@sprt sprt commented Jun 6, 2025

Please see commit message for details.

Test run: https://github.com/kata-containers/kata-containers/actions/runs/15499171566

Ready for review but let's wait until Monday 6/9 to merge this.

@zvonkok As explained in the commit message, I make use of the ci environment for this. I don't think there's any downside?

@sprt sprt force-pushed the sprt/azure-oidc branch from 7ed27a3 to 4ce2034 Compare June 6, 2025 15:52
@sprt sprt marked this pull request as ready for review June 6, 2025 15:54

@stevenhorsman stevenhorsman left a comment

The code LGTM. Once the CI-dev job has completed can you link it here, so we can see that the CI is still good. Thanks!

sprt commented Jun 6, 2025

Ah, these deployment comments (because of the ci environment) are a bit of an eyesore, but I vote to merge this as soon as reasonable and then potentially find a workaround for these.

@sprt sprt added the do-not-merge PR has problems or depends on another label Jun 6, 2025
This completely eliminates the Azure secret from the repo, following the below
guidance:

https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-azure

The federated identity is scoped to the `ci` environment, meaning:

 * I had to specify this environment in some YAMLs. I don't believe there's any
   downside to this.
 * As previously, the CI works seamlessly both from PRs and in the manual
   workflow.

I also deleted the tools/packaging/kata-deploy/action folder as it doesn't seem
to be used anymore, and it contains a reference to the secret.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
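
Why scoping the federated identity to the `ci` environment means the environment must be named in the workflow YAML, and why PR and manual runs then behave the same, shown as an added example that is not part of the PR or the project's code. It models GitHub's default `sub` claim formats and an exact-match federated credential. Assumptions: the default subject template is in use, PR runs use the `pull_request` event, and the refs and credential dictionary are constructed for illustration.

```python
# Added illustration (not from the PR): default GitHub Actions OIDC `sub`
# claims checked against a federated credential scoped to an environment.
ISSUER = "https://token.actions.githubusercontent.com"
AUDIENCE = "api://AzureADTokenExchange"  # audience Azure expects from GitHub
REPO = "kata-containers/kata-containers"

# Constructed credential: trusts only jobs that run in the `ci` environment.
CI_CREDENTIAL = {
    "issuer": ISSUER,
    "subject": f"repo:{REPO}:environment:ci",
    "audiences": [AUDIENCE],
}


def subject_claim(repo, event_name, ref, environment=None):
    """Default-format `sub` claim for a job's OIDC token."""
    if environment:                   # a job-level `environment:` takes priority
        return f"repo:{repo}:environment:{environment}"
    if event_name == "pull_request":  # all PR-triggered jobs share one subject
        return f"repo:{repo}:pull_request"
    return f"repo:{repo}:ref:{ref}"   # otherwise the branch or tag ref


def token_claims(repo, event_name, ref, environment=None):
    """Claims relevant to federation (constructed, unsigned, for illustration)."""
    return {"iss": ISSUER, "aud": AUDIENCE,
            "sub": subject_claim(repo, event_name, ref, environment)}


def credential_accepts(credential, claims):
    """Issuer, subject and audience must each match exactly (case-sensitive)."""
    return (claims["iss"] == credential["issuer"]
            and claims["sub"] == credential["subject"]
            and claims["aud"] in credential["audiences"])


def demo():
    """Evaluate constructed jobs: (event, ref, environment) -> accepted?"""
    jobs = [
        ("pull_request", "refs/pull/1/merge", "ci"),
        ("workflow_dispatch", "refs/heads/main", "ci"),
        ("pull_request", "refs/pull/1/merge", None),
        ("workflow_dispatch", "refs/heads/main", None),
    ]
    return {job: credential_accepts(CI_CREDENTIAL, token_claims(REPO, *job))
            for job in jobs}


if __name__ == "__main__":
    for job, ok in demo().items():
        print(job, "->", "accepted" if ok else "rejected")
```

A job that omits `environment: ci` gets a trigger-dependent subject, so the same credential rejects it; that is the failure to look for when a token exchange is refused after a migration like this one.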
@sprt sprt force-pushed the sprt/azure-oidc branch from 4ce2034 to 9dd3807 Compare June 6, 2025 20:26
@sprt sprt mentioned this pull request Jun 6, 2025
25 tasks
@sprt sprt removed the do-not-merge PR has problems or depends on another label Jun 6, 2025
@sprt sprt merged commit f34010c into main Jun 10, 2025
280 of 310 checks passed
sprt commented Jun 10, 2025

Force-merged as a YAML change with 2 approvals.

@stevenhorsman stevenhorsman deleted the sprt/azure-oidc branch July 22, 2025 10:44