ci: env var and token handling improvements #12072

Merged: DariuszPorowski merged 4 commits into main from dp/unaware-aphid on Jun 8, 2026

@DariuszPorowski

Member

Description

CI-only maintenance changes to the GitHub Actions workflows. No Radius runtime functionality is affected. Two logical changes are included:

  1. Adopt the built-in github.token — replaces secrets.GH_RAD_CI_BOT_PAT (and a stray secrets.GITHUB_TOKEN) with the automatically provided github.token across nine workflows, reducing reliance on a long-lived bot PAT.

  2. Improve environment variable usage in inline shell scripts — converts GitHub Actions ${{ ... }} expressions used inside bash run: blocks to native shell variable syntax ("${VAR}"). Values that are not already environment variables (secrets, matrix, inputs, steps.*.outputs) are mapped through step-level env: blocks so they are visible to the shell and no longer interpolated directly into the script body, hardening the workflows against shell script injection. YAML fields (if:, with:, name:, etc.), actions/github-script blocks, with: client payloads, and Markdown comment bodies are intentionally left unchanged.

Affected workflows

build.yaml, c9k-failure-report.yml, devcontainer-feature-test.yaml, functional-test-cloud.yaml, functional-test-noncloud.yaml, lint.yaml, long-running-azure.yaml, nightly-rad-CLI-tests.yaml, publish-de-image.yaml, publish-docs.yaml, purge-aws-test-resources.yaml, purge-azure-test-resources.yaml, purge-old-images.yaml, radius-bot.yaml, release-verification.yaml, release.yaml, spellcheck.yaml, unit-tests.yaml, validate-bicep.yaml

Type of change

  • This pull request is a minor refactor, code cleanup, test improvement, or other maintenance task and doesn't change the functionality of Radius (issue link optional).

Contributor checklist

Please verify that the PR meets the following requirements, where applicable:

  • An overview of proposed schema changes is included in a linked GitHub issue.
    • Yes
    • Not applicable
  • A design document is added or updated under eng/design-notes/ in this repository, if new APIs are being introduced.
    • Yes
    • Not applicable
  • The design document has been reviewed and approved by Radius maintainers/approvers.
    • Yes
    • Not applicable
  • A PR for resource-types-contrib is created, if resource types or recipes are affected by the changes in this PR.
    • Yes
    • Not applicable
  • A PR for dashboard is created, if the Radius Dashboard is affected by the changes in this PR.
    • Yes
    • Not applicable
  • A PR for the documentation repository is created, if the changes in this PR affect the documentation or any user facing updates are made.
    • Yes
    • Not applicable
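
An added example, not part of the pull request or the Radius repository: a small Python check that flags `${{ ... }}` expressions left inside `run:` script bodies, the pattern that change 2 moves behind step-level `env:` mappings. The workflow text is constructed for illustration (the job, step and output names are assumptions), and the scanner is line-based rather than a full YAML parser.

```python
import re

# Matches a GitHub Actions expression and captures its body, e.g. "inputs.version".
EXPR = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
# Matches a "run:" key, optionally as the first key of a step ("- run:").
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")

def find_run_expressions(workflow_text):
    """Return (line_number, expression) for each ${{ ... }} inside a run: script."""
    findings = []
    block_col = None  # column of the run: key while inside its block scalar
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        if block_col is not None:
            indent = len(line) - len(line.lstrip())
            if line.strip() and indent <= block_col:
                block_col = None  # dedent: the script body has ended
            else:
                findings += [(lineno, e) for e in EXPR.findall(line)]
                continue
        m = RUN_KEY.match(line)
        if not m:
            continue  # if:, with:, env: and other YAML fields are not script text
        value = m.group(2)
        if value[:1] in ("|", ">"):
            block_col = len(m.group(1))  # multi-line script follows
        else:
            findings += [(lineno, e) for e in EXPR.findall(value)]  # one-line script
    return findings

# Constructed sample workflow (not taken from the Radius repository).
SAMPLE = """\
jobs:
  verify:
    runs-on: ubuntu-latest
    steps:
      - name: interpolated into the script body
        run: |
          echo "Verifying ${{ inputs.version }}"
          ./test.sh ${{ matrix.baseImage }}
      - name: mapped through step-level env
        env:
          VERSION: ${{ inputs.version }}
        run: |
          echo "Verifying ${VERSION}"
        if: ${{ always() }}
      - run: echo "${{ steps.meta.outputs.tag }}"
"""

if __name__ == "__main__":
    for lineno, expr in find_run_expressions(SAMPLE):
        print(f"line {lineno}: ${{{{ {expr} }}}} is interpolated into the script body")
```

Expressions under `env:` and `if:` are not reported, matching the description's note that YAML fields are intentionally left unchanged.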

Signed-off-by: Dariusz Porowski <3431813+DariuszPorowski@users.noreply.github.com>
Signed-off-by: Dariusz Porowski <3431813+DariuszPorowski@users.noreply.github.com>
Copilot AI review requested due to automatic review settings June 8, 2026 20:46
@DariuszPorowski DariuszPorowski requested review from a team as code owners June 8, 2026 20:46
@github-actions

github-actions Bot commented Jun 8, 2026


Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

@DariuszPorowski DariuszPorowski changed the title CI workflow environment variable and token handling improvements ci: env var and token handling improvements Jun 8, 2026
@DariuszPorowski DariuszPorowski self-assigned this Jun 8, 2026

Copilot AI left a comment

Contributor


Pull request overview

This PR performs CI-only maintenance across multiple GitHub Actions workflows by (1) standardizing on the built-in github.token instead of a bot PAT and (2) reducing direct ${{ ... }} expression interpolation inside run: blocks by mapping values through step env: and using shell variables, improving safety and consistency.

Changes:

  • Replace secrets.GH_RAD_CI_BOT_PAT / secrets.GITHUB_TOKEN usage with ${{ github.token }} in affected workflows, paired with explicit job/step permissions where needed.
  • Refactor inline bash scripts to use shell variables (e.g., "${VAR}") and step-level env: mappings instead of ${{ ... }} inside the script body.
  • Minor quoting/consistency improvements around paths, gh CLI usage, and registry/login commands.

Reviewed changes

Copilot reviewed 19 out of 19 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| .github/workflows/validate-bicep.yaml | Use ${BICEP_VER} and $GITHUB_WORKSPACE in shell to avoid expression interpolation in run: blocks. |
| .github/workflows/unit-tests.yaml | Install gotestsum using shell var expansion instead of workflow expression inside the script. |
| .github/workflows/spellcheck.yaml | Use ${ACTION_LINK} in the step summary script output. |
| .github/workflows/release.yaml | Pass step outputs via env: into scripts; remove ${{ ... }} from bash run: bodies. |
| .github/workflows/release-verification.yaml | Pass inputs.version through env: and quote in shell usage. |
| .github/workflows/radius-bot.yaml | Switch to ${{ github.token }} and add required issues: write permission for issue assignment. |
| .github/workflows/purge-old-images.yaml | Switch to ${{ github.token }} and scope permissions for issue creation on failure. |
| .github/workflows/purge-azure-test-resources.yaml | Replace ${{ ... }} usage inside shell with env vars; switch to ${{ github.token }} for issue creation. |
| .github/workflows/purge-aws-test-resources.yaml | Quote ${AWS_RESOURCE_TYPES} in script call and switch issue creation to ${{ github.token }}. |
| .github/workflows/publish-docs.yaml | Use shell variables and proper quoting when writing to $GITHUB_ENV. |
| .github/workflows/publish-de-image.yaml | Pass workflow run id via env: and use shell variable in gh run view. |
| .github/workflows/nightly-rad-CLI-tests.yaml | Map matrix values via env: for shell use; switch issue creation auth to ${{ github.token }}. |
| .github/workflows/long-running-azure.yaml | Replace expression interpolation with env vars in scripts; add permissions and secret-to-env mappings for shell usage. |
| .github/workflows/lint.yaml | Quote ${HELM_CHARTS_DIR} usage in shell. |
| .github/workflows/functional-test-noncloud.yaml | Map PR/input/matrix values to env: for shell use; reduce ${{ ... }} in run: blocks. |
| .github/workflows/functional-test-cloud.yaml | Map PR/input/matrix/secrets to env: for shell use; switch issue creation auth to ${{ github.token }}. |
| .github/workflows/devcontainer-feature-test.yaml | Pass matrix.baseImage via step env: and quote in shell usage. |
| .github/workflows/c9k-failure-report.yml | Replace secrets.GITHUB_TOKEN usage with ${{ github.token }}. |
| .github/workflows/build.yaml | Quote shell variables in copy/publish steps; use ${{ github.token }} for helm/gh auth via GH_TOKEN. |

Comment thread .github/workflows/long-running-azure.yaml Outdated
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Dariusz Porowski <3431813+DariuszPorowski@users.noreply.github.com>
brooke-hamilton previously approved these changes Jun 8, 2026
@github-actions

github-actions Bot commented Jun 8, 2026


Unit Tests

    2 files  ±0    438 suites  ±0   7m 29s ⏱️ +13s
5 322 tests ±0  5 320 ✅ ±0  2 💤 ±0  0 ❌ ±0 
6 476 runs  ±0  6 474 ✅ ±0  2 💤 ±0  0 ❌ ±0 

Results for commit eeffd52. ± Comparison against base commit 1dbd9a1.

♻️ This comment has been updated with latest results.

@codecov

codecov Bot commented Jun 8, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 52.13%. Comparing base (1dbd9a1) to head (eeffd52).

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #12072      +/-   ##
==========================================
- Coverage   52.13%   52.13%   -0.01%     
==========================================
  Files         734      734              
  Lines       46704    46704              
==========================================
- Hits        24350    24349       -1     
- Misses      20017    20019       +2     
+ Partials     2337     2336       -1     

Signed-off-by: Dariusz Porowski <3431813+DariuszPorowski@users.noreply.github.com>
@radius-functional-tests

radius-functional-tests Bot commented Jun 8, 2026


Radius functional test overview

| Name | Value |
| --- | --- |
| Repository | radius-project/radius |
| Commit ref | eeffd52 |
| Unique ID | func3e0866d314 |
| Image tag | pr-func3e0866d314 |
  • gotestsum 1.13.0
  • KinD: v0.29.0
  • Dapr: 1.14.4
  • Azure KeyVault CSI driver: 1.4.2
  • Azure Workload identity webhook: 1.3.0
  • Bicep recipe location ghcr.io/radius-project/dev/test/testrecipes/test-bicep-recipes/<name>:pr-func3e0866d314
  • Terraform recipe location http://tf-module-server.radius-test-tf-module-server.svc.cluster.local/<name>.zip (in cluster)
  • applications-rp test image location: ghcr.io/radius-project/dev/applications-rp:pr-func3e0866d314
  • dynamic-rp test image location: ghcr.io/radius-project/dev/dynamic-rp:pr-func3e0866d314
  • controller test image location: ghcr.io/radius-project/dev/controller:pr-func3e0866d314
  • ucp test image location: ghcr.io/radius-project/dev/ucpd:pr-func3e0866d314
  • deployment-engine test image location: ghcr.io/radius-project/deployment-engine:latest

Test Status

⌛ Building Radius and pushing container images for functional tests...
✅ Container images build succeeded
⌛ Publishing Bicep Recipes for functional tests...
✅ Recipe publishing succeeded
⌛ Starting corerp-cloud functional tests...
⌛ Starting ucp-cloud functional tests...
✅ ucp-cloud functional tests succeeded
✅ corerp-cloud functional tests succeeded

@DariuszPorowski DariuszPorowski enabled auto-merge (squash) June 8, 2026 22:15
@DariuszPorowski DariuszPorowski merged commit e55f23f into main Jun 8, 2026
67 checks passed
@DariuszPorowski DariuszPorowski deleted the dp/unaware-aphid branch June 8, 2026 22:39