Workflow refinements

.github/workflows/ByoVnetCI.yml

@@ -4,18 +4,25 @@ name: InfraCI - ByoVnet cluster
 # 2. IAM Owner on the Vnet (we're making role assignments)
 
 on:
-  push:
-    paths:
-      #- ".github/workflows/ByoVnetCI.yml"
-      - ".github/workflows_dep/AksDeploy-ByoVnet.parameters.json"
-      - "bicep/*"
+# Triggering on push causes a problem with the Azure Login Federated Identity Subject Claim.
+# Disabling this trigger as having Push + PR is OTT
+#  push:
+#    paths:
+#      #- ".github/workflows/ByoVnetCI.yml"
+#      - ".github/workflows_dep/AksDeploy-ByoVnet.parameters.json"
+#      - "bicep/*"
 
   pull_request:
     branches: [main]
     paths:
       - "bicep/*"
       - ".github/workflows/ByoVnetCI.yml"
-
+    types: #Type filtering should stop CI/CD running on draft status workflows
+      - opened
+      - reopened
+      - synchronize
+      - ready_for_review
+
   #Running on a schedule helps trap issues like Kubernetes versions not being available in the region, or Well Architected recommendations changing
   schedule:
     # At 11:00pm, every Wednesday week
@@ -80,6 +87,7 @@ env:
 jobs:
   Well_Architected:
     runs-on: ubuntu-latest
+    needs: [Validation]
     if:  github.event_name != 'pull_request' || github.event.inputs.doWellArchitected == 'true' ||  contains( github.event.pull_request.labels.*.name, 'test-deploy-byoconfig')
     steps:
       - uses: actions/checkout@v3.3.0
@@ -89,10 +97,12 @@ jobs:
       # https://azure.github.io/PSRule.Rules.Azure/
       - name: PSRule for Azure - Well Architected
         uses: microsoft/ps-rule@v2.7.0
+        #uses: microsoft/ps-rule@main
         continue-on-error: true #Setting this whilst PSRule gets bedded in, in this project
         with:
           modules: 'PSRule.Rules.Azure'
           inputPath: "${{ env.ParamFilePath }}"
+          prerelease: true
 
       # In addition to the Well Architected analysis, we can also leverage the CAF rules
       # Run analysis against PSRule for Cloud Adoption Framework
@@ -102,6 +112,7 @@ jobs:
         with:
           modules: 'PSRule.Rules.CAF'
           inputPath: "${{ env.ParamFilePath }}"
+          prerelease: false
 
   CostEstimate:
     needs: [ReusableWF, Validation]
@@ -124,9 +135,9 @@ jobs:
   Validation:
     runs-on: ubuntu-latest
     environment: ${{ github.event.inputs.environment }}
-    if: ${{ !github.event.pull_request.head.repo.fork }}
+    if: ${{ !github.event.pull_request.head.repo.fork && !github.event.pull_request.draft }}
     outputs:
-      RESOURCEGROUP:  ${{ steps.params.outputs.RESOURCEGROUP}}
+      RESOURCEGROUP: ${{ steps.params.outputs.RESOURCEGROUP}}
       REGION: ${{ steps.params.outputs.REGION}}
       RESNAME: ${{ steps.params.outputs.NEWRESNAME}}
       PARAMOVERRIDES: ${{ steps.imperitiveparams.outputs.PARAMOVERRIDES}} #This won't work if the string includes any SECRETS!!!
@@ -135,7 +146,6 @@ jobs:
       - uses: actions/checkout@v3.3.0
 
       - name: Job parameter check
-        if: github.event.inputs.doDebugSteps == 'true'
         run: |
           echo "Param file path is: ${{ env.ParamFilePath }}"
           echo "Resource name is ${{ env.RESNAME }}"
@@ -145,6 +155,7 @@ jobs:
           echo "EventTrigger name is ${{github.event_name}}"
           echo "PR contains bug :  ${{contains(github.event.pull_request.labels.*.name, 'bug')}}"
           echo "PR labels :  ${{github.event.pull_request.labels.*.name}}"
+          echo "PR draft :  ${{github.event.pull_request.draft}}"  
           echo "AZCLIVERSION is ${{ env.AZCLIVERSION }}"
           echo "doDebugSteps is ${{ github.event.inputs.doDebugSteps }}"
           echo "doVerifySteps is ${{ github.event.inputs.doVerifySteps }}"

.github/workflows/ByoVnetPrivateCI.yml

@@ -52,16 +52,21 @@ on:
         type: boolean
         required: false
 
-  push:
-    paths:
-      - 'bicep/*'
+# Push trigger is excessive, we already trigger in PR.
+#  push:
+#    paths:
+#      - 'bicep/*'
 
   pull_request:
     branches: [ main ]
     paths:
       - 'bicep/*'
       - ".github/workflows/ByoVnetPrivateCI.yml"
-
+    types: #Type filtering should stop CI/CD running on draft status workflows
+      - opened
+      - reopened
+      - synchronize
+      - ready_for_review
 
   schedule:
     # At 11:00pm, every Tuesday week
@@ -77,6 +82,7 @@ concurrency: ci-${{ github.event.inputs.environment }}-${{ github.ref }}
 jobs:
   Well_Architected:
     runs-on: ubuntu-latest
+    needs: Validation
     environment: ${{ github.event.inputs.environment }}
     if:  github.event_name == 'pull_request' || github.event.inputs.doWellArchitected == 'true'
     steps:
@@ -92,9 +98,11 @@ jobs:
           modules: 'PSRule.Rules.Azure'
           inputType: repository
           inputPath: "${{ env.ParamFilePath }}"
+          prerelease: true
 
   ReusableWF:
     runs-on: ubuntu-latest
+    if: ${{ !github.event.pull_request.draft }}
     env:
       RG: ${{ github.event.inputs.ResourceGroup != '' && github.event.inputs.ResourceGroup || 'AksBicepAcc-Ci-PrivateCluster' }}
     outputs:
@@ -137,7 +145,7 @@ jobs:
   Validation:
     runs-on: ubuntu-latest
     environment: ${{ github.event.inputs.environment }}
-    if: ${{ !github.event.pull_request.head.repo.fork }}
+    if: ${{ !github.event.pull_request.head.repo.fork && !github.event.pull_request.draft }}
     env: #Default values if GitHub event obj is empty (eg. Initiated by PR)
       RG: 'AksBicepAcc-Ci-PrivateCluster'
       RESNAME: 'Prv'
@@ -150,13 +158,15 @@ jobs:
       - uses: actions/checkout@v3.3.0
 
       - name: Job parameter check
-        if: github.event.inputs.doVerifySteps == 'true'
         run: |
           echo "RG is: $RG"
           echo "Param file path is: ${{ env.ParamFilePath }}"
           echo "Resource name is ${{ env.RESNAME }}"
           echo "Deployment name is ${{ env.DEPNAME }}"
           echo "EventTrigger name is ${{github.event_name}}"
+          echo "Event action type is ${{github.event.action}}"
+          echo "Event state is ${{github.event.pull_request.state}}"
+          echo "Event PR is draft ${{github.event.pull_request.draft}}"
           echo "Default Deny is ${{ github.event.inputs.defaultdeny }}"
 
       - name: Arm Parameter file check

.github/workflows/StandardCI.yml

@@ -19,7 +19,12 @@ on:
     paths:
       - "bicep/*"
       - ".github/workflows/StandardCI.yml"
-
+    types: #Type filtering should stop CI/CD running on draft status workflows
+      - opened
+      - reopened
+      - synchronize
+      - ready_for_review
+
   #Run on a weekly schedule
   schedule:
     # At 11:00pm, every Tuesday week
@@ -40,6 +45,7 @@ concurrency: "StanCI-${{ github.event.inputs.Environment != '' && github.event.i
 jobs:
   ReusableWF:
     runs-on: ubuntu-latest
+    if: ${{ !github.event.pull_request.head.repo.fork && !github.event.pull_request.draft }}
     outputs:
       RG: ${{ env.RG }}
       ENVIRONMENT: ${{ github.event.inputs.Environment }}
@@ -53,7 +59,7 @@ jobs:
   Validation:
     runs-on: ubuntu-latest
     environment: ${{ github.event.inputs.environment }}
-    if: ${{ !github.event.pull_request.head.repo.fork }}
+    if: ${{ !github.event.pull_request.head.repo.fork && !github.event.pull_request.draft }}
 
     steps:
       #Get the code files from the repo