fix(workflows): use SCANNER_URL secret in scan workflows and add deploy summary AB#2137

.github/workflows/deploy-all.yml

@@ -148,6 +148,52 @@ jobs:
             --name infra-deploy \
             --query 'properties.outputs.webAppUrl.value' -o tsv)
           echo "Deployed scan demo app to: $SITE_URL"
+          echo "scanner_url=$SITE_URL" >> "$GITHUB_OUTPUT"
+        id: deploy-scanner
+
+  # ── Deployment summary with clickable links ──
+  summary:
+    name: Deployment Summary
+    runs-on: ubuntu-latest
+    needs:
+      - dispatch-apps
+      - deploy-scan-demo
+    steps:
+      - name: Azure Login
+        uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+      - name: Generate deployment summary
+        run: |
+          echo "## 🚀 All Demo Apps Deployed" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "| App | Language | URL |" >> $GITHUB_STEP_SUMMARY
+          echo "|-----|----------|-----|" >> $GITHUB_STEP_SUMMARY
+          for i in 001 002 003 004 005; do
+            RG="rg-a11y-demo-app-${i}"
+            URL=$(az deployment group show \
+              --resource-group "$RG" \
+              --name infra-deploy \
+              --query 'properties.outputs.webAppUrl.value' -o tsv 2>/dev/null || echo "N/A")
+            case $i in
+              001) LANG="Rust" ;;
+              002) LANG="C#" ;;
+              003) LANG="Java" ;;
+              004) LANG="Python" ;;
+              005) LANG="Go" ;;
+            esac
+            echo "| App ${i} | ${LANG} | [${URL}](${URL}) |" >> $GITHUB_STEP_SUMMARY
+          done
+          SCANNER_URL=$(az deployment group show \
+            --resource-group rg-a11y-scan-demo \
+            --name infra-deploy \
+            --query 'properties.outputs.webAppUrl.value' -o tsv 2>/dev/null || echo "N/A")
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "### Scanner App" >> $GITHUB_STEP_SUMMARY
+          echo "**URL:** [${SCANNER_URL}](${SCANNER_URL})" >> $GITHUB_STEP_SUMMARY
 
   # ── Teardown (requires approval via 'teardown' environment) ──
   teardown:

a11y-demo-app-001/.github/workflows/a11y-scan.yml

@@ -6,7 +6,7 @@ on:
   workflow_dispatch:
 
 env:
-  SCANNER_BASE_URL: https://a11y-scan-demo-app.azurewebsites.net
+  SCANNER_BASE_URL: ${{ secrets.SCANNER_URL }}
 
 permissions:
   security-events: write

a11y-demo-app-002/.github/workflows/a11y-scan.yml

@@ -6,7 +6,7 @@ on:
   workflow_dispatch:
 
 env:
-  SCANNER_BASE_URL: https://a11y-scan-demo-app.azurewebsites.net
+  SCANNER_BASE_URL: ${{ secrets.SCANNER_URL }}
 
 permissions:
   security-events: write

a11y-demo-app-003/.github/workflows/a11y-scan.yml

@@ -6,7 +6,7 @@ on:
   workflow_dispatch:
 
 env:
-  SCANNER_BASE_URL: https://a11y-scan-demo-app.azurewebsites.net
+  SCANNER_BASE_URL: ${{ secrets.SCANNER_URL }}
 
 permissions:
   security-events: write

a11y-demo-app-004/.github/workflows/a11y-scan.yml

@@ -6,7 +6,7 @@ on:
   workflow_dispatch:
 
 env:
-  SCANNER_BASE_URL: https://a11y-scan-demo-app.azurewebsites.net
+  SCANNER_BASE_URL: ${{ secrets.SCANNER_URL }}
 
 permissions:
   security-events: write

a11y-demo-app-005/.github/workflows/a11y-scan.yml

@@ -6,7 +6,7 @@ on:
   workflow_dispatch:
 
 env:
-  SCANNER_BASE_URL: https://a11y-scan-demo-app.azurewebsites.net
+  SCANNER_BASE_URL: ${{ secrets.SCANNER_URL }}
 
 permissions:
   security-events: write

scripts/bootstrap-demo-apps.ps1

@@ -59,6 +59,18 @@ if ($null -eq $OrgAdminToken) {
     $OrgAdminToken = Read-Host -Prompt 'Enter ORG_ADMIN_TOKEN for wiki push (or press Enter to skip)'
 }
 
+# Resolve scanner URL from Azure deployment or environment variable
+$ScannerUrl = $env:SCANNER_URL
+if (-not $ScannerUrl) {
+    $null = az account show 2>&1
+    if ($LASTEXITCODE -eq 0) {
+        $ScannerUrl = az deployment group show --resource-group rg-a11y-scan-demo --name infra-deploy --query 'properties.outputs.webAppUrl.value' -o tsv 2>$null
+    }
+}
+if (-not $ScannerUrl) {
+    $ScannerUrl = Read-Host -Prompt 'Enter SCANNER_URL (scanner app base URL, or press Enter to skip)'
+}
+
 # Run OIDC setup if Azure CLI is logged in and secrets are being configured
 if ($ConfigureSecrets) {
     $null = az account show 2>&1
@@ -213,6 +225,17 @@ foreach ($app in $DemoApps) {
         }
     }
 
+    if ($ScannerUrl) {
+        Write-Host "  Configuring SCANNER_URL for a11y scan workflow..." -ForegroundColor Gray
+        try {
+            gh secret set SCANNER_URL --repo $fullRepo --body $ScannerUrl
+            Write-Host "  SCANNER_URL configured." -ForegroundColor Green
+        }
+        catch {
+            Write-Host "  Warning: Could not configure SCANNER_URL: $_" -ForegroundColor Yellow
+        }
+    }
+
     # Initialize wiki (required before workflows can push to it)
     if ($OrgAdminToken) {
         Write-Host "  Initializing wiki..." -ForegroundColor Gray