Deploy: Add secrets, workload identity, ACR support, and fix identity role assignments

[gambtho]

Summary

• Add per-variable secret toggle in the Deploy Wizard environment variables step — secret values are masked in the UI, stored as a Kubernetes Secret resource, and referenced via valueFrom.secretKeyRef in the Deployment manifest
• Add a new "Workload Identity" stepper step that creates (or selects existing) Azure managed identities, configures federated credentials against the cluster's OIDC issuer, and generates a ServiceAccount with azure.workload.identity/client-id annotation plus pod labels/serviceAccountName on the Deployment
• Update GitHub Pipeline agent templates to include workload identity ServiceAccount creation and pod configuration in generated workflows
• Fix managed identity role assignments: assign the full required role matrix (AcrPush, Container Registry Tasks Contributor, AKS RBAC Writer, AKS Namespace User) scoped correctly for both normal and managed namespaces
• Add ACR selection/creation to the pipeline wizard so the generated workflow can build and push container images
• Extract shared identity setup logic into reusable utilities, eliminating duplication between the GitHub Pipeline and Deploy Wizard flows

Type of Change

• New feature (non-breaking change which adds functionality)
• Bug fix (non-breaking change which fixes an issue)

Related Issues

Closes #467

Changes Made

Secrets support

• Extended ContainerConfig.envVars type with isSecret: boolean
• Added lock icon toggle and password masking in ConfigureContainer.tsx
• Updated yamlGenerator.ts to emit a Secret resource and secretKeyRef entries for secret env vars
• Updated extractContainerConfig.ts to round-trip secretKeyRef entries

Workload Identity

• Added getAksOidcIssuerUrl, listManagedIdentities, createK8sFederatedCredential to az-cli.ts
• Created useDeployWorkloadIdentity hook (adapts existing GitHub Pipeline pattern)
• Added new stepper step with "Create new" / "Use existing" identity modes
• Updated yamlGenerator.ts to emit ServiceAccount, pod label, and serviceAccountName
• Threaded Azure context from ClusterDeployCard through DeployWizard to ConfigureContainer

Identity role assignment fixes

• Added assignRolesToIdentity() — generalized multi-role assignment function replacing the single hardcoded role
• Added computeRequiredRoles() in new identityRoles.ts — computes the correct role set based on namespace type (normal vs managed), ACR presence, and Azure RBAC status
• Normal namespace roles: AcrPush (ACR), Container Registry Tasks Contributor (ACR), AKS Cluster User Role (cluster), AKS RBAC Writer (cluster, if Azure RBAC enabled)
• Managed namespace roles: AcrPush (ACR), Container Registry Tasks Contributor (ACR), AKS RBAC Writer (MNS scope), AKS Namespace User (MNS scope)
• Extracted ensureIdentityAndResourceGroup() into shared identitySetup.ts — eliminates ~80% duplication between the two identity hooks
• Added getManagedNamespaceResourceId() and buildClusterScope() helpers to az-cli.ts

ACR support in pipeline wizard

• Added AcrSelector component — lists existing ACRs, supports creating new registries, shows a warning if skipped
• Added createContainerRegistry() to az-cli.ts
• Added acrResourceId and acrLoginServer to PipelineConfig
• Agent templates now include az acr build instructions when ACR is configured
• Pipeline secrets now include AZURE_ACR_NAME when ACR is selected

Pipeline integration

• Added generateWorkloadIdentityWorkflowInstructions to agentTemplates.ts
• Included workload identity config summary in generated agent markdown

Testing

• Unit tests pass
• Manual testing completed

Test Cases

1. All 208 related tests pass (identity roles, identity setup, pipeline hooks, pipeline components, agent templates, pipeline orchestration)
2. TypeScript type check passes
3. ESLint and Prettier pass
4. No new test failures introduced
5. New test files: identityRoles.test.ts (10 tests), identitySetup.test.ts (8 tests)

Checklist

• My code follows the project's style guidelines
• I have performed a self-review of my own code
• My changes generate no new warnings
• New and existing unit tests pass locally with my changes

Performance Impact

• No performance impact

Reviewer Notes

• The workload identity step is disabled when Azure context is unavailable (non-Azure clusters or not signed in)
• Secret values are visible in the YAML preview step (acceptable since this is a local desktop app and the user just typed them)
• The Secret resource is placed first in the generated YAML so it exists before the Deployment that references it
• ACR selection is optional with a warning — pipelines can still be created without an ACR for pre-built image scenarios
• The old assignRoleToIdentity() function is preserved for backward compatibility but should be removed once all callers are migrated
• getClusterCapabilities() already returns azureRbacEnabled — callers just need to thread it through to the identity hooks

[Copilot]

Pull request overview

Adds Deploy Wizard support for (1) marking environment variables as secrets (emitted as a Kubernetes Secret + valueFrom.secretKeyRef) and (2) configuring Azure Workload Identity (managed identity + federated credential flow), plus updates to pipeline agent templates/tests to account for the expanded container config shape.

Changes:

• Extend ContainerConfig to include envVars[].isSecret and Workload Identity fields, and update fixtures/stories/tests accordingly.
• Update Deploy Wizard UI + YAML generator to create Secret/ServiceAccount manifests and label/pod spec wiring for workload identity.
• Add Azure CLI helpers and a new hook to automate managed identity + role assignment + OIDC issuer lookup + federated credential creation.

Reviewed changes

Copilot reviewed 33 out of 33 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
plugins/aks-desktop/src/utils/azure/az-cli.ts	Adds AKS OIDC issuer lookup, managed identity listing, and K8s federated credential creation helpers.
plugins/aks-desktop/src/components/GitHubPipeline/utils/pipelineOrchestration.test.ts	Updates tests to include the new envVars[].isSecret field.
plugins/aks-desktop/src/components/GitHubPipeline/utils/agentTemplates.ts	Adds pipeline workflow instructions for workload identity and surfaces it in generated agent config.
plugins/aks-desktop/src/components/GitHubPipeline/utils/agentTemplates.test.ts	Updates agent template tests for the new env var shape.
plugins/aks-desktop/src/components/GitHubPipeline/fixtures/pipelineConfig.ts	Extends fixture defaults with isSecret and workload identity fields.
plugins/aks-desktop/src/components/DeployWizard/utils/yamlGenerator.ts	Emits Secret + Workload Identity ServiceAccount/labels/serviceAccountName into generated YAML.
plugins/aks-desktop/src/components/DeployWizard/hooks/useDeployWorkloadIdentity.ts	New hook to set up managed identity + role assignment + federated credentials for a K8s service account.
plugins/aks-desktop/src/components/DeployWizard/hooks/useContainerConfiguration.ts	Extends ContainerConfig type and default state to include secrets + workload identity fields.
plugins/aks-desktop/src/components/DeployWizard/components/DeployWizardPure.stories.tsx	Updates story stub config for new fields.
plugins/aks-desktop/src/components/DeployWizard/components/ConfigureContainer.tsx	Adds env var secret toggle UI and a new Workload Identity step with “create”/“existing” identity flows.
plugins/aks-desktop/src/components/DeployWizard/DeployWizard.tsx	Passes Azure context/namespace into ConfigureContainer for workload identity configuration.
plugins/aks-desktop/src/components/DeployTab/utils/extractContainerConfig.ts	Extracts secret env vars and workload identity label/serviceAccountName from live deployments.
plugins/aks-desktop/src/components/DeployTab/utils/extractContainerConfig.test.ts	Updates extraction tests for isSecret.
plugins/aks-desktop/src/components/DeployTab/components/ClusterDeployCard.tsx	Supplies Azure context to Deploy Wizard from the Deploy Tab.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

[Copilot]

Pull request overview

This PR extends AKS Desktop’s Deploy Wizard and GitHub Pipeline flows to support per-env-var Kubernetes Secrets, Azure Workload Identity (with shared identity/role setup utilities), and optional Azure Container Registry (ACR) integration for build/push workflows, while correcting managed identity role assignment behavior.

Changes:

• Introduces shared Azure identity setup utilities (identitySetup, identityRoles, identityWithRoles) and updates pipeline/deploy hooks to use multi-role assignment.
• Adds Workload Identity configuration to deploy/pipeline flows (OIDC issuer discovery, federated credential creation, ServiceAccount + pod config generation).
• Adds ACR selection/creation support and threads ACR context into pipeline secrets and agent instructions; adds per-variable secret env var support in YAML generation + extraction.

Reviewed changes

Copilot reviewed 48 out of 48 changed files in this pull request and generated 9 comments.

Show a summary per file

File	Description
plugins/aks-desktop/src/utils/azure/identityWithRoles.ts	New shared orchestration for identity creation + required role assignments
plugins/aks-desktop/src/utils/azure/identitySetup.ts	New utility to ensure RG + identity exist
plugins/aks-desktop/src/utils/azure/identitySetup.test.ts	Tests for identity setup utility
plugins/aks-desktop/src/utils/azure/identityRoles.ts	New role-matrix computation for normal vs managed namespaces + ACR + Azure RBAC
plugins/aks-desktop/src/utils/azure/identityRoles.test.ts	Tests for role computation
plugins/aks-desktop/src/utils/azure/az-cli.ts	Adds ACR typing, multi-role assignment, OIDC issuer discovery, identity listing, K8s federated credential creation, ACR creation helpers
plugins/aks-desktop/src/components/GitHubPipeline/utils/pipelineOrchestration.ts	Adds ACR name secret creation for workflows
plugins/aks-desktop/src/components/GitHubPipeline/utils/pipelineOrchestration.test.ts	Updates env var fixtures for new isSecret field
plugins/aks-desktop/src/components/GitHubPipeline/utils/agentTemplates.ts	Adds workload identity + ACR build/push instructions and summary output
plugins/aks-desktop/src/components/GitHubPipeline/utils/agentTemplates.test.ts	Updates env var fixtures for new isSecret field
plugins/aks-desktop/src/components/GitHubPipeline/types.ts	Extends pipeline config with ACR fields
plugins/aks-desktop/src/components/GitHubPipeline/hooks/useWorkloadIdentitySetup.ts	Switches to shared identity+roles utility; adds cluster/ACR/namespace context
plugins/aks-desktop/src/components/GitHubPipeline/hooks/useWorkloadIdentitySetup.test.ts	Updates mocks/expectations for multi-role assignment + shared utility
plugins/aks-desktop/src/components/GitHubPipeline/components/WorkloadIdentitySetup.tsx	Updates UI step wording/status for role assignments and threads new inputs
plugins/aks-desktop/src/components/GitHubPipeline/components/WorkloadIdentitySetup.test.tsx	Adds clusterName prop to fixture
plugins/aks-desktop/src/components/GitHubPipeline/components/AcrSelector.tsx	New UI component to select/create/skip ACR
plugins/aks-desktop/src/components/GitHubPipeline/fixtures/pipelineConfig.ts	Updates fixture for isSecret and workload identity fields
plugins/aks-desktop/src/components/GitHubPipeline/GitHubPipelineWizard.tsx	Threads clusterName into workload identity setup component
plugins/aks-desktop/src/components/DeployWizard/utils/yamlGenerator.ts	Emits Secret + secretKeyRef env vars; emits ServiceAccount + WI pod config
plugins/aks-desktop/src/components/DeployWizard/hooks/useDeployWorkloadIdentity.ts	New deploy-side workload identity setup hook (OIDC issuer + K8s federated cred)
plugins/aks-desktop/src/components/DeployWizard/hooks/useContainerConfiguration.ts	Extends container config with isSecret env vars and workload identity fields
plugins/aks-desktop/src/components/DeployWizard/components/DeployWizardPure.stories.tsx	Updates stub config for new fields
plugins/aks-desktop/src/components/DeployWizard/components/ConfigureContainer.tsx	Adds env var secret toggle/masking; adds workload identity step (create/select identity)
plugins/aks-desktop/src/components/DeployWizard/DeployWizard.tsx	Threads Azure context + namespace into container configuration UI
plugins/aks-desktop/src/components/DeployTab/utils/extractContainerConfig.ts	Adds round-trip support for secretKeyRef env vars and WI pod config detection
plugins/aks-desktop/src/components/DeployTab/utils/extractContainerConfig.test.ts	Updates expected env var structure with isSecret
plugins/aks-desktop/src/components/DeployTab/components/ClusterDeployCard.tsx	Threads Azure context into Deploy Wizard
Localize/locales/en/plugin-translation.json	Updates localized strings set
Localize/locales/en/frontend-translation.json	Adds new localized string key

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

[Copilot]

Pull request overview

This PR enhances the AKS Desktop deploy and GitHub pipeline wizards with Kubernetes secret-backed env vars, Azure Workload Identity setup, ACR selection/creation, and a more complete/accurate managed-identity role assignment matrix—extracting shared identity setup logic into reusable utilities.

Changes:

• Add per-env-var “secret” handling (UI masking + YAML generation of Secret + valueFrom.secretKeyRef) and round-trip extraction support.
• Add Workload Identity setup for deploy + pipeline flows (managed identity creation/selection, federated credential creation, ServiceAccount/pod config generation).
• Add ACR support for pipeline creation and generalize identity role assignment to compute/assign the required multi-role set with correct scopes.

Reviewed changes

Copilot reviewed 49 out of 49 changed files in this pull request and generated 7 comments.

Show a summary per file

File	Description
plugins/aks-desktop/src/utils/azure/identityWithRoles.ts	New shared helper to ensure identity + compute/assign required roles.
plugins/aks-desktop/src/utils/azure/identityWithRoles.test.ts	Unit tests for ensureIdentityWithRoles scenarios.
plugins/aks-desktop/src/utils/azure/identitySetup.ts	New shared helper to ensure RG + managed identity existence.
plugins/aks-desktop/src/utils/azure/identitySetup.test.ts	Unit tests for identity setup helper.
plugins/aks-desktop/src/utils/azure/identityRoles.ts	New role-matrix computation for NS vs MNS, ACR, Azure RBAC.
plugins/aks-desktop/src/utils/azure/identityRoles.test.ts	Unit tests for role computation logic.
plugins/aks-desktop/src/utils/azure/az-cli.ts	Add ACR typing/listing, multi-role assignment, scope helpers, OIDC issuer lookup, MI listing, k8s federated credential creation, ACR creation.
plugins/aks-desktop/src/components/GitHubPipeline/utils/pipelineOrchestration.ts	Add AZURE_ACR_NAME pipeline secret derivation.
plugins/aks-desktop/src/components/GitHubPipeline/utils/pipelineOrchestration.test.ts	Update fixtures for env var isSecret field.
plugins/aks-desktop/src/components/GitHubPipeline/utils/agentTemplates.ts	Add workload identity and ACR build/push instructions + config summary.
plugins/aks-desktop/src/components/GitHubPipeline/utils/agentTemplates.test.ts	Update fixtures for env var isSecret field.
plugins/aks-desktop/src/components/GitHubPipeline/types.ts	Extend PipelineConfig with ACR resource ID + login server.
plugins/aks-desktop/src/components/GitHubPipeline/hooks/useWorkloadIdentitySetup.ts	Switch pipeline WI setup to shared ensureIdentityWithRoles; add new inputs (clusterName, ACR, MNS, Azure RBAC).
plugins/aks-desktop/src/components/GitHubPipeline/hooks/useWorkloadIdentitySetup.test.ts	Update mocks/assertions for new shared role assignment path.
plugins/aks-desktop/src/components/GitHubPipeline/components/WorkloadIdentitySetup.tsx	UI updates for new “assigning-roles” step and passing new WI config inputs.
plugins/aks-desktop/src/components/GitHubPipeline/components/WorkloadIdentitySetup.test.tsx	Update props to include clusterName.
plugins/aks-desktop/src/components/GitHubPipeline/components/AcrSelector.tsx	New component for selecting/creating/skipping an ACR.
plugins/aks-desktop/src/components/GitHubPipeline/fixtures/pipelineConfig.ts	Extend container config fixture with isSecret and WI fields.
plugins/aks-desktop/src/components/GitHubPipeline/GitHubPipelineWizard.tsx	Pass clusterName into WorkloadIdentitySetup.
plugins/aks-desktop/src/components/DeployWizard/utils/yamlGenerator.ts	Generate Secret + secretKeyRef env vars; generate ServiceAccount + WI pod/serviceAccount config.
plugins/aks-desktop/src/components/DeployWizard/hooks/useDeployWorkloadIdentity.ts	New deploy-flow WI hook using shared identity+roles and AKS OIDC issuer lookup.
plugins/aks-desktop/src/components/DeployWizard/hooks/useContainerConfiguration.ts	Extend ContainerConfig with env var isSecret and WI fields + defaults.
plugins/aks-desktop/src/components/DeployWizard/components/DeployWizardPure.stories.tsx	Update story fixture with new ContainerConfig fields.
plugins/aks-desktop/src/components/DeployWizard/components/ConfigureContainer.tsx	Add env var secret toggle/masking and new Workload Identity step (create/select identity).
plugins/aks-desktop/src/components/DeployWizard/DeployWizard.tsx	Thread Azure context into ConfigureContainer.
plugins/aks-desktop/src/components/DeployTab/utils/extractContainerConfig.ts	Round-trip env var secretKeyRef + detect WI label/serviceAccountName.
plugins/aks-desktop/src/components/DeployTab/utils/extractContainerConfig.test.ts	Update expected env var shape with isSecret.
plugins/aks-desktop/src/components/DeployTab/components/ClusterDeployCard.tsx	Pass azureContext into DeployWizard from cluster context.
plugins/aks-desktop/locales/zh-Hans/translation.json	Add/update translations for new WI/ACR/secret strings and wording changes.
plugins/aks-desktop/locales/tr/translation.json	Add/update translations for new WI/ACR/secret strings and wording changes.
plugins/aks-desktop/locales/sv/translation.json	Add/update translations for new WI/ACR/secret strings and wording changes.
plugins/aks-desktop/locales/pt-PT/translation.json	Add/update translations for new WI/ACR/secret strings and wording changes.
plugins/aks-desktop/locales/nl/translation.json	Add/update translations for new WI/ACR/secret strings and wording changes.
plugins/aks-desktop/locales/id/translation.json	Add/update translations for new WI/ACR/secret strings and wording changes.
plugins/aks-desktop/locales/hu/translation.json	Add/update translations for new WI/ACR/secret strings and wording changes.
plugins/aks-desktop/locales/en/translation.json	Add English strings for WI/ACR/secret UI and updated wording.
Localize/locales/en/plugin-translation.json	Update localization keys for new strings and removed/renamed ones.
Localize/locales/en/frontend-translation.json	Add new frontend localization key (“Debug Image”).

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

[Copilot]

Pull request overview

Adds shared Azure identity + role assignment utilities and integrates workload identity, per-env-var secrets, and optional ACR support into the Deploy Wizard and GitHub Pipeline flows (per #467).

Changes:

• Introduces reusable identity setup utilities (ensureIdentityAndResourceGroup, ensureIdentityWithRoles) and role computation (computeRequiredRoles).
• Extends Deploy Wizard YAML generation to emit Secret + secretKeyRef for secret env vars, and optionally emits ServiceAccount + WI pod wiring.
• Updates GitHub Pipeline workflow instructions and secret creation to account for workload identity and ACR configuration.

Reviewed changes

Copilot reviewed 29 out of 29 changed files in this pull request and generated 8 comments.

Show a summary per file

File	Description
plugins/aks-desktop/src/utils/azure/identityWithRoles.ts	Shared “ensure identity + assign required roles” utility used across flows.
plugins/aks-desktop/src/utils/azure/identityWithRoles.test.ts	Unit tests for identity+roles orchestration.
plugins/aks-desktop/src/utils/azure/identitySetup.ts	Shared “ensure RG + ensure identity” building block.
plugins/aks-desktop/src/utils/azure/identitySetup.test.ts	Unit tests for RG/identity setup logic.
plugins/aks-desktop/src/utils/azure/identityRoles.ts	Computes required Azure RBAC role assignments for NS vs MNS + optional ACR.
plugins/aks-desktop/src/utils/azure/identityRoles.test.ts	Unit tests covering role matrix composition.
plugins/aks-desktop/src/utils/azure/az-cli.ts	Adds ACR typing + create ACR, cluster scope helper, multi-role assignment, OIDC issuer lookup, managed identity listing, K8s federated credential creation.
plugins/aks-desktop/src/components/DeployWizard/utils/yamlGenerator.ts	Emits Secret + secretKeyRef for secret env vars; emits ServiceAccount + WI pod wiring.
plugins/aks-desktop/src/components/DeployWizard/hooks/useDeployWorkloadIdentity.ts	New hook to configure workload identity for Deploy Wizard via shared identity+roles utility.
plugins/aks-desktop/src/components/DeployWizard/hooks/useContainerConfiguration.ts	Extends ContainerConfig for isSecret env vars and WI fields.
plugins/aks-desktop/src/components/DeployWizard/components/ConfigureContainer.tsx	UI support for per-var secrets + new Workload Identity step (create/select identity).
plugins/aks-desktop/src/components/DeployWizard/DeployWizard.tsx	Threads Azure context + namespace into container configuration UI.
plugins/aks-desktop/src/components/DeployTab/utils/extractContainerConfig.ts	Round-trips secretKeyRef env vars and detects WI label/serviceAccountName.
plugins/aks-desktop/src/components/DeployTab/components/ClusterDeployCard.tsx	Passes Azure context into DeployWizard for WI setup.
plugins/aks-desktop/src/components/GitHubPipeline/hooks/useWorkloadIdentitySetup.ts	Refactors to use shared ensureIdentityWithRoles; status renamed to assigning-roles.
plugins/aks-desktop/src/components/GitHubPipeline/components/WorkloadIdentitySetup.tsx	UI text/step updates for multi-role assignment; threads additional config fields.
plugins/aks-desktop/src/components/GitHubPipeline/utils/agentTemplates.ts	Adds workload identity and ACR build/push instructions to generated agent docs.
plugins/aks-desktop/src/components/GitHubPipeline/utils/pipelineOrchestration.ts	Adds AZURE_ACR_NAME secret creation based on selected ACR.
plugins/aks-desktop/src/components/GitHubPipeline/types.ts	Adds acrResourceId/acrLoginServer to PipelineConfig.
plugins/aks-desktop/src/components/GitHubPipeline/components/AcrSelector.tsx	New UI component to select/create/skip ACR for pipelines.
plugins/aks-desktop/src/components/GitHubPipeline/GitHubPipelineWizard.tsx	Passes clusterName into workload identity setup step.
Localize/locales/en/plugin-translation.json	Adds i18n strings for secrets/WI/ACR UI text.

Comments suppressed due to low confidence (1)

plugins/aks-desktop/src/components/GitHubPipeline/GitHubPipelineWizard.tsx:244

• WorkloadIdentitySetup now accepts acrResourceId, isManagedNamespace, namespaceName, and azureRbacEnabled to compute/assign the correct role matrix, but the wizard doesn’t pass any of these (only clusterName). This means identity setup will miss ACR roles and may scope AKS roles incorrectly. Please thread the needed values into this component (or drop the unused props and keep the role computation local until wiring is complete).

      case 'WorkloadIdentitySetup': {
        if (!selectedRepo) return <LoadingSpinner message={t('Loading...')} />;
        return (
          <WorkloadIdentitySetup
            subscriptionId={subscriptionId}
            resourceGroup={resourceGroup}
            clusterName={clusterName}
            repo={selectedRepo}
            identitySetup={identitySetup}
            projectName={resolvedProjectName ?? namespace}
          />

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 29 out of 29 changed files in this pull request and generated 5 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 51 out of 68 changed files in this pull request and generated 1 comment.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 51 out of 68 changed files in this pull request and generated 4 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[gambtho]

found an issue with the acr selection, fixing now

[Copilot]

Pull request overview

Copilot reviewed 56 out of 73 changed files in this pull request and generated 4 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 56 out of 73 changed files in this pull request and generated no new comments.

Comments suppressed due to low confidence (6)

plugins/aks-desktop/src/components/GitHubPipeline/components/AcrSelector.tsx:1

• getResourceGroupLocation()can return an empty/undefined location (the identity setup flow in this PR explicitly guards for this), but AcrSelector passeslocationstraight intocreateContainerRegistry. Add an explicit check (and user-facing error) when locationis falsy before callingcreateContainerRegistry`, so the failure is deterministic and actionable.
  plugins/aks-desktop/src/components/GitHubPipeline/components/AcrSelector.tsx:1
• On initial render selectedValue is set to '' when no ACR is selected, but there is no <MenuItem value="">... option. MUI Select typically logs an “out-of-range value” warning and may render inconsistently. Consider adding an explicit empty option (e.g., “Select a registry…”) using displayEmpty, or initialize selectedValue to SKIP_VALUE/CREATE_NEW_VALUE depending on intended default behavior.
  plugins/aks-desktop/src/components/GitHubPipeline/utils/pipelineOrchestration.ts:1
• The error message hard-codes the azurecr.io suffix, but ACR login servers can vary by cloud (e.g., azurecr.us, azurecr.cn). Since the derivation logic only needs a non-empty first DNS label, consider making the message suffix-agnostic (e.g., “Expected format: .”) or validating against *.azurecr.* if that’s the intent.
  plugins/aks-desktop/src/utils/kubernetes/serviceAccountNames.ts:1
• The || 'app-sa' fallback is effectively unreachable because normalizeK8sName() delegates to sanitizeDnsName() which already provides a non-empty fallback ('app'). This also makes the JSDoc and behavior diverge for edge cases (e.g., empty appName yields sa, not app-sa). Consider either (a) letting callers pass an explicit fallback and wiring it through sanitizeDnsName, or (b) removing the unreachable fallback and updating the comment to match the actual behavior.
  plugins/aks-desktop/src/hooks/useNamespaceCapabilities.ts:1
• On API rejection, the hook sets isManagedNamespace to false, which can misclassify a managed namespace as “regular” during transient/auth/network failures. Since this value is used to drive role scope selection (MNS vs cluster scope), misclassification can lead to incorrect role assignments and downstream failures that are harder to diagnose. Consider keeping isManagedNamespace as undefined on rejection (indeterminate) and forcing the caller UI to block/ask the user to retry when capabilities can’t be resolved.
  plugins/aks-desktop/src/components/GitHubPipeline/components/AcrSelector.tsx:1
• The helper text says “5-50 alphanumeric characters”, but the validation (ACR_NAME_PATTERN) requires lowercase alphanumeric only. Updating the helper text to explicitly mention lowercase would make the UI guidance consistent with the actual rules and prevent confusion.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.