Merge remote-tracking branch 'upstream/main' into pr/Ba4bes/1892-1

Author: Ba4bes

.azure/deployment-plan.md

@@ -0,0 +1,190 @@
+# Azure Deployment Plan
+
+> **Status:** Planning
+
+Generated: 2026-04-14
+
+---
+
+## 1. Project Overview
+
+**Goal:** Create and deploy a new production Node.js/TypeScript web application on Azure VMSS with Azure SQL backend, autoscaling, and Application Gateway load balancing.
+
+**Path:** New Project
+
+---
+
+## 2. Requirements
+
+| Attribute | Value |
+|-----------|-------|
+| Classification | Production |
+| Scale | Large (high traffic, autoscaling) |
+| Budget | Balanced |
+| **Subscription** | Playground - 01 (`4b0a7581-9eea-4d30-a166-f8fac23b6edd`) |
+| **Location** | East US |
+| OS | Linux (Ubuntu) |
+| VM Size | Standard_D4s_v5 (4 vCPUs, 16 GB RAM) |
+| Hosting Model | VMSS (Flexible orchestration) |
+
+---
+
+## 3. Components Detected
+
+| Component | Type | Technology | Path |
+|-----------|------|------------|------|
+| Web App | SSR Web Server | Node.js / TypeScript / Express | `src/web/` |
+| Database | Relational DB | Azure SQL | (managed service) |
+
+---
+
+## 4. Recipe Selection
+
+**Selected:** Bicep
+
+**Rationale:** User preference for native Azure IaC. Bicep provides first-class ARM integration, strong typing, and is ideal for VMSS + networking + SQL deployments.
+
+---
+
+## 5. Architecture
+
+**Stack:** VMSS (Virtual Machine Scale Set) + Azure SQL
+
+### Service Mapping
+
+| Component | Azure Service | SKU / Config |
+|-----------|---------------|--------------|
+| Web App (VMSS) | Microsoft.Compute/virtualMachineScaleSets | Standard_D4s_v5, Flexible orchestration, 2–6 instances |
+| Load Balancer | Microsoft.Network/applicationGateways | Application Gateway v2 (L7, TLS offload) |
+| Database | Microsoft.Sql/servers + databases | Azure SQL S2 (50 DTU) |
+| Virtual Network | Microsoft.Network/virtualNetworks | /16 VNet with subnets for VMSS, AppGW, SQL |
+| NSG | Microsoft.Network/networkSecurityGroups | Allow HTTP/HTTPS inbound, restrict SSH |
+| Public IP | Microsoft.Network/publicIPAddresses | Standard SKU, static, for AppGW frontend |
+
+### Supporting Services
+
+| Service | Purpose |
+|---------|---------|
+| Log Analytics | Centralized logging |
+| Application Insights | Monitoring & APM |
+| Key Vault | Secrets management (DB connection string) |
+| Managed Identity | VMSS-to-SQL and VMSS-to-KeyVault auth |
+
+### Autoscale Configuration
+
+| Setting | Value |
+|---------|-------|
+| Metric | CPU percentage |
+| Scale-out threshold | 70% avg CPU for 5 min |
+| Scale-in threshold | 30% avg CPU for 10 min |
+| Min instances | 2 |
+| Max instances | 6 |
+| Cooldown | 5 minutes |
+
+### Network Architecture
+
+```
+Internet → Public IP → Application Gateway (L7/TLS) → VMSS Subnet → VM instances
+                                                                    ↓
+                                                              SQL Private Endpoint
+```
+
+---
+
+## 6. Provisioning Limit Checklist
+
+### Resource Inventory & Quota Validation
+
+| Resource Type | Number to Deploy | Total After Deployment | Limit/Quota | Notes |
+|---------------|------------------|------------------------|-------------|-------|
+| Microsoft.Compute vCPUs (standardDSv5Family) | 24 (6×4 max) | 24 | 350 | ✅ Fetched from: az vm list-usage |
+| Microsoft.Compute vCPUs (Total Regional) | 24 | 180 | 350 | ✅ Fetched from: az vm list-usage |
+| Microsoft.Compute/virtualMachines | 6 (max) | 47 | 25,000 | ✅ Fetched from: az vm list-usage |
+| Microsoft.Network/virtualNetworks | 1 | 62 | 1,000 | ✅ Fetched from: az network list-usages |
+| Microsoft.Network/publicIPAddresses | 1 | 70 | 1,000 | ✅ Fetched from: az network list-usages |
+| Microsoft.Network/networkSecurityGroups | 2 | 216 | 5,000 | ✅ Fetched from: az network list-usages |
+| Microsoft.Network/loadBalancers (Standard) | 1 (AppGW) | 49 | 1,000 | ✅ Fetched from: az network list-usages |
+| Microsoft.Sql/servers | 1 | 2 | 20 per region | ✅ Fetched from: Azure Resource Graph + official docs |
+| Microsoft.KeyVault/vaults | 1 | ~1 | 10,000 per region | ✅ Fetched from: official docs |
+| Microsoft.OperationalInsights/workspaces | 1 | ~1 | 50 per region | ✅ Fetched from: official docs |
+
+**Status:** ✅ All resources within limits
+
+---
+
+## 7. Execution Checklist
+
+### Phase 1: Planning
+- [x] Analyze workspace (new project)
+- [x] Gather requirements (production, large, balanced, Linux)
+- [x] Confirm subscription and location with user (Playground - 01, eastus)
+- [x] Prepare resource inventory
+- [x] Fetch quotas and validate capacity
+- [x] Scan codebase (N/A — new project)
+- [x] Select recipe (Bicep)
+- [x] Plan architecture (VMSS + AppGW + SQL)
+- [ ] **User approved this plan**
+
+### Phase 2: Execution
+- [ ] Research components (load Bicep references)
+- [ ] Generate infrastructure files (`infra/main.bicep`, modules)
+- [ ] Generate application code (`src/web/` — Express/TypeScript app)
+- [ ] Generate custom-data script (cloud-init to bootstrap Node.js on VMs)
+- [ ] Generate application configuration
+- [ ] Apply security hardening (NSG rules, Key Vault, managed identity)
+- [ ] ⛔ Update plan status to "Ready for Validation"
+
+### Phase 3: Validation
+- [ ] Invoke azure-validate skill
+- [ ] All validation checks pass
+- [ ] Update plan status to "Validated"
+
+### Phase 4: Deployment
+- [ ] Invoke azure-deploy skill
+- [ ] Deployment successful
+- [ ] Report deployed endpoint URLs
+- [ ] Update plan status to "Deployed"
+
+---
+
+## 8. Files to Generate
+
+| File | Purpose | Status |
+|------|---------|--------|
+| `.azure/deployment-plan.md` | This plan | ✅ |
+| `infra/main.bicep` | Root Bicep template | ⏳ |
+| `infra/modules/vmss.bicep` | VMSS + autoscale config | ⏳ |
+| `infra/modules/network.bicep` | VNet, subnets, NSG, AppGW | ⏳ |
+| `infra/modules/sql.bicep` | Azure SQL Server + Database | ⏳ |
+| `infra/modules/monitoring.bicep` | Log Analytics + App Insights | ⏳ |
+| `infra/modules/keyvault.bicep` | Key Vault + secrets | ⏳ |
+| `infra/cloud-init.yaml` | VM bootstrap script (Node.js setup) | ⏳ |
+| `src/web/package.json` | Node.js dependencies | ⏳ |
+| `src/web/tsconfig.json` | TypeScript config | ⏳ |
+| `src/web/src/index.ts` | Express app entry point | ⏳ |
+
+---
+
+## 9. Cost Estimate
+
+| Resource | Unit Cost | Monthly Estimate |
+|----------|-----------|-----------------|
+| VMSS (2–6× Standard_D4s_v5) | $0.192/hr per VM | $280–$840 |
+| Application Gateway v2 | ~$0.246/hr + data | ~$180 |
+| Azure SQL S2 (50 DTU) | ~$75/mo | ~$75 |
+| Log Analytics (5 GB/day) | ~$2.30/GB | ~$350 |
+| Key Vault | ~$0.03/10K ops | <$5 |
+| **Total estimate** | | **~$885–$1,450/mo** |
+
+> 💡 Consider 1-year reserved instances for VMSS to save ~35%.
+
+---
+
+## 10. Next Steps
+
+> Current: Awaiting user approval
+
+1. User approves this plan
+2. Generate all infrastructure and application files
+3. Validate with azure-validate
+4. Deploy with azure-deploy

.github/CODEOWNERS

@@ -8,27 +8,28 @@
 /.github/workflows/ @microsoft/ghcp4a
 
 # Plugin skills owners
-/plugin/skills/appinsights-instrumentation/ @JasonYeMSFT
-/plugin/skills/azure-ai/ @charris-msft
-/plugin/skills/azure-aigateway/ @azaslonov
-/plugin/skills/azure-cloud-migrate/ @saikoumudi @MadhuraBharadwaj-MSFT
-/plugin/skills/azure-compliance/ @saikoumudi
-/plugin/skills/azure-compute/ @alex-thompson @rakal-dyh @joybb @rmmue21
-/plugin/skills/azure-cost-optimization/ @saikoumudi
-/plugin/skills/azure-deploy/ @tmeschter @wbreza @kvenkatrajan @paulyuk
-/plugin/skills/azure-diagnostics/ @tmeschter @saikoumudi
-/plugin/skills/azure-enterprise-infra-planner/ @Jbrocket @micha31r @arunrab
+/plugin/skills/airunway-aks-setup/ @jongio
+/plugin/skills/appinsights-instrumentation/ @JasonYeMSFT @jongio
+/plugin/skills/azure-ai/ @charris-msft @jongio
+/plugin/skills/azure-aigateway/ @azaslonov @jongio
+/plugin/skills/azure-cloud-migrate/ @saikoumudi @MadhuraBharadwaj-MSFT @jongio
+/plugin/skills/azure-compliance/ @saikoumudi @jongio
+/plugin/skills/azure-compute/ @alex-thompson @rakal-dyh @joybb @rmmue21 @jongio
+/plugin/skills/azure-cost/ @saikoumudi @jongio
+/plugin/skills/azure-deploy/ @tmeschter @wbreza @kvenkatrajan @paulyuk @jongio
+/plugin/skills/azure-diagnostics/ @tmeschter @saikoumudi @jongio
+/plugin/skills/azure-enterprise-infra-planner/ @Jbrocket @micha31r @arunrab @jongio
 /plugin/skills/azure-hosted-copilot-sdk/ @jongio
-/plugin/skills/azure-kubernetes/ @saikoumudi @chandraneel
-/plugin/skills/azure-kusto/ @saikoumudi
-/plugin/skills/azure-messaging/ @kashifkhan
-/plugin/skills/azure-prepare/ @tmeschter @wbreza @kvenkatrajan
-/plugin/skills/azure-quotas/ @rakal-dyh
-/plugin/skills/azure-rbac/ @JasonYeMSFT @msalaman
-/plugin/skills/azure-resource-lookup/ @charris-msft
-/plugin/skills/azure-resource-visualizer/ @tmeschter
-/plugin/skills/azure-storage/ @charris-msft
-/plugin/skills/azure-upgrade/ @MadhuraBharadwaj-MSFT @saikoumudi
-/plugin/skills/azure-validate/ @wbreza @tmeschter @kvenkatrajan
-/plugin/skills/entra-app-registration/ @JasonYeMSFT @kvenkatrajan
-/plugin/skills/microsoft-foundry/ @ankitbko @tendau @XOEEst
+/plugin/skills/azure-kubernetes/ @saikoumudi @chandraneel @gambtho @jongio
+/plugin/skills/azure-kusto/ @saikoumudi @jongio
+/plugin/skills/azure-messaging/ @kashifkhan @jongio
+/plugin/skills/azure-prepare/ @tmeschter @wbreza @kvenkatrajan @jongio
+/plugin/skills/azure-quotas/ @rakal-dyh @jongio
+/plugin/skills/azure-rbac/ @JasonYeMSFT @msalaman @jongio
+/plugin/skills/azure-resource-lookup/ @charris-msft @jongio
+/plugin/skills/azure-resource-visualizer/ @tmeschter @jongio
+/plugin/skills/azure-storage/ @charris-msft @jongio
+/plugin/skills/azure-upgrade/ @MadhuraBharadwaj-MSFT @saikoumudi @jongio
+/plugin/skills/azure-validate/ @wbreza @tmeschter @kvenkatrajan @jongio
+/plugin/skills/entra-app-registration/ @JasonYeMSFT @kvenkatrajan @jongio
+/plugin/skills/microsoft-foundry/ @ankitbko @tendau @XOEEst @jongio @anchenyi @XiaofuHuang

.github/aw/actions-lock.json

@@ -5,16 +5,16 @@
       "version": "v8",
       "sha": "ed597411d8f924073f98dfc5c65a23a2325f34cd"
     },
+    "actions/github-script@v9": {
+      "repo": "actions/github-script",
+      "version": "v9",
+      "sha": "373c709c69115d41ff229c7e5df9f8788daa9553"
+    },
     "actions/github-script@v9.0.0": {
       "repo": "actions/github-script",
       "version": "v9.0.0",
       "sha": "d746ffe35508b1917358783b479e04febd2b8f71"
     },
-    "github/gh-aw-actions/setup@v0.68.1": {
-      "repo": "github/gh-aw-actions/setup",
-      "version": "v0.68.1",
-      "sha": "2fe53acc038ba01c3bbdc767d4b25df31ca5bdfc"
-    },
     "github/gh-aw/actions/setup@v0.68.1": {
       "repo": "github/gh-aw/actions/setup",
       "version": "v0.68.1",

.github/instructions/skill-files.instructions.md

@@ -25,7 +25,7 @@ metadata:
 - **description**: 1-1024 characters, explain WHAT the skill does and WHEN to use it. Include trigger phrases.
 - **license**: Required for all skills. Use `MIT` unless there is a documented exception.
 - **metadata.author**: Recommended value is `Microsoft`.
-- **metadata.version**: Semver format (`X.Y.Z`). Set to `"1.0.0"` for new skills. Must be bumped in the same PR that modifies the skill.
+- **metadata.version**: Semver format (`X.Y.Z`). Set to `"1.0.0"` for new skills. For skills under `plugin/`, versions are stamped automatically at build time by NBGV — use `"0.0.0-placeholder"` in source. For skills elsewhere (e.g., `.github/skills/`), set a real version and bump it in the same PR that modifies the skill.
 
 ## Size Limits
 

.github/skills/investigate-integration-test/SKILL.md

@@ -0,0 +1,26 @@
+---
+name: investigate-integration-test
+description: "Investigate a failing integration test from a GitHub issue. Downloads logs/artifacts, analyzes the failure, examines relevant skills, and suggests fixes. TRIGGERS: investigate integration test, debug integration test, failing integration test, test failure investigation, diagnose test failure, analyze test issue"
+license: MIT
+metadata:
+  author: Microsoft
+  version: "1.0.0"
+---
+
+# Integration Test Investigation
+
+Investigates a failing integration test given a GitHub issue in `microsoft/GitHub-Copilot-for-Azure`.
+
+## When to Use This Skill
+
+- A GitHub issue links to a failing integration test run
+- You need to diagnose why an integration test is failing
+- You want to understand a test failure before implementing a fix
+
+## Steps
+
+1. Read the GitHub issue.
+2. Download the test logs and artifacts from the linked run.
+3. Look through the logs/artifacts and analyze the test with the prompt specified in the issue to diagnose the failure.
+4. Examine the relevant skills under `plugin/skills` for context.
+5. Offer a suggested fix for each identified problem. Do not implement any fixes without the user's approval.

.github/skills/submit-skill-fix-pr/SKILL.md

@@ -0,0 +1,28 @@
+---
+name: submit-skill-fix-pr
+description: "Submit a pull request with skill fixes. Validates skill structure, bumps versions, and creates a PR with a proper description. TRIGGERS: submit skill fix, create fix PR, skill fix pull request, submit PR, push skill fix"
+license: MIT
+metadata:
+  author: Microsoft
+  version: "1.0.0"
+---
+
+# Submit Skill Fix PR
+
+Creates a pull request after committing skill fixes in `microsoft/GitHub-Copilot-for-Azure`.
+
+## When to Use This Skill
+
+- You have committed skill fixes and need to submit a PR
+- You need to validate skill structure before pushing
+- You want to create a properly formatted fix PR
+
+## Steps
+
+1. Install NPM dependencies in the `scripts` directory, if necessary.
+2. From the `scripts` directory run `npm run frontmatter` and `npm run references` to validate the skill structure. Fix and commit any problems.
+3. Ensure that skill version has been bumped for any updated SKILL.md.
+4. Push the branch to origin and create a PR into upstream. The PR description should include:
+   1. A brief description of the problem(s).
+   2. A brief description of the fix(es) and how they address the problems.
+   3. A "Fixes #<issue_number>" note. Ask the user if you don't know the issue number.