ci: Refactor Docker workflow #966

Open: Vamshi-Microsoft wants to merge 1 commit into dev from psl-refactor-docker-workflow

@Vamshi-Microsoft

Contributor

Purpose

This pull request updates our GitHub Actions workflows to improve how we handle Azure Container Registry (ACR) configuration, primarily by switching from using GitHub secrets to using GitHub environment variables (vars). It also refines the Docker build workflow triggers and permissions for better security and maintainability.

Key changes include:

ACR Configuration Updates:

  • Replaced all references to secrets.ACR_TEST_LOGIN_SERVER with vars.ACR_TEST_LOGIN_SERVER in the Docker build and deploy workflows, ensuring that ACR endpoints are now sourced from environment variables instead of secrets. This change affects the Docker login step, image tagging, and deployment scripts in both Linux and Windows jobs. [1] [2] [3] [4] [5] [6]

Workflow Triggers and Inputs:

  • Removed workflow inputs (trigger_type, build_docker_image) from job-docker-build.yml, and added a workflow_dispatch trigger. This simplifies how the workflow is triggered and removes unnecessary complexity.
  • Updated the deploy-orchestrator.yml workflow to add a conditional check on the docker-build job, now only running it when triggered manually and when building Docker images, aligning with the new trigger logic.

Permissions:

  • Explicitly set permissions for the Docker build workflow, granting read access to contents and write access to the ID token, which is a best practice for secure workflows.

Does this introduce a breaking change?

  • Yes
  • No

Golden Path Validation

  • I have tested the primary workflows (the "golden path") to ensure they function correctly without errors.

Deployment Validation

  • I have validated the deployment process successfully and all services are running as expected with this change.

What to Check

Verify that the following are valid

  • ...

Other Information

Copilot AI left a comment

Contributor

Pull request overview

This PR refactors CI workflows around Docker build/deploy by moving the ACR test registry endpoint from GitHub secrets to GitHub variables (vars), simplifying how the reusable Docker build workflow is triggered, and tightening workflow permissions for OIDC usage.

Changes:

  • Switched ACR endpoint references from secrets.ACR_TEST_LOGIN_SERVER to vars.ACR_TEST_LOGIN_SERVER across Docker build and deploy reusable workflows.
  • Simplified job-docker-build.yml by removing workflow_call inputs, adding workflow_dispatch, and defining explicit permissions.
  • Updated deploy-orchestrator.yml to conditionally run the reusable docker build job without passing the removed inputs.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

| File | Description |
|------|-------------|
| .github/workflows/job-docker-build.yml | Adds workflow_dispatch + explicit permissions; switches ACR endpoint to vars; removes workflow_call inputs. |
| .github/workflows/job-deploy-windows.yml | Uses vars.ACR_TEST_LOGIN_SERVER for setting the AZD container registry endpoint during Windows deploy. |
| .github/workflows/job-deploy-linux.yml | Uses vars.ACR_TEST_LOGIN_SERVER for setting the AZD container registry endpoint during Linux deploy. |
| .github/workflows/deploy-orchestrator.yml | Stops passing removed inputs to the docker build reusable workflow; keeps orchestration conditional logic. |

Comments suppressed due to low confidence (1)

.github/workflows/job-docker-build.yml:95

  • The Docker build summary script assigns ACR_NAME to the full login server (e.g. myacr.azurecr.io) and then later appends .azurecr.io again, which will produce incorrect image URLs in the step summary (e.g. myacr.azurecr.io.azurecr.io/...). The summary also reports the wrong image count and uses km-web even though the workflow tags the WebApp image as km-app.
          ACR_NAME=$(echo "${{ vars.ACR_TEST_LOGIN_SERVER }}")
          echo "## 🐳 Docker Build Job Summary" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "| Field | Value |" >> $GITHUB_STEP_SUMMARY
          echo "|-------|--------|" >> $GITHUB_STEP_SUMMARY

Comment thread .github/workflows/job-deploy-linux.yml
Comment thread .github/workflows/job-deploy-windows.yml
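
An added example (not code from this pull request or repository) for the suppressed comment on job-docker-build.yml: a shell helper that accepts either a bare registry name or a full login server and builds the image reference without doubling the `.azurecr.io` suffix. The helper names `acr_login_server` and `acr_image_ref`, the `latest` tag and the character check are assumptions; the sample registry value is constructed.

```shell
#!/usr/bin/env bash
# Added example; acr_login_server and acr_image_ref are hypothetical helpers,
# not functions from this repository.

# Normalize a registry value to a bare login server host.
# Accepts "myacr", "myacr.azurecr.io" or "https://myacr.azurecr.io/".
acr_login_server() {
  local value="$1"
  value="${value#https://}"   # drop a URL scheme if present
  value="${value#http://}"
  value="${value%%/*}"        # drop any path or trailing slash
  value="$(printf '%s' "$value" | tr '[:upper:]' '[:lower:]')"
  case "$value" in
    "")
      echo "registry value is empty" >&2; return 1 ;;
    *[!a-z0-9.-]*)
      # A vars value is plain text that ends up in a Markdown summary;
      # reject anything that is not a plausible host name.
      echo "unexpected characters in registry value" >&2; return 1 ;;
    *.*)
      ;;                                  # already a full login server
    *)
      value="${value}.azurecr.io" ;;      # bare registry name
  esac
  printf '%s\n' "$value"
}

# Build "<login-server>/<repository>:<tag>" from a registry value.
acr_image_ref() {
  local server
  server="$(acr_login_server "$1")" || return 1
  printf '%s/%s:%s\n' "$server" "$2" "$3"
}

# Constructed sample value in the shape the review comment describes.
sample="myacr.azurecr.io"
echo "naive:      ${sample}.azurecr.io/km-app:latest"   # suffix doubled
echo "normalized: $(acr_image_ref "$sample" km-app latest)"
```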