
Per-developer GitHub Environments architecture #402

Merged
james-tn merged 4 commits into int-agentic from james-dev on Feb 13, 2026

Conversation

@james-tn (Contributor)

Summary

Implements per-developer GitHub Environments architecture so each team member deploys to their own Azure subscription with isolated infrastructure, OIDC credentials, and Terraform state.

Changes

Workflow Updates (all 7 workflows)

  • orchestrate.yml: *-dev branch triggers with branch-to-environment mapping (james-dev to integration-james), removed auto-destroy
  • infrastructure.yml: Environment-scoped vars.* references, TF state key based on environment name (not branch), sanitize step for environment names
  • docker-application.yml / docker-mcp.yml / update-containers.yml: ACR name generation strips hyphens (tr -d '-') to match Terraform's replace("-", "")
  • agent-evaluation.yml: Added environment: binding for OIDC + eval variables
  • destroy.yml: Fixed iteration variable bug, environment-based state key

Infrastructure

  • prod.tfvars: New file for production environment

Documentation

  • GITHUB_ACTIONS_SETUP.md: Fully rewritten with per-developer onboarding guide, OIDC setup, environment variable reference

GitHub Environment Setup

  • Created 6 new environments: production, integration-james, integration-nicole, integration-heena, integration-tim, integration-matt
  • Each environment has 14 variables (subscription, tenant, client ID, region, etc.)
  • OIDC federated credentials scoped per environment
  • Deleted all 14 repo-level variables (superseded by environment-level)

Pipeline Test Results (Run #21995998887)

All 9 stages validated end-to-end:

  • ✅ pipeline-config (2s)
  • ✅ preflight / OIDC auth (27s)
  • ✅ Terraform deploy (3m18s)
  • ✅ Docker build MCP (59s)
  • ✅ Docker build backend (1m45s)
  • ✅ Update containers (54s)
  • ✅ Integration tests (2m26s)
  • ✅ Agent evaluation / Foundry (5m44s)
  • ✅ Terraform destroy (12m57s)
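To make the naming conventions in this PR concrete, here is an added shell example (not code from the PR or the repository): it maps a branch to its environment, rejects names that fail the sanitize step before they reach a Terraform state key, and derives the ACR name with the same hyphen stripping as Terraform's `replace("-", "")`. The allowed-character rule, the mapping of `main` to `production` and the `acr` prefix are assumptions.

```shell
#!/bin/sh
# Added example: branch -> environment -> state key / ACR name derivation.
# Conventions follow the PR description; the validation rules, the mapping of
# "main" to "production" and the "acr" prefix are assumptions, not the repo's code.
set -eu

# Map a branch to its GitHub Environment: <name>-dev -> integration-<name>.
# Anything else is rejected, so an unexpected branch never resolves to an
# environment (and the OIDC credential scoped to it) that it was not meant to use.
branch_to_environment() {
  branch="$1"
  case "$branch" in
    main) echo "production" ;;
    *-dev) echo "integration-${branch%-dev}" ;;
    *) echo "error: branch '$branch' has no environment mapping" >&2; return 1 ;;
  esac
}

# Sanitize step: the environment name becomes part of the Terraform state key,
# so only lower-case letters, digits and hyphens are allowed through.
sanitize_environment() {
  envname=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  case "$envname" in
    ''|*[!a-z0-9-]*) echo "error: environment name '$1' is not allowed" >&2; return 1 ;;
  esac
  echo "$envname"
}

# The state key is derived from the environment, not the branch, so a renamed
# branch keeps pointing at the same state.
tf_state_key() {
  printf '%s.tfstate\n' "$(sanitize_environment "$1")"
}

# ACR names must be alphanumeric and 5-50 characters: strip hyphens exactly
# like Terraform's replace("-", "") and validate the result.
acr_name() {
  name="acr$(sanitize_environment "$1" | tr -d '-')"
  case "$name" in
    *[!a-z0-9]*) echo "error: ACR name '$name' is not alphanumeric" >&2; return 1 ;;
  esac
  if [ "${#name}" -lt 5 ] || [ "${#name}" -gt 50 ]; then
    echo "error: ACR name '$name' must be 5-50 characters" >&2; return 1
  fi
  echo "$name"
}

# Constructed sample branches showing the full derivation.
for branch in james-dev main; do
  envname=$(branch_to_environment "$branch")
  printf '%s -> env=%s state_key=%s acr=%s\n' \
    "$branch" "$envname" "$(tf_state_key "$envname")" "$(acr_name "$envname")"
done
```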

James N. added 2 commits February 13, 2026 08:22

- Create 6 GitHub environments: production, integration-james,
  integration-nicole, integration-heena, integration-tim, integration-matt
- Move all variables from repo-level to environment-level
- Update orchestrate.yml: *-dev branch -> integration-<name> mapping
- Uncomment environment: binding in all 7 reusable workflows
- Fix TF state key: use environment name instead of branch name
- Fix destroy.yml bugs: iteration var and unsanitized state key
- Remove auto-destroy (all environments persist)
- Add OIDC federated credentials for integration-james and production
- Create prod.tfvars for production environment
- Update GITHUB_ACTIONS_SETUP.md with developer onboarding guide

When a Terraform apply fails midway (e.g., timeout, quota), resources may
exist in Azure but not in TF state. On retry, Terraform fails with 'already
exists'. This change adds a retry loop (max 3 attempts) that:
1. Detects 'already exists' errors in apply output
2. Parses the TF resource address and Azure resource ID
3. Auto-imports orphaned resources into state
4. Retries the apply

Eliminates need for manual deletion via Azure Portal.

- Rename 'Orchestrate Deployment' -> 'CI/CD Pipeline'
- Remove int-agentic from pull_request trigger: PRs to int-agentic
  were failing because environment 'integration' has no OIDC federated
  credential. PR validation only needed for main (production gate).
- Simplify base_ref case statement
james-tn temporarily deployed to integration-james with GitHub Actions on February 13, 2026 at 18:20, 18:27, 18:28, 18:30, 18:30, 18:32 and 18:35
james-tn merged commit 716dc10 into int-agentic on Feb 13, 2026
20 of 21 checks passed