From d417d1014c0209eb3e209bf4cf8d24d2df6ea875 Mon Sep 17 00:00:00 2001 From: akashsinghal Date: Mon, 6 May 2024 18:25:12 +0000 Subject: [PATCH 1/7] ci: update Azure SP federated credentials --- .github/workflows/build-pr.yml | 5 ++++- .github/workflows/e2e-aks.yml | 5 ++++- .github/workflows/run-full-validation.yml | 5 ++++- 3 files changed, 12 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build-pr.yml b/.github/workflows/build-pr.yml index 80862ce7e..8f42f4ba0 100644 --- a/.github/workflows/build-pr.yml +++ b/.github/workflows/build-pr.yml @@ -69,6 +69,7 @@ jobs: permissions: id-token: write contents: read + environment: aks-deploy steps: - name: Check out code into the Go module directory uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 @@ -80,7 +81,9 @@ jobs: - name: Az CLI login uses: azure/login@6b2456866fc08b011acb422a92a4aa20e2c4de32 # v2.1.0 with: - creds: '{"clientId":"${{ env.AZURE_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_CLIENT_SECRET }}","subscriptionId":"${{ env.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ env.AZURE_TENANT_ID }}"}' + client-id: ${{ env.AZURE_CLIENT_ID }} + tenant-id: ${{ env.AZURE_TENANT_ID }} + subscription-id: ${{ env.AZURE_SUBSCRIPTION_ID }} - name: clean up run: | diff --git a/.github/workflows/e2e-aks.yml b/.github/workflows/e2e-aks.yml index 8bbe6c45d..3364dadf6 100644 --- a/.github/workflows/e2e-aks.yml +++ b/.github/workflows/e2e-aks.yml @@ -26,6 +26,7 @@ jobs: AZURE_SUBSCRIPTION_ID: daae1e1a-63dc-454f-825d-b39289070f79 runs-on: ubuntu-latest timeout-minutes: 30 + environment: aks-deploy steps: - name: Check out code into the Go module directory uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 
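Review bot: The `creds` JSON that carried `secrets.AZURE_CLIENT_SECRET` is dropped here and in the matching hunks for e2e-aks.yml and run-full-validation.yml, but nothing in the series retires that secret; once the federated login is confirmed working, the client secret should be removed from the service principal and the `AZURE_CLIENT_SECRET` repository secret deleted, otherwise the long-lived credential stays valid alongside the short-lived one. The new `environment: aks-deploy` presumably matches the subject claim the service principal's federated credential trusts, which means any job in this repository that declares that environment together with `id-token: write` can obtain a token for it, so the environment's protection rules (deployment branch policy, required reviewers) are the real gate — worth confirming they are set, since the `safe to test` label used later in the series suggests pull-request-triggered runs reach this job. A one-line comment above `environment:` such as `# required: the Azure federated credential's subject is bound to this environment name` would keep the next maintainer from removing it as unused. The job's remaining steps continue outside the hunk.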
@@ -37,7 +38,9 @@ jobs: - name: Az CLI login uses: azure/login@6b2456866fc08b011acb422a92a4aa20e2c4de32 # v2.1.0 with: - creds: '{"clientId":"${{ env.AZURE_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_CLIENT_SECRET }}","subscriptionId":"${{ env.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ env.AZURE_TENANT_ID }}"}' + client-id: ${{ env.AZURE_CLIENT_ID }} + tenant-id: ${{ env.AZURE_TENANT_ID }} + subscription-id: ${{ env.AZURE_SUBSCRIPTION_ID }} - name: Dependencies e2e run: | diff --git a/.github/workflows/run-full-validation.yml b/.github/workflows/run-full-validation.yml index 6c015d156..b4862e9e1 100644 --- a/.github/workflows/run-full-validation.yml +++ b/.github/workflows/run-full-validation.yml @@ -59,6 +59,7 @@ jobs: permissions: id-token: write contents: read + environment: aks-deploy steps: - name: Check out code into the Go module directory uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 @@ -70,7 +71,9 @@ jobs: - name: Az CLI login uses: azure/login@6b2456866fc08b011acb422a92a4aa20e2c4de32 # v2.1.0 with: - creds: '{"clientId":"${{ env.AZURE_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_CLIENT_SECRET }}","subscriptionId":"${{ env.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ env.AZURE_TENANT_ID }}"}' + client-id: ${{ env.AZURE_CLIENT_ID }} + tenant-id: ${{ env.AZURE_TENANT_ID }} + subscription-id: ${{ env.AZURE_SUBSCRIPTION_ID }} - name: clean up run: | From d7b5bc400d805f2738136d1cd4bb6189e5f289bf Mon Sep 17 00:00:00 2001 From: akashsinghal Date: Mon, 6 May 2024 18:38:57 +0000 Subject: [PATCH 2/7] fix token scope --- .github/workflows/e2e-aks.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/e2e-aks.yml b/.github/workflows/e2e-aks.yml index 3364dadf6..7757370c0 100644 --- a/.github/workflows/e2e-aks.yml +++ b/.github/workflows/e2e-aks.yml 
@@ -27,6 +27,9 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 30 environment: aks-deploy + permissions: + id-token: write + contents: read steps: - name: Check out code into the Go module directory uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 From 0608d04d85d0f27f2bdea450b2cd0b3dd6aadc9b Mon Sep 17 00:00:00 2001 From: akashsinghal Date: Mon, 6 May 2024 19:29:24 +0000 Subject: [PATCH 3/7] upgrade az cli --- .github/workflows/e2e-aks.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/.github/workflows/e2e-aks.yml b/.github/workflows/e2e-aks.yml index 7757370c0..239aab182 100644 --- a/.github/workflows/e2e-aks.yml +++ b/.github/workflows/e2e-aks.yml @@ -44,6 +44,16 @@ jobs: client-id: ${{ env.AZURE_CLIENT_ID }} tenant-id: ${{ env.AZURE_TENANT_ID }} subscription-id: ${{ env.AZURE_SUBSCRIPTION_ID }} + - name: Update az cli + run: | + az upgrade --yes + - name: Cache AAD tokens + run: | + az version + # Key Vault: + az account get-access-token --scope https://vault.azure.net/.default --output none + # Container Registry: + az account get-access-token --scope https://containerregistry.azure.net/.default --output none - name: Dependencies e2e run: | From 096f28e8e439c9b7b3b8e9b1c777780de274b4f4 Mon Sep 17 00:00:00 2001 From: akashsinghal Date: Mon, 6 May 2024 19:44:35 +0000 Subject: [PATCH 4/7] fix --- .github/workflows/e2e-aks.yml | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/.github/workflows/e2e-aks.yml b/.github/workflows/e2e-aks.yml index 239aab182..bac03e494 100644 --- a/.github/workflows/e2e-aks.yml +++ b/.github/workflows/e2e-aks.yml 
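Review bot: The new `Cache AAD tokens` step says nothing about why the tokens are fetched up front, and the bare `az version` reads as leftover debugging; a comment above the step such as `# Pre-fetch Key Vault and ACR tokens into the az CLI cache so later steps reuse them; --output none keeps the tokens out of the job log` would record the intent (the reuse motive is inferred from the step name — confirm). `--output none` is the important part: without it each access token would be written to the job log, which on a public repository is world-readable. The rest of the job continues outside the hunk.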
@@ -37,16 +37,29 @@ jobs:
 uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
 with:
 go-version: '1.21'
-
+ - name: Update az cli
+ run: |
+ sudo apt-get update
+ sudo apt-get install apt-transport-https ca-certificates curl gnupg lsb-release
+ sudo mkdir -p /etc/apt/keyrings
+ curl -sLS https://packages.microsoft.com/keys/microsoft.asc |
+ sudo gpg --dearmor -o /etc/apt/keyrings/microsoft.gpg
+ sudo chmod go+r /etc/apt/keyrings/microsoft.gpg
+ AZ_DIST=$(lsb_release -cs)
+ echo "Types: deb
+ URIs: https://packages.microsoft.com/repos/azure-cli/
+ Suites: ${AZ_DIST}
+ Components: main
+ Architectures: $(dpkg --print-architecture)
+ Signed-by: /etc/apt/keyrings/microsoft.gpg" | sudo tee /etc/apt/sources.list.d/azure-cli.sources
+ AZ_VER=2.60.0
+ sudo apt-get update && sudo apt-get install azure-cli
 - name: Az CLI login
 uses: azure/login@6b2456866fc08b011acb422a92a4aa20e2c4de32 # v2.1.0
 with:
 client-id: ${{ env.AZURE_CLIENT_ID }}
 tenant-id: ${{ env.AZURE_TENANT_ID }}
 subscription-id: ${{ env.AZURE_SUBSCRIPTION_ID }}
- - name: Update az cli
- run: |
- az upgrade --yes
 - name: Cache AAD tokens
 run: |
 az version
From d8693242a779b64457df5ed929e1554a48c7e16d Mon Sep 17 00:00:00 2001
From: akashsinghal
Date: Tue, 7 May 2024 17:15:52 +0000
Subject: [PATCH 5/7] update clean up trigger

---
 .github/workflows/build-pr.yml | 1 +
 .github/workflows/e2e-aks.yml | 2 +-
 .github/workflows/run-full-validation.yml | 1 +
 3 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/build-pr.yml b/.github/workflows/build-pr.yml
index 8f42f4ba0..ce3821e7c 100644
--- a/.github/workflows/build-pr.yml
+++ b/.github/workflows/build-pr.yml
@@ -64,6 +64,7 @@ jobs:
 AZURE_SUBSCRIPTION_ID: daae1e1a-63dc-454f-825d-b39289070f79
 AZURE_CLIENT_ID: 814e6e97-120c-4534-b8a9-f1645bc99500
 AZURE_TENANT_ID: 72f988bf-86f1-41af-91ab-2d7cd011db47
+ if: ${{ always() }}
 needs: ['build_test_aks_e2e_conditional']
 runs-on: ubuntu-latest
 permissions:
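Review bot: `AZ_VER=2.60.0` is assigned but never used, so the final `sudo apt-get update && sudo apt-get install azure-cli` installs whatever version the Microsoft repository currently serves rather than the pinned release the step exists to deliver; `sudo apt-get update && sudo apt-get install -y "azure-cli=${AZ_VER}-1~${AZ_DIST}"` pins it (the `-1~<suite>` package-version suffix follows Microsoft's install documentation — confirm against the repository before merging). The `apt-get install` calls also run without `-y`, so any run where apt asks for confirmation aborts under the runner's non-interactive shell. `curl -sLS` without `-f` exits 0 on an HTTP error and pipes the error body into `gpg --dearmor`; `curl -fsSL …` lets a failed key download fail the step under the default `bash -eo pipefail` step shell. The job's steps continue outside the hunk.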
diff --git a/.github/workflows/e2e-aks.yml b/.github/workflows/e2e-aks.yml
index bac03e494..02d452551 100644
--- a/.github/workflows/e2e-aks.yml
+++ b/.github/workflows/e2e-aks.yml
@@ -37,7 +37,7 @@ jobs:
 uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
 with:
 go-version: '1.21'
- - name: Update az cli
+ - name: Update az cli # TODO: remove after az cli is updated in the runnger image to be >= 2.60.0
 run: |
 sudo apt-get update
 sudo apt-get install apt-transport-https ca-certificates curl gnupg lsb-release
diff --git a/.github/workflows/run-full-validation.yml b/.github/workflows/run-full-validation.yml
index b4862e9e1..ab87b4c97 100644
--- a/.github/workflows/run-full-validation.yml
+++ b/.github/workflows/run-full-validation.yml
@@ -54,6 +54,7 @@ jobs:
 AZURE_SUBSCRIPTION_ID: daae1e1a-63dc-454f-825d-b39289070f79
 AZURE_CLIENT_ID: 814e6e97-120c-4534-b8a9-f1645bc99500
 AZURE_TENANT_ID: 72f988bf-86f1-41af-91ab-2d7cd011db47
+ if: ${{ always() }}
 needs: ['build_test_aks_e2e']
 runs-on: ubuntu-latest
 permissions:
From c2a464766355b74551bd869eb9b22ec28f9d3787 Mon Sep 17 00:00:00 2001
From: akashsinghal
Date: Tue, 7 May 2024 17:19:22 +0000
Subject: [PATCH 6/7] update trigger

---
 .github/workflows/build-pr.yml | 2 +-
 .github/workflows/run-full-validation.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build-pr.yml b/.github/workflows/build-pr.yml
index ce3821e7c..22c1ad811 100644
--- a/.github/workflows/build-pr.yml
+++ b/.github/workflows/build-pr.yml
@@ -64,7 +64,7 @@ jobs:
 AZURE_SUBSCRIPTION_ID: daae1e1a-63dc-454f-825d-b39289070f79
 AZURE_CLIENT_ID: 814e6e97-120c-4534-b8a9-f1645bc99500
 AZURE_TENANT_ID: 72f988bf-86f1-41af-91ab-2d7cd011db47
- if: ${{ always() }}
+ if: contains(github.event.pull_request.labels.*.name, 'safe to test') || github.event_name == 'workflow_dispatch' || github.event_name == 'push'
 needs: ['build_test_aks_e2e_conditional']
 runs-on: ubuntu-latest
 permissions:
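Review bot: The TODO added to the `Update az cli` step name has a typo, `runnger` for `runner`: `- name: Update az cli # TODO: remove after az cli is updated in the runner image to be >= 2.60.0`. Naming the check that lets the TODO be closed (for example `az version` on a fresh ubuntu-latest runner) would make it actionable. The step body continues outside the hunk.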
diff --git a/.github/workflows/run-full-validation.yml b/.github/workflows/run-full-validation.yml
index ab87b4c97..929a8995c 100644
--- a/.github/workflows/run-full-validation.yml
+++ b/.github/workflows/run-full-validation.yml
@@ -54,7 +54,7 @@ jobs:
 AZURE_SUBSCRIPTION_ID: daae1e1a-63dc-454f-825d-b39289070f79
 AZURE_CLIENT_ID: 814e6e97-120c-4534-b8a9-f1645bc99500
 AZURE_TENANT_ID: 72f988bf-86f1-41af-91ab-2d7cd011db47
- if: ${{ always() }}
+ if: contains(github.event.pull_request.labels.*.name, 'safe to test') || github.event_name == 'workflow_dispatch' || github.event_name == 'push'
 needs: ['build_test_aks_e2e']
 runs-on: ubuntu-latest
 permissions:
From 7e64999098f770ca81757907e7582328cbeeb574 Mon Sep 17 00:00:00 2001
From: akashsinghal
Date: Tue, 7 May 2024 18:02:21 +0000
Subject: [PATCH 7/7] updates

---
 .github/workflows/build-pr.yml | 3 +--
 .github/workflows/e2e-aks.yml | 2 +-
 .github/workflows/run-full-validation.yml | 3 +--
 3 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/build-pr.yml b/.github/workflows/build-pr.yml
index dccbd4376..25134f953 100644
--- a/.github/workflows/build-pr.yml
+++ b/.github/workflows/build-pr.yml
@@ -64,13 +64,12 @@ jobs:
 AZURE_SUBSCRIPTION_ID: daae1e1a-63dc-454f-825d-b39289070f79
 AZURE_CLIENT_ID: 814e6e97-120c-4534-b8a9-f1645bc99500
 AZURE_TENANT_ID: 72f988bf-86f1-41af-91ab-2d7cd011db47
- if: contains(github.event.pull_request.labels.*.name, 'safe to test') || github.event_name == 'workflow_dispatch' || github.event_name == 'push'
 needs: ['build_test_aks_e2e_conditional']
 runs-on: ubuntu-latest
 permissions:
 id-token: write
 contents: read
- environment: aks-deploy
+ environment: azure-test
 steps:
 - name: Check out code into the Go module directory
 uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
diff --git a/.github/workflows/e2e-aks.yml b/.github/workflows/e2e-aks.yml
index 970f72668..45f9b7422 100644
--- a/.github/workflows/e2e-aks.yml
+++ b/.github/workflows/e2e-aks.yml
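Review bot: Removing the `if:` on the clean up job here (and in the matching run-full-validation.yml hunk on the next line) leaves `needs: ['build_test_aks_e2e_conditional']` as the only gate, so the job is skipped whenever the e2e job fails or is cancelled — the runs most likely to leave AKS resources behind; if this job is the teardown its name suggests, `if: ${{ always() && needs.build_test_aks_e2e_conditional.result != 'skipped' }}` (with `needs.build_test_aks_e2e.result` in run-full-validation.yml) runs it after a failure while still skipping it when e2e never ran. Renaming `environment` to `azure-test` also changes the OIDC subject claim presented at login, so the service principal's federated credential on the Azure side must be updated to the new environment name or the `Az CLI login` step (outside this hunk) will start failing. The job's steps continue past the end of the hunk.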
@@ -26,7 +26,7 @@ jobs:
 AZURE_SUBSCRIPTION_ID: daae1e1a-63dc-454f-825d-b39289070f79
 runs-on: ubuntu-latest
 timeout-minutes: 30
- environment: aks-deploy
+ environment: azure-test
 permissions:
 id-token: write
 contents: read
diff --git a/.github/workflows/run-full-validation.yml b/.github/workflows/run-full-validation.yml
index 4564e1e9c..0b387ef6e 100644
--- a/.github/workflows/run-full-validation.yml
+++ b/.github/workflows/run-full-validation.yml
@@ -54,13 +54,12 @@ jobs:
 AZURE_SUBSCRIPTION_ID: daae1e1a-63dc-454f-825d-b39289070f79
 AZURE_CLIENT_ID: 814e6e97-120c-4534-b8a9-f1645bc99500
 AZURE_TENANT_ID: 72f988bf-86f1-41af-91ab-2d7cd011db47
- if: contains(github.event.pull_request.labels.*.name, 'safe to test') || github.event_name == 'workflow_dispatch' || github.event_name == 'push'
 needs: ['build_test_aks_e2e']
 runs-on: ubuntu-latest
 permissions:
 id-token: write
 contents: read
- environment: aks-deploy
+ environment: azure-test
 steps:
 - name: Check out code into the Go module directory
 uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5