chore: Dev merge to Main #254
Merged
Equivalent of #167. Applied as direct version bumps because the dependabot branch diverged heavily from main+dev.
- actions/checkout v4 -> v6
- actions/setup-python v5 -> v6
- actions/upload-artifact v4 -> v7
- actions/stale v9 -> v10
- docker/setup-buildx-action v3 -> v4
- docker/build-push-action v6 -> v7
- codfish/semantic-release-action v3 -> v5
- amannn/action-semantic-pull-request v5 -> v6
- lycheeverse/lychee-action v2.4.1 -> v2.8.0
- tj-actions/changed-files v46 -> v47.0.5
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…for ADO #41266
Equivalent of #168. pyproject.toml versions bumped to dependabot recommendations and uv.lock regenerated via 'uv lock --upgrade'.
- aiofiles 24.1.0 -> 25.1.0
- azure-ai-agents 1.2.0b3 -> 1.2.0b6
- azure-appconfiguration 1.7.1 -> 1.8.0
- azure-identity 1.25.0 -> 1.25.3
- azure-monitor-opentelemetry 1.7.0 -> 1.8.7
- azure-search-documents 11.6.0b12 -> 11.7.0b2
- azure-storage-blob 12.26.0 -> 12.28.0
- azure-storage-queue 12.13.0 -> 12.15.0
- fastapi[standard] 0.116.1 -> 0.135.3
- pydantic-settings 2.10.1 -> 2.13.1
- sas-cosmosdb 0.1.4 -> 0.1.5
- semantic-kernel[azure] 1.40.0 -> 1.41.1
- uvicorn 0.35.0 -> 0.42.0
Validation: all 13 upgraded modules import cleanly. Existing src/tests suite has pre-existing broken imports (libs/, routers/ missing in src/) on main and dev unrelated to this upgrade.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
… for ADO #41266
Equivalent of #214. pyproject.toml versions bumped and uv.lock regenerated via 'uv lock --upgrade'.
Applied:
- aiohttp 3.13.3 -> 3.13.5
- azure-ai-projects 2.0.0b3 -> 2.1.0
- azure-appconfiguration 1.7.2 -> 1.8.0
- fastmcp 2.14.5 -> 3.2.4 (major bump, API-compatible)
- mcp 1.25.0 -> 1.27.0
- openai 2.15.0 -> 2.33.0
- psutil 7.2.1 -> 7.2.2
- pytz 2025.2 -> 2026.1.post1
- sas-cosmosdb 0.1.4 -> 0.1.5
Skipped (with rationale):
- azure-ai-agents 1.2.0b6: blocked by agent-framework==1.0.0b260107 which pins azure-ai-agents==1.2.0b5 (kept current pin).
- azure-identity 1.25.3: current pin (1.26.0b1) is newer than dependabot target.
- azure-storage-queue 12.15.0: already at target.
- semantic-kernel 1.41.3: not present in processor (removed from main+dev, replaced by agent-framework).
Validation: fastmcp v3 'from fastmcp import FastMCP' API still works, all 4 processor mcp_server modules import successfully under v3.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…n src/frontend for ADO #41266
Equivalent of #169, partial. This commit covers ONLY the minor/patch bumps. Major version bumps (React 18->19, MSAL 4->5, vite 6->8, tailwindcss 3->4, eslint 9->10, uuid 11->13, etc.) are intentionally deferred for explicit per-package review per AC-4.
Applied (minor/patch):
- @fluentui/react ^8.122.9 -> ^8.125.5
- @fluentui/react-components ^9.56.7 -> ^9.73.7
- @fluentui/react-file-type-icons ^8.12.7 -> ^8.17.0
- @fluentui/react-icons ^2.0.270 -> ^2.0.323
- @reduxjs/toolkit ^2.2.7 -> ^2.11.2
- @tailwindcss/vite ^4.0.0 -> ^4.2.2
- autoprefixer ^10.4.20 -> ^10.4.27
- postcss ^8.5.0 -> ^8.5.8
- react-icons ^5.5.0 -> ^5.6.0
- react-router-dom ^7.13.1 -> ^7.13.2
- sql-formatter ^15.4.11 -> ^15.7.3
- rollup-plugin-dts ^6.1.1 -> ^6.4.1
- eslint-plugin-react ^7.37.2 -> ^7.37.5
- rollup ^4.59.0 -> ^4.60.1
Validation: 'npm install' clean, 'npm run build' clean (vite production build OK).
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Applied 20 major version bumps from dependabot PR #169:
- React 18 -> 19 (react, react-dom, @types/react, @types/react-dom)
- @azure/msal-browser, @azure/msal-react 4 -> 5
- vite 6 -> 8
- tailwindcss 3 -> 4 (added @tailwindcss/postcss; updated postcss.config.js)
- uuid 11 -> 13
- Plus other minor majors (recharts, react-router-dom, etc.)
Skipped/reverted with rationale:
- eslint kept at ^9.39.4 (eslint-plugin-react@7.37.5 and eslint-plugin-react-hooks@7.1.1 peer-cap at eslint ^9; no plugins compatible with eslint 10 yet)
- @eslint/js kept at ^9 to match eslint
- axios kept at 1.15.0 (newer than dependabot target 1.14.0)
- js-yaml, lottie-react, react-markdown already at target versions
Validation: npm install succeeded; npm run build succeeded (with expected fluentui peer-dep warnings around React 19; build output is clean).
Refs ADO #41266
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Fix lottie-react double-default CJS interop in processPage and progressModal
- Fix highlight.js language registration with unwrap helper for rolldown
- Remove sql-formatter and sql language registration
- Switch Dockerfile build stage to node:20-slim (rolldown needs Node >=20.19)
- Use npm ci instead of npm install in Dockerfile
- Revert react-syntax-highlighter to v15.6.1
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Keep our dependabot package versions, take dev code changes.
Reapplied lottie-react unwrap fix and kept sql-formatter removed.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…O #43311)
Enables double encryption at rest by setting requireInfrastructureEncryption: true on the AVM storage-account modules used by both the standard and custom deployments, plus the (currently unreferenced) wrapper module for parity with Modernize PR #435.
Files touched:
- infra/main.bicep (inline AVM storage/storage-account:0.20.0)
- infra/main_custom.bicep (inline AVM storage/storage-account:0.20.0)
- infra/modules/storageAccount.bicep (wrapper around AVM 0.26.2)
Addresses SFI item: "add encryption property and make requireInfrastructureEncryption: true for storage account".
Mirrors the storage-account change in microsoft/Modernize-your-code-solution-accelerator#435.
Work item: AB#43311
ADO: https://dev.azure.com/CSACTOSOL/CSA%20Solutioning/_workitems/edit/43311
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…ent (ADO #43311)
Sets peerTrafficEncryption: true on the AVM app/managed-environment:0.11.2 module in both deployment variants. This toggles Microsoft.App/managedEnvironments.properties.peerTrafficConfiguration.encryption.enabled, which is the Container Apps equivalent of the App Service endToEndEncryptionEnabled property called out by the SFI scan (this repo deploys Container Apps, not App Service).
Files touched:
- infra/main.bicep (containerAppsEnvironment module ~L1121)
- infra/main_custom.bicep (containerAppsEnvironment module ~L1074)
Addresses SFI item: "endToEndEncryptionEnabled: true in App Service".
Work item: AB#43311
ADO: https://dev.azure.com/CSACTOSOL/CSA%20Solutioning/_workitems/edit/43311
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…VM (ADO #43311)
Audited every resource in the Bicep templates against the SFI "identity required"
rule. Resources that support managed identity but were missing one:
* Microsoft.DocumentDB/databaseAccounts (cosmosDb) -> add SystemAssigned
* Microsoft.ContainerRegistry/registries (containerRegistry) -> add SystemAssigned
* Microsoft.Compute/virtualMachines (jumpboxVM) -> add SystemAssigned
The jumpbox VM also gains SystemAssigned because the Azure Monitor Agent extension
needs an identity to authenticate against the Log Analytics workspace when honoring
the SecurityAuditEvents data collection rule association (introduced in a later
commit on this branch).
Resources already compliant and left untouched:
* aiFoundryAiServices -> systemAssigned + userAssignedResourceIds already set
* aiFoundryProject -> identity.type = 'SystemAssigned' already set
* appConfiguration / avmAppConfigUpdated -> systemAssigned already set
* containerAppsEnvironment -> systemAssigned already set
* containerAppBackend / Frontend / Processor -> UAMI (appIdentity) already wired
* storageAccount -> systemAssigned already set
* appIdentity (UAMI itself, N/A)
* Bastion / ApplicationInsights / LAW / PrivateDnsZones (do not support / not in
SFI scope per user's authoritative list)
Files touched:
- infra/main.bicep (cosmosDb, jumpboxVM)
- infra/main_custom.bicep (cosmosDb, containerRegistry, jumpboxVM)
Addresses SFI item: "identity: { type: 'SystemAssigned' } or { type: 'UserAssigned' }".
Work item: AB#43311
ADO: https://dev.azure.com/CSACTOSOL/CSA%20Solutioning/_workitems/edit/43311
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…DO #43311)
Adds a Data Collection Rule that captures Windows audit success (EventID 4624) and audit failure (EventID 4625) Security events from the jumpbox VM and routes them to the Log Analytics workspace via the Microsoft-SecurityEvent stream. The DCR is associated with the VM through the Azure Monitor Agent extension (extensionMonitoringAgentConfig.dataCollectionRuleAssociations). The OMSGallery Security solution is installed on the workspace so the SecurityEvent table is populated for the routed stream.
Pattern mirrors microsoft/Modernize-your-code-solution-accelerator#435 but the audit success and audit failure events are covered by a single xPath (Security!*[System[(EventID=4624 or EventID=4625)]]) routed via the Microsoft-SecurityEvent stream rather than Microsoft-WindowsEvent.
All new resources are gated on enablePrivateNetworking && enableMonitoring so non-WAF / non-monitoring deployments are unaffected.
Files touched:
- infra/main.bicep (jumpboxVM AMA extension; new securitySolution + windowsVmDataCollectionRules)
- infra/main_custom.bicep (same additions)
Addresses SFI item: "data collection rule ['audit success','audit failure'] logs should be enabled".
Work item: AB#43311
ADO: https://dev.azure.com/CSACTOSOL/CSA%20Solutioning/_workitems/edit/43311
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Regenerated infra/main.json via 'az bicep build infra/main.bicep' to pick up the four SFI changes on this branch:
* Container Apps Environment peerTrafficEncryption
* Storage account requireInfrastructureEncryption
* SystemAssigned identity on cosmos / ACR / jumpbox VM
* Windows Security audit DCR + OMSGallery/Security solution
The large diff is dominated by the inlined AVM data-collection-rule:0.11.0 module definition pulled into main.json by the new windowsVmDataCollectionRules module.
No main_custom.json exists in this repo (main_custom.bicep is consumed by tooling that runs bicep on demand).
Work item: AB#43311
ADO: https://dev.azure.com/CSACTOSOL/CSA%20Solutioning/_workitems/edit/43311
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
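The commits above describe four settings that the regenerated main.json should now carry: infrastructure encryption on the storage account, peer-traffic encryption on the Container Apps environment, a managed identity on Cosmos DB / ACR / the jumpbox VM, and a DCR that routes Security 4624/4625 events over the Microsoft-SecurityEvent stream. A reviewer can confirm all four from the compiled template instead of reading the Bicep diff. The following checker is an added example and not code from this repository or from AVM; SAMPLE_TEMPLATE is a constructed stand-in for main.json, the IDENTITY_REQUIRED set is an assumption drawn from the resource list in the identity commit, and the property paths are the ARM schema paths for each resource type.

```python
"""Compliance check over a compiled ARM template (such as infra/main.json) for the
four SFI settings described in this branch's commits.

Added example, not repository code. SAMPLE_TEMPLATE is constructed; the real
template is passed as argv[1]. Property paths checked: identity.type,
properties.encryption.requireInfrastructureEncryption,
properties.peerTrafficConfiguration.encryption.enabled, and the DCR's
properties.dataSources.windowsEventLogs entries.
"""
import json
from typing import Any, Iterator

# Constructed sample: a trimmed ARM template with one nested deployment, which is
# how AVM modules end up inlined in main.json. Two settings are deliberately
# non-compliant so the checker has something to report.
SAMPLE_TEMPLATE = json.dumps({
    "resources": [
        {
            "type": "Microsoft.Storage/storageAccounts",
            "name": "stplaceholder",
            "identity": {"type": "SystemAssigned"},
            "properties": {"encryption": {"requireInfrastructureEncryption": True}},
        },
        {
            "type": "Microsoft.DocumentDB/databaseAccounts",
            "name": "cosmos-placeholder",
            "properties": {},  # no identity block -> finding
        },
        {
            "type": "Microsoft.Resources/deployments",
            "name": "containerAppsEnvironment",
            "properties": {"template": {"resources": [
                {
                    "type": "Microsoft.App/managedEnvironments",
                    "name": "cae-placeholder",
                    "identity": {"type": "SystemAssigned"},
                    # peer traffic encryption left off -> finding
                    "properties": {"peerTrafficConfiguration": {"encryption": {"enabled": False}}},
                },
                {
                    "type": "Microsoft.Insights/dataCollectionRules",
                    "name": "dcr-placeholder",
                    "properties": {"dataSources": {"windowsEventLogs": [{
                        "name": "securityAudit",
                        "streams": ["Microsoft-SecurityEvent"],
                        "xPathQueries": ["Security!*[System[(EventID=4624 or EventID=4625)]]"],
                    }]}},
                },
            ]}},
        },
    ]
})

# Assumption: the resource types the SFI "identity required" rule covers in these templates.
IDENTITY_REQUIRED = {
    "Microsoft.DocumentDB/databaseAccounts",
    "Microsoft.ContainerRegistry/registries",
    "Microsoft.Compute/virtualMachines",
    "Microsoft.App/managedEnvironments",
    "Microsoft.Storage/storageAccounts",
}
REQUIRED_XPATH = "Security!*[System[(EventID=4624 or EventID=4625)]]"
REQUIRED_STREAM = "Microsoft-SecurityEvent"


def dig(obj: Any, *path: str) -> Any:
    """Safe nested lookup; returns None when any key along the path is missing."""
    for key in path:
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj


def iter_resources(template: dict) -> Iterator[dict]:
    """Yield every resource, descending into nested Microsoft.Resources/deployments."""
    resources = template.get("resources", [])
    if isinstance(resources, dict):  # symbolic-name templates emit a dict
        resources = list(resources.values())
    for res in resources:
        yield res
        if res.get("type") == "Microsoft.Resources/deployments":
            yield from iter_resources(dig(res, "properties", "template") or {})


def check_template(template_json: str) -> list[str]:
    """Return findings as strings; an empty list means all four settings are present."""
    findings: list[str] = []
    dcr_ok = False
    for res in iter_resources(json.loads(template_json)):
        rtype, name = res.get("type", ""), res.get("name", "?")
        if rtype in IDENTITY_REQUIRED and dig(res, "identity", "type") in (None, "None"):
            findings.append(f"{rtype} '{name}': no managed identity")
        if rtype == "Microsoft.Storage/storageAccounts" and \
                dig(res, "properties", "encryption", "requireInfrastructureEncryption") is not True:
            findings.append(f"{rtype} '{name}': requireInfrastructureEncryption is not true")
        if rtype == "Microsoft.App/managedEnvironments" and \
                dig(res, "properties", "peerTrafficConfiguration", "encryption", "enabled") is not True:
            findings.append(f"{rtype} '{name}': peerTrafficConfiguration.encryption.enabled is not true")
        if rtype == "Microsoft.Insights/dataCollectionRules":
            for src in dig(res, "properties", "dataSources", "windowsEventLogs") or []:
                if REQUIRED_XPATH in src.get("xPathQueries", []) and REQUIRED_STREAM in src.get("streams", []):
                    dcr_ok = True
    if not dcr_ok:
        findings.append(f"no DCR routes {REQUIRED_XPATH} via {REQUIRED_STREAM}")
    return findings


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    for finding in check_template(source) or ["compliant"]:
        print(finding)
```

Run it as `python check_sfi.py infra/main.json`. Values that the Bicep leaves parameterised compile to ARM expressions such as `[parameters('enableMonitoring')]` rather than literal booleans, and conditional resources keep their `condition` expression, so anything the checker flags on a real template still needs a look at the expression before it is called a regression; a literal-only check is a first pass, not a substitute for reading the gated paths.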
Resolve conflicts with origin/dev (ADO #41266):
- backend-api/pyproject.toml: restore python-dotenv==1.2.2 pin; bump python-multipart 0.0.22 -> 0.0.27; bump urllib3 2.6.3 -> 2.7.0; add requests==2.33.0, werkzeug==3.1.4, pygments==2.20.0 to override-deps
- processor/pyproject.toml: bump pytest 9.0.2 -> 9.0.3
- frontend/package.json: keep lucide-react ^1.7.0; bump mermaid ^11.13.0 -> ^11.15.0; bump uuid ^13.0.0 -> ^14.0.0
- .github/workflows/test.yml: keep actions/checkout@v6 + setup-python@v6 bumps; align processor_tests job to same versions
- regenerated uv.lock and package-lock.json
Validated: npm run build succeeds; uv lock resolves cleanly for both backend-api (156 packages) and processor (202 packages).
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Previous --legacy-peer-deps regen omitted typescript@6.0.3 (peer dep of rollup-plugin-dts) from the lockfile, causing `npm ci` to fail inside the frontend Dockerfile with "Missing: typescript@6.0.3 from lock file".
Regenerated with --include=peer so all peer deps are pinned and CI's build-and-push (ContentProcessorWeb) succeeds.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Create-Release..yml: drop misleading ref override on push trigger (github.event.workflow_run.head_sha is empty on push events; let actions/checkout default to the pushed SHA)
- batchView.tsx: register SQL language for the Light SyntaxHighlighter so getFileLanguageAndType()='sql' renders correctly
- modernizationPage.tsx: register SQL language for the Light SyntaxHighlighter so translated SQL is highlighted instead of potentially erroring on the unregistered language
- processPage.tsx: fix comment typo (missing space before hyphen)
- package.json: declare highlight.js as a direct dependency since the Light highlighter imports highlight.js/lib/languages/* directly; pinned to ^10.7.3 to match the version already resolved transitively via react-syntax-highlighter
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
feat: Enhance email template, add RG owner tag, scalability input
The Microsoft.OperationsManagement/solutions 'Security' (OMSGallery/Security) resource is a legacy artifact from the Log Analytics Agent (MMA) era. With the modern Azure Monitor Agent + Data Collection Rule pipeline used here, the SecurityEvent table is auto-provisioned by Azure Monitor on first ingestion of the Microsoft-SecurityEvent stream. The OMSGallery solution is not required and adds a marketplace plan resource for no functional benefit.
- Remove the securitySolution resource from infra/main.bicep and infra/main_custom.bicep.
- Drop the now-unnecessary dependsOn: [securitySolution] from the windowsVmDataCollectionRules module.
- Regenerate infra/main.json from main.bicep.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
chore: Apply dependabot upgrades from dependabotchanges (ADO #41266)
fix(infra): address SFI security compliance issues
fix: fixed copilot comments
Roopan-Microsoft approved these changes (May 27, 2026)
Prajwal-Microsoft approved these changes (May 27, 2026)
🎉 This PR is included in version 2.1.0 🎉 The release is available on GitHub release. Your semantic-release bot 📦🚀
Roopan-Microsoft added a commit that referenced this pull request (May 29, 2026):
…grade chore: regenerate infra/main.json with Bicep CLI 0.43.8 (fix PR #254 version downgrade)
Purpose
This pull request introduces an opt-in scalability feature for WAF-enabled deployments across all deployment workflows, improves parameter validation, and enhances resource tagging and notification output. The main focus is on making the "enable scalability" option available, validated, and correctly passed through the deployment pipelines for both Linux and Windows targets, as well as improving the clarity of workflow inputs and notification formatting.
Key changes include:
Scalability Option Integration
- enable_scalability (or ENABLE_SCALABILITY) input parameter to all deployment workflows (deploy-orchestrator.yml, deploy-v2.yml, job-deploy.yml, job-deploy-linux.yml, and job-deploy-windows.yml), making it available for WAF-enabled, opt-in deployments.
- enable_scalability parameter is passed through all relevant steps and sub-jobs.
Parameter Validation and Application
- enable_scalability parameter in all workflows, ensuring only true or false values are accepted and providing clear error messaging.
- enableScalability value into ARM template parameter files when WAF is enabled, using robust error handling and value checks.
Workflow Input and Output Improvements
Resource Tagging Enhancement
Notification Workflow Enhancement
These changes collectively improve deployment flexibility, validation robustness, resource governance, and notification clarity across the CI/CD workflows.
Does this introduce a breaking change?
Golden Path Validation
Deployment Validation
What to Check
Verify that the following are valid
Other Information