Users/jbujula/maaf cli actions

install-ms-cli/action.yml

@@ -0,0 +1,61 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+#
+# install-ms-cli/action.yml
+#
+# Installs the MAAF `ms` CLI (@microsoft/managed-apps-cli) on the GitHub Actions runner.
+#
+# Defaults to the public npm registry — @microsoft/managed-apps-cli is published there
+# (since 2026-05-14). No inputs are required for standard usage:
+#
+#   - uses: microsoft/powerplatform-actions/install-ms-cli@v1
+#
+# For preview/dev builds from the internal Azure DevOps feed, override the
+# registry inputs:
+#
+#   - uses: microsoft/powerplatform-actions/install-ms-cli@v1
+#     with:
+#       version: '0.3.1-dev.20260511.4'
+#       registry-url: 'https://pkgs.dev.azure.com/msazure/OneAgile/_packaging/PowerPlatform-Managed-Host-consumption/npm/registry/'
+#       registry-auth-token: ${{ secrets.AZURE_DEVOPS_PAT }}
+#
+name: 'install-ms-cli'
+description: 'Power Platform Install MS CLI — installs @microsoft/managed-apps-cli (binary: ms)'
+
+inputs:
+  version:
+    description: >
+      Version of @microsoft/managed-apps-cli to install. Use 'latest' or a specific
+      semver / dev tag. Defaults to 'latest'.
+    required: false
+    default: 'latest'
+
+  registry-url:
+    description: >
+      npm registry URL. Defaults to public npmjs.com. Override for internal
+      Azure DevOps feeds when installing preview/dev builds.
+    required: false
+    default: 'https://registry.npmjs.org'
+
+  registry-auth-token:
+    description: >
+      Auth token for the npm registry. Required when registry-url is a private
+      feed (e.g. Azure DevOps Artifacts). For Azure DevOps, generate a PAT with
+      Packaging (Read) scope in the same organization as the feed.
+    required: false
+    default: ''
+
+  npm-package-name:
+    description: >
+      npm package to install. Defaults to @microsoft/managed-apps-cli, which provides
+      the `ms` binary. Override only for testing alternate builds.
+    required: false
+    default: '@microsoft/managed-apps-cli'
+
+outputs:
+  cli-version:
+    description: 'The installed ms CLI version'
+
+runs:
+  using: 'node24'
+  main: '../dist/actions/install-ms-cli/index.js'

ms-app-deploy/action.yml

@@ -0,0 +1,125 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+#
+# ms-app-deploy/action.yml
+#
+# Deploys a MAAF code app via `ms app deploy`. For escape-hatch apps
+# (repoType:'none'), the artifact must already exist under
+# .ms/packed/apps/<appId>/client/ — produced by the `ms-app-pack` action.
+# For git-backed apps (native/github), deploy resolves the commit and uses
+# the corresponding server-side build.
+#
+# Once the upcoming CLI PR adds `ms app deploy --artifact <path>` and folds
+# pack into deploy for repoType:'none' apps, you can drop the
+# `- uses: ms-app-pack` step from your workflow.
+#
+# The action reads `appId` and `environmentId` from `ms.config.json` in the
+# working directory (written by `ms app create`).
+#
+# CALLER PREREQUISITES:
+#   - install-ms-cli has run earlier in the job.
+#   - For repoType:'none' apps: `ms-app-pack` ran earlier in the job (which
+#     itself requires a prior `npm ci`).
+#
+# ---------------------------------------------------------------------------
+# KNOWN BLOCKER (as of 2026-05):
+#   The Power Apps RP currently rejects Service Principal identities for MAAF
+#   operations (error: ServicePrincipalNotSupportedForMaafOperations). This
+#   action's auth inputs (`app-id`, `client-secret`, `tenant-id`) are wired
+#   to the CLI's documented SPN env vars, but the server will reject them
+#   until either:
+#     (a) the RP enables SPN for MAAF operations, OR
+#     (b) the CLI adds federated/OIDC auth and the RP accepts it.
+#   Track the ask with the MAAF CLI team (Anshul / Casey).
+# ---------------------------------------------------------------------------
+#
+# Example usage:
+#
+#   - uses: actions/checkout@v4
+#   - uses: actions/setup-node@v4
+#     with:
+#       node-version: '22'
+#   - run: npm ci
+#     working-directory: 'maaf-apps'
+#   - uses: microsoft/powerplatform-actions/install-ms-cli@v1
+#   - uses: microsoft/powerplatform-actions/ms-app-pack@v1
+#     with:
+#       working-directory: 'maaf-apps'
+#   - uses: microsoft/powerplatform-actions/ms-app-deploy@v1
+#     with:
+#       working-directory: 'maaf-apps'
+#       app-id:        ${{ secrets.PP_SP_CLIENT_ID }}
+#       client-secret: ${{ secrets.PP_SP_CLIENT_SECRET }}
+#       tenant-id:     ${{ secrets.PP_SP_TENANT_ID }}
+#
+name: 'ms-app-deploy'
+description: 'Power Platform MS App Deploy — deploys a MAAF code app for the given commit'
+
+inputs:
+  # ── App context ───────────────────────────────────────────────────────────
+
+  app-name:
+    description: >
+      Optional override for the MAAF app name. By default the CLI reads
+      `appId` from ms.config.json in the working directory, so this is
+      rarely needed.
+    required: false
+    default: ''
+
+  commit-sha:
+    description: >
+      Commit SHA to deploy. Defaults to GITHUB_SHA (the commit that triggered
+      the workflow). The CLI also falls back to the current git HEAD if
+      neither this input nor GITHUB_SHA is set.
+    required: false
+    default: ''
+
+  cloud:
+    description: >
+      Cloud instance to target. One of: prod, test, preprod, preview,
+      gccmoderate, dev. The MAAF end-to-end flow is currently supported only
+      in 'test'. Maps to MS_CLI_CLOUD_INSTANCE.
+    required: false
+    default: 'test'
+
+  working-directory:
+    description: >
+      Path to the app directory containing ms.config.json and package.json.
+      Defaults to GITHUB_WORKSPACE.
+    required: false
+    default: ''
+
+  # ── Service Principal authentication (optional, currently RP-blocked) ─────
+  # All three must be provided together to enable SPN mode. If any is empty,
+  # the action will not set MS_CLI_USE_SP_AUTH and the CLI will fail with a
+  # clear "not signed in" error rather than silently using a stale identity.
+
+  app-id:
+    description: 'SPN client ID. Maps to MS_CLI_SP_CLIENT_ID.'
+    required: false
+    default: ''
+
+  client-secret:
+    description: >
+      SPN client secret. Maps to MS_CLI_SP_CLIENT_SECRET. Pass as a secret.
+    required: false
+    default: ''
+
+  tenant-id:
+    description: 'AAD tenant ID. Maps to MS_CLI_SP_TENANT_ID.'
+    required: false
+    default: ''
+
+outputs:
+  app-id:
+    description: 'Deployed app id (GUID), parsed from `ms app deploy --json`.'
+
+  environment-id:
+    description: 'Environment id the app was deployed to.'
+
+  commit-sha:
+    description: 'The commit SHA that was deployed.'
+
+runs:
+  using: 'node24'
+  main: '../dist/actions/ms-app-deploy/index.js'

ms-app-pack/action.yml

@@ -0,0 +1,79 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+#
+# ms-app-pack/action.yml
+#
+# Packs a MAAF code app into a deployable artifact by invoking `ms app pack`.
+# Pack runs the `buildCommand` from ms.config.json (default `npm run build`)
+# and copies the build output to the canonical packed layout at
+#   <workingDirectory>/.ms/packed/apps/<appId>/client/
+#
+# After pack, `ms-app-deploy` picks up the artifact automatically.
+#
+# This action is a transitional step. The MAAF CLI is adding a `--artifact`
+# flag to `ms app deploy` that will fold pack into deploy for repoType:'none'
+# apps. Once that ships, you can drop the `- uses: ms-app-pack` step from
+# your workflow.
+#
+# CALLER PREREQUISITES:
+#   - install-ms-cli has run earlier in the job.
+#   - `npm ci` (or `npm install`) was run in the working directory so that
+#     `npm run build` can resolve node_modules.
+#
+# Example usage:
+#
+#   - uses: actions/checkout@v4
+#   - uses: actions/setup-node@v4
+#     with:
+#       node-version: '22'
+#   - run: npm ci
+#     working-directory: 'maaf-apps'
+#   - uses: microsoft/powerplatform-actions/install-ms-cli@v1
+#   - uses: microsoft/powerplatform-actions/ms-app-pack@v1
+#     with:
+#       working-directory: 'maaf-apps'
+#       app-id:        ${{ secrets.PP_SP_CLIENT_ID }}
+#       client-secret: ${{ secrets.PP_SP_CLIENT_SECRET }}
+#       tenant-id:     ${{ secrets.PP_SP_TENANT_ID }}
+#   - uses: microsoft/powerplatform-actions/ms-app-deploy@v1
+#     with:
+#       working-directory: 'maaf-apps'
+#       app-id:        ${{ secrets.PP_SP_CLIENT_ID }}
+#       client-secret: ${{ secrets.PP_SP_CLIENT_SECRET }}
+#       tenant-id:     ${{ secrets.PP_SP_TENANT_ID }}
+#
+name: 'ms-app-pack'
+description: 'Power Platform MS App Pack — builds and packs a MAAF code app into a deployable artifact'
+
+inputs:
+  working-directory:
+    description: >
+      Path to the app directory containing ms.config.json and package.json.
+      Defaults to GITHUB_WORKSPACE.
+    required: false
+    default: ''
+
+  # ── Service Principal authentication ──
+  # Required even for pack (which doesn't make any RP calls itself), because
+  # the CLI auto-activates SP auth in CI mode (CI=true is set by GitHub
+  # Actions) and validates that MS_CLI_SP_* env vars are present at startup.
+
+  app-id:
+    description: 'SPN client ID. Maps to MS_CLI_SP_CLIENT_ID.'
+    required: false
+    default: ''
+
+  client-secret:
+    description: >
+      SPN client secret. Maps to MS_CLI_SP_CLIENT_SECRET. Pass as a secret.
+    required: false
+    default: ''
+
+  tenant-id:
+    description: 'AAD tenant ID. Maps to MS_CLI_SP_TENANT_ID.'
+    required: false
+    default: ''
+
+runs:
+  using: 'node24'
+  main: '../dist/actions/ms-app-pack/index.js'