Repo File Sync: Update to Mu DevOps v15.0.3 (#338)

synced local file(s) with
[microsoft/mu_devops](https://github.com/microsoft/mu_devops).

🤖: View the [Repo File Sync Configuration
File](https://github.com/microsoft/mu_devops/blob/main/.sync/Files.yml)
to see how files are synced.

---

This PR was created automatically by the
[repo-file-sync-action](https://github.com/BetaHuhn/repo-file-sync-action)
workflow run
[#16039182195](https://github.com/microsoft/mu_devops/actions/runs/16039182195)

Signed-off-by: Project Mu UEFI Bot <uefibot@microsoft.com>
Co-authored-by: mu-automation[bot] <204385837+mu-automation[bot]@users.noreply.github.com>

Author: mu-automation[bot]

.azurepipelines/MuDevOpsWrapper.yml

@@ -19,7 +19,7 @@ resources:
       type: github
       endpoint: microsoft
       name: microsoft/mu_devops
-      ref: refs/tags/v15.0.2
+      ref: refs/tags/v15.0.3
 
 parameters:
 - name: do_ci_build

.github/workflows/backport-to-release-branch.yml

@@ -148,7 +148,7 @@ jobs:
           core.setOutput('pr_number', prNumber);
           core.setOutput('backport_needed', 'true');
       env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
 
     - name: Checkout a Local ${{ steps.backport_info.outputs.target_branch_name }} Branch (Destination Branch)
       if: steps.backport_check.outputs.backport_needed == 'true'

.github/workflows/codeql.yml

@@ -43,6 +43,8 @@ jobs:
   gather_packages:
     name: Gather Repo Packages
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     outputs:
       packages: ${{ steps.generate_matrix.outputs.packages }}
 
@@ -165,38 +167,44 @@ jobs:
     - name: Get Cargo Tool Details
       id: get_cargo_tool_details
       shell: python
+      env:
+        AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       run: |
         import os
         import requests
         import sys
         import time
 
-        def get_response_with_retries(url, retries=5, wait_time=10):
+        def get_response_with_retries(url, headers, retries=5, wait_time=10):
           for attempt in range(retries):
-            response = requests.get(url)
+            response = requests.get(url, headers=headers)
             if response.status_code == 200:
               return response
-            print(f"::warning title=GitHub API Access Error!::Attempt {attempt + 1} failed. Retrying in {wait_time} seconds...")
+            print(f"::warning title=GitHub API Access Error!::Attempt {attempt + 1} failed ({response.status_code}). Retrying in {wait_time} seconds...")
             time.sleep(wait_time)
           return response
 
         GITHUB_REPO = "sagiegurari/cargo-make"
         api_url = f"https://api.github.com/repos/{GITHUB_REPO}/releases/tags/0.37.24"
+        headers = {
+          "Authorization": f"Bearer {os.environ['AUTH_TOKEN']}",
+          "Accept": "application/vnd.github.v3+json"
+        }
 
-        response = get_response_with_retries(api_url)
+        response = get_response_with_retries(api_url, headers)
         if response.status_code == 200:
           build_release_id = response.json()["id"]
         else:
-          print("::error title=GitHub Release Error!::Failed to get cargo-make release ID!")
+          print(f"::error title=GitHub Release Error!::Failed to get cargo-make release ID! ({response.status_code})")
           sys.exit(1)
 
         api_url = f"https://api.github.com/repos/{GITHUB_REPO}/releases/{build_release_id}"
 
-        response = get_response_with_retries(api_url)
+        response = get_response_with_retries(api_url, headers)
         if response.status_code == 200:
           latest_cargo_make_version = response.json()["tag_name"]
         else:
-          print("::error title=GitHub Release Error!::Failed to get cargo-make!")
+          print(f"::error title=GitHub Release Error!::Failed to get cargo-make! ({response.status_code})")
           sys.exit(1)
 
         cache_key = f'cargo-make-{latest_cargo_make_version}'
@@ -207,12 +215,18 @@ jobs:
           print(f'cargo_make_version={latest_cargo_make_version}', file=fh)
 
 
-    - name: Attempt to Load cargo-make From Cache
+    # Temporarily disable caching cargo-make as it stopped working in some repos recently
+    # and need to be investigated
+    # - name: Attempt to Load cargo-make From Cache
+    #   id: cargo_make_cache
+    #   uses: actions/cache@v4
+    #   with:
+    #     path: ${{ steps.get_cargo_tool_details.outputs.cargo_bin_path }}
+    #     key: ${{ steps.get_cargo_tool_details.outputs.cargo_make_cache_key }}
+
+    - name: Force cargo-make cache miss
       id: cargo_make_cache
-      uses: actions/cache@v4
-      with:
-        path: ${{ steps.get_cargo_tool_details.outputs.cargo_bin_path }}
-        key: ${{ steps.get_cargo_tool_details.outputs.cargo_make_cache_key }}
+      run: echo "cache-hit=false" >> $GITHUB_OUTPUT
 
     - name: Download cargo-make
       if: steps.cargo_make_cache.outputs.cache-hit != 'true'

.github/workflows/issue-assignment.yml

@@ -19,8 +19,5 @@ on:
 jobs:
   apply:
 
-    permissions:
-      contents: read
-      issues: write
-
-    uses: microsoft/mu_devops/.github/workflows/IssueAssignment.yml@v15.0.2
+    uses: microsoft/mu_devops/.github/workflows/IssueAssignment.yml@v15.0.3
+    secrets: inherit

.github/workflows/label-issues.yml

@@ -21,7 +21,7 @@ on:
     types:
       - edited
       - opened
-  pull_request:
+  pull_request_target:
     types:
       - edited
       - opened
@@ -31,9 +31,5 @@ on:
 
 jobs:
   apply:
-
-    permissions:
-      contents: read
-      pull-requests: write
-
-    uses: microsoft/mu_devops/.github/workflows/Labeler.yml@v15.0.2
+    uses: microsoft/mu_devops/.github/workflows/Labeler.yml@v15.0.3
+    secrets: inherit

.github/workflows/label-sync.yml

@@ -25,7 +25,5 @@ on:
 jobs:
   sync:
 
-    permissions:
-      issues: write
-
-    uses: microsoft/mu_devops/.github/workflows/LabelSyncer.yml@v15.0.2
+    uses: microsoft/mu_devops/.github/workflows/LabelSyncer.yml@v15.0.3
+    secrets: inherit

.github/workflows/pull-request-formatting-validator.yml

@@ -13,7 +13,7 @@
 name: Validate Pull Request Formatting
 
 on:
-  pull_request:
+  pull_request_target:
     types:
       - edited
       - opened
@@ -24,11 +24,15 @@ jobs:
   validate_pr:
     runs-on: ubuntu-latest
 
-    permissions:
-      contents: read
-      pull-requests: write
-
     steps:
+      - name: Generate Token
+        id: app-token
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ vars.MU_ACCESS_APP_ID }}
+          private-key: ${{ secrets.MU_ACCESS_APP_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+
       - run: |
           prTitle="$(gh api graphql -F owner=$OWNER -F name=$REPO -F pr_number=$PR_NUMBER -f query='
             query($name: String!, $owner: String!, $pr_number: Int!) {
@@ -45,7 +49,7 @@ jobs:
           fi
 
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
           OWNER: ${{ github.repository_owner }}
           PR_NUMBER: ${{ github.event.number }}
           PR_URL: ${{ github.event.pull_request.html_url }}

.github/workflows/release-draft.yml

@@ -31,9 +31,5 @@ jobs:
   draft:
     name: Draft Releases
 
-    permissions:
-      contents: write
-      pull-requests: write
-
-    uses: microsoft/mu_devops/.github/workflows/ReleaseDrafter.yml@v15.0.2
+    uses: microsoft/mu_devops/.github/workflows/ReleaseDrafter.yml@v15.0.3
     secrets: inherit

.github/workflows/scheduled-maintenance.yml

@@ -25,17 +25,21 @@ jobs:
   repo_cleanup:
     runs-on: ubuntu-latest
 
-    permissions:
-      pull-requests: write
-      issues: write
-
     steps:
+      - name: Generate Token
+        id: app-token
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ vars.MU_ACCESS_APP_ID }}
+          private-key: ${{ secrets.MU_ACCESS_APP_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+
       - name: Get Repository Info
         run: echo "REPOSITORY_NAME=${GITHUB_REPOSITORY#*/}" >> $GITHUB_ENV
 
       - name: Prune Won't Fix Pull Requests
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
           REPOSITORY: ${{ env.REPOSITORY_NAME }}
         run: |
           gh api \
@@ -50,7 +54,7 @@ jobs:
 
       - name: Prune Won't Fix Issues
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
           REPOSITORY: ${{ env.REPOSITORY_NAME }}
         run: |
           gh api \

.github/workflows/stale.yml

@@ -25,8 +25,5 @@ on:
 jobs:
   check:
 
-    permissions:
-      issues: write
-      pull-requests: write
-
-    uses: microsoft/mu_devops/.github/workflows/Stale.yml@v15.0.2
+    uses: microsoft/mu_devops/.github/workflows/Stale.yml@v15.0.3
+    secrets: inherit