feat(github-workspace): add GitHub Actions workspace kind with git-backed state persistence

[sylvainsf]

Description

Adds a new "github" workspace kind to Radius for use in GitHub Actions workflows. When this kind is active, Radius manages a k3d cluster for the duration of the workflow, persists database state between runs via a git orphan branch, and guards against concurrent or interrupted deploys with a deploy lock.

How it works

1. rad init --kind github — creates a k3d cluster, installs Radius with PostgreSQL as the state backend (database.enabled=true), checks the state orphan branch for prior backup state and restores it if the previous run shut down cleanly.
2. rad deploy — acquires a .deploy-lock on the radius-state orphan branch before deploying. A later retry of the same workflow run (higher GITHUB_RUN_ATTEMPT) automatically takes over a stale lock so the job can continue. A lock held by a completely different run returns an error immediately.
3. rad shutdown [--cleanup] — backs up PostgreSQL to the state worktree (via kubectl exec pg_dump), commits and pushes to radius-state, writes .backup-ok, and optionally deletes the k3d cluster.

State isolation — git worktree

State files (SQL dumps, .lock, .backup-ok, .deploy-lock) live only in the orphan branch, checked out into an OS temp directory via git worktree add. They are never written to the application working tree and never appear in git status on main.

Semaphore / spot-instance safety

.lock	.backup-ok	State	rad init behaviour
absent	absent	First run	start fresh
absent	present	Clean shutdown	restore from backup
present	—	Interrupted (spot eviction)	skip restore, log warning

Deploy lock (idempotent retry)

.deploy-lock present	Same RunID, lower RunAttempt	Same RunID, same RunAttempt	Different RunID
No	—	—	Lock acquired
Yes	Take over stale lock (retry)	ErrDeployLockHeld	ErrDeployLockHeld

Helm PostgreSQL fixes (pre-existing gaps)

• RP configmaps were hardcoded to provider: apiserver — now conditional on database.enabled.
• No init-db scripts were ever run — now mounted via /docker-entrypoint-initdb.d/.
• POSTGRES_DB secret value was the literal string "POSTGRES_DB" — fixed to "radius".

New packages

Package	Purpose
pkg/cli/k3d	k3d cluster lifecycle management via os/exec
pkg/cli/pgbackup	PostgreSQL backup/restore via kubectl exec pg_dump/psql
pkg/cli/gitstate	Orphan branch state via git worktree; semaphore + deploy lock

New commands

• rad init --kind github
• rad deploy (extended: acquires deploy lock for GitHub workspaces)
• rad shutdown [--cleanup]

New workflow

• .github/workflows/functional-test-github-workspace.yaml — end-to-end integration test exercising the full init → deploy → shutdown → restore lifecycle on a GitHub Actions runner.

Outstanding TODOs (tracked in code)

• rad resource type sync after restore (command does not yet exist)

Type of change

• This pull request adds or changes features of Radius and has an approved issue (issue link required).

Contributor checklist

Please verify that the PR meets the following requirements, where applicable:

• An overview of proposed schema changes is included in a linked GitHub issue.
  • Yes
  • Not applicable
• A design document PR is created in the design-notes repository, if new APIs are being introduced.
  • Yes
  • Not applicable
• The design document has been reviewed and approved by Radius maintainers/approvers.
  • Yes
  • Not applicable
• A PR for the samples repository is created, if existing samples are affected by the changes in this PR.
  • Yes
  • Not applicable
• A PR for the documentation repository is created, if the changes in this PR affect the documentation or any user facing updates are made.
  • Yes
  • Not applicable
• A PR for the recipes repository is created, if existing recipes are affected by the changes in this PR.
  • Yes
  • Not applicable

[github-actions]

Unit Tests

    2 files  ± 0    421 suites  +5   6m 43s ⏱️ -8s
4 946 tests +68  4 944 ✅ +68  2 💤 ±0  0 ❌ ±0 
5 888 runs  +95  5 886 ✅ +95  2 💤 ±0  0 ❌ ±0 

Results for commit 6077359. ± Comparison against base commit 1ad24df.

♻️ This comment has been updated with latest results.

[sk593]

the functional test workflow skips dev recipes but this sets them to true always. might have missed it but does this get overwritten?

[sylvainsf]

This would be used in the new workflow that is the end to end test for repo radius. I imagine we will extend that workflow with other end to end tests rather than shoehorn them into the existing functional tests.

[sylvainsf]

Correct — the functional-test-github-workspace.yaml workflow is a separate end-to-end test specific to the GitHub workspace lifecycle, not the existing functional test suite. Dev recipes are intentional here because the workflow tests a real Radius install with actual recipe execution. The flag difference is by design.

[radius-functional-tests]

Radius functional test overview

🔍 Go to test action run

Click here to see the test run details

Name	Value
Repository	radius-project/radius
Commit ref	ae3a26e
Unique ID	func74449e3c83
Image tag	pr-func74449e3c83

• gotestsum 1.13.0
• KinD: v0.29.0
• Dapr: 1.14.4
• Azure KeyVault CSI driver: 1.4.2
• Azure Workload identity webhook: 1.3.0
• Bicep recipe location ghcr.io/radius-project/dev/test/testrecipes/test-bicep-recipes/<name>:pr-func74449e3c83
• Terraform recipe location http://tf-module-server.radius-test-tf-module-server.svc.cluster.local/<name>.zip (in cluster)
• applications-rp test image location: ghcr.io/radius-project/dev/applications-rp:pr-func74449e3c83
• dynamic-rp test image location: ghcr.io/radius-project/dev/dynamic-rp:pr-func74449e3c83
• controller test image location: ghcr.io/radius-project/dev/controller:pr-func74449e3c83
• ucp test image location: ghcr.io/radius-project/dev/ucpd:pr-func74449e3c83
• deployment-engine test image location: ghcr.io/radius-project/deployment-engine:latest

Test Status

⌛ Building Radius and pushing container images for functional tests...
✅ Container images build succeeded
⌛ Publishing Bicep Recipes for functional tests...
✅ Recipe publishing succeeded
⌛ Starting ucp-cloud functional tests...
⌛ Starting corerp-cloud functional tests...
✅ ucp-cloud functional tests succeeded
✅ corerp-cloud functional tests succeeded

[codecov]

Codecov Report

❌ Patch coverage is 49.41634% with 260 lines in your changes missing coverage. Please review.
✅ Project coverage is 51.06%. Comparing base (1ad24df) to head (6077359).
⚠️ Report is 17 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/cli/pgbackup/pgbackup.go	6.00%	94 Missing ⚠️
pkg/cli/k3d/k3d.go	3.84%	50 Missing ⚠️
pkg/cli/cmd/radinit/github.go	37.09%	39 Missing ⚠️
pkg/cli/cmd/deploy/deploy.go	33.33%	16 Missing ⚠️
pkg/cli/workspaces/connection.go	40.00%	11 Missing and 4 partials ⚠️
pkg/cli/cmd/radinit/init.go	17.64%	10 Missing and 4 partials ⚠️
pkg/cli/cmd/shutdown/shutdown.go	82.19%	10 Missing and 3 partials ⚠️
pkg/cli/cmd/radinit/pgbackup_client.go	25.00%	6 Missing ⚠️
pkg/cli/gitstate/gitstate.go	95.58%	3 Missing and 3 partials ⚠️
...kg/components/database/databaseprovider/factory.go	0.00%	5 Missing ⚠️
... and 1 more

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #11457      +/-   ##
==========================================
- Coverage   51.07%   51.06%   -0.01%     
==========================================
  Files         699      706       +7     
  Lines       44316    44821     +505     
==========================================
+ Hits        22634    22890     +256     
- Misses      19517    19743     +226     
- Partials     2165     2188      +23     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.