chore: Use OIDC to authenticate to Azure in Github Actions (#3253)

* chore: Use federated credential in readme.py * chore: Update cli workflows to use federated credentials * chore: Update tutorial workflows to use federated credentials * chore: Update sdk workflows to use federated credentials * chore: Normalize line-ending for sdk-foundation-models-azure_openai-oai-v1-openai_completions_finetune.yml * chore: Use federated credentials in sdk-foundation-models-azure_openai-oai-v1-openai_completions_finetune.yml * chore: Update remaining workflows to use federated credentials
Azure · Jun 19, 2024 · 9be775a · 9be775a
1 parent 51297a7
commit 9be775a
Show file tree

Hide file tree

Showing 386 changed files with 2,035 additions and 480 deletions.
diff --git a/.github/workflows/automated-cleanup-resources.yml b/.github/workflows/automated-cleanup-resources.yml
@@ -10,6 +10,8 @@ on:
       - .github/workflows/automated-cleanup-resources.yml
       - infra/bootstrapping/**
       - infra/scripts/**
+permissions:
+  id-token: write
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
@@ -26,7 +28,9 @@ jobs:
     - name: azure login
       uses: azure/login@v1
       with:
-        creds: ${{secrets.AZUREML_CREDENTIALS}}
+        client-id: ${{ secrets.OIDC_AZURE_CLIENT_ID }}
+        tenant-id: ${{ secrets.OIDC_AZURE_TENANT_ID }}
+        subscription-id: ${{ secrets.OIDC_AZURE_SUBSCRIPTION_ID }}
         enable-AzPSSession: true
       continue-on-error: true
     - name: "Install Az Modules"

diff --git a/.github/workflows/bootstrapping-infra.yml b/.github/workflows/bootstrapping-infra.yml
@@ -24,6 +24,8 @@ on:
       - cli/**
       - infra/bootstrapping/**
 
+permissions:
+  id-token: write
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
@@ -46,7 +48,9 @@ jobs:
     - name: azure login
       uses: azure/login@v1
       with:
-        creds: ${{secrets.AZUREML_CREDENTIALS}}
+        client-id: ${{ secrets.OIDC_AZURE_CLIENT_ID }}
+        tenant-id: ${{ secrets.OIDC_AZURE_TENANT_ID }}
+        subscription-id: ${{ secrets.OIDC_AZURE_SUBSCRIPTION_ID }}
     - name: bootstrap infra resources
       run: |
           [[ -z "${RUN_BOOTSTRAP:-}" ]] && RUN_BOOTSTRAP='true'

diff --git a/.github/workflows/bootstrapping-resources.yml b/.github/workflows/bootstrapping-resources.yml
@@ -11,6 +11,8 @@ on:
       - .github/workflows/bootstrapping-resources.yml
       - cli/**
       - infra/bootstrapping/**
+permissions:
+  id-token: write
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
@@ -29,7 +31,9 @@ jobs:
     - name: azure login
       uses: azure/login@v1
       with:
-        creds: ${{secrets.AZUREML_CREDENTIALS}}
+        client-id: ${{ secrets.OIDC_AZURE_CLIENT_ID }}
+        tenant-id: ${{ secrets.OIDC_AZURE_TENANT_ID }}
+        subscription-id: ${{ secrets.OIDC_AZURE_SUBSCRIPTION_ID }}
     - name: bootstrap resources
       run: |
           echo '${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}';

diff --git a/.github/workflows/cli-assets-component-pipeline.yml b/.github/workflows/cli-assets-component-pipeline.yml
@@ -16,6 +16,8 @@ on:
       - infra/bootstrapping/**
       - .github/workflows/cli-assets-component-pipeline.yml
       - cli/setup.sh
+permissions:
+  id-token: write
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
@@ -28,7 +30,9 @@ jobs:
     - name: azure login
       uses: azure/login@v1
       with:
-        creds: ${{secrets.AZUREML_CREDENTIALS}}
+        client-id: ${{ secrets.OIDC_AZURE_CLIENT_ID }}
+        tenant-id: ${{ secrets.OIDC_AZURE_TENANT_ID }}
+        subscription-id: ${{ secrets.OIDC_AZURE_SUBSCRIPTION_ID }}
     - name: bootstrap resources
       run: |
           bash bootstrap.sh

diff --git a/.github/workflows/cli-assets-component-train.yml b/.github/workflows/cli-assets-component-train.yml
@@ -16,6 +16,8 @@ on:
       - infra/bootstrapping/**
       - .github/workflows/cli-assets-component-train.yml
       - cli/setup.sh
+permissions:
+  id-token: write
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
@@ -28,7 +30,9 @@ jobs:
     - name: azure login
       uses: azure/login@v1
       with:
-        creds: ${{secrets.AZUREML_CREDENTIALS}}
+        client-id: ${{ secrets.OIDC_AZURE_CLIENT_ID }}
+        tenant-id: ${{ secrets.OIDC_AZURE_TENANT_ID }}
+        subscription-id: ${{ secrets.OIDC_AZURE_SUBSCRIPTION_ID }}
     - name: bootstrap resources
       run: |
           bash bootstrap.sh

diff --git a/.github/workflows/cli-assets-data-cloud-file-https.yml b/.github/workflows/cli-assets-data-cloud-file-https.yml
@@ -16,6 +16,8 @@ on:
       - infra/bootstrapping/**
       - .github/workflows/cli-assets-data-cloud-file-https.yml
       - cli/setup.sh
+permissions:
+  id-token: write
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
@@ -28,7 +30,9 @@ jobs:
     - name: azure login
       uses: azure/login@v1
       with:
-        creds: ${{secrets.AZUREML_CREDENTIALS}}
+        client-id: ${{ secrets.OIDC_AZURE_CLIENT_ID }}
+        tenant-id: ${{ secrets.OIDC_AZURE_TENANT_ID }}
+        subscription-id: ${{ secrets.OIDC_AZURE_SUBSCRIPTION_ID }}
     - name: bootstrap resources
       run: |
           bash bootstrap.sh

diff --git a/.github/workflows/cli-assets-data-cloud-file-wasbs.yml b/.github/workflows/cli-assets-data-cloud-file-wasbs.yml
@@ -16,6 +16,8 @@ on:
       - infra/bootstrapping/**
       - .github/workflows/cli-assets-data-cloud-file-wasbs.yml
       - cli/setup.sh
+permissions:
+  id-token: write
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
@@ -28,7 +30,9 @@ jobs:
     - name: azure login
       uses: azure/login@v1
       with:
-        creds: ${{secrets.AZUREML_CREDENTIALS}}
+        client-id: ${{ secrets.OIDC_AZURE_CLIENT_ID }}
+        tenant-id: ${{ secrets.OIDC_AZURE_TENANT_ID }}
+        subscription-id: ${{ secrets.OIDC_AZURE_SUBSCRIPTION_ID }}
     - name: bootstrap resources
       run: |
           bash bootstrap.sh

diff --git a/.github/workflows/cli-assets-data-cloud-file.yml b/.github/workflows/cli-assets-data-cloud-file.yml
@@ -16,6 +16,8 @@ on:
       - infra/bootstrapping/**
       - .github/workflows/cli-assets-data-cloud-file.yml
       - cli/setup.sh
+permissions:
+  id-token: write
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
@@ -28,7 +30,9 @@ jobs:
     - name: azure login
       uses: azure/login@v1
       with:
-        creds: ${{secrets.AZUREML_CREDENTIALS}}
+        client-id: ${{ secrets.OIDC_AZURE_CLIENT_ID }}
+        tenant-id: ${{ secrets.OIDC_AZURE_TENANT_ID }}
+        subscription-id: ${{ secrets.OIDC_AZURE_SUBSCRIPTION_ID }}
     - name: bootstrap resources
       run: |
           bash bootstrap.sh

diff --git a/.github/workflows/cli-assets-data-cloud-folder-https.yml b/.github/workflows/cli-assets-data-cloud-folder-https.yml
@@ -16,6 +16,8 @@ on:
       - infra/bootstrapping/**
       - .github/workflows/cli-assets-data-cloud-folder-https.yml
       - cli/setup.sh
+permissions:
+  id-token: write
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
@@ -28,7 +30,9 @@ jobs:
     - name: azure login
       uses: azure/login@v1
       with:
-        creds: ${{secrets.AZUREML_CREDENTIALS}}
+        client-id: ${{ secrets.OIDC_AZURE_CLIENT_ID }}
+        tenant-id: ${{ secrets.OIDC_AZURE_TENANT_ID }}
+        subscription-id: ${{ secrets.OIDC_AZURE_SUBSCRIPTION_ID }}
     - name: bootstrap resources
       run: |
           bash bootstrap.sh

diff --git a/.github/workflows/cli-assets-data-cloud-folder.yml b/.github/workflows/cli-assets-data-cloud-folder.yml
@@ -16,6 +16,8 @@ on:
       - infra/bootstrapping/**
       - .github/workflows/cli-assets-data-cloud-folder.yml
       - cli/setup.sh
+permissions:
+  id-token: write
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
@@ -28,7 +30,9 @@ jobs:
     - name: azure login
       uses: azure/login@v1
       with:
-        creds: ${{secrets.AZUREML_CREDENTIALS}}
+        client-id: ${{ secrets.OIDC_AZURE_CLIENT_ID }}
+        tenant-id: ${{ secrets.OIDC_AZURE_TENANT_ID }}
+        subscription-id: ${{ secrets.OIDC_AZURE_SUBSCRIPTION_ID }}
     - name: bootstrap resources
       run: |
           bash bootstrap.sh

diff --git a/.github/workflows/cli-assets-data-cloud-mltable.yml b/.github/workflows/cli-assets-data-cloud-mltable.yml
@@ -16,6 +16,8 @@ on:
       - infra/bootstrapping/**
       - .github/workflows/cli-assets-data-cloud-mltable.yml
       - cli/setup.sh
+permissions:
+  id-token: write
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
@@ -28,7 +30,9 @@ jobs:
     - name: azure login
       uses: azure/login@v1
       with:
-        creds: ${{secrets.AZUREML_CREDENTIALS}}
+        client-id: ${{ secrets.OIDC_AZURE_CLIENT_ID }}
+        tenant-id: ${{ secrets.OIDC_AZURE_TENANT_ID }}
+        subscription-id: ${{ secrets.OIDC_AZURE_SUBSCRIPTION_ID }}
     - name: bootstrap resources
       run: |
           bash bootstrap.sh

diff --git a/.github/workflows/cli-assets-data-iris-csv-example.yml b/.github/workflows/cli-assets-data-iris-csv-example.yml
@@ -16,6 +16,8 @@ on:
       - infra/bootstrapping/**
       - .github/workflows/cli-assets-data-iris-csv-example.yml
       - cli/setup.sh
+permissions:
+  id-token: write
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
@@ -28,7 +30,9 @@ jobs:
     - name: azure login
       uses: azure/login@v1
       with:
-        creds: ${{secrets.AZUREML_CREDENTIALS}}
+        client-id: ${{ secrets.OIDC_AZURE_CLIENT_ID }}
+        tenant-id: ${{ secrets.OIDC_AZURE_TENANT_ID }}
+        subscription-id: ${{ secrets.OIDC_AZURE_SUBSCRIPTION_ID }}
     - name: bootstrap resources
       run: |
           bash bootstrap.sh

diff --git a/.github/workflows/cli-assets-data-local-file.yml b/.github/workflows/cli-assets-data-local-file.yml
@@ -16,6 +16,8 @@ on:
       - infra/bootstrapping/**
       - .github/workflows/cli-assets-data-local-file.yml
       - cli/setup.sh
+permissions:
+  id-token: write
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
@@ -28,7 +30,9 @@ jobs:
     - name: azure login
       uses: azure/login@v1
       with:
-        creds: ${{secrets.AZUREML_CREDENTIALS}}
+        client-id: ${{ secrets.OIDC_AZURE_CLIENT_ID }}
+        tenant-id: ${{ secrets.OIDC_AZURE_TENANT_ID }}
+        subscription-id: ${{ secrets.OIDC_AZURE_SUBSCRIPTION_ID }}
     - name: bootstrap resources
       run: |
           bash bootstrap.sh

diff --git a/.github/workflows/cli-assets-data-local-folder-sampledata.yml b/.github/workflows/cli-assets-data-local-folder-sampledata.yml
@@ -16,6 +16,8 @@ on:
       - infra/bootstrapping/**
       - .github/workflows/cli-assets-data-local-folder-sampledata.yml
       - cli/setup.sh
+permissions:
+  id-token: write
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
@@ -28,7 +30,9 @@ jobs:
     - name: azure login
       uses: azure/login@v1
       with:
-        creds: ${{secrets.AZUREML_CREDENTIALS}}
+        client-id: ${{ secrets.OIDC_AZURE_CLIENT_ID }}
+        tenant-id: ${{ secrets.OIDC_AZURE_TENANT_ID }}
+        subscription-id: ${{ secrets.OIDC_AZURE_SUBSCRIPTION_ID }}
     - name: bootstrap resources
       run: |
           bash bootstrap.sh

diff --git a/.github/workflows/cli-assets-data-local-folder.yml b/.github/workflows/cli-assets-data-local-folder.yml
@@ -16,6 +16,8 @@ on:
       - infra/bootstrapping/**
       - .github/workflows/cli-assets-data-local-folder.yml
       - cli/setup.sh
+permissions:
+  id-token: write
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
@@ -28,7 +30,9 @@ jobs:
     - name: azure login
       uses: azure/login@v1
       with:
-        creds: ${{secrets.AZUREML_CREDENTIALS}}
+        client-id: ${{ secrets.OIDC_AZURE_CLIENT_ID }}
+        tenant-id: ${{ secrets.OIDC_AZURE_TENANT_ID }}
+        subscription-id: ${{ secrets.OIDC_AZURE_SUBSCRIPTION_ID }}
     - name: bootstrap resources
       run: |
           bash bootstrap.sh

diff --git a/.github/workflows/cli-assets-data-local-mltable.yml b/.github/workflows/cli-assets-data-local-mltable.yml
@@ -16,6 +16,8 @@ on:
       - infra/bootstrapping/**
       - .github/workflows/cli-assets-data-local-mltable.yml
       - cli/setup.sh
+permissions:
+  id-token: write
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
@@ -28,7 +30,9 @@ jobs:
     - name: azure login
       uses: azure/login@v1
       with:
-        creds: ${{secrets.AZUREML_CREDENTIALS}}
+        client-id: ${{ secrets.OIDC_AZURE_CLIENT_ID }}
+        tenant-id: ${{ secrets.OIDC_AZURE_TENANT_ID }}
+        subscription-id: ${{ secrets.OIDC_AZURE_SUBSCRIPTION_ID }}
     - name: bootstrap resources
       run: |
           bash bootstrap.sh

diff --git a/.github/workflows/cli-assets-data-public-file-https.yml b/.github/workflows/cli-assets-data-public-file-https.yml
@@ -16,6 +16,8 @@ on:
       - infra/bootstrapping/**
       - .github/workflows/cli-assets-data-public-file-https.yml
       - cli/setup.sh
+permissions:
+  id-token: write
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
@@ -28,7 +30,9 @@ jobs:
     - name: azure login
       uses: azure/login@v1
       with:
-        creds: ${{secrets.AZUREML_CREDENTIALS}}
+        client-id: ${{ secrets.OIDC_AZURE_CLIENT_ID }}
+        tenant-id: ${{ secrets.OIDC_AZURE_TENANT_ID }}
+        subscription-id: ${{ secrets.OIDC_AZURE_SUBSCRIPTION_ID }}
     - name: bootstrap resources
       run: |
           bash bootstrap.sh

diff --git a/.github/workflows/cli-assets-environment-docker-context.yml b/.github/workflows/cli-assets-environment-docker-context.yml
@@ -16,6 +16,8 @@ on:
       - infra/bootstrapping/**
       - .github/workflows/cli-assets-environment-docker-context.yml
       - cli/setup.sh
+permissions:
+  id-token: write
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
@@ -28,7 +30,9 @@ jobs:
     - name: azure login
       uses: azure/login@v1
       with:
-        creds: ${{secrets.AZUREML_CREDENTIALS}}
+        client-id: ${{ secrets.OIDC_AZURE_CLIENT_ID }}
+        tenant-id: ${{ secrets.OIDC_AZURE_TENANT_ID }}
+        subscription-id: ${{ secrets.OIDC_AZURE_SUBSCRIPTION_ID }}
     - name: bootstrap resources
       run: |
           bash bootstrap.sh

diff --git a/.github/workflows/cli-assets-environment-docker-image-plus-conda.yaml b/.github/workflows/cli-assets-environment-docker-image-plus-conda.yaml
@@ -16,6 +16,8 @@ on:
       - infra/bootstrapping/**
       - .github/workflows/cli-assets-environment-docker-image-plus-conda.yaml
       - cli/setup.sh
+permissions:
+  id-token: write
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
@@ -28,7 +30,9 @@ jobs:
     - name: azure login
       uses: azure/login@v1
       with:
-        creds: ${{secrets.AZUREML_CREDENTIALS}}
+        client-id: ${{ secrets.OIDC_AZURE_CLIENT_ID }}
+        tenant-id: ${{ secrets.OIDC_AZURE_TENANT_ID }}
+        subscription-id: ${{ secrets.OIDC_AZURE_SUBSCRIPTION_ID }}
     - name: bootstrap resources
       run: |
           bash bootstrap.sh

diff --git a/.github/workflows/cli-assets-environment-docker-image.yml b/.github/workflows/cli-assets-environment-docker-image.yml
@@ -16,6 +16,8 @@ on:
       - infra/bootstrapping/**
       - .github/workflows/cli-assets-environment-docker-image.yml
       - cli/setup.sh
+permissions:
+  id-token: write
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
@@ -28,7 +30,9 @@ jobs:
     - name: azure login
       uses: azure/login@v1
       with:
-        creds: ${{secrets.AZUREML_CREDENTIALS}}
+        client-id: ${{ secrets.OIDC_AZURE_CLIENT_ID }}
+        tenant-id: ${{ secrets.OIDC_AZURE_TENANT_ID }}
+        subscription-id: ${{ secrets.OIDC_AZURE_SUBSCRIPTION_ID }}
     - name: bootstrap resources
       run: |
           bash bootstrap.sh