Add GitHub pipeline feature behind preview flag #378
66329bb to 2177244
Pull request overview
This PR introduces a GitHub-based deployment pipeline flow (behind a “Preview Features” toggle) for AKS Desktop, including GitHub auth, repo readiness checks, pipeline orchestration, workload identity setup, and UI surfaces to configure and trigger deployments.
Changes:
- Add GitHub Pipelines preview feature settings and wire into plugin registration + UI.
- Implement end-to-end GitHub pipeline wizard (auth, repo selection, setup PR, agent trigger, PR/workflow polling, deployment status) and supporting GitHub/Azure utilities.
- Enhance deploy experience with pipeline run listing, pipeline redeploy dialog, and manual deploy edit prefill.
Reviewed changes
Copilot reviewed 57 out of 58 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| plugins/aks-desktop/src/utils/github/github-auth.ts | Updates default GitHub App slug and adds lint suppression for window bridge typing. |
| plugins/aks-desktop/src/utils/github/github-api.ts | Adds repo readiness check for deploy workflow and adds Actions secrets management helpers. |
| plugins/aks-desktop/src/utils/github/github-api.test.ts | Updates readiness/app installation tests to match new workflow slug and readiness shape. |
| plugins/aks-desktop/src/utils/azure/az-cli.ts | Adds workload identity management helpers via Azure CLI (identity, roles, federated creds). |
| plugins/aks-desktop/src/types/github.ts | Extends RepoReadiness to include deploy workflow presence. |
| plugins/aks-desktop/src/index.tsx | Registers plugin settings, deploy tab, pipeline overview card, and header actions. |
| plugins/aks-desktop/src/hooks/usePreviewFeatures.ts | Adds hook to merge preview feature defaults with stored config. |
| plugins/aks-desktop/src/hooks/usePreviewFeatures.test.ts | Adds unit tests for preview feature defaults vs stored config. |
| plugins/aks-desktop/src/components/PluginSettings/previewFeaturesStore.ts | Introduces ConfigStore-backed preview feature configuration. |
| plugins/aks-desktop/src/components/PluginSettings/PreviewFeaturesSettings.tsx | Adds UI for toggling preview features (GitHub Pipelines). |
| plugins/aks-desktop/src/components/GitHubPipeline/utils/statusDisplay.ts | Adds functions for workflow/pod/check status presentation. |
| plugins/aks-desktop/src/components/GitHubPipeline/utils/probeHelpers.ts | Adds YAML escaping + probe rendering helpers for agent payloads. |
| plugins/aks-desktop/src/components/GitHubPipeline/utils/pipelineStorage.ts | Adds localStorage persistence helpers for active pipeline resume/cancel. |
| plugins/aks-desktop/src/components/GitHubPipeline/utils/pipelineOrchestration.ts | Implements setup PR creation, secrets creation, and Copilot agent triggering. |
| plugins/aks-desktop/src/components/GitHubPipeline/utils/pipelineOrchestration.test.ts | Adds unit tests for orchestration steps and issue payload security. |
| plugins/aks-desktop/src/components/GitHubPipeline/utils/getWizardStep.ts | Adds mapping from pipeline state → wizard step index. |
| plugins/aks-desktop/src/components/GitHubPipeline/utils/agentTemplates.ts | Adds agent config/workflow templates, branch naming, and config validation. |
| plugins/aks-desktop/src/components/GitHubPipeline/utils/agentTemplates.test.ts | Adds unit tests for generated agent config/templates and validation. |
| plugins/aks-desktop/src/components/GitHubPipeline/types.ts | Introduces pipeline state machine types and tracking shapes. |
| plugins/aks-desktop/src/components/GitHubPipeline/hooks/useWorkloadIdentitySetup.ts | Adds hook to orchestrate Azure managed identity + federated credential setup. |
| plugins/aks-desktop/src/components/GitHubPipeline/hooks/useWorkflowPolling.ts | Adds polling for GitHub Actions workflow runs after PR merge. |
| plugins/aks-desktop/src/components/GitHubPipeline/hooks/usePolling.ts | Adds generic polling hook used by PR/workflow/agent discovery polling. |
| plugins/aks-desktop/src/components/GitHubPipeline/hooks/usePipelineAnnotationSync.ts | Syncs configured pipeline repos + identity metadata into namespace annotations. |
| plugins/aks-desktop/src/components/GitHubPipeline/hooks/usePRPolling.ts | Adds polling for PR merge/close state and status checks. |
| plugins/aks-desktop/src/components/GitHubPipeline/hooks/useGitHubAuth.ts | Adds OAuth/token lifecycle management with cross-react-tree synchronization. |
| plugins/aks-desktop/src/components/GitHubPipeline/hooks/useDeploymentHealth.ts | Adds K8s deployment/pod/service health monitoring for pipeline deployments. |
| plugins/aks-desktop/src/components/GitHubPipeline/hooks/useAgentPRDiscovery.ts | Adds polling to discover Copilot agent-generated PR via issue timeline. |
| plugins/aks-desktop/src/components/GitHubPipeline/constants.ts | Adds web event constant for opening the pipeline wizard drawer. |
| plugins/aks-desktop/src/components/GitHubPipeline/components/WorkloadIdentitySetup.tsx | Adds UI for workload identity setup progress and error handling. |
| plugins/aks-desktop/src/components/GitHubPipeline/components/WizardShell.tsx | Adds reusable wizard shell with step indicator and cancel confirmation. |
| plugins/aks-desktop/src/components/GitHubPipeline/components/RepoSelector.tsx | Adds repository picker UI backed by GitHub repo listing. |
| plugins/aks-desktop/src/components/GitHubPipeline/components/PipelineConfiguredScreen.tsx | Adds post-configure completion UI. |
| plugins/aks-desktop/src/components/GitHubPipeline/components/PRStatusScreen.tsx | Adds UI for PR/issue progress and status checks. |
| plugins/aks-desktop/src/components/GitHubPipeline/components/GitHubAuthStatusButton.tsx | Adds header button showing GitHub auth status and sign-in action. |
| plugins/aks-desktop/src/components/GitHubPipeline/components/GitHubAuthScreen.tsx | Adds GitHub auth UX screen (permissions + browser auth waiting state). |
| plugins/aks-desktop/src/components/GitHubPipeline/components/DeploymentStatusScreen.tsx | Adds deployment progress UI combining workflow status and K8s health. |
| plugins/aks-desktop/src/components/GitHubPipeline/components/ConnectSourceStep.tsx | Adds connect-source step UI with app-installation guidance. |
| plugins/aks-desktop/src/components/GitHubPipeline/components/AgentSetupReview.tsx | Adds review screen for setup PR / agent trigger config, incl. container settings. |
| plugins/aks-desktop/src/components/GitHubPipeline/fixtures/pipelineConfig.ts | Adds fixtures for pipeline orchestration/template tests. |
| plugins/aks-desktop/src/components/GitHubPipeline/GitHubPipelineWizard.tsx | Adds the main GitHub pipeline wizard component and state-driven rendering. |
| plugins/aks-desktop/src/components/GitHubPipeline/GitHubAuthContext.tsx | Adds context/provider wrapper for GitHub auth usage across UI. |
| plugins/aks-desktop/src/components/Deployments/hooks/usePipelineRuns.ts | Adds hook to fetch recent workflow runs across configured repos. |
| plugins/aks-desktop/src/components/Deployments/PipelineCard.tsx | Adds overview card listing pipeline runs and opening wizard drawer. |
| plugins/aks-desktop/src/components/DeployWizard/utils/yamlGenerator.ts | Annotates manual deployments for provenance tracking. |
| plugins/aks-desktop/src/components/DeployWizard/hooks/useContainerConfiguration.ts | Adds support for initializing container config from partial overrides. |
| plugins/aks-desktop/src/components/DeployWizard/components/ConfigureContainer.tsx | Allows skipping container image requirement for pipeline setup path. |
| plugins/aks-desktop/src/components/DeployWizard/DeployWizard.tsx | Adds edit-mode support via initial container config to jump into configure step. |
| plugins/aks-desktop/src/components/DeployTab/utils/extractContainerConfig.ts | Adds extraction from live K8s resources to prefill DeployWizard for edits. |
| plugins/aks-desktop/src/components/DeployTab/utils/extractContainerConfig.test.ts | Adds unit tests for deployment/service → container config extraction. |
| plugins/aks-desktop/src/components/DeployTab/hooks/usePipelineStatus.ts | Adds pipeline configured repo discovery via namespace annotations + local fallback. |
| plugins/aks-desktop/src/components/DeployTab/hooks/usePipelineSettings.ts | Adds localStorage-backed per-user pipeline enablement settings. |
| plugins/aks-desktop/src/components/DeployTab/hooks/useClusterDeployStatus.ts | Adds deployment/service status watcher with provenance derived from annotations. |
| plugins/aks-desktop/src/components/DeployTab/components/PipelineDeployDialog.tsx | Adds dialog to dispatch workflow_dispatch with deployment parameters. |
| plugins/aks-desktop/src/components/DeployTab/components/ClusterDeployCard.tsx | Adds per-namespace deploy UI (manual deploy/edit + pipeline redeploy). |
| plugins/aks-desktop/src/components/DeployTab/DeployTab.tsx | Introduces a new Deploy tab gated by preview feature + user settings. |
| plugins/aks-desktop/src/components/ConfigurePipeline/ConfigurePipelineButton.tsx | Adds header button + drawer hosting the pipeline wizard. |
| plugins/aks-desktop/package.json | Adds libsodium-wrappers dependency and its TypeScript types. |
| plugins/aks-desktop/locales/en/translation.json | Adds strings for preview features UI. |
| plugins/aks-desktop/locales/zh-Hant/translation.json | Adds placeholder keys for new preview features strings. |
| plugins/aks-desktop/locales/zh-Hans/translation.json | Adds placeholder keys for new preview features strings. |
| plugins/aks-desktop/locales/tr/translation.json | Adds placeholder keys for new preview features strings. |
| plugins/aks-desktop/locales/sv/translation.json | Adds placeholder keys for new preview features strings. |
| plugins/aks-desktop/locales/ru/translation.json | Adds placeholder keys for new preview features strings. |
| plugins/aks-desktop/locales/pt-PT/translation.json | Adds placeholder keys for new preview features strings. |
| plugins/aks-desktop/locales/pt-BR/translation.json | Adds placeholder keys for new preview features strings. |
| plugins/aks-desktop/locales/pl/translation.json | Adds placeholder keys for new preview features strings. |
| plugins/aks-desktop/locales/nl/translation.json | Adds placeholder keys for new preview features strings. |
| plugins/aks-desktop/locales/ko/translation.json | Adds placeholder keys for new preview features strings. |
| plugins/aks-desktop/locales/ja/translation.json | Adds placeholder keys for new preview features strings. |
| plugins/aks-desktop/locales/it/translation.json | Adds placeholder keys for new preview features strings. |
| plugins/aks-desktop/locales/id/translation.json | Adds placeholder keys for new preview features strings. |
| plugins/aks-desktop/locales/hu/translation.json | Adds placeholder keys for new preview features strings. |
| plugins/aks-desktop/locales/fr/translation.json | Adds placeholder keys for new preview features strings. |
| plugins/aks-desktop/locales/es/translation.json | Adds placeholder keys for new preview features strings. |
| plugins/aks-desktop/locales/de/translation.json | Adds placeholder keys for new preview features strings. |
| plugins/aks-desktop/locales/cs/translation.json | Adds placeholder keys for new preview features strings. |
| headlamp | Updates Headlamp submodule pointer. |
Files not reviewed (1)
- plugins/aks-desktop/package-lock.json: Language not supported
Comments suppressed due to low confidence (5)
plugins/aks-desktop/src/utils/azure/az-cli.ts:1
- The same `GITHUB_NAME_PATTERN` is used for `branch`, but it disallows `/`. Git branch names commonly include slashes (e.g. `feature/foo`), which would cause false validation failures and block federated credential creation. Use a separate, branch-appropriate validator (allowing `/` while still preventing traversal like `..`) or relax the branch validation to support common Git branch naming.

plugins/aks-desktop/src/utils/azure/az-cli.ts:1
- The same `GITHUB_NAME_PATTERN` is used for `branch`, but it disallows `/`. Git branch names commonly include slashes (e.g. `feature/foo`), which would cause false validation failures and block federated credential creation. Use a separate, branch-appropriate validator (allowing `/` while still preventing traversal like `..`) or relax the branch validation to support common Git branch naming.

plugins/aks-desktop/src/components/GitHubPipeline/utils/pipelineStorage.ts:1
- Avoid leaving `console.log` statements in production code paths (especially ones that can reveal internal state like storage keys). Consider removing this or switching to the project's debug logging facility so it can be gated/disabled in production builds.

plugins/aks-desktop/src/components/Deployments/hooks/usePipelineRuns.ts:1
- `JSON.stringify(repos)` in a dependency array adds repeated serialization cost and can still be unstable if key order changes. Prefer deriving a small deterministic key (e.g., join `${owner}/${repo}@${defaultBranch}` values) or requiring callers to pass a stable `repos` reference so `useMemo` isn't needed.

plugins/aks-desktop/src/components/GitHubPipeline/utils/probeHelpers.ts:1
- `escapeYamlValue` is security- and correctness-sensitive for embedding user-provided values into YAML. Add unit tests covering backslashes, quotes, newlines/CRLF, tabs, and a case with multiple escapes combined, plus a regression test that ensures the generated YAML remains parseable.
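The escaping cases listed in the `probeHelpers.ts` comment above, worked through as an added example that is not part of the review or the PR. `escapeYamlDoubleQuoted` and `renderLine` are hypothetical stand-ins (the PR's `escapeYamlValue` is not shown on this page), and the inputs are constructed.

```typescript
// Added example. escapeYamlDoubleQuoted is a hypothetical stand-in,
// not the PR's escapeYamlValue.
function escapeYamlDoubleQuoted(value: string): string {
  const body = value.replace(/[\\"\x00-\x1f\x7f\x85\u2028\u2029]/g, (ch) => {
    switch (ch) {
      case '\\': return '\\\\';
      case '"': return '\\"';
      case '\n': return '\\n';
      case '\r': return '\\r';
      case '\t': return '\\t';
      default:
        // Remaining control and line-separator characters become \uXXXX.
        return '\\u' + ('0000' + ch.charCodeAt(0).toString(16)).slice(-4);
    }
  });
  return '"' + body + '"';
}

// Hypothetical renderer for one "key: value" line of a generated manifest.
function renderLine(key: string, value: string): string {
  return key + ': ' + escapeYamlDoubleQuoted(value);
}

// Every escape emitted above is valid in both a JSON string and a YAML
// double-quoted scalar, so JSON.parse can decode the scalar offline.
function decodeScalar(scalar: string): string {
  return JSON.parse(scalar) as string;
}

// Constructed inputs covering the cases the review comment lists.
const YAML_CASES: string[] = [
  'C:\\probe\\path',            // backslashes
  'say "ready"',                // quotes
  'line1\nline2',               // LF
  'line1\r\nline2',             // CRLF
  'col1\tcol2',                 // tab
  '/healthz"\r\n\textra: "\\',  // all of them combined
];

// A value is safe when the rendered line stays on one physical line and
// decodes back to exactly the input.
function roundTrips(value: string): boolean {
  const line = renderLine('path', value);
  const scalar = line.slice('path: '.length);
  return !/[\r\n]/.test(line) && decodeScalar(scalar) === value;
}

function allCasesRoundTrip(): boolean {
  return YAML_CASES.every(roundTrips);
}
```

In a real test suite the decode step would go through the YAML parser the project already depends on, so the regression test also catches parser-specific behaviour.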
3bdeb17 to f99c0d9
5c9e815 to 5912e09
Pull request overview
Copilot reviewed 58 out of 59 changed files in this pull request and generated 1 comment.
Files not reviewed (1)
- plugins/aks-desktop/package-lock.json: Language not supported
Comments suppressed due to low confidence (8)
plugins/aks-desktop/src/components/GitHubPipeline/hooks/useAgentWorkflowProgress.ts:1
- After the first poll cycle, `runUrl` is always returned as null, so consumers will lose the previously discovered URL once the next poll result overwrites the prior `data`. Persist the discovered run URL (e.g., store it in a ref/state and always include it in subsequent poll results, or return the last known URL when `runIdRef.current` is set).

plugins/aks-desktop/src/utils/azure/az-cli.ts:1
- This validation rejects branch names containing `/` (e.g. `release/v1`), which is a common Git branch naming pattern and can be a default branch. Since `runCommandAsync` is called with an argv array (not shell interpolation), you can safely relax the branch validation to allow `/` (while still excluding whitespace/control chars) so federated credential creation doesn't fail for legitimate repos.

plugins/aks-desktop/src/components/GitHubPipeline/hooks/useWorkflowPolling.ts:1
- This import is used only for typing (`octokit: Octokit | null`) but is brought in as a runtime value import, which can increase bundle size. Switch to a type-only import (`import type { Octokit } ...`) here (and similarly in other hooks/components that only use Octokit as a type).

plugins/aks-desktop/src/components/GitHubPipeline/utils/pipelineStorage.ts:1
- Leftover `console.log` will be noisy in production and may leak internal state keys into logs. Prefer removing it or routing through an existing debug logging facility behind a dev flag.

plugins/aks-desktop/src/utils/github/github-api.ts:1
- New GitHub Actions secrets helpers (`getRepoPublicKey`, `createOrUpdateRepoSecret`, `setRepoSecrets`) are added without corresponding unit tests, while this module already has comprehensive test coverage. Add tests that verify: (1) correct Octokit endpoints/params are called, (2) empty/whitespace secrets are filtered, and (3) encryption path is exercised by mocking `libsodium-wrappers` (including `ready`, `from_base64`, `crypto_box_seal`, `to_base64`).

plugins/aks-desktop/src/utils/github/github-api.ts:1
- New GitHub Actions secrets helpers (`getRepoPublicKey`, `createOrUpdateRepoSecret`, `setRepoSecrets`) are added without corresponding unit tests, while this module already has comprehensive test coverage. Add tests that verify: (1) correct Octokit endpoints/params are called, (2) empty/whitespace secrets are filtered, and (3) encryption path is exercised by mocking `libsodium-wrappers` (including `ready`, `from_base64`, `crypto_box_seal`, `to_base64`).

plugins/aks-desktop/src/utils/github/github-api.ts:1
- New GitHub Actions secrets helpers (`getRepoPublicKey`, `createOrUpdateRepoSecret`, `setRepoSecrets`) are added without corresponding unit tests, while this module already has comprehensive test coverage. Add tests that verify: (1) correct Octokit endpoints/params are called, (2) empty/whitespace secrets are filtered, and (3) encryption path is exercised by mocking `libsodium-wrappers` (including `ready`, `from_base64`, `crypto_box_seal`, `to_base64`).

plugins/aks-desktop/src/index.tsx:1
- Introducing a new `@ts-ignore` for a public registration API makes this harder to maintain and can mask legitimate type breakages. If Headlamp supports `isEnabled` here, prefer updating/augmenting the local type definitions (or adding a small typed wrapper around `registerProjectOverviewSection`) so this stays type-safe without suppressing errors.
f4c6e73 to 644d777
Pull request overview
Copilot reviewed 64 out of 65 changed files in this pull request and generated 1 comment.
Files not reviewed (1)
- plugins/aks-desktop/package-lock.json: Language not supported
Comments suppressed due to low confidence (4)
plugins/aks-desktop/src/utils/github/github-api.ts:1
- `issue.pull_request` on an issue timeline cross-reference does not include `merged_at` (it typically only includes URLs), so `merged` will be reported as `false` even when the PR is merged. Since you're already fetching the PR details via `octokit.pulls.get`, set `merged` based on the PR response (`pr.merged` or `pr.merged_at`) instead of the issue payload.

plugins/aks-desktop/src/components/GitHubPipeline/hooks/useWorkflowPolling.ts:1
- This imports Octokit as a runtime value, but the file only uses it as a type. Switching to a type-only import (`import type { Octokit } ...`) avoids bundling in Octokit unnecessarily. Same issue appears in other new modules in this PR (e.g., usePRPolling.ts, useAgentWorkflowProgress.ts, useAgentPRDiscovery.ts, usePipelineRuns.ts, RepoSelector.tsx).

plugins/aks-desktop/src/components/GitHubPipeline/components/WorkloadIdentitySetup.tsx:1
- `setupWorkloadIdentity` returns a Promise, but the click handler doesn't await it or explicitly mark it as intentionally fire-and-forget. To avoid unhandled-rejection edge cases (and to satisfy common `no-floating-promises` lint setups), either make `handleSetup` async and `await setupWorkloadIdentity(config)`, or call it with `void setupWorkloadIdentity(config)` and ensure errors are handled inside the hook (which you already do).

plugins/aks-desktop/src/utils/azure/az-cli.ts:1
- The namespace validation pattern is overly permissive (allows uppercase and underscores) and may accept values Kubernetes will reject, while also making validation behavior inconsistent across the codebase. Since this is guarding a JMESPath expression, consider validating against Kubernetes namespace DNS label rules (lowercase alphanumerics + '-', max 63, must start/end alphanumeric). This keeps the injection protection while avoiding confusing false-positives that later fail inside `az`/K8s.
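The branch and namespace validation points raised in the `az-cli.ts` comments of the reviews above, as an added example that is not code from the PR or from the review. All function names are hypothetical, `GITHUB_NAME` is an assumed stand-in for the PR's `GITHUB_NAME_PATTERN` (its definition is not on this page), and the 255-character cap and leading `-` rejection are assumptions that go beyond what the comments ask for.

```typescript
// Added example with hypothetical helpers; not the PR's az-cli.ts code.

// Kubernetes namespaces are DNS labels: lowercase alphanumerics and '-',
// at most 63 characters, starting and ending with an alphanumeric.
const K8S_NAMESPACE = /^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$/;

function isValidNamespace(ns: string): boolean {
  return K8S_NAMESPACE.test(ns);
}

// Assumed owner/repo pattern: no '/', so it cannot be reused for branches.
const GITHUB_NAME = /^[A-Za-z0-9_.-]+$/;

function isValidName(name: string): boolean {
  return GITHUB_NAME.test(name) && name !== '.' && name !== '..';
}

// Branch validator following git's ref-name rules: '/' separates
// components, while '..', whitespace, control characters and the
// characters git forbids in refs are rejected.
function isValidBranch(branch: string): boolean {
  if (branch.length === 0 || branch.length > 255) return false; // cap is an assumption
  if (/[\x00-\x20\x7f~^:?*[\\]/.test(branch)) return false;
  // '..' and '@{' anywhere, a trailing '.', a bare '@', and a leading '-'
  // (which an argv-based CLI call could read as an option).
  if (/\.\.|@\{|^-|\.$|^@$/.test(branch)) return false;
  // No empty components (leading, trailing or doubled '/'), no component
  // starting with '.' or ending in '.lock'.
  return branch
    .split('/')
    .every((part) => part.length > 0 && !/^\.|\.lock$/.test(part));
}

// Subject claim GitHub's OIDC tokens carry for a workflow run on a branch;
// a federated credential matches on this exact string.
function federatedSubject(owner: string, repo: string, branch: string): string {
  if (!isValidName(owner) || !isValidName(repo)) {
    throw new Error('invalid owner or repository name');
  }
  if (!isValidBranch(branch)) {
    throw new Error('invalid branch name');
  }
  return 'repo:' + owner + '/' + repo + ':ref:refs/heads/' + branch;
}
```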
644d777 to f828d4c
Add GitHub API functions for repo readiness checks, secret encryption, workflow dispatch, and PR/issue management. Add Azure CLI helpers for workload identity federation (managed identity, federated credentials, role assignments). Include libsodium-wrappers for GitHub Secrets API client-side encryption.
Add the core pipeline state management layer: PipelineDeploymentState discriminated union, useGitHubPipelineState reducer with validated transitions and localStorage persistence, pipeline storage utilities, wizard step mapping, and status display helpers. Includes comprehensive test coverage for state transitions, persistence, and display logic.
f828d4c to 79dc849
Pull request overview
Copilot reviewed 63 out of 64 changed files in this pull request and generated 7 comments.
Files not reviewed (1)
- plugins/aks-desktop/package-lock.json: Language not supported
Add orchestration utilities for GitHub Actions workflow creation, secret management, and PR operations. Add agent template generation for containerization config and setup workflows. Add polling hooks for PR status, workflow runs, agent progress, deployment health, and pipeline annotation sync. Includes YAML escaping utilities and probe helpers.
Add the pipeline wizard component with step-based navigation through GitHub OAuth, repo selection, workload identity federation setup, agent configuration review, PR creation/monitoring, and deployment status tracking. Includes GitHub auth hook with cross-tree sync, orchestration hook wiring state machine to UI, and all wizard step components.
…ration Add Deploy tab with cluster deploy status, pipeline settings, and pipeline deploy dialog. Add PipelineCard for project overview showing recent workflow runs. Add ConfigurePipelineButton for project header. Extend DeployWizard to accept initial container config for edit mode. Register all new components with Headlamp's plugin API (overview section, details tabs, header actions).
79dc849 to 9640e4b

Summary
Adds GitHub-based deployment pipelines for AKS projects, gated behind a new Preview Features toggle in plugin settings (off by default).
When enabled, users can:
The existing Deploy Application button is preserved — pipeline features are purely additive.
Key changes
- `PreviewFeaturesSettings` UI toggle + `usePreviewFeatures` hook; four entry-point components return `null` when disabled
- `useGitHubPipelineState` with 15+ states, persistent storage, and polling infrastructure
Test plan
- `npm run tsc` passes
- `npm run lint` passes
- `npm run format -- --check` passes
For Issue: