
Commit 0b414ec

Merge pull request #825 from microsoft/psl-oidc
ci: Migrated GitHub Actions authentication from client secrets to OIDC and combined Ubuntu & Windows workflows into a single pipeline
2 parents 8691b0c + 832d9f0 commit 0b414ec

17 files changed

Lines changed: 125 additions & 364 deletions

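--- a/.github/workflows/azure-dev.yml
+++ b/.github/workflows/azure-dev.yml
@@ -25,7 +25,6 @@ jobs:
         id: validation
         env:
           AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
-          AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
           AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
           AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
           AZURE_ENV_NAME: ${{ secrets.AZURE_ENV_NAME }}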

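--- a/.github/workflows/deploy-orchestrator.yml
+++ b/.github/workflows/deploy-orchestrator.yml
@@ -1,9 +1,5 @@
 name: Deployment orchestrator
 
-permissions:
-  contents: read
-  actions: read
-
 on:
   workflow_call:
     inputs: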
Lines changed: 28 additions & 2 deletions
@@ -1,6 +1,7 @@
1-
name: Deploy-Test-Cleanup (v2) Linux
1+
name: Deploy-Test-Cleanup (v2)
22

33
permissions:
4+
id-token: write
45
contents: read
56
actions: read
67
on:
@@ -14,6 +15,14 @@ on:
1415
- hotfix
1516
workflow_dispatch:
1617
inputs:
18+
runner_os:
19+
description: 'Deployment Environment'
20+
required: false
21+
type: choice
22+
options:
23+
- 'codespace'
24+
- 'Local'
25+
default: 'codespace'
1726
azure_location:
1827
description: 'Azure Location For Deployment'
1928
required: false
@@ -90,6 +99,7 @@ jobs:
9099
runs-on: ubuntu-latest
91100
outputs:
92101
validation_passed: ${{ steps.validate.outputs.passed }}
102+
runner_os: ${{ steps.validate.outputs.runner_os }}
93103
azure_location: ${{ steps.validate.outputs.azure_location }}
94104
resource_group_name: ${{ steps.validate.outputs.resource_group_name }}
95105
waf_enabled: ${{ steps.validate.outputs.waf_enabled }}
@@ -105,6 +115,7 @@ jobs:
105115
id: validate
106116
shell: bash
107117
env:
118+
INPUT_RUNNER_OS: ${{ github.event.inputs.runner_os }}
108119
INPUT_AZURE_LOCATION: ${{ github.event.inputs.azure_location }}
109120
INPUT_RESOURCE_GROUP_NAME: ${{ github.event.inputs.resource_group_name }}
110121
INPUT_WAF_ENABLED: ${{ github.event.inputs.waf_enabled }}
@@ -118,6 +129,20 @@ jobs:
118129
run: |
119130
echo "🔍 Validating workflow input parameters..."
120131
VALIDATION_FAILED=false
132+
133+
# Resolve runner_os from Deployment Environment selection
134+
DEPLOY_ENV="${INPUT_RUNNER_OS:-codespace}"
135+
if [[ "$DEPLOY_ENV" == "codespace" ]]; then
136+
RUNNER_OS="ubuntu-latest"
137+
echo "✅ Deployment Environment: 'codespace' → runner: ubuntu-latest"
138+
elif [[ "$DEPLOY_ENV" == "Local" ]]; then
139+
RUNNER_OS="windows-latest"
140+
echo "✅ Deployment Environment: 'Local' → runner: windows-latest"
141+
else
142+
echo "❌ ERROR: Deployment Environment must be 'codespace' or 'Local', got: '$DEPLOY_ENV'"
143+
VALIDATION_FAILED=true
144+
RUNNER_OS="ubuntu-latest"
145+
fi
121146
122147
# Validate azure_location (Azure region format)
123148
LOCATION="${INPUT_AZURE_LOCATION:-australiaeast}"
@@ -241,6 +266,7 @@ jobs:
241266
242267
# Output validated values
243268
echo "passed=true" >> $GITHUB_OUTPUT
269+
echo "runner_os=$RUNNER_OS" >> $GITHUB_OUTPUT
244270
echo "azure_location=$LOCATION" >> $GITHUB_OUTPUT
245271
echo "resource_group_name=$INPUT_RESOURCE_GROUP_NAME" >> $GITHUB_OUTPUT
246272
echo "waf_enabled=$WAF_ENABLED" >> $GITHUB_OUTPUT
@@ -257,7 +283,7 @@ jobs:
257283
if: needs.validate-inputs.outputs.validation_passed == 'true'
258284
uses: ./.github/workflows/deploy-orchestrator.yml
259285
with:
260-
runner_os: ubuntu-latest
286+
runner_os: ${{ needs.validate-inputs.outputs.runner_os || 'ubuntu-latest' }}
261287
azure_location: ${{ needs.validate-inputs.outputs.azure_location || 'australiaeast' }}
262288
resource_group_name: ${{ needs.validate-inputs.outputs.resource_group_name || '' }}
263289
waf_enabled: ${{ needs.validate-inputs.outputs.waf_enabled == 'true' }}
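Review bot: `id-token: write` is granted at the workflow level (the `permissions:` block in this section's first hunk), so every job in the workflow — including `validate-inputs`, which per the later hunks only runs a bash validation step on ubuntu-latest — can request an OIDC token, while only the job that calls `./.github/workflows/deploy-orchestrator.yml` in the last hunk appears to need one. Scoping the grant to that calling job keeps the workflow-level default read-only, e.g. `permissions:` / `  id-token: write` / `  contents: read` on that job; a reusable-workflow call runs with the caller job's permissions, which is presumably why this commit drops the `permissions:` block from deploy-orchestrator.yml — other jobs in this file that might also need the token are outside the visible hunks. The same workflow-level grant is added in deploy-waf.yml's first hunk. Separately, the new `runner_os` input is described as 'Deployment Environment' with options 'codespace'/'Local' that the validate step maps to ubuntu-latest/windows-latest, so a comment above the input such as `# 'codespace' → ubuntu-latest, 'Local' → windows-latest (mapped in validate-inputs)` would stop the next reader from expecting a runner label here.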

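--- a/.github/workflows/deploy-waf.yml
+++ b/.github/workflows/deploy-waf.yml
@@ -1,6 +1,7 @@
 name: Validate WAF Deployment v4
 
 permissions:
+  id-token: write
   contents: read
   actions: read
 on:
@@ -13,6 +14,7 @@ on:
 jobs:
   deploy:
     runs-on: ubuntu-latest
+    environment: production
     env:
       GPT_MIN_CAPACITY: 1
       O4_MINI_MIN_CAPACITY: 1
@@ -21,12 +23,16 @@ jobs:
       - name: Checkout Code
         uses: actions/checkout@v4
 
+      - name: Login to Azure
+        uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
       - name: Run Quota Check
         id: quota-check
         env:
-          AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
-          AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
-          AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
           AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
           GPT_MIN_CAPACITY: ${{ env.GPT_MIN_CAPACITY }}
           O4_MINI_MIN_CAPACITY: ${{ env.O4_MINI_MIN_CAPACITY }}
@@ -66,10 +72,6 @@ jobs:
           echo "Selected Region: $VALID_REGION"
           echo "AZURE_LOCATION=$VALID_REGION" >> $GITHUB_ENV
 
-      - name: Login to Azure
-        run: |
-          az login --service-principal -u ${{ secrets.AZURE_CLIENT_ID }} -p ${{ secrets.AZURE_CLIENT_SECRET }} --tenant ${{ secrets.AZURE_TENANT_ID }}
-
       - name: Install Bicep CLI
         run: az bicep install
 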
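Review bot: The new `Login to Azure` step in the third hunk references `azure/login@v2` by a mutable major-version tag, so the code that receives the OIDC token and the subscription identity is whatever that tag resolves to at run time; pinning it to a full-length commit SHA with the version kept as a trailing comment, `uses: azure/login@<full-commit-sha>  # v2` (placeholder — take the SHA from the action's release), makes the step immutable and still lets Dependabot track upgrades, and the pre-existing `actions/checkout@v4` in the same hunk has the same exposure. The `environment: production` added in the second hunk changes the subject claim GitHub puts in the token, so the federated credential on the app registration presumably has to be scoped to that environment rather than to a branch — worth confirming before this is merged, since a mismatch fails only at run time. The `Run Quota Check` step's env now keeps only `AZURE_SUBSCRIPTION_ID`; if its script calls `az`, it depends on the login step's session, which holds as long as the step order in this hunk is preserved.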