Wire Azure authorization request to init command

[kin0992]

After workspace initialization, the init command now automatically requests Azure authorization for each newly initialized cloud account by creating a PR on eng-azure-authorization to add the bootstrap identity to directory readers.

This wires the requestAuthorization use case (introduced in #1256) into the init flow.

Closes CES-1522

[changeset-bot]

🦋 Changeset detected

Latest commit: 24d8941

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
@pagopa/dx-cli	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[Copilot]

Pull request overview

This PR wires the Azure authorization request flow into the dx init command so that, after initializing a workspace/environment, the CLI also opens PR(s) on eng-azure-authorization to add the bootstrap identity to directory readers for newly initialized cloud accounts.

Changes:

• runDeploymentEnvironmentGenerator now validates prompt answers with the generator schema and returns the parsed environment payload for downstream use.
• init command now calls authorizeCloudAccounts after environment initialization and GitHub repository setup, and prints authorization PR URLs in the summary (when available).
• Adds unit tests for authorizeCloudAccounts and a changeset for the CLI patch release.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.

File	Description
apps/cli/src/adapters/plop/index.ts	Returns the parsed environment payload from the environment generator so init can use initialization metadata.
apps/cli/src/adapters/commander/commands/init.ts	Introduces authorizeCloudAccounts, injects authorizationService, and integrates authorization PR creation into the init flow + summary output.
apps/cli/src/adapters/commander/commands/tests/init.test.ts	Adds unit tests covering the new authorizeCloudAccounts behavior.
.changeset/smart-planes-cheer.md	Declares a patch changeset for the CLI release.

Comments suppressed due to low confidence (1)

apps/cli/src/adapters/commander/commands/init.ts:103

• displaySummary only prints Azure authorization PR URLs inside the if (pr) branch. Since createPullRequest is explicitly allowed to fail (it returns undefined via .orElse(() => okAsync(undefined))), this can hide successfully-created authorization PRs from the user when the main repo PR couldn’t be created. Consider rendering authorizationPrs whenever authorizationPrs.length > 0, independently of whether pr exists (and adjust the messaging accordingly).

  if (pr) {
    let step = 1;
    console.log(chalk.green.bold("\nNext Steps:"));
    console.log(
      `${step++}. Review the Pull Request in the GitHub repository: ${chalk.underline(pr.url)}`,
    );

    if (authorizationPrs.length > 0) {
      console.log(`${step++}. Review the Azure authorization Pull Request(s):`);
      for (const authPr of authorizationPrs) {
        console.log(`   - ${chalk.underline(authPr.url)}`);
      }
    }

    console.log(
      `${step}. Visit ${chalk.underline("https://dx.pagopa.it/getting-started")} to deploy your first project\n`,
    );
  } else {
    console.log(
      chalk.yellow(`\n⚠️ There was an error during Pull Request creation.`),
    );
    console.log(
      `Please, manually create a Pull Request in the GitHub repository to review the scaffolded code.\n`,
    );
  }

[Copilot]

subscriptionName is derived from account.displayName, but Azure subscription display names can contain spaces and other characters. This will often fail requestAuthorizationInputSchema (only allows letters/numbers/hyphens) and silently skip authorization. Since the authorization adapter uses subscriptionName as a path/branch segment, consider normalizing the display name into the expected repo folder slug (e.g., lowercased, whitespace to -, strip unsupported chars) or using a dedicated field that already matches the eng-azure-authorization directory naming.

[Copilot]

authorizeCloudAccounts converts any unexpected exception thrown by requestAll() into an ok([]) (via fromPromise(..., () => []) + .orElse(() => okAsync([]))), and the error is not logged. This makes genuine failures (e.g. network/auth issues) invisible to users and hard to troubleshoot. Consider logging the caught exception (and/or returning an Err), or at least mapping the error to something meaningful instead of an empty array literal.

Suggested change

	return ResultAsync.fromPromise(requestAll(), () => []).orElse(() =>
	okAsync([]),
	);
	return ResultAsync.fromPromise(
	requestAll(),
	(error: unknown) =>
	error instanceof Error ? error : new Error(String(error)),
	).orElse((error) => {
	logger.error("Failed to authorize cloud accounts", { error });
	return okAsync([]);
	});

[Copilot]

The docstring says this authorizes "Azure Subscription, AWS Account, ..." but the current CloudAccount model only supports csp: "azure" and the implementation only handles Azure locations. Consider narrowing the comment to Azure to avoid misleading readers, or expanding the implementation/types if multi-cloud is intended.

Suggested change

	* Authorize a Cloud Account (Azure Subscription, AWS Account, ...), creating a Pull Request for each account that requires authorization.
	* Authorize Azure subscriptions, creating a Pull Request for each subscription that requires authorization.

[Copilot]

The test data uses csp: "azure" as const repeatedly. This type assertion is unnecessary here (TS will infer the literal type in a const object) and reduces the test’s type-safety signal. Prefer removing the assertion or using satisfies with the appropriate CloudAccount type to keep tests strongly typed without assertions.