Volunteer Engagement V2 - EDM + SPA#41
Conversation
Add deployment, security, operations, and migration checklists plus a documentation improvement plan under VolunteerEngagement/docs. Simplify the top-level README and align titles, link text, and cross-references across docs. Fix incorrect Prettier/.editorconfig notes in the Portal src coding-guidelines README and remove the obsolete Power Pages 9.7.4.x prerequisite.
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
Restructure the Volunteer Engagement README to match the other solution READMEs (intro, capability bullets, Common Data Model connective paragraph, Deploy and Use sections). Remove the Contents table and overlapping headings.
Roman-Pilip
changed the title
- Add proactive guidance rule for provisioning/migration flow - Add environment selection, JS upload unblocking, site reactivation, restart, and URL lookup instructions - Fix restart script to pick newest site instance when multiple exist for the same websiteRecordId
| @@ -0,0 +1,119 @@ | |||
| # Volunteer Engagement AI instructions | |||
There was a problem hiding this comment.
This is focused only on upgrade path. We should also consider vanilla new deploy path.
There was a problem hiding this comment.
Added changes to instructions
| The SPA uses: | ||
|
|
||
| - npm, not Bun. | ||
| - Node.js `>=20.18.1 <25`. |
There was a problem hiding this comment.
Node 24 Active Support Ends in 4 months (20 Oct 2026)
I'd consider upgrade or at least not to cap the version.
There was a problem hiding this comment.
Node 24 is active LTS but we should not limit it by < 25
Added changes
- Delete stale bot-setup.md (superseded by site-agent-setup.md) - Add site-agent-setup.md with correct powerpages-site-agent:* script references - Add site agent scripts: patch-roles, customize-ve-vm, configure-advanced - Update deployment-validation.md with site agent flow - Update README and package.json with new script names
…ntrolled format string' Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
- Add new deployment section with instruction file references to README.md - Cross-reference deployment-validation.md from spa-development.md - Remove Node.js <25 upper cap from package.json and spa-development.md
| npm run sync | ||
| ``` | ||
|
|
||
| Use PAC CLI to select the target environment: |
There was a problem hiding this comment.
Maybe also state the minimal pac version to avoid potential missing features
There was a problem hiding this comment.
Added/kept PAC CLI minimum version guidance: 1.44.x or later, matching Microsoft’s SPA code-site docs
| - Do not migrate site settings by default. Classify them and require review. | ||
| - Do not copy authentication configuration, secrets, or tenant-specific values. | ||
| - Preserve least privilege for web roles, table permissions, Web API fields, and bot visibility. | ||
| - Prefer React, TypeScript, Fluent UI v9, and the existing `Portal-EDM` service patterns over legacy Liquid or Bootstrap implementation details. |
There was a problem hiding this comment.
We repeat some same info over and over on different places. Can you ask AI to consolidate information presented in instructions/docs?
There was a problem hiding this comment.
Consolidated duplicated AI guidance. Removed stale nested AI guidance and merged useful coding/project rules into the root AI guidance. Removed the obsolete documentation improvement plan.
| @@ -0,0 +1,58 @@ | |||
| # Volunteer Engagement Documentation Improvement Plan | |||
|
|
|||
| Keep the Volunteer Engagement documentation simple, task-focused, and easy to maintain. The documentation should help a reader choose the right path, complete the setup, validate the site, and find official Microsoft guidance when they need more detail. | |||
There was a problem hiding this comment.
This sounds like an AI instructions, not the actual docs
| @@ -0,0 +1,65 @@ | |||
| # Volunteer Engagement Operational Notes | |||
There was a problem hiding this comment.
Another separate docs. Can we consolidate them?
There was a problem hiding this comment.
Removed the plan-like docs artifact and kept human docs task-focused: deployment, migration, security, and operations. AI-specific behavior remains in AI instruction files.
There was a problem hiding this comment.
High generate-snippets.ps1:37 advertises non-English snippet generation through -Language, but snippet IDs are generated only from the localization key at generate-snippets.ps1:149-170. That means MSVE_SPA/Common/Save gets the same deterministic GUID for en-US, fr-FR, de-DE, and every other language. I verified the current en-US snippet ID for MSVE_SPA/Common/Save is exactly the GUID produced from the key-only seed. Creating a non-English variant through this script can therefore collide with the English Content Snippet primary key during upload, or overwrite/update the wrong record. Include the language in the GUID seed for non-English snippets while preserving existing en-US IDs.
There was a problem hiding this comment.
Fixed. English snippets preserve their existing deterministic IDs. Non-English snippets now include the language code in the deterministic GUID seed, avoiding collisions across languages.
There was a problem hiding this comment.
Localized snippet ID generation should include the language code in the deterministic ID input. Using only the snippet key can cause ID collisions between default-language and localized snippets.
There was a problem hiding this comment.
Fixed. Localized snippet ID generation now includes the language code in the deterministic ID seed for non-default languages, so localized snippets no longer collide with the default-language snippet IDs.
There was a problem hiding this comment.
The script output should include enough context to diagnose multi-site issues, such as the selected website ID, selected language record ID, language code, and number of pages/snippets created or updated for that website.
There was a problem hiding this comment.
Fixed. The localization script now prints the target context it resolved and the work it performed, so multi-site/language issues are easier to diagnose.
There was a problem hiding this comment.
We shouldn't include those hardcoded (our) GUIDs
There was a problem hiding this comment.
Some GUIDs are required Power Pages metadata IDs, so they cannot all be removed from .powerpages-site
There was a problem hiding this comment.
Localization workflow does not validate runtime bootstrap, only metadata presence
The validation flow can report snippet coverage while the actual portal runtime still cannot use those snippets. In the test, the cs-CZ snippets existed, but the page did not contain #ve-bootstrap-data, so the SPA loaded html lang="cs-CZ" but still initialized as __VE_LOCALE = "en-US". The check should include a runtime/template validation step, or at least verify that the active page template emits the bootstrap element expected by portalBootstrap.ts.
There was a problem hiding this comment.
Runtime bootstrap validation: added to check-strings.ps1 and documented.
There was a problem hiding this comment.
The documented localization path does not account for synced Enhanced sites using generic templates
After syncing the Enhanced site, the local metadata reflected the actual runtime shape: a generic Default studio template with the SPA HTML in page copy. The localization scripts cloned snippets and content pages, but did not detect that the runtime template was missing the VE bootstrap required by the SPA. The instructions should call out this post-sync verification explicitly, because a successful sync/add-language/deploy/restart sequence is not enough to prove the portal will render localized UI.
There was a problem hiding this comment.
The Power Pages template renders the SPA shell twice.
MSVE_Home.webtemplate.source.html:35-37 already injects
There was a problem hiding this comment.
Fixed
Good catch
|
There was a problem hiding this comment.
The post-deploy scripts currently depend on Get-AzAccessToken, which ties them to the caller’s global Az PowerShell context. That makes the deploy fragile when PAC is authenticated to one environment but Az PowerShell is logged into a different tenant/account.
A simpler and more portable fix would be to use Azure CLI for Dataverse tokens instead, with an optional override for custom CLI wrappers.
Then normal users can rely on their default az login, while test/CI environments can set AZ_CLI to an isolated wrapper without changing global Az PowerShell state.
There was a problem hiding this comment.
Done. Get-DataverseAccessToken now prefers Azure CLI (az account get-access-token) so the token follows the same account used for deploy, with an AZ_CLI env override for isolated CI wrappers, and falls back to Az PowerShell when CLI isn't present. Also consolidated the three duplicated fallback helpers so all deploy/permissions/site-agent scripts use the single shared function. Verified it returns a valid token via the CLI path and falls back correctly when AZ_CLI is invalid.
There was a problem hiding this comment.
npm run deploy rewrites generated assets under [.powerpages-site/web-files] and also normalizes [Home.webpage.copy.html]. These files are currently tracked, so a fresh deploy leaves the working tree dirty even when the user did not make source changes.
Can we avoid tracking generated Vite/PAC output here, or adjust the deploy flow so it does not mutate tracked metadata? If these files are meant to be generated from dist, adding .gitignore alone will not be enough because they are already tracked; they would need to be removed from the index as well.
There was a problem hiding this comment.
Fixed. Untracked the generated Vite bundle web-files index.html, index.css, index.js, vendor-*.js and added them to .gitignore. Authored stock assets (favicon, theme, profile, etc.) stay tracked. Root cause is pac rewriting an environment-specific annotationid into each .webfile.yml on every upload — the bundle churn is now gone. If you want zero churn on the remaining authored .webfile.yml too, I can add a .gitattributes clean filter that strips annotationid on checkin — say the word.
|
|
||
| For a fresh deployment, run `npm run deploy` after the target environment and prerequisites are ready. The command builds the SPA and uploads the code site by using `powerpages.config.json`. | ||
|
|
||
| After the initial deployment, the site can appear in Power Pages under **Inactive sites** and does not have an assigned, usable URL until it is reactivated. In [Power Pages](https://make.powerpages.microsoft.com/), open the target environment, select **Inactive sites**, select the Volunteer Engagement site, and then select **Reactivate**. Do not run `npm run site:restart`, rely on PAC/API portal URLs, or start browser validation until reactivation is complete. For more information, see [Reactivate sites](https://learn.microsoft.com/en-us/power-pages/admin/reactivate-website). |
There was a problem hiding this comment.
Fresh pac pages upload-code-site creates the Dataverse website metadata, but it does not create/activate the running Power Pages host URL. After upload, the site exists as an inactive code site, so the Power Platform websites API can still return an empty list until the host is provisioned/reactivated.
The README mentions the manual Power Pages UI reactivation step, but for automated/test deployments we should document or script the Admin API equivalent:
POST https://api.powerplatform.com/powerpages/environments/{environmentId}/websites?api-version=2024-10-01
with the existing Dataverse websiteRecordId in the request body. That completes the second phase by creating the actual Power Pages host.
There was a problem hiding this comment.
Looked into scripting this. Reactivation is intentionally a manual maker step: it's where the web address/subdomain is chosen, and there's no supported public API for it — the official create-code-sites and reactivate-website docs only describe the UI flow. The internal api.powerplatform.com/.../websites POST isn't documented for code sites, and in testing it created duplicate host instances for the same websiteRecordId. So we're keeping reactivation manual and documented rather than scripting a POST that risks duplicate hosts.
… web-files Get-DataverseAccessToken now prefers az CLI with an AZ_CLI override and Az PowerShell fallback, and the duplicated fallback helpers in the site-agent and permission scripts were consolidated to use it. Untrack the generated Vite bundle web-files (index.*, vendor-*) and gitignore them; npm run deploy recreates them from dist.
Add a Localization section to Portal-EDM README documenting the scripts/localization helpers, trim redundant deploy wording, and align the deployment checklist with the localized-site string check.
4 participants
No description provided.