From 2cbf8540e6ba3220a8c650f797fec2ceda00333d Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 8 Sep 2025 12:50:15 -0700
Subject: [PATCH 01/10] Bump actions/setup-node from 4 to 5 (#256)

Bumps [actions/setup-node](https://github.com/actions/setup-node) from 4 to 5.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](https://github.com/actions/setup-node/compare/v4...v5)

---
updated-dependencies:
- dependency-name: actions/setup-node
dependency-version: '5'
dependency-type: direct:production
update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/app-tests.yaml | 2 +-
 .github/workflows/azure-dev.yaml | 2 +-
 .github/workflows/evaluate.yaml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/app-tests.yaml b/.github/workflows/app-tests.yaml
index 3c1ca9c..0c7809c 100644
--- a/.github/workflows/app-tests.yaml
+++ b/.github/workflows/app-tests.yaml
@@ -104,7 +104,7 @@ jobs:
 python ./src/backend/fastapi_app/setup_postgres_seeddata.py
 - name: Setup node
- uses: actions/setup-node@v4
+ uses: actions/setup-node@v5
 with:
 node-version: 18
diff --git a/.github/workflows/azure-dev.yaml b/.github/workflows/azure-dev.yaml
index e0e3afb..6dc18f1 100644
--- a/.github/workflows/azure-dev.yaml
+++ b/.github/workflows/azure-dev.yaml
@@ -44,7 +44,7 @@ jobs:
 uses: Azure/setup-azd@v2.1.0
 - name: Install Nodejs
- uses: actions/setup-node@v4
+ uses: actions/setup-node@v5
 with:
 node-version: 20
diff --git a/.github/workflows/evaluate.yaml b/.github/workflows/evaluate.yaml
index b9aa40f..3233dd8 100644
--- a/.github/workflows/evaluate.yaml
+++ b/.github/workflows/evaluate.yaml
@@ -114,7 +114,7 @@ jobs:
 python ./src/backend/fastapi_app/setup_postgres_seeddata.py
 - name: Setup node
- uses: actions/setup-node@v4
+ uses: actions/setup-node@v5
 with:
 node-version: 18

From e5ce6a95db1496b87fbc6c00db335f5debbf258a Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 8 Sep 2025 12:50:25 -0700
Subject: [PATCH 02/10] Bump actions/setup-python from 5 to 6 (#258)

Bumps [actions/setup-python](https://github.com/actions/setup-python) from 5 to 6.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](https://github.com/actions/setup-python/compare/v5...v6)

---
updated-dependencies:
- dependency-name: actions/setup-python
dependency-version: '6'
dependency-type: direct:production
update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/app-tests.yaml | 2 +-
 .github/workflows/evaluate.yaml | 2 +-
 .github/workflows/python-code-quality.yaml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/app-tests.yaml b/.github/workflows/app-tests.yaml
index 0c7809c..1e67a97 100644
--- a/.github/workflows/app-tests.yaml
+++ b/.github/workflows/app-tests.yaml
@@ -77,7 +77,7 @@ jobs:
 sudo -u postgres psql -c 'CREATE EXTENSION vector'
 - name: Setup python
- uses: actions/setup-python@v5
+ uses: actions/setup-python@v6
 with:
 python-version: ${{ matrix.python_version }}
 architecture: x64
diff --git a/.github/workflows/evaluate.yaml b/.github/workflows/evaluate.yaml
index 3233dd8..b5c77c4 100644
--- a/.github/workflows/evaluate.yaml
+++ b/.github/workflows/evaluate.yaml
@@ -77,7 +77,7 @@ jobs:
 run: sudo -u postgres psql -c 'CREATE EXTENSION vector'
 - name: Install python
- uses: actions/setup-python@v5
+ uses: actions/setup-python@v6
 with:
 python-version: '3.12'
diff --git a/.github/workflows/python-code-quality.yaml b/.github/workflows/python-code-quality.yaml
index fce62c6..bbf9d00 100644
--- a/.github/workflows/python-code-quality.yaml
+++ b/.github/workflows/python-code-quality.yaml
@@ -22,7 +22,7 @@ jobs:
 steps:
 - uses: actions/checkout@v4
 - name: Set up Python 3
- uses: actions/setup-python@v5
+ uses: actions/setup-python@v6
 with:
 python-version: "3.12"
 cache: 'pip'

From 227e97a6010a673169dbf53b88201afb361158a7 Mon Sep 17 00:00:00 2001
From: Pamela Fox
Date: Fri, 3 Oct 2025 09:45:25 -0700
Subject: [PATCH 03/10] Tiny wording change

---
 docs/safety_evaluation.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/safety_evaluation.md b/docs/safety_evaluation.md
index 4eb4028..a9dc116 100644
--- a/docs/safety_evaluation.md
+++ b/docs/safety_evaluation.md
@@ -4,7 +4,7 @@ When deploying a RAG app to production, you should evaluate the safety of the an
 * [Deploy an Azure AI project](#deploy-an-azure-ai-project)
 * [Setup the evaluation environment](#setup-the-evaluation-environment)
-* [Run red teaming agent](#run-red-teaming-agent)
+* [Run the red teaming agent](#run-the-red-teaming-agent)
 * [Review the red teaming results](#review-the-red-teaming-results)
 ## Deploy an Azure AI project

From 9e53c6cd97ad6ff74433aba2c7823cb91ab0ce01 Mon Sep 17 00:00:00 2001
From: Pamela Fox
Date: Fri, 3 Oct 2025 12:06:16 -0700
Subject: [PATCH 04/10] Restrict regions due to AppInsights error (#274)

* Restrict regions due to AppInsights error
* Update windows CI

---
 .github/workflows/app-tests.yaml | 6 ++--
 infra/main.bicep | 60 ++++++++++++++++++++++++++++++++
 2 files changed, 63 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/app-tests.yaml b/.github/workflows/app-tests.yaml
index 1e67a97..5c6784a 100644
--- a/.github/workflows/app-tests.yaml
+++ b/.github/workflows/app-tests.yaml
@@ -59,12 +59,12 @@ jobs:
 run: |
 call "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Auxiliary\Build\vcvars64.bat"
 cd %TEMP%
- git clone --branch v0.7.4 https://github.com/pgvector/pgvector.git
+ git clone --branch v0.8.1 https://github.com/pgvector/pgvector.git
 cd pgvector
 nmake /NOLOGO /F Makefile.win
 nmake /NOLOGO /F Makefile.win install
- sc config postgresql-x64-14 start=auto
- net start postgresql-x64-14
+ sc config postgresql-x64-17 start=auto
+ net start postgresql-x64-17
 "%PGBIN%/psql" -d postgres -c "CREATE EXTENSION vector"
 - name: (Linux) Install pgvector and set password
diff --git a/infra/main.bicep b/infra/main.bicep
index 6fc222f..65795e3 100644
--- a/infra/main.bicep
+++ b/infra/main.bicep
@@ -7,6 +7,66 @@ param name string
 @minLength(1)
 @description('Primary location for all resources')
+// microsoft.insights/components has restricted regions
+@allowed([
+ 'eastus'
+ 'southcentralus'
+ 'northeurope'
+ 'westeurope'
+ 'southeastasia'
+ 'westus2'
+ 'uksouth'
+ 'canadacentral'
+ 'centralindia'
+ 'japaneast'
+ 'australiaeast'
+ 'koreacentral'
+ 'francecentral'
+ 'centralus'
+ 'eastus2'
+ 'eastasia'
+ 'westus'
+ 'southafricanorth'
+ 'northcentralus'
+ 'brazilsouth'
+ 'switzerlandnorth'
+ 'norwayeast'
+ 'norwaywest'
+ 'australiasoutheast'
+ 'australiacentral2'
+ 'germanywestcentral'
+ 'switzerlandwest'
+ 'uaecentral'
+ 'ukwest'
+ 'japanwest'
+ 'brazilsoutheast'
+ 'uaenorth'
+ 'australiacentral'
+ 'southindia'
+ 'westus3'
+ 'koreasouth'
+ 'swedencentral'
+ 'canadaeast'
+ 'jioindiacentral'
+ 'jioindiawest'
+ 'qatarcentral'
+ 'southafricawest'
+ 'germanynorth'
+ 'polandcentral'
+ 'israelcentral'
+ 'italynorth'
+ 'mexicocentral'
+ 'spaincentral'
+ 'newzealandnorth'
+ 'chilecentral'
+ 'indonesiacentral'
+ 'malaysiawest'
+])
+@metadata({
+ azd: {
+ type: 'location'
+ }
+})
 param location string
 @description('Whether the deployment is running on GitHub Actions')

From 10402cae4d17bbd91ea1469fc7f7fb5817a93e5c Mon Sep 17 00:00:00 2001
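Review bot: The Windows step still fetches pgvector by the mutable tag `v0.8.1` (`git clone --branch v0.8.1 ...`) and then compiles and installs the result into the CI database, so whatever that tag points to on the day of the run is what gets built; the same workflow pins `actions/cache` to a full commit SHA with a version comment (see the next patch in this series), and this build input deserves the same treatment. Replace the clone line with `git clone https://github.com/pgvector/pgvector.git` and add `git checkout <PGVECTOR_V0_8_1_COMMIT>  # v0.8.1` after the existing `cd pgvector` line, with the placeholder filled from the commit the tag pointed to when you verified it. The `run: |` script is shown in full here, but the following `(Linux) Install pgvector` step is outside the hunk; if it clones the same tag, pin it the same way.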
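Review bot: The new `@allowed([...])` on `location` carries only the comment `// microsoft.insights/components has restricted regions`, so a later maintainer cannot tell where the 52 entries came from or when they were last checked, and the list will silently reject new regions as Application Insights expands. Suggest widening the comment to record provenance and a refresh rule, e.g. `// Regions where microsoft.insights/components could be deployed as of <DATE>; refresh from the provider's published locations for that resource type before adding a region`. Since the parameter is described as the primary location for all resources, it is also worth a sentence noting that this constraint now governs every resource in the template, not just Application Insights.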
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 3 Oct 2025 12:51:56 -0700
Subject: [PATCH 05/10] Bump actions/cache from 4.2.3 to 4.3.0 (#272)

Bumps [actions/cache](https://github.com/actions/cache) from 4.2.3 to 4.3.0.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/5a3ec84eff668545956fd18022155c47e93e2684...0057852bfaa89a56745cba8c7296529d2fc39830)

---
updated-dependencies:
- dependency-name: actions/cache
dependency-version: 4.3.0
dependency-type: direct:production
update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/app-tests.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/app-tests.yaml b/.github/workflows/app-tests.yaml
index 5c6784a..acf59b6 100644
--- a/.github/workflows/app-tests.yaml
+++ b/.github/workflows/app-tests.yaml
@@ -115,7 +115,7 @@ jobs:
 npm run build
 - name: Setup mypy cache
- uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
 with:
 path: ./.mypy_cache
 key: mypy${{ matrix.os }}-${{ matrix.python_version }}-${{ hashFiles('requirements-dev.txt', 'src/backend/requirements.txt', 'src/backend/pyproject.toml') }}

From 67914cab3c8a29fcb51011b112763fe497e93650 Mon Sep 17 00:00:00 2001
From: Pamela Fox
Date: Fri, 3 Oct 2025 12:53:37 -0700
Subject: [PATCH 06/10] Configure Azure Developer Pipeline

From 31131cec2cf9aaaa88d7f5acb01eadbe97d63fab Mon Sep 17 00:00:00 2001
From: Pamela Fox
Date: Fri, 3 Oct 2025 14:07:44 -0700
Subject: [PATCH 07/10] Configure Azure Developer Pipeline

From a7e6cde8e34535ce859f09c0bee57cf6572154af Mon Sep 17 00:00:00 2001
From: Pamela Fox
Date: Fri, 3 Oct 2025 14:16:36 -0700
Subject: [PATCH 08/10] Get pipeline working (#275)

---
 .github/workflows/azure-dev.yaml | 15 +++++++++++++++
 AGENTS.md | 10 ++++++++++
 2 files changed, 25 insertions(+)
 create mode 100644 AGENTS.md

diff --git a/.github/workflows/azure-dev.yaml b/.github/workflows/azure-dev.yaml
index 6dc18f1..572d5e4 100644
--- a/.github/workflows/azure-dev.yaml
+++ b/.github/workflows/azure-dev.yaml
@@ -25,16 +25,31 @@ jobs:
 AZURE_ENV_NAME: ${{ vars.AZURE_ENV_NAME }}
 AZURE_LOCATION: ${{ vars.AZURE_LOCATION }}
 # project specific
+ SERVICE_WEB_RESOURCE_EXISTS: ${{ vars.SERVICE_WEB_RESOURCE_EXISTS }}
+ AZURE_OPENAI_LOCATION: ${{ vars.AZURE_OPENAI_LOCATION }}
 DEPLOY_AZURE_OPENAI: ${{ vars.DEPLOY_AZURE_OPENAI }}
+ AZURE_OPENAI_KEY: ${{ secrets.AZURE_OPENAI_KEY }}
+ AZURE_OPENAI_ENDPOINT: ${{ vars.AZURE_OPENAI_ENDPOINT }}
+ OPENAI_CHAT_HOST: ${{ vars.OPENAI_CHAT_HOST }}
 AZURE_OPENAI_CHAT_MODEL: ${{ vars.AZURE_OPENAI_CHAT_MODEL }}
 AZURE_OPENAI_CHAT_DEPLOYMENT: ${{ vars.AZURE_OPENAI_CHAT_DEPLOYMENT }}
 AZURE_OPENAI_CHAT_DEPLOYMENT_VERSION: ${{ vars.AZURE_OPENAI_CHAT_DEPLOYMENT_VERSION }}
+ AZURE_OPENAI_CHAT_DEPLOYMENT_SKU: ${{ vars.AZURE_OPENAI_CHAT_DEPLOYMENT_SKU }}
 AZURE_OPENAI_CHAT_DEPLOYMENT_CAPACITY: ${{ vars.AZURE_OPENAI_CHAT_DEPLOYMENT_CAPACITY }}
+ DEPLOY_EVAL_MODEL: ${{ vars.DEPLOY_EVAL_MODEL }}
+ AZURE_OPENAI_EVAL_MODEL: ${{ vars.AZURE_OPENAI_EVAL_MODEL }}
+ AZURE_OPENAI_EVAL_DEPLOYMENT: ${{ vars.AZURE_OPENAI_EVAL_DEPLOYMENT }}
+ AZURE_OPENAI_EVAL_DEPLOYMENT_VERSION: ${{ vars.AZURE_OPENAI_EVAL_DEPLOYMENT_VERSION }}
+ AZURE_OPENAI_EVAL_DEPLOYMENT_SKU: ${{ vars.AZURE_OPENAI_EVAL_DEPLOYMENT_SKU }}
+ AZURE_OPENAI_EVAL_DEPLOYMENT_CAPACITY: ${{ vars.AZURE_OPENAI_EVAL_DEPLOYMENT_CAPACITY }}
+ OPENAI_EMBED_HOST: ${{ vars.OPENAI_EMBED_HOST }}
 AZURE_OPENAI_EMBED_MODEL: ${{ vars.AZURE_OPENAI_EMBED_MODEL }}
 AZURE_OPENAI_EMBED_DEPLOYMENT: ${{ vars.AZURE_OPENAI_EMBED_DEPLOYMENT }}
 AZURE_OPENAI_EMBED_DEPLOYMENT_VERSION: ${{ vars.AZURE_OPENAI_EMBED_DEPLOYMENT_VERSION }}
+ AZURE_OPENAI_EMBED_DEPLOYMENT_SKU: ${{ vars.AZURE_OPENAI_EMBED_DEPLOYMENT_SKU }}
 AZURE_OPENAI_EMBED_DEPLOYMENT_CAPACITY: ${{ vars.AZURE_OPENAI_EMBED_DEPLOYMENT_CAPACITY }}
 AZURE_OPENAI_EMBED_DIMENSIONS: ${{ vars.AZURE_OPENAI_EMBED_DIMENSIONS }}
+ OPENAICOM_KEY: ${{ secrets.OPENAICOM_KEY }}
 USE_AI_PROJECT: ${{ vars.USE_AI_PROJECT }}
 steps:
 - name: Checkout
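Review bot: `AZURE_OPENAI_KEY: ${{ secrets.AZURE_OPENAI_KEY }}` and `OPENAICOM_KEY: ${{ secrets.OPENAICOM_KEY }}` are added to the job-level `env` map, so both API keys are exported into the process environment of every step in the job — including the third-party actions this workflow runs (checkout is visible at the end of the hunk, setup-azd and setup-node in the earlier patch of this series) — rather than only the step that invokes azd. Unless azd needs them in an earlier step, move the two `secrets.*` entries to a step-level `env:` on the provision/deploy step, or leave a comment next to them stating why they must be job-wide; the `env` map itself starts above the hunk. Separately, the AGENTS.md added in this same commit tells contributors to edit `.github/workflows/azure-dev.yml`, while the file patched here is `.github/workflows/azure-dev.yaml`.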
diff --git a/AGENTS.md b/AGENTS.md
new file mode 100644
index 0000000..ae38cbf
--- /dev/null
+++ b/AGENTS.md
@@ -0,0 +1,10 @@
+# Instructions for coding agents
+ ## Adding new azd environment variables
+ An azd environment variable is stored by the azd CLI for each environment. It is passed to the "azd up" command and can configure both provisioning options and application settings.
+When adding new azd environment variables, update:
+ 1. infra/main.parameters.json : Add the new parameter with a Bicep-friendly variable name and map to the new environment variable
+1. infra/main.bicep: Add the new Bicep parameter at the top, and add it to the `webAppEnv` object
+1. .github/workflows/azure-dev.yml: Add the new environment variable under `env` section. If it's a @secure variable in main.bicep, it should come from `secrets`, otherwise from `vars`.

From 9ce9723a32572e74964818da54bb19618f1d20be Mon Sep 17 00:00:00 2001
From: Pamela Fox
Date: Fri, 3 Oct 2025 14:17:11 -0700
Subject: [PATCH 09/10] Configure Azure Developer Pipeline

From c50a5a35437ecb91f2add961897bf95206a4a0ed Mon Sep 17 00:00:00 2001
From: Pamela Fox
Date: Fri, 3 Oct 2025 15:13:47 -0700
Subject: [PATCH 10/10] Use principalType consistently

---
 infra/main.bicep | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/infra/main.bicep b/infra/main.bicep
index 65795e3..b6e5d9a 100644
--- a/infra/main.bicep
+++ b/infra/main.bicep
@@ -207,6 +207,8 @@ param useAiProject bool = false
 param webAppExists bool = false
+var principalType = empty(runningOnGh) ? 'User' : 'ServicePrincipal'
+
 var resourceToken = toLower(uniqueString(subscription().id, name, location))
 var prefix = '${toLower(name)}-${resourceToken}'
 var tags = { 'azd-env-name': name }
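Review bot: `var principalType = empty(runningOnGh) ? 'User' : 'ServicePrincipal'` is introduced with no comment, yet it now decides the object type for every role assignment in the template and for the Postgres Entra administrator, so a reader has to find `runningOnGh` (described elsewhere in the file as "Whether the deployment is running on GitHub Actions") to understand it. Suggest `// Object type of the deploying identity: a user for local azd runs, a service principal when runningOnGh is set by the GitHub Actions workflow` directly above the var. Note also that the final hunk of this patch (`appInsightsReaderRole`) replaces a hard-coded `principalType: 'User'` with the derived value, so when deploying from GitHub Actions that assignment now targets a ServicePrincipal; that is a behavior change for the pipeline which the commit message ("Use principalType consistently") does not mention and which deserves a sentence there. The remaining hunks only swap the inline ternary for the shared var and need nothing further.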
@@ -219,8 +221,6 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 var postgresServerName = '${prefix}-postgresql'
 var postgresDatabaseName = 'postgres'
-var postgresEntraAdministratorObjectId = principalId
-var postgresEntraAdministratorType = empty(runningOnGh) ? 'User' : 'ServicePrincipal'
 var postgresEntraAdministratorName = 'admin${uniqueString(resourceGroup.id, principalId)}'
 module postgresServer 'core/database/postgresql/flexibleserver.bicep' = {
@@ -240,8 +240,8 @@ module postgresServer 'core/database/postgresql/flexibleserver.bicep' = {
 version: '15'
 authType: 'EntraOnly'
 entraAdministratorName: postgresEntraAdministratorName
- entraAdministratorObjectId: postgresEntraAdministratorObjectId
- entraAdministratorType: postgresEntraAdministratorType
+ entraAdministratorObjectId: principalId
+ entraAdministratorType: principalType
 allowAzureIPsFirewall: true
 allowAllIPsFirewall: true // Necessary for post-provision script, can be disabled after
 }
@@ -542,7 +542,7 @@ module ai 'core/ai/ai-foundry.bicep' = if (useAiProject) {
 projectName: 'aiproject-${resourceToken}'
 storageAccountName: storage.outputs.name
 principalId: principalId
- principalType: empty(runningOnGh) ? 'User' : 'ServicePrincipal'
+ principalType: principalType
 }
 }
@@ -553,7 +553,7 @@ module openAIRoleUser 'core/security/role.bicep' = {
 params: {
 principalId: principalId
 roleDefinitionId: '5e0bd9bd-7b93-4f28-af87-19fc36ad61bd' // Cognitive Services OpenAI User
- principalType: empty(runningOnGh) ? 'User' : 'ServicePrincipal'
+ principalType: principalType
 }
 }
@@ -563,7 +563,7 @@ module azureAiUserRole 'core/security/role.bicep' = if (useAiProject && resource
 params: {
 principalId: principalId
 roleDefinitionId: '53ca6127-db72-4b80-b1b0-d745d6d5456d' // Azure AI User
- principalType: empty(runningOnGh) ? 'User' : 'ServicePrincipal'
+ principalType: principalType
 }
 }
@@ -586,7 +586,7 @@ module appInsightsReaderRole 'core/security/role.bicep' = {
 params: {
 principalId: principalId
 roleDefinitionId: '43d0d8ad-25c7-4714-9337-8ba259a9fe05' // Application Insights Component Reader
- principalType: 'User'
+ principalType: principalType
 }
 }