{3}-{4}', github.workflow, github.event_name, github.event.pull_request.number || github.event.pull_request_target.number || github.ref, github.base_ref || null, github.head_ref || null) }}
+  group: ${{ format('{0}-{1}-{2}-{3}-{4}', github.workflow, github.event_name, github.event.pull_request.number || github.ref, github.base_ref || null, github.head_ref || null) }}
   cancel-in-progress: true
 
 jobs: