
ci: fix pipeline vulnerabilities#659

Merged

Prajwal-Microsoft merged 3 commits into main from pls-pipeline-security-fix on Jan 12, 2026

Conversation

@Vamshi-Microsoft
Contributor

Purpose

This pull request makes several improvements to the GitHub Actions workflows for deployment, focusing on enhancing security, maintainability, and reliability. The main changes include adding explicit permissions to workflows, removing redundant Azure CLI installation steps, improving environment variable handling, and introducing robust input parameter validation for Linux deployments.

Security and Permissions:

  • Added explicit permissions blocks (with contents: read and actions: read) to all deployment-related workflow YAML files to follow GitHub's least-privilege principle and improve security. [1] [2] [3] [4] [5] [6] [7]

Workflow Maintenance and Simplification:

  • Removed redundant manual Azure CLI installation steps from all workflows, relying instead on pre-installed tools or dedicated setup actions, which simplifies maintenance and reduces the risk of errors. [1] [2] [3] [4]
  • Replaced manual Azure Developer CLI (azd) installation with the official Azure/setup-azd@v2 GitHub Action for better reliability and maintainability.

Input Validation and Environment Handling:

  • Introduced a comprehensive input parameter validation step at the start of the Linux deployment workflow (job-deploy-linux.yml). This step checks for required fields, validates formats, and provides clear error messages, preventing misconfigured deployments early in the process.
  • Improved handling of environment variables and workflow inputs throughout the Linux deployment workflow, ensuring that secrets and parameters are passed securely and consistently to scripts and deployment steps. [1] [2] [3] [4]

These changes collectively improve the security, reliability, and maintainability of the deployment workflows.

Does this introduce a breaking change?

  • Yes
  • No

Golden Path Validation

  • I have tested the primary workflows (the "golden path") to ensure they function correctly without errors.

Deployment Validation

  • I have validated the deployment process successfully and all services are running as expected with this change.

What to Check

Verify that the following are valid

  • I have built and tested the code locally and in a deployed app
  • For frontend changes, I have pulled the latest code from main, built the frontend, and committed all static files.
  • This is a change for all users of this app. No code or asset is specific to my use case or my organization.
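The description above says the new validation step in job-deploy-linux.yml checks required fields, validates formats and prints clear error messages before anything is deployed. The function below is an added example of that pattern, not the project's own code: the input names (AZURE_ENV_NAME, AZURE_LOCATION, RESOURCE_GROUP) and the format rules are assumptions, since the PR page does not show the real parameter list.

```shell
#!/usr/bin/env bash
# Added example (not from the PR): a "validate inputs" step as it could run at
# the top of a Linux deployment workflow before any Azure CLI / azd call.
# Input names and format rules below are ASSUMED for illustration.
# Usage in a step:  validate_inputs "$AZURE_ENV_NAME" "$AZURE_LOCATION" "$RESOURCE_GROUP"
# Returns 0 if everything passes, 1 otherwise. Every problem is reported on its
# own line (as a GitHub Actions ::error:: annotation) so one failed run shows
# all misconfigurations instead of the first one only.
validate_inputs() {
  env_name="$1"; location="$2"; resource_group="$3"
  errors=0

  # 1. Required fields. A missing workflow_dispatch input or an unset secret
  #    reaches the step as an empty string, not as a shell error, so the
  #    absence has to be checked explicitly.
  for pair in "AZURE_ENV_NAME=$env_name" "AZURE_LOCATION=$location" \
              "RESOURCE_GROUP=$resource_group"; do
    name="${pair%%=*}"; value="${pair#*=}"
    if [ -z "$value" ]; then
      echo "::error::$name is required but was empty"
      errors=$((errors + 1))
    fi
  done

  # 2. Format checks (assumed rules): azd environment names are lowercase
  #    alphanumerics and hyphens, Azure locations are short lowercase codes
  #    such as eastus2, resource groups are 1-90 chars of [A-Za-z0-9_.()-]
  #    and must not end with a period. Anything else is rejected here rather
  #    than surfacing later as an opaque provider error (or as unexpected
  #    characters interpolated into a later shell command).
  if [ -n "$env_name" ] && ! printf '%s' "$env_name" | grep -Eq '^[a-z0-9][a-z0-9-]{0,63}$'; then
    echo "::error::AZURE_ENV_NAME '$env_name' must be lowercase alphanumerics/hyphens"
    errors=$((errors + 1))
  fi
  if [ -n "$location" ] && ! printf '%s' "$location" | grep -Eq '^[a-z][a-z0-9]*$'; then
    echo "::error::AZURE_LOCATION '$location' is not a valid region code (e.g. eastus2)"
    errors=$((errors + 1))
  fi
  if [ -n "$resource_group" ]; then
    if ! printf '%s' "$resource_group" | grep -Eq '^[A-Za-z0-9_.()-]{1,90}$'; then
      echo "::error::RESOURCE_GROUP '$resource_group' contains invalid characters or is too long"
      errors=$((errors + 1))
    fi
    case "$resource_group" in
      *.) echo "::error::RESOURCE_GROUP must not end with a period"; errors=$((errors + 1)) ;;
    esac
  fi

  [ "$errors" -eq 0 ]
  return $?
}
```

In a workflow this runs as the first step of the job, so a failing check stops the job before any credentials are used.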

@Prajwal-Microsoft Prajwal-Microsoft merged commit ab815eb into main Jan 12, 2026
11 of 12 checks passed
@github-actions
Contributor

🎉 This PR is included in version 1.7.2 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
