Merge pull request #556 from microsoft/psl-inputvalidation-oidc

ci: Added Input Validation and Migrated GitHub Actions authentication from client secrets to OIDC

Author: Prajwal-Microsoft

.github/workflows/CI.yml

@@ -16,6 +16,7 @@ on:
   schedule:
     - cron: "0 10,22 * * *" # Runs at 10:00 AM and 10:00 PM GMT
 permissions:
+  id-token: write
   contents: read
   actions: read
 env:
@@ -25,6 +26,7 @@ env:
 jobs:
   deploy:
     runs-on: ubuntu-latest
+    environment: production
     outputs:
       RESOURCE_GROUP_NAME: ${{ steps.get_webapp_url.outputs.RESOURCE_GROUP_NAME }}
       KUBERNETES_RESOURCE_GROUP_NAME: ${{ steps.get_webapp_url.outputs.KUBERNETES_RESOURCE_GROUP_NAME }}
@@ -78,6 +80,14 @@ jobs:
         with:
           driver: docker
 
+      - name: Login to Azure
+        uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          enable-AzPSSession: true
+
       - name: Run Quota Check
         id: quota-check
         shell: pwsh
@@ -105,9 +115,6 @@ jobs:
           }
         env:
           AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-          AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
-          AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
-          AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
           GPT_MIN_CAPACITY: ${{ env.GPT_CAPACITY }}
           TEXT_EMBEDDING_MIN_CAPACITY: ${{ env.TEXT_EMBEDDING_CAPACITY }}
           AZURE_REGIONS: "${{ vars.AZURE_REGIONS }}"
@@ -158,11 +165,6 @@ jobs:
           echo "RESOURCE_GROUP_NAME=${UNIQUE_RG_NAME}" >> $GITHUB_ENV
           echo "Generated RESOURCE_GROUP_NAME: ${UNIQUE_RG_NAME}"
 
-      - name: Login to Azure
-        run: |
-          az login --service-principal -u ${{ secrets.AZURE_CLIENT_ID }} -p ${{ secrets.AZURE_CLIENT_SECRET }} --tenant ${{ secrets.AZURE_TENANT_ID }}
-          az account set --subscription ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-
       - name: Check and Create Resource Group
         id: check_create_rg
         run: |
@@ -252,11 +254,8 @@ jobs:
           Write-Host "Resource Group Name is ${{ env.RESOURCE_GROUP_NAME }}"
           Write-Host "Kubernetes resource group is ${{ env.AZURE_AKS_NAME }}"
         env:
-          # From GitHub secrets (for login)
+          # From GitHub secrets
           AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-          AZURE_TENANT_ID:       ${{ secrets.AZURE_TENANT_ID }}
-          AZURE_CLIENT_ID:       ${{ secrets.AZURE_CLIENT_ID }}
-          AZURE_CLIENT_SECRET:   ${{ secrets.AZURE_CLIENT_SECRET }}
 
           # From deployment outputs step (these come from $GITHUB_ENV)
           RESOURCE_GROUP_NAME:          ${{ env.RESOURCE_GROUP_NAME }}
@@ -292,10 +291,9 @@ jobs:
           if az account show &> /dev/null; then
             echo "Azure CLI is authenticated."
           else
-            echo "Azure CLI is not authenticated. Logging in..."
-            az login --service-principal --username ${{ secrets.AZURE_CLIENT_ID }} --password ${{ secrets.AZURE_CLIENT_SECRET }} --tenant ${{ secrets.AZURE_TENANT_ID }}
+            echo "Azure CLI is not authenticated. Please check the OIDC login step."
+            exit 1
           fi
-          az account set --subscription ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
           # Get the Web App URL and save it to GITHUB_OUTPUT
           echo "Retrieving Web App URL..."
@@ -393,6 +391,7 @@ jobs:
     if: always()
     needs: [deploy, e2e-test]
     runs-on: ubuntu-latest
+    environment: production
     env:
       RESOURCE_GROUP_NAME: ${{ needs.deploy.outputs.RESOURCE_GROUP_NAME }}
       KUBERNETES_RESOURCE_GROUP_NAME: ${{ needs.deploy.outputs.KUBERNETES_RESOURCE_GROUP_NAME }}
@@ -402,10 +401,11 @@ jobs:
 
     steps:
       - name: Login to Azure
-        shell: bash
-        run: |
-          az login --service-principal --username ${{ secrets.AZURE_CLIENT_ID }} --password ${{ secrets.AZURE_CLIENT_SECRET }} --tenant ${{ secrets.AZURE_TENANT_ID }}
-          az account set --subscription "${{ secrets.AZURE_SUBSCRIPTION_ID }}"
+        uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
       - name: Delete Resource Groups
         if: env.RESOURCE_GROUP_NAME != ''

.github/workflows/codeql.yml

@@ -8,21 +8,13 @@ on:
       - 'App/frontend-app/**'
       - 'App/kernel-memory/**'
       - '.github/workflows/codeql.yml'
-    paths-ignore:
-      - '**/.gitignore'
-      - '**/Dockerfile'
-      - '**/.dockerignore'
   pull_request:
     branches: [ "main", "dev", "demo" ]
     paths:
       - 'App/backend-api/**'
       - 'App/frontend-app/**'
       - 'App/kernel-memory/**'
       - '.github/workflows/codeql.yml'
-    paths-ignore:
-      - '**/.gitignore'
-      - '**/Dockerfile'
-      - '**/.dockerignore'
   schedule:
     - cron: '37 2 * * 5'
 

.github/workflows/deploy-linux.yml

@@ -77,7 +77,8 @@ jobs:
     secrets: inherit
 
   send-notification:
-    if: "!cancelled()"
+    # if: "!cancelled()"
+    if: false # Temporarily disable notification job
     needs: [deploy, e2e-test]
     uses: ./.github/workflows/job-send-notification.yml
     with:
@@ -96,7 +97,7 @@ jobs:
     secrets: inherit
 
   cleanup-deployment:
-    if: "!cancelled() && needs.deploy.result == 'success' && needs.deploy.outputs.RESOURCE_GROUP_NAME != '' && inputs.existing_webapp_url == '' && (inputs.trigger_type != 'workflow_dispatch' || inputs.cleanup_resources)"
+    if: "!cancelled() && needs.deploy.outputs.RESOURCE_GROUP_NAME != '' && inputs.existing_webapp_url == '' && (inputs.trigger_type != 'workflow_dispatch' || inputs.cleanup_resources)"
     needs: [deploy, e2e-test]
     uses: ./.github/workflows/job-cleanup-deployment.yml
     with: