Azure-Samples
diff --git a/‎.github/workflows/build-docker-images.yml‎
Lines changed: 5 additions & 1 deletion b/‎.github/workflows/build-docker-images.yml‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎.github/workflows/build-docker.yml‎
Lines changed: 12 additions & 22 deletions b/‎.github/workflows/build-docker.yml‎
Lines changed: 12 additions & 22 deletions
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 33 additions & 25 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 33 additions & 25 deletions
diff --git a/‎.github/workflows/deploy-orchestrator.yml‎
Lines changed: 18 additions & 18 deletions b/‎.github/workflows/deploy-orchestrator.yml‎
Lines changed: 18 additions & 18 deletions
diff --git a/‎.github/workflows/deploy-v2.yml‎
Lines changed: 12 additions & 7 deletions b/‎.github/workflows/deploy-v2.yml‎
Lines changed: 12 additions & 7 deletions
@@ -19,6 +19,11 @@ on:
   merge_group:
   workflow_dispatch:
 
+permissions:
+  id-token: write
+  contents: read
+  packages: write
+
 jobs:
   check-changes:
     runs-on: ubuntu-latest
@@ -63,7 +68,6 @@ jobs:
     uses: ./.github/workflows/build-docker.yml
     with:
       new_registry: 'cwydcontainerreg.azurecr.io'
-      new_username: 'cwydcontainerreg'
       app_name: ${{ matrix.app_name }}
       dockerfile: ${{ matrix.dockerfile }}
       push: ${{ github.ref_name == 'main' || github.ref_name == 'dev' || github.ref_name == 'demo'|| github.ref_name == 'dependabotchanges' }}
 
@@ -6,9 +6,6 @@ on:
       new_registry:
         required: true
         type: string
-      new_username:
-        required: true
-        type: string
       app_name:
         required: true
         type: string
@@ -18,35 +15,28 @@ on:
       push:
         required: true
         type: boolean
-    secrets:
-      DOCKER_PASSWORD:
-        required: false
-      DEV_DOCKER_PASSWORD:
-        required: false
 
 jobs:
   docker-build:
     runs-on: ubuntu-latest
+    environment: production
     steps:
     - name: Checkout
       uses: actions/checkout@v6
 
-    - name: Docker Login to cwydcontainerreg (Main)
-      if: ${{ inputs.push == true && github.ref_name == 'main' }}
-      uses: docker/login-action@v3
+    - name: Login to Azure via OIDC
+      if: ${{ inputs.push == true }}
+      uses: azure/login@v2
       with:
-        registry: ${{ inputs.new_registry }}
-        username: ${{ inputs.new_username }}
-        password: ${{ secrets.DEV_DOCKER_PASSWORD }}
+        client-id: ${{ secrets.AZURE_CLIENT_ID }}
+        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
-    # Login for 'dev' and 'demo' branches to cwydcontainerreg only
-    - name: Docker Login to cwydcontainerreg (Dev/Demo)
-      if: ${{ inputs.push == true && (github.ref_name == 'dev' || github.ref_name == 'demo' || github.ref_name == 'dependabotchanges') }}
-      uses: docker/login-action@v3
-      with:
-        registry: ${{ inputs.new_registry }}
-        username: ${{ inputs.new_username }}
-        password: ${{ secrets.DEV_DOCKER_PASSWORD }}
+    - name: Login to ACR
+      if: ${{ inputs.push == true }}
+      run: |
+        REGISTRY_NAME=$(echo "${{ inputs.new_registry }}" | sed 's/.azurecr.io//')
+        az acr login --name "$REGISTRY_NAME"
 
     - name: Set up Docker Buildx
       uses: docker/setup-buildx-action@v3
 
@@ -11,6 +11,7 @@ on:
   workflow_dispatch:
 
 permissions:
+  id-token: write
   contents: read
   packages: write
 
@@ -49,11 +50,11 @@ jobs:
     needs: check-changes
     if: needs.check-changes.outputs.should_deploy == 'true' || github.event_name == 'workflow_dispatch' || github.event_name == 'schedule'
     runs-on: ubuntu-latest
+    environment: production
     env:
       AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
       AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
       AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-      AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
       PRINCIPAL_ID: ${{ secrets.PRINCIPAL_ID }}
       PRINCIPAL_NAME: ${{ secrets.PRINCIPAL_NAME }}
       PRINCIPAL_TYPE: 'ServicePrincipal'
@@ -73,12 +74,16 @@ jobs:
       - name: Install azd
         uses: Azure/setup-azd@v2
 
+      - name: Login to Azure
+        uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
       - name: Run Quota Check
         id: quota-check
         run: |
-          export AZURE_CLIENT_ID=${{ secrets.AZURE_CLIENT_ID }}
-          export AZURE_TENANT_ID=${{ secrets.AZURE_TENANT_ID }}
-          export AZURE_CLIENT_SECRET=${{ secrets.AZURE_CLIENT_SECRET }}
           export AZURE_SUBSCRIPTION_ID="${{ secrets.AZURE_SUBSCRIPTION_ID }}"
           export GPT_MIN_CAPACITY="150"
           export TEXT_EMBEDDING_MIN_CAPACITY="30"
@@ -191,8 +196,9 @@ jobs:
                             runCmd: |
                               export optional_args="./code/tests"
 
-                              # Azure login first
-                              az login --service-principal -u $AZURE_CLIENT_ID -p $AZURE_CLIENT_SECRET --tenant $AZURE_TENANT_ID
+                              # Azure login via OIDC federated token
+                              OIDC_TOKEN=$(curl -s -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=api://AzureADTokenExchange" | jq -r '.value')
+                              az login --service-principal -u "$AZURE_CLIENT_ID" --tenant "$AZURE_TENANT_ID" --federated-token "$OIDC_TOKEN"
                               az account set --subscription $AZURE_SUBSCRIPTION_ID
 
                               # Capture deployment output to a log file
@@ -214,9 +220,10 @@ jobs:
                               echo "Frontend URL from logs: $(cat log_web_url.txt)"
                             env: |
                               AZURE_CLIENT_ID
-                              AZURE_CLIENT_SECRET
                               AZURE_TENANT_ID
                               AZURE_SUBSCRIPTION_ID
+                              ACTIONS_ID_TOKEN_REQUEST_URL
+                              ACTIONS_ID_TOKEN_REQUEST_TOKEN
                               AZURE_ENV_NAME
                               AZURE_LOCATION
                               AZURE_RESOURCE_GROUP
@@ -308,10 +315,6 @@ jobs:
         env:
                 FRONTEND_WEBSITE_URL: ${{ env.FRONTEND_WEBSITE_URL }}
                 ADMIN_WEBSITE_URL: ${{ env.ADMIN_WEBSITE_URL }}
-                AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
-                AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
-                AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
-                AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
       - name: Export PostgreSQL Host Endpoint from Makefile
         run: |
@@ -348,19 +351,23 @@ jobs:
           python - <<EOF
           import os
           import psycopg2
-          from azure.identity import ClientSecretCredential
+          from azure.identity import DefaultAzureCredential
 
-          tenant_id = os.environ["AZURE_TENANT_ID"]
-          client_id = os.environ["AZURE_CLIENT_ID"]
-          client_secret = os.environ["AZURE_CLIENT_SECRET"]
           pg_host = os.environ.get("PG_HOST_DESTINATION", "localhost")
 
-          # Acquire Azure AD access token for PostgreSQL
-          credential = ClientSecretCredential(tenant_id, client_id, client_secret)
+          # Acquire Azure AD access token for PostgreSQL via OIDC (Azure CLI credential)
+          credential = DefaultAzureCredential()
           token = credential.get_token("https://ossrdbms-aad.database.windows.net/.default").token
 
+          # Get the service principal display name for PostgreSQL user
+          import subprocess
+          sp_display_name = subprocess.run(
+              ["az", "ad", "sp", "show", "--id", os.environ["AZURE_CLIENT_ID"], "--query", "displayName", "-o", "tsv"],
+              capture_output=True, text=True
+          ).stdout.strip()
+
           db_params = {
-              "user": client_id,   # Use service principal clientId
+              "user": sp_display_name,   # Use service principal display name
               "password": token,   # Use AAD token instead of password
               "host": pg_host,
               "port": "5432",
@@ -382,10 +389,6 @@ jobs:
           except Exception as e:
               print(f"❌ Error during import: {e}")
           EOF
-        env:
-          AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
-          AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
-          AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
 
       - name: Final Status Check
         id: final-status
@@ -421,12 +424,12 @@ jobs:
     if: always() && needs.deploy.result != 'skipped'
     needs: [check-changes, deploy, e2e-test]
     runs-on: ubuntu-latest
+    environment: production
 
     env:
       AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
       AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
       AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-      AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
       AZURE_ENV_NAME: ${{ needs.deploy.outputs.solution_suffix }}  # Get from deploy job
       AZURE_LOCATION: ${{ vars.AZURE_LOCATION }}
       imageTag: ${{ needs.deploy.outputs.imageTag }}
@@ -442,12 +445,17 @@ jobs:
           push: never
           imageName: ghcr.io/azure-samples/chat-with-your-data-solution-accelerator
           imageTag: ${{ env.imageTag }}
-          runCmd: make destroy
+          runCmd: |
+            OIDC_TOKEN=$(curl -s -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=api://AzureADTokenExchange" | jq -r '.value')
+            az login --service-principal -u "$AZURE_CLIENT_ID" --tenant "$AZURE_TENANT_ID" --federated-token "$OIDC_TOKEN"
+            az account set --subscription $AZURE_SUBSCRIPTION_ID
+            make destroy
           env: |
             AZURE_CLIENT_ID
-            AZURE_CLIENT_SECRET
             AZURE_TENANT_ID
             AZURE_SUBSCRIPTION_ID
+            ACTIONS_ID_TOKEN_REQUEST_URL
+            ACTIONS_ID_TOKEN_REQUEST_TOKEN
             AZURE_ENV_NAME
             AZURE_LOCATION
             AZURE_RESOURCE_GROUP
 
@@ -107,9 +107,25 @@ jobs:
       TEST_SUITE: ${{ inputs.trigger_type == 'workflow_dispatch' && inputs.run_e2e_tests || 'GoldenPath-Testing' }}
     secrets: inherit
 
+  cleanup-deployment:
+    if: "!cancelled() && needs.deploy.outputs.RESOURCE_GROUP_NAME != '' && inputs.existing_webapp_url == '' && (inputs.trigger_type != 'workflow_dispatch' || inputs.cleanup_resources)"
+    needs: [deploy, e2e-test]
+    uses: ./.github/workflows/job-cleanup-deployment.yml
+    with:
+      runner_os: ${{ inputs.runner_os }}
+      trigger_type: ${{ inputs.trigger_type }}
+      cleanup_resources: ${{ inputs.cleanup_resources }}
+      existing_webapp_url: ${{ inputs.existing_webapp_url }}
+      RESOURCE_GROUP_NAME: ${{ needs.deploy.outputs.RESOURCE_GROUP_NAME }}
+      AZURE_LOCATION: ${{ needs.deploy.outputs.AZURE_LOCATION }}
+      AZURE_ENV_OPENAI_LOCATION: ${{ needs.deploy.outputs.AZURE_ENV_OPENAI_LOCATION }}
+      ENV_NAME: ${{ needs.deploy.outputs.ENV_NAME }}
+      IMAGE_TAG: ${{ needs.deploy.outputs.IMAGE_TAG }}
+    secrets: inherit
+
   send-notification:
     if: "!cancelled()"
-    needs: [deploy, e2e-test]
+    needs: [deploy, e2e-test, cleanup-deployment]
     uses: ./.github/workflows/job-send-notification.yml
     with:
       trigger_type: ${{ inputs.trigger_type }}
@@ -119,26 +135,10 @@ jobs:
       existing_webapp_url: ${{ inputs.existing_webapp_url }}
       deploy_result: ${{ needs.deploy.result }}
       e2e_test_result: ${{ needs.e2e-test.result }}
+      cleanup_result: ${{ needs.cleanup-deployment.result }}
       WEB_APPURL: ${{ needs.deploy.outputs.WEB_APPURL || inputs.existing_webapp_url }}
       RESOURCE_GROUP_NAME: ${{ needs.deploy.outputs.RESOURCE_GROUP_NAME }}
       QUOTA_FAILED: ${{ needs.deploy.outputs.QUOTA_FAILED }}
       TEST_SUCCESS: ${{ needs.e2e-test.outputs.TEST_SUCCESS }}
       TEST_REPORT_URL: ${{ needs.e2e-test.outputs.TEST_REPORT_URL }}
     secrets: inherit
-
-  cleanup-deployment:
-    if: "!cancelled() && needs.deploy.outputs.RESOURCE_GROUP_NAME != '' && inputs.existing_webapp_url == '' && (inputs.trigger_type != 'workflow_dispatch' || inputs.cleanup_resources)"
-    needs: [deploy, e2e-test]
-    uses: ./.github/workflows/job-cleanup-deployment.yml
-    with:
-      runner_os: ${{ inputs.runner_os }}
-      trigger_type: ${{ inputs.trigger_type }}
-      cleanup_resources: ${{ inputs.cleanup_resources }}
-      existing_webapp_url: ${{ inputs.existing_webapp_url }}
-      RESOURCE_GROUP_NAME: ${{ needs.deploy.outputs.RESOURCE_GROUP_NAME }}
-      AZURE_LOCATION: ${{ needs.deploy.outputs.AZURE_LOCATION }}
-      AZURE_ENV_OPENAI_LOCATION: ${{ needs.deploy.outputs.AZURE_ENV_OPENAI_LOCATION }}
-      ENV_NAME: ${{ needs.deploy.outputs.ENV_NAME }}
-      IMAGE_TAG: ${{ needs.deploy.outputs.IMAGE_TAG }}
-      RESOURCE_TOKEN: ${{ needs.deploy.outputs.RESOURCE_TOKEN }}
-    secrets: inherit
@@ -22,11 +22,12 @@ on:
         options:
           - 'codespace'
           - 'Local'
-        default: 'codespace'
+        default: 'Local'
 
       resource_group_name:
-        description: 'Existing Resource Group Name'
-        required: true
+        description: 'Resource Group Name (Optional - auto-generated if not provided)'
+        required: false
+        default: ''
         type: string
 
       DATABASE_TYPE:
@@ -108,6 +109,10 @@ on:
   schedule:
     - cron: '0 9,21 * * *'  # Runs at 9:00 AM and 9:00 PM GMT
 
+permissions:
+  id-token: write
+  contents: read
+
 # concurrency:
 #   group: ${{ github.event_name == 'workflow_dispatch' && format('manual-{0}', github.run_id) || 'deploy-auto-triggered' }}
 #   cancel-in-progress: false
@@ -174,7 +179,7 @@ jobs:
           echo "✅ runner_os derived as: '$RUNNER_OS'"
 
           # Validate resource_group_name (Azure naming convention)
-          RESOURCE_GROUP="${INPUT_RESOURCE_GROUP_NAME:-rg-cwyd-ci}"
+          RESOURCE_GROUP="${INPUT_RESOURCE_GROUP_NAME}"
           if [[ -n "$RESOURCE_GROUP" ]]; then
             if [[ ! "$RESOURCE_GROUP" =~ ^[a-zA-Z0-9._\(\)-]+$ ]] || [[ "$RESOURCE_GROUP" =~ \.$ ]]; then
               echo "❌ ERROR: resource_group_name '$RESOURCE_GROUP' is invalid. Must contain only alphanumerics, periods, underscores, hyphens, and parentheses. Cannot end with period."
@@ -188,7 +193,7 @@ jobs:
               echo "✅ resource_group_name: '$RESOURCE_GROUP' is valid"
             fi
           else
-            echo "✅ resource_group_name: Not provided (will use default 'rg-cwyd-ci')"
+            echo "✅ resource_group_name: Not provided (will be auto-generated during deployment)"
           fi
 
           # Validate DATABASE_TYPE (specific allowed values)
@@ -370,8 +375,8 @@ jobs:
     needs: validate-inputs
     uses: ./.github/workflows/deploy-orchestrator.yml
     with:
-      runner_os: ${{ needs.validate-inputs.outputs.runner_os || 'ubuntu-latest' }}
-      resource_group_name: ${{ github.event_name == 'workflow_dispatch' && needs.validate-inputs.outputs.resource_group_name || 'rg-cwyd-ci' }}
+      runner_os: ${{ needs.validate-inputs.outputs.runner_os || 'windows-latest' }}
+      resource_group_name: ${{ needs.validate-inputs.outputs.resource_group_name || '' }}
       waf_enabled: ${{ needs.validate-inputs.outputs.waf_enabled == 'true' }}
       EXP: ${{ needs.validate-inputs.outputs.exp == 'true' }}
       cleanup_resources: ${{ github.event_name != 'workflow_dispatch' || needs.validate-inputs.outputs.cleanup_resources == 'true' }}