DIPSAS · Copilot · Feb 28, 2026 · Feb 28, 2026 · Feb 28, 2026
diff --git a/.github/workflows/trigger-azure-cd.yml b/.github/workflows/trigger-azure-cd.yml
@@ -0,0 +1,61 @@
+name: Trigger Azure DevOps Build
+
+# Manually start a build in Azure DevOps from any branch.
+#
+# Access is restricted via the "protected" GitHub Environment, which must be
+# configured in the repository Settings → Environments with required reviewers
+# and/or deployment branch rules before the job is allowed to run.
+#
+# Required repository secrets (Settings → Secrets and variables → Actions):
+#   AZURE_DEVOPS_TOKEN  – Azure DevOps Personal Access Token with
+#                         "Build: Read & execute" scope
+#
+# Required repository variables (Settings → Secrets and variables → Actions):
+#   AZURE_PIPELINE_ID  – Azure DevOps pipeline definition ID to trigger
+
+on:
+  workflow_dispatch:
+    inputs:
+      branch:
+        description: 'Branch to build'
+        required: true
+        default: 'main'
+
+jobs:
+  trigger-build:
+    name: Trigger Azure DevOps build
+    runs-on: ubuntu-latest
+    permissions: {}
+    # The "protected" environment enforces required-reviewer approval before
+    # this job proceeds. Configure reviewers and branch policies in:
+    # Settings → Environments → protected
+    environment: protected
+    steps:
+      - name: Queue Azure DevOps build
+        env:
+          AZURE_DEVOPS_TOKEN: ${{ secrets.AZURE_DEVOPS_TOKEN }}
+          # Pass user-controlled value via env var to prevent script injection
+          INPUT_BRANCH: ${{ inputs.branch }}
+        run: |
+          BRANCH_REF="refs/heads/${INPUT_BRANCH}"
+
+          HTTP_STATUS=$(curl -s -o /tmp/response.json -w "%{http_code}" \
+            -X POST \
+            -H "Authorization: Basic $(echo -n ":${AZURE_DEVOPS_TOKEN}" | base64 -w 0)" \
+            -H "Content-Type: application/json" \
+            -d "{
+              \"definition\": {\"id\": ${{ vars.AZURE_PIPELINE_ID }} },
+              \"sourceBranch\": \"${BRANCH_REF}\"
+            }" \
+            "https://dev.azure.com/dips/DIPS/_apis/build/builds?api-version=7.0")
+
+          echo "HTTP status: $HTTP_STATUS"
+          cat /tmp/response.json
+
+          if [ "$HTTP_STATUS" != "200" ] && [ "$HTTP_STATUS" != "201" ]; then
+            echo "❌ Failed to queue build (HTTP $HTTP_STATUS)"
+            exit 1
+          fi
+
+          BUILD_URL=$(python3 -c "import sys, json; d=json.load(open('/tmp/response.json')); print(d.get('_links',{}).get('web',{}).get('href','N/A'))")
+          echo "✅ Build queued: $BUILD_URL"
diff --git a/.github/workflows/trigger-azure-ci.yml b/.github/workflows/trigger-azure-ci.yml
@@ -0,0 +1,50 @@
+name: Trigger Azure DevOps CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+    types: [opened, synchronize, reopened]
+
+jobs:
+  trigger-ci:
+    name: Trigger CI pipeline
+    runs-on: ubuntu-latest
+    permissions: {}
+    steps:
+      - name: Queue Azure DevOps CI build
+        env:
+          AZURE_DEVOPS_TOKEN: ${{ secrets.AZURE_DEVOPS_TOKEN }}
+          # Pass user-controlled values via env vars to prevent script injection
+          GH_EVENT_NAME: ${{ github.event_name }}
+          GH_HEAD_REF: ${{ github.head_ref }}
+          GH_REF: ${{ github.ref }}
+        run: |
+          if [ "${GH_EVENT_NAME}" = "pull_request" ]; then
+            BRANCH_REF="refs/heads/${GH_HEAD_REF}"
+          else
+            BRANCH_REF="${GH_REF}"
+          fi
+
+          HTTP_STATUS=$(curl -s -o /tmp/response.json -w "%{http_code}" \
+            -X POST \
+            -H "Authorization: Basic $(echo -n ":${AZURE_DEVOPS_TOKEN}" | base64 -w 0)" \
+            -H "Content-Type: application/json" \
+            -d "{
+              \"definition\": {\"id\": ${{ vars.AZURE_CI_PIPELINE_ID }} },
+              \"sourceBranch\": \"${BRANCH_REF}\",
+              \"parameters\": \"{\\\"GitHubRunId\\\":\\\"${{ github.run_id }}\\\",\\\"GitHubRef\\\":\\\"${{ github.ref }}\\\",\\\"GitHubSHA\\\":\\\"${{ github.sha }}\\\"}\"
+            }" \
+            "https://dev.azure.com/dips/DIPS/_apis/build/builds?api-version=7.0")
+
+          echo "HTTP status: $HTTP_STATUS"
+          cat /tmp/response.json
+
+          if [ "$HTTP_STATUS" != "200" ] && [ "$HTTP_STATUS" != "201" ]; then
+            echo "❌ Failed to queue build (HTTP $HTTP_STATUS)"
+            exit 1
+          fi
+
+          BUILD_URL=$(python3 -c "import sys, json; d=json.load(open('/tmp/response.json')); print(d.get('_links',{}).get('web',{}).get('href','N/A'))")
+          echo "✅ CI build queued: $BUILD_URL"
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,6 @@
+## [55.2.3]
+- [CI/CD] Added GitHub workflows to trigger Azure DevOps CI and CD pipelines, with access restriction via GitHub Environments.
+
 ## [55.2.2]
 - [iOS26][Tip] Added more padding.