Skip to content

Commit

Permalink
Use Azure Federated login mechanism rather than secrets (#662)
Browse files Browse the repository at this point in the history
Use federated authentication with GitHub Actions and Azure Entra ID for
the Azure login commands during `build-git-installers.yml` builds.

This will allow us to drop the use of a client secret to authenticate as
the signing identity for Trusted Code Signing.

The `AZURE_CLIENT_ID`, `AZURE_TENANT_ID`, and `AZURE_SUBSCRIPTION_ID`
secrets have already been added to the `release` environment, and a test
of the `azure/login` step using this mechanism and a subsequent `az`
command has been successfully demonstrated here:
https://github.com/microsoft/git/actions/runs/9652892561/job/26624014573
  • Loading branch information
dscho committed Jul 17, 2024
2 parents e460874 + 2e9909b commit a76a7b4
Showing 1 changed file with 10 additions and 2 deletions.
12 changes: 10 additions & 2 deletions .github/workflows/build-git-installers.yml
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,9 @@ on:
tags:
- 'v[0-9]*vfs*' # matches "v<number><any characters>vfs<any characters>"

permissions:
id-token: write # required for Azure login via OIDC

jobs:
# Check prerequisites for the workflow
prereqs:
Expand Down Expand Up @@ -546,7 +549,9 @@ jobs:
- name: Log into Azure
uses: azure/login@v1
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

- name: Prepare for GPG signing
env:
Expand Down Expand Up @@ -661,6 +666,7 @@ jobs:
runs-on: ubuntu-latest
permissions:
contents: write
id-token: write # required for Azure login via OIDC
needs:
- validate-installers
- create-linux-artifacts
Expand Down Expand Up @@ -704,7 +710,9 @@ jobs:
- name: Log into Azure
uses: azure/login@v1
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

- name: Download GPG public key signature file
run: |
Expand Down

0 comments on commit a76a7b4

Please sign in to comment.