Merge branch 'main' into corm/containerapp-up-buildpack

.github/fabricbot.json

@@ -4200,7 +4200,7 @@
           {
             "name": "requestReviewer",
             "parameters": {
-              "reviewer": "wangzelin007"
+              "reviewer": "yanzhudd"
             }
           }
         ]
@@ -12647,6 +12647,146 @@
           }
         ]
       }
+    },
+    {
+      "taskType": "trigger",
+      "capabilityId": "IssueResponder",
+      "subCapability": "PullRequestResponder",
+      "version": "1.0",
+      "config": {
+        "conditions": {
+          "operator": "and",
+          "operands": [
+            {
+              "name": "isAction",
+              "parameters": {
+                "action": "opened"
+              }
+            },
+            {
+              "operator": "or",
+              "operands": [
+                {
+                  "name": "titleContains",
+                  "parameters": {
+                    "titlePattern": "[Vv]m-repair",
+                    "isRegex": true
+                  }
+                },
+                {
+                  "name": "bodyContains",
+                  "parameters": {
+                    "bodyPattern": "[Vv]m-repair",
+                    "isRegex": true
+                  }
+                }
+              ]
+            }
+          ]
+        },
+        "eventType": "pull_request",
+        "eventNames": [
+          "pull_request",
+          "issues",
+          "project_card"
+        ],
+        "taskName": "[vm-repair] Auto assign labels and reviewers based on PR title/description.",
+        "actions": [
+          {
+            "name": "requestReviewer",
+            "parameters": {
+              "reviewer": "zhoxing-ms"
+            }
+          },
+          {
+            "name": "requestReviewer",
+            "parameters": {
+              "reviewer": "yanzhudd"
+            }
+          },
+          {
+            "name": "addLabel",
+            "parameters": {
+              "label": "Auto-Assign"
+            }
+          },
+          {
+            "name": "assignToUser",
+            "parameters": {
+              "user": "zhoxing-ms"
+            }
+          }
+        ]
+      }
+    },
+    {
+      "taskType": "trigger",
+      "capabilityId": "IssueResponder",
+      "subCapability": "IssuesOnlyResponder",
+      "version": "1.0",
+      "config": {
+        "conditions": {
+          "operator": "and",
+          "operands": [
+            {
+              "operator": "or",
+              "operands": [
+                {
+                  "name": "titleContains",
+                  "parameters": {
+                    "titlePattern": "az azurestackhci",
+                    "isRegex": true
+                  }
+                },
+                {
+                  "name": "bodyContains",
+                  "parameters": {
+                    "bodyPattern": "az azurestackhci",
+                    "isRegex": true
+                  }
+                }
+              ]
+            },
+            {
+              "operator": "or",
+              "operands": [
+                {
+                  "name": "isAction",
+                  "parameters": {
+                    "action": "opened"
+                  }
+                }
+              ]
+            }
+          ]
+        },
+        "eventType": "issue",
+        "eventNames": [
+          "issues",
+          "project_card"
+        ],
+        "taskName": "[azurestackhci] auto assign labels and users based on issue description.",
+        "actions": [
+          {
+            "name": "addLabel",
+            "parameters": {
+              "label": "Auto-Assign"
+            }
+          },
+          {
+            "name": "addLabel",
+            "parameters": {
+              "label": "AzureStackHCI"
+            }
+          },
+          {
+            "name": "addLabel",
+            "parameters": {
+              "label": "CXP Attention"
+            }
+          }
+        ]
+      }
     }
   ],
   "userGroups": [

.github/workflows/AddPRComment.yml

@@ -11,8 +11,10 @@ jobs:
     name: Say thanks for the PR
     steps:
       - name: get message
+        env:
+          TITLE: ${{ github.event.pull_request.title }}
         run: |
-          message=$(echo '${{ github.event.pull_request.title }}' | grep -oP '[{\[][^}\]]+[}\]]' | sed 's/{\|}\|\[\|\]//g')
+          message=$(echo "$TITLE" | grep -oP '[{\[][^}\]]+[}\]]' | sed 's/{\|}\|\[\|\]//g')
           echo "message=$message" >> $GITHUB_ENV
           if [ -z $message ]; then
               echo "message=$(echo 'Thank you for your contribution! We will review the pull request and get back to you soon.')" >> $GITHUB_ENV

src/containerapp/azext_containerapp/_help.py

@@ -1271,3 +1271,15 @@
               --environment MyContainerappEnv \\
               --compose-file-path "path/to/docker-compose.yml"
 """
+
+helps['containerapp patch list'] = """
+    type: command
+    short-summary: List patchable and unpatchable container apps.
+    examples:
+    - name: List patchable container apps.
+      text: |
+          az containerapp list -g MyResourceGroup --environment MyContainerappEnv
+    - name: List patchable and non-patchable container apps.
+      text: |
+          az containerapp list -g MyResourceGroup --environment MyContainerappEnv --showAll
+"""

src/containerapp/azext_containerapp/_models.py

@@ -293,3 +293,26 @@
         "validationMethod": None  # str
     }
 }
+
+# ContainerApp Patch
+ImageProperties = {
+    "imageName": None,
+    "targetContainerAppName": None
+}
+
+ImagePatchableCheck = {
+    "targetContainerAppName": None,
+    "oldRunImage": None,
+    "newRunImage": None,
+    "id": None,
+    "reason": None
+}
+
+OryxMarinerRunImgTagProperty = {
+    "fullTag": None,
+    "framework": None,
+    "version": None,
+    "marinerVersion": None,
+    "architectures": None,
+    "support": None,
+}

src/containerapp/azext_containerapp/_params.py

@@ -414,3 +414,8 @@ def load_arguments(self, _):
         c.argument('workload_profile_type', help="The type of workload profile to add or update. Run 'az containerapp env workload-profile list-supported -l <region>' to check the options for your region.")
         c.argument('min_nodes', help="The minimum node count for the workload profile")
         c.argument('max_nodes', help="The maximum node count for the workload profile")
+
+    with self.argument_context('containerapp patch list') as c:
+        c.argument('resource_group_name', options_list=['--rg','-g'], configured_default='resource_group_name', id_part=None)
+        c.argument('environment', options_list=['--environment'], help='Name or resource id of the Container App environment.')
+        c.argument('show_all', options_list=['--show-all'],help='Show all patchable and non-patchable containerapps')

src/containerapp/azext_containerapp/_utils.py

@@ -10,6 +10,9 @@
 import docker
 import os
 import requests
+import hashlib
+import packaging.version as SemVer
+import re
 
 from urllib.parse import urlparse
 from datetime import datetime
@@ -34,6 +37,7 @@
                          LOG_ANALYTICS_RP, CONTAINER_APPS_RP, CHECK_CERTIFICATE_NAME_AVAILABILITY_TYPE, ACR_IMAGE_SUFFIX,
                          LOGS_STRING, PENDING_STATUS, SUCCEEDED_STATUS, UPDATING_STATUS)
 from ._models import (ContainerAppCustomDomainEnvelope as ContainerAppCustomDomainEnvelopeModel, ManagedCertificateEnvelop as ManagedCertificateEnvelopModel)
+from ._models import ImagePatchableCheck, OryxMarinerRunImgTagProperty
 
 logger = get_logger(__name__)
 
@@ -1770,3 +1774,76 @@ def get_pack_exec_path():
         print(f"Failed to install pack CLI: {e}\n")
 
     return ""
+
+
+def patchableCheck(repoTagSplit: str, oryxBuilderRunImgTags, bom):
+    tagProp = parseOryxMarinerTag(repoTagSplit)
+    repoTagSplit = repoTagSplit.split("-")
+    if repoTagSplit[1] == "dotnet":
+        matchingVersionInfo = oryxBuilderRunImgTags[repoTagSplit[2]][str(tagProp["version"].major) + "." + str(tagProp["version"].minor)][tagProp["support"]][tagProp["marinerVersion"]]
+
+    # Check if the image minor version is four less than the latest minor version
+    if tagProp["version"] < matchingVersionInfo[0]["version"]:
+        result = ImagePatchableCheck
+        result["targetContainerAppName"] = bom["targetContainerAppName"]
+        result["oldRunImage"] = tagProp["fullTag"]
+        if (tagProp["version"].minor == matchingVersionInfo[0]["version"].minor) and (tagProp["version"].micro < matchingVersionInfo[0]["version"].micro):
+            # Patchable
+            result["newRunImage"] = "mcr.microsoft.com/oryx/builder:" + matchingVersionInfo[0]["fullTag"]
+            result["id"] = hashlib.md5(str(result["oldRunImage"] + result["targetContainerAppName"] + result["newRunImage"]).encode()).hexdigest()
+            result["reason"] = "New security patch released for your current run image."
+        else:
+            # Not patchable
+            result["newRunImage"] = "mcr.microsoft.com/oryx/builder:" + matchingVersionInfo[0]["fullTag"]
+            result["reason"] = "The image is not pachable Please check for major or minor version upgrade."
+    else:
+        result = ImagePatchableCheck
+        result["targetContainerAppName"] = bom["targetContainerAppName"]
+        result["oldRunImage"] = tagProp["fullTag"]
+        result["reason"] = "You're already up to date!"
+    return result
+
+
+def getCurrentMarinerTags() -> list(OryxMarinerRunImgTagProperty):
+    r = requests.get("https://mcr.microsoft.com/v2/oryx/builder/tags/list")
+    tags = r.json()
+    # tags = dict(tags=["run-dotnet-aspnet-7.0.1-cbl-mariner2.0", "run-dotnet-aspnet-7.0.1-cbl-mariner1.0", "run-dotnet-aspnet-7.1.0-cbl-mariner2.0"])
+    tagList = {}
+    # only keep entries that container keyword "mariner"
+    tags = [tag for tag in tags["tags"] if "mariner" in tag]
+    for tag in tags:
+        tagObj = parseOryxMarinerTag(tag)
+        if tagObj:
+            majorMinorVer = str(tagObj["version"].major) + "." + str(tagObj["version"].minor)
+            support = tagObj["support"]
+            framework = tagObj["framework"]
+            marinerVer = tagObj["marinerVersion"]
+            if framework in tagList.keys():
+                if majorMinorVer in tagList[framework].keys():
+                    if support in tagList[framework][majorMinorVer].keys():
+                        if marinerVer in tagList[framework][majorMinorVer][support].keys():
+                            tagList[framework][majorMinorVer][support][marinerVer].append(tagObj)
+                            tagList[framework][majorMinorVer][support][marinerVer].sort(reverse=True, key=lambda x: x["version"])
+                        else:
+                            tagList[framework][majorMinorVer][support][marinerVer] = [tagObj]
+                    else:
+                        tagList[framework][majorMinorVer][support] = {marinerVer: [tagObj]}
+                else:
+                    tagList[framework][majorMinorVer] = {support: {marinerVer: [tagObj]}}
+            else:
+                tagList[framework] = {majorMinorVer: {support: {marinerVer: [tagObj]}}}
+    return tagList
+
+
+def parseOryxMarinerTag(tag: str) -> OryxMarinerRunImgTagProperty:
+    tagSplit = tag.split("-")
+    if tagSplit[0] == "run" and tagSplit[1] == "dotnet":
+        versionRE = r"(\d+\.\d+(\.\d+)?).*?(cbl-mariner(\d+\.\d+))"
+        REmatches = re.findall(versionRE, tag)
+        if REmatches.count == 0:
+            tagObj = None
+        else:
+            tagObj = dict(fullTag=tag, version=SemVer.parse(REmatches[0][0]), framework=tagSplit[2], marinerVersion=REmatches[0][2], architectures=None, support="lts")
+    else:
+        tagObj = None
+    return tagObj

src/containerapp/azext_containerapp/commands.py

@@ -199,3 +199,6 @@ def load_command_table(self, _):
         g.custom_show_command('show', 'show_workload_profile')
         g.custom_command('set', 'set_workload_profile')
         g.custom_command('delete', 'delete_workload_profile')
+
+    with self.command_group('containerapp patch', is_preview=True) as g:
+        g.custom_command('list', 'patch_list')