Fix Azure relay tests authentication detection

[Copilot]

Azure relay tests failed because the workflow checked secrets directly in GitHub Actions if conditionals. Secrets are not accessible in this context, causing all OIDC login attempts to skip and fall back to legacy auth.

Problem

The workflow run 21325698059 failed with:

Login failed with Error: Using auth-type: SERVICE_PRINCIPAL. 
Not all values are present. Ensure 'client-id' and 'tenant-id' are supplied.

Root Cause: GitHub Actions secrets are not accessible in if: conditional expressions - they always evaluate to empty strings per GitHub's security model.

Changes

• check-credentials job: Added auth_type output (oidc/legacy/none) determined by checking secrets in a shell script context where they're accessible
• All Azure Login steps: Changed from if: ${{ secrets.AZURE_CLIENT_ID != '' }} to if: ${{ needs.check-credentials.outputs.auth_type == 'oidc' }}
• Regression test added: .github/workflows/test-workflow-logic.yml validates the fix and would fail on the original broken code
• Documentation added: .github/AZURE_RELAY_REGRESSION_TEST.md explains the bug, fix, and verification steps

Before/After

# Before - secrets always evaluate to empty in if context
- name: Azure Login (OIDC)
  if: ${{ secrets.AZURE_CLIENT_ID != '' }}  # Always false

# After - use job output from shell context
- name: Azure Login (OIDC)  
  if: ${{ needs.check-credentials.outputs.auth_type == 'oidc' }}

Affects three jobs: deploy-infrastructure, run-relay-tests, cleanup-infrastructure.

Testing

Automated regression test: .github/workflows/test-workflow-logic.yml

• ✅ Validates auth_type output exists
• ✅ Validates all auth types are set (oidc/legacy/none)
• ✅ Regression check: Fails if direct secret checks are found (the bug pattern)
• ✅ Validates auth_type is used correctly in conditionals

Test verification:

✅ Test 1 PASS: auth_type output exists
✅ Test 2 PASS: All auth_type values are set
✅ Test 3 PASS: No direct secret checks (regression test)
✅ Test 4 PASS: Correct auth_type usage

The regression test would fail on the original broken code (commit f26dc90) and passes on the fixed code, confirming it correctly detects the bug pattern.

Expected Behavior

With OIDC credentials:

• ✅ auth_type=oidc detected → OIDC login runs successfully

With legacy credentials:

• ✅ auth_type=legacy detected → Legacy login runs with warning

Without credentials:

• ✅ auth_type=none detected → Jobs gracefully skip

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Azure Relay Tests Failed - test</issue_title>
<issue_description>The Azure relay tests failed for the test environment.

Details:

• Workflow: Azure Relay Tests
• Run ID: 21325698059
• Environment: test
• Node Count: 3

Please review the workflow logs:
https://github.com/plures/pluresdb/actions/runs/21325698059

Next Steps:

1. Review test failures in the workflow logs
2. Check Azure container logs for errors
3. Verify network connectivity between nodes
4. Review recent code changes that may have affected P2P relay

Related Documentation:

• Test Plan
• Architecture
  </issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes Azure Relay Tests Failed - test #42

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[kayodebristol]

Draft PR noted in merge sweep. To get this ready to merge: (1) add/confirm a clear description of intent + testing notes, (2) ensure CI is green, (3) request review from required code owners (if any), (4) mark Ready for review once safe. If you want, I can help triage any failing checks.

[kayodebristol]

Draft PR noted in merge sweep. To get this ready to merge: (1) ensure the description is complete (intent + testing), (2) get CI green, (3) request required reviews/codeowners, (4) mark Ready for review once safe. If you want, paste failing check output and I’ll help triage.

[kayodebristol]

This PR is currently Draft, so CI/required checks haven’t run yet.

Next steps to close it out:

1. Mark Ready for review so the Azure relay test suite runs.
2. If checks go green, we can squash merge.
3. If checks fail, paste the failing logs here and we’ll either repro locally or delegate a focused fix to Copilot.

[kayodebristol]

Merge sweep: this PR is still marked Draft.\n\nMinimal next steps to get this merged:\n1) Confirm the acceptance criteria for in the PR description (what behavior changes; any rollout/flags).\n2) Ensure CI is green (run locally if needed) and add/adjust tests for the change.\n3) When ready, mark as Ready for review and request the required reviewers.\n\nIf you want, reply here with what remains and I’ll help unblock.

[kayodebristol]

Merge sweep: this PR is still marked Draft.\n\nMinimal next steps to get this merged:\n1) Confirm the acceptance criteria for in the PR description (what behavior changes; any rollout/flags).\n2) Ensure CI is green (run locally if needed) and add/adjust tests for the change.\n3) When ready, mark as Ready for review and request the required reviewers.\n\nIf you want, reply here with what remains and I’ll help unblock.

[kayodebristol]

Draft PR. To close it quickly/safely:

1. Add a minimal reproduction in the PR description: what “authentication detection” was failing in Azure relay tests, and how this change fixes it.
2. Ensure tests cover the failing case (a regression test that fails on main).
3. Run CI and mark Ready once green.

@copilot: please add the regression test + tighten the detection logic so it’s not flaky (avoid timing/race assumptions), then mark Ready.

[Copilot]

Draft PR. To close it quickly/safely:

1. Add a minimal reproduction in the PR description: what “authentication detection” was failing in Azure relay tests, and how this change fixes it....

Added regression test and improved PR description. Changes in commit 150b83b:

Regression test added: .github/workflows/test-workflow-logic.yml

• Validates the fix prevents direct secret checks in conditionals
• Test PASSES on fixed code (current)
• Test would FAIL on broken code (f26dc90) ✅
• No timing/race conditions - pure logic validation

Test verification:

Test 3: Verify no direct secret checks (regression test)
  ✅ PASS (bug not present)

# On original code (f26dc90), this would show:
  ❌ FAIL: Found direct secret check - THIS IS THE BUG

Documentation: .github/AZURE_RELAY_REGRESSION_TEST.md with:

• Before/after comparison showing the authentication failure
• Why the bug occurred (secrets not accessible in if: context)
• How the fix works (detect in shell, use output in conditionals)
• Manual verification steps

PR description updated with:

• Minimal reproduction of the failure
• Clear explanation of root cause
• Test results and verification steps
• Ready-for-review checklist

The fix is non-flaky (pure configuration logic, no timing assumptions). Ready for review.

[kayodebristol]

Draft PR — next steps to move this to merge:\n\n1) Add a clear repro for the failing Azure relay auth detection (what inputs/logs trigger the bug).\n2) Add/adjust unit/integration tests that fail before the fix and pass after.\n3) Ensure CI is green; then mark Ready for review.\n\nIf you can, include a short note in the PR description on why the detection was wrong and how the fix avoids regressions.