Skip to content

feat: replace azure-validate Aspire Functions secret-storage scan with a script#2854

Open
tmeschter wants to merge 2 commits into
microsoft:mainfrom
tmeschter:tmeschter-azure-validate-secret-scan-script
Open

feat: replace azure-validate Aspire Functions secret-storage scan with a script#2854
tmeschter wants to merge 2 commits into
microsoft:mainfrom
tmeschter:tmeschter-azure-validate-secret-scan-script

Conversation

@tmeschter

Copy link
Copy Markdown
Member

Summary

Fixes #2505.

Replaces the azure-validate skill's Aspire + Azure Functions secret-storage scan (previously inline parallel bash/PowerShell one-liners, including an error-prone find | xargs | grep pipeline) with a tested cross-platform script pair.

The scan is a deterministic, CRITICAL pre-provisioning check: before azd provision, decide whether the AzureWebJobsSecretStorageType=Files fix is required for an Aspire app that uses Azure Functions.

Changes

  • New scripts in plugin/skills/azure-validate/references/scripts/:

    • scan-aspire-functions-secrets.sh (bash)
    • scan-aspire-functions-secrets.ps1 (PowerShell)

    Each scans *.cs files for AddAzureFunctionsProject, checks whether each match already sets AzureWebJobsSecretStorageType, and prints one self-explanatory verdict:

    • NOT APPLICABLE — no AddAzureFunctionsProject found → skip the check
    • ALREADY CONFIGURED — every matching file already sets the value → no change
    • FIX REQUIRED — matching file(s) listed with file/line → apply the fix

    Exit code is 0 for every verdict; non-zero only on usage/environment errors.

  • references/aspire-functions-secrets.md: replaced the inline detection one-liners with a markdown-linked script invocation, a one-line description, per-platform sample calls, and a verdict table. The Fix (editing the builder chain) and all rationale prose are unchanged — only the scan + verdict is scripted.

Scope note

Only the scan/verdict is scripted; applying the fix (adding .WithEnvironment("AzureWebJobsSecretStorageType", "Files")) still requires source-editing judgment and stays in prose. The shared AppHost *.cs scan-helper refactor mentioned in the issue (overlap with #2499 / #2494) is intentionally out of scope.

Validation

  • Manual fixture tests of both scripts (no call / call-only / call+setting) — identical, correct verdicts on bash (Git Bash) and PowerShell.
  • npm run build — version stamping succeeds; scripts are copied into output/.
  • cd scripts && npm run references — ✅ (markdown links stay within the skill directory).
  • npm run tokens check — the edited reference is within limits (net −8 lines).
  • cd tests && npm test -- --testPathPatterns=azure-validate — 32 trigger tests pass.
  • .sh normalized to LF line endings.

Related tests / evals

No test invokes the script by name; graders assert the resulting AppHost.cs edit. The scan-and-verdict flow this script backs is exercised by the dotnet/aspire-samples samples/aspire-with-azure-functions scenarios:

  • azure-validate (primary): evals/azure-validate/e2e-eval.yaml → "Brownfield - AzureWebJobsSecretStorageType for Aspire Functions" — requires the azure-validate skill, early-terminates before azd provision, and grades that **/AppHost.cs gains AzureWebJobsSecretStorageType while deploy never runs.
  • azure-prepare: evals/azure-prepare/e2e-eval.yaml → "Aspire With Azure Functions - Services Section" — same sample; loads aspire.md (which links this scan) but grades the azure.yaml services section.
  • azure-deploy: tests/azure-deploy/integration.test.tstest("deploys aspire azure functions") — full end-to-end deploy of the same sample; hits the pre-provision scan along the way.

…h a script

Replace the inline bash + PowerShell detection one-liners in
aspire-functions-secrets.md with a tested cross-platform script pair
(scan-aspire-functions-secrets.{sh,ps1}) that scans *.cs for
AddAzureFunctionsProject, checks each match for AzureWebJobsSecretStorageType,
and prints a single NOT APPLICABLE / ALREADY CONFIGURED / FIX REQUIRED verdict.

Only the scan + verdict is scripted; the source fix stays in prose.

Fixes microsoft#2505

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot-Session: 6bffc710-2569-48cd-8d36-b3447f7106ff
@tmeschter tmeschter requested a review from RickWinter as a code owner July 15, 2026 22:29
Copilot AI review requested due to automatic review settings July 15, 2026 22:29

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the azure-validate skill’s Aspire + Azure Functions secret-storage pre-provisioning check by replacing inline bash/PowerShell one-liners with dedicated cross-platform scan scripts, and updates the reference doc to invoke those scripts and interpret a standardized verdict.

Changes:

  • Added bash + PowerShell scripts to scan *.cs for AddAzureFunctionsProject and determine whether AzureWebJobsSecretStorageType is already set.
  • Updated aspire-functions-secrets.md to link/run the scripts and document the three possible verdicts.
  • Kept the remediation guidance (“Fix”) as prose; only the detection/verdict is scripted.
Show a summary per file
File Description
plugin/skills/azure-validate/references/scripts/scan-aspire-functions-secrets.sh Adds bash implementation of the scan + verdict logic.
plugin/skills/azure-validate/references/scripts/scan-aspire-functions-secrets.ps1 Adds PowerShell implementation of the scan + verdict logic.
plugin/skills/azure-validate/references/aspire-functions-secrets.md Replaces inline one-liners with script invocation + verdict table.

Review details

  • Files reviewed: 3/3 changed files
  • Comments generated: 4
  • Review effort level: Low

Comment thread plugin/skills/azure-validate/references/scripts/scan-aspire-functions-secrets.sh Outdated
Comment thread plugin/skills/azure-validate/references/scripts/scan-aspire-functions-secrets.sh Outdated
Comment thread plugin/skills/azure-validate/references/scripts/scan-aspire-functions-secrets.ps1 Outdated
Bash:
- Use arrays instead of a newline-joined string so file paths are genuinely
  NUL-safe (paths with newlines/spaces are preserved end to end).
- Use fixed-string grep (-F) for the literal markers.
- Treat grep read errors (exit code 2) as a fatal environment error (exit 3)
  instead of silently reporting no match, since this is a critical
  pre-provision scan.

PowerShell:
- Remove the $ErrorActionPreference = "Stop" line so it defaults to "Continue";
  Write-Error is then non-terminating and the explicit exit codes (e.g. exit 2
  for a bad directory) are honored.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot-Session: 6bffc710-2569-48cd-8d36-b3447f7106ff
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Replace azure-validate skill Aspire Functions secret-storage scan with a script

3 participants