Use OIDC for triggering npm publishing pipelines (#4649)
JamesBurnside committed May 23, 2024
1 parent 172dd5d commit 5c68bd1
Showing 4 changed files with 55 additions and 17 deletions.
17 changes: 16 additions & 1 deletion .github/workflows/alpha-release.yml
Expand Up @@ -103,12 +103,27 @@ jobs:
- name: Upload tarball to blob storage
run: az storage blob upload -f "packages/communication-react/release/azure-communication-react-${{ steps.version.outputs.version }}.tgz" -c "drops/azure-communication-services/react/npm/${{ steps.version.outputs.version }}" --account-name azuresdkpartnerdrops --auth-mode login

# Get access token to trigger the release pipeline based on OIDC login
#
# Ideally we would use `az pipelines release create` CLI, but it does not support release variables: https://github.com/Azure/azure-cli-extensions/issues/953
# Instead, we use the az CLI to generate a PAT and then use that to trigger the release pipeline
#
# NOTES:
# - 590cfd2a-581c-4dcb-a12e-6568ce786175 is the GUID of the Azure Partner Pipelines ADO project
# - 499b84ac-1321-427f-aa17-267ca6975798 is generic GUID of Azure DevOps resource
- name: Get Azure DevOps Access Token
id: az-devops-access-token
run: |
az extension add --name azure-devops
az devops configure --defaults organization=https://dev.azure.com/azure-sdk project=590cfd2a-581c-4dcb-a12e-6568ce786175
echo "token=$(az account get-access-token --resource 499b84ac-1321-427f-aa17-267ca6975798 --query accessToken -o tsv)" >> $GITHUB_OUTPUT
- name: Trigger alpha package release pipeline
uses: Azure/pipelines@v1.2
with:
azure-devops-project-url: 'https://dev.azure.com/azure-sdk/internal'
azure-pipeline-name: 'azuresdkpartnerdrops to npm'
azure-devops-token: '${{ secrets.AZURE_SDK_RELEASE_PIPELINE_DEVOPS_TOKEN }}'
azure-devops-token: ${{ steps.az-devops-access-token.outputs.token }}
azure-pipeline-variables: '{"accessLevel": "public", "BlobPath": "azure-communication-services/react/npm/${{ steps.version.outputs.version }}", "registry": "https://registry.npmjs.org/", "skipDiff": "False", "tag": "dev"}'

# Push git tags
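Review bot: the comment on the new `Get Azure DevOps Access Token` step says the az CLI is used to "generate a PAT", but `az account get-access-token --resource 499b84ac-1321-427f-aa17-267ca6975798` returns a short-lived Entra ID access token for the Azure DevOps resource, not a personal access token; reword the comment so the next reader does not go looking for a PAT to rotate. Because the token is appended to `$GITHUB_OUTPUT` and then consumed as a step output, it should also be registered with the runner's secret masking before it is written out, e.g. `TOKEN=$(az account get-access-token --resource 499b84ac-1321-427f-aa17-267ca6975798 --query accessToken -o tsv)`, `echo "::add-mask::$TOKEN"`, `echo "token=$TOKEN" >> "$GITHUB_OUTPUT"`, so it cannot surface in verbose or debug logs; quoting `"$GITHUB_OUTPUT"` is also the idiomatic form.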
17 changes: 16 additions & 1 deletion .github/workflows/nightly-cd.yml
Expand Up @@ -150,12 +150,27 @@ jobs:
- name: Upload tarball to blob storage
run: az storage blob upload -f "packages/communication-react/release/azure-communication-react-${{ steps.version.outputs.version }}.tgz" -c "drops/azure-communication-services/react/npm/${{ steps.version.outputs.version }}" --account-name azuresdkpartnerdrops --auth-mode login

# Get access token to trigger the release pipeline based on OIDC login
#
# Ideally we would use `az pipelines release create` CLI, but it does not support release variables: https://github.com/Azure/azure-cli-extensions/issues/953
# Instead, we use the az CLI to generate a PAT and then use that to trigger the release pipeline
#
# NOTES:
# - 590cfd2a-581c-4dcb-a12e-6568ce786175 is the GUID of the Azure Partner Pipelines ADO project
# - 499b84ac-1321-427f-aa17-267ca6975798 is generic GUID of Azure DevOps resource
- name: Get Azure DevOps Access Token
id: az-devops-access-token
run: |
az extension add --name azure-devops
az devops configure --defaults organization=https://dev.azure.com/azure-sdk project=590cfd2a-581c-4dcb-a12e-6568ce786175
echo "token=$(az account get-access-token --resource 499b84ac-1321-427f-aa17-267ca6975798 --query accessToken -o tsv)" >> $GITHUB_OUTPUT
- name: Trigger alpha package release pipeline
uses: Azure/pipelines@v1.2
with:
azure-devops-project-url: 'https://dev.azure.com/azure-sdk/internal'
azure-pipeline-name: 'azuresdkpartnerdrops to npm'
azure-devops-token: '${{ secrets.AZURE_SDK_RELEASE_PIPELINE_DEVOPS_TOKEN }}'
azure-devops-token: ${{ steps.az-devops-access-token.outputs.token }}
azure-pipeline-variables: '{"accessLevel": "public", "BlobPath": "azure-communication-services/react/npm/${{ steps.version.outputs.version }}", "registry": "https://registry.npmjs.org/", "skipDiff": "False", "tag": "dev"}'

# Push git tags
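Review bot: this block is identical to the one added to alpha-release.yml (and repeated again in npm-release-publish.yml apart from the `tag` value), so the ADO project GUID, the Azure DevOps resource GUID and the organization URL now live in three workflow files; moving the token-acquisition and trigger steps into a composite action or reusable workflow that takes the pipeline variables as inputs would keep the three copies from drifting. Separately, `az devops configure --defaults organization=https://dev.azure.com/azure-sdk project=590cfd2a-581c-4dcb-a12e-6568ce786175` sets defaults that nothing later in this hunk reads: `az account get-access-token` does not consult them and the `Azure/pipelines` action is given its own `azure-devops-project-url`. Unless another step in the job depends on those defaults, that line and the `az extension add --name azure-devops` that exists only to support it can be dropped, which also removes an extension install from the release path.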
17 changes: 16 additions & 1 deletion .github/workflows/npm-release-publish.yml
Expand Up @@ -139,12 +139,27 @@ jobs:
- name: Upload tarball to blob storage
run: az storage blob upload -f "packages/communication-react/release/azure-communication-react-${{ steps.version.outputs.version }}.tgz" -c "drops/azure-communication-services/react/npm/${{ steps.version.outputs.version }}" --account-name azuresdkpartnerdrops --auth-mode login

# Get access token to trigger the release pipeline based on OIDC login
#
# Ideally we would use `az pipelines release create` CLI, but it does not support release variables: https://github.com/Azure/azure-cli-extensions/issues/953
# Instead, we use the az CLI to generate a PAT and then use that to trigger the release pipeline
#
# NOTES:
# - 590cfd2a-581c-4dcb-a12e-6568ce786175 is the GUID of the Azure Partner Pipelines ADO project
# - 499b84ac-1321-427f-aa17-267ca6975798 is generic GUID of Azure DevOps resource
- name: Get Azure DevOps Access Token
id: az-devops-access-token
run: |
az extension add --name azure-devops
az devops configure --defaults organization=https://dev.azure.com/azure-sdk project=590cfd2a-581c-4dcb-a12e-6568ce786175
echo "token=$(az account get-access-token --resource 499b84ac-1321-427f-aa17-267ca6975798 --query accessToken -o tsv)" >> $GITHUB_OUTPUT
- name: Trigger package release pipeline
uses: Azure/pipelines@v1.2
with:
azure-devops-project-url: 'https://dev.azure.com/azure-sdk/internal'
azure-pipeline-name: 'azuresdkpartnerdrops to npm'
azure-devops-token: '${{ secrets.AZURE_SDK_RELEASE_PIPELINE_DEVOPS_TOKEN }}'
azure-devops-token: ${{ steps.az-devops-access-token.outputs.token }}
azure-pipeline-variables: '{"accessLevel": "public", "BlobPath": "azure-communication-services/react/npm/${{ steps.version.outputs.version }}", "registry": "https://registry.npmjs.org/", "skipDiff": "False", "tag": "${{ github.event.inputs.npm-tag }}"}'

- name: Check if npm package published successfully
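Review bot: replacing `secrets.AZURE_SDK_RELEASE_PIPELINE_DEVOPS_TOKEN` with the OIDC-derived token moves the trust boundary from a user's PAT to the workflow's federated identity, so this hunk should be reviewed alongside two things it does not show: the job's `permissions` block, which needs `id-token: write` for the preceding OIDC login to mint a token at all, and the identity's access in Azure DevOps, which must cover the Release and Build permissions the old PAT carried (the scope list removed from the docs in this same commit names Release read/write/execute, Code read/write and Build read/execute) or the `Azure/pipelines` step will fail at run time even though the workflow is syntactically fine. Once the production release has been exercised this way, the now-unreferenced `AZURE_SDK_RELEASE_PIPELINE_DEVOPS_TOKEN` repository secret should be deleted so a stale PAT does not linger as an unused credential.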
21 changes: 7 additions & 14 deletions docs/releases/updating-npm-publishing-credentials.md
@@ -1,23 +1,16 @@
# Updating npm publishing credentials

**Update: we now used Managed Identities for authentication. As such we no longer have personal access tokens that need rotated regularly.**

Our GitHub actions that publish our npm package require access for two places:

1. The Azure Blob Store that we upload the npm tarball to.
1. The ADO release pipeline that publishes tarball to npm.

For more information on these visit the internal wiki page: <https://dev.azure.com/azure-sdk/internal/_wiki/wikis/internal.wiki/1/Partner-Release-Pipeline>.

## Required keys and tokens

1. `AZURE_SDK_RELEASE_PIPELINE_DEVOPS_TOKEN`. **⚠ This will expire periodically and need updating ⚠**. This is a personal access token. An account with access to the [ADO release pipeline](https://dev.azure.com/azure-sdk/internal/_wiki/wikis/internal.wiki/1/Partner-Release-Pipeline) should create a new access token when the old one expires. To gain access to this release page you must belong to the appropriate security group; follow the instructions on the [internal wiki page](https://dev.azure.com/azure-sdk/internal/_wiki/wikis/internal.wiki/1/Partner-Release-Pipeline). For more information on how to create a personal access token see: [Use personal access tokens - Create a PAT](https://docs.microsoft.com/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops#create-a-pat).
* Request access to release pipelines through `myaccess`, Request for project Azure SDK Partners. Link can also be found in the [internal wiki page](https://dev.azure.com/azure-sdk/internal/_wiki/wikis/internal.wiki/1/Partner-Release-Pipeline)
* PAT Token should have the following scope:
* Release (Read, write, & execute)
* Code (Read, write)
* Build (Read, execute)

1. `NPM_DEPLOY_AZURE_CLIENT_ID`, `NPM_DEPLOY_AZURE_TENANT_ID` and `NPM_DEPLOY_AZURE_SUBSCRIPTION_ID`. These shouldn't change. They are the OIDC (OpenID Connect) details that are used to authenticate access to Azure Blob Store. See [internal documenatation](https://skype.visualstudio.com/SPOOL/_wiki/wikis/SPOOL.wiki/49092/Updating-npm-publishing-credentials) for more details.
Both of these use OpenID Connect tokens for authentication. To authorize OIDC tokens the following GitHub secrets need set:

# Troubleshooting
- `NPM_DEPLOY_AZURE_CLIENT_ID`
- `NPM_DEPLOY_AZURE_TENANT_ID`
- `NPM_DEPLOY_AZURE_SUBSCRIPTION_ID`.

1. If you experience a 401 error, try rotating AZURE_SDK_RELEASE_PIPELINE_DEVOPS_TOKEN and rerun the job.
These shouldn't change. See [internal documenatation](https://skype.visualstudio.com/SPOOL/_wiki/wikis/SPOOL.wiki/49092/Updating-npm-publishing-credentials) for more details where these are and how they are used for authorization.
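Review bot: the added banner and the new closing sentence carry grammar and spelling errors that whoever next touches these credentials will read first: "we now used Managed Identities" should be "we now use", "need rotated" and "need set" should be "need to be rotated" and "need to be set", and "documenatation" (carried over from the removed line) should be "documentation". More substantively, the hunk deletes the whole Troubleshooting section instead of updating it: the removed advice to rotate the PAT on a 401 no longer applies, but a 401 from the pipeline trigger is still a plausible failure, and the page now gives no pointer to the new things to check (the three `NPM_DEPLOY_AZURE_*` secrets it lists and the identity's access to the ADO project). A short replacement entry there would keep the document useful. The banner also says "Managed Identities" while the body says "OpenID Connect tokens"; one sentence stating that both refer to the same OIDC-based login would avoid the apparent contradiction.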
