
Add workflow to sync contrib resource types and publish Bicep extensions #11916

Open
kachawla wants to merge 2 commits into main from kachawla/contrib-sync-workflow

Conversation

@kachawla
Member

@kachawla kachawla commented May 15, 2026

Overview

Today the radius Bicep extension is published to biceptypes.azurecr.io via the existing build-and-push-bicep-types job in build.yaml, which dispatches to the radius-publisher pipeline on every push to main and on version tag pushes. With #11915 updating make generate-bicep-types to include contrib types, the existing publish pipeline automatically produces the combined extension -- no new publish workflow is needed.

However, there is no automation to pull updated resource type manifests from resource-types-contrib into this repo. When someone merges a schema change or a new resource type in contrib, the manifest copies committed under deploy/manifest/built-in-providers/ must be refreshed manually via make update-resource-types before the next publish picks them up.

This PR adds a workflow that closes that gap by automating the manifest sync.

How it works

resource-types-contrib merges to main
  |
  +--> notify-radius.yaml (contrib repo, PR 4) fires repository_dispatch
         |
         +--> contrib-update-resource-types.yaml (this PR) receives dispatch
                |
                +--> Runs 'make update-resource-types' to refresh manifest copies
                +--> Opens/updates PR on bot/update-resource-types branch
                       |
                       +--> Human reviews and merges the PR
                              |
                              +--> Push to main triggers build.yaml's existing
                                   build-and-push-bicep-types job
                                     |
                                     +--> Dispatches to radius-publisher
                                     +--> radius-publisher runs make generate-bicep-types
                                          (now includes contrib) and publishes
                                          radius:latest to biceptypes.azurecr.io

What this PR adds

contrib-update-resource-types.yaml

Handles repository_dispatch events (type: resource-types-contrib-updated) from resource-types-contrib.

Triggers:

  • repository_dispatch -- fired by the contrib repo's notify-radius.yaml workflow (PR 4)
  • workflow_dispatch -- commented out for production, can be enabled during development

Steps:

  1. Validates contrib_ref as a hex commit SHA (informational only -- the actual version fetched is determined by make update-resource-types which runs go get ...@latest)
  2. Installs yq (required by make update-resource-types to parse defaults.yaml)
  3. Runs make update-resource-types to bump go.mod to latest contrib and copy manifests
  4. If changes are detected (using git status --porcelain to catch both modified and new untracked files), opens or updates a PR on the bot/update-resource-types branch
  5. Merging that PR triggers the existing publish pipeline to republish radius:latest

Security:

  • contrib_ref is validated against ^[a-f0-9]{7,40}$ and passed via environment variables (not inline ${{ }} interpolation) to prevent shell and script injection
  • Uses GH_RAD_CI_BOT_PAT for checkout and PR creation so the resulting push triggers CI checks (the default GITHUB_TOKEN cannot trigger workflows on pushes it creates)

Note: This workflow depends on make update-resource-types from #11911. It includes a pre-flight check that fails fast with a descriptive error if the target is not yet available.

Dependencies

Changes

  • .github/workflows/contrib-update-resource-types.yaml: New workflow

Part of

Unified Bicep extension publishing (PR 3/4). See design doc.

Add contrib-update-resource-types.yaml workflow that receives
repository_dispatch events from resource-types-contrib whenever its
main branch updates. The workflow:

1. Validates the contrib_ref from the dispatch payload as a hex SHA
2. Installs yq (required by make update-resource-types)
3. Runs make update-resource-types to bump go.mod to the latest
   resource-types-contrib version and copy manifests into
   deploy/manifest/built-in-providers/
4. If changes are detected (including new untracked files), opens or
   updates a PR on the bot/update-resource-types branch
5. Merging that PR triggers the existing build-and-push-bicep-types
   job in build.yaml, which dispatches to radius-publisher to
   republish radius:latest with the refreshed contrib types

Uses GH_RAD_CI_BOT_PAT for checkout and PR creation so the resulting
push triggers CI checks (the default GITHUB_TOKEN cannot trigger
workflows on pushes it creates).

Part of: unified Bicep extension publishing (PR 3/4)

Signed-off-by: Karishma Chawla <kachawla@microsoft.com>
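The two checks the description leans on for safety (rejecting anything that is not a hex commit SHA before it reaches a shell, and deciding "changed or not" from git status --porcelain so new untracked manifests count), plus a fail-fast probe for the make target, as an added example that is not the workflow file from this PR. The porcelain sample and the Makefile probe are constructed; how the PR's own pre-flight check works is not quoted on this page, so the probe is an assumption.

```shell
# Added example (not the workflow file from this PR): the input validation and
# change detection that the PR description relies on, as plain POSIX shell
# functions that run offline. In the workflow, the dispatch payload value would
# reach the step through `env: CONTRIB_REF: ...`, never through inline ${{ }}
# interpolation, so the shell only ever sees it as a variable.

# Accept only a 7..40 character lowercase hex string, the same pattern the PR
# description gives (^[a-f0-9]{7,40}$). Empty input, uppercase, whitespace and
# shell metacharacters all fail the check, so a malformed payload stops the job.
validate_contrib_ref() {
  case "$1" in
    "" | *[!a-f0-9]*) return 1 ;;
  esac
  [ "${#1}" -ge 7 ] && [ "${#1}" -le 40 ]
}

# Constructed `git status --porcelain` output, standing in for what the
# runner sees after `make update-resource-types`: two tracked files modified
# (" M") and one brand-new manifest that is still untracked ("??").
SAMPLE_STATUS=' M deploy/manifest/built-in-providers/example-a.yaml
 M go.mod
?? deploy/manifest/built-in-providers/new-type.yaml'

# Paths from porcelain output ("XY path"): both modified and untracked entries.
# `git diff --quiet` alone would miss the "??" line, which is why the PR uses
# --porcelain to decide whether to open the bot PR.
changed_paths() {
  printf '%s\n' "$1" | sed -n 's/^.. \(.*\)$/\1/p'
}

# Number of untracked entries; `|| true` keeps a zero count from failing under set -e.
untracked_count() {
  printf '%s\n' "$1" | grep -c '^??' || true
}

# Pre-flight check (an assumption about how it is done; the PR's own check is
# not quoted here): fail fast with an actionable message when the Makefile at
# $2 does not define target $1, rather than letting `make` fail later.
preflight_target() {
  if grep -Eq "^$1[[:space:]]*:" "$2"; then
    return 0
  fi
  echo "::error::make target '$1' not found in $2 (requires #11911 to be merged first)" >&2
  return 1
}
```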
Copilot AI review requested due to automatic review settings May 15, 2026 22:46
@kachawla kachawla requested review from a team as code owners May 15, 2026 22:46
@github-actions

github-actions Bot commented May 15, 2026

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

| Package | Version | Score |
| --- | --- | --- |
| actions/actions/checkout | de0fac2e4500dabe0009e67214ff5f5447ce83dd | 🟢 5.7 |

Details

| Check | Score | Reason |
| --- | --- | --- |
| Maintained | ⚠️ 0 | 1 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| Code-Review | 🟢 10 | all changesets reviewed |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions |
| Pinned-Dependencies | ⚠️ 3 | dependency not pinned by hash detected -- score normalized to 3 |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| License | 🟢 10 | license file detected |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| Signed-Releases | ⚠️ -1 | no releases found |
| Security-Policy | 🟢 9 | security policy file detected |
| Branch-Protection | 🟢 5 | branch protection is not maximal on development and all release branches |
| SAST | 🟢 8 | SAST tool detected but not run on all commits |

| Package | Version | Score |
| --- | --- | --- |
| actions/actions/github-script | 3a2844b7e9c422d3c10d287c895573f7108da1b3 | 🟢 7.8 |

Details

| Check | Score | Reason |
| --- | --- | --- |
| Code-Review | 🟢 10 | all changesets reviewed |
| Maintained | 🟢 10 | 21 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Token-Permissions | 🟢 9 | detected GitHub workflow tokens with excessive permissions |
| Pinned-Dependencies | ⚠️ 1 | dependency not pinned by hash detected -- score normalized to 1 |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| License | 🟢 10 | license file detected |
| Signed-Releases | ⚠️ -1 | no releases found |
| Security-Policy | 🟢 9 | security policy file detected |
| SAST | 🟢 10 | SAST tool is run on all commits |
| Branch-Protection | 🟢 6 | branch protection is not maximal on development and all release branches |

| Package | Version | Score |
| --- | --- | --- |
| actions/actions/setup-go | 4a3601121dd01d1626a1e23e37211e3254c1c06c | 🟢 5.6 |

Details

| Check | Score | Reason |
| --- | --- | --- |
| Code-Review | 🟢 10 | all changesets reviewed |
| Maintained | 🟢 5 | 6 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 5 |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions |
| Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0 |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| License | 🟢 10 | license file detected |
| Signed-Releases | ⚠️ -1 | no releases found |
| Security-Policy | 🟢 9 | security policy file detected |
| Branch-Protection | ⚠️ 0 | branch protection not enabled on development/release branches |
| SAST | 🟢 10 | SAST tool is run on all commits |

Scanned Files

  • .github/workflows/contrib-update-resource-types.yaml

Contributor

Copilot AI left a comment


Pull request overview

Adds a new GitHub Actions workflow that listens for repository_dispatch events from radius-project/resource-types-contrib, runs make update-resource-types to refresh the manifest copies under deploy/manifest/built-in-providers/, and opens (or refreshes) a PR on bot/update-resource-types. Merging that PR triggers the existing build-and-push-bicep-types job to republish the unified Bicep extension.

Changes:

  • New workflow contrib-update-resource-types.yaml reacting to resource-types-contrib-updated dispatch events
  • Validates the optional contrib_ref payload as a hex SHA, installs Go + yq, runs make update-resource-types, and force-pushes to bot/update-resource-types
  • Uses actions/github-script with GH_RAD_CI_BOT_PAT to create or update the PR idempotently

@github-actions

github-actions Bot commented May 15, 2026

Unit Tests

    2 files  ±0    423 suites  ±0   6m 57s ⏱️ -4s
5 128 tests ±0  5 126 ✅ ±0  2 💤 ±0  0 ❌ ±0 
6 157 runs  ±0  6 155 ✅ ±0  2 💤 ±0  0 ❌ ±0 

Results for commit a8e2c90. ± Comparison against base commit 7766024.

♻️ This comment has been updated with latest results.

@codecov

codecov Bot commented May 15, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 51.72%. Comparing base (7766024) to head (a8e2c90).

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #11916      +/-   ##
==========================================
- Coverage   51.72%   51.72%   -0.01%     
==========================================
  Files         726      726              
  Lines       45608    45608              
==========================================
- Hits        23593    23589       -4     
- Misses      19792    19794       +2     
- Partials     2223     2225       +2     

☔ View full report in Codecov by Sentry.

Signed-off-by: Karishma Chawla <kachawla@microsoft.com>
@radius-functional-tests

radius-functional-tests Bot commented May 15, 2026

Radius functional test overview

🔍 Go to test action run

Click here to see the test run details
| Name | Value |
| --- | --- |
| Repository | radius-project/radius |
| Commit ref | a8e2c90 |
| Unique ID | funccd15fd3ee4 |
| Image tag | pr-funccd15fd3ee4 |
  • gotestsum 1.13.0
  • KinD: v0.29.0
  • Dapr: 1.14.4
  • Azure KeyVault CSI driver: 1.4.2
  • Azure Workload identity webhook: 1.3.0
  • Bicep recipe location ghcr.io/radius-project/dev/test/testrecipes/test-bicep-recipes/<name>:pr-funccd15fd3ee4
  • Terraform recipe location http://tf-module-server.radius-test-tf-module-server.svc.cluster.local/<name>.zip (in cluster)
  • applications-rp test image location: ghcr.io/radius-project/dev/applications-rp:pr-funccd15fd3ee4
  • dynamic-rp test image location: ghcr.io/radius-project/dev/dynamic-rp:pr-funccd15fd3ee4
  • controller test image location: ghcr.io/radius-project/dev/controller:pr-funccd15fd3ee4
  • ucp test image location: ghcr.io/radius-project/dev/ucpd:pr-funccd15fd3ee4
  • deployment-engine test image location: ghcr.io/radius-project/deployment-engine:latest

Test Status

⌛ Building Radius and pushing container images for functional tests...
✅ Container images build succeeded
⌛ Publishing Bicep Recipes for functional tests...
✅ corerp-cloud functional tests succeeded
✅ Recipe publishing succeeded
⌛ Starting corerp-cloud functional tests...
⌛ Starting ucp-cloud functional tests...
✅ ucp-cloud functional tests succeeded
✅ corerp-cloud functional tests succeeded

    # The default GITHUB_TOKEN cannot trigger workflows on pushes it creates.
    uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
    with:
      token: ${{ secrets.GH_RAD_CI_BOT_PAT }}

Member

issue: related to radius-project/resource-types-contrib#160 (comment); we must eliminate PATs/fake accounts and use GH Apps.

    # deploy/manifest/defaults.yaml.
    run: |
      mkdir -p "${RUNNER_TEMP}/bin"
      GOBIN="${RUNNER_TEMP}/bin" go install github.com/mikefarah/yq/v4@v4.44.3

Member

suggestion: if the tool releases official binaries, then we should use them (with checksum validation if possible) instead of compiling from source ourselves.

    env:
      CONTRIB_REF: ${{ steps.contrib.outputs.ref }}
    with:
      github-token: ${{ secrets.GH_RAD_CI_BOT_PAT }}

Member

issue: same as what I mentioned above - use GH Apps instead of PATs/fake accounts.
