@Kanchan-Microsoft
Contributor

Purpose

This pull request introduces several improvements to the GitHub Actions workflows for deployment and infrastructure automation. The main focus is on enhancing workflow security by explicitly setting permissions, increasing input validation robustness, and modernizing environment and credential handling for Azure deployments. It also removes redundant steps and streamlines the setup of required tools.

The most important changes are:

Security and Permissions

  • Explicitly set minimal permissions (contents: read, actions: read) for all major workflow files to follow GitHub Actions best practices and reduce the risk surface.

Input Validation and Robustness

  • Introduced a comprehensive input parameter validation step in job-deploy-linux.yml, checking for required values, correct formats, and valid Azure resource IDs. This prevents misconfigured deployments by failing fast with clear error messages.

Azure Environment and Credential Handling

  • Updated environment variable usage for Azure credentials and deployment parameters, switching from inline export statements to the more secure and readable env: block in workflow steps.
  • Modernized setup of Azure CLI and Azure Developer CLI by removing manual installation commands and using the official Azure/setup-azd@v2 action for better reliability and maintainability.

Workflow Step Improvements

  • Improved the deployment summary generation and role assignment steps to use environment variables, making the code more maintainable and less error-prone.
  • Updated the Azure template validation action to use a specific commit hash for better reproducibility and security.

These changes collectively improve the reliability, security, and maintainability of the CI/CD pipeline for Azure deployments.

Does this introduce a breaking change?

  • Yes
  • No

Golden Path Validation

  • I have tested the primary workflows (the "golden path") to ensure they function correctly without errors.

Deployment Validation

  • I have validated the deployment process successfully and all services are running as expected with this change.

What to Check

Verify that the following are valid

  • ...

Other Information
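
An added example, not part of this pull request or the project's workflow files: one way a fail-fast input validation step like the one described for job-deploy-linux.yml could be written, reading its values from the environment as a step's env: block would supply them. The variable names (ENV_NAME, AZURE_LOCATION, EXISTING_RESOURCE_ID), the accepted formats and the approximate resource-ID pattern are assumptions.

```sh
#!/bin/sh
# Added example: fail-fast validation of deployment inputs taken from the
# environment (as a workflow step's env: block would supply them).
# ENV_NAME, AZURE_LOCATION and EXISTING_RESOURCE_ID are hypothetical names.

# True when $1 is a single line that fully matches extended regex $2.
matches() {
  case $1 in *'
'*) return 1 ;; esac            # grep is line-based: reject embedded newlines
  printf '%s\n' "$1" | grep -Eqix -- "$2"
}

# Generic ARM resource ID shape (character classes are approximate):
# /subscriptions/<guid>/resourceGroups/<rg>/providers/<ns>/<type>/<name>[/<type>/<name>]...
is_azure_resource_id() {
  guid='[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}'
  seg='[-a-z0-9_.]+'
  matches "$1" "/subscriptions/${guid}/resourcegroups/[-a-z0-9_.()]{1,90}/providers/${seg}(/${seg}/${seg})+"
}

# Validate all inputs; report every problem, return non-zero if any failed.
validate_inputs() {
  rc=0
  if ! matches "${ENV_NAME:-}" '[a-z0-9][a-z0-9-]{2,19}'; then
    echo "::error::ENV_NAME must be 3-20 chars of letters, digits or '-'" >&2; rc=1
  fi
  if ! matches "${AZURE_LOCATION:-}" '[a-z0-9]+'; then
    echo "::error::AZURE_LOCATION is required and must be alphanumeric" >&2; rc=1
  fi
  # Optional input: only checked when provided.
  if [ -n "${EXISTING_RESOURCE_ID:-}" ] && ! is_azure_resource_id "$EXISTING_RESOURCE_ID"; then
    echo "::error::EXISTING_RESOURCE_ID is not a valid Azure resource ID" >&2; rc=1
  fi
  return "$rc"
}
```

Because the values arrive as environment variables and are only ever expanded inside double quotes, a malformed input is rejected as data and never becomes part of the script text.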
