feat(020): simplify nightly — single identity, mock Stripe, GH Action deploys infra#523
Merged
MikeWedderburn-Clarke merged 9 commits into main on Apr 12, 2026
Conversation
- Define nightly GitHub Actions workflow spec separate from existing CI/deploy
- Scheduled cron trigger (midnight UTC) with manual workflow_dispatch support
- Full CI validation suite gating: tokens → typecheck → lint → build → tests → bundle size → E2E → i18n → Storybook
- Docker image build, ACR push with nightly-specific tagging (date + commit)
- Dedicated nightly Azure Container App environment isolated from staging/production
- OIDC managed identity authentication pattern (Constitution XIV)
- Smoke tests against deployed nightly environment
- Concurrency controls, failure notifications, image traceability
- Specification quality checklist: all 16 items passing
Co-authored-by: MikeWedderburn-Clarke <5323631+MikeWedderburn-Clarke@users.noreply.github.com>
Co-authored-by: MikeWedderburn-Clarke <5323631+MikeWedderburn-Clarke@users.noreply.github.com>
Phase 0: Research (research.md) — 9 decisions covering cron scheduling, concurrency controls, trigger strategy, image tagging, workflow job structure, OIDC authentication architecture, Bicep infrastructure, smoke test strategy, and environment parameterisation.
Phase 1: Design artifacts:
- data-model.md: Infrastructure entities (resource group, managed identity, container app, database, key vault, storage, monitoring) and CI/CD configuration entities (GitHub environment, image tags, workflow definition)
- contracts/nightly-workflow.yml: Full YAML contract for the 3-job workflow (validate → build-and-push → deploy-nightly)
- contracts/infrastructure.md: Bicep parameter changes to make Front Door and Container Registry modules conditional
- quickstart.md: Step-by-step setup guide for provisioning nightly infrastructure, configuring GitHub environment, and verification
Agent context updated for GitHub Copilot.
Co-authored-by: MikeWedderburn-Clarke <5323631+MikeWedderburn-Clarke@users.noreply.github.com>
Agent-Logs-Url: https://github.com/microsoft/CommunityManagement-Sample-Spec-Kit/sessions/4340bc9a-676f-42ad-9871-e8f81d815c2c Co-authored-by: MikeWedderburn-Clarke <5323631+MikeWedderburn-Clarke@users.noreply.github.com>
…, and nightly parameters Agent-Logs-Url: https://github.com/microsoft/CommunityManagement-Sample-Spec-Kit/sessions/4340bc9a-676f-42ad-9871-e8f81d815c2c Co-authored-by: MikeWedderburn-Clarke <5323631+MikeWedderburn-Clarke@users.noreply.github.com>
Agent-Logs-Url: https://github.com/microsoft/CommunityManagement-Sample-Spec-Kit/sessions/4340bc9a-676f-42ad-9871-e8f81d815c2c Co-authored-by: MikeWedderburn-Clarke <5323631+MikeWedderburn-Clarke@users.noreply.github.com>
…ightly-publish/ Agent-Logs-Url: https://github.com/microsoft/CommunityManagement-Sample-Spec-Kit/sessions/22fd65fe-319e-4b7c-9a31-a33ff81c99e7 Co-authored-by: MikeWedderburn-Clarke <5323631+MikeWedderburn-Clarke@users.noreply.github.com>
… deploys infra
- Use single nightly managed identity for all jobs (no staging identity dependency)
- All Azure jobs use `environment: nightly` with one OIDC FIC
- Deploy job runs full Bicep deployment (GH Action creates all infrastructure)
- Hardcode mock Stripe keys in nightly params (sk_test_nightly_mock_...)
- Hardcode mock Entra IDs (no real Entra app registration needed)
- Add deployDbWakeRole param to skip subscription-scoped custom role
- Rewrite quickstart.md with minimal copy-paste manual steps
- Reduce GitHub secrets from 5+Stripe to 5 total
Agent-Logs-Url: https://github.com/microsoft/CommunityManagement-Sample-Spec-Kit/sessions/ebe70735-7fea-44ed-ae3d-80cbd2c5e986
Co-authored-by: MikeWedderburn-Clarke <5323631+MikeWedderburn-Clarke@users.noreply.github.com>
Copilot created this pull request from a session on behalf of MikeWedderburn-Clarke, April 12, 2026 17:29

MikeWedderburn-Clarke (Member):
@copilot resolve conflicts and merge
…publishing-gh-actions
# Conflicts:
# .github/agents/copilot-instructions.md
Co-authored-by: MikeWedderburn-Clarke <5323631+MikeWedderburn-Clarke@users.noreply.github.com>
Copilot (Contributor, Author):
Resolved the merge conflict in
Eliminates staging identity dependency and Stripe/Entra requirements from nightly builds. The GH Action now deploys all infrastructure via Bicep; manual Azure setup is reduced to identity + OIDC + role assignments (~5 min).
Workflow (nightly.yml)
- Single `AZURE_CLIENT_ID_NIGHTLY` identity for all jobs (build-and-push + deploy)
- `environment: nightly` on every Azure job → one OIDC FIC instead of two
- `deploy` job runs `az deployment group create` with Bicep before smoke tests
- Removed workflow-level `env.REGISTRY` (incompatible with environment-scoped secrets)

Bicep
- `deployDbWakeRole` param on `database.bicep` (default `true`) — skips subscription-scoped custom role creation when the deploying identity only has RG-scoped Owner
- `main.bicep` passes the param through to the database module; backward-compatible

Nightly parameters
- Mock Stripe keys (`sk_test_nightly_mock_...`) and zero-UUID Entra IDs — pass Zod validation, no real accounts needed
- Removed `${...}` env var references (unsupported by the `az` CLI; they only work with `azd`)
- `deployDbWakeRole: false`

GitHub secrets (5 total)
`AZURE_CLIENT_ID_NIGHTLY`, `AZURE_TENANT_ID`, `AZURE_SUBSCRIPTION_ID`, `AZURE_CONTAINER_REGISTRY`, `DB_ADMIN_PASSWORD`

Quickstart (quickstart.md)
Rewritten as a single copy-paste shell script covering: RG → identity → FIC → Owner on RG → AcrPush/AcrPull on shared ACR → print secret values.
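As an added illustration (not the project's own nightly.yml), the trimmed workflow below shows the single-identity OIDC pattern summarised in the Workflow section: one `environment: nightly` federated credential, the five secrets listed above read only inside environment-bound jobs, and an RG-scoped `az deployment group create` ahead of the smoke tests. The job names `build-and-push` and `deploy` and the secret names come from this PR; the image name `app`, the resource group `rg-nightly`, the paths `infra/main.bicep`, `infra/nightly.parameters.json` and `scripts/smoke.sh`, the Bicep parameters `imageTag` and `dbAdminPassword`, and the assumption that `AZURE_CONTAINER_REGISTRY` holds the registry name (not the login server) are all assumptions made for the example.

```yaml
# Added example, not the project's nightly.yml. Paths, resource-group name,
# image name and Bicep parameter names below are assumptions.
name: nightly

on:
  schedule:
    - cron: "0 0 * * *"        # midnight UTC
  workflow_dispatch:           # manual re-run without waiting for the cron

# One nightly run at a time; a half-finished deployment is never cancelled.
concurrency:
  group: nightly
  cancel-in-progress: false

# Least privilege: the short-lived OIDC token is the only credential the
# workflow holds. No long-lived client secret is stored anywhere.
permissions:
  contents: read
  id-token: write

# Deliberately no workflow-level `env:` reading `secrets.*`: environment-scoped
# secrets only resolve inside a job that declares `environment: nightly`.

jobs:
  build-and-push:
    runs-on: ubuntu-latest
    environment: nightly        # federated credential subject: repo:<org>/<repo>:environment:nightly
    outputs:
      image_tag: ${{ steps.tag.outputs.value }}
    steps:
      - uses: actions/checkout@v4

      - name: Compute nightly tag (date + short commit) for image traceability
        id: tag
        run: echo "value=nightly-$(date -u +%Y%m%d)-${GITHUB_SHA::8}" >> "$GITHUB_OUTPUT"

      - uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID_NIGHTLY }}   # same identity in every Azure job
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      - name: Build and push image (identity needs AcrPush on the shared ACR)
        env:
          REGISTRY: ${{ secrets.AZURE_CONTAINER_REGISTRY }}  # job-level env, so the environment secret resolves
          TAG: ${{ steps.tag.outputs.value }}
        run: |
          az acr login --name "$REGISTRY"
          docker build -t "$REGISTRY.azurecr.io/app:$TAG" .
          docker push "$REGISTRY.azurecr.io/app:$TAG"

  deploy:
    needs: build-and-push
    runs-on: ubuntu-latest
    environment: nightly
    steps:
      - uses: actions/checkout@v4

      - uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID_NIGHTLY }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      # Resource-group-scoped deployment: Owner on rg-nightly is sufficient
      # because the nightly parameters set deployDbWakeRole: false, so Bicep
      # never attempts the subscription-scoped custom role.
      - name: Deploy infrastructure with Bicep
        env:
          DB_ADMIN_PASSWORD: ${{ secrets.DB_ADMIN_PASSWORD }}  # passed via env, not pasted into the script
          IMAGE_TAG: ${{ needs.build-and-push.outputs.image_tag }}
        run: |
          az deployment group create \
            --resource-group rg-nightly \
            --template-file infra/main.bicep \
            --parameters infra/nightly.parameters.json \
            --parameters imageTag="$IMAGE_TAG" dbAdminPassword="$DB_ADMIN_PASSWORD"

      - name: Smoke tests against the deployed nightly environment
        run: ./scripts/smoke.sh
```

Two checks worth keeping in mind with this layout: if `azure/login` reports that no matching federated identity record was found, the credential's subject claim does not match the job's `environment: nightly` binding (a job without `environment:` presents a different subject), and if `$REGISTRY` is empty at runtime, a secret is being read at workflow level instead of inside an environment-bound job.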