refactor(ci): consolidate kind, kubectl, dapr, helm, and oras installs into make targets

.github/actions/create-kind-cluster/action.yaml

@@ -12,10 +12,6 @@ inputs:
     description: The temporary directory where the certificates are stored
     required: false
     default: ""
-  kind-version:
-    description: The version of KinD to install
-    required: false
-    default: v0.29.0
   with-local-registry:
     description: Whether the KinD cluster should be created with a local registry configuration
     required: false
@@ -36,10 +32,10 @@ runs:
   using: composite
   steps:
     - name: Install KinD
+      # Installs the version pinned in build/tools.mk (KIND_VERSION) and adds the
+      # install dir to the job PATH, so the cluster-create steps below find kind.
       shell: bash
-      run: |
-        curl -sSLo "kind" "https://github.com/kubernetes-sigs/kind/releases/download/${{ inputs.kind-version }}/kind-linux-amd64"
-        chmod +x ./kind
+      run: make install-kind
 
     - name: Create a KinD cluster without a local registry
       if: ${{ inputs.with-local-registry == 'false' }}

.github/workflows/build.yaml

@@ -55,9 +55,6 @@ env:
   # Local file path to the release binaries.
   RELEASE_PATH: ./release
 
-  # ORAS (OCI Registry As Storage) CLI version
-  ORAS_VERSION: 1.1.0
-
   # URL to get source code for building the image
   IMAGE_SRC: https://github.com/radius-project/radius
 
@@ -158,10 +155,10 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ github.token }}
 
-      - uses: oras-project/setup-oras@38de303aac69abb66f3e6255b7198bff35f323e3 # v2.0.0
+      - name: Install oras
         if: needs.changes.outputs.only_changed != 'true'
-        with:
-          version: ${{ env.ORAS_VERSION }}
+        # Version pinned in build/tools.mk (ORAS_VERSION).
+        run: make install-oras
 
       - name: Push latest rad cli binary to GHCR (unix-like)
         if: github.ref == 'refs/heads/main' && matrix.target_os != 'windows' && needs.changes.outputs.only_changed != 'true'
@@ -329,9 +326,8 @@ jobs:
           persist-credentials: false
 
       - name: Install helm
-        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
-        with:
-          version: v4.2.2
+        # Version pinned in build/tools.mk (HELM_VERSION).
+        run: make install-helm
 
       - name: Setup Python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0

.github/workflows/copilot-setup-steps.yml

@@ -100,20 +100,13 @@ jobs:
         with:
           python-version-file: .python-version
 
-      - name: Setup Helm
-        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
-        with:
-          version: v4.2.2
+      - name: Install helm
+        # Version pinned in build/tools.mk (HELM_VERSION).
+        run: make install-helm
 
       - name: Install kubectl
-        run: |
-          KUBECTL_VER="v1.30.0"
-          KUBECTL_LINUX_AMD64_SHA256="7c3807c0f5c1b30110a2ff1e55da1d112a6d0096201f1beb81b269f582b5d1c5"
-          curl -fsSLo ./kubectl "https://dl.k8s.io/release/${KUBECTL_VER}/bin/linux/amd64/kubectl"
-          echo "${KUBECTL_LINUX_AMD64_SHA256}  ./kubectl" | sha256sum -c -
-          chmod +x ./kubectl
-          sudo mv ./kubectl /usr/local/bin/kubectl
-          kubectl version --client
+        # Version pinned in build/tools.mk (KUBECTL_VERSION).
+        run: make install-kubectl
 
       - name: Install pnpm and TypeSpec tooling
         # `make generate-tsp-installed` enables corepack with the pinned pnpm
@@ -167,13 +160,8 @@ jobs:
 
       - name: Install KinD
         # Lets the agent create a local Kubernetes cluster for integration and
-        # functional tests.
-        run: |
-          KIND_VER="v0.29.0"
-          curl -fsSLo ./kind "https://kind.sigs.k8s.io/dl/${KIND_VER}/kind-linux-amd64"
-          chmod +x ./kind
-          sudo mv ./kind /usr/local/bin/kind
-          kind --version
+        # functional tests. Version pinned in build/tools.mk (KIND_VERSION).
+        run: make install-kind
 
       - name: Install k3d
         # Used by the local debug environment (make debug-start) to create a
@@ -195,11 +183,8 @@ jobs:
           stern --version
 
       - name: Install Dapr CLI
-        run: |
-          DAPR_CLI_VER="1.15.1"
-          wget -q https://raw.githubusercontent.com/dapr/cli/master/install/install.sh -O - \
-            | /bin/bash -s "${DAPR_CLI_VER}"
-          dapr --version
+        # Version pinned in build/tools.mk (DAPR_VERSION).
+        run: make install-dapr
 
       - name: Install Terraform
         # Version is read from .terraform-version, the source of truth also

.github/workflows/functional-test-cloud.yaml

@@ -67,12 +67,6 @@ concurrency:
 
 env:
   GOPROXY: https://proxy.golang.org
-  # Helm version
-  HELM_VER: v4.2.2
-  # KinD cluster version
-  KIND_VER: v0.29.0
-  # Kubectl version
-  KUBECTL_VER: v1.25.0
   # Azure Keyvault CSI driver chart version
   AZURE_KEYVAULT_CSI_DRIVER_VER: 1.4.2
   # Azure workload identity webhook chart version
@@ -147,7 +141,7 @@ jobs:
         run: |
           # Same-repo PRs are always trusted (requires write access to push branches)
           if [ "${HEAD_REPO}" = "${BASE_REPO}" ]; then
-            echo "Same-repo PR from ${PR_AUTHOR} — trusted"
+            echo "Same-repo PR from ${PR_AUTHOR} - trusted"
             echo "is-external=false" >> "${GITHUB_OUTPUT}"
             exit 0
           fi
@@ -156,10 +150,10 @@ jobs:
           # Uses app token which can read org membership regardless of visibility settings.
           # gh api returns exit code 0 for 204 (member) and non-zero for 404/302 (not a member).
           if gh api "orgs/${ORG}/members/${PR_AUTHOR}" --silent 2>/dev/null; then
-            echo "Fork PR from org member ${PR_AUTHOR} — trusted"
+            echo "Fork PR from org member ${PR_AUTHOR} - trusted"
             echo "is-external=false" >> "${GITHUB_OUTPUT}"
           else
-            echo "Fork PR from ${PR_AUTHOR} — external"
+            echo "Fork PR from ${PR_AUTHOR} - external"
             echo "is-external=true" >> "${GITHUB_OUTPUT}"
           fi
 
@@ -182,7 +176,7 @@ jobs:
   # approval gate so every downstream job keys off one result
   # (needs.authorize.result == 'success') instead of repeating the boolean.
   #
-  # Runs unless the whole run was cancelled, then fails — blocking the run — when:
+  # Runs unless the whole run was cancelled, then fails - blocking the run - when:
   #   - check-trust did not pass (fail-safe if the trust check itself errored), or
   #   - approval-gate did not pass (an external contributor's approval was
   #     rejected/'cancelled' or failed).
@@ -202,11 +196,11 @@ jobs:
           APPROVAL_GATE_RESULT: ${{ needs.approval-gate.result }}
         run: |
           if [ "${CHECK_TRUST_RESULT}" != "success" ] && [ "${CHECK_TRUST_RESULT}" != "skipped" ]; then
-            echo "::error::Blocked — trust check did not pass (result=${CHECK_TRUST_RESULT})."
+            echo "::error::Blocked - trust check did not pass (result=${CHECK_TRUST_RESULT})."
             exit 1
           fi
           if [ "${APPROVAL_GATE_RESULT}" != "success" ] && [ "${APPROVAL_GATE_RESULT}" != "skipped" ]; then
-            echo "::error::Blocked — approval was not granted (result=${APPROVAL_GATE_RESULT})."
+            echo "::error::Blocked - approval was not granted (result=${APPROVAL_GATE_RESULT})."
             exit 1
           fi
           echo "Authorized to proceed."
@@ -426,7 +420,6 @@ jobs:
             |**Unique ID** | ${{ env.UNIQUE_ID }} |
             |**Image tag** | ${{ env.REL_VERSION }} |
 
-            * KinD: ${{ env.KIND_VER }}
             * Dapr: ${{ env.DAPR_VER }}
             * Azure KeyVault CSI driver: ${{ env.AZURE_KEYVAULT_CSI_DRIVER_VER }}
             * Azure Workload identity webhook: ${{ env.AZURE_WORKLOAD_IDENTITY_WEBHOOK_VER }}
@@ -758,9 +751,9 @@ jobs:
           RESOURCE_GROUP: ${{ env.AZURE_TEST_RESOURCE_GROUP }}
           AZURE_SUBSCRIPTIONID_TESTS: ${{ secrets.AZURE_SUBSCRIPTIONID_TESTS }}
 
-      - uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
-        with:
-          version: ${{ env.HELM_VER }}
+      - name: Install helm
+        # Version pinned in build/tools.mk (HELM_VERSION).
+        run: make install-helm
 
       # The role-to-assume is the role that the github action will assume to execute aws commands and
       # construct cloud control client in test code.
@@ -771,6 +764,11 @@ jobs:
           role-session-name: GitHub_to_AWS_via_FederatedOIDC
           aws-region: ${{ env.AWS_REGION }}
 
+      - name: Install KinD
+        # Installs the version pinned in build/tools.mk (KIND_VERSION) and adds
+        # the install dir to the job PATH for the cluster-create step below.
+        run: make install-kind
+
       # create kind cluster with OIDC provider.
       - name: Create KinD cluster
         env:
@@ -779,9 +777,6 @@ jobs:
         run: |
           set -euo pipefail
 
-          curl -sSLo "kind" "https://github.com/kubernetes-sigs/kind/releases/download/${KIND_VER}/kind-linux-amd64"
-          chmod +x ./kind
-
           # Parse and validate Azure workload identity values from secret JSON.
           OIDC_JSON="${FUNCTEST_AZURE_OIDC_JSON}"
           if ! echo "${OIDC_JSON}" | jq -e . >/dev/null; then
@@ -803,7 +798,7 @@ jobs:
           openssl pkey -pubin -in sa.pub -noout >/dev/null
           openssl pkey -in sa.key -check -noout >/dev/null
 
-          cat <<EOF | ./kind create cluster --name radius --config=-
+          cat <<EOF | kind create cluster --name radius --config=-
           kind: Cluster
           apiVersion: kind.x-k8s.io/v1alpha4
           nodes:

.github/workflows/functional-test-noncloud.yaml

@@ -50,14 +50,6 @@ on:
 permissions: {}
 
 env:
-  # Helm version
-  HELM_VER: v4.2.2
-  # KinD cluster version
-  KIND_VER: v0.29.0
-  # Kubectl version
-  KUBECTL_VER: v1.30.0
-  # Dapr CLI version
-  DAPR_CLI_VER: 1.15.1
   # Dapr runtime version
   DAPR_RUNTIME_VER: 1.15.4
   # Dapr dashboard version
@@ -316,16 +308,15 @@ jobs:
           rad bicep download
           rad version
 
-      - uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
-        with:
-          version: ${{ env.HELM_VER }}
+      - name: Install helm
+        # Version pinned in build/tools.mk (HELM_VERSION).
+        run: make install-helm
 
       - name: Create a KinD cluster with a local registry
         uses: ./.github/actions/create-kind-cluster
         with:
           secure: "true"
           temp-cert-dir: ${{ steps.create-local-registry.outputs.temp-cert-dir }}
-          kind-version: ${{ env.KIND_VER }}
           with-local-registry: "true"
           registry-name: ${{ env.LOCAL_REGISTRY_NAME }}
           registry-server: ${{ env.LOCAL_REGISTRY_SERVER }}
@@ -342,7 +333,7 @@ jobs:
           # before "Install Radius" so the control plane can be installed with the
           # target-cluster mount enabled (avoiding a post-install helm upgrade,
           # which conflicts with the field manager rad install uses).
-          ./kind create cluster --name external
+          kind create cluster --name external
 
           # Two kubeconfigs are derived from the same external cluster:
           # 1. An "internal" kubeconfig reachable from pods running inside the
@@ -358,7 +349,7 @@ jobs:
           mkdir -p "${RUNNER_TEMP}/external-cluster"
           INTERNAL_KUBECONFIG="${RUNNER_TEMP}/external-cluster/internal.kubeconfig"
           HOST_KUBECONFIG="${RUNNER_TEMP}/external-cluster/host.kubeconfig"
-          ./kind get kubeconfig --name external > "${HOST_KUBECONFIG}"
+          kind get kubeconfig --name external > "${HOST_KUBECONFIG}"
 
           EXTERNAL_IP="$(docker inspect -f '{{(index .NetworkSettings.Networks "kind").IPAddress}}' external-control-plane)"
           if [ -z "${EXTERNAL_IP}" ]; then
@@ -389,7 +380,7 @@ jobs:
           MAGPIE_HOST_IMAGE="${LOCAL_REGISTRY_SERVER}:${LOCAL_REGISTRY_PORT}/magpiego:${REL_VERSION}"
           MAGPIE_CLUSTER_IMAGE="${LOCAL_REGISTRY_NAME}:${LOCAL_REGISTRY_PORT}/magpiego:${REL_VERSION}"
           docker tag "${MAGPIE_HOST_IMAGE}" "${MAGPIE_CLUSTER_IMAGE}"
-          ./kind load docker-image "${MAGPIE_CLUSTER_IMAGE}" --name external
+          kind load docker-image "${MAGPIE_CLUSTER_IMAGE}" --name external
 
           # Pre-create the radius-system namespace and the target-kubeconfig secret
           # so the secret exists before the Radius pods start (the deployments mount
@@ -529,11 +520,14 @@ jobs:
 
           echo "Port forwarding established successfully"
 
-      - name: Install Dapr CLI and control plane
+      - name: Install Dapr CLI
         if: matrix.name == 'daprrp-noncloud'
-        run: |
-          wget -q https://raw.githubusercontent.com/dapr/cli/master/install/install.sh -O - | /bin/bash -s "${DAPR_CLI_VER}"
-          dapr init -k --wait --timeout 600 --runtime-version "${DAPR_RUNTIME_VER}" --dashboard-version "${DAPR_DASHBOARD_VER}"
+        # Version pinned in build/tools.mk (DAPR_VERSION).
+        run: make install-dapr
+
+      - name: Install Dapr control plane
+        if: matrix.name == 'daprrp-noncloud'
+        run: dapr init -k --wait --timeout 600 --runtime-version "${DAPR_RUNTIME_VER}" --dashboard-version "${DAPR_DASHBOARD_VER}"
 
       - name: Publish Terraform test recipes
         run: |

.github/workflows/lint.yaml

@@ -79,9 +79,8 @@ jobs:
         run: make install-yq
 
       - name: Install helm
-        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
-        with:
-          version: v4.2.2
+        # Version pinned in build/tools.mk (HELM_VERSION).
+        run: make install-helm
 
       - name: Run Helm linter
         run: |

.github/workflows/unit-tests.yaml

@@ -67,9 +67,8 @@ jobs:
       # Helm is required because `make test` depends on the `test-helm` target,
       # which installs the helm-unittest plugin and runs the chart unit tests.
       - name: Install helm
-        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
-        with:
-          version: v4.2.2
+        # Version pinned in build/tools.mk (HELM_VERSION).
+        run: make install-helm
 
       - name: Run make test (unit tests)
         env:

.github/workflows/validate-installers.yaml

@@ -116,7 +116,9 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: oras-project/setup-oras@38de303aac69abb66f3e6255b7198bff35f323e3 # v2.0.0
+      - name: Install oras
+        # Version pinned in build/tools.mk (ORAS_VERSION).
+        run: make install-oras
 
       - name: Run installer test script
         run: deploy/test-install.sh