radius-project · willdavsmith · Feb 17, 2026 · Feb 17, 2026 · Feb 17, 2026 · Feb 17, 2026
@@ -105,7 +105,7 @@ install_radius() {
     echo "Installing Radius..."
     if ! rad install kubernetes \
         --set global.azureWorkloadIdentity.enabled=true \
-        --set database.enabled=true; then
+        --set database.enabled=false; then
         echo ""
         echo "============================================================================"
         echo "ERROR: Radius installation failed"

@@ -62,13 +62,13 @@ env:
   # Azure workload identity webhook chart version
   AZURE_WORKLOAD_IDENTITY_WEBHOOK_VER: 1.3.0
   # Container registry for storing container images
-  CONTAINER_REGISTRY: ghcr.io/radius-project/dev
+  CONTAINER_REGISTRY: ${{ vars.FUNCTIONAL_TEST_CONTAINER_REGISTRY }}
   # Container registry for storing Bicep recipe artifacts
-  BICEP_RECIPE_REGISTRY: ghcr.io/radius-project/dev
+  BICEP_RECIPE_REGISTRY: ${{ vars.FUNCTIONAL_TEST_BICEP_RECIPE_REGISTRY }}
   # The radius functional test timeout
   FUNCTIONALTEST_TIMEOUT: 60m
   # The Azure Location to store test resources
-  AZURE_LOCATION: westus3
+  AZURE_LOCATION: westus2
   # The base directory for storing test logs
   RADIUS_CONTAINER_LOG_BASE: dist/container_logs
   # The Radius helm chart location.
@@ -80,11 +80,13 @@ env:
   # Server where terraform test modules are deployed
   TF_RECIPE_MODULE_SERVER_URL: http://tf-module-server.radius-test-tf-module-server.svc.cluster.local
   # The functional test GitHub app id
-  FUNCTIONAL_TEST_APP_ID: 425843
+  FUNCTIONAL_TEST_APP_ID: ${{ vars.FUNCTIONAL_TEST_APP_ID }}
   # Private Git repository where terraform module for testing is stored.
   TF_RECIPE_PRIVATE_GIT_SOURCE: git::https://github.com/radius-project/terraform-private-modules//kubernetes-redis
-  # bicep-types ACR url for uploading Radius Bicep types
+  # bicep-types ACR url for pulling latest Radius Bicep types (AWS)
   BICEP_TYPES_REGISTRY: biceptypes.azurecr.io
+  # bicep-types ACR url for uploading test Radius Bicep types
+  TEST_BICEP_TYPES_REGISTRY: ${{ vars.TEST_BICEP_TYPES_REGISTRY }}
   # Kubernetes client QPS and Burst settings for high-concurrency CI environments
   RADIUS_QPS_AND_BURST: "800"
 
@@ -119,7 +121,7 @@ jobs:
     if: |
       always() &&
       (github.event_name != 'pull_request_target' || needs.approval-gate.result == 'success' || needs.approval-gate.result == 'skipped') &&
-      (github.event_name != 'schedule' || github.repository == 'radius-project/radius')
+      (github.event_name != 'schedule' || github.repository == vars.RADIUS_REPOSITORY)
     runs-on: ubuntu-24.04
     timeout-minutes: 5
     permissions:
@@ -219,6 +221,7 @@ jobs:
   changes:
     name: Changes
     needs: setup
+    if: always() && needs.setup.result == 'success'
     uses: ./.github/workflows/__changes.yml
     with:
       ref: ${{ needs.setup.outputs.CHECKOUT_REF }}
@@ -232,7 +235,7 @@ jobs:
     name: Build Radius for test
     needs: [setup, changes]
     # Skip if only docs/markdown changed
-    if: needs.changes.outputs.only_changed != 'true'
+    if: always() && needs.changes.outputs.only_changed != 'true'
     runs-on: ubuntu-24.04
     timeout-minutes: 15
     permissions:
@@ -253,7 +256,7 @@ jobs:
       ACTION_LINK: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
     steps:
       - name: Get GitHub app token
-        if: github.repository == 'radius-project/radius'
+        if: github.repository == vars.RADIUS_REPOSITORY
         uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
         id: get_installation_token
         with:
@@ -387,64 +390,32 @@ jobs:
           message: |
             :hourglass: Publishing Bicep Recipes for functional tests...
 
-      - name: Get App Token (radius-publisher)
-        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
-        id: get_publisher_token
+      - name: Setup Node.js
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
         with:
-          app-id: ${{ secrets.RADIUS_PUBLISHER_BOT_APP_ID }}
-          private-key: ${{ secrets.RADIUS_PUBLISHER_BOT_PRIVATE_KEY }}
-          permission-metadata: read
-          permission-actions: read
-          permission-contents: write
-          owner: azure-octo
-          repositories: |
-            radius-publisher
+          node-version-file: .node-version
 
-      - name: Capture dispatch start time
-        id: dispatch-start
-        shell: bash
+      - name: Generate Bicep extensibility types from OpenAPI specs
         run: |
-          echo "started_at=$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$GITHUB_OUTPUT"
+          make generate-bicep-types VERSION=${{ env.REL_VERSION == 'edge' && 'latest' || env.REL_VERSION }}
 
-      - name: Repository Dispatch (publish test bicep types)
-        id: repository-dispatch
-        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
-        with:
-          token: ${{ steps.get_publisher_token.outputs.token }}
-          repository: azure-octo/radius-publisher
-          event-type: bicep-types
-          client-payload: |-
-            {
-              "source_repository": "${{ github.repository }}",
-              "source_ref": "${{ github.ref }}",
-              "source_sha": "${{ github.sha }}",
-              "rel_channel": "${{ env.REL_VERSION }}",
-              "registry_target": "test/radius"
-            }
+      - name: Setup and verify bicep CLI
+        run: |
+          curl -Lo bicep https://github.com/Azure/bicep/releases/latest/download/bicep-linux-x64
+          chmod +x ./bicep
+          sudo mv ./bicep /usr/local/bin/bicep
+          bicep --version
 
-      - name: Monitor remote workflow
-        id: monitor-remote-workflow
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+      - name: Login to Azure (for private test bicep-types ACR)
+        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
         with:
-          github-token: ${{ steps.get_publisher_token.outputs.token }}
-          script: |
-            const { default: script } = await import(`${process.env.GITHUB_WORKSPACE}/.github/scripts/monitor-remote-workflow.mjs`)
-            await script({context, github, core})
-        env:
-          INPUT_OWNER: azure-octo
-          INPUT_REPO: radius-publisher
-          INPUT_WORKFLOW_FILE: publish-bicep-types.yml
-          INPUT_DISPATCH_STARTED_AT: ${{ steps.dispatch-start.outputs.started_at }}
-          INPUT_MAX_WAIT_SECONDS: "900"
-          INPUT_POLL_INTERVAL_SECONDS: "10"
-
-      - name: Show failed logs
-        if: failure() && steps.monitor-remote-workflow.outputs.run_id != ''
-        shell: bash
-        env:
-          GH_TOKEN: ${{ steps.get_publisher_token.outputs.token }}
+          client-id: ${{ secrets.AZURE_SP_TESTS_APPID }}
+          tenant-id: ${{ secrets.AZURE_SP_TESTS_TENANTID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTIONID_TESTS }}
+
+      - name: Publish Radius test bicep types
         run: |
-          gh run view "${{ steps.monitor-remote-workflow.outputs.run_id }}" --repo azure-octo/radius-publisher --log-failed || true
+          bicep publish-extension ./hack/bicep-types-radius/generated/index.json --target br:${{ env.TEST_BICEP_TYPES_REGISTRY }}/test/radius:${{ env.REL_VERSION == 'edge' && 'latest' || env.REL_VERSION }} --force
 
       - name: Generate test bicepconfig.json
         run: |
@@ -459,7 +430,7 @@ jobs:
               "extensibility": true
             },
             "extensions": {
-              "radius": "br:${{ env.BICEP_TYPES_REGISTRY }}/test/radius:$RADIUS_VERSION",
+              "radius": "br:${{ env.TEST_BICEP_TYPES_REGISTRY }}/test/radius:$RADIUS_VERSION",
               "aws": "br:${{ env.BICEP_TYPES_REGISTRY }}/aws:latest"
             }
           }
@@ -504,14 +475,14 @@ jobs:
   skip-tests:
     name: Skip Functional Tests
     needs: [setup, changes]
-    if: needs.changes.outputs.only_changed == 'true'
+    if: always() && needs.changes.outputs.only_changed == 'true'
     runs-on: ubuntu-24.04
     timeout-minutes: 5
     permissions:
       contents: read # Required for listing the commits
     steps:
       - name: Get GitHub app token
-        if: github.repository == 'radius-project/radius'
+        if: github.repository == vars.RADIUS_REPOSITORY
         uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
         id: get_installation_token
         with:
@@ -533,6 +504,7 @@ jobs:
   tests:
     name: Run ${{ matrix.name }} functional tests
     needs: [setup, build]
+    if: always() && needs.setup.result == 'success' && needs.build.result == 'success'
     # Approval gate (via environment protection) ensures external contributors are approved before reaching here
     strategy:
       fail-fast: true
@@ -545,6 +517,7 @@ jobs:
       id-token: write # Required for requesting the JWT
       contents: read # Required for listing the commits
       checks: write # Required for publishing test results
+      packages: read # Required for pulling images from ghcr.io inside KinD
     env:
       UNIQUE_ID: ${{ needs.setup.outputs.UNIQUE_ID }}
       REL_VERSION: ${{ needs.setup.outputs.REL_VERSION }}
@@ -558,7 +531,7 @@ jobs:
       DE_TAG: ${{ needs.setup.outputs.DE_TAG }}
     steps:
       - name: Get GitHub app token
-        if: github.repository == 'radius-project/radius'
+        if: github.repository == vars.RADIUS_REPOSITORY
         uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
         id: get_installation_token
         with:
@@ -666,21 +639,32 @@ jobs:
       # create kind cluster with OIDC provider.
       - name: Create KinD cluster
         run: |
+          set -euo pipefail
+
           curl -sSLo "kind" "https://github.com/kubernetes-sigs/kind/releases/download/${{ env.KIND_VER }}/kind-linux-amd64"
           chmod +x ./kind
 
-          # Populate the following environment variables for Azure workload identity from secrets.
-          # AZURE_OIDC_ISSUER_PUBLIC_KEY
-          # AZURE_OIDC_ISSUER_PRIVATE_KEY
-          # AZURE_OIDC_ISSUER
-          eval "export $(echo "${{ secrets.FUNCTEST_AZURE_OIDC_JSON }}" | jq -r 'to_entries | map("\(.key)=\(.value)") | @sh')"
+          # Parse and validate Azure workload identity values from secret JSON.
+          OIDC_JSON='${{ secrets.FUNCTEST_AZURE_OIDC_JSON }}'
+          if ! echo "${OIDC_JSON}" | jq -e . >/dev/null; then
+            echo "FUNCTEST_AZURE_OIDC_JSON is not valid JSON."
+            echo "Expected keys: AZURE_OIDC_ISSUER, AZURE_OIDC_ISSUER_PUBLIC_KEY, AZURE_OIDC_ISSUER_PRIVATE_KEY"
+            exit 1
+          fi
+
+          AZURE_OIDC_ISSUER="$(echo "${OIDC_JSON}" | jq -er '.AZURE_OIDC_ISSUER')"
+          AZURE_OIDC_ISSUER_PUBLIC_KEY="$(echo "${OIDC_JSON}" | jq -er '.AZURE_OIDC_ISSUER_PUBLIC_KEY')"
+          AZURE_OIDC_ISSUER_PRIVATE_KEY="$(echo "${OIDC_JSON}" | jq -er '.AZURE_OIDC_ISSUER_PRIVATE_KEY')"
 
-          AUTHKEY=$(echo -n "${{ github.actor }}:${{ secrets.GH_RAD_CI_BOT_PAT }}" | base64)
+          AUTHKEY=$(printf '%s' "${{ github.actor }}:${{ github.token }}" | base64)
           echo "{\"auths\":{\"ghcr.io\":{\"auth\":\"${AUTHKEY}\"}}}" > "./ghcr_secret.json"
 
           # Create KinD cluster with OIDC Issuer keys
-          echo $AZURE_OIDC_ISSUER_PUBLIC_KEY | base64 -d > sa.pub
-          echo $AZURE_OIDC_ISSUER_PRIVATE_KEY | base64 -d > sa.key
+          printf '%s' "${AZURE_OIDC_ISSUER_PUBLIC_KEY}" | base64 -d > sa.pub
+          printf '%s' "${AZURE_OIDC_ISSUER_PRIVATE_KEY}" | base64 -d > sa.key
+          openssl pkey -pubin -in sa.pub -noout >/dev/null
+          openssl pkey -in sa.key -check -noout >/dev/null
+
           cat <<EOF | ./kind create cluster --name radius --config=-
           kind: Cluster
           apiVersion: kind.x-k8s.io/v1alpha4
@@ -854,11 +838,11 @@ jobs:
               "extensibility": true
             },
             "extensions": {
-              "radius": "br:${{ env.BICEP_TYPES_REGISTRY }}/test/radius:$RADIUS_VERSION",
+              "radius": "br:${{ env.TEST_BICEP_TYPES_REGISTRY }}/test/radius:$RADIUS_VERSION",
               "aws": "br:${{ env.BICEP_TYPES_REGISTRY }}/aws:latest"
             },
             "cloud": {
-              "credentialPrecedence": ["Environment"]
+              "credentialPrecedence": ["AzureCLI", "Environment"]
             }
           }
           EOF
@@ -871,6 +855,8 @@ jobs:
           bicep restore ./test/functional-portable/corerp/cloud/resources/testdata/aws-logs-loggroup.bicep --force
       - name: Run functional tests
         run: |
+          set -euo pipefail
+
           # Ensure rad cli is in path before running tests.
           export PATH=$GITHUB_WORKSPACE/bin:$PATH
           # Make directory to capture functional test results
@@ -884,7 +870,17 @@ jobs:
           # AZURE_MSSQL_RESOURCE_ID
           # AZURE_MSSQL_USERNAME
           # AZURE_MSSQL_PASSWORD
-          eval "export $(echo "${{ secrets.FUNCTEST_PREPROVISIONED_RESOURCE_JSON }}" | jq -r 'to_entries | map("\(.key)=\(.value)") | @sh')"
+          PREPROVISIONED_JSON='${{ secrets.FUNCTEST_PREPROVISIONED_RESOURCE_JSON }}'
+          if ! echo "${PREPROVISIONED_JSON}" | jq -e . >/dev/null; then
+            echo "FUNCTEST_PREPROVISIONED_RESOURCE_JSON is not valid JSON."
+            echo "Expected keys: AZURE_COSMOS_MONGODB_ACCOUNT_ID, AZURE_MSSQL_RESOURCE_ID, AZURE_MSSQL_USERNAME, AZURE_MSSQL_PASSWORD"
+            exit 1
+          fi
+
+          export AZURE_COSMOS_MONGODB_ACCOUNT_ID="$(echo "${PREPROVISIONED_JSON}" | jq -er '.AZURE_COSMOS_MONGODB_ACCOUNT_ID')"
+          export AZURE_MSSQL_RESOURCE_ID="$(echo "${PREPROVISIONED_JSON}" | jq -er '.AZURE_MSSQL_RESOURCE_ID')"
+          export AZURE_MSSQL_USERNAME="$(echo "${PREPROVISIONED_JSON}" | jq -er '.AZURE_MSSQL_USERNAME')"
+          export AZURE_MSSQL_PASSWORD="$(echo "${PREPROVISIONED_JSON}" | jq -er '.AZURE_MSSQL_PASSWORD')"
 
           make test-functional-${{ matrix.name }}
         env:
@@ -906,7 +902,7 @@ jobs:
       - name: Process Functional Test Results
         uses: ./.github/actions/process-test-results
         # In case of failure, upload functional_test_results to artifacts so that they are not erased by subsequent runs.
-        if: failure() && github.repository == 'radius-project/radius'
+        if: failure() && github.repository == vars.RADIUS_REPOSITORY
         with:
           test_group_name: Functional Tests - ${{ matrix.name }}
           artifact_name: functional_test_results_${{ matrix.name }}
@@ -999,7 +995,7 @@ jobs:
 
   report-test-results:
     # Report final test status. Runs after all tests complete (or are skipped).
-    if: always() && github.repository == 'radius-project/radius'
+    if: always() && github.repository == vars.RADIUS_REPOSITORY
     name: Report test results
     needs: [setup, build, tests]
     runs-on: ubuntu-24.04
@@ -1057,8 +1053,7 @@ jobs:
     needs: [build, tests]
     runs-on: ubuntu-24.04
     timeout-minutes: 5
-    permissions: {}
-    if: failure() && github.event_name == 'schedule' && github.repository == 'radius-project/radius'
+    if: failure() && github.event_name == 'schedule' && github.repository == vars.RADIUS_REPOSITORY
     steps:
       - name: Create failure issue for failing scheduled run
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0

@@ -75,7 +75,7 @@ env:
   LOCAL_REGISTRY_SERVER: localhost
   # Local Docker registry port
   LOCAL_REGISTRY_PORT: "5000"
-  # bicep-types ACR url for uploading Radius Bicep types
+  # bicep-types ACR url for pulling public AWS Bicep types
   BICEP_TYPES_REGISTRY: biceptypes.azurecr.io
   # Git HTTP server URL
   GIT_HTTP_SERVER_URL: http://localhost:30080
@@ -508,7 +508,7 @@ jobs:
       - name: Process Functional Test Results
         uses: ./.github/actions/process-test-results
         # In case of failure, upload functional_test_results to artifacts so that they are not erased by subsequent runs.
-        if: failure() && github.repository == 'radius-project/radius'
+        if: failure() && github.repository == vars.RADIUS_REPOSITORY
         with:
           test_group_name: Functional Tests - ${{ matrix.name }}
           artifact_name: functional_test_results_${{ matrix.name }}
@@ -584,17 +584,18 @@ jobs:
           if-no-files-found: error
 
   report-failure:
-    if: failure() && github.event_name == 'schedule' && github.repository == 'radius-project/radius' && needs.changes.outputs.only_changed != 'true'
+    if: failure() && github.event_name == 'schedule' && github.repository == vars.RADIUS_REPOSITORY && needs.changes.outputs.only_changed != 'true'
     name: Report test failure
     needs: [changes, build, tests]
     runs-on: ubuntu-24.04
     timeout-minutes: 5
-    permissions: {}
+    permissions:
+      issues: write
     steps:
       - name: Create failure issue for failing scheduled run
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
-          github-token: ${{ secrets.GH_RAD_CI_BOT_PAT }}
+          github-token: ${{ github.token }}
           script: |
             github.rest.issues.create({
               ...context.repo,