Skip to content

ci: Migrated GitHub Actions authentication from client secrets to OIDC #730

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Vamshi-Microsoft wants to merge 4 commits into
base: main
Choose a base branch
from
Open

ci: Migrated GitHub Actions authentication from client secrets to OIDC #730

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
f435ed2
Migrated GitHub Actions authentication from client secrets to OIDC an…
Vamshi-Microsoft Feb 20, 2026
cd2c7a2
refactor: update ACR name extraction logic in deployment workflows fo…
Vamshi-Microsoft Feb 20, 2026
046bd35
chore: temporarily disable send-notification job in deployment orches…
Vamshi-Microsoft Feb 20, 2026
3f15d65
Renamed the deployment workflow
Vamshi-Microsoft Feb 20, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 2 additions & 6 deletions .github/workflows/deploy-orchestrator.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ on:
workflow_call:
inputs:
runner_os:
description: 'Runner OS (ubuntu-latest, windows-latest, or devcontainer)'
description: 'Runner OS (ubuntu-latest or windows-latest)'
required: true
type: string
azure_location:
Expand Down Expand Up @@ -69,11 +69,7 @@ on:

env:
AZURE_DEV_COLLECT_TELEMETRY: ${{ vars.AZURE_DEV_COLLECT_TELEMETRY }}
permissions:
contents: read
actions: read
packages: write # Required by job-deploy → job-deploy-devcontainer to push devcontainer image to GHCR


jobs:
docker-build:
uses: ./.github/workflows/job-docker-build.yml
Expand Down
10 changes: 4 additions & 6 deletions .github/workflows/deploy-ci.yml → .github/workflows/deploy-v2.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,6 @@ on:
type: choice
options:
- 'codespace'
- 'Devcontainer'
- 'Local'
default: 'codespace'

Expand Down Expand Up @@ -116,7 +115,8 @@ on:
permissions:
contents: read
actions: read
packages: write # Required by deploy-orchestrator → job-deploy → job-deploy-devcontainer for GHCR
id-token: write # Required for OIDC-based Azure authentication
packages: write # Required for GHCR operations
jobs:
validate-inputs:
runs-on: ubuntu-latest
Expand Down Expand Up @@ -157,8 +157,8 @@ jobs:

# Validate runner_os (specific allowed values) and derive actual runner
RUNNER_OS_INPUT="${INPUT_RUNNER_OS:-codespace}"
if [[ "$RUNNER_OS_INPUT" != "codespace" && "$RUNNER_OS_INPUT" != "Devcontainer" && "$RUNNER_OS_INPUT" != "Local" ]]; then
echo "❌ ERROR: runner_os must be one of: codespace, Devcontainer, Local, got: '$RUNNER_OS_INPUT'"
if [[ "$RUNNER_OS_INPUT" != "codespace" && "$RUNNER_OS_INPUT" != "Local" ]]; then
echo "❌ ERROR: runner_os must be one of: codespace, Local, got: '$RUNNER_OS_INPUT'"
VALIDATION_FAILED=true
else
echo "✅ runner_os: '$RUNNER_OS_INPUT' is valid"
Expand All @@ -167,8 +167,6 @@ jobs:
# Derive actual runner from runner_os input
if [[ "$RUNNER_OS_INPUT" == "codespace" ]]; then
RUNNER_OS="ubuntu-latest"
elif [[ "$RUNNER_OS_INPUT" == "Devcontainer" ]]; then
RUNNER_OS="devcontainer"
else
RUNNER_OS="windows-latest"
fi
Expand Down
275 changes: 0 additions & 275 deletions .github/workflows/deploy-windows.yml
View file
Open in desktop

This file was deleted.

17 changes: 12 additions & 5 deletions .github/workflows/docker-build.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,9 +31,11 @@ on:
permissions:
contents: read
actions: read
id-token: write # Required for OIDC-based Azure authentication
jobs:
build-and-push:
runs-on: ubuntu-latest
environment: production

steps:
- name: Checkout repository
Expand All @@ -42,13 +44,18 @@ jobs:
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

- name: Log in to Azure Container Registry
- name: Login to Azure (OIDC)
if: ${{ (github.event_name == 'push' && (github.ref_name == 'main' || github.ref_name == 'dev' || github.ref_name == 'demo')) || (github.event_name == 'workflow_dispatch' && (github.ref_name == 'dependabotchanges'||github.ref_name == 'main' || github.ref_name == 'dev' || github.ref_name == 'demo')) }}
uses: azure/docker-login@v2
uses: azure/login@v2
with:
login-server: ${{ secrets.ACR_LOGIN_SERVER }}
username: ${{ secrets.ACR_USERNAME }}
password: ${{ secrets.ACR_PASSWORD }}
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

- name: Log in to Azure Container Registry
if: ${{ (github.event_name == 'push' && (github.ref_name == 'main' || github.ref_name == 'dev' || github.ref_name == 'demo')) || (github.event_name == 'workflow_dispatch' && (github.ref_name == 'dependabotchanges'||github.ref_name == 'main' || github.ref_name == 'dev' || github.ref_name == 'demo')) }}
shell: bash
run: az acr login --name ${{ secrets.ACR_LOGIN_SERVER }}

- name: Get current date
id: date
Expand Down
Loading