Automated sync from private repo (2026-06-13)#775
Merged
foundry-samples-repo-sync[bot] merged 4 commits intoJun 13, 2026
Conversation
…uardrail) (#526) * Add content safety guardrail hosted-agent sample Add a new Agent Framework / Responses hosted-agent sample that attaches a Responsible AI content safety guardrail via a definition-level policies block (type: rai_policy, rai_policy_name = full ARM resource ID). Includes a README covering prerequisites, azd and VS Code deploy paths, and runtime verification (benign prompt returns 200, a blocked prompt returns 400 content_filter). Add a learning-path entry to the hosted-agents catalog README. Verified end-to-end with azd deploy: the deployed agent reaches active with the rai_config persisted, and a harmful prompt is blocked at the input stage. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Fix guardrail default-policy behavior note in content safety sample Omitting the policies block deploys the agent without a content safety guardrail; the Microsoft.DefaultV2 default only applies when the policies block is present but rai_policy_name is omitted. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * CI: inject RAI policy ARM ID into content-safety guardrail sample at deploy The content-safety guardrail sample commits a documented placeholder RAI policy ARM ID so it leaks no real resource details. Both E2E workflows live-deploy the sample, where the literal placeholder fails RAI validation. Replace the exact placeholder with a real policy ARM ID from a repo variable at deploy time: - cloud-e2e: rewrite agent.manifest.yaml before 'azd ai agent init' using AZURE_AI_RAI_POLICY_ID; assert the placeholder did not survive into the generated agent.yaml. - foundry-ext-e2e: rewrite the sample agent.yaml before the Playwright deploy using FOUNDRY_EXT_RAI_POLICY_ID. Both rewrites match only the exact documented placeholder (no-op for all other samples) and fail fast if the placeholder is present but the variable is unset or not a full ARM ID. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * CI: add functional invoke payload + guardrail block test for content-safety sample - Add internal/tools/.../python/responses/16-content-safety-guardrail/test-payload.txt so cloud-e2e runs a real benign multi-turn invoke instead of the generic default 'Hello from CI' payload. - Add a guardrail block-test step (cloud-e2e, gated to this sample + responses protocol): a benign prompt must return HTTP 200 and a policy-violating prompt must be blocked at the input stage (HTTP 400 + content_filter). The violating prompt is supplied via the CONTENT_SAFETY_TEST_PROMPT repo variable so no harmful text is committed; the step is a clean no-op when the variable is unset and retries to absorb the guardrail's fail-open behavior. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * CI: make azd env var sanitize() quote-safe (drop xargs) The 'Configure azd environment' step pushes every repo variable through a sanitize() helper that used xargs to trim whitespace. xargs treats single and double quotes specially and aborts with 'unmatched single quote' on values containing apostrophes (e.g. a sentence with "don't"), failing the whole step under 'bash -e' and breaking cloud-e2e for ALL samples whenever such a variable exists. Trim with sed instead so values are preserved verbatim. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…EADMEs (#537) Add documentation for the new enableContainerRegistry and developerIpCidr parameters across templates 11, 15, 15a, 16, 17, and 19. Updates include: - Added ACR to 'What Gets Deployed' resource tables/lists - Added enableContainerRegistry param (Premium SKU ACR with PE + DNS + AcrPull role) - Added developerIpCidr param (optional IP allowlist for push access) Co-authored-by: Karthik Saligrama <ksaligrama@microsoft.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Port Bicep template 11 to Terraform. Creates a basic agent setup with VNet injection for network isolation: - VNet with agent subnet (delegated to Microsoft.App/environments) and PE subnet - AI Foundry account with network injection and public access disabled - Private endpoint and DNS zones for AI Services - AI Foundry project with capability host (basic agent, no BYO resources) - Configurable model deployment - Optional Azure Container Registry with private endpoint Tested: deployed successfully to canadacentral, verified idempotency. Co-authored-by: Karthik Saligrama <ksaligrama@microsoft.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* just to commit. * add word comment notifications.
foundry-samples-repo-sync
Bot
deleted the
sync/private-to-public-20260613-000846
branch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Automated sync from private repo.
Synced commits: 4
Authors: Adi Yadav,Amit Bhave Karthik Saligrama
Validation gate: mode=
none; tracked=0; blocked=0.Rollback point:
810884dbbd607be56ac8b6a15cb1c10db7b9ee20— to revert, force-push this SHA tomainand clear the sync-marks cache.Triggered by:
workflow_dispatchRun: https://github.com/microsoft-foundry/foundry-samples-pr/actions/runs/27450277393