feat: update publish from tag with token replacement (#1068)

## Description Add telemetry token replacement to publish from tag pipeline Tested by: 1. enforce publishing of a new tag 2. run the publish from tag pipeline on the new tag > Note: the publish from tag source code (e.g. `Publish-ModuleFromTagToPBR.ps1` script) is loaded from the codebase of the published tag. This means this new pipeline cannot be run for older module tags ## Pipeline Reference  | Pipeline | | -------- | | [![avm.platform.publish-tag](https://github.com/eriqua/bicep-registry-modules/actions/workflows/avm.platform.publish-tag.yml/badge.svg)](https://github.com/eriqua/bicep-registry-modules/actions/workflows/avm.platform.publish-tag.yml) (test from main, failure on the validation step as expected from a fork) | Ref to test run for token replacement logs https://github.com/eriqua/bicep-registry-modules/actions/runs/8048795026/job/21980879825#step:7:59 ## Type of Change  - [x] Update to CI Environment or utlities (Non-module effecting changes) - [ ] Azure Verified Module updates: - [ ] Bugfix containing backwards compatible bug fixes, and I have NOT bumped the MAJOR or MINOR version in `version.json`: - [ ] Someone has opened a bug report issue, and I have included "Closes #{bug_report_issue_number}" in the PR description. - [ ] The bug was found by the module author, and no one has opened an issue to report it yet. - [ ] Feature update backwards compatible feature updates, and I have bumped the MINOR version in `version.json`. - [ ] Breaking changes and I have bumped the MAJOR version in `version.json`. - [ ] Update to documentation ## Checklist - [x] I'm sure there are no other open Pull Requests for the same update/change - [ ] I have run `Set-AVMModule` locally to generate the supporting module files. - [ ] My corresponding pipelines / checks run clean and green without any errors or warnings
Azure · Feb 26, 2024 · 8932b7d · 8932b7d
1 parent 3d24028
commit 8932b7d
Show file tree

Hide file tree

Showing 2 changed files with 67 additions and 6 deletions.
diff --git a/.github/workflows/avm.platform.publish-tag.yml b/.github/workflows/avm.platform.publish-tag.yml
@@ -22,12 +22,15 @@ jobs:
         with:
           ref: ${{ github.event.inputs.tag }}
 
+      - name: Set environment
+        uses: ./.github/actions/templates/avm-setEnvironment
+
       - name: Log in to Azure
         uses: azure/login@v1
         with:
-          client-id: ${{ env.PUBLISH_CLIENT_ID }}
-          tenant-id: ${{ env.PUBLISH_TENANT_ID }}
-          subscription-id: ${{ env.PUBLISH_SUBSCRIPTION_ID }}
+          client-id: "${{ secrets.PUBLISH_CLIENT_ID }}"
+          tenant-id: "${{ secrets.PUBLISH_TENANT_ID }}"
+          subscription-id: "${{ secrets.PUBLISH_SUBSCRIPTION_ID }}"
 
       # Adding a step to explicitly install the latest Bicep CLI because there is
       # always a delay in updating Bicep CLI in the job runner environments.
@@ -40,6 +43,7 @@ jobs:
           bicep --version
 
       - name: "Publish tagged module to public bicep registry"
+        id: publish_tag
         uses: azure/powershell@v1
         with:
           azPSVersion: "latest"
@@ -59,6 +63,33 @@ jobs:
             Write-Verbose 'Invoke function with' -Verbose
             Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose
 
-            Publish-ModuleFromTagToPBR @functionInput -Verbose
+            if($publishOutputs = Publish-ModuleFromTagToPBR @functionInput -Verbose) {
+              Write-Output ('{0}={1}' -f 'version', $publishOutputs.version) >> $env:GITHUB_OUTPUT
+              Write-Output ('{0}={1}' -f 'publishedModuleName', $publishOutputs.publishedModuleName) >> $env:GITHUB_OUTPUT
+            }
+
+            Write-Output '::endgroup::'
+
+      - name: "Validate publish"
+        uses: azure/powershell@v1
+        if: ${{ steps.publish_tag.outputs.version != '' && steps.publish_tag.outputs.publishedModuleName != '' }}
+        with:
+          azPSVersion: "latest"
+          inlineScript: |
+            # Grouping task logs
+            Write-Output '::group::Validate publish'
+
+            # Load used functions
+            . (Join-Path $env:GITHUB_WORKSPACE 'avm' 'utilities' 'pipelines'  'publish' 'Confirm-ModuleIsPublished.ps1')
+
+            $functionInput = @{
+              Version             = "${{ steps.publish_tag.outputs.version }}"
+              PublishedModuleName = "${{ steps.publish_tag.outputs.publishedModuleName }}"
+            }
+
+            Write-Verbose "Invoke function with" -Verbose
+            Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose
+
+            Confirm-ModuleIsPublished @functionInput
 
             Write-Output '::endgroup::'
diff --git a/avm/utilities/pipelines/platform/Publish-ModuleFromTagToPBR.ps1 b/avm/utilities/pipelines/platform/Publish-ModuleFromTagToPBR.ps1
@@ -35,20 +35,45 @@ function Publish-ModuleFromTagToPBR {
 
   # Load used functions
   . (Join-Path $RepoRoot 'avm' 'utilities' 'pipelines' 'publish' 'helper' 'Get-ModuleReadmeLink.ps1')
+  . (Join-Path $RepoRoot 'avm' 'utilities' 'pipelines' 'sharedScripts' 'tokenReplacement' 'Convert-TokensInFileList.ps1')
 
   # 1. Extract information from the tag
   $targetVersion = Split-Path $ModuleReleaseTagName -Leaf
+  Write-Verbose "Version: [$targetVersion]" -Verbose
   $moduleRelativeFolderPath = $ModuleReleaseTagName -replace "\/$targetVersion$", ''
-  $moduleFolderPath = Join-Path $repositoryRoot $moduleRelativeFolderPath
+  Write-Verbose "Module: [$moduleRelativeFolderPath]" -Verbose
+  $moduleFolderPath = Join-Path $RepoRoot $moduleRelativeFolderPath
   $moduleBicepFilePath = Join-Path $moduleFolderPath 'main.bicep'
   Write-Verbose "Determined Bicep template path [$moduleBicepFilePath]"
 
   # 2. Get the documentation link
   $documentationUri = Get-ModuleReadmeLink -TagName $ModuleReleaseTagName -ModuleFolderPath $moduleFolderPath
   Write-Verbose "Determined documentation URI [$documentationUri]"
 
+  # 3. Replace telemetry version value (in Bicep)
+  $tokenConfiguration = @{
+    FilePathList   = @($moduleBicepFilePath)
+    AbsoluteTokens = @{
+      '-..--..-' = $targetVersion
+    }
+  }
+  Write-Verbose "Convert Tokens Input:`n $($tokenConfiguration | ConvertTo-Json -Depth 10)" -Verbose
+  $null = Convert-TokensInFileList @tokenConfiguration
+
+  # Double-check that tokens are correctly replaced
+  $templateContent = Get-Content -Path $moduleBicepFilePath
+  $incorrectLines = @()
+  for ($index = 0; $index -lt $templateContent.Count; $index++) {
+    if ($templateContent[$index] -match '-..--..-') {
+      $incorrectLines += ('You have the token [{0}] in line [{1}] of file [{2}]. Please seek advice from the AVM team.' -f $matches[0], ($index + 1), $moduleBicepFilePath)
+    }
+  }
+  if ($incorrectLines) {
+    throw ($incorrectLines | ConvertTo-Json)
+  }
+
   ###################
-  ## 3.  Publish   ##
+  ## 4.  Publish   ##
   ###################
   $plainPublicRegistryServer = ConvertFrom-SecureString $PublicRegistryServer -AsPlainText
 
@@ -65,4 +90,9 @@ function Publish-ModuleFromTagToPBR {
   if ($PSCmdlet.ShouldProcess("Module of tag [$ModuleReleaseTagName]", "Publish")) {
     bicep publish @publishInput
   }
+
+  return @{
+    version             = $targetVersion
+    publishedModuleName = $moduleRelativeFolderPath
+  }
 }