feat: replace azure-validate Aspire Functions secret-storage scan with a script#2854
Open
tmeschter wants to merge 2 commits into
Open
feat: replace azure-validate Aspire Functions secret-storage scan with a script#2854tmeschter wants to merge 2 commits into
tmeschter wants to merge 2 commits into
Conversation
…h a script
Replace the inline bash + PowerShell detection one-liners in
aspire-functions-secrets.md with a tested cross-platform script pair
(scan-aspire-functions-secrets.{sh,ps1}) that scans *.cs for
AddAzureFunctionsProject, checks each match for AzureWebJobsSecretStorageType,
and prints a single NOT APPLICABLE / ALREADY CONFIGURED / FIX REQUIRED verdict.
Only the scan + verdict is scripted; the source fix stays in prose.
Fixes microsoft#2505
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot-Session: 6bffc710-2569-48cd-8d36-b3447f7106ff
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates the azure-validate skill’s Aspire + Azure Functions secret-storage pre-provisioning check by replacing inline bash/PowerShell one-liners with dedicated cross-platform scan scripts, and updates the reference doc to invoke those scripts and interpret a standardized verdict.
Changes:
- Added bash + PowerShell scripts to scan
*.csforAddAzureFunctionsProjectand determine whetherAzureWebJobsSecretStorageTypeis already set. - Updated
aspire-functions-secrets.mdto link/run the scripts and document the three possible verdicts. - Kept the remediation guidance (“Fix”) as prose; only the detection/verdict is scripted.
Show a summary per file
| File | Description |
|---|---|
| plugin/skills/azure-validate/references/scripts/scan-aspire-functions-secrets.sh | Adds bash implementation of the scan + verdict logic. |
| plugin/skills/azure-validate/references/scripts/scan-aspire-functions-secrets.ps1 | Adds PowerShell implementation of the scan + verdict logic. |
| plugin/skills/azure-validate/references/aspire-functions-secrets.md | Replaces inline one-liners with script invocation + verdict table. |
Review details
- Files reviewed: 3/3 changed files
- Comments generated: 4
- Review effort level: Low
tmeschter
commented
Jul 16, 2026
Bash: - Use arrays instead of a newline-joined string so file paths are genuinely NUL-safe (paths with newlines/spaces are preserved end to end). - Use fixed-string grep (-F) for the literal markers. - Treat grep read errors (exit code 2) as a fatal environment error (exit 3) instead of silently reporting no match, since this is a critical pre-provision scan. PowerShell: - Remove the $ErrorActionPreference = "Stop" line so it defaults to "Continue"; Write-Error is then non-terminating and the explicit exit codes (e.g. exit 2 for a bad directory) are honored. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> Copilot-Session: 6bffc710-2569-48cd-8d36-b3447f7106ff
JasonYeMSFT
approved these changes
Jul 16, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes #2505.
Replaces the
azure-validateskill's Aspire + Azure Functions secret-storage scan (previously inline parallel bash/PowerShell one-liners, including an error-pronefind | xargs | greppipeline) with a tested cross-platform script pair.The scan is a deterministic, CRITICAL pre-provisioning check: before
azd provision, decide whether theAzureWebJobsSecretStorageType=Filesfix is required for an Aspire app that uses Azure Functions.Changes
New scripts in
plugin/skills/azure-validate/references/scripts/:scan-aspire-functions-secrets.sh(bash)scan-aspire-functions-secrets.ps1(PowerShell)Each scans
*.csfiles forAddAzureFunctionsProject, checks whether each match already setsAzureWebJobsSecretStorageType, and prints one self-explanatory verdict:NOT APPLICABLE— noAddAzureFunctionsProjectfound → skip the checkALREADY CONFIGURED— every matching file already sets the value → no changeFIX REQUIRED— matching file(s) listed with file/line → apply the fixExit code is
0for every verdict; non-zero only on usage/environment errors.references/aspire-functions-secrets.md: replaced the inline detection one-liners with a markdown-linked script invocation, a one-line description, per-platform sample calls, and a verdict table. The Fix (editing the builder chain) and all rationale prose are unchanged — only the scan + verdict is scripted.Scope note
Only the scan/verdict is scripted; applying the fix (adding
.WithEnvironment("AzureWebJobsSecretStorageType", "Files")) still requires source-editing judgment and stays in prose. The shared AppHost*.csscan-helper refactor mentioned in the issue (overlap with #2499 / #2494) is intentionally out of scope.Validation
npm run build— version stamping succeeds; scripts are copied intooutput/.cd scripts && npm run references— ✅ (markdown links stay within the skill directory).npm run tokens check— the edited reference is within limits (net −8 lines).cd tests && npm test -- --testPathPatterns=azure-validate— 32 trigger tests pass..shnormalized to LF line endings.Related tests / evals
No test invokes the script by name; graders assert the resulting
AppHost.csedit. The scan-and-verdict flow this script backs is exercised by thedotnet/aspire-samplessamples/aspire-with-azure-functionsscenarios:evals/azure-validate/e2e-eval.yaml→ "Brownfield - AzureWebJobsSecretStorageType for Aspire Functions" — requires theazure-validateskill, early-terminates beforeazd provision, and grades that**/AppHost.csgainsAzureWebJobsSecretStorageTypewhile deploy never runs.evals/azure-prepare/e2e-eval.yaml→ "Aspire With Azure Functions - Services Section" — same sample; loadsaspire.md(which links this scan) but grades theazure.yamlservices section.tests/azure-deploy/integration.test.ts→test("deploys aspire azure functions")— full end-to-end deploy of the same sample; hits the pre-provision scan along the way.