From 5f932b3ba4a5aad940e123312e9e6e2da61a103c Mon Sep 17 00:00:00 2001
From: Daniel McIlvaney
Date: Fri, 15 May 2026 09:12:32 -0700
Subject: [PATCH] chore: pin azldev version via `.azldev-version` file

---
 .azldev-version | 1 +
 .../pr-check-workflows.instructions.md | 3 ++-
 .github/workflows/ado/sources-upload.yml | 1 -
 .../ado/templates/sources-upload-stages.yml | 7 +++----
 .github/workflows/check-rendered-specs.yml | 2 ++
 .../workflows/containers/azldev-runner.Dockerfile | 14 ++++++++------
 .github/workflows/lint.yaml | 4 ++--
 DEVELOPING.md | 2 +-
 8 files changed, 19 insertions(+), 15 deletions(-)
 create mode 100644 .azldev-version

diff --git a/.azldev-version b/.azldev-version
new file mode 100644
index 00000000000..4fadd5328ed
--- /dev/null
+++ b/.azldev-version
@@ -0,0 +1 @@
+ab4a1581cd1d793ff800240f3c14062849675057
diff --git a/.github/instructions/pr-check-workflows.instructions.md b/.github/instructions/pr-check-workflows.instructions.md
index 95464fdb8f4..c2f0acf559b 100644
--- a/.github/instructions/pr-check-workflows.instructions.md
+++ b/.github/instructions/pr-check-workflows.instructions.md
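Review bot: The new file holds a bare 40-hex commit SHA, which is the right shape for this pin: `go install …@<sha>` resolves to an immutable commit, whereas a tag or branch name is re-resolved on every build and would quietly reintroduce the moving target this commit removes. Every consumer in the patch reads the file with `$(cat .azldev-version)` and splices the result straight into the `go install` argument, so the file has to remain a single bare ref — no comment lines, no second line, no CRLF. That contract is stated nowhere; I would record it where the pin is documented, e.g. in the PR-check instructions: `.azldev-version contains exactly one full commit SHA and nothing else; CI cats it verbatim into go install, so tags, branches and comments are not supported.`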
@@ -31,7 +31,7 @@ If the check builds, renders, or runs PR code, do the whole thing inside the bui The shared runner image is [`.github/workflows/containers/azldev-runner.Dockerfile`](../workflows/containers/azldev-runner.Dockerfile). It's a minimal Azure Linux base with `mock`, `git`, `python3`, `sudo`, and `azldev` itself (installed to `/usr/local/bin` during image build) — enough to run any `azldev` subcommand. Reuse it rather than building a per-check image; add extras via a derived `FROM localhost/azldev-runner` stage if a check genuinely needs more. -`azldev` is baked in via `go install …/azldev@main` during image build. The pin lives in the Dockerfile so it can be reviewed and bumped deliberately. Image build context is `.github/workflows/containers/` only — keep it that way so the build can never see PR-controlled files. +`azldev` is baked in via `go install` during image build. The version is pinned in `.azldev-version` at the repo root and passed to the Dockerfile as `--build-arg AZLDEV_VERSION=…`. All CI workflows (GH Actions, ADO, Dockerfile) read from the same file. Image build context is `.github/workflows/containers/` only — keep it that way so the build can never see PR-controlled files. Build it with the caller's UID so bind-mounted writes don't end up root-owned: @@ -40,6 +40,7 @@ Build it with the caller's UID so bind-mounted writes don't end up root-owned: run: | docker build \ --build-arg UID=$(id -u) \ + --build-arg AZLDEV_VERSION="$(cat .azldev-version)" \ -t localhost/azldev-runner \ -f .github/workflows/containers/azldev-runner.Dockerfile \ .github/workflows/containers/ diff --git a/.github/workflows/ado/sources-upload.yml b/.github/workflows/ado/sources-upload.yml index 81fbf1c1015..778444887d7 100644 --- a/.github/workflows/ado/sources-upload.yml +++ b/.github/workflows/ado/sources-upload.yml 
@@ -32,7 +32,6 @@ # Required variables: # - ApiAudience : Entra ID audience URI for the Control Tower app # - ApiBaseDirectUrl : Direct base URL of the Control Tower APIM endpoint (bypasses Azure Front Door) -# - AzldevCommit : Commit hash for azldev (go install ...@) # Trigger controlled by ADO branch policy — not YAML triggers. trigger: none diff --git a/.github/workflows/ado/templates/sources-upload-stages.yml b/.github/workflows/ado/templates/sources-upload-stages.yml index 644ca1e88db..cb9707fd7a2 100644 --- a/.github/workflows/ado/templates/sources-upload-stages.yml +++ b/.github/workflows/ado/templates/sources-upload-stages.yml @@ -101,8 +101,9 @@ stages: echo "##[endgroup]" echo "##[group]Azldev" - echo "Installing azldev@${AZLDEV_COMMIT}..." - go install "github.com/microsoft/azure-linux-dev-tools/cmd/azldev@${AZLDEV_COMMIT}" + AZLDEV_VERSION=$(cat .azldev-version) + echo "Installing azldev@${AZLDEV_VERSION}..." + go install "github.com/microsoft/azure-linux-dev-tools/cmd/azldev@${AZLDEV_VERSION}" go_bin_path="$(go env GOPATH)/bin" echo "##vso[task.prependpath]$go_bin_path" @@ -114,8 +115,6 @@ stages: pip install -r .github/workflows/scripts/control-tower/requirements.txt echo "##[endgroup]" displayName: "Install dependencies" - env: - AZLDEV_COMMIT: $(AzldevCommit) # Verify lock files are current. --check-only validates without # writing, exits nonzero if any lock would change. diff --git a/.github/workflows/check-rendered-specs.yml b/.github/workflows/check-rendered-specs.yml index 5c2f9688664..ab312357aab 100644 --- a/.github/workflows/check-rendered-specs.yml +++ b/.github/workflows/check-rendered-specs.yml @@ -77,6 +77,7 @@ jobs: run: | docker build \ --build-arg UID=$(id -u) \ + --build-arg AZLDEV_VERSION="$(cat .azldev-version)" \ -t localhost/azldev-runner \ -f .github/workflows/containers/azldev-runner.Dockerfile \ .github/workflows/containers/ 
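Review bot: `AZLDEV_VERSION=$(cat .azldev-version)` moves the choice of which azldev commit this pipeline executes from the `AzldevCommit` pipeline variable, which only pipeline administrators could set, into the checked-out repository contents. The pipeline header says the trigger is controlled by ADO branch policy; if that means build validation on PR source, a PR author can now point the file at any ref in microsoft/azure-linux-dev-tools (including `main` or an older commit) and have it run inside a job that, per the same header, authenticates to the Control Tower API — I cannot see the checkout or policy configuration from here, so please confirm which refs this runs on. If PR-time execution is possible, gate the value before the install with something POSIX-safe such as `echo "$AZLDEV_VERSION" | grep -Eq '^[0-9a-f]{40}$' || { echo "ERROR: .azldev-version must be a full commit SHA" >&2; exit 1; }`, and consider a CODEOWNERS entry for `.azldev-version`. The script step this hunk edits starts and ends outside the hunk.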
@@ -238,6 +239,7 @@ jobs:
 run: |
 docker build \
 --build-arg UID=$(id -u) \
+ --build-arg AZLDEV_VERSION="$(cat .azldev-version)" \
 -t localhost/azldev-runner \
 -f .github/workflows/containers/azldev-runner.Dockerfile \
 .github/workflows/containers/
diff --git a/.github/workflows/containers/azldev-runner.Dockerfile b/.github/workflows/containers/azldev-runner.Dockerfile
index 494d896eaab..7f733883e4e 100644
--- a/.github/workflows/containers/azldev-runner.Dockerfile
+++ b/.github/workflows/containers/azldev-runner.Dockerfile
@@ -35,12 +35,14 @@ RUN tdnf -y install \
 symcrypt-openssl \
 && tdnf clean all
 
-# TODO: pin to a tagged release once azure-linux-dev-tools cuts one.
-# `@main` is a moving target — fine while azldev is pre-1.0 and we want
-# CI to track upstream, but we should swap to `@vX.Y.Z` (and bump it
-# deliberately) once the tool stabilizes. ADO #18834
-RUN GOBIN=/usr/local/bin go install \
- github.com/microsoft/azure-linux-dev-tools/cmd/azldev@main \
+# The version is passed in as a build arg from .azldev-version in the repo
+# root. Callers (check-rendered-specs.yml, etc.) read the file and pass it
+# via --build-arg so the Dockerfile never needs repo-root build context.
+# No default — omitting --build-arg will fail the build loudly.
+ARG AZLDEV_VERSION
+RUN test -n "${AZLDEV_VERSION}" || { echo "ERROR: AZLDEV_VERSION build-arg is required (read from .azldev-version)" >&2; exit 1; } \
+ && GOBIN=/usr/local/bin go install \
+ "github.com/microsoft/azure-linux-dev-tools/cmd/azldev@${AZLDEV_VERSION}" \
 && rm -rf /root/go /root/.cache
 
 ARG UID=1000
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index 2ea5eeb3199..42c9c864146 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
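Review bot: The `test -n "${AZLDEV_VERSION}"` guard only rejects an empty build-arg; it accepts `main`, a branch or a tag, so the pin the new comment describes is not enforced by the image build — `--build-arg AZLDEV_VERSION=main` (or that value landing in `.azldev-version`) silently brings back the moving target the removed TODO warned about. Since the file holds a full commit SHA, have the Dockerfile require that shape, replacing the first line of the `RUN` with `RUN [ "${#AZLDEV_VERSION}" -eq 40 ] && case "$AZLDEV_VERSION" in *[!0-9a-f]*) false;; esac || { echo "ERROR: AZLDEV_VERSION must be a full 40-hex commit SHA (from .azldev-version)" >&2; exit 1; } \` and leaving the rest of the instruction as is; the shell, not the Dockerfile parser, expands `${#…}` in `RUN`, and the check needs no extra tool in the image. The `ARG` is correctly placed immediately before the `RUN` that uses it, so a pin bump invalidates only the install layer and the tdnf layer above stays cached. Build-arg values are recorded in `docker history`, which is acceptable here because the SHA is not sensitive.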
@@ -30,8 +30,8 @@ jobs: cache: false - name: Install azldev - run: go install github.com/microsoft/azure-linux-dev-tools/cmd/azldev@main + run: | + go install "github.com/microsoft/azure-linux-dev-tools/cmd/azldev@$(cat .azldev-version)" - name: "Validate config (strict)" run: azldev config dump > /dev/null - \ No newline at end of file diff --git a/DEVELOPING.md b/DEVELOPING.md index c7dd67446f9..3ed74ea6642 100644 --- a/DEVELOPING.md +++ b/DEVELOPING.md @@ -7,7 +7,7 @@ The [`azldev`](https://github.com/microsoft/azure-linux-dev-tools) CLI tool drives all component, image, and build workflows. Install it from source (requires Go): ```bash -go install github.com/microsoft/azure-linux-dev-tools/cmd/azldev@main +go install "github.com/microsoft/azure-linux-dev-tools/cmd/azldev@$(cat .azldev-version)" ``` > **Note:** azldev is still in active development, using the latest commit from the `main` branch is recommended for the most up-to-date features and fixes.