[DevOps] PR Builds: PR deployment and cleanup workflows

[flanakin]

🛠️ Description

Adds two GitHub Actions workflows for per-PR template deployment CI:

ftk-pr-deploy.yml

• Triggers on PRs that change src/templates/** files (excluding docs/tests)
• Parses PR body checkboxes (from [DevOps] PR Builds: Add deployment checkboxes to PR template #2031) to determine which deployments to run
• 6 deployment variants run in parallel with isolated resource groups (pr-{number}-{variant}):
  • Hubs with ADX (managed exports)
  • Hubs with Fabric (manual exports)
  • Hubs storage-only (manual exports)
  • Hubs storage-only (no data)
  • Workbooks
  • Alerts
• Posts PR comments with deployment status and Azure portal links
• Supports fork PRs via Needs: Deployment label + pull_request_target (verifies no .github/ modifications)
• Concurrency group cancels in-progress deployments on new pushes

ftk-pr-cleanup.yml

• Triggers on PR close (merged or not)
• Deletes all resource groups matching pr-{number}-*
• Posts cleanup confirmation comment
• Creates a GitHub issue assigned to the PR author if cleanup fails

Dependencies

• PR A ([DevOps] PR Builds: Add PR deployment support to Deploy-Hub #2030): Deploy-Hub -PR, -Scope, -ManagedExports parameters
• PR B ([DevOps] PR Builds: Add deployment checkboxes to PR template #2031): PR template deployment checkboxes
• PR C ([DevOps] PR Builds: Create Initialize-CI script to setup CI #2032): Initialize-CI.ps1 for one-time environment setup

This is PR D (final) of a multi-PR effort to add per-PR deployment CI.

📋 Checklist

🔬 How did you test this change?

• 🤏 Lint tests
• 🤞 PS -WhatIf / az validate
• 👍 Manually deployed + verified
• 💪 Unit tests
• 🙌 Integration tests

📦 Deploy to test?

• Hubs + ADX (managed)
• Hubs + Fabric (manual) — URI:
• Hubs (manual)
• Hubs (no data)
• Workbooks
• Alerts

🙋‍♀️ Do any of the following that apply?

• 🚨 This is a breaking change.
• 🤏 The change is less than 20 lines of code.

📑 Did you update docs/changelog.md?

• ✅ Updated changelog (required for dev PRs)
• ➡️ Will add log in a future PR (feature branch PRs only)
• ❎ Log not needed (small/internal change)

📖 Did you update documentation?

• ✅ Public docs in docs (required for dev)
• ✅ Public docs in docs-mslearn (required for dev)
• ✅ Internal dev docs in docs-wiki (required for dev)
• ✅ Internal dev docs in src (required for dev)
• ➡️ Will add docs in a future PR (feature branch PRs only)
• ❎ Docs not needed (small/internal change)

[Copilot]

Pull request overview

Adds GitHub Actions workflows to support per-PR Azure template deployments (FinOps hubs + variants, workbooks, alerts) and automatic cleanup of PR-specific resource groups, aligning with the toolkit’s CI automation goals for validating src/templates/** changes.

Changes:

• Introduces ftk-pr-deploy.yml to parse PR-body deployment checkboxes and run selected deployments with PR-scoped resource groups.
• Introduces ftk-pr-cleanup.yml to delete PR-scoped resource groups on PR close and notify via PR comment / issue on failure.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 10 comments.

File	Description
.github/workflows/ftk-pr-deploy.yml	New per-PR deployment workflow (checkbox parsing, fork label gating, parallel deployment jobs, PR comments).
.github/workflows/ftk-pr-cleanup.yml	New cleanup workflow to remove pr-{number}-* resource groups and report failures.

[flanakin]

🤖 [AI][Claude] PR Update Summary

Addressed: 9 thread(s)

• ✅ Implemented: 6
• 🤔 Needs discussion: 3

Changes:

• Tightened pull_request_target condition to only fire on Needs: Deployment label
• Expanded fork safety check to also block src/scripts/ changes (security)
• Added Fabric URI validation as first step in deploy-fabric job (fail fast)
• Changed cleanup trigger to pull_request_target for fork PR secret access
• Added -ErrorAction Stop to Remove-AzResourceGroup for proper try/catch behavior
• Split issue creation and assignee into separate steps with fallback for external contributors

Push-backs (code already correct):

• grep + escaping — patterns already use \+ which is correct in ERE
• PR body injection — already using env: var, not inlined in shell
• Deploy-Hub params dependency — known, covered by draft status

[flanakin]

🤖 [AI][Claude] PR Update Summary

Addressed: 5 thread(s)

• ✅ Implemented: 5

1. Fixed fabric-uri script injection — passed via env var instead of direct interpolation
2. Added environment approval gate comment for fork PR security (ftk-pr must have required reviewers)
3. Extracted Az module install to check-options with caching; deployment jobs restore from cache
4. Added timeout-minutes: 60 to all deployment jobs
5. Centralized Az module versions as workflow-level env vars

Also updated all Deploy-Hub calls to use -PR {number} -Name "{variant}" per PR #2030 changes.

[flanakin]

Pending environment setup and testing...

@MSBrett I need your help here. Let's chat.

[MSBrett]

Security review — fork PR deployment safety

CI is green and the workflow design is solid, but we found a critical security gap in the fork PR safety check that needs addressing before merge.

Blocker: fork PRs can deploy arbitrary code via src/templates/ modifications

File: .github/workflows/ftk-pr-deploy.yml (~line 67-80)

The pull_request_target safety check blocks .github/ and src/scripts/ but not src/templates/. Since deploy jobs check out github.event.pull_request.head.sha, a fork PR can modify Bicep templates and inject a Microsoft.Resources/deploymentScripts resource that runs arbitrary PowerShell with the hub managed identity / OIDC credentials.

The workflow comment states that the ftk-pr environment requires reviewers, but the environment currently has zero protection rules (verified via gh api repos/microsoft/finops-toolkit/environments/ftk-pr --jq ".protection_rules").

Suggested fix

Replace the existing fork safety step with one that also blocks src/templates/ modifications and verifies environment protection:

      - name: Verify fork PR safety
        if: github.event.pull_request.head.repo.full_name != github.repository
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          # 1. Block fork PRs from modifying privileged paths
          CHANGED_FILES=$(gh pr diff ${{ github.event.pull_request.number }} --name-only)
          if echo "$CHANGED_FILES" | grep -E '^(\.github/|src/scripts/|src/templates/)' > /dev/null; then
            echo '::error::Fork PRs may not modify .github/, src/scripts/, or src/templates/ when using PR deployment workflows.'
            exit 1
          fi
          # 2. Refuse to deploy if ftk-pr environment lacks required reviewers
          protection=$(gh api repos/${{ github.repository }}/environments/ftk-pr --jq '.protection_rules | length')
          if [ "$protection" = '0' ]; then
            echo '::error::ftk-pr environment has no protection rules. Configure required reviewers before fork PR deployment is permitted.'
            exit 1
          fi

Alternative (preferred): configure the ftk-pr GitHub Environment with required reviewers — that single setting eliminates the blocker without code changes. The workflow comment already documents this requirement; it just is not enforced. The code fix above is defense-in-depth.

Non-blocking recommendations

• Add Fabric URI format validation before passing to Deploy-Hub
• Add concurrency block to ftk-pr-cleanup.yml

Clean checks

• Permissions least-privilege ✓
• PR body parsing safe (env passthrough, no shell interpolation) ✓
• RG naming safe ✓
• Cleanup author assignment verified ✓
• Targets dev ✓, size within limits (2 files, ~522 LOC) ✓

[microsoft-github-policy-service]

@@flanakin: you have some new feedback!

Please review and resolve all comments and I'll let reviewers know by removing the Needs: Attention label. If I miss anything, just reply with #needs-review and I'll update the status.