sec(ci): replace secrets:inherit and static Azure creds with OIDC#538

Open
cristim wants to merge 2 commits into feat/multicloud-web-frontend from sec/ci-oidc-secrets

Conversation

@cristim cristim commented May 20, 2026

Summary

  • deploy-all.yml: Replace all four secrets: inherit blocks with explicit secret maps containing only the secrets each downstream workflow actually uses (audited from each callee's ${{ secrets.* }} references). No downstream workflow can now receive secrets it does not need.
  • rollback.yml (2 occurrences) and database-migration.yml (1 occurrence): Replace creds: ${{ secrets.AZURE_CREDENTIALS }} (long-lived static service-principal JSON blob) with the OIDC-federation form using client-id, tenant-id, and subscription-id. Both workflows already declare id-token: write at the top-level permissions block, so no permission change is required.

Closes #433

Test plan

  • Confirm azure/login OIDC form works by checking that AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_SUBSCRIPTION_ID secrets are configured in the repo (they are already used by azure_sanity.yml)
  • Run a dry-run rollback dispatch targeting azure to confirm the OIDC login step succeeds
  • Grep for remaining secrets: inherit in workflow files to confirm none remain: grep -r "secrets: inherit" .github/workflows/
  • Grep for remaining AZURE_CREDENTIALS references: grep -r "AZURE_CREDENTIALS" .github/workflows/

Summary by CodeRabbit

  • Chores
    • Updated CI workflows for database migrations, deployments, and rollback to use federated Azure authentication and explicit secret inputs.
    • Refined secret handling across deployment workflows with explicit mappings and newly required backend secrets for AWS, GCP, and Azure.
    • Declared additional optional/required secret inputs for AWS Lambda and Fargate, GCP, and Azure deployment callers.
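The two hardening steps described above (explicit per-secret maps on reusable-workflow calls, and azure/login on OIDC inputs instead of the static `creds` blob) are both things a repository can check mechanically. The script below is an added example, not the project's code: it audits workflows already parsed into dicts (the shape `yaml.safe_load` returns, so it runs without PyYAML) and reports `secrets: inherit`, caller/callee contract mismatches on `on.workflow_call.secrets`, and azure/login steps that still use `creds` or use the OIDC form without an effective `id-token: write` permission. The secret names follow the PR description; the callee path, job names and `_caller`/`_rollback` helpers are constructed for the sample.

```python
"""Audit parsed GitHub Actions workflows for the CI-secrets issues this PR fixes.
Added example, not project code. Input is the dict shape yaml.safe_load produces
(parsing is left out so this runs without PyYAML); PyYAML reads the bare key `on`
as boolean True (YAML 1.1), so both keys are accepted."""
from __future__ import annotations

OIDC_INPUTS = {"client-id", "tenant-id", "subscription-id"}


def _workflow_call_secrets(callee: dict) -> dict:
    """Return the callee's on.workflow_call.secrets map (empty if absent)."""
    triggers = callee.get("on") or callee.get(True) or {}
    return (triggers.get("workflow_call") or {}).get("secrets") or {}


def audit_secret_contracts(caller: dict, caller_name: str, callees: dict) -> list[str]:
    """Check each job in `caller` that calls a reusable workflow: flag
    `secrets: inherit`, secrets passed that the callee never declares
    (GitHub rejects the call), and required callee secrets the caller omits."""
    findings: list[str] = []
    for job_name, job in (caller.get("jobs") or {}).items():
        uses = job.get("uses")
        if not uses:
            continue  # ordinary job, not a reusable-workflow call
        where = f"{caller_name}:{job_name} -> {uses}"
        passed = job.get("secrets")
        if passed == "inherit":
            findings.append(f"{where}: 'secrets: inherit' forwards every repository secret")
            continue
        passed = passed or {}
        if uses not in callees:
            findings.append(f"{where}: callee not found, contract cannot be verified")
            continue
        declared = _workflow_call_secrets(callees[uses])
        for name in passed:
            if name not in declared:
                findings.append(f"{where}: passes {name} but callee does not declare it")
        for name, spec in declared.items():
            if (spec or {}).get("required") and name not in passed:
                findings.append(f"{where}: callee requires {name} but it is not passed")
    return findings


def audit_azure_login(workflow: dict, name: str) -> list[str]:
    """Flag azure/login steps on the static `creds` blob, and OIDC-form steps whose
    effective permissions lack `id-token: write` (a job-level block replaces the top-level one)."""
    findings: list[str] = []
    top = workflow.get("permissions") or {}
    for job_name, job in (workflow.get("jobs") or {}).items():
        perms = job.get("permissions", top) or {}
        for step in job.get("steps") or []:
            if not str(step.get("uses", "")).startswith("azure/login@"):
                continue
            where, inputs = f"{name}:{job_name}", step.get("with") or {}
            if "creds" in inputs:
                findings.append(f"{where}: static 'creds' service-principal JSON; use the OIDC inputs")
            elif OIDC_INPUTS <= set(inputs):
                if perms.get("id-token") != "write":
                    findings.append(f"{where}: OIDC login form without 'id-token: write'")
            else:
                findings.append(f"{where}: azure/login inputs incomplete: {sorted(inputs)}")
    return findings


# --- Constructed samples: secret names follow the PR, paths/job names are assumed ---
AZURE_CALLEE = "./.github/workflows/deploy-azure.yml"
AZURE_SECRETS = ["ADMIN_EMAIL", "AZURE_CLIENT_ID", "AZURE_TENANT_ID",
                 "AZURE_SUBSCRIPTION_ID", "TF_BACKEND_AZURE"]
CALLEES = {AZURE_CALLEE: {"on": {"workflow_call": {
    "secrets": {s: {"required": True} for s in AZURE_SECRETS}}}, "jobs": {}}}

def _caller(secrets):
    return {"jobs": {"deploy-azure": {"uses": AZURE_CALLEE, "secrets": secrets}}}

CALLER_BEFORE = _caller("inherit")  # the pre-PR shape
CALLER_AFTER = _caller({s: f"${{{{ secrets.{s} }}}}" for s in AZURE_SECRETS})
CALLER_BROKEN = _caller({"ADMIN_EMAIL": "${{ secrets.ADMIN_EMAIL }}",
                         "AZURE_CREDENTIALS": "${{ secrets.AZURE_CREDENTIALS }}"})

def _rollback(login_inputs, job_permissions=None):
    job = {"steps": [{"uses": "azure/login@v3", "with": login_inputs}]}
    if job_permissions is not None:
        job["permissions"] = job_permissions
    return {"permissions": {"id-token": "write", "contents": "read"},
            "jobs": {"rollback": job}}

STATIC_CREDS = {"creds": "${{ secrets.AZURE_CREDENTIALS }}"}
OIDC_CREDS = {k: f"${{{{ secrets.{v} }}}}" for k, v in
              [("client-id", "AZURE_CLIENT_ID"), ("tenant-id", "AZURE_TENANT_ID"),
               ("subscription-id", "AZURE_SUBSCRIPTION_ID")]}
ROLLBACK_BEFORE = _rollback(STATIC_CREDS)
ROLLBACK_AFTER = _rollback(OIDC_CREDS)
ROLLBACK_NO_TOKEN = _rollback(OIDC_CREDS, job_permissions={"contents": "read"})

if __name__ == "__main__":
    print(audit_secret_contracts(CALLER_BROKEN, "deploy-all.yml", CALLEES))
    print(audit_azure_login(ROLLBACK_BEFORE, "rollback.yml"))
```

Run against real files, feed each callee keyed by the `uses:` path the caller writes, and treat any finding as a CI failure; the reverse check (required callee secret not passed) is the one that would have caught the contract error CodeRabbit raised below, since GitHub validates it only at call time.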

Review Change Stack

Replace `secrets: inherit` in deploy-all.yml with explicit per-secret
passes limited to what each downstream workflow actually consumes.
Replace `creds: ${{ secrets.AZURE_CREDENTIALS }}` (static service-principal
JSON) in rollback.yml and database-migration.yml with the OIDC-federation
form (`client-id`, `tenant-id`, `subscription-id`); both workflows already
declare `id-token: write` permissions so OIDC works without further changes.

Closes #433
@cristim cristim added labels triaged (Item has been triaged), priority/p2 (Backlog-worthy), severity/medium (Moderate harm), urgency/this-sprint (Within the current sprint), impact/internal (Team-internal only), effort/s (Hours), type/security (Security finding) on May 20, 2026

coderabbitai Bot commented May 20, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 02f39d27-c6ad-4322-be38-276f87cfd68a

📥 Commits

Reviewing files that changed from the base of the PR and between ddda64f and b810919.

📒 Files selected for processing (4)
  • .github/workflows/deploy-aws-fargate.yml
  • .github/workflows/deploy-aws-lambda.yml
  • .github/workflows/deploy-azure.yml
  • .github/workflows/deploy-gcp.yml

📝 Walkthrough

Walkthrough

GitHub Actions workflows updated to harden CI security: Azure authentication migrated from static credentials to OIDC federation across database-migration.yml and rollback.yml; deploy-all.yml replaces blanket secrets: inherit with explicit per-cloud-provider secret mappings, and provider workflows declare required TF backend secrets.

Changes

Workflow Security Hardening

Azure OIDC Federation Migration
Files: .github/workflows/database-migration.yml, .github/workflows/rollback.yml
Summary: Header comment updated and azure/login@v3 steps changed to use client-id, tenant-id, and subscription-id secrets instead of a single AZURE_CREDENTIALS value in migration, image verification, and rollback jobs.

Deploy-all Explicit Secret Mappings
Files: .github/workflows/deploy-all.yml
Summary: Replaces secrets: inherit with explicit secrets: mappings for provider reusable-workflow jobs: AWS Lambda (ADMIN_EMAIL, DASHBOARD_URL, FROM_EMAIL, TF_BACKEND_AWS), AWS Fargate (ADMIN_EMAIL, TF_BACKEND_AWS), GCP (ADMIN_EMAIL, TF_BACKEND_GCP), Azure (ADMIN_EMAIL, AZURE_CLIENT_ID, AZURE_SUBSCRIPTION_ID, AZURE_TENANT_ID, TF_BACKEND_AZURE).

Provider workflow_call Secret Contracts
Files: .github/workflows/deploy-aws-fargate.yml, .github/workflows/deploy-aws-lambda.yml, .github/workflows/deploy-azure.yml, .github/workflows/deploy-gcp.yml
Summary: workflow_call interfaces updated: deploy-aws-fargate.yml adds required TF_BACKEND_AWS; deploy-aws-lambda.yml adds required TF_BACKEND_AWS and optional DASHBOARD_URL/FROM_EMAIL; deploy-azure.yml adds required TF_BACKEND_AZURE; deploy-gcp.yml adds required TF_BACKEND_GCP alongside ADMIN_EMAIL.

Sequence Diagram(s)

sequenceDiagram
  participant Workflow as GitHub_Actions_Workflow
  participant AzureLogin as azure/login@v3
  participant AzureAPI as Azure_API
  Workflow->>AzureLogin: pass client-id, tenant-id, subscription-id
  AzureLogin->>AzureAPI: request OIDC token exchange
  AzureAPI-->>AzureLogin: return short-lived access token
  AzureLogin-->>Workflow: provide authenticated session for Azure steps

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

I hop through YAML lines and cheer,
Secrets trimmed so only what's clear—
Azure sheds the ancient key,
OIDC breezes set it free,
Safer CI, one carrot cheer! 🐇

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)

Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
Title check: ✅ Passed. The title accurately summarizes the main changes: replacing secrets:inherit with explicit secret mappings and migrating Azure credentials from static creds to OIDC federation.
Linked Issues check: ✅ Passed. The PR comprehensively addresses all requirements from issue #433: replacing secrets:inherit with explicit per-workflow secret mappings in deploy-all.yml and converting Azure authentication from static credentials to OIDC federation in rollback.yml and database-migration.yml.
Out of Scope Changes check: ✅ Passed. All changes are directly aligned with the stated objectives: updating deploy-all.yml with explicit secrets, migrating Azure workflows to OIDC, and adding missing workflow_call.secrets declarations to ensure proper secret contract validation.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



cristim commented May 20, 2026

@coderabbitai review


coderabbitai Bot commented May 20, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.


cristim commented May 20, 2026

@coderabbitai review


coderabbitai Bot commented May 20, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.


@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/deploy-all.yml:
- Around line 125-129: Add the missing secret declarations under each reusable
workflow's on.workflow_call.secrets: in deploy-aws-lambda.yml declare
ADMIN_EMAIL, DASHBOARD_URL, FROM_EMAIL, TF_BACKEND_AWS; in
deploy-aws-fargate.yml declare ADMIN_EMAIL, TF_BACKEND_AWS; in deploy-gcp.yml
declare ADMIN_EMAIL, TF_BACKEND_GCP; and in deploy-azure.yml declare
ADMIN_EMAIL, AZURE_CLIENT_ID, AZURE_SUBSCRIPTION_ID, AZURE_TENANT_ID,
TF_BACKEND_AZURE so that the called workflows accept the secrets passed from
deploy-all.yml.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 6867b8bf-c99d-4293-94be-da168d5383f2

📥 Commits

Reviewing files that changed from the base of the PR and between b1ea4b1 and ddda64f.

📒 Files selected for processing (3)
  • .github/workflows/database-migration.yml
  • .github/workflows/deploy-all.yml
  • .github/workflows/rollback.yml

Comment thread .github/workflows/deploy-all.yml
Each deploy-*.yml reusable workflow lacked an on.workflow_call.secrets
block, so GitHub Actions rejected secret pass-through from deploy-all.yml
(which uses explicit secrets: rather than secrets: inherit).

Add the required secrets declarations to deploy-aws-lambda.yml,
deploy-aws-fargate.yml, deploy-gcp.yml, and deploy-azure.yml so that
actionlint and GitHub Actions validate the caller/callee contract cleanly.

cristim commented May 20, 2026

@coderabbitai review


coderabbitai Bot commented May 20, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.


cristim commented May 20, 2026

@coderabbitai resolve


coderabbitai Bot commented May 20, 2026

✅ Actions performed

Comments resolved. Approval is disabled; enable reviews.request_changes_workflow to allow explicit top-level @coderabbitai resolve or @coderabbitai approve commands.


cristim commented May 21, 2026

@coderabbitai review


coderabbitai Bot commented May 21, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.


cristim commented May 21, 2026

@coderabbitai review


coderabbitai Bot commented May 21, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.


cristim commented May 22, 2026

@coderabbitai review


coderabbitai Bot commented May 22, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.


cristim commented May 22, 2026

CR finding addressed: missing workflow_call.secrets declarations

The CodeRabbit finding (critical) was already fixed in commit b810919 (pushed 2026-05-20), which was not included in the reviewed commit set (ddda64f). Verified:

  • All four callee workflows now declare the exact secrets CR required under on.workflow_call.secrets
  • YAML syntax is clean across all five workflow files (deploy-all.yml + the four callees)
  • No further changes are needed

@coderabbitai review


coderabbitai Bot commented May 22, 2026

@cristim: Thanks for the confirmation and the detailed verification summary. I'll pick up commit b8109194 in the new review pass and validate the on.workflow_call.secrets declarations across all five workflow files.

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.


cristim commented May 22, 2026

@coderabbitai review


coderabbitai Bot commented May 22, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.
