microsoft · freddydk · Jun 25, 2024 · May 30, 2024 · May 31, 2024 · May 31, 2024
@@ -182,7 +182,7 @@ jobs:
           Write-Host "scenarios=$scenariosJson"
 
   Scenario:
-    runs-on: [ ubuntu-latest ]
+    runs-on: [ windows-latest ]
     needs: [ Check, SetupRepositories, Analyze ]
     if: github.event.inputs.runScenarios == 'true'
     strategy: ${{ fromJson(needs.Analyze.outputs.scenarios) }}

@@ -6,7 +6,7 @@ repos:
     rev: 0.7.17
     hooks:
       - id: mdformat
-        args: [--end-of-line=crlf]
+        args: [--end-of-line=keep]
 
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v4.5.0

@@ -1269,21 +1269,25 @@ function GetProjectFolders {
     $projectFolders
 }
 
-function installModules {
+function InstallModule {
     Param(
-        [String[]] $modules
+        [String] $name,
+        [System.Version] $minimumVersion = $null
     )
 
-    $modules | ForEach-Object {
-        if (-not (get-installedmodule -Name $_ -ErrorAction SilentlyContinue)) {
-            Write-Host "Installing module $_"
-            Install-Module $_ -Force | Out-Null
-        }
+    if ($null -eq $minimumVersion) {
+        $minimumVersion = [System.Version](GetPackageVersion -packageName $name)
+    }
+    $module = Get-Module -name $name -ListAvailable | Select-Object -First 1
+    if ($module -and $module.Version -ge $minimumVersion) {
+        Write-Host "Module $name is available in version $($module.Version)"
     }
-    $modules | ForEach-Object {
-        Write-Host "Importing module $_"
-        Import-Module $_ -DisableNameChecking -WarningAction SilentlyContinue | Out-Null
+    else {
+        Write-Host "Installing module $name (minimum version $minimumVersion)"
+        Install-Module -Name $name -MinimumVersion "$minimumVersion" -Force | Out-Null
     }
+    Write-Host "Importing module $name (minimum version $minimumVersion)"
+    Import-Module -Name $name -MinimumVersion $minimumVersion -DisableNameChecking -WarningAction SilentlyContinue | Out-Null
 }
 
 function CloneIntoNewFolder {
@@ -1329,7 +1333,7 @@ function CommitFromNewFolder {
     Param(
         [string] $serverUrl,
         [string] $commitMessage,
-        [string] $body = '',
+        [string] $body = $commitMessage,
         [string] $branch
     )
 
@@ -1664,7 +1668,7 @@ function CreateDevEnv {
 
             if (($settings.keyVaultName) -and -not ($bcAuthContext)) {
                 Write-Host "Reading Key Vault $($settings.keyVaultName)"
-                installModules -modules @('Az.KeyVault')
+                InstallAzModuleIfNeeded -name 'Az.KeyVault'
 
                 if ($kind -eq "local") {
                     $LicenseFileSecret = Get-AzKeyVaultSecret -VaultName $settings.keyVaultName -Name $settings.licenseFileUrlSecretName
@@ -2357,14 +2361,80 @@ function GetProjectsFromRepository {
     return @(GetMatchingProjects -projects $projects -selectProjects $selectProjects)
 }
 
-function Get-PackageVersion($PackageName) {
+function GetPackageVersion($packageName) {
     $alGoPackages = Get-Content -Path "$PSScriptRoot\Packages.json" | ConvertFrom-Json
 
     # Check if the package is in the list of packages
-    if ($alGoPackages.PSobject.Properties.name -match $PackageName) {
-        return $alGoPackages.$PackageName
+    if ($alGoPackages.PSobject.Properties.name -eq $PackageName) {
+        return $alGoPackages."$PackageName"
     }
     else {
         throw "Package $PackageName is not in the list of packages"
     }
 }
+
+function InstallAzModuleIfNeeded {
+    Param(
+        [string] $name,
+        [System.version] $minimumVersion = $null
+    )
+
+    if ($null -eq $minimumVersion) {
+        $minimumVersion = [System.Version](GetPackageVersion -packageName $name)
+    }
+    $azModule = Get-Module -Name $name
+    if ($azModule -and $azModule.Version -ge $minimumVersion) {
+        # Already installed
+        return
+    }
+    # GitHub hosted Linux runners have AZ PowerShell module saved in /usr/share/powershell/Modules/Az.*
+    if ($isWindows) {
+        # GitHub hosted Windows Runners have AzureRm PowerShell modules installed (deprecated)
+        # GitHub hosted Windows Runners have AZ PowerShell module saved in C:\Modules\az_*
+        # Remove AzureRm modules from PSModulePath and add AZ modules
+        if (Test-Path 'C:\Modules\az_*') {
+            $azModulesPath = Get-ChildItem 'C:\Modules\az_*' | Where-Object { $_.PSIsContainer }
+            if ($azModulesPath) {
+              Write-Host "Adding AZ module path: $($azModulesPath.FullName)"
+              $ENV:PSModulePath = "$($azModulesPath.FullName);$(("$ENV:PSModulePath".Split(';') | Where-Object { $_ -notlike 'C:\\Modules\Azure*' }) -join ';')"
+            }
+        }
+    }
+    InstallModule -name $name -minimumVersion $minimumVersion
+}
+
+function ConnectAz {
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingConvertToSecureStringWithPlainText', '', Justification = 'GitHub Secrets come in as plain text')]
+    param(
+        [PsCustomObject] $azureCredentials
+    )
+    try {
+        Clear-AzContext -Scope Process
+        Clear-AzContext -Scope CurrentUser -Force -ErrorAction SilentlyContinue
+        if ($azureCredentials.PSObject.Properties.Name -eq 'ClientSecret' -and $azureCredentials.ClientSecret) {
+            Write-Host "Connecting to Azure using clientId and clientSecret."
+            $credential = New-Object pscredential -ArgumentList $azureCredentials.ClientId, (ConvertTo-SecureString -string $azureCredentials.ClientSecret -AsPlainText -Force)
+            Connect-AzAccount -ServicePrincipal -Tenant $azureCredentials.TenantId -Credential $credential -WarningAction SilentlyContinue | Out-Null
+        }
+        else {
+            try {
+                Write-Host "Query federated token"
+                $result = Invoke-RestMethod -Method GET -UseBasicParsing -Headers @{ "Authorization" = "bearer $ENV:ACTIONS_ID_TOKEN_REQUEST_TOKEN"; "Accept" = "application/vnd.github+json" } -Uri "$ENV:ACTIONS_ID_TOKEN_REQUEST_URL&audience=api://AzureADTokenExchange"
+            }
+            catch {
+                throw "Unable to get federated token, maybe id_token: write permissions are missing. Error was $($_.Exception.Message)"
+            }
+            Write-Host "Connecting to Azure using clientId and federated token."
+            Connect-AzAccount -ApplicationId $azureCredentials.ClientId -Tenant $azureCredentials.TenantId -FederatedToken $result.value -WarningAction SilentlyContinue | Out-Null
+        }
+        if ($azureCredentials.PSObject.Properties.Name -eq 'SubscriptionId' -and $azureCredentials.SubscriptionId) {
+            Write-Host "Selecting subscription $($azureCredentials.SubscriptionId)"
+            Set-AzContext -SubscriptionId $azureCredentials.SubscriptionId -Tenant $azureCredentials.TenantId -ErrorAction SilentlyContinue -WarningAction SilentlyContinue | Out-Null
+        }
+        $script:keyvaultConnectionExists = $true
+        Write-Host "Successfully connected to Azure"
+    }
+    catch {
+        throw "Error trying to authenticate to Azure. Error was $($_.Exception.Message)"
+    }
+}
@@ -20,31 +20,49 @@
     [bool] $goLive
 )
 
-$telemetryScope = $null
-
-function EnsureAzStorageModule() {
-    if (get-command New-AzStorageContext -ErrorAction SilentlyContinue) {
-        Write-Host "Using Az.Storage PowerShell module"
+function ConnectAzStorageAccount {
+    Param(
+        [PSCustomObject] $storageAccountCredentials
+    )
+
+    $azStorageContext = $null
+    if ($storageAccountCredentials.PSObject.Properties.Name -eq 'sastoken') {
+        try {
+            Write-Host "Creating AzStorageContext based on StorageAccountName and sastoken"
+            $azStorageContext = New-AzStorageContext -StorageAccountName $storageAccountCredentials.StorageAccountName -SasToken $storageAccountCredentials.sastoken
+        }
+        catch {
+            throw "Unable to create AzStorageContext based on StorageAccountName and sastoken. Error was: $($_.Exception.Message)"
+        }
     }
-    else {
-        $azureStorageModule = Get-Module -name 'Azure.Storage' -ListAvailable | Select-Object -First 1
-        if ($azureStorageModule) {
-            Write-Host "Azure.Storage Module is available in version $($azureStorageModule.Version)"
-            Write-Host "Using Azure.Storage version $($azureStorageModule.Version)"
-            Import-Module  'Azure.Storage' -DisableNameChecking -WarningAction SilentlyContinue | Out-Null
-            Set-Alias -Name New-AzStorageContext -Value New-AzureStorageContext -Scope Script
-            Set-Alias -Name Get-AzStorageContainer -Value Get-AzureStorageContainer -Scope Script
-            Set-Alias -Name New-AzStorageContainer -Value New-AzureStorageContainer -Scope Script
-            Set-Alias -Name Set-AzStorageBlobContent -Value Set-AzureStorageBlobContent -Scope Script
+    elseif ($storageAccountCredentials.PSObject.Properties.Name -eq 'StorageAccountKey') {
+        try {
+            Write-Host "Creating AzStorageContext based on StorageAccountName and StorageAccountKey"
+            $azStorageContext = New-AzStorageContext -StorageAccountName $storageAccountCredentials.StorageAccountName -StorageAccountKey $storageAccountCredentials.StorageAccountKey
         }
-        else {
-            Write-Host "Installing and importing Az.Storage."
-            Install-Module 'Az.Storage' -Force
-            Import-Module  'Az.Storage' -DisableNameChecking -WarningAction SilentlyContinue | Out-Null
+        catch {
+            throw "Unable to create AzStorageContext based on StorageAccountName and StorageAccountKey. Error was: $($_.Exception.Message)"
         }
     }
+    elseif (($storageAccountCredentials.PSObject.Properties.Name -eq 'clientID') -and ($storageAccountCredentials.PSObject.Properties.Name -eq 'tenantID')) {
+        try {
+            InstallAzModuleIfNeeded -name 'Az.Accounts'
+            ConnectAz -azureCredentials $storageAccountCredentials
+            Write-Host "Creating AzStorageContext based on StorageAccountName and managed identity/app registration"
+            $azStorageContext = New-AzStorageContext -StorageAccountName $storageAccountCredentials.StorageAccountName -UseConnectedAccount
+        }
+        catch {
+            throw "Unable to create AzStorageContext based on StorageAccountName and managed identity. Error was: $($_.Exception.Message)"
+        }
+    }
+    else {
+        throw "Insufficient information in StorageContext secret. See https://aka.ms/algosettings#storagecontext for details"
+    }
+    return $azStorageContext
 }
 
+$telemetryScope = $null
+
 try {
     . (Join-Path -Path $PSScriptRoot -ChildPath "../AL-Go-Helper.ps1" -Resolve)
     DownloadAndImportBcContainerHelper
@@ -315,35 +333,17 @@ try {
             Push-BcNuGetPackage -nuGetServerUrl $nuGetServerUrl -nuGetToken $nuGetToken -bcNuGetPackage $package
         }
         elseif ($deliveryTarget -eq "Storage") {
-            EnsureAzStorageModule
+            InstallAzModuleIfNeeded -name 'Az.Storage'
             try {
-                $storageAccount = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($secrets.storageContext)) | ConvertFrom-Json | ConvertTo-HashTable
-                # Check that containerName and blobName are present
-                $storageAccount.containerName | Out-Null
-                $storageAccount.blobName | Out-Null
+                $storageAccountCredentials = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($secrets.storageContext)) | ConvertFrom-Json
+                $storageAccountCredentials.StorageAccountName | Out-Null
+                $storageContainerName =  $storageAccountCredentials.ContainerName.ToLowerInvariant().replace('{project}',$projectName).replace('{branch}',$refname).ToLowerInvariant()
+                $storageBlobName = $storageAccountCredentials.BlobName.ToLowerInvariant()
             }
             catch {
-                throw "StorageContext secret is malformed. Needs to be formatted as Json, containing StorageAccountName, containerName, blobName and sastoken or storageAccountKey.`nError was: $($_.Exception.Message)"
-            }
-            if ($storageAccount.Keys -contains 'sastoken') {
-                try {
-                    $azStorageContext = New-AzStorageContext -StorageAccountName $storageAccount.StorageAccountName -SasToken $storageAccount.sastoken
-                }
-                catch {
-                    throw "Unable to create AzStorageContext based on StorageAccountName and sastoken.`nError was: $($_.Exception.Message)"
-                }
+                throw "StorageContext secret is malformed. Needs to be formatted as Json, containing StorageAccountName, containerName, blobName.`nError was: $($_.Exception.Message)"
             }
-            else {
-                try {
-                    $azStorageContext = New-AzStorageContext -StorageAccountName $storageAccount.StorageAccountName -StorageAccountKey $storageAccount.StorageAccountKey
-                }
-                catch {
-                    throw "Unable to create AzStorageContext based on StorageAccountName and StorageAccountKey.`nError was: $($_.Exception.Message)"
-                }
-            }
-
-            $storageContainerName =  $storageAccount.ContainerName.ToLowerInvariant().replace('{project}',$projectName).replace('{branch}',$refname).ToLowerInvariant()
-            $storageBlobName = $storageAccount.BlobName.ToLowerInvariant()
+            $azStorageContext = ConnectAzStorageAccount -storageAccountCredentials $storageAccountCredentials
             Write-Host "Storage Container Name is $storageContainerName"
             Write-Host "Storage Blob Name is $storageBlobName"
 
@@ -360,7 +360,7 @@ try {
                 New-AzStorageContainer -Context $azStorageContext -Name $storageContainerName | Out-Null
             }
 
-            Write-Host "Delivering to $storageContainerName in $($storageAccount.StorageAccountName)"
+            Write-Host "Delivering to $storageContainerName in $($storageAccountCredentials.StorageAccountName)"
             $atypes.Split(',') | ForEach-Object {
                 $atype = $_
                 Write-Host "Looking for: $project-$refname-$atype-*.*.*.*"
@@ -415,7 +415,8 @@ try {
             # if type is Release, we only get here with the projects that needs to be delivered to AppSource
             # if type is CD, we get here for all projects, but should only deliver to AppSource if AppSourceContinuousDelivery is set to true
             if ($type -eq 'Release' -or $projectSettings.deliverToAppSource.continuousDelivery) {
-                EnsureAzStorageModule
+                # AppSource submission requires the Az.Storage module
+                InstallAzModuleIfNeeded -name 'Az.Storage'
                 $appSourceContext = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($secrets.appSourceContext)) | ConvertFrom-Json | ConvertTo-HashTable
                 if (!$appSourceContext) {
                     throw "appSourceContext secret is missing"

@@ -20,16 +20,6 @@ $deploymentSettings = $deploymentEnvironments."$environmentName"
 $envName = $environmentName.Split(' ')[0]
 $secrets = $env:Secrets | ConvertFrom-Json
 
-# Check obsolete secrets
-"$($envName)-EnvironmentName","$($envName)_EnvironmentName","EnvironmentName" | ForEach-Object {
-    if ($secrets."$_") {
-        throw "The secret $_ is obsolete and should be replaced by using the EnvironmentName property in the DeployTo$envName setting in .github/AL-Go-Settings.json instead"
-    }
-}
-if ($secrets.Projects) {
-    throw "The secret Projects is obsolete and should be replaced by using the Projects property in the DeployTo$envName setting in .github/AL-Go-Settings.json instead"
-}
-
 $authContext = $null
 foreach($secretName in "$($envName)-AuthContext","$($envName)_AuthContext","AuthContext") {
     if ($secrets."$secretName") {
@@ -110,7 +100,7 @@ else {
 
     try {
         $sandboxEnvironment = ($response.environmentType -eq 1)
-        if ($sandboxEnvironment -and !($bcAuthContext.ClientSecret)) {
+        if ($sandboxEnvironment -and !($bcAuthContext.ClientSecret -or $bcAuthContext.ClientAssertion)) {
             # Sandbox and not S2S -> use dev endpoint (Publish-BcContainerApp)
             $parameters = @{
                 "bcAuthContext" = $bcAuthContext

@@ -8,7 +8,7 @@
 function IncludeBranch([string] $deliveryTarget) {
     $settingsName = "DeliverTo$deliveryTarget"
     if ($settings.Contains($settingsName) -and $settings."$settingsName".Contains('Branches')) {
-        Write-Host "- Branches defined: $($settings."$settingsName".Branches -join ', ') - "
+        Write-Host "- Branches defined: $($settings."$settingsName".Branches -join ', ')"
         return ($null -ne ($settings."$settingsName".Branches | Where-Object { $ENV:GITHUB_REF_NAME -like $_ }))
     }
     else {
@@ -18,7 +18,7 @@ function IncludeBranch([string] $deliveryTarget) {
 }
 
 function IncludeDeliveryTarget([string] $deliveryTarget) {
-    Write-Host "DeliveryTarget $_ - "
+    Write-Host "DeliveryTarget $_"
     # DeliveryTarget Context Secret needs to be specified for a delivery target to be included
     $contextName = "$($_)Context"
     $secrets = $env:Secrets | ConvertFrom-Json
@@ -38,7 +38,7 @@ if ($settings.type -eq "AppSource App") {
     ($projectsJson | ConvertFrom-Json) | ForEach-Object {
         $projectSettings = ReadSettings -project $_
         if ($projectSettings.deliverToAppSource.ContinuousDelivery -or ($projectSettings.Contains('AppSourceContinuousDelivery') -and $projectSettings.AppSourceContinuousDelivery)) {
-            Write-Host "Project $_ is setup for Continuous Delivery"
+            Write-Host "Project $_ is setup for Continuous Delivery to AppSource"
             $deliveryTargets += @("AppSource")
         }
     }

@@ -1,3 +1,6 @@
 {
-    "sign": "0.9.1-beta.24123.2"
+    "sign": "0.9.1-beta.24123.2",
+    "Az.Accounts": "2.15.1",
+    "Az.Storage": "6.1.1",
+    "Az.KeyVault": "5.2.0"
 }
@@ -100,6 +100,17 @@ try {
                             MaskValue -key "$($secretName).$($keyName)" -value "$($json."$keyName")"
                         }
                     }
+                    if ($json.ContainsKey('clientID') -and !($json.ContainsKey('clientSecret') -or $json.ContainsKey('refreshToken'))) {
+                        try {
+                            Write-Host "Query federated token"
+                            $result = Invoke-RestMethod -Method GET -UseBasicParsing -Headers @{ "Authorization" = "bearer $ENV:ACTIONS_ID_TOKEN_REQUEST_TOKEN"; "Accept" = "application/vnd.github+json" } -Uri "$ENV:ACTIONS_ID_TOKEN_REQUEST_URL&audience=api://AzureADTokenExchange"
+                            $json += @{ "clientAssertion" = $result.value }
+                            $secretValue = $json | ConvertTo-Json -Compress
+                        }
+                        catch {
+                            throw "$SecretName doesn't contain any ClientSecret and AL-Go is unable to acquire an ID_TOKEN. Error was $($_.Exception.Message)"
+                        }
+                    }
                 }
                 $base64value = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($secretValue))
                 $outSecrets += @{ "$secretsProperty" = $base64value }