[pull] main from Azure:main

.github/actions-config/mlc_config.json

@@ -6,6 +6,9 @@
     {
       "pattern": "^(https:\\/\\/)?([www.]?)+(microsoft.com\\/)+[\\w\\-\\._~:/?#[\\]@!\\$&'\\(\\)\\*\\+,;=.]+$"
     }
+    {
+      "pattern": "^mailto:"
+    }
   ],
   "httpHeaders": [
     {
@@ -27,4 +30,4 @@
     203,
     206
   ]
-}
+}

.github/dependabot.yml

@@ -7,3 +7,6 @@ updates:
     labels:
       - "Type: Hygiene :broom:"
       - "Needs: Attention :wave:"
+    commit-message:
+      prefix: 'build: '
+

.github/scripts/Invoke-PolicyToBicep.ps1

@@ -43,9 +43,10 @@ param (
 if (-not (Get-Module -ListAvailable -Name ALZ)) {
   # Module doesn't exist, so install it
   Write-Information "====> ALZ module isn't already installed. Installing..." -InformationAction Continue
-  Install-Module -Name ALZ -Force -Scope CurrentUser -ErrorAction Stop
+  Install-Module -Name ALZ -Force -Scope CurrentUser -ErrorAction Stop -RequiredVersion '4.1.5'
   Write-Information "====> ALZ module now installed." -InformationAction Continue
-} else {
+}
+else {
   Write-Information "====> ALZ module is already installed." -InformationAction Continue
 }
 
@@ -157,14 +158,24 @@ function New-PolicySetDefinitionsBicepInputTxtFile {
     [System.Collections.Hashtable]$policySetDefinitionsOutputForBicep = [ordered]@{}
 
     # Loop through child Policy Set/Initiative Definitions if HashTable not == 0
-    if (($policyDefinitions.Count) -ne 0) {
+    if ($policyDefinitions.Count -ne 0) {
       $policyDefinitions | Sort-Object | ForEach-Object {
         if ($null -ne $_.groupNames -and $_.groupNames.Count -ne 0) {
           $joinedGroupNames = "'" + ($_.groupNames -join "','" ) + "'"
-          $policySetDefinitionsOutputForBicep.Add($_.policyDefinitionReferenceId, @($_.policyDefinitionId, $joinedGroupNames))
+          if (![string]::IsNullOrEmpty($_.definitionVersion)) {
+            $policySetDefinitionsOutputForBicep.Add($_.policyDefinitionReferenceId, @($_.policyDefinitionId, $joinedGroupNames, $_.definitionVersion))
+          }
+          else {
+            $policySetDefinitionsOutputForBicep.Add($_.policyDefinitionReferenceId, @($_.policyDefinitionId, $joinedGroupNames, ""))
+          }
         }
         else {
-          $policySetDefinitionsOutputForBicep.Add($_.policyDefinitionReferenceId, @($_.policyDefinitionId, ""))
+          if (![string]::IsNullOrEmpty($_.definitionVersion)) {
+            $policySetDefinitionsOutputForBicep.Add($_.policyDefinitionReferenceId, @($_.policyDefinitionId, "", $_.definitionVersion))
+          }
+          else {
+            $policySetDefinitionsOutputForBicep.Add($_.policyDefinitionReferenceId, @($_.policyDefinitionId, "", ""))
+          }
         }
       }
     }
@@ -183,11 +194,20 @@ function New-PolicySetDefinitionsBicepInputTxtFile {
     if (($policySetDefinitionsOutputForBicep.Count) -ne 0) {
       $policySetDefinitionsOutputForBicep.Keys | Sort-Object | ForEach-Object {
         $definitionReferenceId = $_
+
         $definitionReferenceIdForParameters = $_
         $definitionId = $($policySetDefinitionsOutputForBicep[$_][0])
         $groups = $($policySetDefinitionsOutputForBicep[$_][1])
+        $definitionVersion = $($policySetDefinitionsOutputForBicep[$_][2])
+
+        # Ensure definitionVersion is always set to '' if empty, otherwise wrap it in single quotes
+        if ([string]::IsNullOrEmpty($definitionVersion)) {
+          $definitionVersion = "''"
+        } else {
+          $definitionVersion = "'$definitionVersion'"
+        }
 
-        # If definitionReferenceId or definitionReferenceIdForParameters contains apostrophes, replace that apostrophe with a backslash and an apostrohphe for Bicep string escaping
+        # If definitionReferenceId or definitionReferenceIdForParameters contains apostrophes, replace that apostrophe with a backslash and an apostrophe for Bicep string escaping
         if ($definitionReferenceId.Contains("'")) {
           $definitionReferenceId = $definitionReferenceId.Replace("'", "\'")
         }
@@ -201,11 +221,10 @@ function New-PolicySetDefinitionsBicepInputTxtFile {
           $definitionReferenceIdForParameters = "['$definitionReferenceIdForParameters']"
 
           # Add nested array of objects to each Policy Set/Initiative Definition in the Bicep variable, without the '.' before the definitionReferenceId to make it an accessor
-          Add-Content -Path "$rootPath/$definitionsSetLongPath/$defintionsSetTxtFileName" -Encoding "utf8" -Value "`t`t`t{`r`n`t`t`t`tdefinitionReferenceId: '$definitionReferenceId'`r`n`t`t`t`tdefinitionId: '$definitionId'`r`n`t`t`t`tdefinitionParameters: $policySetDefParamVarCreation$definitionReferenceIdForParameters.parameters`r`n`t`t`t`tdefinitionGroups: [$groups]`r`n`t`t`t}"
-        }
-        else {
+          Add-Content -Path "$rootPath/$definitionsSetLongPath/$defintionsSetTxtFileName" -Encoding "utf8" -Value "`t`t`t{`r`n`t`t`t`tdefinitionReferenceId: '$definitionReferenceId'`r`n`t`t`t`tdefinitionId: '$definitionId'`r`n`t`t`t`tdefinitionParameters: $policySetDefParamVarCreation$definitionReferenceIdForParameters.parameters`r`n`t`t`t`tdefinitionGroups: [$groups]`r`n`t`t`t`tdefinitionVersion: $definitionVersion`r`n`t`t`t}"
+        } else {
           # Add nested array of objects to each Policy Set/Initiative Definition in the Bicep variable
-          Add-Content -Path "$rootPath/$definitionsSetLongPath/$defintionsSetTxtFileName" -Encoding "utf8" -Value "`t`t`t{`r`n`t`t`t`tdefinitionReferenceId: '$definitionReferenceId'`r`n`t`t`t`tdefinitionId: '$definitionId'`r`n`t`t`t`tdefinitionParameters: $policySetDefParamVarCreation.$definitionReferenceIdForParameters.parameters`r`n`t`t`t`tdefinitionGroups: [$groups]`r`n`t`t`t}"
+          Add-Content -Path "$rootPath/$definitionsSetLongPath/$defintionsSetTxtFileName" -Encoding "utf8" -Value "`t`t`t{`r`n`t`t`t`tdefinitionReferenceId: '$definitionReferenceId'`r`n`t`t`t`tdefinitionId: '$definitionId'`r`n`t`t`t`tdefinitionParameters: $policySetDefParamVarCreation.$definitionReferenceIdForParameters.parameters`r`n`t`t`t`tdefinitionGroups: [$groups]`r`n`t`t`t`tdefinitionVersion: $definitionVersion`r`n`t`t`t}"
         }
       }
     }

.github/workflows/bicep-build-to-validate.yml

@@ -11,14 +11,21 @@ on:
       - "**/bicepconfig.json"
   workflow_dispatch: {}
 
+permissions:
+  contents: read
+
 jobs:
   bicep_unit_tests:
     name: Bicep Build & Lint All Modules
     runs-on: ubuntu-latest
-
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
+        with:
+          egress-policy: audit
+
       - name: Checkout Repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
 
@@ -112,17 +119,21 @@ jobs:
   azure_waf:
     name: Test Azure Well-Architected Framework (PSRule)
     runs-on: ubuntu-latest
-
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
+        with:
+          egress-policy: audit
+
       - name: Checkout Repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
 
       # Add pipeline tests for Azure Well-Architected Framework.
       # See https://aka.ms/ps-rule-action for configuration options.
       - name: Run PSRule analysis
-        uses: Microsoft/ps-rule@v2
+        uses: Microsoft/ps-rule@46451b8f5258c41beb5ae69ed7190ccbba84112c # v2.9.0
         with:
           modules: PSRule.Rules.Azure
           baseline: Azure.Preview

.github/workflows/code-review.yml

@@ -7,20 +7,29 @@ on:
       - main
   workflow_dispatch: {}
 
+permissions:
+  contents: read
+
 jobs:
   lint:
+    permissions:
+      contents: read  # for actions/checkout to fetch code
+      statuses: write  # for github/super-linter to mark status of each linter run
     name: Lint code base
     runs-on: ubuntu-latest
-
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
+        with:
+          egress-policy: audit
 
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
 
       - name: Run github/super-linter
-        uses: github/super-linter@v7
+        uses: github/super-linter@b807e99ddd37e444d189cfd2c2ca1274d8ae8ef1 # v7
         env:
           # Lint all code - disabled in as part of #262
           VALIDATE_ALL_CODEBASE: false
@@ -40,15 +49,19 @@ jobs:
   markdown-link-check:
     name: Markdown Link Check
     runs-on: ubuntu-latest
-
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
+        with:
+          egress-policy: audit
+
       - name: Checkout code
-        uses: actions/checkout@master
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # master
         with:
           fetch-depth: 0
 
       - name: Check links in markdown files
-        uses: gaurav-nelson/[email protected].15
+        uses: gaurav-nelson/github-action-markdown-link-check@1b916f2cf6c36510a6059943104e3c42ce6c16bc # 1.0.16
         with:
           config-file: ".github/actions-config/mlc_config.json"
           use-verbose-mode: "yes"

.github/workflows/dependency-review.yml

@@ -0,0 +1,27 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
+        with:
+          egress-policy: audit
+
+      - name: 'Checkout Repository'
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0

.github/workflows/pr-title-check.yml

@@ -7,11 +7,22 @@ on:
       - edited
       - synchronize
 
+permissions:
+  contents: read
+
 jobs:
   main:
+    permissions:
+      pull-requests: read  # for amannn/action-semantic-pull-request to analyze PRs
+      statuses: write  # for amannn/action-semantic-pull-request to mark status of analyzed PR
     name: Validate PR Title
     runs-on: ubuntu-latest
     steps:
-      - uses: amannn/action-semantic-pull-request@v5
+      - name: Harden Runner
+        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
+        with:
+          egress-policy: audit
+
+      - uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5.5.3
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/psdocs-mdtogit.yml

@@ -19,15 +19,23 @@ env:
   github_pr_repo: ${{ github.event.pull_request.head.repo.full_name }}
 
 permissions:
-  contents: write
+  contents: read
 
 jobs:
   arm_docs:
     name: Generate Markdown
+    permissions:
+      contents: write
     runs-on: ubuntu-latest
+    environment: BicepUpdateDocumentation
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
+        with:
+          egress-policy: audit
+
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Show env
         run: env | sort

.github/workflows/release-tests.yml

@@ -6,22 +6,30 @@ on:
       - main
   workflow_dispatch: {}
 
+permissions:
+  contents: read
+
 jobs:
   release-tests:
     name: Pre-Release Tests
     runs-on: ubuntu-latest
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
+        with:
+          egress-policy: audit
+
       - name: Checkout Repo
         id: checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
 
       - name: Pester Tests
         id: pester
         if: startsWith(github.head_ref, 'release')
-        uses: azure/powershell@v2
+        uses: azure/powershell@53dd145408794f7e80f97cfcca04155c85234709 # v2.0.0
         with:
           inlineScript: |
             Import-Module Pester -Force

.github/workflows/release.yml

@@ -9,14 +9,21 @@ on:
       - main
 
 permissions:
-  contents: write
+  contents: read
 
 jobs:
   release:
     name: Generate Accelerator Release Artifacts
+    permissions:
+      contents: write
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
+    - name: Harden Runner
+      uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
+      with:
+        egress-policy: audit
+
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
     - name: Zip and Tar
       run: |
@@ -28,15 +35,15 @@ jobs:
         zip -r ../accelerator.zip .
 
     - name: Upload Artifacts to Action
-      uses: actions/upload-artifact@v4.4.0
+      uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
       with:
         name: accelerator
         path: |
           accelerator.tar.gz
           accelerator.zip
 
     - name: Add Artifacts to Release
-      uses: softprops/action-gh-release@v2
+      uses: softprops/action-gh-release@c95fe1489396fe8a9eb87c0abf8aa5b2ef267fda # v2.2.1
       if: startsWith(github.ref, 'refs/tags/')
       with:
         files: |