refactor(ci): consolidate kind, kubectl, dapr, helm, and oras installs into make targets

[DariuszPorowski]

Description

Follow-up to #12248, which consolidated the yq and bicep installs into pinned, checksum-verified make install-<tool> targets. This PR applies the same pattern to the remaining CI tools — kind, kubectl, dapr, helm, and oras — replacing inline curl/wget | bash installs and the third-party azure/setup-helm and oras-project/setup-oras actions.

Each tool now has:

• a generic, no-sudo build/scripts/install-<tool>.sh that detects OS/arch, verifies the download against a SHA-256 checksum, installs into a user-owned dir, and adds it to $GITHUB_PATH for later steps; and
• a build/tools.mk block that pins the version + per-platform checksums and exposes a make install-<tool> target.

Versions pinned in this PR: kind v0.32.0, kubectl v1.36.2, dapr v1.18.0, helm v4.2.2, oras v1.3.2.

Why

• Single source of truth for tool versions in build/tools.mk, instead of versions scattered across workflow env: blocks and step inputs.
• Supply-chain hardening: every binary is checksum-verified; the unpinned dapr install.sh | bash pipe and the setup-helm / setup-oras third-party actions are removed.
• Consistent local + CI behavior: the same make install-<tool> runs on a contributor's machine and on the runner.

Files

• New: build/scripts/install-{kind,kubectl,dapr,helm,oras}.sh
• build/tools.mk: new KIND / KUBECTL / DAPR / HELM / ORAS version + checksum blocks and install-* targets
• Workflows/action switched to make install-<tool> (dropping the now-unused version env vars): build.yaml, lint.yaml, unit-tests.yaml, copilot-setup-steps.yml, functional-test-cloud.yaml, functional-test-noncloud.yaml, validate-installers.yaml, actions/create-kind-cluster/action.yaml

Type of change

• This pull request is a minor refactor, code cleanup, test improvement, or other maintenance task and doesn't change the functionality of Radius (issue link optional).

Follow-up to #12248.

Contributor checklist

Please verify that the PR meets the following requirements, where applicable:

• An overview of proposed schema changes is included in a linked GitHub issue.
  • Yes
  • Not applicable
• A design document is added or updated under eng/design-notes/ in this repository, if new APIs are being introduced.
  • Yes
  • Not applicable
• The design document has been reviewed and approved by Radius maintainers/approvers.
  • Yes
  • Not applicable
• A PR for resource-types-contrib is created, if resource types or recipes are affected by the changes in this PR.
  • Yes
  • Not applicable
• A PR for dashboard is created, if the Radius Dashboard is affected by the changes in this PR.
  • Yes
  • Not applicable
• A PR for the documentation repository is created, if the changes in this PR affect the documentation or any user facing updates are made.
  • Yes
  • Not applicable

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

• .github/workflows/lint.yaml
• .github/workflows/validate-installers.yaml

[Copilot]

Pull request overview

This PR continues the CI tool installer hardening work by centralizing installation of commonly used CI binaries (kind, kubectl, dapr, helm, oras) behind pinned, checksum-verified make install-<tool> targets. It reduces duplicated workflow logic and removes reliance on third-party setup actions and unpinned install scripts, making CI and local developer setup more reproducible and auditable.

Changes:

• Added new no-sudo installer scripts under build/scripts/ for kind, kubectl, dapr, helm, and oras that validate SHA-256 checksums and (in GitHub Actions) append the install dir to GITHUB_PATH.
• Extended build/tools.mk to pin versions + per-platform checksums and expose make install-kind|kubectl|dapr|helm|oras.
• Updated workflows and the create-kind-cluster composite action to use the new Make targets instead of inline curl/wget | bash installs and azure/setup-helm / oras-project/setup-oras.

Reviewed changes

Copilot reviewed 14 out of 14 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
build/tools.mk	Adds pinned versions + checksums and install-* targets for kind/kubectl/dapr/helm/oras.
build/scripts/install-kind.sh	New checksum-verified installer for kind (GitHub release assets).
build/scripts/install-kubectl.sh	New checksum-verified installer for kubectl (dl.k8s.io stable channel / versioned downloads).
build/scripts/install-dapr.sh	New checksum-verified installer for the Dapr CLI (GitHub release tarballs).
build/scripts/install-helm.sh	New checksum-verified installer for Helm (get.helm.sh tarballs; latest resolved via GitHub redirect).
build/scripts/install-oras.sh	New checksum-verified installer for oras (GitHub release tarballs + goreleaser checksums file).
.github/workflows/validate-installers.yaml	Replaces setup-oras usage with make install-oras in installer validation job.
.github/workflows/unit-tests.yaml	Replaces setup-helm with make install-helm for unit test workflow.
.github/workflows/lint.yaml	Replaces setup-helm with make install-helm for Helm linting.
.github/workflows/functional-test-noncloud.yaml	Removes per-workflow tool version env vars; installs helm/dapr via Make; relies on action for kind install.
.github/workflows/functional-test-cloud.yaml	Installs helm + kind via Make and removes inline kind download logic.
.github/workflows/copilot-setup-steps.yml	Uses `make install-helm
.github/workflows/build.yaml	Replaces setup-oras and setup-helm with make install-oras / make install-helm.
.github/actions/create-kind-cluster/action.yaml	Removes kind-version input and installs kind via make install-kind.

[github-actions]

Unit Tests

    2 files  ±0    450 suites  ±0   7m 28s ⏱️ +53s
5 591 tests ±0  5 589 ✅ ±0  2 💤 ±0  0 ❌ ±0 
6 788 runs  ±0  6 786 ✅ ±0  2 💤 ±0  0 ❌ ±0 

Results for commit 874271d. ± Comparison against base commit cac6c0f.

♻️ This comment has been updated with latest results.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 52.88%. Comparing base (cac6c0f) to head (874271d).

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #12251   +/-   ##
=======================================
  Coverage   52.88%   52.88%           
=======================================
  Files         751      751           
  Lines       48353    48353           
=======================================
  Hits        25570    25570           
  Misses      20385    20385           
  Partials     2398     2398           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[brooke-hamilton]

🚀

[github-actions]

Functional Tests - upgrade-noncloud

3 tests  ±0   3 ✅ ±0   3m 36s ⏱️ ±0s
1 suites ±0   0 💤 ±0 
1 files   ±0   0 ❌ ±0 

Results for commit 874271d. ± Comparison against base commit cac6c0f.

♻️ This comment has been updated with latest results.

[radius-functional-tests]

Radius functional test overview

🔍 Go to test action run

Click here to see the test run details

Name	Value
Repository	radius-project/radius
Commit ref	874271d
Unique ID	func63a398d755
Image tag	pr-func63a398d755

• KinD: v0.29.0
• Dapr: 1.14.4
• Azure KeyVault CSI driver: 1.4.2
• Azure Workload identity webhook: 1.3.0
• Bicep recipe location ghcr.io/radius-project/dev/test/testrecipes/test-bicep-recipes/<name>:pr-func63a398d755
• Terraform recipe location http://tf-module-server.radius-test-tf-module-server.svc.cluster.local/<name>.zip (in cluster)
• applications-rp test image location: ghcr.io/radius-project/dev/applications-rp:pr-func63a398d755
• dynamic-rp test image location: ghcr.io/radius-project/dev/dynamic-rp:pr-func63a398d755
• controller test image location: ghcr.io/radius-project/dev/controller:pr-func63a398d755
• ucp test image location: ghcr.io/radius-project/dev/ucpd:pr-func63a398d755
• deployment-engine test image location: ghcr.io/radius-project/deployment-engine:latest

Test Status

⌛ Building Radius and pushing container images for functional tests...
✅ Container images build succeeded
⌛ Publishing Bicep Recipes for functional tests...
✅ Recipe publishing succeeded
⌛ Starting corerp-cloud functional tests...
⌛ Starting ucp-cloud functional tests...
✅ ucp-cloud functional tests succeeded
✅ corerp-cloud functional tests succeeded