chore: pin azldev version via .azldev-version file

.azldev-version

@@ -0,0 +1 @@
+ab4a1581cd1d793ff800240f3c14062849675057

.github/instructions/pr-check-workflows.instructions.md

@@ -31,7 +31,7 @@ If the check builds, renders, or runs PR code, do the whole thing inside the bui
 
 The shared runner image is [`.github/workflows/containers/azldev-runner.Dockerfile`](../workflows/containers/azldev-runner.Dockerfile). It's a minimal Azure Linux base with `mock`, `git`, `python3`, `sudo`, and `azldev` itself (installed to `/usr/local/bin` during image build) — enough to run any `azldev` subcommand. Reuse it rather than building a per-check image; add extras via a derived `FROM localhost/azldev-runner` stage if a check genuinely needs more.
 
-`azldev` is baked in via `go install …/azldev@main` during image build. The pin lives in the Dockerfile so it can be reviewed and bumped deliberately. Image build context is `.github/workflows/containers/` only — keep it that way so the build can never see PR-controlled files.
+`azldev` is baked in via `go install` during image build. The version is pinned in `.azldev-version` at the repo root and passed to the Dockerfile as `--build-arg AZLDEV_VERSION=…`. All CI workflows (GH Actions, ADO, Dockerfile) read from the same file. Image build context is `.github/workflows/containers/` only — keep it that way so the build can never see PR-controlled files.
 
 Build it with the caller's UID so bind-mounted writes don't end up root-owned:
 
@@ -40,6 +40,7 @@ Build it with the caller's UID so bind-mounted writes don't end up root-owned:
   run: |
     docker build \
       --build-arg UID=$(id -u) \
+      --build-arg AZLDEV_VERSION="$(cat .azldev-version)" \
       -t localhost/azldev-runner \
       -f .github/workflows/containers/azldev-runner.Dockerfile \
       .github/workflows/containers/

.github/workflows/ado/sources-upload.yml

@@ -32,7 +32,6 @@
 #   Required variables:
 #     - ApiAudience          : Entra ID audience URI for the Control Tower app
 #     - ApiBaseDirectUrl     : Direct base URL of the Control Tower APIM endpoint (bypasses Azure Front Door)
-#     - AzldevCommit         : Commit hash for azldev (go install ...@<commit>)
 
 # Trigger controlled by ADO branch policy — not YAML triggers.
 trigger: none

.github/workflows/ado/templates/sources-upload-stages.yml

@@ -101,8 +101,9 @@ stages:
               echo "##[endgroup]"
 
               echo "##[group]Azldev"
-              echo "Installing azldev@${AZLDEV_COMMIT}..."
-              go install "github.com/microsoft/azure-linux-dev-tools/cmd/azldev@${AZLDEV_COMMIT}"
+              AZLDEV_VERSION=$(cat .azldev-version)
+              echo "Installing azldev@${AZLDEV_VERSION}..."
+              go install "github.com/microsoft/azure-linux-dev-tools/cmd/azldev@${AZLDEV_VERSION}"
 
               go_bin_path="$(go env GOPATH)/bin"
               echo "##vso[task.prependpath]$go_bin_path"
@@ -114,8 +115,6 @@ stages:
               pip install -r .github/workflows/scripts/control-tower/requirements.txt
               echo "##[endgroup]"
             displayName: "Install dependencies"
-            env:
-              AZLDEV_COMMIT: $(AzldevCommit)
 
           # Verify lock files are current. --check-only validates without
           # writing, exits nonzero if any lock would change.

.github/workflows/check-rendered-specs.yml

@@ -77,6 +77,7 @@ jobs:
         run: |
           docker build \
             --build-arg UID=$(id -u) \
+            --build-arg AZLDEV_VERSION="$(cat .azldev-version)" \
             -t localhost/azldev-runner \
             -f .github/workflows/containers/azldev-runner.Dockerfile \
             .github/workflows/containers/
@@ -238,6 +239,7 @@ jobs:
         run: |
           docker build \
             --build-arg UID=$(id -u) \
+            --build-arg AZLDEV_VERSION="$(cat .azldev-version)" \
             -t localhost/azldev-runner \
             -f .github/workflows/containers/azldev-runner.Dockerfile \
             .github/workflows/containers/

.github/workflows/containers/azldev-runner.Dockerfile

@@ -35,12 +35,14 @@ RUN tdnf -y install \
     symcrypt-openssl \
     && tdnf clean all
 
-# TODO: pin to a tagged release once azure-linux-dev-tools cuts one.
-# `@main` is a moving target — fine while azldev is pre-1.0 and we want
-# CI to track upstream, but we should swap to `@vX.Y.Z` (and bump it
-# deliberately) once the tool stabilizes. ADO #18834
-RUN GOBIN=/usr/local/bin go install \
-    github.com/microsoft/azure-linux-dev-tools/cmd/azldev@main \
+# The version is passed in as a build arg from .azldev-version in the repo
+# root.  Callers (check-rendered-specs.yml, etc.) read the file and pass it
+# via --build-arg so the Dockerfile never needs repo-root build context.
+# No default — omitting --build-arg will fail the build loudly.
+ARG AZLDEV_VERSION
+RUN test -n "${AZLDEV_VERSION}" || { echo "ERROR: AZLDEV_VERSION build-arg is required (read from .azldev-version)" >&2; exit 1; } \
+    && GOBIN=/usr/local/bin go install \
+    "github.com/microsoft/azure-linux-dev-tools/cmd/azldev@${AZLDEV_VERSION}" \
     && rm -rf /root/go /root/.cache
 
 ARG UID=1000

.github/workflows/lint.yaml

@@ -30,8 +30,8 @@ jobs:
           cache: false
 
       - name: Install azldev
-        run: go install github.com/microsoft/azure-linux-dev-tools/cmd/azldev@main
+        run: |
+          go install "github.com/microsoft/azure-linux-dev-tools/cmd/azldev@$(cat .azldev-version)"
 
       - name: "Validate config (strict)"
         run: azldev config dump > /dev/null
-

DEVELOPING.md

@@ -7,7 +7,7 @@
 The [`azldev`](https://github.com/microsoft/azure-linux-dev-tools) CLI tool drives all component, image, and build workflows. Install it from source (requires Go):
 
 ```bash
-go install github.com/microsoft/azure-linux-dev-tools/cmd/azldev@main
+go install "github.com/microsoft/azure-linux-dev-tools/cmd/azldev@$(cat .azldev-version)"
 ```
 
 > **Note:** azldev is still in active development, using the latest commit from the `main` branch is recommended for the most up-to-date features and fixes.