Sync from dev @ 252c1cf

Source: main (252c1cf)
Excluded: live tenant exports, generated artifacts, and dev-only tooling.

templates/variables-common.yml

@@ -0,0 +1,48 @@
+# Common variables shared across backup and review-sync pipelines.
+# Include with: variables: [ template: templates/variables-common.yml ]
+
+variables:
+  - name: BASELINE_BRANCH
+    value: main
+  - name: DRIFT_BRANCH_INTUNE
+    value: drift/intune
+  - name: DRIFT_BRANCH_ENTRA
+    value: drift/entra
+  - name: BACKUP_FOLDER
+    value: tenant-state
+  - name: REPORTS_SUBDIR
+    value: reports
+  - name: ENABLE_WORKLOAD_INTUNE
+    value: true
+  - name: ENABLE_WORKLOAD_ENTRA
+    value: true
+  - name: ENABLE_PR_REVIEW_SUMMARY
+    value: true
+  - name: ENABLE_PR_REVIEWER_DECISIONS
+    value: true
+  - name: ENABLE_PR_AI_SUMMARY
+    value: true
+  - name: ROLLING_PR_DELAY_REVIEWER_NOTIFICATIONS
+    value: true
+  - name: REQUIRE_CHANGE_TICKETS
+    value: false
+  - name: CHANGE_TICKET_REGEX
+    value: "[A-Z][A-Z0-9]+-[0-9]+"
+  - name: DEBUG_CHANGE_TICKET_THREADS
+    value: false
+  - name: AZURE_OPENAI_API_VERSION
+    value: "2024-12-01-preview"
+  - name: AUTO_REMEDIATE_AFTER_MERGE
+    value: true
+  - name: AUTO_REMEDIATE_AFTER_MERGE_LOOKBACK_HOURS
+    value: 168
+  - name: AUTO_REMEDIATE_DRY_RUN
+    value: false
+  - name: AUTO_REMEDIATE_UPDATE_ASSIGNMENTS
+    value: true
+  - name: AUTO_REMEDIATE_REMOVE_OBJECTS
+    value: false
+  - name: AUTO_REMEDIATE_MAX_WORKERS
+    value: 10
+  - name: AUTO_REMEDIATE_EXCLUDE_CSV
+    value: ""

templates/variables-tenant.yml

@@ -0,0 +1,59 @@
+# Tenant-specific variables for ASTRAL
+#
+# Copy these variables into an Azure DevOps Variable Group (e.g. vg-astral-tenant)
+# and reference that group in your pipeline YAMLs. Do not commit secrets to Git.
+#
+# Example pipeline reference:
+#   variables:
+#     - group: vg-astral-tenant
+#     - template: templates/variables-common.yml
+
+variables:
+  # Required: Microsoft 365 tenant domain
+  - name: TENANT_NAME
+    value: contoso.onmicrosoft.com
+
+  # Required: Azure DevOps service connection name (workload federated credential)
+  - name: SERVICE_CONNECTION_NAME
+    value: sc-astral-backup
+
+  # Required: Git commit identity used by the pipeline
+  - name: USER_NAME
+    value: ASTRAL Backup Service
+
+  # Required: Git commit email used by the pipeline
+  - name: USER_EMAIL
+    value: astral-backup@contoso.com
+
+  # Optional: Agent pool name. Default uses Azure-hosted agents.
+  - name: AGENT_POOL_NAME
+    value: Azure Pipelines
+
+  # Optional: Timezone for light/full run decisions. Must be a valid tz database name.
+  - name: BACKUP_TIMEZONE
+    value: Europe/Prague
+
+  # Optional: Full-run hour in BACKUP_TIMEZONE (24h format, zero-padded).
+  # The main pipeline runs hourly; only this hour triggers a full export.
+  - name: FULL_RUN_HOUR
+    value: "00"
+
+  # Optional: Cron schedule for the main backup pipeline.
+  - name: SCHEDULE_CRON
+    value: "0 * * * *"
+
+  # Optional but recommended: pipeline definition ID of azure-pipelines-restore.yml.
+  # Set this after you have imported the restore pipeline into Azure DevOps.
+  - name: AUTO_REMEDIATE_RESTORE_PIPELINE_ID
+    value: ""
+
+  # Optional: Azure OpenAI settings for AI-assisted PR summaries.
+  # Store AZURE_OPENAI_API_KEY as a secret variable.
+  - name: ENABLE_PR_AI_SUMMARY
+    value: false
+  - name: AZURE_OPENAI_ENDPOINT
+    value: ""
+  - name: AZURE_OPENAI_DEPLOYMENT
+    value: ""
+  - name: AZURE_OPENAI_API_KEY
+    value: ""