When running the azure/webapps-deploy@v2 action, I received the following error:

(node:2000) [DEP0128] DeprecationWarning: Invalid 'main' field in '/home/runner/work/_actions/azure/webapps-deploy/v2/node_modules/actions-secret-parser/package.json' of 'lib/index.js'. Please either fix that or report it to the module author

The configuration seems correct in this repository because /packages/secret-parser/tsconfig.json outputs into a /lib directory and the 'main' field in package.json is referencing that directory.

The problem is that the npm package actions-secret-parser is different from the configuration. index.js is in the root directory, the /lib directory does not exist. See https://www.npmjs.com/package/actions-secret-parser?activeTab=explore

Tested on both webapp-action and functions-action.
The Github Action POST api/zipdeploy request does not contain proper UserAgent field.
in webClient.ts, process.env.AZURE_HTTP_USER_AGENT is undefined.

Kusto Table:

Suggestion:
Should lazily initialize webClient. Suspect that the environment variable is propagated later than webClient initialization.

I just started working with github actions and noticed this call to getAppSettings is logging the response in its entirety into the actions console. This is exposing what would otherwise be secret app settings only accessible from the azure portal. In my particular deployment it is only using this call to warm up kudu before calling the zip deploy.

Could this be configured to be silent? Or is there a different call that could be used for warming up kudu? I notice this call is also used where appsettings are actually needed however it shouldn't log them by default in that case either.

There are important files that Microsoft projects should all have that are not present in this repository. A pull request has been opened to add the missing file(s). When the pr is merged this issue will be closed automatically.

Microsoft teams can learn more about this effort and share feedback within the open source guidance available internally.

Merge this pull request

When trying to use appservice-actions Webapp deployer, I tried using the package syntax with a relative path (or variable) and glob (example: ./target/*.jar or ${GITHUB_WORKSPACE/target/*.jar}) and it was not able to pick up the package that I wanted.

    - uses: azure/appservice-actions/webapp@master
      with: 
        app-name: example
        publish-profile: ${{ secrets.azureWebAppPublishProfile }}
        package:  ./target/example*.jar 

When I set it to a direct path with glob it worked.

    - uses: azure/appservice-actions/webapp@master
      with: 
        app-name: example
        publish-profile: ${{ secrets.azureWebAppPublishProfile }}
        package:  /home/runner/work/example/example/target/example*.jar 

I was able to trace it back to this package and I believe there is something wrong in the utility not respecting linux relative paths or environment variables in the path.

"Credentials" typo on

We just need to update the config and not do an explicit restart operation. The config change triggers a restart.

Azure/functions-action#116

The following "app doesn't exist" error appears even if the function app is already there and exists for hours.

Error: Resource func-my-function doesn't exist.
    at Function.<anonymous> (/home/runner/work/_actions/Azure/functions-action/v1/node_modules/azure-actions-appservice-rest/Utilities/AzureResourceFilterUtility.js:21:23)
    at Generator.next (<anonymous>)
    at fulfilled (/home/runner/work/_actions/Azure/functions-action/v1/node_modules/azure-actions-appservice-rest/Utilities/AzureResourceFilterUtility.js:5:58)
    at processTicksAndRejections (internal/process/task_queues.js:97:5)

Error is generated from the code here:

1. pipelines-appservice-lib/src/RestUtilities/AzureResourceFilterUtility.ts

   Lines 10 to 12 in 2b66f5b

   	if(!filteredResources || filteredResources.length == 0) {
   	throw new Error('ResourceDoesntExist');
   	}

2. pipelines-appservice-lib/src/ArmRest/azure-arm-resource.ts

   Lines 14 to 18 in 2b66f5b

   	var httpRequest: webClient.WebRequest = {
   	method: 'GET',
   	uri: this._client.getRequestUri('//subscriptions/{subscriptionId}/resources', {},
   	[`$filter=resourceType EQ \'${encodeURIComponent(resourceType)}\' AND name EQ \'${encodeURIComponent(resourceName)}\'`], '2016-07-01')
   	};

I'd like to be able to add / update App Settings. This can be accomplished via

POST /api/settings

{"somenewsetting": "somevalue",
"oldsettingtoupdate": "newvalue"}

Similarly, you can delete settings via
DELETE /api/settings/somesettingnamehere

Could you please implement these methods in your API client so that I can use this in GitHub Actions? :)

See:
https://github.com/projectkudu/kudu/wiki/REST-API#settings

xmldom<=0.6.0 allows multiple root nodes in a DOM is regarded as a critical vulnerability scanned by GitHub Dependabot.

Impact

xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the childNodes collection of the Document, without reporting any error or throwing.
This breaks the assumption that there is only a single root node in the tree, which led to https://nvd.nist.gov/vuln/detail/CVE-2022-39299 and is a potential issue for dependents.

Patches

Update to @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag latest) or @xmldom/xmldom@>=0.9.0-beta.4 (dist-tag next).

Please bump the version of xmldom, otherwise anyone depends on actions-secret-parser will be affected by this vulnerability.

In https://github.com/microsoft/pipelines-appservice-lib/blob/93ad0ec841bd909e0e834118ee36c3e0f2737071/packages/webclient/package.json, the dependencies for actions/core is "@actions/core": "^1.1.3",

This needs to be updated to 1.2.6 per

https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/