fixup! ci(prcheck): use 'azldev component changed' for affected-component detection

dmcilvaney · dmcilvaney · commit b463476d04d5 · 2026-05-08T12:53:17.000-07:00
diff --git a/.github/workflows/ado/templates/sources-upload-stages.yml b/.github/workflows/ado/templates/sources-upload-stages.yml
@@ -117,43 +117,11 @@ stages:
             env:
               AZLDEV_COMMIT: $(AzldevCommit)
 
+          # Re-generate lock files and fail if any drifted from what's committed.
           - script: |
-              set -euo pipefail
-
-              # Workaround for an ADO git config error.
-              # The config key may not be present on every agent image, so tolerate its absence.
-              git config --unset extensions.worktreeConfig || true
-
-              # Full history is needed for lock resolution and spec rendering.
-              if [ "$(git rev-parse --is-shallow-repository)" = "true" ]; then
-                echo "##[group]Fetching full git history"
-                git fetch --unshallow
-                echo "##[endgroup]"
-              fi
-
-              echo "##[group]Updating lock files"
-              lock_update_file="$ARTIFACT_STAGING_DIR/lock-update.json"
-              azldev component update -a -q -O json > "$lock_update_file"
-              echo "##[endgroup]"
-
-              # Also copy into ob_outputDirectory so OneBranch auto-publishes the
-              # lock-update artifact for post-mortem triage.
-              ob_lock_dir="$OB_OUTPUT_DIR/lock-update"
-              mkdir -p "$ob_lock_dir"
-              cp "$lock_update_file" "$ob_lock_dir/"
-
-              # Check if any locks drifted -- azldev tells us directly.
-              # If locks are not valid, we can't guarantee that any further steps are valid, so fail the PR check immediately.
-              # azldev emits a JSON 'null' when nothing changed; '. // []' coerces that to an
-              # empty array so the downstream '[.[] | ...]' pipeline is well-typed.
-              drifted=$(jq '(. // []) | [.[] | select(.changed == true)] | length' "$lock_update_file")
-              if [[ "$drifted" -gt 0 ]]; then
-                echo "##[error]$drifted lock file(s) are not up to date. Run 'azldev component update -a' and commit the result."
-                echo "##[group]Drifted components"
-                jq -r '(. // []) | .[] | select(.changed == true) | .component' "$lock_update_file"
-                echo "##[endgroup]"
-                exit 1
-              fi
+              .github/workflows/scripts/control-tower/verify_locks.sh \
+                --artifact-dir "$ARTIFACT_STAGING_DIR" \
+                --ob-output-dir "$OB_OUTPUT_DIR"
             displayName: "Verify lock files are up to date"
             env:
               ARTIFACT_STAGING_DIR: $(Build.ArtifactStagingDirectory)
@@ -162,40 +130,14 @@ stages:
               AZLDEV_ALLOW_ROOT: "1"
               OB_OUTPUT_DIR: $(ob_outputDirectory)
 
+          # Diff source vs target to find added/changed/deleted components and
+          # emit the changed-components JSON consumed by later steps.
           - script: |
-              set -euo pipefail
-
-              artifact_dir="$ARTIFACT_STAGING_DIR/changed-components"
-              json_file="$artifact_dir/changed-components.json"
-              mkdir -p "$artifact_dir"
-
-              # 'azldev component changed' compares the source and target commits and emits one
-              # entry per component with its 'changeType' ('added', 'changed', 'unchanged', or
-              # 'deleted') plus a 'sourcesChange' flag indicating whether the rendered 'sources'
-              # file differs between commits. Only components with sourcesChange == true AND
-              # changeType != 'deleted' are forwarded to Control Tower for upload.
-
-              echo "##[group]Computing changed components"
-              azldev component changed --from "$TARGET_COMMIT" --to "$SOURCE_COMMIT" -a --include-unchanged -O json > "$json_file"
-              echo "##[endgroup]"
-
-              echo "##[group]Changed components (non-unchanged only)"
-              jq '(. // []) | [.[] | select(.changeType != "unchanged")]' "$json_file"
-              echo "##[endgroup]"
-
-              echo "##[group]Upload set (sourcesChange == true, changeType in {added, changed})"
-              upload_count=$(jq -r '(. // []) | [.[] | select(.sourcesChange == true and (.changeType | IN("added", "changed")))] | length' "$json_file")
-              jq -r '(. // []) | .[] | select(.sourcesChange == true and (.changeType | IN("added", "changed"))) | .component' "$json_file" | sort
-              echo "Total: $upload_count component(s) to upload."
-              echo "##[endgroup]"
-
-              # Also write into ob_outputDirectory so OneBranch auto-publishes it
-              # as a build artifact (explicit PublishPipelineArtifact is forbidden).
-              ob_dir="$OB_OUTPUT_DIR/changed-components"
-              mkdir -p "$ob_dir"
-              cp "$json_file" "$ob_dir/"
-
-              echo "##vso[task.setvariable variable=changedComponentsFile;isreadonly=true]$json_file"
+              .github/workflows/scripts/control-tower/compute_changed.sh \
+                --artifact-dir "$ARTIFACT_STAGING_DIR" \
+                --ob-output-dir "$OB_OUTPUT_DIR" \
+                --source-commit "$SOURCE_COMMIT" \
+                --target-commit "$TARGET_COMMIT"
             env:
               ARTIFACT_STAGING_DIR: $(Build.ArtifactStagingDirectory)
               # OneBranch containers run as root. azldev refuses to run as root
@@ -206,28 +148,10 @@ stages:
               TARGET_COMMIT: $(targetCommit)
             displayName: "Compute changed components"
 
+          # Fail if any component's sources file changed without an identity change.
           - script: |
-              set -euo pipefail
-
-              # Source/identity consistency tripwire. The rendered 'sources' file
-              # describes the lookaside tarballs Control Tower will fetch and serve to
-              # builds. If a PR mutates that file but the component's input fingerprint
-              # is unchanged, we cannot tell from this side whether that's a hostile
-              # supply-chain swap or an accidental hand-edit / renderer non-determinism
-              # bug. We treat any such record as hostile-by-default and hard-fail, so
-              # the new bytes never reach the lookaside under an existing identity.
-              #
-              # The legitimate cases are explicitly enumerated as an allow-list (added,
-              # changed, deleted) so any future 'changeType' value -- e.g. 'renamed'
-              # that doesn't pull the sources blob into the input fingerprint -- fails
-              # closed until the policy here is reviewed.
-              bogus_count=$(jq -r '(. // []) | [.[] | select(.sourcesChange == true and (.changeType | IN("added", "changed", "deleted") | not))] | length' "$CHANGED_COMPONENTS_FILE")
-              if [[ "$bogus_count" -gt 0 ]]; then
-                echo "##[error]$bogus_count component(s) report a sources change without an accompanying identity change. Refusing to forward to Control Tower."
-                jq -r '(. // []) | .[] | select(.sourcesChange == true and (.changeType | IN("added", "changed", "deleted") | not)) | "  - " + .component + " (changeType=" + (.changeType // "null") + ")"' "$CHANGED_COMPONENTS_FILE"
-                exit 1
-              fi
-              echo "OK: every sources change is accompanied by an identity change."
+              .github/workflows/scripts/control-tower/consistency_check.sh \
+                --changed-components-file "$CHANGED_COMPONENTS_FILE"
             # When this step fails, subsequent steps in the job are skipped -- the
             # bad data never reaches Control Tower. However, the job-level
             # continueOnError: true means the PR check still reports green to
@@ -237,65 +161,14 @@ stages:
               CHANGED_COMPONENTS_FILE: $(changedComponentsFile)
             displayName: "Source/identity consistency check"
 
+          # Render specs for changed components and verify the tree has no
+          # uncommitted modifications or untracked files.
           - script: |
-              set -euo pipefail
-
-              # azldev's renderedSpecsDir is absolute. Translate to repo-relative
-              # so it matches git's output ('git diff --name-only' always emits
-              # repo-relative paths regardless of the path arg form).
-              specs_dir_abs="$(azldev config dump -q -f json | jq -r '.project.renderedSpecsDir')"
-              specs_dir="$(realpath --relative-to="$(pwd)" "$specs_dir_abs")"
-
-              # Capture git diff under the specs tree so the render set can
-              # include components whose specs were edited directly (which
-              # azldev's input-fingerprint view of "changed" would miss).
-              # --no-renames prevents collapse of delete+add into a rename
-              # entry which would lose the old path. The Python script
-              # filters out deleted/unknown components using the full
-              # changed-components JSON.
-              specs_diff_file="$ARTIFACT_STAGING_DIR/specs-diff.txt"
-              git diff --no-renames --name-only "$TARGET_COMMIT" "$SOURCE_COMMIT" -- "$specs_dir" > "$specs_diff_file"
-
-              # Render set is the union of:
-              #   - components flagged by 'azldev component changed' (inputs differ)
-              #   - components whose spec tree was touched directly in the PR
-              changed=$(python3 .github/workflows/scripts/control-tower/compute_render_set.py \
+              .github/workflows/scripts/control-tower/render_and_verify.sh \
+                --artifact-dir "$ARTIFACT_STAGING_DIR" \
                 --changed-components-file "$CHANGED_COMPONENTS_FILE" \
-                --specs-diff-file "$specs_diff_file" \
-                --specs-dir "$specs_dir")
-
-              if [[ -z "$changed" ]]; then
-                echo "No changed components -- skipping render."
-              else
-                changed_count=$(echo "$changed" | wc -l)
-                echo "Rendering $changed_count component(s) (azldev dedupes internally)..."
-                echo "##[group]Render set"
-                echo "$changed" | sed 's/^/  - /'
-                echo "##[endgroup]"
-                echo "##[group]Specs rendering"
-                printf '%s\n' "$changed" | xargs -d '\n' azldev component render -q --
-                echo "##[endgroup]"
-              fi
-
-              # Quick sanity check: no modified or untracked files under specs/.
-              drift=0
-              if ! git diff --quiet -- "$specs_dir"; then
-                echo "##[group]Git diff"
-                git --no-pager diff -- "$specs_dir"
-                echo "##[endgroup]"
-                drift=1
-              fi
-              untracked=$(git ls-files --others -- "$specs_dir")
-              if [[ -n "$untracked" ]]; then
-                echo "##[group]Untracked files"
-                echo "$untracked"
-                echo "##[endgroup]"
-                drift=1
-              fi
-              if [[ "$drift" -ne 0 ]]; then
-                echo "##[error]Specs are not up to date. Run 'azldev component render -q -a --clean-stale' and try again."
-                exit 1
-              fi
+                --source-commit "$SOURCE_COMMIT" \
+                --target-commit "$TARGET_COMMIT"
             env:
               ARTIFACT_STAGING_DIR: $(Build.ArtifactStagingDirectory)
               # OneBranch containers run as root. azldev refuses to run as root
diff --git a/.github/workflows/scripts/control-tower/compute_changed.sh b/.github/workflows/scripts/control-tower/compute_changed.sh
@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+# Compute the set of changed components between source and target commits.
+#
+# Outputs (ADO variables):
+#   changedComponentsFile — path to the changed-components JSON file
+
+set -euo pipefail
+
+usage() { echo "Usage: $0 --artifact-dir DIR --ob-output-dir DIR --source-commit SHA --target-commit SHA" >&2; exit 1; }
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --artifact-dir)    artifact_staging_dir="$2"; shift 2 ;;
+    --ob-output-dir)   ob_output_dir="$2"; shift 2 ;;
+    --source-commit)   source_commit="$2"; shift 2 ;;
+    --target-commit)   target_commit="$2"; shift 2 ;;
+    *) usage ;;
+  esac
+done
+[[ -z "${artifact_staging_dir:-}" || -z "${ob_output_dir:-}" || -z "${source_commit:-}" || -z "${target_commit:-}" ]] && usage
+
+artifact_dir="$artifact_staging_dir/changed-components"
+json_file="$artifact_dir/changed-components.json"
+mkdir -p "$artifact_dir"
+
+# 'azldev component changed' compares the source and target commits and emits one
+# entry per component with its 'changeType' ('added', 'changed', 'unchanged', or
+# 'deleted') plus a 'sourcesChange' flag indicating whether the rendered 'sources'
+# file differs between commits. Only components with sourcesChange == true AND
+# changeType != 'deleted' are forwarded to Control Tower for upload.
+
+echo "##[group]Computing changed components"
+azldev component changed --from "$target_commit" --to "$source_commit" -a --include-unchanged -O json > "$json_file"
+echo "##[endgroup]"
+
+echo "##[group]Changed components (non-unchanged only)"
+jq '(. // []) | [.[] | select(.changeType != "unchanged")]' "$json_file"
+echo "##[endgroup]"
+
+echo "##[group]Upload set (sourcesChange == true, changeType in {added, changed})"
+upload_count=$(jq -r '(. // []) | [.[] | select(.sourcesChange == true and (.changeType | IN("added", "changed")))] | length' "$json_file")
+jq -r '(. // []) | .[] | select(.sourcesChange == true and (.changeType | IN("added", "changed"))) | .component' "$json_file" | sort
+echo "Total: $upload_count component(s) to upload."
+echo "##[endgroup]"
+
+# Also write into ob_outputDirectory so OneBranch auto-publishes it
+# as a build artifact (explicit PublishPipelineArtifact is forbidden).
+ob_dir="$ob_output_dir/changed-components"
+mkdir -p "$ob_dir"
+cp "$json_file" "$ob_dir/"
+
+echo "##vso[task.setvariable variable=changedComponentsFile;isreadonly=true]$json_file"
diff --git a/.github/workflows/scripts/control-tower/consistency_check.sh b/.github/workflows/scripts/control-tower/consistency_check.sh
@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+# Source/identity consistency check.
+#
+# Ensures every component with a sources change also has an identity
+# (input fingerprint) change. Fails closed on unknown changeTypes.
+
+set -euo pipefail
+
+usage() { echo "Usage: $0 --changed-components-file FILE" >&2; exit 1; }
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --changed-components-file) changed_components_file="$2"; shift 2 ;;
+    *) usage ;;
+  esac
+done
+[[ -z "${changed_components_file:-}" ]] && usage
+
+# Source/identity consistency tripwire. The rendered 'sources' file
+# describes the lookaside tarballs Control Tower will fetch and serve to
+# builds. If a PR mutates that file but the component's input fingerprint
+# is unchanged, we cannot tell from this side whether that's a hostile
+# supply-chain swap or an accidental hand-edit / renderer non-determinism
+# bug. We treat any such record as hostile-by-default and hard-fail, so
+# the new bytes never reach the lookaside under an existing identity.
+#
+# The legitimate cases are explicitly enumerated as an allow-list (added,
+# changed, deleted) so any future 'changeType' value -- e.g. 'renamed'
+# that doesn't pull the sources blob into the input fingerprint -- fails
+# closed until the policy here is reviewed.
+bogus_count=$(jq -r '(. // []) | [.[] | select(.sourcesChange == true and (.changeType | IN("added", "changed", "deleted") | not))] | length' "$changed_components_file")
+if [[ "$bogus_count" -gt 0 ]]; then
+  echo "##[error]$bogus_count component(s) report a sources change without an accompanying identity change. Refusing to forward to Control Tower."
+  jq -r '(. // []) | .[] | select(.sourcesChange == true and (.changeType | IN("added", "changed", "deleted") | not)) | "  - " + .component + " (changeType=" + (.changeType // "null") + ")"' "$changed_components_file"
+  exit 1
+fi
+echo "OK: every sources change is accompanied by an identity change."
diff --git a/.github/workflows/scripts/control-tower/render_and_verify.sh b/.github/workflows/scripts/control-tower/render_and_verify.sh
@@ -0,0 +1,74 @@
+#!/usr/bin/env bash
+# Render changed specs and verify the rendered tree is clean.
+
+set -euo pipefail
+
+usage() { echo "Usage: $0 --artifact-dir DIR --changed-components-file FILE --source-commit SHA --target-commit SHA" >&2; exit 1; }
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --artifact-dir)            artifact_dir="$2"; shift 2 ;;
+    --changed-components-file) changed_components_file="$2"; shift 2 ;;
+    --source-commit)           source_commit="$2"; shift 2 ;;
+    --target-commit)           target_commit="$2"; shift 2 ;;
+    *) usage ;;
+  esac
+done
+[[ -z "${artifact_dir:-}" || -z "${changed_components_file:-}" || -z "${source_commit:-}" || -z "${target_commit:-}" ]] && usage
+
+# azldev's renderedSpecsDir is absolute. Translate to repo-relative
+# so it matches git's output ('git diff --name-only' always emits
+# repo-relative paths regardless of the path arg form).
+specs_dir_abs="$(azldev config dump -q -f json | jq -r '.project.renderedSpecsDir')"
+specs_dir="$(realpath --relative-to="$(pwd)" "$specs_dir_abs")"
+
+# Capture git diff under the specs tree so the render set can
+# include components whose specs were edited directly (which
+# azldev's input-fingerprint view of "changed" would miss).
+# --no-renames prevents collapse of delete+add into a rename
+# entry which would lose the old path. The Python script
+# filters out deleted/unknown components using the full
+# changed-components JSON.
+specs_diff_file="$artifact_dir/specs-diff.txt"
+git diff --no-renames --name-only "$target_commit" "$source_commit" -- "$specs_dir" > "$specs_diff_file"
+
+# Render set is the union of:
+#   - components flagged by 'azldev component changed' (inputs differ)
+#   - components whose spec tree was touched directly in the PR
+changed=$(python3 .github/workflows/scripts/control-tower/compute_render_set.py \
+  --changed-components-file "$changed_components_file" \
+  --specs-diff-file "$specs_diff_file" \
+  --specs-dir "$specs_dir")
+
+if [[ -z "$changed" ]]; then
+  echo "No changed components -- skipping render."
+else
+  changed_count=$(echo "$changed" | wc -l)
+  echo "Rendering $changed_count component(s) (azldev dedupes internally)..."
+  echo "##[group]Render set"
+  echo "$changed" | sed 's/^/  - /'
+  echo "##[endgroup]"
+  echo "##[group]Specs rendering"
+  printf '%s\n' "$changed" | xargs -d '\n' azldev component render -q --
+  echo "##[endgroup]"
+fi
+
+# Quick sanity check: no modified or untracked files under specs/.
+drift=0
+if ! git diff --quiet -- "$specs_dir"; then
+  echo "##[group]Git diff"
+  git --no-pager diff -- "$specs_dir"
+  echo "##[endgroup]"
+  drift=1
+fi
+untracked=$(git ls-files --others -- "$specs_dir")
+if [[ -n "$untracked" ]]; then
+  echo "##[group]Untracked files"
+  echo "$untracked"
+  echo "##[endgroup]"
+  drift=1
+fi
+if [[ "$drift" -ne 0 ]]; then
+  echo "##[error]Specs are not up to date. Run 'azldev component render -q -a --clean-stale' and try again."
+  exit 1
+fi
diff --git a/.github/workflows/scripts/control-tower/verify_locks.sh b/.github/workflows/scripts/control-tower/verify_locks.sh
