Merge branch 'main' into demo

# Conflicts:
#	.devcontainer/Dockerfile
#	.github/workflows/bicep-audit.yml
#	.github/workflows/broken-links-checker.yml
#	.github/workflows/build-docker.yml
#	.github/workflows/ci.yml
#	.github/workflows/comment_coverage.yml
#	.github/workflows/create-release.yml
#	.github/workflows/scheduled-Dependabot-PRs-Auto-Merge.yml
#	.github/workflows/stale-bot.yml
#	.github/workflows/test-automation.yml
#	.github/workflows/tests.yml
#	code/create_app.py
#	code/frontend/package-lock.json
#	code/frontend/package.json
#	code/frontend/src/components/CitationPanel/CitationPanel.tsx
#	code/tests/functional/tests/backend_api/sk_orchestrator/test_response_without_tool_call.py
#	code/tests/test_create_app.py
#	docs/LOCAL_DEPLOYMENT.md
#	infra/main.bicep
#	infra/main.json
#	infra/main.parameters.json
#	infra/main.waf.parameters.json
#	infra/modules/app/function.bicep
#	poetry.lock
#	pyproject.toml
#	tests/e2e-test/tests/test_chat_with_your_data.py
#	tests/integration/ui/package-lock.json
#	tests/integration/ui/package.json

Author: Roopan-Microsoft

.devcontainer/Dockerfile

@@ -1,5 +1,8 @@
 FROM mcr.microsoft.com/devcontainers/python:3.11-bookworm
 
+# Remove Yarn repository to avoid GPG key expiration issue
+RUN rm -f /etc/apt/sources.list.d/yarn.list
+
 # install git
 RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \
     && apt-get -y install --no-install-recommends git libgtk2.0-0 libgtk-3-0 libgbm-dev libnotify-dev libnss3 libxss1 libasound2 libxtst6 xauth xvfb

.github/workflows/bicep-audit.yml

@@ -19,7 +19,7 @@ jobs:
       security-events: write
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Run Microsoft Security DevOps Analysis
         uses: microsoft/security-devops-action@preview
@@ -29,7 +29,7 @@ jobs:
           tools: templateanalyzer
 
       - name: Upload alerts to Security tab
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         if: github.repository_owner == 'Azure-Samples'
         with:
           sarif_file: ${{ steps.msdo.outputs.sarifFile }}

.github/workflows/broken-links-checker.yml

@@ -2,8 +2,6 @@ name: Broken Link Checker
 
 on:
   pull_request:
-    paths:
-      - '**/*.md'
   workflow_dispatch:
 
 permissions:
@@ -16,7 +14,7 @@ jobs:
 
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
@@ -29,15 +27,18 @@ jobs:
           files: |
             **/*.md
 
+      - name: Skip - No Markdown Files Changed
+        if: github.event_name == 'pull_request' && steps.changed-markdown-files.outputs.any_changed != 'true'
+        run: echo "No markdown files changed. Skipping broken link check."
 
       # For PR: Check broken links only in changed files
       - name: Check Broken Links in Changed Markdown Files
         id: lychee-check-pr
         if: github.event_name == 'pull_request' && steps.changed-markdown-files.outputs.any_changed == 'true'
-        uses: lycheeverse/lychee-action@v2.4.1
+        uses: lycheeverse/lychee-action@v2.7.0
         with:
           args: >
-            --verbose --exclude-mail --no-progress --exclude ^https?://
+            --verbose --no-progress --exclude ^https?://
             ${{ steps.changed-markdown-files.outputs.all_changed_files }}
           failIfEmpty: false
         env:
@@ -47,10 +48,10 @@ jobs:
       - name: Check Broken Links in All Markdown Files in Entire Repo (Manual Trigger)
         id: lychee-check-manual
         if: github.event_name == 'workflow_dispatch'
-        uses: lycheeverse/lychee-action@v2.6.1
+        uses: lycheeverse/lychee-action@v2.7.0
         with:
           args: >
-            --verbose --exclude-mail --no-progress --exclude ^https?://
+            --verbose --no-progress --exclude ^https?://
             '**/*.md'
           failIfEmpty: false
         env:

.github/workflows/build-docker-images.yml

@@ -35,7 +35,37 @@ on:
   workflow_dispatch:
 
 jobs:
+  check-changes:
+    runs-on: ubuntu-latest
+    outputs:
+      should_build: ${{ steps.filter.outputs.docker_related }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Check for relevant changes
+        id: filter
+        uses: dorny/paths-filter@v3
+        with:
+          filters: |
+            docker_related:
+              - 'code/**'
+              - '!code/tests/**'
+              - 'docker/**'
+              - 'package.json'
+              - 'pyproject.toml'
+              - '.github/workflows/build-docker-images.yml'
+              - '.github/workflows/build-docker.yml'
+
+      - name: Skip - No Relevant Changes
+        if: steps.filter.outputs.docker_related != 'true' && github.event_name != 'workflow_dispatch'
+        run: echo "No relevant changes detected. Skipping docker build."
+
   docker-build:
+    needs: check-changes
+    if: needs.check-changes.outputs.should_build == 'true' || github.event_name == 'workflow_dispatch'
     strategy:
       matrix:
         include:

.github/workflows/build-docker.yml

@@ -29,7 +29,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout
-      uses: actions/checkout@v5
+      uses: actions/checkout@v6
 
     - name: Docker Login to cwydcontainerreg (Main)
       if: ${{ inputs.push == true && github.ref_name == 'main' }}

.github/workflows/ci.yml

@@ -25,7 +25,36 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
 
 jobs:
+  check-changes:
+    runs-on: ubuntu-latest
+    outputs:
+      should_deploy: ${{ steps.filter.outputs.deploy_related }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Check for relevant changes
+        id: filter
+        uses: dorny/paths-filter@v3
+        with:
+          filters: |
+            deploy_related:
+              - 'infra/**'
+              - 'scripts/**'
+              - 'azure.yaml'
+              - 'pyproject.toml'
+              - 'Makefile'
+              - '.github/workflows/ci.yml'
+
+      - name: Skip - No Relevant Changes
+        if: steps.filter.outputs.deploy_related != 'true' && github.event_name != 'workflow_dispatch' && github.event_name != 'schedule'
+        run: echo "No relevant changes detected. Skipping deployment validation."
+
   deploy:
+    needs: check-changes
+    if: needs.check-changes.outputs.should_deploy == 'true' || github.event_name == 'workflow_dispatch' || github.event_name == 'schedule'
     runs-on: ubuntu-latest
     env:
       AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
@@ -48,12 +77,8 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v5
 
-      - name: Install AZD
-        run: |
-          set -e
-          echo "Fetching deployment output..."
-          # Install azd (Azure Developer CLI) - required by process_sample_data.sh
-          curl -fsSL https://aka.ms/install-azd.sh | bash
+      - name: Install azd
+        uses: Azure/setup-azd@v2
 
       - name: Run Quota Check
         id: quota-check
@@ -391,17 +416,17 @@ jobs:
 
 
   e2e-test:
-    needs: deploy
-    if: needs.deploy.outputs.DEPLOYMENT_SUCCESS == 'true'
+    needs: [check-changes, deploy]
+    if: always() && needs.deploy.result == 'success' && needs.deploy.outputs.DEPLOYMENT_SUCCESS == 'true'
     uses: ./.github/workflows/test-automation.yml
     with:
       web_url: ${{ needs.deploy.outputs.web_url }}
       admin_url: ${{ needs.deploy.outputs.admin_url }}
 
 
   cleanup:
-    if: always()
-    needs: [deploy, e2e-test]
+    if: always() && needs.deploy.result != 'skipped'
+    needs: [check-changes, deploy, e2e-test]
     runs-on: ubuntu-latest
 
     env:
@@ -416,7 +441,7 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Destroy resources
         uses: devcontainers/ci@v0.3

.github/workflows/comment_coverage.yml

@@ -18,7 +18,7 @@ jobs:
       github.event.workflow_run.conclusion != 'cancelled'
     steps:
       - name: Download artifact
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@v7
         with:
           name: coverage
           github-token: ${{ secrets.GITHUB_TOKEN }}
@@ -39,7 +39,7 @@ jobs:
             return response.data[0]?.number ?? "";
           retries: 3
       - name: Comment coverage
-        uses: MishaKav/pytest-coverage-comment@13d3c18e21895566c746187c9ea74736372e5e91
+        uses: MishaKav/pytest-coverage-comment@ae0e8a539a3f310aefb3bfb6a2209778a21fa42b
         with:
           pytest-xml-coverage-path: coverage.xml
           junitxml-path: coverage-junit.xml

.github/workflows/create-release.yml

@@ -17,7 +17,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           ref: ${{ github.event.workflow_run.head_sha }}
 

.github/workflows/deploy-orchestrator.yml

@@ -0,0 +1,144 @@
+name: Deployment orchestrator
+
+on:
+  workflow_call:
+    inputs:
+      runner_os:
+        description: 'Runner OS (ubuntu-latest or windows-latest)'
+        required: true
+        type: string
+      resource_group_name:
+        description: 'Resource Group Name (Optional)'
+        required: false
+        default: ''
+        type: string
+      waf_enabled:
+        description: 'Enable WAF'
+        required: false
+        default: false
+        type: boolean
+      EXP:
+        description: 'Enable EXP'
+        required: false
+        default: false
+        type: boolean
+      cleanup_resources:
+        description: 'Cleanup Deployed Resources'
+        required: false
+        default: false
+        type: boolean
+      run_e2e_tests:
+        description: 'Run End-to-End Tests'
+        required: false
+        default: 'GoldenPath-Testing'
+        type: string
+      existing_webapp_url:
+        description: 'Existing Container WebApp URL (Skips Deployment)'
+        required: false
+        default: ''
+        type: string
+      existing_admin_app_url:
+        description: 'Existing Admin WebApp URL (Skips Deployment)'
+        required: false
+        default: ''
+        type: string
+      trigger_type:
+        description: 'Trigger type (workflow_dispatch, pull_request, schedule)'
+        required: true
+        type: string
+      AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID:
+        description: 'Log Analytics Workspace ID (Optional)'
+        required: false
+        default: ''
+        type: string
+      AZURE_SEARCH_USE_INTEGRATED_VECTORIZATION:
+        description: 'Enable Azure Search Integrated Vectorization'
+        required: false
+        default: 'false'
+        type: string
+      AZURE_SEARCH_USE_SEMANTIC_SEARCH:
+        description: 'Enable Azure Search Semantic Search'
+        required: false
+        default: 'false'
+        type: string
+      USE_ADVANCED_IMAGE_PROCESSING:
+        description: 'Use Advanced Image Processing'
+        required: false
+        default: 'false'
+        type: string
+      DATABASE_TYPE:
+        description: 'Type of database to use'
+        required: false
+        default: 'PostgreSQL'
+        type: string
+
+env:
+  AZURE_DEV_COLLECT_TELEMETRY: ${{ vars.AZURE_DEV_COLLECT_TELEMETRY }}
+
+jobs:
+  deploy:
+    if: "!cancelled() && (inputs.trigger_type != 'workflow_dispatch' || inputs.existing_webapp_url == '' || inputs.existing_webapp_url == null)"
+    uses: ./.github/workflows/job-deploy.yml
+    with:
+      trigger_type: ${{ inputs.trigger_type }}
+      runner_os: ${{ inputs.runner_os }}
+      resource_group_name: ${{ inputs.resource_group_name }}
+      waf_enabled: ${{ inputs.waf_enabled }}
+      EXP: ${{ inputs.EXP }}
+      existing_webapp_url: ${{ inputs.existing_webapp_url }}
+      run_e2e_tests: ${{ inputs.run_e2e_tests }}
+      AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID: ${{ inputs.AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID }}
+      cleanup_resources: ${{ inputs.cleanup_resources }}
+      AZURE_SEARCH_USE_INTEGRATED_VECTORIZATION: ${{ inputs.AZURE_SEARCH_USE_INTEGRATED_VECTORIZATION }}
+      AZURE_SEARCH_USE_SEMANTIC_SEARCH: ${{ inputs.AZURE_SEARCH_USE_SEMANTIC_SEARCH }}
+      USE_ADVANCED_IMAGE_PROCESSING: ${{ inputs.USE_ADVANCED_IMAGE_PROCESSING }}
+      DATABASE_TYPE: ${{ inputs.DATABASE_TYPE }}
+    secrets: inherit
+
+
+
+  e2e-test:
+    if: "!cancelled() && ((needs.deploy.result == 'success' && needs.deploy.outputs.WEB_APPURL != '' && needs.deploy.outputs.ADMIN_APPURL != '') || (inputs.existing_webapp_url != '' && inputs.existing_webapp_url != null && inputs.existing_admin_app_url != '' && inputs.existing_admin_app_url != null)) && (inputs.trigger_type != 'workflow_dispatch' || (inputs.run_e2e_tests != 'None' && inputs.run_e2e_tests != '' && inputs.run_e2e_tests != null))"
+    needs: [deploy]
+    uses: ./.github/workflows/test-automation-v2.yml
+    with:
+      TEST_URL: ${{ needs.deploy.outputs.WEB_APPURL || inputs.existing_webapp_url }}
+      ADMIN_APPURL: ${{ needs.deploy.outputs.ADMIN_APPURL || inputs.existing_admin_app_url }}
+      TEST_SUITE: ${{ inputs.trigger_type == 'workflow_dispatch' && inputs.run_e2e_tests || 'GoldenPath-Testing' }}
+    secrets: inherit
+
+  send-notification:
+    if: "!cancelled()"
+    needs: [deploy, e2e-test]
+    uses: ./.github/workflows/job-send-notification.yml
+    with:
+      trigger_type: ${{ inputs.trigger_type }}
+      waf_enabled: ${{ inputs.waf_enabled }}
+      EXP: ${{ inputs.EXP }}
+      run_e2e_tests: ${{ inputs.run_e2e_tests }}
+      existing_webapp_url: ${{ inputs.existing_webapp_url }}
+      deploy_result: ${{ needs.deploy.result }}
+      e2e_test_result: ${{ needs.e2e-test.result }}
+      WEB_APPURL: ${{ needs.deploy.outputs.WEB_APPURL || inputs.existing_webapp_url }}
+      RESOURCE_GROUP_NAME: ${{ needs.deploy.outputs.RESOURCE_GROUP_NAME }}
+      QUOTA_FAILED: ${{ needs.deploy.outputs.QUOTA_FAILED }}
+      TEST_SUCCESS: ${{ needs.e2e-test.outputs.TEST_SUCCESS }}
+      TEST_REPORT_URL: ${{ needs.e2e-test.outputs.TEST_REPORT_URL }}
+    secrets: inherit
+
+  cleanup-deployment:
+    if: "!cancelled() && needs.deploy.outputs.RESOURCE_GROUP_NAME != '' && inputs.existing_webapp_url == '' && (inputs.trigger_type != 'workflow_dispatch' || inputs.cleanup_resources)"
+    needs: [deploy, e2e-test]
+    uses: ./.github/workflows/job-cleanup-deployment.yml
+    with:
+      runner_os: ${{ inputs.runner_os }}
+      trigger_type: ${{ inputs.trigger_type }}
+      cleanup_resources: ${{ inputs.cleanup_resources }}
+      existing_webapp_url: ${{ inputs.existing_webapp_url }}
+      RESOURCE_GROUP_NAME: ${{ needs.deploy.outputs.RESOURCE_GROUP_NAME }}
+      AZURE_LOCATION: ${{ needs.deploy.outputs.AZURE_LOCATION }}
+      AZURE_ENV_OPENAI_LOCATION: ${{ needs.deploy.outputs.AZURE_ENV_OPENAI_LOCATION }}
+      ENV_NAME: ${{ needs.deploy.outputs.ENV_NAME }}
+      IMAGE_TAG: ${{ needs.deploy.outputs.IMAGE_TAG }}
+      RESOURCE_TOKEN: ${{ needs.deploy.outputs.RESOURCE_TOKEN }}
+    secrets: inherit