diff --git a/.github/workflows/trigger-azure-cd.yml b/.github/workflows/trigger-azure-cd.yml
new file mode 100644
index 00000000..c51ae242
--- /dev/null
+++ b/.github/workflows/trigger-azure-cd.yml
@@ -0,0 +1,61 @@
+name: Trigger Azure DevOps Build
+
+# Manually start a build in Azure DevOps from any branch.
+#
+# Access is restricted via the "protected" GitHub Environment, which must be
+# configured in the repository Settings → Environments with required reviewers
+# and/or deployment branch rules before the job is allowed to run.
+#
+# Required repository secrets (Settings → Secrets and variables → Actions):
+# AZURE_DEVOPS_TOKEN – Azure DevOps Personal Access Token with
+# "Build: Read & execute" scope
+#
+# Required repository variables (Settings → Secrets and variables → Actions):
+# AZURE_PIPELINE_ID – Azure DevOps pipeline definition ID to trigger
+
+on:
+ workflow_dispatch:
+ inputs:
+ branch:
+ description: 'Branch to build'
+ required: true
+ default: 'main'
+
+jobs:
+ trigger-build:
+ name: Trigger Azure DevOps build
+ runs-on: ubuntu-latest
+ permissions: {}
+ # The "protected" environment enforces required-reviewer approval before
+ # this job proceeds. Configure reviewers and branch policies in:
+ # Settings → Environments → protected
+ environment: protected
+ steps:
+ - name: Queue Azure DevOps build
+ env:
+ AZURE_DEVOPS_TOKEN: ${{ secrets.AZURE_DEVOPS_TOKEN }}
+ # Pass user-controlled value via env var to prevent script injection
+ INPUT_BRANCH: ${{ inputs.branch }}
+ run: |
+ BRANCH_REF="refs/heads/${INPUT_BRANCH}"
+
+ HTTP_STATUS=$(curl -s -o /tmp/response.json -w "%{http_code}" \
+ -X POST \
+ -H "Authorization: Basic $(echo -n ":${AZURE_DEVOPS_TOKEN}" | base64 -w 0)" \
+ -H "Content-Type: application/json" \
+ -d "{
+ \"definition\": {\"id\": ${{ vars.AZURE_PIPELINE_ID }} },
+ \"sourceBranch\": \"${BRANCH_REF}\"
+ }" \
+ "https://dev.azure.com/dips/DIPS/_apis/build/builds?api-version=7.0")
+
+ echo "HTTP status: $HTTP_STATUS"
+ cat /tmp/response.json
+
+ if [ "$HTTP_STATUS" != "200" ] && [ "$HTTP_STATUS" != "201" ]; then
+ echo "❌ Failed to queue build (HTTP $HTTP_STATUS)"
+ exit 1
+ fi
+
+ BUILD_URL=$(python3 -c "import sys, json; d=json.load(open('/tmp/response.json')); print(d.get('_links',{}).get('web',{}).get('href','N/A'))")
+ echo "✅ Build queued: $BUILD_URL"
diff --git a/.github/workflows/trigger-azure-ci.yml b/.github/workflows/trigger-azure-ci.yml
new file mode 100644
index 00000000..3354e1c0
--- /dev/null
+++ b/.github/workflows/trigger-azure-ci.yml
@@ -0,0 +1,50 @@
+name: Trigger Azure DevOps CI
+
+on:
+ push:
+ branches: [main]
+ pull_request:
+ branches: [main]
+ types: [opened, synchronize, reopened]
+
+jobs:
+ trigger-ci:
+ name: Trigger CI pipeline
+ runs-on: ubuntu-latest
+ permissions: {}
+ steps:
+ - name: Queue Azure DevOps CI build
+ env:
+ AZURE_DEVOPS_TOKEN: ${{ secrets.AZURE_DEVOPS_TOKEN }}
+ # Pass user-controlled values via env vars to prevent script injection
+ GH_EVENT_NAME: ${{ github.event_name }}
+ GH_HEAD_REF: ${{ github.head_ref }}
+ GH_REF: ${{ github.ref }}
+ run: |
+ if [ "${GH_EVENT_NAME}" = "pull_request" ]; then
+ BRANCH_REF="refs/heads/${GH_HEAD_REF}"
+ else
+ BRANCH_REF="${GH_REF}"
+ fi
+
+ HTTP_STATUS=$(curl -s -o /tmp/response.json -w "%{http_code}" \
+ -X POST \
+ -H "Authorization: Basic $(echo -n ":${AZURE_DEVOPS_TOKEN}" | base64 -w 0)" \
+ -H "Content-Type: application/json" \
+ -d "{
+ \"definition\": {\"id\": ${{ vars.AZURE_CI_PIPELINE_ID }} },
+ \"sourceBranch\": \"${BRANCH_REF}\",
+ \"parameters\": \"{\\\"GitHubRunId\\\":\\\"${{ github.run_id }}\\\",\\\"GitHubRef\\\":\\\"${{ github.ref }}\\\",\\\"GitHubSHA\\\":\\\"${{ github.sha }}\\\"}\"
+ }" \
+ "https://dev.azure.com/dips/DIPS/_apis/build/builds?api-version=7.0")
+
+ echo "HTTP status: $HTTP_STATUS"
+ cat /tmp/response.json
+
+ if [ "$HTTP_STATUS" != "200" ] && [ "$HTTP_STATUS" != "201" ]; then
+ echo "❌ Failed to queue build (HTTP $HTTP_STATUS)"
+ exit 1
+ fi
+
+ BUILD_URL=$(python3 -c "import sys, json; d=json.load(open('/tmp/response.json')); print(d.get('_links',{}).get('web',{}).get('href','N/A'))")
+ echo "✅ CI build queued: $BUILD_URL"
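Review bot: `INPUT_BRANCH` is kept out of shell expansion but is still spliced unescaped into the JSON body at `\"sourceBranch\": \"${BRANCH_REF}\"`, so a branch name containing `"` (which git permits in ref names) can inject extra fields such as `sourceVersion` or `parameters` into the queue request; the same hunk also inlines `${{ vars.AZURE_PIPELINE_ID }}` directly into the script, contrary to its own "pass via env var" comment. Validate the input before use, e.g. `[[ "$INPUT_BRANCH" =~ ^[A-Za-z0-9._/-]+$ ]] || { echo "::error::invalid branch name"; exit 1; }`, and move the pipeline id into `env:` as `PIPELINE_ID: ${{ vars.AZURE_PIPELINE_ID }}` guarded by `[[ "$PIPELINE_ID" =~ ^[0-9]+$ ]]`. The required-reviewer gate on the `protected` environment limits who can reach this step, but reviewers are unlikely to inspect a branch string for JSON metacharacters. Separately, `curl -u ":${AZURE_DEVOPS_TOKEN}"` would avoid hand-building the Basic header, whose base64 form is not covered by GitHub's secret masking should it ever be echoed (e.g. under `set -x`).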
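Review bot: The `parameters` line still inlines `${{ github.ref }}` directly into the shell script even though `GH_REF` was exported for exactly that purpose, and `GH_HEAD_REF` — a branch name chosen by whoever opens the pull request, which on `pull_request` can be any fork — is interpolated into the JSON body without escaping, so a ref containing `"` can add or override fields in the queue request. Rather than hand-escaping, let python3 (already used below to read the response) serialise the body from environment variables, and move `vars.AZURE_CI_PIPELINE_ID`, `github.run_id` and `github.sha` into `env:` alongside the existing ones. Note also that for pull requests from forks `secrets.AZURE_DEVOPS_TOKEN` is not available to the job, so presumably this request goes out unauthenticated and fails; if that is intended, a guard such as `if: github.event.pull_request.head.repo.full_name == github.repository` on the job would make it explicit.
```yaml
        env:
          AZURE_DEVOPS_TOKEN: ${{ secrets.AZURE_DEVOPS_TOKEN }}
          PIPELINE_ID: ${{ vars.AZURE_CI_PIPELINE_ID }}
          GH_EVENT_NAME: ${{ github.event_name }}
          GH_HEAD_REF: ${{ github.head_ref }}
          GH_REF: ${{ github.ref }}
          GH_RUN_ID: ${{ github.run_id }}
          GH_SHA: ${{ github.sha }}
        run: |
          # … unchanged: BRANCH_REF selection …
          export BRANCH_REF
          BODY=$(python3 -c 'import json, os
          print(json.dumps({
              "definition": {"id": int(os.environ["PIPELINE_ID"])},
              "sourceBranch": os.environ["BRANCH_REF"],
              "parameters": json.dumps({
                  "GitHubRunId": os.environ["GH_RUN_ID"],
                  "GitHubRef": os.environ["GH_REF"],
                  "GitHubSHA": os.environ["GH_SHA"],
              }),
          }))')
          HTTP_STATUS=$(curl -s -o /tmp/response.json -w "%{http_code}" \
            -X POST -u ":${AZURE_DEVOPS_TOKEN}" \
            -H "Content-Type: application/json" \
            -d "$BODY" \
            "https://dev.azure.com/dips/DIPS/_apis/build/builds?api-version=7.0")
          # … unchanged: status check and build URL …
```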
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 566fc835..4f1d3768 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,6 @@
+## [55.2.3]
+- [CI/CD] Added GitHub workflows to trigger Azure DevOps CI and CD pipelines, with access restriction via GitHub Environments.
+
 ## [55.2.2]
 - [iOS26][Tip] Added more padding.