Users/jbujula/maaf cli actions#698
Open
jbujula wants to merge 14 commits into
Open
Conversation
Update src/pacPackageInfo.json to the latest stable PAC CLI release on NuGet. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Introduces two new GitHub Actions wrapping the @microsoft/apps-cli (binary: ms) for Microsoft Apps Authoring Framework (MAAF) code-app workflows: - setup-ms: installs the ms CLI on the runner. Supports the internal Azure DevOps feed (PowerPlatform-Managed-Host-consumption) since the public @microsoft/apps-cli on npm is currently a placeholder. - ms-app-deploy: orchestrates the dogfood publish flow for the current commit — triggers ms app build, polls ms app build-status until terminal, then runs ms app deploy. Reads appId and environmentId from ms.config.json. Both actions target node24 to match the recent runtime migration. Known constraint: the Power Apps RP currently rejects service principal identities for MAAF operations (ServicePrincipalNotSupportedForMaafOperations). The action exposes SPN inputs against the CLI's documented env-var contract but will fail at the RP gate until SPN is enabled or federated auth lands. See action.yml comments for the tracking ask with the MAAF CLI team. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Renames the install action to match the repository's existing `actions-install` precedent and remove ambiguity around the bare "ms" name. The companion `ms-app-deploy` action keeps its name since it mirrors the underlying `ms app deploy` CLI command. No behavior change. Updates: - Folder: setup-ms/ → install-ms-cli/ - Folder: src/actions/setup-ms/ → src/actions/install-ms-cli/ - Folder: dist/actions/setup-ms/ → dist/actions/install-ms-cli/ - action.yml `name:` field, description, and inline example - ms-app-deploy import path and prereq error message - Group label and tmp-dir prefix in the install action Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Azure DevOps Artifacts npm feeds use HTTP basic auth with a base64-encoded PAT in the `_password` field. The `_authToken` field expects an OAuth bearer token, which a PAT is not — passing a PAT there returns "npm error code E401 Incorrect or missing password". Detect the ADO host pattern (pkgs.dev.azure.com) and emit username + base64 `_password` + email instead of `_authToken`. Non-ADO feeds continue to use `_authToken` as before. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| // PAT in `_password`. The `_authToken` field expects an OAuth bearer token, | ||
| // which a PAT is NOT — using it produces a 401 "Incorrect or missing password". | ||
| // For non-ADO feeds, the bearer-style `_authToken` is the correct form. | ||
| const isAzureDevOps = /pkgs\.dev\.azure\.com/i.test(registryUrl); |
The ms-app-deploy bundle was built before the setup-ms → install-ms-cli rename completed cleanly, so it still embedded the old core.startGroup label "setup-ms:". The label is bundled at build time because ms-app-deploy imports MsInstalledEnvVarName from install-ms-cli, which also triggers install-ms-cli's top-level IIFE on require. Clean-rebuild (gulp clean + compile + dist) regenerates the bundle against the current install-ms-cli source. No behavior change. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The MAAF Git Inner Loop spec (§7.1) makes builds JIT — `ms app deploy` auto-triggers a server-side build for a commit if one doesn't exist. The older `ms app build` verb is deprecated, and the CLI itself now rejects it: "`ms app build-app` is deprecated and the `--environment-id` flag has been removed. The replacement flow is `ms app create` (scaffolds the app and writes power.config.json) followed by `ms app deploy`." Changes: - Remove runBuild() and pollBuildStatus() — only ms app deploy is called. - Drop unused inputs: build-timeout-seconds, build-poll-interval-seconds, skip-build. Drop unused output: build-operation-id. - Look for power.config.json first (current CLI), fall back to ms.config.json. - Refresh action.yml example: install-ms-cli needs no inputs by default now that @microsoft/apps-cli@0.4.0 is on public npm (published 2026-05-14). - Update install-ms-cli docs to lead with the public-npm zero-input pattern. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The CLI's deprecated `ms app build-app` error message references `power.config.json`, but the active config filename in current @microsoft/apps-cli releases (0.3.x, 0.4.x) is still `ms.config.json` (see microsoft-apps-common AppConfig.ts). Only check ms.config.json and update the action.yml comments accordingly. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Switches the action to the MAAF artifact / escape-hatch deploy path (spec §7.5). Calls `ms app pack` to build and pack a deployable artifact locally, then `ms app deploy` to upload and deploy it. This bypasses the server-side build and the Repositories.MicrosoftApps.Build.Write permission requirement that blocked the previous git-build flow. Matches the working local flow: npm ci → ms app pack → ms app deploy Caller is expected to run `npm ci` (or `npm install`) in the working directory before the action — `ms app pack` runs `npm run build` and needs node_modules to be present. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Separates pack from deploy so each is a distinct workflow step. Matches the repo's existing one-verb-per-action convention (export-solution, import-solution, etc.). When the upcoming CLI PR ships `ms app deploy --artifact` and folds pack into deploy for repoType:'none' apps, consumers will be able to drop the `- uses: ms-app-pack` step from their workflow with no other changes. ms-app-pack: - Invokes `ms app pack --non-interactive --json` - Inputs: working-directory (only). No auth or cloud needed for pack. - Requires install-ms-cli to have run earlier. - Requires a prior `npm ci` so `npm run build` can resolve node_modules. ms-app-deploy: - Drops the internal runPack() call. - Description updated; example workflow shows the explicit pack step. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
`ms app pack` does not make RP calls, but the CLI auto-activates Service Principal auth in CI mode (CI=true is set by GitHub Actions runners) and validates that MS_CLI_SP_CLIENT_ID / MS_CLI_SP_CLIENT_SECRET / MS_CLI_SP_TENANT_ID are set at startup. Without them, pack exits with: "Service principal environment variables MS_CLI_SP_CLIENT_ID, MS_CLI_SP_CLIENT_SECRET, and MS_CLI_SP_TENANT_ID must be set" Add the same app-id / client-secret / tenant-id inputs to ms-app-pack as ms-app-deploy has, and forward them to the child process's env. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The MAAF CLI was republished on public npm under a new name: @microsoft/apps-cli → @microsoft/managed-apps-cli Source files (install-ms-cli/action.yml, src/actions/install-ms-cli/index.ts) were already updated to reference the new package name, but the dist bundles still embedded the old name and are out of sync. Also picks up the ms-app-deploy repoType branching: reads `repoType` from ms.config.json and skips `--commit` when repoType is 'none' (escape-hatch apps that pack and upload an artifact, with no git binding on the server). No behavior change beyond the package-name rename and the existing repoType-aware deploy logic that was already in the source. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.