github: use federated auth for Azure login

Use federated authentication with GitHub Actions and Azure Entra ID for the Azure login commands during build-git-installers.yml builds. This will allow us to drop the use of a client secret to authenticate as the signing identity for Trusted Code Signing. Signed-off-by: Matthew John Cheetham <mjcheetham@outlook.com>
microsoft · Jul 17, 2024 · 8a7f3f4 · 8a7f3f4
1 parent 85bef5f
commit 8a7f3f4
Showing 1 changed file with 10 additions and 2 deletions.
diff --git a/.github/workflows/build-git-installers.yml b/.github/workflows/build-git-installers.yml
@@ -5,6 +5,9 @@ on:
     tags:
       - 'v[0-9]*vfs*' # matches "v<number><any characters>vfs<any characters>"
 
+permissions:
+  id-token: write # required for Azure login via OIDC
+
 jobs:
   # Check prerequisites for the workflow
   prereqs:
@@ -546,7 +549,9 @@ jobs:
       - name: Log into Azure
         uses: azure/login@v1
         with:
-          creds: ${{ secrets.AZURE_CREDENTIALS }}
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
       - name: Prepare for GPG signing
         env:
@@ -661,6 +666,7 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: write
+      id-token: write # required for Azure login via OIDC
     needs:
       - validate-installers
       - create-linux-artifacts
@@ -704,7 +710,9 @@ jobs:
       - name: Log into Azure
         uses: azure/login@v1
         with:
-          creds: ${{ secrets.AZURE_CREDENTIALS }}
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
       - name: Download GPG public key signature file
         run: |