ci: Migrated GitHub Actions authentication from client secrets to OIDC

Author: Vamshi-Microsoft

.github/workflows/azure-dev.yml

@@ -24,7 +24,6 @@ jobs:
         id: validation 
         env: 
           AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} 
-          AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} 
           AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} 
           AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} 
           AZURE_ENV_NAME: ${{ secrets.AZURE_ENV_NAME }} 

.github/workflows/build-docker-images.yml

@@ -2,6 +2,7 @@ name: Build Docker and Optional Push
 permissions:
   contents: read
   actions: read
+  id-token: write
 on:
   push:
     branches:
@@ -50,15 +51,11 @@ jobs:
         include:
           - app_name: cmsabackend
             dockerfile: docker/Backend.Dockerfile
-            password_secret: DOCKER_PASSWORD
           - app_name: cmsafrontend
             dockerfile: docker/Frontend.Dockerfile
-            password_secret: DOCKER_PASSWORD
     uses: ./.github/workflows/build-docker.yml
     with:
       registry: cmsacontainerreg.azurecr.io
-      username: cmsacontainerreg
-      password_secret: ${{ matrix.password_secret }}
       app_name: ${{ matrix.app_name }}
       dockerfile: ${{ matrix.dockerfile }}
       push: ${{ github.ref_name == 'main' || github.ref_name == 'dev' || github.ref_name == 'demo' || github.ref_name == 'hotfix' }}

.github/workflows/build-docker.yml

@@ -6,12 +6,6 @@ on:
       registry:
         required: true
         type: string
-      username:
-        required: true
-        type: string
-      password_secret:
-        required: true
-        type: string
       app_name:
         required: true
         type: string
@@ -21,25 +15,27 @@ on:
       push:
         required: true
         type: boolean
-    secrets:
-      DOCKER_PASSWORD:
-        required: false
 
 jobs:
   docker-build:
     runs-on: ubuntu-latest
+    environment: production
     steps:
 
     - name: Checkout
       uses: actions/checkout@v6
 
-    - name: Docker Login
+    - name: Login to Azure
       if: ${{ inputs.push }}
-      uses: docker/login-action@v3
+      uses: azure/login@v2
       with:
-        registry: ${{ inputs.registry }}
-        username: ${{ inputs.username }}
-        password: ${{ secrets[inputs.password_secret] }}
+        client-id: ${{ secrets.AZURE_CLIENT_ID }}
+        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+    - name: Login to ACR
+      if: ${{ inputs.push }}
+      run: az acr login --name ${{ inputs.registry }}
 
     - name: Set up Docker Buildx
       uses: docker/setup-buildx-action@v3

.github/workflows/deploy-linux.yml

@@ -2,6 +2,7 @@ name: Deploy-Test-Cleanup (v2) Linux
 permissions:
   contents: read
   actions: read
+  id-token: write
 on:
   workflow_run:
       workflows: ["Build Docker and Optional Push"]

.github/workflows/deploy-orchestrator.yml

@@ -1,9 +1,5 @@
 name: Deployment orchestrator
 
-permissions:
-  contents: read
-  actions: read
-
 on:
   workflow_call:
     inputs:

.github/workflows/deploy-windows.yml

@@ -2,6 +2,7 @@ name: Deploy-Test-Cleanup (v2) Windows
 permissions:
   contents: read
   actions: read
+  id-token: write
 on:
   workflow_dispatch:
     inputs:

.github/workflows/deploy.yml

@@ -3,6 +3,7 @@ name: Deploy-Test-Cleanup Pipeline
 permissions:
   contents: read
   actions: read
+  id-token: write
 on:
     workflow_run:
       workflows: ["Build Docker and Optional Push"]
@@ -23,6 +24,7 @@ env:
 jobs:
   deploy:
     runs-on: ubuntu-latest
+    environment: production
     outputs:
       RESOURCE_GROUP_NAME: ${{ steps.check_create_rg.outputs.RESOURCE_GROUP_NAME }}
       WEBAPP_URL: ${{ steps.get_output.outputs.WEBAPP_URL }}
@@ -31,15 +33,15 @@ jobs:
         uses: actions/checkout@v6
 
       - name: Login to Azure
-        run: |
-          az login --service-principal -u ${{ secrets.AZURE_CLIENT_ID }} -p ${{ secrets.AZURE_CLIENT_SECRET }} --tenant ${{ secrets.AZURE_TENANT_ID }}
+        uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
       - name: Run Quota Check
         id: quota-check
         env:
-          AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
-          AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
-          AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
           AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
           AZURE_REGIONS: ${{ vars.AZURE_REGIONS }}
           GPT_MIN_CAPACITY: ${{ env.GPT_MIN_CAPACITY }}
@@ -182,14 +184,17 @@ jobs:
     if: always() && needs.deploy.outputs.RESOURCE_GROUP_NAME != ''
     needs: [deploy, e2e-test]
     runs-on: ubuntu-latest
+    environment: production
     env:
       RESOURCE_GROUP_NAME: ${{ needs.deploy.outputs.RESOURCE_GROUP_NAME }}
     steps:
 
       - name: Login to Azure
-        run: |
-            az login --service-principal -u ${{ secrets.AZURE_CLIENT_ID }} -p ${{ secrets.AZURE_CLIENT_SECRET }} --tenant ${{ secrets.AZURE_TENANT_ID }}
-            az account set --subscription "${{ secrets.AZURE_SUBSCRIPTION_ID }}"
+        uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
       - name: Assign Contributor role to Service Principal
         if: always()

.github/workflows/job-cleanup-deployment.yml

@@ -1,8 +1,5 @@
 name: Cleanup Deployment Job
 
-permissions:
-  contents: read
-  actions: read
 on:
   workflow_call:
     inputs:
@@ -48,6 +45,7 @@ on:
 jobs:
   cleanup-deployment:
     runs-on: ${{ inputs.runner_os }}
+    environment: production
     continue-on-error: true
     env:
       RESOURCE_GROUP_NAME: ${{ inputs.RESOURCE_GROUP_NAME }}
@@ -58,10 +56,11 @@ jobs:
     steps:
 
       - name: Login to Azure
-        shell: bash
-        run: |
-          az login --service-principal -u ${{ secrets.AZURE_CLIENT_ID }} -p ${{ secrets.AZURE_CLIENT_SECRET }} --tenant ${{ secrets.AZURE_TENANT_ID }}
-          az account set --subscription ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+        uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
       - name: Delete Resource Group (Optimized Cleanup)
         id: delete_rg

.github/workflows/job-deploy-linux.yml

@@ -1,8 +1,5 @@
 name: Deploy Steps - Linux
 
-permissions:
-  contents: read
-  actions: read
 on:
   workflow_call:
     inputs:
@@ -45,6 +42,7 @@ on:
 jobs:
   deploy-linux:
     runs-on: ubuntu-latest
+    environment: production
     env:
       AZURE_DEV_COLLECT_TELEMETRY: ${{ vars.AZURE_DEV_COLLECT_TELEMETRY }}
     outputs:
@@ -201,13 +199,18 @@ jobs:
       - name: Install azd
         uses: Azure/setup-azd@v2
 
+      - name: Login to Azure
+        uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
       - name: Login to AZD
         id: login-azure
         shell: bash
         run: |
-          az login --service-principal -u ${{ secrets.AZURE_CLIENT_ID }} -p ${{ secrets.AZURE_CLIENT_SECRET }} --tenant ${{ secrets.AZURE_TENANT_ID }}
-          az account set --subscription ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-          azd auth login --client-id ${{ secrets.AZURE_CLIENT_ID }} --client-secret ${{ secrets.AZURE_CLIENT_SECRET }} --tenant-id ${{ secrets.AZURE_TENANT_ID }}
+          azd auth login --client-id ${{ secrets.AZURE_CLIENT_ID }} --federated-credential-provider "github" --tenant-id ${{ secrets.AZURE_TENANT_ID }}
 
       - name: Deploy using azd up and extract values (Linux)
         id: get_output_linux

.github/workflows/job-deploy-windows.yml

@@ -1,9 +1,5 @@
 name: Deploy Steps - Windows
 
-permissions:
-  contents: read
-  actions: read
-
 on:
   workflow_call:
     inputs:
@@ -46,6 +42,7 @@ on:
 jobs:
   deploy-windows:
     runs-on: windows-latest
+    environment: production
     env:
       AZURE_DEV_COLLECT_TELEMETRY: ${{ vars.AZURE_DEV_COLLECT_TELEMETRY }}
     outputs:
@@ -202,13 +199,18 @@ jobs:
       - name: Install azd
         uses: Azure/setup-azd@v2
 
+      - name: Login to Azure
+        uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
       - name: Login to AZD
         id: login-azure
         shell: bash
         run: |
-          az login --service-principal -u ${{ secrets.AZURE_CLIENT_ID }} -p ${{ secrets.AZURE_CLIENT_SECRET }} --tenant ${{ secrets.AZURE_TENANT_ID }}
-          az account set --subscription ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-          azd auth login --client-id ${{ secrets.AZURE_CLIENT_ID }} --client-secret ${{ secrets.AZURE_CLIENT_SECRET }} --tenant-id ${{ secrets.AZURE_TENANT_ID }}
+          azd auth login --client-id ${{ secrets.AZURE_CLIENT_ID }} --federated-credential-provider "github" --tenant-id ${{ secrets.AZURE_TENANT_ID }}
 
 
       - name: Deploy using azd up and extract values (Windows)