{CI} Fix merge-base diff in linter, style, and scan jobs

[naga-nandyala]

---

Problem

CI jobs (linter, style, scan) use git diff origin/main to find modified files in a PR, but without computing merge-base. In a shallow ADO checkout, this causes the diff to include files from other merged PRs, not just the current PR's changes. This leads to false positives — linter/style/scan running against code the PR author never touched.

Reported in #9714.

Root Causes

1. Unset env var — System.PullRequest.TargetBranch is None outside PR context → TypeError
2. Unexpanded ADO variable — literal $(System.PullRequest.TargetBranch) string → fatal: bad revision
3. No branch normalization — ADO passes refs/heads/main → origin/refs/heads/main is invalid
4. No merge-base — git diff origin/main picks up all commits between HEAD and tip of main, including other merged PRs
5. Scan-specific bugs — declare -A misused as integer counter (exit 1 unreachable), unquoted variables, backtick word-splitting

Fix

• scripts/ci/util.py: Added shared find_modified_files_against_master_branch() with:
  • Guard for unset/unexpanded System.PullRequest.TargetBranch
  • Branch name normalization (strips refs/heads/, origin/ prefixes)
  • git fetch --deepen=50 (safe incremental history, unlike --depth=1 which re-shallows)
  • git merge-base HEAD origin/<branch> for accurate PR diff
  • --diff-filter=ACMRT scoped to src/
• scripts/ci/azdev_linter_style.py: Removed local copy of the function, imports from util
• scripts/ci/azdev_scan.py: New file replacing inline bash scan logic with Python, reusing shared util function
• azure-pipelines.yml: Scan jobs now call python scripts/ci/azdev_scan.py consistently with linter/style

Testing

Locally proved on a 1-file test PR branch:

• Buggy diff (git diff origin/main): 6 files (1 ours + 5 from other PRs)
• Fixed diff (git merge-base + diff): 1 file (only our change)

Fixes #9714

Related command

CI pipeline scripts only — no extension commands affected.

General Guidelines

• Have you run azdev style locally? (pip install azdev required)
• Have you run python scripts/ci/test_index.py -q locally? (pip install wheel==0.30.0 required)
• My extension version conforms to the Extension version schema

For new extensions:

• My extension description/summary conforms to the Extension Summary Guidelines.

About Extension Publish

There is a pipeline to automatically build, upload and publish extension wheels.
Once your pull request is merged into main branch, a new pull request will be created to update src/index.json automatically.
You only need to update the version information in file setup.py and historical information in file HISTORY.rst in your PR but do not modify src/index.json.

[azure-client-tools-bot-prd]

️✔️Azure CLI Extensions Breaking Change Test

️✔️Non Breaking Changes

[azure-client-tools-bot-prd]

Hi @naga-nandyala,
Please write the description of changes which can be perceived by customers into HISTORY.rst.
If you want to release a new extension version, please update the version in setup.py as well.

[yonzhan]

Thank you for your contribution! We will review the pull request and get back to you soon.

[github-actions]

The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR.

Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions).
After that please run the following commands to enable git hooks:

pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>

[github-actions]

• For more info about extension versioning, please refer to Extension version schema

[Copilot]

Pull request overview

Updates PR-only CI (linter/style/scan) to compute modified files using a proper merge-base diff against the PR target branch, avoiding false positives from unrelated commits in shallow Azure DevOps checkouts.

Changes:

• Added a shared find_modified_files_against_master_branch() helper in scripts/ci/util.py that fetches target branch history and diffs against git merge-base.
• Updated azdev_linter_style.py to reuse the shared helper instead of maintaining a local copy.
• Replaced inline bash-based scan logic with a Python scripts/ci/azdev_scan.py, and updated pipeline scan jobs to call it.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.

File	Description
scripts/ci/util.py	Introduces shared merge-base-based modified-file detection for PR jobs.
scripts/ci/azdev_scan.py	New Python wrapper to run azdev scan on PR-modified files using the shared util helper.
scripts/ci/azdev_linter_style.py	Removes duplicated diff logic and imports shared util helper.
azure-pipelines.yml	Switches scan jobs from bash inline diff/scan to the new Python scan script and passes required env.

[github-actions]

CodeGen Tools Feedback Collection

Thank you for using our CodeGen tool. We value your feedback, and we would like to know how we can improve our product. Please take a few minutes to fill our codegen survey

[Copilot]

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.