From e912cede476dfafb0f1732827693034509c74f3b Mon Sep 17 00:00:00 2001
From: Eljo George
Date: Tue, 5 Dec 2023 11:01:55 -0800
Subject: [PATCH 1/5] Azure Login with OpenID Connect authentication for Dev images action (#871)
---
.github/workflows/push-dev.yml | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/push-dev.yml b/.github/workflows/push-dev.yml
index 4187e87e2..627e6bd95 100644
--- a/.github/workflows/push-dev.yml
+++ b/.github/workflows/push-dev.yml
@@ -33,7 +33,9 @@ jobs:
id: az_login
uses: azure/login@v1
with:
- creds: ${{ secrets.AZ_ACR_CREDS }}
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- name: Build and push dev tags
id: build_and_push
From b490e9490d28cd77e48b3e18ecc78f9c62fed96f Mon Sep 17 00:00:00 2001
From: Eljo George
Date: Tue, 5 Dec 2023 11:13:15 -0800
Subject: [PATCH 2/5] Add permissions for OpenID connect auth to work on action workflows (#872)
---
.github/workflows/push-dev.yml | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/.github/workflows/push-dev.yml b/.github/workflows/push-dev.yml
index 627e6bd95..55616227b 100644
--- a/.github/workflows/push-dev.yml
+++ b/.github/workflows/push-dev.yml
@@ -5,6 +5,10 @@ on:
schedule:
- cron: '0 14 * * MON'
+permissions:
+ id-token: write
+ contents: read
+
jobs:
build-and-push:
name: Build and push
From 4fb6a319a191c8eebb1574be3798588b41b9859f Mon Sep 17 00:00:00 2001
From: Eljo George
Date: Tue, 5 Dec 2023 11:25:14 -0800
Subject: [PATCH 3/5] Try with removing contents permission so that nested jobs can override (#873)
---
.github/workflows/push-dev.yml | 1 -
1 file changed, 1 deletion(-)
diff --git a/.github/workflows/push-dev.yml b/.github/workflows/push-dev.yml
index 55616227b..764be1d39 100644
--- a/.github/workflows/push-dev.yml
+++ b/.github/workflows/push-dev.yml
@@ -7,7 +7,6 @@ on:
permissions:
id-token: write
- contents: read
jobs:
build-and-push:
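Review bot: The OIDC credentials are now handed to `azure/login@v1`, a mutable major-version tag, so the action that receives the federated token and the three new secrets can change without any review of this file; pin it to a full commit SHA with the version kept in a comment, `uses: azure/login@<full-commit-sha>  # v1` (placeholder, resolve from the azure/login release). The same `uses:` context line appears in the version-history.yml hunk of patch 5/5 and should be pinned there as well. The `AZ_ACR_CREDS` secret is no longer read by this step; once no workflow references it, remove it from the repository secrets and revoke the service-principal secret behind it so the long-lived credential does not stay valid alongside the OIDC path. The enclosing job continues outside the hunk.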
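Review bot: The new workflow-level `permissions:` block grants `id-token: write` to every job in push-dev.yml rather than only to the job that runs azure/login; GitHub accepts a job-level `permissions:` block, so moving `id-token: write` under the `build-and-push` job (and any other job that actually calls azure/login) keeps OIDC token issuance on the smallest scope. Whether the workflow has further jobs is not visible in this hunk, so this is inferred from the workflow-wide placement. The patch 4/5 hunk extends the same workflow-level block with `contents: write` and `pull-requests: write`, which widens every job's GITHUB_TOKEN in the same way and should be scoped alongside this one. Note that once any `permissions:` block is declared, every scope not listed becomes `none`, so job-level blocks must list every scope that job's steps need.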
From 5b8866c7b3a8571b14ed9cc8462220fa047d743e Mon Sep 17 00:00:00 2001
From: Eljo George
Date: Tue, 5 Dec 2023 11:49:45 -0800
Subject: [PATCH 4/5] Grant permissions required by nested pipeline, on push-dev.yml (#874)
---
.github/workflows/push-dev.yml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/.github/workflows/push-dev.yml b/.github/workflows/push-dev.yml
index 764be1d39..30bdd0bfd 100644
--- a/.github/workflows/push-dev.yml
+++ b/.github/workflows/push-dev.yml
@@ -7,6 +7,8 @@ on:
permissions:
id-token: write
+ contents: write
+ pull-requests: write
jobs:
build-and-push:
From 804db60b30d808899e1aa5e14882d4370fa904a9 Mon Sep 17 00:00:00 2001
From: Eljo George
Date: Tue, 5 Dec 2023 14:55:43 -0800
Subject: [PATCH 5/5] Use environments for easier secret management and protection rules for actions (#875)
* Use environments for easier secret management and protection rules for actions
* use documentation env
---
.github/workflows/push-dev.yml | 1 +
.github/workflows/version-history.yml | 4 +++-
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/push-dev.yml b/.github/workflows/push-dev.yml
index 30bdd0bfd..a0ff8a1da 100644
--- a/.github/workflows/push-dev.yml
+++ b/.github/workflows/push-dev.yml
@@ -20,6 +20,7 @@ jobs:
page-total: [66]
fail-fast: false
runs-on: devcontainer-image-builder-ubuntu
+ environment: documentation
steps:
- name: Free more space
id: free_space
diff --git a/.github/workflows/version-history.yml b/.github/workflows/version-history.yml
index d395b9123..154acda75 100644
--- a/.github/workflows/version-history.yml
+++ b/.github/workflows/version-history.yml
@@ -52,7 +52,9 @@ jobs:
id: az_login
uses: azure/login@v1
with:
- creds: ${{ secrets.AZ_ACR_CREDS }}
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- name: Get image info
id: Get_image_info
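Review bot: The added `contents: write` and `pull-requests: write` scopes carry no record of which step or called workflow needs them, so a later reader cannot tell whether either can be dropped; add a comment above the block such as `# id-token: azure/login OIDC; contents/pull-requests write: needed by the nested pipeline called from this workflow (#874)`. The commit subject attributes the scopes to a "nested pipeline", but the `uses:` call for it lies outside this hunk, so that dependency is inferred here rather than visible. Recording the consumer next to the scope is what makes a later least-privilege review possible.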
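Review bot: Adding `environment: documentation` to this job changes more than where secrets are read from: with azure/login on OIDC, the token issued for a job running in an environment carries the subject `repo:<owner>/<repo>:environment:documentation` instead of the branch-based subject, so the federated credential on the Azure application must be configured for that subject or the login in push-dev.yml will start failing. The environment name also does not describe what the job does (build and push dev images), which makes the intent of its protection rules hard to read; a comment such as `# environment holds the Azure OIDC secrets and the protection rules for image pushes` would help, or a name that reflects the job. The version-history.yml hunk in the same patch switches to the same secret names but is not placed in an environment, so those secrets must also exist at repository level and its OIDC subject will differ — worth confirming against the federated credentials. The job's `steps:` list continues outside the hunk.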
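Review bot: The switch to OIDC in version-history.yml needs `id-token: write` in that workflow, but the series only adds that permission to push-dev.yml (patch 2/5) and this file's diffstat shows only the three-line change in this hunk; unless version-history.yml already declares `id-token: write` outside the hunk, azure/login will be unable to request the federated token. Add a job-level block on the job that runs this step, `permissions:` followed by `  id-token: write`, together with whatever scopes its other steps already rely on, since declaring the block sets every unlisted scope to `none`. The step list continues outside the hunk.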