From e7d45280154e3e273eb228de33eefabc471a311f Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 21 May 2026 19:17:24 +0000
Subject: [PATCH 1/4] Initial plan
From 526493783b281b461258d6a29a7570590d17025f Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 21 May 2026 19:24:23 +0000
Subject: [PATCH 2/4] Propagate sensitive template params from porter explain
---
 devops/scripts/register_bundle_with_api.sh | 18 +++++++++++++++++-
 .../airlock_notifier/template_schema.json | 3 +--
 .../porter.yaml | 1 +
 .../template_schema.json | 3 +--
 .../porter.yaml | 1 +
 .../template_schema.json | 3 +--
 .../airlock-import-review/porter.yaml | 1 +
 .../airlock-import-review/template_schema.json | 1 -
 templates/workspaces/base/porter.yaml | 1 +
 templates/workspaces/base/template_schema.json | 3 +--
 templates/workspaces/unrestricted/porter.yaml | 1 +
 .../unrestricted/template_schema.json | 1 -
 12 files changed, 26 insertions(+), 11 deletions(-)
diff --git a/devops/scripts/register_bundle_with_api.sh b/devops/scripts/register_bundle_with_api.sh
index 61fb3202c7..2cc48611c0 100755
--- a/devops/scripts/register_bundle_with_api.sh
+++ b/devops/scripts/register_bundle_with_api.sh
@@ -99,7 +99,23 @@ fi
 acr_domain_suffix=$(az cloud show --query suffixes.acrLoginServerEndpoint --output tsv)
 explain_json=$(porter explain --reference "${acr_name}${acr_domain_suffix}"/"$(yq eval '.name' porter.yaml)":v"$(yq eval '.version' porter.yaml)" -o json)
-payload=$(echo "${explain_json}" | jq --slurpfile json_schema template_schema.json --arg current "${current}" --arg bundle_type "${bundle_type}" '. + {"json_schema": $json_schema[0], "resourceType": $bundle_type, "current": $current}')
+payload=$(echo "${explain_json}" | jq --slurpfile json_schema template_schema.json --arg current "${current}" --arg bundle_type "${bundle_type}" '
+ . as $explain
+ | ($explain.parameters // [] | map(select(.sensitive == true) | .name) | unique) as $sensitive_parameter_names
+ | ($json_schema[0] | walk(
+ if type == "object" and has("properties") and (.properties | type) == "object"
+ then .properties |= with_entries(
+ .key as $parameter_name
+ | if ($sensitive_parameter_names | index($parameter_name)) != null
+ then .value |= (. + {"sensitive": true})
+ else .
+ end
+ )
+ else .
+ end
+ )) as $schema
+ | $explain + {"json_schema": $schema, "resourceType": $bundle_type, "current": $current}
+')
 if [ "${dry_run}" == "true" ]; then
 echo "--dry-run specified - automatic bundle registration disabled. Use the script output to self-register."
diff --git a/templates/shared_services/airlock_notifier/template_schema.json b/templates/shared_services/airlock_notifier/template_schema.json
index fb22366da2..169bf341ef 100644
--- a/templates/shared_services/airlock_notifier/template_schema.json
+++ b/templates/shared_services/airlock_notifier/template_schema.json
@@ -39,8 +39,7 @@
 "type": "string",
 "title": "SMTP Password",
 "description": "SMTP Password",
- "updateable": false,
- "sensitive": true
+ "updateable": false
 },
 "smtp_from_email": {
 "$id": "#/properties/smtp_from_email",
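Review bot: The rewritten jq pipeline fails open — if `porter explain` on the installed Porter version does not emit a `sensitive` field for parameters, or the explain name differs from the schema property key, `$sensitive_parameter_names` is simply empty and the registered `json_schema` carries no sensitive flags, so values such as `client_secret` and the airlock SAS tokens would be stored and rendered unmasked; this matters because the companion template_schema.json hunks delete the only other source of that flag. Cross-check against porter.yaml, which the script already reads with yq, and abort before registration when porter.yaml declares sensitive parameters but none were tagged, e.g. `expected=$(yq eval '[.parameters[] | select(.sensitive == true) | .name] | length' porter.yaml)` against `tagged=$(echo "${payload}" | jq '[.json_schema | .. | objects | select(.sensitive == true)] | length')` and fail when `expected` is non-zero while `tagged` is zero. Note also that airlock_notifier/template_schema.json loses `"sensitive": true` on `smtp_password` while no airlock_notifier/porter.yaml change is in this patch — presumably that porter.yaml already marks the parameter sensitive, but it should be confirmed, since otherwise the SMTP password silently loses its masking. The surrounding script (variable setup above and the registration call below) lies outside the hunk.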
diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/porter.yaml b/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/porter.yaml
index b8fdcf7f0e..471e65d04c 100644
--- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/porter.yaml
+++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/porter.yaml
@@ -81,6 +81,7 @@ parameters:
 type: string
 description: "A SAS token to access storage resource in workspace under review"
 env: airlock_request_sas_url
+ sensitive: true
 - name: enable_cmk_encryption
 type: boolean
 default: false
diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/template_schema.json b/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/template_schema.json
index f7041a8c82..4166c3c839 100644
--- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/template_schema.json
+++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/template_schema.json
@@ -34,8 +34,7 @@
 "type": "string",
 "title": "Airlock request SAS Token",
 "description": "SAS Token for airlock request",
- "updateable": false,
- "sensitive": true
+ "updateable": false
 }
 }
 }
diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/porter.yaml b/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/porter.yaml
index 685da7e5a3..4925db12c6 100644
--- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/porter.yaml
+++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/porter.yaml
@@ -88,6 +88,7 @@ parameters:
 type: string
 description: "A SAS token to access storage resource in workspace under review"
 env: airlock_request_sas_url
+ sensitive: true
 - name: enable_cmk_encryption
 type: boolean
 default: false
diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/template_schema.json b/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/template_schema.json
index fe51c46fa8..9c93934902 100644
--- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/template_schema.json
+++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/template_schema.json
@@ -34,8 +34,7 @@
 "type": "string",
 "title": "Airlock request SAS Token",
 "description": "SAS Token for airlock request",
- "updateable": false,
- "sensitive": true
+ "updateable": false
 }
 }
 }
diff --git a/templates/workspaces/airlock-import-review/porter.yaml b/templates/workspaces/airlock-import-review/porter.yaml
index 25fd654f57..cd308b2304 100644
--- a/templates/workspaces/airlock-import-review/porter.yaml
+++ b/templates/workspaces/airlock-import-review/porter.yaml
@@ -87,6 +87,7 @@ parameters:
 "The client secret of the workspace in the identity provider.
 This value is typically provided to you when you create the ws application"
 default: ""
+ sensitive: true
 - name: ui_client_id
 type: string
 default: ""
diff --git a/templates/workspaces/airlock-import-review/template_schema.json b/templates/workspaces/airlock-import-review/template_schema.json
index 09d7d6be87..4e0fccb4d9 100644
--- a/templates/workspaces/airlock-import-review/template_schema.json
+++ b/templates/workspaces/airlock-import-review/template_schema.json
@@ -103,7 +103,6 @@
 "type": "string",
 "title": "Application (Client) Secret",
 "description": "The AAD Application Registration secret for the workspace. This value will be stored in the Workspace Key Vault.",
- "sensitive": true,
 "updateable": true
 }
 },
diff --git a/templates/workspaces/base/porter.yaml b/templates/workspaces/base/porter.yaml
index 368df54022..4092901d9b 100644
--- a/templates/workspaces/base/porter.yaml
+++ b/templates/workspaces/base/porter.yaml
@@ -90,6 +90,7 @@ parameters:
 "The client secret of the workspace in the identity provider.
 This value is typically provided to you when you create the ws application"
 default: ""
+ sensitive: true
 - name: ui_client_id
 type: string
 default: ""
diff --git a/templates/workspaces/base/template_schema.json b/templates/workspaces/base/template_schema.json
index c69024b8e8..afe85d3d50 100644
--- a/templates/workspaces/base/template_schema.json
+++ b/templates/workspaces/base/template_schema.json
@@ -249,7 +249,6 @@
 "type": "string",
 "title": "Application (Client) Secret",
 "description": "The AAD Application Registration secret for the workspace. This value will be stored in the Workspace Key Vault.",
- "sensitive": true,
 "updateable": true
 }
 },
@@ -357,4 +356,4 @@
 "*"
 ]
 }
-}
\ No newline at end of file
+}
diff --git a/templates/workspaces/unrestricted/porter.yaml b/templates/workspaces/unrestricted/porter.yaml
index bd4373b587..e4209f6cde 100644
--- a/templates/workspaces/unrestricted/porter.yaml
+++ b/templates/workspaces/unrestricted/porter.yaml
@@ -98,6 +98,7 @@ parameters:
 "The client secret of the workspace in the identity provider.
 This value is typically provided to you when you create the ws application"
 default: ""
+ sensitive: true
 - name: ui_client_id
 type: string
 default: ""
diff --git a/templates/workspaces/unrestricted/template_schema.json b/templates/workspaces/unrestricted/template_schema.json
index cea34ab8f4..45ffcd80ee 100644
--- a/templates/workspaces/unrestricted/template_schema.json
+++ b/templates/workspaces/unrestricted/template_schema.json
@@ -132,7 +132,6 @@
 "type": "string",
 "title": "Application (Client) Secret",
 "description": "The AAD Application Registration secret for the workspace. This value will be stored in the Workspace Key Vault.",
- "sensitive": true,
 "updateable": true
 }
 },
From b1da83a3af84c19923acc0cc6ffee8a519b0b240 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 21 May 2026 20:09:11 +0000
Subject: [PATCH 3/4] Add unreleased changelog note for sensitive Porter params
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1284b51429..edb0bbbc1c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,7 @@ ENHANCEMENTS:
 * Specify default_outbound_access_enabled = false setting for all subnets ([#4757](https://github.com/microsoft/AzureTRE/pull/4757))
 * Pin all GitHub Actions workflow steps to full commit SHAs to prevent supply chain attacks plus update to latest releases ([#4886](https://github.com/microsoft/AzureTRE/pull/4886))
+* Propagate sensitive Porter parameters into template registration schema to remove duplicate sensitivity metadata from template schemas.
 ## (0.28.0) (March 2, 2026)
 **BREAKING CHANGES**
@@ -1700,4 +1701,3 @@ FEATURES:
 * Centrally manage the firewall share service state to enable other services to ask for rule changes
 Many more enhancements are listed on the [release page](https://github.com/microsoft/AzureTRE/releases/tag/v0.4)
-
From cfcafca15c7203ce458aa6c9b00b7d22cdee526d Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 21 May 2026 20:10:03 +0000
Subject: [PATCH 4/4] Add changelog enhancement note with PR reference
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index edb0bbbc1c..a3a765b44e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,7 +4,7 @@ ENHANCEMENTS:
 * Specify default_outbound_access_enabled = false setting for all subnets ([#4757](https://github.com/microsoft/AzureTRE/pull/4757))
 * Pin all GitHub Actions workflow steps to full commit SHAs to prevent supply chain attacks plus update to latest releases ([#4886](https://github.com/microsoft/AzureTRE/pull/4886))
-* Propagate sensitive Porter parameters into template registration schema to remove duplicate sensitivity metadata from template schemas.
+* Propagate sensitive Porter parameters into template registration schema to remove duplicate sensitivity metadata from template schemas ([#4910](https://github.com/microsoft/AzureTRE/pull/4910)).
 ## (0.28.0) (March 2, 2026)
 **BREAKING CHANGES**