@@ -12,53 +12,93 @@ permissions:
1212jobs :
1313 template_validation_job :
1414 runs-on : ubuntu-latest
15- # Using an environment named 'production' may require approvals; adjust if that caused prior failures.
16- environment : production
15+ environment : validation
1716 name : Template validation
1817 steps :
1918 - name : Checkout code
2019 uses : actions/checkout@v4
2120
22- - name : Azure Login
21+ - name : Pre-flight secret check
22+ id : secret_check
23+ run : |
24+ missing=0
25+ for var in AZURE_CLIENT_ID AZURE_TENANT_ID AZURE_SUBSCRIPTION_ID; do
26+ if [ -z "${{ secrets[format('{0}', var)] }}" ]; then
27+ echo "::error::Required secret $var is missing." >&2
28+ missing=1
29+ fi
30+ done
31+ if [ "$missing" -eq 1 ]; then
32+ echo "Missing required secrets. Failing early." >&2
33+ exit 1
34+ fi
35+ echo "All required auth secrets present (client secret not required for OIDC)."
36+
37+ - name : Azure Login (OIDC)
2338 uses : azure/login@v1
2439 with :
2540 client-id : ${{ secrets.AZURE_CLIENT_ID }}
2641 tenant-id : ${{ secrets.AZURE_TENANT_ID }}
2742 subscription-id : ${{ secrets.AZURE_SUBSCRIPTION_ID }}
2843
44+ - name : Debug Azure context
45+ run : |
46+ az account show || echo "Could not show account (ensure privileges)" >&2
47+ echo "Listing bicep version (if installed):"; az bicep version || true
48+ echo "Listing repo root:"; ls -1 . || true
49+ echo "Infra directory content:"; ls -1 infra || true
50+
2951 - name : Validate Azure Template
3052 id : validation
3153 uses : microsoft/template-validation-action@main
3254 env :
33- # These env vars are optional for the action but retained in case the action consumes them.
3455 AZURE_CLIENT_ID : ${{ secrets.AZURE_CLIENT_ID }}
35- AZURE_CLIENT_SECRET : ${{ secrets.AZURE_CLIENT_SECRET }}
3656 AZURE_TENANT_ID : ${{ secrets.AZURE_TENANT_ID }}
3757 AZURE_SUBSCRIPTION_ID : ${{ secrets.AZURE_SUBSCRIPTION_ID }}
38- AZURE_ENV_NAME : ${{ secrets.AZURE_ENV_NAME }}
3958 AZURE_LOCATION : ${{ secrets.AZURE_LOCATION }}
4059 GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
60+ continue-on-error : true
61+
62+ - name : Capture validation output
63+ id : capture
64+ run : |
65+ out="${{ steps.validation.outputs.resultFile }}"
66+ if [ -n "$out" ] && [ -f "$out" ]; then
67+ cp "$out" validation-result.json
68+ else
69+ echo '{"warning":"No resultFile produced by action"}' > validation-result.json
70+ fi
71+ echo "result_path=validation-result.json" >> $GITHUB_OUTPUT
4172
4273 - name : Print validation result
4374 if : always()
4475 run : |
45- if [ -n "${{ steps.validation.outputs.resultFile }}" ] && [ -f "${{ steps.validation.outputs.resultFile }}" ]; then
46- echo "--- Validation Result File ---"
47- cat "${{ steps.validation.outputs.resultFile }}"
48- else
49- echo "Result file not found (output: '${{ steps.validation.outputs.resultFile }}')." >&2
50- fi
76+ echo "--- validation-result.json ---"
77+ cat validation-result.json || echo "No validation-result.json present" >&2
78+
79+ - name : Upload validation result artifact
80+ if : always()
81+ uses : actions/upload-artifact@v4
82+ with :
83+ name : validation-result
84+ path : validation-result.json
85+ retention-days : 7
5186
5287 - name : Fail if validation errors detected
5388 run : |
54- file='${{ steps. validation.outputs.resultFile }} '
89+ file='validation-result.json '
5590 if [ ! -f "$file" ]; then
5691 echo "No validation result file produced; failing." >&2
5792 exit 1
5893 fi
59- # Heuristic: look for common error markers.
6094 if grep -Ei '"(status|level)" *: *"error"' "$file" || grep -Ei '\b(error|failed)\b' "$file"; then
6195 echo "Errors detected in template validation output." >&2
96+ cat "$file"
97+ exit 1
98+ fi
99+ # Also treat underlying action non-zero exit as failure even if heuristic passes.
100+ if [ "${{ steps.validation.outcome }}" = "failure" ]; then
101+ echo "Underlying validation action reported failure (steps.validation.outcome)." >&2
62102 exit 1
63103 fi
64104 echo "No blocking errors detected in validation output."
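Review bot: The pre-flight check at new line 26 cannot reach the shell loop variable: `${{ secrets[format('{0}', var)] }}` is expanded by the Actions runner before the shell starts, and `var` is not a name in the expression context, so the step most likely fails when the workflow is parsed and in no case tests the secret it names. Expose the three secrets to the step via `env:` and test them with bash indirect expansion, as in the fence below. The debug step at new lines 44-49 writes `az account show` and directory listings into the job log; registered secret values are masked, but the remaining account metadata still lands in the log, so consider gating the step on `${{ runner.debug == '1' }}` or dropping it. Separately, `file='validation-result.json '` at new line 89 carries a trailing space inside the quotes (the removed line had it too); if that space is in the file rather than a rendering artifact, `[ ! -f "$file" ]` never finds the file and the job always fails. The `permissions:` block named in the hunk header is outside this view; OIDC login needs `id-token: write` there.
```yaml
      - name: Pre-flight secret check
        id: secret_check
        env:
          AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
          AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
          AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
        run: |
          missing=0
          for var in AZURE_CLIENT_ID AZURE_TENANT_ID AZURE_SUBSCRIPTION_ID; do
            if [ -z "${!var}" ]; then
              echo "::error::Required secret $var is missing." >&2
              missing=1
            fi
          done
          # … unchanged: exit-on-missing check and success message …
```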