Sync from dev @ 14435d1

Source: main (14435d1)
Excluded: live tenant exports, generated artifacts, and dev-only tooling.

azure-pipelines-restore.yml

@@ -64,6 +64,26 @@ jobs:
       - checkout: self
         persistCredentials: true
 
+      # Uncomment the block below for agent-side debugging.
+      # - task: Bash@3
+      #   displayName: DEBUG — dump agent state (restore)
+      #   inputs:
+      #     targetType: inline
+      #     script: |
+      #       set -euo pipefail
+      #       echo "=== Variables ==="
+      #       echo "BACKUP_FOLDER=$(BACKUP_FOLDER)"
+      #       echo "INTUNE_BACKUP_SUBDIR=$(INTUNE_BACKUP_SUBDIR)"
+      #       echo "BASELINE_BRANCH=$(BASELINE_BRANCH)"
+      #       echo "=== Git state ==="
+      #       git branch -a
+      #       git log --oneline -5
+      #       git status --short
+      #       echo "=== File system ==="
+      #       ls -la "$(Build.SourcesDirectory)"
+      #       find "$(BACKUP_FOLDER)" -maxdepth 2 -type d 2>/dev/null || true
+      #   workingDirectory: "$(Build.SourcesDirectory)"
+
       - task: Bash@3
         displayName: Checkout approved baseline snapshot
         inputs:

azure-pipelines-review-sync.yml

@@ -26,6 +26,26 @@ jobs:
       - checkout: self
         persistCredentials: true
 
+      # Uncomment the block below for agent-side debugging.
+      # - task: Bash@3
+      #   displayName: DEBUG — dump agent state (Intune review sync)
+      #   inputs:
+      #     targetType: inline
+      #     script: |
+      #       set -euo pipefail
+      #       echo "=== Variables ==="
+      #       echo "BACKUP_FOLDER=$(BACKUP_FOLDER)"
+      #       echo "DRIFT_BRANCH_INTUNE=$(DRIFT_BRANCH_INTUNE)"
+      #       echo "BASELINE_BRANCH=$(BASELINE_BRANCH)"
+      #       echo "=== Git state ==="
+      #       git branch -a
+      #       git log --oneline -5
+      #       git status --short
+      #       echo "=== File system ==="
+      #       ls -la "$(Build.SourcesDirectory)"
+      #       find "$(BACKUP_FOLDER)" -maxdepth 2 -type d 2>/dev/null || true
+      #   workingDirectory: "$(Build.SourcesDirectory)"
+
       - task: Bash@3
         displayName: Apply reviewer /reject decisions (Intune)
         condition: eq(variables['ENABLE_PR_REVIEWER_DECISIONS'], 'true')
@@ -114,6 +134,26 @@ jobs:
       - checkout: self
         persistCredentials: true
 
+      # Uncomment the block below for agent-side debugging.
+      # - task: Bash@3
+      #   displayName: DEBUG — dump agent state (Entra review sync)
+      #   inputs:
+      #     targetType: inline
+      #     script: |
+      #       set -euo pipefail
+      #       echo "=== Variables ==="
+      #       echo "BACKUP_FOLDER=$(BACKUP_FOLDER)"
+      #       echo "DRIFT_BRANCH_ENTRA=$(DRIFT_BRANCH_ENTRA)"
+      #       echo "BASELINE_BRANCH=$(BASELINE_BRANCH)"
+      #       echo "=== Git state ==="
+      #       git branch -a
+      #       git log --oneline -5
+      #       git status --short
+      #       echo "=== File system ==="
+      #       ls -la "$(Build.SourcesDirectory)"
+      #       find "$(BACKUP_FOLDER)" -maxdepth 2 -type d 2>/dev/null || true
+      #   workingDirectory: "$(Build.SourcesDirectory)"
+
       - task: Bash@3
         displayName: Apply reviewer /reject decisions (Entra)
         condition: eq(variables['ENABLE_PR_REVIEWER_DECISIONS'], 'true')

azure-pipelines.yml

@@ -85,6 +85,28 @@ jobs:
       - checkout: self
         persistCredentials: true
 
+      # Uncomment the block below for agent-side debugging.
+      # - task: Bash@3
+      #   displayName: DEBUG — dump agent state (Intune)
+      #   inputs:
+      #     targetType: inline
+      #     script: |
+      #       set -euo pipefail
+      #       echo "=== Variables ==="
+      #       echo "BACKUP_FOLDER=$(BACKUP_FOLDER)"
+      #       echo "INTUNE_BACKUP_SUBDIR=$(INTUNE_BACKUP_SUBDIR)"
+      #       echo "DRIFT_BRANCH_INTUNE=$(DRIFT_BRANCH_INTUNE)"
+      #       echo "BASELINE_BRANCH=$(BASELINE_BRANCH)"
+      #       echo "AGENT_POOL_NAME=$(AGENT_POOL_NAME)"
+      #       echo "=== Git state ==="
+      #       git branch -a
+      #       git log --oneline -5
+      #       git status --short
+      #       echo "=== File system ==="
+      #       ls -la "$(Build.SourcesDirectory)"
+      #       find "$(BACKUP_FOLDER)" -maxdepth 2 -type d 2>/dev/null || true
+      #   workingDirectory: "$(Build.SourcesDirectory)"
+
       - task: Bash@3
         displayName: Snapshot validation helper script (Intune job)
         inputs:
@@ -757,13 +779,23 @@ jobs:
             $generatedSplitMarkdownPattern = '^' + [Regex]::Escape("$(BACKUP_FOLDER)") + '/.*\.md$'
             $generatedReportPattern = '^' + [Regex]::Escape("$(BACKUP_FOLDER)/$(REPORTS_SUBDIR)/")
             $workloadConfigPattern = '^' + [Regex]::Escape("$(BACKUP_FOLDER)/$(INTUNE_BACKUP_SUBDIR)/")
-            $changedFile = $untrackedFile, $trackedFile | % { $_ } | ? {
+            Write-Host "DEBUG: BACKUP_FOLDER=$(BACKUP_FOLDER), INTUNE_BACKUP_SUBDIR=$(INTUNE_BACKUP_SUBDIR)"
+            Write-Host "DEBUG: workloadConfigPattern = $workloadConfigPattern"
+            Write-Host "DEBUG: untracked count = $($untrackedFile.Count), tracked count = $($trackedFile.Count)"
+            $allFiles = @()
+            if ($untrackedFile) { $allFiles += $untrackedFile }
+            if ($trackedFile) { $allFiles += $trackedFile }
+            $changedFile = $allFiles | ? {
               $_ -and
               $_ -match $workloadConfigPattern -and
               $_ -notmatch $generatedSplitMarkdownPattern -and
               $_ -notmatch $generatedReportPattern -and
               $_ -notlike "*/Assignment Report/*"
             }
+            Write-Host "DEBUG: changed count = $($changedFile.Count)"
+            if ($changedFile.Count -gt 0) {
+              $changedFile | Select-Object -First 5 | ForEach-Object { Write-Host "DEBUG: changed file: $_" }
+            }
 
             if ($changedFile) {
               git show-ref --verify --quiet "refs/remotes/origin/$(DRIFT_BRANCH_INTUNE)"
@@ -1337,6 +1369,28 @@ jobs:
       - checkout: self
         persistCredentials: true
 
+      # Uncomment the block below for agent-side debugging.
+      # - task: Bash@3
+      #   displayName: DEBUG — dump agent state (Entra)
+      #   inputs:
+      #     targetType: inline
+      #     script: |
+      #       set -euo pipefail
+      #       echo "=== Variables ==="
+      #       echo "BACKUP_FOLDER=$(BACKUP_FOLDER)"
+      #       echo "ENTRA_BACKUP_SUBDIR=$(ENTRA_BACKUP_SUBDIR)"
+      #       echo "DRIFT_BRANCH_ENTRA=$(DRIFT_BRANCH_ENTRA)"
+      #       echo "BASELINE_BRANCH=$(BASELINE_BRANCH)"
+      #       echo "AGENT_POOL_NAME=$(AGENT_POOL_NAME)"
+      #       echo "=== Git state ==="
+      #       git branch -a
+      #       git log --oneline -5
+      #       git status --short
+      #       echo "=== File system ==="
+      #       ls -la "$(Build.SourcesDirectory)"
+      #       find "$(BACKUP_FOLDER)" -maxdepth 2 -type d 2>/dev/null || true
+      #   workingDirectory: "$(Build.SourcesDirectory)"
+
       - task: Bash@3
         displayName: Snapshot export/validation helper scripts (Entra job)
         inputs:

scripts/apply_reviewer_rejections.py

@@ -205,7 +205,14 @@ def main() -> int:
     pr = prs[0]
     pr_id = int(pr.get("pullRequestId"))
 
-    _run_git(args.repo_root, ["fetch", "--quiet", "origin", baseline_branch, drift_branch])
+    _run_git(args.repo_root, ["fetch", "--quiet", "origin", baseline_branch])
+    try:
+        _run_git(args.repo_root, ["fetch", "--quiet", "origin", drift_branch])
+    except RuntimeError as exc:
+        if "couldn't find remote ref" in str(exc).lower() or "could not find remote ref" in str(exc).lower():
+            print(f"Drift branch '{drift_branch}' not found on origin; nothing to reject.")
+            return 0
+        raise
     diff_paths = _run_diff_name_only(args.repo_root, baseline_branch, drift_branch)
     changed_paths = {
         p.strip()

scripts/ensure_rolling_pr.py

@@ -512,7 +512,14 @@ def main() -> int:
         print("##vso[task.setvariable variable=DRIFT_PR_SUPPRESSED;isOutput=true]0")
         return 0
 
-    _run_git(args.repo_root, ["fetch", "--quiet", "origin", baseline_branch, drift_branch])
+    _run_git(args.repo_root, ["fetch", "--quiet", "origin", baseline_branch])
+    try:
+        _run_git(args.repo_root, ["fetch", "--quiet", "origin", drift_branch])
+    except RuntimeError as exc:
+        if "couldn't find remote ref" in str(exc).lower() or "could not find remote ref" in str(exc).lower():
+            pass  # Drift branch may not exist yet; fallback to HEAD below.
+        else:
+            raise
     baseline_commitish = f"origin/{baseline_branch}" if _ref_has_commit(args.repo_root, f"origin/{baseline_branch}") else baseline_branch
     drift_commitish = f"origin/{drift_branch}" if _ref_has_commit(args.repo_root, f"origin/{drift_branch}") else "HEAD"
     if not _workload_config_diff_exists(

scripts/update_pr_review_summary.py

@@ -2498,7 +2498,14 @@ def main() -> int:
             return 0
         _debug(f"Active rolling PR detected: pr_id={pr_id}, source={source_ref}, target={target_ref}")
 
-        _run_git(args.repo_root, ["fetch", "--quiet", "origin", baseline_branch, drift_branch])
+        _run_git(args.repo_root, ["fetch", "--quiet", "origin", baseline_branch])
+        try:
+            _run_git(args.repo_root, ["fetch", "--quiet", "origin", drift_branch])
+        except RuntimeError as exc:
+            if "couldn't find remote ref" in str(exc).lower() or "could not find remote ref" in str(exc).lower():
+                print(f"Drift branch '{drift_branch}' not found on origin; skipping summary update.")
+                return 0
+            raise
         diff_output = _run_diff_name_status(args.repo_root, baseline_branch, drift_branch)
         changes = _parse_changes(diff_output, args.backup_folder, args.reports_subdir)
         _debug(f"Parsed non-doc/report changes for summary: count={len(changes)}")