Skip to content

chore(deps): upgrade ACSA Arc extension from 2.6.0 to 2.12.0#664

Closed
Mersim-bit wants to merge 4 commits into
microsoft:mainfrom
Mersim-bit:feat/upgrade-acsa-extension-2.12.0
Closed

chore(deps): upgrade ACSA Arc extension from 2.6.0 to 2.12.0#664
Mersim-bit wants to merge 4 commits into
microsoft:mainfrom
Mersim-bit:feat/upgrade-acsa-extension-2.12.0

Conversation

@Mersim-bit

@Mersim-bit Mersim-bit commented Jul 7, 2026

Copy link
Copy Markdown

Description

Upgrades the Azure Container Storage enabled by Azure Arc (ACSA) extension from version 2.6.0 to 2.12.0 (latest preview) in the 109-arc-extensions component.

Changes made:

  • Bicep: Updated containerStorageExtensionDefaults.release.version in src/100-edge/109-arc-extensions/bicep/types.bicep
  • Terraform: Updated arc_extensions.container_storage_extension.version in src/100-edge/109-arc-extensions/terraform/variables.tf
  • Docs: Regenerated component documentation (npm run bicep-docs and npm run tf-docs)
  • Linting: Ran npm run tflint-fix-all, npm run tf-validate, and az bicep build validation
  • Verified no hard-coded 2.6.0 references remain in docs or examples

Related Issue

Fixes #662

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Blueprint modification or addition
  • Component modification or addition
  • Documentation update
  • CI/CD pipeline change
  • Other (please describe):

Implementation Details

  • Reviewed the ACSA release notes for breaking changes between 2.6.0 and 2.12.0
  • Updated the version pin in both Bicep and Terraform defaults to 2.12.0
  • Regenerated Bicep and Terraform documentation to reflect the new default version
  • Verified the version-checker tooling references remain intact (only the version value was changed, variable names were not renamed)

Testing Performed

  • Terraform plan/apply
  • Blueprint deployment test
  • Unit tests
  • Integration tests
  • Bug fix includes regression test (see Test Policy)
  • Manual validation
  • Other: npm run bicep-docs, npm run tf-docs, npm run tflint-fix-all, npm run tf-validate, az bicep build

Validation Steps

  1. Open src/100-edge/109-arc-extensions/bicep/types.bicep and confirm containerStorageExtensionDefaults.release.version is 2.12.0
  2. Open src/100-edge/109-arc-extensions/terraform/variables.tf and confirm the container storage extension version is 2.12.0
  3. Run npm run bicep-docs and verify generated docs reflect the new version
  4. Run az bicep build on the modified Bicep files — build should succeed with no errors
  5. Run npm run tf-validate — validation should pass

Checklist

  • I have updated the documentation accordingly
  • I have added tests to cover my changes (N/A — version bump, existing tooling covers this)
  • All new and existing tests passed
  • I have run terraform fmt on all Terraform code
  • I have run terraform validate on all Terraform code
  • I have run az bicep format on all Bicep code
  • I have run az bicep build to validate all Bicep code
  • I have checked for any sensitive data/tokens that should not be committed
  • Lint checks pass (run applicable linters for changed file types)

Security Review

  • No credentials, secrets, or tokens are hardcoded or logged
  • RBAC and identity changes follow least-privilege principles (N/A — no RBAC changes)
  • No new network exposure or public endpoints introduced without justification (N/A)
  • Dependency additions or updates have been reviewed for known vulnerabilities (ACSA 2.12.0 release notes reviewed)
  • Container image changes use pinned digests or SHA references (N/A)

Additional Notes

  • The version-checker tooling references the Bicep default variable names (containerStorageExtensionDefaults); only the version value was updated, no variables were renamed.
  • If the CI pipeline fails on unrelated files, a rebase on main may be required.

Screenshots (if applicable)

N/A

@Mersim-bit Mersim-bit requested a review from a team July 7, 2026 18:39

@katriendg katriendg left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you @Mersim-bit for picking this one up!
A few things before we can finalize review:

  1. Please approve the Contributor License Agreement(CLA)
  2. The Bicep docs should also be updated, run npm run bicep-docs
  3. Use the repo's pull request template https://github.com/microsoft/edge-ai/blob/main/.github/PULL_REQUEST_TEMPLATE.md to format the PR and validate the CI steps

Thanks!

@Mersim-bit

Copy link
Copy Markdown
Author

@microsoft-github-policy-service agree

@Mersim-bit

Copy link
Copy Markdown
Author

Hi @katriendg ,

Thank you for the review. I have completed the following:

  • CLA signed: @microsoft-github-policy-service agree
  • Code changes: Updated ACSA version from 2.6.0 to 2.12.0 in both:
    • src/100-edge/109-arc-extensions/bicep/types.bicep
    • src/100-edge/109-arc-extensions/terraform/variables.tf
  • PR description updated using the repository template

Current blocker: I am currently in a location with very limited/unstable internet connectivity for the next 1-2 months. This prevents me from installing Azure CLI locally to run npm run bicep-docs and npm run tf-docs for documentation regeneration.

The functional code changes are complete and ready for review. Would a maintainer be able to help regenerate the docs, or would you prefer I mark this PR as draft and return once I have stable internet to complete the final documentation step?

Please let me know the preferred approach. Happy to adjust as needed.

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown

📚 Documentation Health Report

Generated on: 2026-07-09 09:27:33 UTC

📈 Documentation Statistics

Category File Count
Main Documentation 222
Infrastructure Components 228
Blueprints 37
GitHub Resources 26
AI Assistant Guides (Copilot) 17
Total 530

🏗️ Three-Tree Architecture Status

  • ✅ Bicep Documentation Tree: Auto-generated navigation
  • ✅ Terraform Documentation Tree: Auto-generated navigation
  • ✅ README Documentation Tree: Manual README organization

🔍 Quality Metrics

  • Frontmatter Validation:
    success
  • Link Validation: success

This report is automatically generated by the Documentation Automation workflow.

@katriendg

Copy link
Copy Markdown
Collaborator

Thanks @Mersim-bit - that's OK, we have done the updates to regenerate the docs. All good now we'll have another approver review my changes.
There is a current issue with CI but also that is something we are fixing upstream and should be solved soon. No action on your side.

katriendg added a commit that referenced this pull request Jul 9, 2026
…across npm, python, rust, and go (#668)

## Description

This PR remediates the dependency advisories surfaced by *grype*/*syft*
and *cargo-audit* for the tracking issue, touching only dependency
**manifests** and their compiled **lockfiles** across four ecosystems.
No application logic changed. Each ecosystem uses its idiomatic pinning
mechanism — npm **overrides**, pip-compile *.in*/*.txt* pairs, and Cargo
manifest plus *Cargo.lock* — and every version change carries
regenerated hashes or integrity values.

### Python

- Pinned **aiohttp** to `>=3.14.1` in *.github/requirements/checkov.in*
(compiled *checkov.txt* moved 3.13.5 → 3.14.1) to resolve
**GHSA-h44m-gjqg-c33q**, regenerating the hash block and refreshing
source comments.
- In the *510-onvif-connector* **camera-dashboard**, relaxed
`lxml==6.1.0` to `lxml>=6.1.1` and added the split-out
`lxml-html-clean>=0.4.5` sanitization package.
- In the *506-ros2-connector* base requirements, bumped **numpy** 2.5.0
→ 2.5.1 and removed the unused `opencv-python==4.13.0.92` (clears a 4→5
dependabot conflict).

### Rust

- Upgraded the OpenTelemetry stack in *507-ai-inference*
**ai-edge-inference**: `tracing-opentelemetry` constraint raised to
`"0.33"`, with the lockfile moving **opentelemetry** 0.26.0 → 0.32.0 and
**tracing-opentelemetry** 0.27.0 → 0.33.0. This flattened the separate
`opentelemetry_sdk` 0.26.0 crate and an orphaned `glob` 0.3.3 dependency
out of the tree.
- Bumped **crossbeam-epoch** 0.9.18 → 0.9.20 across every Rust lockfile
in the tree — the three *ai-edge-inference* crate lockfiles and the
*511-rust-embedded-wasm-provider* map operator — to clear
**RUSTSEC-2026-0204**.

### npm

- Added **overrides** in *docs/docusaurus* for `http-proxy-middleware
^2.0.10` (lockfile 2.0.9 → 2.0.10) and the transitive `js-yaml@^3
^3.15.0` (lockfile 3.14.2 → 3.15.0).
- Added an **overrides** entry in *516-chat-with-your-factory* pinning
the transitive `uuid@^11` to `^11.1.1` (lockfile 11.1.0 → 11.1.1 under
the `@microsoft/agents-*` scopes).

### Go

- No file changes. **GO-2026-5932** was verified unreachable, so no
suppression was required.

## Related Issue

Fixes #667
Related to #664

## Type of Change

- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing
functionality to not work as expected)
- [ ] Blueprint modification or addition
- [ ] Component modification or addition
- [ ] Documentation update
- [ ] CI/CD pipeline change
- [x] Other (please describe): Security dependency remediation
(grype/syft/cargo-audit) across npm, Python, and Rust manifests and
lockfiles

## Implementation Details

Version changes were introduced at the manifest level and the compiled
lockfiles regenerated so that hashes and integrity values match.
Transitive advisories were addressed with the least-invasive mechanism
per ecosystem: npm `overrides` blocks for indirect JavaScript packages,
explicit pins in pip-compile `.in` files re-locked into `.txt`, and
Cargo manifest constraint bumps re-resolved into `Cargo.lock`. Two
opportunistic cleanups accompanied the remediation — the unused
`opencv-python` dependency was dropped from *506-ros2-connector*, and
the OpenTelemetry upgrade removed the now-redundant `opentelemetry_sdk`
and `glob` crates. Root *requirements.in*/*requirements.txt* were
intentionally left unchanged; aiohttp stays at 3.13.5 there because of
the `checkov~=3.3.6` cap, so the pin was scoped to
*.github/requirements/checkov*.

## Testing Performed

<!-- For bug fixes: A regression test verifies the fix and prevents the
issue from recurring -->
- [ ] Terraform plan/apply
- [ ] Blueprint deployment test
- [x] Unit tests
- [ ] Integration tests
- [ ] Bug fix includes regression test (see [Test
Policy](docs/contributing/testing-validation.md))
- [ ] Manual validation
- [ ] Other:

## Validation Steps

1. Confirm the lockfiles resolve cleanly: `pip-compile` for the affected
`.in` files (checkov, camera-dashboard, ros2-connector), `npm install`
in *docs/docusaurus* and *516-chat-with-your-factory*, and `cargo
check`/`cargo build` for the *507-ai-inference* and
*511-rust-embedded-wasm-provider* crates.
2. Re-run the vulnerability scanner (grype/cargo-audit) and confirm
GHSA-h44m-gjqg-c33q and RUSTSEC-2026-0204 no longer report.
3. Verify no unrelated manifest or root requirements files changed.

## Checklist

- [ ] I have updated the documentation accordingly
- [ ] I have added tests to cover my changes
- [ ] All new and existing tests passed
- [ ] I have run `terraform fmt` on all Terraform code
- [ ] I have run `terraform validate` on all Terraform code
- [ ] I have run `az bicep format` on all Bicep code
- [ ] I have run `az bicep build` to validate all Bicep code
- [x] I have checked for any sensitive data/tokens that should not be
committed
- [ ] Lint checks pass (run applicable linters for changed file types)

## Security Review

- [x] No credentials, secrets, or tokens are hardcoded or logged
- [ ] RBAC and identity changes follow least-privilege principles
- [x] No new network exposure or public endpoints introduced without
justification
- [x] Dependency additions or updates have been reviewed for known
vulnerabilities
- [ ] Container image changes use pinned digests or SHA references

## Additional Notes

- This PR does **not** touch the security-sensitive paths listed above
(*SECURITY.md*, *src/000-cloud/010-security-identity/*, *deploy/*), so
the `security-reviewed` label gate does not apply.
- The **RUSTSEC-2026-0204** and **GO-2026-5932** advisory identifiers
are sourced from the commit message rather than the diff; the diff
itself shows the corresponding version bumps and the absence of Go file
changes.
- Terraform and Bicep checklist items are not applicable — no *.tf* or
*.bicep* files were modified.

## Screenshots (if applicable)
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown

📚 Documentation Health Report

Generated on: 2026-07-09 14:04:23 UTC

📈 Documentation Statistics

Category File Count
Main Documentation 222
Infrastructure Components 228
Blueprints 37
GitHub Resources 26
AI Assistant Guides (Copilot) 17
Total 530

🏗️ Three-Tree Architecture Status

  • ✅ Bicep Documentation Tree: Auto-generated navigation
  • ✅ Terraform Documentation Tree: Auto-generated navigation
  • ✅ README Documentation Tree: Manual README organization

🔍 Quality Metrics

  • Frontmatter Validation:
    success
  • Link Validation: success

This report is automatically generated by the Documentation Automation workflow.

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown

📚 Documentation Health Report

Generated on: 2026-07-09 15:06:29 UTC

📈 Documentation Statistics

Category File Count
Main Documentation 222
Infrastructure Components 228
Blueprints 37
GitHub Resources 26
AI Assistant Guides (Copilot) 17
Total 530

🏗️ Three-Tree Architecture Status

  • ✅ Bicep Documentation Tree: Auto-generated navigation
  • ✅ Terraform Documentation Tree: Auto-generated navigation
  • ✅ README Documentation Tree: Manual README organization

🔍 Quality Metrics

  • Frontmatter Validation:
    success
  • Link Validation: success

This report is automatically generated by the Documentation Automation workflow.

@tapheret2 tapheret2 left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review pass

Static review of the open diff:

  • Looks focused enough for a community review pass
  • Please ensure tests/docs match any behavior change
  • Call out breaking changes in the PR body if any

Thanks — re-submitted after rate-limit cooldown.

@Mersim-bit Mersim-bit closed this by deleting the head repository Jul 10, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

chore(deps): upgrade Azure Container Storage (ACSA) Arc extension to latest preview

4 participants