@pagopa/dx-cli 0.21.4 → 0.21.6

package/dist/adapters/azure/__tests__/cloud-account-service.test.js

@@ -285,7 +285,7 @@ describe("initialize", () => {
             principalType: "ServicePrincipal",
             roleDefinitionId: "/subscriptions/sub-1/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe",
         }));
-        expect(mockCreateFederatedIdentityCredential).toHaveBeenCalledWith("dx-d-itn-common-rg-01", "dx-d-itn-bootstrap-id-01", "bootstrapper-dev-cd", {
+        expect(mockCreateFederatedIdentityCredential).toHaveBeenCalledWith("dx-d-itn-common-rg-01", "dx-d-itn-bootstrap-id-01", "dx-bootstrapper-dev-cd", {
             audiences: ["api://AzureADTokenExchange"],
             issuer: "https://token.actions.githubusercontent.com",
             subject: "repo:pagopa/dx:environment:bootstrapper-dev-cd",
@@ -341,4 +341,38 @@ describe("initialize", () => {
             secretValue: "private-key",
         });
     });
+    test("uses a repository-specific federated credential name", async ({ cloudAccountService, }) => {
+        const createOrUpdateEnvironmentSecret = vi
+            .fn()
+            .mockResolvedValue(undefined);
+        await cloudAccountService.initialize({
+            csp: "azure",
+            defaultLocation: "italynorth",
+            displayName: "Test subscription",
+            id: "sub-1",
+        }, {
+            name: "dev",
+            prefix: "dx",
+        }, {
+            clientId: "app-client-id",
+            id: "app-id",
+            installationId: "installation-id",
+            key: "private-key\n",
+        }, {
+            owner: "pagopa",
+            repo: "dx-playground",
+        }, {
+            createBranch: vi.fn(),
+            createOrUpdateEnvironmentSecret,
+            createPullRequest: vi.fn(),
+            getFileContent: vi.fn(),
+            getRepository: vi.fn(),
+            updateFile: vi.fn(),
+        });
+        expect(mockCreateFederatedIdentityCredential).toHaveBeenCalledWith("dx-d-itn-common-rg-01", "dx-d-itn-bootstrap-id-01", "dx-playground-bootstrapper-dev-cd", {
+            audiences: ["api://AzureADTokenExchange"],
+            issuer: "https://token.actions.githubusercontent.com",
+            subject: "repo:pagopa/dx-playground:environment:bootstrapper-dev-cd",
+        });
+    });
 });

package/dist/adapters/azure/cloud-account-service.js

@@ -199,14 +199,19 @@ export class AzureCloudAccountService {
             })));
             logger.debug("Assigned bootstrap roles to identity {identityName} in subscription {subscriptionId}", { identityName, subscriptionId: cloudAccount.id });
             const githubEnvironmentName = `bootstrapper-${name}-cd`;
-            // Federate the bootstrap identity with the GitHub environment so workflows can exchange their OIDC token for Azure access.
-            await msiClient.federatedIdentityCredentials.createOrUpdate(resourceGroupName, identityName, githubEnvironmentName, {
+            const federatedCredentialName = this.#createFederatedCredentialName({
+                github,
+                githubEnvironmentName,
+            });
+            // Include a repository-derived suffix so different repositories can share
+            // the same bootstrap identity without overwriting each other's OIDC trust.
+            await msiClient.federatedIdentityCredentials.createOrUpdate(resourceGroupName, identityName, federatedCredentialName, {
                 audiences: ["api://AzureADTokenExchange"],
                 issuer: "https://token.actions.githubusercontent.com",
                 subject: `repo:${github.owner}/${github.repo}:environment:${githubEnvironmentName}`,
             });
             logger.debug("Configured federated identity credential {credentialName} for identity {identityName} in subscription {subscriptionId}", {
-                credentialName: githubEnvironmentName,
+                credentialName: federatedCredentialName,
                 identityName,
                 subscriptionId: cloudAccount.id,
             });
@@ -374,6 +379,10 @@ export class AzureCloudAccountService {
         logger.debug("Created key vault {keyVaultName} in subscription {subscriptionId}", { keyVaultName, subscriptionId: cloudAccount.id });
         return keyVaultName;
     }
+    #createFederatedCredentialName({ github, githubEnvironmentName, }) {
+        const repoName = github.repo.replaceAll(/[^a-zA-Z0-9-]/g, "-");
+        return `${repoName}-${githubEnvironmentName}`;
+    }
     #createRoleAssignmentName(scope, principalId, roleDefinitionId) {
         const hash = createHash("sha256")
             .update(`${scope}:${principalId}:${roleDefinitionId}`)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pagopa/dx-cli",
-  "version": "0.21.4",
+  "version": "0.21.6",
   "type": "module",
   "description": "A CLI useful to manage DX tools.",
   "repository": {

package/templates/monorepo/.github/copilot/settings.json

@@ -0,0 +1,17 @@
+{
+  "extraKnownMarketplaces": {
+    "pagopa-dx": {
+      "source": {
+        "source": "github",
+        "repo": "pagopa/dx"
+      }
+    }
+  },
+  "enabledPlugins": {
+    "terraform@pagopa-dx": true,
+    "azure@pagopa-dx": true,
+    "project-management@pagopa-dx": true,
+    "standards@pagopa-dx": true,
+    "typescript@pagopa-dx": true
+  }
+}

package/templates/monorepo/README.md.hbs

@@ -59,6 +59,16 @@ pnpm install
 pnpm nx run-many -t build
 ```
 
+### GitHub Copilot plugins
+
+This repository includes `.github/copilot/settings.json` with the
+recommended PagoPA DX marketplace and plugin suggestions for GitHub Copilot.
+
+Keep the file committed to avoid per-developer setup drift. If your team does
+not use some of the suggested plugins, edit the related flags in that file.
+See the DX documentation for details:
+https://dx.pagopa.it/docs/coding-with-ai/plugin-marketplace
+
 ## Useful commands
 
 This project uses `pnpm` and `nx` with workspaces to manage projects and dependencies. Here is a list of useful commands to work in this repo.