From 5352bd6e4c3d529fe3b4afc102c4e0bc040117f6 Mon Sep 17 00:00:00 2001
From: Emmanuel Knafo <emknafo@microsoft.com>
Date: Thu, 26 Mar 2026 02:03:26 -0400
Subject: [PATCH] ops: add ADO pipeline configurations synced from ADO repo
 Fixes AB#2102
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- add a11y-scan, ci-cd, deploy-all, and scan-all pipelines
- add deploy-app-stage and teardown-stage templates

🔧 - Generated by Copilot
---
 .azuredevops/pipelines/a11y-scan.yml          |   6 +
 .azuredevops/pipelines/ci-cd.yml              | 157 ++++++++++++++++
 .azuredevops/pipelines/deploy-all.yml         | 167 ++++++++++++++++++
 .azuredevops/pipelines/scan-all.yml           |  73 ++++++++
 .../pipelines/templates/deploy-app-stage.yml  |  95 ++++++++++
 .../pipelines/templates/teardown-stage.yml    |  50 ++++++
 6 files changed, 548 insertions(+)
 create mode 100644 .azuredevops/pipelines/ci-cd.yml
 create mode 100644 .azuredevops/pipelines/deploy-all.yml
 create mode 100644 .azuredevops/pipelines/scan-all.yml
 create mode 100644 .azuredevops/pipelines/templates/deploy-app-stage.yml
 create mode 100644 .azuredevops/pipelines/templates/teardown-stage.yml

diff --git a/.azuredevops/pipelines/a11y-scan.yml b/.azuredevops/pipelines/a11y-scan.yml
index e906644..27af80d 100644
--- a/.azuredevops/pipelines/a11y-scan.yml
+++ b/.azuredevops/pipelines/a11y-scan.yml
@@ -65,3 +65,9 @@ steps:
       pathToPublish: 'results'
       artifactName: 'CodeAnalysisLogs'
     displayName: 'Publish to Scans tab - $(siteName)'
+
+  - task: AdvancedSecurity-Publish@1
+    condition: always()
+    inputs:
+      SarifsInputDirectory: '$(Build.SourcesDirectory)/results'
+    displayName: 'Publish SARIF to Advanced Security - $(siteName)'
diff --git a/.azuredevops/pipelines/ci-cd.yml b/.azuredevops/pipelines/ci-cd.yml
new file mode 100644
index 0000000..7283450
--- /dev/null
+++ b/.azuredevops/pipelines/ci-cd.yml
@@ -0,0 +1,157 @@
+trigger:
+  branches:
+    include:
+      - main
+
+pool:
+  vmImage: 'ubuntu-latest'
+
+variables:
+  - group: wiki-access
+  - name: serviceConnection
+    value: 'AODA-svc-conn'
+  - name: appName
+    value: 'a11y-scan-demo'
+  - name: resourceGroup
+    value: 'rg-a11y-scan-demo'
+  - name: location
+    value: 'canadacentral'
+  - name: imageTag
+    value: '$(Build.BuildId)'
+
+stages:
+  - stage: Build
+    displayName: 'Build & Push Image'
+    jobs:
+      - job: BuildAndPush
+        displayName: 'Deploy infra, build and push to ACR'
+        steps:
+          - checkout: self
+
+          - task: AzureCLI@2
+            displayName: 'Deploy infrastructure'
+            inputs:
+              azureSubscription: '$(serviceConnection)'
+              scriptType: bash
+              scriptLocation: inlineScript
+              inlineScript: |
+                set -e
+                az group create --name $(resourceGroup) --location $(location)
+                az deployment group create \
+                  --resource-group $(resourceGroup) \
+                  --name infra-deploy \
+                  --template-file infra/main.bicep \
+                  --parameters infra/main.parameters.json \
+                  --parameters imageTag=$(imageTag)
+
+          - task: AzureCLI@2
+            displayName: 'Build and push Docker image'
+            inputs:
+              azureSubscription: '$(serviceConnection)'
+              scriptType: bash
+              scriptLocation: inlineScript
+              inlineScript: |
+                set -e
+                ACR_NAME=$(az deployment group show \
+                  --resource-group $(resourceGroup) \
+                  --name infra-deploy \
+                  --query 'properties.outputs.acrName.value' -o tsv)
+                echo "ACR: $ACR_NAME"
+                az acr build \
+                  --registry "$ACR_NAME" \
+                  --image $(appName):$(imageTag) .
+
+  - stage: Deploy
+    displayName: 'Deploy to Azure'
+    dependsOn: Build
+    jobs:
+      - deployment: DeployWebApp
+        displayName: 'Deploy container to Web App'
+        environment: 'deploy'
+        strategy:
+          runOnce:
+            deploy:
+              steps:
+                - checkout: self
+
+                - task: AzureCLI@2
+                  name: deployStep
+                  displayName: 'Update Web App container'
+                  inputs:
+                    azureSubscription: '$(serviceConnection)'
+                    scriptType: bash
+                    scriptLocation: inlineScript
+                    inlineScript: |
+                      WEB_APP_NAME=$(az deployment group show \
+                        --resource-group $(resourceGroup) \
+                        --name infra-deploy \
+                        --query 'properties.outputs.webAppName.value' -o tsv)
+                      ACR_LOGIN=$(az deployment group show \
+                        --resource-group $(resourceGroup) \
+                        --name infra-deploy \
+                        --query 'properties.outputs.acrLoginServer.value' -o tsv)
+                      az webapp config container set \
+                        --name $WEB_APP_NAME \
+                        --resource-group $(resourceGroup) \
+                        --container-image-name "$ACR_LOGIN/$(appName):$(imageTag)"
+                      az webapp restart \
+                        --name $WEB_APP_NAME \
+                        --resource-group $(resourceGroup)
+                      SITE_URL="https://$WEB_APP_NAME.azurewebsites.net"
+                      echo "Deployed to: $SITE_URL"
+                      echo "##vso[task.setvariable variable=siteUrl;isOutput=true]$SITE_URL"
+
+                - script: |
+                    echo "Waiting for app to warm up..."
+                    sleep 30
+                    npx --yes playwright install --with-deps chromium
+                    npx playwright screenshot \
+                      --viewport-size="1280,900" \
+                      --wait-for-timeout=5000 \
+                      --full-page \
+                      "$(deployStep.siteUrl)" \
+                      screenshot.png
+                    echo "Screenshot captured"
+                  displayName: 'Capture deployment screenshot'
+
+                - script: |
+                    set -e
+                    WIKI_REPO="https://$(WIKI_PAT)@dev.azure.com/MngEnvMCAP675646/AODA%20WCAG%20compliance/_git/AODA-WCAG-compliance.wiki"
+                    SITE_URL="$(deployStep.siteUrl)"
+                    APP="$(appName)"
+                    BUILD_NUM="$(Build.BuildNumber)"
+                    BUILD_ID="$(Build.BuildId)"
+                    BUILD_URL="https://dev.azure.com/MngEnvMCAP675646/AODA%20WCAG%20compliance/_build/results?buildId=$BUILD_ID"
+                    ATTACH_NAME="${APP}-${BUILD_ID}.png"
+
+                    git clone --depth 1 "$WIKI_REPO" wiki
+                    mkdir -p wiki/.attachments wiki/Deployments
+                    cp screenshot.png "wiki/.attachments/$ATTACH_NAME"
+
+                    cat > "wiki/Deployments/${APP}.md" <<EOF
+                    # ${APP}
+
+                    **Latest Deployment:** ${BUILD_NUM}
+
+                    **Date:** $(date -u '+%Y-%m-%d %H:%M UTC')
+
+                    **Site:** [${SITE_URL}](${SITE_URL})
+
+                    **Pipeline:** [Build ${BUILD_ID}](${BUILD_URL})
+
+                    ---
+
+                    ![Deployment Screenshot](/.attachments/${ATTACH_NAME})
+                    EOF
+                    sed -i 's/^                    //g' "wiki/Deployments/${APP}.md"
+
+                    cd wiki
+                    git config user.email "pipeline@dev.azure.com"
+                    git config user.name "Azure Pipeline"
+                    git add -A
+                    git diff --cached --quiet && echo "No wiki changes" || {
+                      git commit -m "Update deployment screenshot for ${APP} (build ${BUILD_ID})"
+                      git push origin wikiMaster
+                      echo "Wiki updated: /Deployments/${APP}"
+                    }
+                  displayName: 'Update wiki with deployment screenshot'
diff --git a/.azuredevops/pipelines/deploy-all.yml b/.azuredevops/pipelines/deploy-all.yml
new file mode 100644
index 0000000..eb7f775
--- /dev/null
+++ b/.azuredevops/pipelines/deploy-all.yml
@@ -0,0 +1,167 @@
+# Orchestrating pipeline: Deploy all demo apps and teardown after demo
+# Manually triggered - deploys all 6 apps in parallel, then tears down with approval
+trigger: none
+
+resources:
+  repositories:
+    - repository: app001
+      type: git
+      name: a11y-demo-app-001
+    - repository: app002
+      type: git
+      name: a11y-demo-app-002
+    - repository: app003
+      type: git
+      name: a11y-demo-app-003
+    - repository: app004
+      type: git
+      name: a11y-demo-app-004
+    - repository: app005
+      type: git
+      name: a11y-demo-app-005
+
+pool:
+  vmImage: 'ubuntu-latest'
+
+variables:
+  serviceConnection: 'AODA-svc-conn'
+  location: 'canadacentral'
+
+stages:
+  # ── Deploy demo apps 001-005 (all in parallel) ──
+  - template: templates/deploy-app-stage.yml
+    parameters:
+      stageId: 'Deploy_001'
+      stageName: 'Deploy App 001 (Rust)'
+      appName: 'a11y-demo-app-001'
+      resourceGroup: 'rg-a11y-demo-app-001'
+      repository: 'app001'
+      containerPort: '8080'
+
+  - template: templates/deploy-app-stage.yml
+    parameters:
+      stageId: 'Deploy_002'
+      stageName: 'Deploy App 002 (C#)'
+      appName: 'a11y-demo-app-002'
+      resourceGroup: 'rg-a11y-demo-app-002'
+      repository: 'app002'
+      containerPort: '8080'
+
+  - template: templates/deploy-app-stage.yml
+    parameters:
+      stageId: 'Deploy_003'
+      stageName: 'Deploy App 003 (Java)'
+      appName: 'a11y-demo-app-003'
+      resourceGroup: 'rg-a11y-demo-app-003'
+      repository: 'app003'
+      containerPort: '8080'
+
+  - template: templates/deploy-app-stage.yml
+    parameters:
+      stageId: 'Deploy_004'
+      stageName: 'Deploy App 004 (Python)'
+      appName: 'a11y-demo-app-004'
+      resourceGroup: 'rg-a11y-demo-app-004'
+      repository: 'app004'
+      containerPort: '8080'
+
+  - template: templates/deploy-app-stage.yml
+    parameters:
+      stageId: 'Deploy_005'
+      stageName: 'Deploy App 005 (Go)'
+      appName: 'a11y-demo-app-005'
+      resourceGroup: 'rg-a11y-demo-app-005'
+      repository: 'app005'
+      containerPort: '8080'
+
+  # ── Deploy scan demo app (self repo, parallel with others) ──
+  - stage: Deploy_ScanDemo
+    displayName: 'Deploy Scan Demo App (Next.js)'
+    dependsOn: []
+    jobs:
+      - job: DeployApp
+        displayName: 'Deploy a11y-scan-demo'
+        steps:
+          - checkout: self
+
+          - task: AzureCLI@2
+            displayName: 'Deploy infrastructure'
+            inputs:
+              azureSubscription: '$(serviceConnection)'
+              scriptType: bash
+              scriptLocation: inlineScript
+              inlineScript: |
+                set -e
+                az group create \
+                  --name rg-a11y-scan-demo \
+                  --location $(location)
+                az deployment group create \
+                  --resource-group rg-a11y-scan-demo \
+                  --name infra-deploy \
+                  --template-file infra/main.bicep \
+                  --parameters infra/main.parameters.json \
+                  --parameters imageTag=$(Build.BuildId)
+
+          - task: AzureCLI@2
+            displayName: 'Build and push Docker image'
+            inputs:
+              azureSubscription: '$(serviceConnection)'
+              scriptType: bash
+              scriptLocation: inlineScript
+              inlineScript: |
+                set -e
+                ACR_NAME=$(az deployment group show \
+                  --resource-group rg-a11y-scan-demo \
+                  --name infra-deploy \
+                  --query 'properties.outputs.acrName.value' -o tsv)
+                echo "ACR: $ACR_NAME"
+                az acr build \
+                  --registry "$ACR_NAME" \
+                  --image a11y-scan-demo:$(Build.BuildId) .
+
+          - task: AzureCLI@2
+            displayName: 'Deploy container to Web App'
+            inputs:
+              azureSubscription: '$(serviceConnection)'
+              scriptType: bash
+              scriptLocation: inlineScript
+              inlineScript: |
+                set -e
+                WEB_APP_NAME=$(az deployment group show \
+                  --resource-group rg-a11y-scan-demo \
+                  --name infra-deploy \
+                  --query 'properties.outputs.webAppName.value' -o tsv)
+                ACR_LOGIN=$(az deployment group show \
+                  --resource-group rg-a11y-scan-demo \
+                  --name infra-deploy \
+                  --query 'properties.outputs.acrLoginServer.value' -o tsv)
+                az webapp config container set \
+                  --name $WEB_APP_NAME \
+                  --resource-group rg-a11y-scan-demo \
+                  --container-image-name "$ACR_LOGIN/a11y-scan-demo:$(Build.BuildId)"
+                az webapp restart \
+                  --name $WEB_APP_NAME \
+                  --resource-group rg-a11y-scan-demo
+                SITE_URL=$(az deployment group show \
+                  --resource-group rg-a11y-scan-demo \
+                  --name infra-deploy \
+                  --query 'properties.outputs.webAppUrl.value' -o tsv)
+                echo "Deployed scan demo app to: $SITE_URL"
+
+  # ── Teardown (requires approval on 'teardown' environment) ──
+  - template: templates/teardown-stage.yml
+    parameters:
+      dependsOn:
+        - Deploy_001
+        - Deploy_002
+        - Deploy_003
+        - Deploy_004
+        - Deploy_005
+        - Deploy_ScanDemo
+      resourceGroups:
+        - 'rg-a11y-demo-app-001'
+        - 'rg-a11y-demo-app-002'
+        - 'rg-a11y-demo-app-003'
+        - 'rg-a11y-demo-app-004'
+        - 'rg-a11y-demo-app-005'
+        - 'rg-a11y-scan-demo'
diff --git a/.azuredevops/pipelines/scan-all.yml b/.azuredevops/pipelines/scan-all.yml
new file mode 100644
index 0000000..1476ee6
--- /dev/null
+++ b/.azuredevops/pipelines/scan-all.yml
@@ -0,0 +1,73 @@
+# Orchestrating pipeline: Scan all demo apps in parallel
+# Manually triggered - runs accessibility scans on all 5 demo apps simultaneously
+trigger: none
+
+pool:
+  vmImage: 'ubuntu-latest'
+
+variables:
+  SCANNER_BASE_URL: 'https://a11y-scan-demo-app.azurewebsites.net'
+
+strategy:
+  matrix:
+    a11y-demo-app-001:
+      siteName: 'a11y-demo-app-001'
+      siteUrl: 'https://a11y-demo-app-001-app.azurewebsites.net/'
+    a11y-demo-app-002:
+      siteName: 'a11y-demo-app-002'
+      siteUrl: 'https://a11y-demo-app-002-app.azurewebsites.net/'
+    a11y-demo-app-003:
+      siteName: 'a11y-demo-app-003'
+      siteUrl: 'https://a11y-demo-app-003-app.azurewebsites.net/'
+    a11y-demo-app-004:
+      siteName: 'a11y-demo-app-004'
+      siteUrl: 'https://a11y-demo-app-004-app.azurewebsites.net/'
+    a11y-demo-app-005:
+      siteName: 'a11y-demo-app-005'
+      siteUrl: 'https://a11y-demo-app-005-app.azurewebsites.net/'
+  maxParallel: 5
+
+steps:
+  - checkout: self
+    displayName: 'Checkout repository'
+
+  - script: |
+      mkdir -p results
+      HTTP_STATUS=$(curl -s -o results/$(siteName).sarif -w "%{http_code}" \
+        -X POST "$(SCANNER_BASE_URL)/api/ci/scan" \
+        -H "Content-Type: application/json" \
+        -d '{"url": "$(siteUrl)", "format": "sarif"}' \
+        --max-time 120)
+
+      echo "HTTP status: $HTTP_STATUS"
+
+      if [ "$HTTP_STATUS" -ne 200 ]; then
+        echo "##vso[task.logissue type=error]Scan failed for $(siteUrl) (HTTP $HTTP_STATUS)"
+        cat results/$(siteName).sarif
+        exit 1
+      fi
+
+      echo "SARIF file written: results/$(siteName).sarif"
+      echo "File size: $(wc -c < results/$(siteName).sarif) bytes"
+    displayName: 'Run accessibility scan - $(siteName)'
+    timeoutInMinutes: 5
+
+  - task: PublishBuildArtifacts@1
+    condition: always()
+    inputs:
+      pathToPublish: 'results'
+      artifactName: 'a11y-sarif-$(siteName)'
+    displayName: 'Publish SARIF artifact - $(siteName)'
+
+  - task: PublishBuildArtifacts@1
+    condition: always()
+    inputs:
+      pathToPublish: 'results'
+      artifactName: 'CodeAnalysisLogs'
+    displayName: 'Publish to Scans tab - $(siteName)'
+
+  - task: AdvancedSecurity-Publish@1
+    condition: always()
+    inputs:
+      SarifsInputDirectory: '$(Build.SourcesDirectory)/results'
+    displayName: 'Publish SARIF to Advanced Security - $(siteName)'
diff --git a/.azuredevops/pipelines/templates/deploy-app-stage.yml b/.azuredevops/pipelines/templates/deploy-app-stage.yml
new file mode 100644
index 0000000..c49c6ad
--- /dev/null
+++ b/.azuredevops/pipelines/templates/deploy-app-stage.yml
@@ -0,0 +1,95 @@
+# Reusable template: Deploy a single app (infra + build + deploy)
+# Called from deploy-all.yml for each demo app
+
+parameters:
+  - name: stageId
+    type: string
+  - name: stageName
+    type: string
+  - name: appName
+    type: string
+  - name: resourceGroup
+    type: string
+  - name: repository
+    type: string
+  - name: containerPort
+    type: string
+    default: '8080'
+
+stages:
+  - stage: ${{ parameters.stageId }}
+    displayName: ${{ parameters.stageName }}
+    dependsOn: []
+    jobs:
+      - job: DeployApp
+        displayName: 'Deploy ${{ parameters.appName }}'
+        steps:
+          - checkout: ${{ parameters.repository }}
+
+          - task: AzureCLI@2
+            displayName: 'Deploy infrastructure'
+            inputs:
+              azureSubscription: '$(serviceConnection)'
+              scriptType: bash
+              scriptLocation: inlineScript
+              inlineScript: |
+                set -e
+                cd "$(Build.SourcesDirectory)/${{ parameters.repository }}"
+                ls -la infra/
+                az group create \
+                  --name ${{ parameters.resourceGroup }} \
+                  --location $(location)
+                az deployment group create \
+                  --resource-group ${{ parameters.resourceGroup }} \
+                  --name infra-deploy \
+                  --template-file infra/main.bicep \
+                  --parameters infra/main.parameters.json \
+                  --parameters imageTag=$(Build.BuildId) \
+                               containerPort=${{ parameters.containerPort }}
+
+          - task: AzureCLI@2
+            displayName: 'Build and push Docker image'
+            inputs:
+              azureSubscription: '$(serviceConnection)'
+              scriptType: bash
+              scriptLocation: inlineScript
+              inlineScript: |
+                set -e
+                cd "$(Build.SourcesDirectory)/${{ parameters.repository }}"
+                ACR_NAME=$(az deployment group show \
+                  --resource-group ${{ parameters.resourceGroup }} \
+                  --name infra-deploy \
+                  --query 'properties.outputs.acrName.value' -o tsv)
+                echo "ACR: $ACR_NAME"
+                az acr build \
+                  --registry "$ACR_NAME" \
+                  --image ${{ parameters.appName }}:$(Build.BuildId) .
+
+          - task: AzureCLI@2
+            displayName: 'Deploy container to Web App'
+            inputs:
+              azureSubscription: '$(serviceConnection)'
+              scriptType: bash
+              scriptLocation: inlineScript
+              inlineScript: |
+                set -e
+                WEB_APP_NAME=$(az deployment group show \
+                  --resource-group ${{ parameters.resourceGroup }} \
+                  --name infra-deploy \
+                  --query 'properties.outputs.webAppName.value' -o tsv)
+                ACR_LOGIN=$(az deployment group show \
+                  --resource-group ${{ parameters.resourceGroup }} \
+                  --name infra-deploy \
+                  --query 'properties.outputs.acrLoginServer.value' -o tsv)
+                az webapp config container set \
+                  --name $WEB_APP_NAME \
+                  --resource-group ${{ parameters.resourceGroup }} \
+                  --container-image-name "$ACR_LOGIN/${{ parameters.appName }}:$(Build.BuildId)"
+                az webapp restart \
+                  --name $WEB_APP_NAME \
+                  --resource-group ${{ parameters.resourceGroup }}
+                SITE_URL=$(az deployment group show \
+                  --resource-group ${{ parameters.resourceGroup }} \
+                  --name infra-deploy \
+                  --query 'properties.outputs.webAppUrl.value' -o tsv)
+                echo "Deployed ${{ parameters.appName }} to: $SITE_URL"
diff --git a/.azuredevops/pipelines/templates/teardown-stage.yml b/.azuredevops/pipelines/templates/teardown-stage.yml
new file mode 100644
index 0000000..2612e25
--- /dev/null
+++ b/.azuredevops/pipelines/templates/teardown-stage.yml
@@ -0,0 +1,50 @@
+# Reusable template: Teardown all demo resource groups
+# Uses the 'teardown' environment which should have an approval gate configured
+
+parameters:
+  - name: resourceGroups
+    type: object
+    default:
+      - 'rg-a11y-demo-app-001'
+      - 'rg-a11y-demo-app-002'
+      - 'rg-a11y-demo-app-003'
+      - 'rg-a11y-demo-app-004'
+      - 'rg-a11y-demo-app-005'
+      - 'rg-a11y-scan-demo'
+  - name: dependsOn
+    type: object
+    default: []
+
+stages:
+  - stage: Teardown
+    displayName: 'Teardown All Resources'
+    dependsOn: ${{ parameters.dependsOn }}
+    condition: succeeded()
+    jobs:
+      - deployment: TeardownAll
+        displayName: 'Delete all demo resource groups'
+        environment: 'teardown'
+        strategy:
+          runOnce:
+            deploy:
+              steps:
+                - ${{ each rg in parameters.resourceGroups }}:
+                  - task: AzureCLI@2
+                    displayName: 'Delete ${{ rg }}'
+                    inputs:
+                      azureSubscription: '$(serviceConnection)'
+                      scriptType: bash
+                      scriptLocation: inlineScript
+                      inlineScript: |
+                        if az group exists --name ${{ rg }} | grep -q true; then
+                          echo "Deleting resource group: ${{ rg }}"
+                          az group delete --name ${{ rg }} --yes --no-wait
+                          echo "Deletion initiated for ${{ rg }}"
+                        else
+                          echo "Resource group ${{ rg }} does not exist, skipping."
+                        fi
+
+                - script: |
+                    echo "Teardown initiated for all resource groups."
+                    echo "Resource group deletions are running asynchronously."
+                  displayName: 'Teardown summary'