From 2e9909b03ef4b34716172465adb9965a8a915685 Mon Sep 17 00:00:00 2001
From: Matthew John Cheetham
Date: Mon, 24 Jun 2024 14:27:45 -0700
Subject: [PATCH] github: use federated auth for Azure login

Use federated authentication with GitHub Actions and Azure Entra ID for the Azure login commands during build-git-installers.yml builds. This will allow us to drop the use of a client secret to authenticate as the signing identity for Trusted Code Signing.

Signed-off-by: Matthew John Cheetham
---
 .github/workflows/build-git-installers.yml | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build-git-installers.yml b/.github/workflows/build-git-installers.yml
index 3eb4bda2d90771..a8b5919328f5ba 100644
--- a/.github/workflows/build-git-installers.yml
+++ b/.github/workflows/build-git-installers.yml
@@ -5,6 +5,9 @@ on:
     tags:
       - 'v[0-9]*vfs*' # matches "vvfs"
 
+permissions:
+  id-token: write # required for Azure login via OIDC
+
 jobs:
   # Check prerequisites for the workflow
   prereqs:
@@ -546,7 +549,9 @@ jobs:
       - name: Log into Azure
         uses: azure/login@v1
         with:
-          creds: ${{ secrets.AZURE_CREDENTIALS }}
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
       - name: Prepare for GPG signing
         env:
@@ -661,6 +666,7 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: write
+      id-token: write # required for Azure login via OIDC
     needs:
       - validate-installers
       - create-linux-artifacts
@@ -704,7 +710,9 @@ jobs:
       - name: Log into Azure
         uses: azure/login@v1
         with:
-          creds: ${{ secrets.AZURE_CREDENTIALS }}
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
       - name: Download GPG public key signature file
         run: |
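Review bot: The workflow-level `permissions:` block added in the first hunk grants `id-token: write` to every job that does not declare its own `permissions`, and because a workflow-level block sets every unlisted scope to none, those jobs also lose the default `contents: read` (and any other default scope) they may have been relying on for checkout or artifact steps. Only the two jobs that run `azure/login` need an OIDC token, so the narrower form is a job-level block on each of them, as the third hunk already does for the job that has `contents: write`; the job containing the first `Log into Azure` step (second hunk) would get `permissions:` / `contents: read` / `id-token: write` and the top-level block could then be dropped. The enclosing job of that step starts outside the hunk, so whether it already carries a `permissions` block cannot be confirmed from here.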
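Review bot: With `creds` replaced by `client-id`/`tenant-id`/`subscription-id` in the second hunk, nothing in the workflow itself bounds who can assume the signing identity any more; that boundary now lives entirely in the federated credential's subject filter in Entra ID, which this diff cannot show. It is worth confirming that the filter is scoped to this repository and to the tag ref pattern or a protected environment rather than a broad subject, since any run matching the subject receives the token; the same applies to the identical step in the last hunk. Once this is merged, the `AZURE_CREDENTIALS` secret and the client secret it carries should be retired so that an older branch or tag of the workflow cannot still authenticate with it.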