fix(workflows): restart App Services after UAMI SQL grant (AB#2228) #8
Merged
- restart mapaq-* App Services after Entra group-add so SqlClient drops the cached failed-auth token captured before membership
- promote silent group-add error to fatal; tolerate already-member
- mirror behaviour of working .azuredevops/pipelines/deploy.yml

Fixes AB#2228

🔁 - Generated by Copilot
emmanuelknafo added a commit that referenced this pull request May 1, 2026
Rewrite the root README.md to fully reflect the current codebase and infrastructure, and add a distinct README.fr.md as its French peer so the bilingual parity rule from CONTRIBUTING.md is honoured at the repo root.

README.md updates
- Add bilingual language switcher row linking to README.fr.md.
- Document the full architecture (mermaid) including UAMI, VNet, private endpoints, Application Insights and Log Analytics.
- Pin the current tech stack: .NET 10 (10.0.100, latestFeature), EF Core 10, SqlClient 6.1.1, Azure.Monitor.OpenTelemetry.AspNetCore 1.4.0 (SamplingRatio = 1.0, TracesPerSecond = null), Microsoft.Identity.Web 3.5.0, Azure.Identity 1.14.2.
- Expand repository navigation to cover src/, tests/ (xUnit + Locust + Playwright), infra/main.bicep + infra/modules/ + infra/scripts/, scripts/, slides/, boards/, data/seed/, .github/workflows/, .azuredevops/pipelines/ and .devcontainer/.
- Add quick-start, local-dev (in-memory fallback), tests, lab map, Bicep parameters and outputs, and CI/CD sections.
- Document the post-provision UAMI-grant + App Service restart pattern introduced by AB#2228 / PR #8 in both the GitHub Actions and Azure DevOps Pipelines flows.

README.fr.md
- New file mirroring every section of README.md in Quebec French.
- Cross-linked back to README.md at the top.
- Same markdownlint-disable header preserved.

Fixes AB#2229
Summary
Restart the workshop App Services after the deploy workflow adds the UAMI to the SQL admin Entra group, so the API stops returning 500 on the first run.
Why
`deploy.yml` does `azd up` first, which starts the API before the UAMI is a SQL admin. `Microsoft.Data.SqlClient` caches the failed-auth result on the connection pool. The follow-up `Grant UAMI SQL access via Entra group` step adds the UAMI to `azureSqlDBAdmins` via Microsoft Graph, but nothing tells the App Service to drop its cached token, so `GET /api/establishments` keeps returning 500 Internal Server Error until someone restarts the site by hand.

The ADO equivalent (.azuredevops/pipelines/deploy.yml) already solved this with an `az webapp restart`. This PR ports the same fix to GitHub Actions.

Changes
- `Grant UAMI SQL access via Entra group`: `2>/dev/null` `already-a-member` as success, fails fast on anything else
- `Restart App Services to refresh SQL token (AB#2228)`: `mapaq-*` sites in the RG and restarts each; writes the list to the run summary

Validation
- `yamllint` / VS Code YAML linter clean
- `deploy.yml` against `workshop-dev`: the new restart step should run, `GET /api/establishments` returns 200 on the first attempt
- `GITHUB_STEP_SUMMARY` will list every site that was restarted, for traceability

Out of scope
`rg-dev-001` deployment is already broken with the cached failed-auth state. After this PR merges, the next deploy will self-heal — but I will manually restart `mapaq-api-*` and `mapaq-web-*` once now to unblock the user immediately.

Fixes AB#2228
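The grant-then-restart sequence described in the PR, as an added example that is not the PR's own workflow code. It checks membership with `az ad group member check` before adding, rather than matching an error string; the function names and the `RESOURCE_GROUP` / `UAMI_PRINCIPAL_ID` variables are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not the PR's workflow code. Function and variable names are
# assumptions; azureSqlDBAdmins and the mapaq-* prefix come from the PR text.
set -eu

# Add the UAMI to the SQL admin group. Already-a-member counts as success;
# any other failure is fatal and its stderr stays visible (no 2>/dev/null).
grant_sql_group() {
  local group="$1" principal_id="$2" is_member
  is_member=$(az ad group member check --group "$group" \
    --member-id "$principal_id" --query value -o json) || return 1
  if [ "$is_member" = "true" ]; then
    echo "already a member of $group"
    return 0
  fi
  if ! az ad group member add --group "$group" --member-id "$principal_id"; then
    echo "::error::could not add $principal_id to $group" >&2
    return 1
  fi
  echo "added to $group"
}

# Restart every mapaq-* site in the resource group so pooled SQL connections
# re-authenticate after the membership change; record each in the run summary.
restart_sites() {
  local rg="$1" summary="${GITHUB_STEP_SUMMARY:-/dev/stdout}" sites site
  sites=$(az webapp list --resource-group "$rg" \
    --query "[?starts_with(name, 'mapaq-')].name" -o tsv) || return 1
  if [ -z "$sites" ]; then   # assumption: an empty match is a deploy error
    echo "::error::no mapaq-* App Services found in $rg" >&2
    return 1
  fi
  echo "### Restarted App Services" >> "$summary"
  for site in $sites; do
    az webapp restart --name "$site" --resource-group "$rg" || return 1
    echo "- $site" >> "$summary"
  done
}

# Runs only when both inputs are set (hypothetical variable names).
if [ -n "${RESOURCE_GROUP:-}" ] && [ -n "${UAMI_PRINCIPAL_ID:-}" ]; then
  grant_sql_group azureSqlDBAdmins "$UAMI_PRINCIPAL_ID"
  restart_sites "$RESOURCE_GROUP"
fi
```

Each function returns non-zero explicitly instead of relying on `set -e`, so a failed group-add still stops the job when the function is called inside an `if` or `||` chain.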