Merge pull request #825 from microsoft/psl-oidc

ci: Migrated GitHub Actions authentication from client secrets to OIDC and combined Ubuntu & Windows workflows into a single pipeline

Author: Prajwal-Microsoft

.github/workflows/azure-dev.yml

@@ -25,7 +25,6 @@ jobs:
         id: validation
         env:
           AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} 
-          AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} 
           AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} 
           AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} 
           AZURE_ENV_NAME: ${{ secrets.AZURE_ENV_NAME }} 

.github/workflows/deploy-orchestrator.yml

@@ -1,9 +1,5 @@
 name: Deployment orchestrator
 
-permissions:
-  contents: read
-  actions: read
-
 on:
   workflow_call:
     inputs:

.github/workflows/deploy-linux.yml .github/workflows/deploy-v2.yml.github/workflows/deploy-linux.yml renamed to .github/workflows/deploy-v2.yml

@@ -1,6 +1,7 @@
-name: Deploy-Test-Cleanup (v2) Linux
+name: Deploy-Test-Cleanup (v2)
 
 permissions:
+  id-token: write
   contents: read
   actions: read
 on:
@@ -14,6 +15,14 @@ on:
       - hotfix
   workflow_dispatch:
     inputs:
+      runner_os:
+        description: 'Deployment Environment'
+        required: false
+        type: choice
+        options:
+          - 'codespace'
+          - 'Local'
+        default: 'codespace'
       azure_location:
         description: 'Azure Location For Deployment'
         required: false
@@ -90,6 +99,7 @@ jobs:
     runs-on: ubuntu-latest
     outputs:
       validation_passed: ${{ steps.validate.outputs.passed }}
+      runner_os: ${{ steps.validate.outputs.runner_os }}
       azure_location: ${{ steps.validate.outputs.azure_location }}
       resource_group_name: ${{ steps.validate.outputs.resource_group_name }}
       waf_enabled: ${{ steps.validate.outputs.waf_enabled }}
@@ -105,6 +115,7 @@ jobs:
         id: validate
         shell: bash
         env:
+          INPUT_RUNNER_OS: ${{ github.event.inputs.runner_os }}
           INPUT_AZURE_LOCATION: ${{ github.event.inputs.azure_location }}
           INPUT_RESOURCE_GROUP_NAME: ${{ github.event.inputs.resource_group_name }}
           INPUT_WAF_ENABLED: ${{ github.event.inputs.waf_enabled }}
@@ -118,6 +129,20 @@ jobs:
         run: |
           echo "🔍 Validating workflow input parameters..."
           VALIDATION_FAILED=false
+
+          # Resolve runner_os from Deployment Environment selection
+          DEPLOY_ENV="${INPUT_RUNNER_OS:-codespace}"
+          if [[ "$DEPLOY_ENV" == "codespace" ]]; then
+            RUNNER_OS="ubuntu-latest"
+            echo "✅ Deployment Environment: 'codespace' → runner: ubuntu-latest"
+          elif [[ "$DEPLOY_ENV" == "Local" ]]; then
+            RUNNER_OS="windows-latest"
+            echo "✅ Deployment Environment: 'Local' → runner: windows-latest"
+          else
+            echo "❌ ERROR: Deployment Environment must be 'codespace' or 'Local', got: '$DEPLOY_ENV'"
+            VALIDATION_FAILED=true
+            RUNNER_OS="ubuntu-latest"
+          fi
           
           # Validate azure_location (Azure region format)
           LOCATION="${INPUT_AZURE_LOCATION:-australiaeast}"
@@ -241,6 +266,7 @@ jobs:
           
           # Output validated values
           echo "passed=true" >> $GITHUB_OUTPUT
+          echo "runner_os=$RUNNER_OS" >> $GITHUB_OUTPUT
           echo "azure_location=$LOCATION" >> $GITHUB_OUTPUT
           echo "resource_group_name=$INPUT_RESOURCE_GROUP_NAME" >> $GITHUB_OUTPUT
           echo "waf_enabled=$WAF_ENABLED" >> $GITHUB_OUTPUT
@@ -257,7 +283,7 @@ jobs:
     if: needs.validate-inputs.outputs.validation_passed == 'true'
     uses: ./.github/workflows/deploy-orchestrator.yml
     with:
-      runner_os: ubuntu-latest
+      runner_os: ${{ needs.validate-inputs.outputs.runner_os || 'ubuntu-latest' }}
       azure_location: ${{ needs.validate-inputs.outputs.azure_location || 'australiaeast' }}
       resource_group_name: ${{ needs.validate-inputs.outputs.resource_group_name || '' }}
       waf_enabled: ${{ needs.validate-inputs.outputs.waf_enabled == 'true' }}

.github/workflows/deploy-waf.yml

@@ -1,6 +1,7 @@
 name: Validate WAF Deployment v4
 
 permissions:
+  id-token: write
   contents: read
   actions: read
 on:
@@ -13,6 +14,7 @@ on:
 jobs:
   deploy:
     runs-on: ubuntu-latest
+    environment: production
     env:
       GPT_MIN_CAPACITY: 1
       O4_MINI_MIN_CAPACITY: 1
@@ -21,12 +23,16 @@ jobs:
       - name: Checkout Code
         uses: actions/checkout@v4
 
+      - name: Login to Azure
+        uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
       - name: Run Quota Check
         id: quota-check
         env:
-          AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
-          AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
-          AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
           AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
           GPT_MIN_CAPACITY: ${{ env.GPT_MIN_CAPACITY }}
           O4_MINI_MIN_CAPACITY: ${{ env.O4_MINI_MIN_CAPACITY }}
@@ -66,10 +72,6 @@ jobs:
           echo "Selected Region: $VALID_REGION"
           echo "AZURE_LOCATION=$VALID_REGION" >> $GITHUB_ENV
 
-      - name: Login to Azure
-        run: |
-          az login --service-principal -u ${{ secrets.AZURE_CLIENT_ID }} -p ${{ secrets.AZURE_CLIENT_SECRET }} --tenant ${{ secrets.AZURE_TENANT_ID }}
-
       - name: Install Bicep CLI
         run: az bicep install