Add workflow to sync contrib resource types and publish Bicep extensions

[kachawla]

Overview

Today the radius Bicep extension is published to biceptypes.azurecr.io via the existing build-and-push-bicep-types job in build.yaml, which dispatches to the radius-publisher pipeline on every push to main and on version tag pushes. With #11915 updating make generate-bicep-types to include contrib types, the existing publish pipeline automatically produces the combined extension -- no new publish workflow is needed.

However, there is no automation to pull updated resource type manifests from resource-types-contrib into this repo. When someone merges a schema change or a new resource type in contrib, the manifest copies committed under deploy/manifest/built-in-providers/ must be refreshed manually via make update-resource-types before the next publish picks them up.

This PR adds a workflow that closes that gap by automating the manifest sync.

How it works

resource-types-contrib merges to main
  |
  +--> notify-radius.yaml (contrib repo, PR 4) fires repository_dispatch
         |
         +--> contrib-update-resource-types.yaml (this PR) receives dispatch
                |
                +--> Runs 'make update-resource-types' to refresh manifest copies
                +--> Opens/updates PR on bot/update-resource-types branch
                       |
                       +--> Human reviews and merges the PR
                              |
                              +--> Push to main triggers build.yaml's existing
                                   build-and-push-bicep-types job
                                     |
                                     +--> Dispatches to radius-publisher
                                     +--> radius-publisher runs make generate-bicep-types
                                          (now includes contrib) and publishes
                                          radius:latest to biceptypes.azurecr.io

What this PR adds

contrib-update-resource-types.yaml

Handles repository_dispatch events (type: resource-types-contrib-updated) from resource-types-contrib.

Triggers:

• repository_dispatch -- fired by the contrib repo's notify-radius.yaml workflow (PR 4)
• workflow_dispatch -- commented out for production, can be enabled during development

Steps:

1. Validates contrib_ref as a hex commit SHA (informational only -- the actual version fetched is determined by make update-resource-types which runs go get ...@latest)
2. Installs yq (required by make update-resource-types to parse defaults.yaml)
3. Runs make update-resource-types to bump go.mod to latest contrib and copy manifests
4. If changes are detected (using git status --porcelain to catch both modified and new untracked files), opens or updates a PR on the bot/update-resource-types branch
5. Merging that PR triggers the existing publish pipeline to republish radius:latest

Security:

• contrib_ref is validated against ^[a-f0-9]{7,40}$ and passed via environment variables (not inline ${{ }} interpolation) to prevent shell and script injection
• Uses GH_RAD_CI_BOT_PAT for checkout and PR creation so the resulting push triggers CI checks (the default GITHUB_TOKEN cannot trigger workflows on pushes it creates)

Note: This workflow depends on make update-resource-types from #11911. It includes a pre-flight check that fails fast with a descriptive error if the target is not yet available.

Dependencies

• Integrate contrib types into unified Bicep extension
• Automated default resource type registration (provides make update-resource-types)
• Required secret: GH_RAD_CI_BOT_PAT

Changes

• .github/workflows/contrib-update-resource-types.yaml: New workflow

Part of

Unified Bicep extension publishing (PR 3/4). See design doc.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
actions/actions/checkout	de0fac2e4500dabe0009e67214ff5f5447ce83dd	🟢 5.7	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained ⚠️ 0 1 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies ⚠️ 3 dependency not pinned by hash detected -- score normalized to 3 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches SAST 🟢 8 SAST tool detected but not run on all commits
actions/actions/github-script	3a2844b7e9c422d3c10d287c895573f7108da1b3	🟢 7.7	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected Maintained 🟢 10 21 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 9 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found SAST 🟢 10 SAST tool is run on all commits Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches
actions/actions/setup-go	4a3601121dd01d1626a1e23e37211e3254c1c06c	🟢 5.6	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 5 6 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 5 Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST 🟢 10 SAST tool is run on all commits

Scanned Files

• .github/workflows/contrib-update-resource-types.yaml

[Copilot]

Pull request overview

Adds a new GitHub Actions workflow that listens for repository_dispatch events from radius-project/resource-types-contrib, runs make update-resource-types to refresh the manifest copies under deploy/manifest/built-in-providers/, and opens (or refreshes) a PR on bot/update-resource-types. Merging that PR triggers the existing build-and-push-bicep-types job to republish the unified Bicep extension.

Changes:

• New workflow contrib-update-resource-types.yaml reacting to resource-types-contrib-updated dispatch events
• Validates the optional contrib_ref payload as a hex SHA, installs Go + yq, runs make update-resource-types, and force-pushes to bot/update-resource-types
• Uses actions/github-script with GH_RAD_CI_BOT_PAT to create or update the PR idempotently

[github-actions]

Unit Tests

    2 files  ±0    423 suites  ±0   7m 14s ⏱️ +6s
5 136 tests ±0  5 134 ✅ ±0  2 💤 ±0  0 ❌ ±0 
6 173 runs  ±0  6 171 ✅ ±0  2 💤 ±0  0 ❌ ±0 

Results for commit ef7e043. ± Comparison against base commit a7e610b.

♻️ This comment has been updated with latest results.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 51.69%. Comparing base (9a15c2d) to head (ef7e043).
⚠️ Report is 5 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #11916      +/-   ##
==========================================
- Coverage   51.72%   51.69%   -0.04%     
==========================================
  Files         726      724       -2     
  Lines       45608    45507     -101     
==========================================
- Hits        23591    23524      -67     
+ Misses      19793    19763      -30     
+ Partials     2224     2220       -4     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[DariuszPorowski]

issue: related to radius-project/resource-types-contrib#160 (comment) we must eliminate PATs/fake accounts and use GH Apps

[kachawla]

We use this PAT in rest of the workflows in the repo as well. Given that we have to plan migrate all of the workflows to GH app in the near future, can we include this in the same effort instead of blocking this PR?

[DariuszPorowski]

suggestion: if the tool releases official binaries, then we should use them (with checksums validation if possible) instead of compiling the source on us.

[kachawla]

Good point, updated.

Also, broader question for you and @brooke-hamilton - do we have a convention for tool installation in workflows? Right now yq is installed separately in each workflow that needs it. Should we consolidate this into a composite action so the version/checksum management lives in one place, or is the preference to keep installing tools directly in each workflow?

[DariuszPorowski]

issue: same here what I mentioned above - use GH Apps instead of PATs/fake accounts

[radius-functional-tests]

Radius functional test overview

🔍 Go to test action run

Click here to see the test run details

Name	Value
Repository	radius-project/radius
Commit ref	ef7e043
Unique ID	funcd064912440
Image tag	pr-funcd064912440

• gotestsum 1.13.0
• KinD: v0.29.0
• Dapr: 1.14.4
• Azure KeyVault CSI driver: 1.4.2
• Azure Workload identity webhook: 1.3.0
• Bicep recipe location ghcr.io/radius-project/dev/test/testrecipes/test-bicep-recipes/<name>:pr-funcd064912440
• Terraform recipe location http://tf-module-server.radius-test-tf-module-server.svc.cluster.local/<name>.zip (in cluster)
• applications-rp test image location: ghcr.io/radius-project/dev/applications-rp:pr-funcd064912440
• dynamic-rp test image location: ghcr.io/radius-project/dev/dynamic-rp:pr-funcd064912440
• controller test image location: ghcr.io/radius-project/dev/controller:pr-funcd064912440
• ucp test image location: ghcr.io/radius-project/dev/ucpd:pr-funcd064912440
• deployment-engine test image location: ghcr.io/radius-project/deployment-engine:latest

Test Status

⌛ Building Radius and pushing container images for functional tests...
✅ Recipe publishing succeeded
⌛ Starting ucp-cloud functional tests...
⌛ Starting corerp-cloud functional tests...
✅ Container images build succeeded
⌛ Publishing Bicep Recipes for functional tests...
✅ Recipe publishing succeeded
✅ ucp-cloud functional tests succeeded
⌛ Starting ucp-cloud functional tests...
⌛ Starting corerp-cloud functional tests...
✅ ucp-cloud functional tests succeeded
✅ corerp-cloud functional tests succeeded
✅ corerp-cloud functional tests succeeded