fixup! ci(prcheck): use 'azldev component changed' for affected-component detection

Author: dmcilvaney

.github/workflows/ado/templates/sources-upload-stages.yml

@@ -117,194 +117,67 @@ stages:
             env:
               AZLDEV_COMMIT: $(AzldevCommit)
 
+          # Verify lock files are current. --check-only validates without
+          # writing, exits nonzero if any lock would change.
           - script: |
               set -euo pipefail
-
-              # Workaround for an ADO git config error.
-              # The config key may not be present on every agent image, so tolerate its absence.
               git config --unset extensions.worktreeConfig || true
-
-              # Full history is needed for lock resolution and spec rendering.
               if [ "$(git rev-parse --is-shallow-repository)" = "true" ]; then
                 echo "##[group]Fetching full git history"
                 git fetch --unshallow
                 echo "##[endgroup]"
               fi
-
-              echo "##[group]Updating lock files"
-              lock_update_file="$ARTIFACT_STAGING_DIR/lock-update.json"
-              azldev component update -a -q -O json > "$lock_update_file"
-              echo "##[endgroup]"
-
-              # Also copy into ob_outputDirectory so OneBranch auto-publishes the
-              # lock-update artifact for post-mortem triage.
-              ob_lock_dir="$OB_OUTPUT_DIR/lock-update"
-              mkdir -p "$ob_lock_dir"
-              cp "$lock_update_file" "$ob_lock_dir/"
-
-              # Check if any locks drifted -- azldev tells us directly.
-              # If locks are not valid, we can't guarantee that any further steps are valid, so fail the PR check immediately.
-              # azldev emits a JSON 'null' when nothing changed; '. // []' coerces that to an
-              # empty array so the downstream '[.[] | ...]' pipeline is well-typed.
-              drifted=$(jq '(. // []) | [.[] | select(.changed == true)] | length' "$lock_update_file")
-              if [[ "$drifted" -gt 0 ]]; then
-                echo "##[error]$drifted lock file(s) are not up to date. Run 'azldev component update -a' and commit the result."
-                echo "##[group]Drifted components"
-                jq -r '(. // []) | .[] | select(.changed == true) | .component' "$lock_update_file"
-                echo "##[endgroup]"
-                exit 1
-              fi
+              azldev component update --check-only -a -q
             displayName: "Verify lock files are up to date"
             env:
-              ARTIFACT_STAGING_DIR: $(Build.ArtifactStagingDirectory)
-              # OneBranch containers run as root. azldev refuses to run as root
-              # by default, disable the root security check for this step.
               AZLDEV_ALLOW_ROOT: "1"
-              OB_OUTPUT_DIR: $(ob_outputDirectory)
 
+          # Detect changed components. azldev hard-fails if any component has
+          # sourcesChange == true without a corresponding identity change
+          # (supply-chain drift protection). --include-unchanged ensures the
+          # full component list is available for downstream consumers.
           - script: |
               set -euo pipefail
-
               artifact_dir="$ARTIFACT_STAGING_DIR/changed-components"
               json_file="$artifact_dir/changed-components.json"
               mkdir -p "$artifact_dir"
 
-              # 'azldev component changed' compares the source and target commits and emits one
-              # entry per component with its 'changeType' ('added', 'changed', 'unchanged', or
-              # 'deleted') plus a 'sourcesChange' flag indicating whether the rendered 'sources'
-              # file differs between commits. Only components with sourcesChange == true AND
-              # changeType != 'deleted' are forwarded to Control Tower for upload.
-
-              echo "##[group]Computing changed components"
-              azldev component changed --from "$TARGET_COMMIT" --to "$SOURCE_COMMIT" -a --include-unchanged -O json > "$json_file"
-              echo "##[endgroup]"
+              azldev component changed --from "$TARGET_COMMIT" --to "$SOURCE_COMMIT" \
+                -a --include-unchanged -O json > "$json_file"
 
               echo "##[group]Changed components (non-unchanged only)"
-              jq '(. // []) | [.[] | select(.changeType != "unchanged")]' "$json_file"
+              jq '[.[] | select(.changeType != "unchanged")]' "$json_file"
               echo "##[endgroup]"
 
               echo "##[group]Upload set (sourcesChange == true, changeType in {added, changed})"
-              upload_count=$(jq -r '(. // []) | [.[] | select(.sourcesChange == true and (.changeType | IN("added", "changed")))] | length' "$json_file")
-              jq -r '(. // []) | .[] | select(.sourcesChange == true and (.changeType | IN("added", "changed"))) | .component' "$json_file" | sort
+              upload_count=$(jq -r '[.[] | select(.sourcesChange == true and (.changeType | IN("added", "changed")))] | length' "$json_file")
+              jq -r '.[] | select(.sourcesChange == true and (.changeType | IN("added", "changed"))) | .component' "$json_file" | sort
               echo "Total: $upload_count component(s) to upload."
               echo "##[endgroup]"
 
-              # Also write into ob_outputDirectory so OneBranch auto-publishes it
-              # as a build artifact (explicit PublishPipelineArtifact is forbidden).
               ob_dir="$OB_OUTPUT_DIR/changed-components"
               mkdir -p "$ob_dir"
               cp "$json_file" "$ob_dir/"
 
               echo "##vso[task.setvariable variable=changedComponentsFile;isreadonly=true]$json_file"
             env:
               ARTIFACT_STAGING_DIR: $(Build.ArtifactStagingDirectory)
-              # OneBranch containers run as root. azldev refuses to run as root
-              # by default, disable the root security check for this step.
               AZLDEV_ALLOW_ROOT: "1"
               OB_OUTPUT_DIR: $(ob_outputDirectory)
               SOURCE_COMMIT: $(sourceCommit)
               TARGET_COMMIT: $(targetCommit)
             displayName: "Compute changed components"
 
+          # Render all specs to a staging area and diff against on-disk output.
+          # --check-only exits nonzero if any component's rendered output would
+          # change. --clean-stale detects orphan spec directories from deleted
+          # components.
           - script: |
               set -euo pipefail
-
-              # Source/identity consistency tripwire. The rendered 'sources' file
-              # describes the lookaside tarballs Control Tower will fetch and serve to
-              # builds. If a PR mutates that file but the component's input fingerprint
-              # is unchanged, we cannot tell from this side whether that's a hostile
-              # supply-chain swap or an accidental hand-edit / renderer non-determinism
-              # bug. We treat any such record as hostile-by-default and hard-fail, so
-              # the new bytes never reach the lookaside under an existing identity.
-              #
-              # The legitimate cases are explicitly enumerated as an allow-list (added,
-              # changed, deleted) so any future 'changeType' value -- e.g. 'renamed'
-              # that doesn't pull the sources blob into the input fingerprint -- fails
-              # closed until the policy here is reviewed.
-              bogus_count=$(jq -r '(. // []) | [.[] | select(.sourcesChange == true and (.changeType | IN("added", "changed", "deleted") | not))] | length' "$CHANGED_COMPONENTS_FILE")
-              if [[ "$bogus_count" -gt 0 ]]; then
-                echo "##[error]$bogus_count component(s) report a sources change without an accompanying identity change. Refusing to forward to Control Tower."
-                jq -r '(. // []) | .[] | select(.sourcesChange == true and (.changeType | IN("added", "changed", "deleted") | not)) | "  - " + .component + " (changeType=" + (.changeType // "null") + ")"' "$CHANGED_COMPONENTS_FILE"
-                exit 1
-              fi
-              echo "OK: every sources change is accompanied by an identity change."
-            # When this step fails, subsequent steps in the job are skipped -- the
-            # bad data never reaches Control Tower. However, the job-level
-            # continueOnError: true means the PR check still reports green to
-            # GitHub. The consistency tripwire becomes truly blocking once ADO
-            # task 19179 removes the job-level flag.
-            env:
-              CHANGED_COMPONENTS_FILE: $(changedComponentsFile)
-            displayName: "Source/identity consistency check"
-
-          - script: |
-              set -euo pipefail
-
-              # azldev's renderedSpecsDir is absolute. Translate to repo-relative
-              # so it matches git's output ('git diff --name-only' always emits
-              # repo-relative paths regardless of the path arg form).
-              specs_dir_abs="$(azldev config dump -q -f json | jq -r '.project.renderedSpecsDir')"
-              specs_dir="$(realpath --relative-to="$(pwd)" "$specs_dir_abs")"
-
-              # Capture git diff under the specs tree so the render set can
-              # include components whose specs were edited directly (which
-              # azldev's input-fingerprint view of "changed" would miss).
-              # --no-renames prevents collapse of delete+add into a rename
-              # entry which would lose the old path. The Python script
-              # filters out deleted/unknown components using the full
-              # changed-components JSON.
-              specs_diff_file="$ARTIFACT_STAGING_DIR/specs-diff.txt"
-              git diff --no-renames --name-only "$TARGET_COMMIT" "$SOURCE_COMMIT" -- "$specs_dir" > "$specs_diff_file"
-
-              # Render set is the union of:
-              #   - components flagged by 'azldev component changed' (inputs differ)
-              #   - components whose spec tree was touched directly in the PR
-              changed=$(python3 .github/workflows/scripts/control-tower/compute_render_set.py \
-                --changed-components-file "$CHANGED_COMPONENTS_FILE" \
-                --specs-diff-file "$specs_diff_file" \
-                --specs-dir "$specs_dir")
-
-              if [[ -z "$changed" ]]; then
-                echo "No changed components -- skipping render."
-              else
-                changed_count=$(echo "$changed" | wc -l)
-                echo "Rendering $changed_count component(s) (azldev dedupes internally)..."
-                echo "##[group]Render set"
-                echo "$changed" | sed 's/^/  - /'
-                echo "##[endgroup]"
-                echo "##[group]Specs rendering"
-                printf '%s\n' "$changed" | xargs -d '\n' azldev component render -q --
-                echo "##[endgroup]"
-              fi
-
-              # Quick sanity check: no modified or untracked files under specs/.
-              drift=0
-              if ! git diff --quiet -- "$specs_dir"; then
-                echo "##[group]Git diff"
-                git --no-pager diff -- "$specs_dir"
-                echo "##[endgroup]"
-                drift=1
-              fi
-              untracked=$(git ls-files --others -- "$specs_dir")
-              if [[ -n "$untracked" ]]; then
-                echo "##[group]Untracked files"
-                echo "$untracked"
-                echo "##[endgroup]"
-                drift=1
-              fi
-              if [[ "$drift" -ne 0 ]]; then
-                echo "##[error]Specs are not up to date. Run 'azldev component render -q -a --clean-stale' and try again."
-                exit 1
-              fi
+              azldev component render --check-only -a --clean-stale -q
+            displayName: "Verify rendered specs are up to date"
             env:
-              ARTIFACT_STAGING_DIR: $(Build.ArtifactStagingDirectory)
-              # OneBranch containers run as root. azldev refuses to run as root
-              # by default, disable the root security check for this step.
               AZLDEV_ALLOW_ROOT: "1"
-              CHANGED_COMPONENTS_FILE: $(changedComponentsFile)
-              SOURCE_COMMIT: $(sourceCommit)
-              TARGET_COMMIT: $(targetCommit)
-            displayName: "Render changed specs and verify rendered tree"
 
           - task: AzureCLI@2
             displayName: "Call Control Tower 'prcheck' API"

.github/workflows/scripts/control-tower/compute_changed.sh

@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+# Compute the set of changed components between source and target commits.
+#
+# Outputs (ADO variables):
+#   changedComponentsFile — path to the changed-components JSON file
+
+set -euo pipefail
+
+usage() { echo "Usage: $0 --artifact-dir DIR --ob-output-dir DIR --source-commit SHA --target-commit SHA" >&2; exit 1; }
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --artifact-dir)    artifact_staging_dir="$2"; shift 2 ;;
+    --ob-output-dir)   ob_output_dir="$2"; shift 2 ;;
+    --source-commit)   source_commit="$2"; shift 2 ;;
+    --target-commit)   target_commit="$2"; shift 2 ;;
+    *) usage ;;
+  esac
+done
+[[ -z "${artifact_staging_dir:-}" || -z "${ob_output_dir:-}" || -z "${source_commit:-}" || -z "${target_commit:-}" ]] && usage
+
+artifact_dir="$artifact_staging_dir/changed-components"
+json_file="$artifact_dir/changed-components.json"
+mkdir -p "$artifact_dir"
+
+# 'azldev component changed' compares the source and target commits and emits one
+# entry per component with its 'changeType' ('added', 'changed', 'unchanged', or
+# 'deleted') plus a 'sourcesChange' flag indicating whether the rendered 'sources'
+# file differs between commits. Only components with sourcesChange == true AND
+# changeType != 'deleted' are forwarded to Control Tower for upload.
+
+echo "##[group]Computing changed components"
+azldev component changed --from "$target_commit" --to "$source_commit" -a --include-unchanged -O json > "$json_file"
+echo "##[endgroup]"
+
+echo "##[group]Changed components (non-unchanged only)"
+jq '[.[] | select(.changeType != "unchanged")]' "$json_file"
+echo "##[endgroup]"
+
+echo "##[group]Upload set (sourcesChange == true, changeType in {added, changed})"
+upload_count=$(jq -r '[.[] | select(.sourcesChange == true and (.changeType | IN("added", "changed")))] | length' "$json_file")
+jq -r '.[] | select(.sourcesChange == true and (.changeType | IN("added", "changed"))) | .component' "$json_file" | sort
+echo "Total: $upload_count component(s) to upload."
+echo "##[endgroup]"
+
+# Also write into ob_outputDirectory so OneBranch auto-publishes it
+# as a build artifact (explicit PublishPipelineArtifact is forbidden).
+ob_dir="$ob_output_dir/changed-components"
+mkdir -p "$ob_dir"
+cp "$json_file" "$ob_dir/"
+
+echo "##vso[task.setvariable variable=changedComponentsFile;isreadonly=true]$json_file"

.github/workflows/scripts/control-tower/compute_render_set.py

@@ -10,17 +10,13 @@
 
 
 def _load_entries(path: Path) -> list[dict]:
-    """Load the changed-components JSON, coercing null to []."""
-    return json.loads(path.read_text(encoding="utf-8")) or []
+    """Load the changed-components JSON."""
+    return json.loads(path.read_text(encoding="utf-8"))
 
 
 def _renderable_components(entries: list[dict]) -> set[str]:
     """Component names that azldev can still render (everything except deleted)."""
-    return {
-        e["component"]
-        for e in entries
-        if e.get("changeType") != "deleted"
-    }
+    return {e["component"] for e in entries if e.get("changeType") != "deleted"}
 
 
 def from_changed(entries: list[dict]) -> list[str]:
@@ -56,7 +52,7 @@ def from_specs_diff(path: Path, specs_dir: Path, renderable: set[str]) -> list[s
     for line in path.read_text(encoding="utf-8").splitlines():
         if not line.startswith(prefix):
             continue
-        parts = line[len(prefix):].split("/", 2)
+        parts = line[len(prefix) :].split("/", 2)
         if len(parts) >= 2 and parts[1]:
             name = parts[1]
             if name in renderable:

.github/workflows/scripts/control-tower/render_and_verify.sh

@@ -0,0 +1,57 @@
+#!/usr/bin/env bash
+# Render changed specs and verify the rendered tree is clean.
+
+set -euo pipefail
+
+usage() { echo "Usage: $0 --artifact-dir DIR --changed-components-file FILE --source-commit SHA --target-commit SHA" >&2; exit 1; }
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --artifact-dir)            artifact_dir="$2"; shift 2 ;;
+    --changed-components-file) changed_components_file="$2"; shift 2 ;;
+    --source-commit)           source_commit="$2"; shift 2 ;;
+    --target-commit)           target_commit="$2"; shift 2 ;;
+    *) usage ;;
+  esac
+done
+[[ -z "${artifact_dir:-}" || -z "${changed_components_file:-}" || -z "${source_commit:-}" || -z "${target_commit:-}" ]] && usage
+
+# azldev's renderedSpecsDir is absolute. Translate to repo-relative
+# so it matches git's output ('git diff --name-only' always emits
+# repo-relative paths regardless of the path arg form).
+specs_dir_abs="$(azldev config dump -q -f json | jq -r '.project.renderedSpecsDir')"
+specs_dir="$(realpath --relative-to="$(pwd)" "$specs_dir_abs")"
+
+# Capture git diff under the specs tree so the render set can
+# include components whose specs were edited directly (which
+# azldev's input-fingerprint view of "changed" would miss).
+# --no-renames prevents collapse of delete+add into a rename
+# entry which would lose the old path. The Python script
+# filters out deleted/unknown components using the full
+# changed-components JSON.
+specs_diff_file="$artifact_dir/specs-diff.txt"
+git diff --no-renames --name-only "$target_commit" "$source_commit" -- "$specs_dir" > "$specs_diff_file"
+
+# Render set is the union of:
+#   - components flagged by 'azldev component changed' (inputs differ)
+#   - components whose spec tree was touched directly in the PR
+changed=$(python3 .github/workflows/scripts/control-tower/compute_render_set.py \
+  --changed-components-file "$changed_components_file" \
+  --specs-diff-file "$specs_diff_file" \
+  --specs-dir "$specs_dir")
+
+if [[ -z "$changed" ]]; then
+  echo "No changed components -- skipping render."
+else
+  changed_count=$(echo "$changed" | wc -l)
+  echo "Rendering $changed_count component(s) (azldev dedupes internally)..."
+  echo "##[group]Render set"
+  # shellcheck disable=SC2001
+  echo "$changed" | sed 's/^/  - /'
+  echo "##[endgroup]"
+  echo "##[group]Specs rendering + verification"
+  # --check-only renders to a staging area and diffs against on-disk specs.
+  # Exits nonzero if any rendered file differs from what's committed.
+  printf '%s\n' "$changed" | xargs -d '\n' azldev component render --check-only -q --
+  echo "##[endgroup]"
+fi

.github/workflows/scripts/control-tower/verify_locks.sh

@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+# Verify all lock files are up to date.
+
+set -euo pipefail
+
+usage() { echo "Usage: $0 --artifact-dir DIR --ob-output-dir DIR" >&2; exit 1; }
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --artifact-dir)    artifact_dir="$2"; shift 2 ;;
+    --ob-output-dir)   ob_output_dir="$2"; shift 2 ;;
+    *) usage ;;
+  esac
+done
+[[ -z "${artifact_dir:-}" || -z "${ob_output_dir:-}" ]] && usage
+
+# Workaround for an ADO git config error.
+# The config key may not be present on every agent image, so tolerate its absence.
+git config --unset extensions.worktreeConfig || true
+
+# Full history is needed for lock resolution and spec rendering.
+if [ "$(git rev-parse --is-shallow-repository)" = "true" ]; then
+  echo "##[group]Fetching full git history"
+  git fetch --unshallow
+  echo "##[endgroup]"
+fi
+
+echo "##[group]Verifying lock files"
+lock_update_file="$artifact_dir/lock-update.json"
+# --check-only exits nonzero if any lock is stale, without modifying the tree.
+if ! azldev component update --check-only -a -q -O json 2>&1 | tee "$lock_update_file"; then
+  echo "##[endgroup]"
+  echo "##[error]Lock file(s) are not up to date. Run 'azldev component update -a' and commit the result."
+  echo "##[group]Drifted components"
+  jq -r '.[] | select(.changed == true) | .component' "$lock_update_file"
+  echo "##[endgroup]"
+  exit 1
+fi
+echo "##[endgroup]"
+
+# Copy into ob_outputDirectory for post-mortem triage artifact.
+ob_lock_dir="$ob_output_dir/lock-update"
+mkdir -p "$ob_lock_dir"
+cp "$lock_update_file" "$ob_lock_dir/"