From 36399574f4796f34462916e153cc5eaa5965f960 Mon Sep 17 00:00:00 2001
From: Akash Singhal
Date: Wed, 8 May 2024 13:07:00 -0700
Subject: [PATCH] ci: update azure SP federated credentials (#1442)

---
 .github/workflows/build-pr.yml | 5 +++-
 .github/workflows/e2e-aks.yml | 33 +++++++++++++++++++++--
 .github/workflows/run-full-validation.yml | 5 +++-
 3 files changed, 39 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/build-pr.yml b/.github/workflows/build-pr.yml
index 36496e392..25134f953 100644
--- a/.github/workflows/build-pr.yml
+++ b/.github/workflows/build-pr.yml
@@ -69,6 +69,7 @@ jobs:
 permissions:
 id-token: write
 contents: read
+ environment: azure-test
 steps:
 - name: Check out code into the Go module directory
 uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
@@ -80,7 +81,9 @@ jobs:
 - name: Az CLI login
 uses: azure/login@6b2456866fc08b011acb422a92a4aa20e2c4de32 # v2.1.0
 with:
- creds: '{"clientId":"${{ env.AZURE_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_CLIENT_SECRET }}","subscriptionId":"${{ env.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ env.AZURE_TENANT_ID }}"}'
+ client-id: ${{ env.AZURE_CLIENT_ID }}
+ tenant-id: ${{ env.AZURE_TENANT_ID }}
+ subscription-id: ${{ env.AZURE_SUBSCRIPTION_ID }}
 
 - name: clean up
 run: |
diff --git a/.github/workflows/e2e-aks.yml b/.github/workflows/e2e-aks.yml
index 960b9e711..45f9b7422 100644
--- a/.github/workflows/e2e-aks.yml
+++ b/.github/workflows/e2e-aks.yml
@@ -26,6 +26,10 @@ jobs:
 AZURE_SUBSCRIPTION_ID: daae1e1a-63dc-454f-825d-b39289070f79
 runs-on: ubuntu-latest
 timeout-minutes: 30
+ environment: azure-test
+ permissions:
+ id-token: write
+ contents: read
 steps:
 - name: Check out code into the Go module directory
 uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
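Review bot: Dropping `secrets.AZURE_CLIENT_SECRET` from the `azure/login` inputs in the second build-pr.yml hunk stops the workflow from using the password credential, but it does not invalidate it: the client secret remains usable in Entra ID until it is deleted from the app registration, and the repository secret should be removed too so a later edit cannot quietly fall back to it. Neither cleanup is visible in this patch, so consider tracking it in the PR or a follow-up. The new `client-id`/`tenant-id`/`subscription-id` values come from `env` rather than secrets, which is appropriate since they are identifiers, not credentials; a one-line comment such as `# OIDC federated login: no client secret, the GitHub id-token is exchanged for an Azure token` above the step would make the intent obvious to the next reader. The job this step belongs to starts before the hunk.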
@@ -33,11 +37,36 @@ jobs:
 uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
 with:
 go-version: '1.21'
-
+ - name: Update az cli # TODO: remove after az cli is updated in the runnger image to be >= 2.60.0
+ run: |
+ sudo apt-get update
+ sudo apt-get install apt-transport-https ca-certificates curl gnupg lsb-release
+ sudo mkdir -p /etc/apt/keyrings
+ curl -sLS https://packages.microsoft.com/keys/microsoft.asc |
+ sudo gpg --dearmor -o /etc/apt/keyrings/microsoft.gpg
+ sudo chmod go+r /etc/apt/keyrings/microsoft.gpg
+ AZ_DIST=$(lsb_release -cs)
+ echo "Types: deb
+ URIs: https://packages.microsoft.com/repos/azure-cli/
+ Suites: ${AZ_DIST}
+ Components: main
+ Architectures: $(dpkg --print-architecture)
+ Signed-by: /etc/apt/keyrings/microsoft.gpg" | sudo tee /etc/apt/sources.list.d/azure-cli.sources
+ AZ_VER=2.60.0
+ sudo apt-get update && sudo apt-get install azure-cli
 - name: Az CLI login
 uses: azure/login@6b2456866fc08b011acb422a92a4aa20e2c4de32 # v2.1.0
 with:
- creds: '{"clientId":"${{ env.AZURE_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_CLIENT_SECRET }}","subscriptionId":"${{ env.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ env.AZURE_TENANT_ID }}"}'
+ client-id: ${{ env.AZURE_CLIENT_ID }}
+ tenant-id: ${{ env.AZURE_TENANT_ID }}
+ subscription-id: ${{ env.AZURE_SUBSCRIPTION_ID }}
+ - name: Cache AAD tokens
+ run: |
+ az version
+ # Key Vault:
+ az account get-access-token --scope https://vault.azure.net/.default --output none
+ # Container Registry:
+ az account get-access-token --scope https://containerregistry.azure.net/.default --output none
 
 - name: Dependencies e2e
 run: |
diff --git a/.github/workflows/run-full-validation.yml b/.github/workflows/run-full-validation.yml
index b3191b30e..0b387ef6e 100644
--- a/.github/workflows/run-full-validation.yml
+++ b/.github/workflows/run-full-validation.yml
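Review bot: `AZ_VER=2.60.0` in the new "Update az cli" step is assigned but never used, so `sudo apt-get install azure-cli` installs whatever version the Microsoft repo currently serves rather than the pinned one the variable (and the TODO's `>= 2.60.0` requirement) implies; use it in the install line, `sudo apt-get install -y azure-cli=${AZ_VER}-1~${AZ_DIST}` (the `-1~<dist>` suffix follows the package naming in Microsoft's apt repo; confirm against the repo before relying on it). The `-y` also matters on its own, since both `apt-get install` calls currently rely on apt never needing to prompt on the non-interactive runner. The signing-key download, `curl -sLS ... | sudo gpg --dearmor`, has no `-f`, so an HTTP error body would be dearmored into `microsoft.gpg` and only surface later as a signature failure in `apt-get update`; `curl -fsSL` fails at the download instead. Minor: `runnger` in the TODO comment is a typo for `runner`.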
@@ -59,6 +59,7 @@ jobs:
 permissions:
 id-token: write
 contents: read
+ environment: azure-test
 steps:
 - name: Check out code into the Go module directory
 uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
@@ -70,7 +71,9 @@ jobs:
 - name: Az CLI login
 uses: azure/login@6b2456866fc08b011acb422a92a4aa20e2c4de32 # v2.1.0
 with:
- creds: '{"clientId":"${{ env.AZURE_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_CLIENT_SECRET }}","subscriptionId":"${{ env.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ env.AZURE_TENANT_ID }}"}'
+ client-id: ${{ env.AZURE_CLIENT_ID }}
+ tenant-id: ${{ env.AZURE_TENANT_ID }}
+ subscription-id: ${{ env.AZURE_SUBSCRIPTION_ID }}
 
 - name: clean up
 run: |
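Review bot: The added `environment: azure-test` in the first hunk changes the subject claim of the GitHub OIDC token this job presents to Azure (it becomes the `environment:azure-test` form rather than the branch or pull-request form), so the federated credential on the service principal must be configured with exactly that subject or `azure/login` will be rejected; nothing in the patch shows the Azure-side configuration, so confirm it matches. If the `azure-test` environment carries protection rules (required reviewers, branch restrictions), those now gate this job as well, which is a reasonable control for a job that obtains cloud credentials but should be a deliberate choice. A short comment on the new line, `# environment scopes the OIDC subject; the SP's federated credential must match environment:azure-test`, would record why it is required. The job definition starts before the hunk.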