Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use OIDC for triggering npm publishing pipelines #4649

Merged
merged 10 commits into from
May 23, 2024
17 changes: 16 additions & 1 deletion .github/workflows/alpha-release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -103,12 +103,27 @@ jobs:
- name: Upload tarball to blob storage
run: az storage blob upload -f "packages/communication-react/release/azure-communication-react-${{ steps.version.outputs.version }}.tgz" -c "drops/azure-communication-services/react/npm/${{ steps.version.outputs.version }}" --account-name azuresdkpartnerdrops --auth-mode login

# Get access token to trigger the release pipeline based on OIDC login
#
# Ideally we would use `az pipelines release create` CLI, but it does not support release variables: https://github.com/Azure/azure-cli-extensions/issues/953
# Instead, we use the az CLI to generate a PAT and then use that to trigger the release pipeline
#
# NOTES:
# - 590cfd2a-581c-4dcb-a12e-6568ce786175 is the GUID of the Azure Partner Pipelines ADO project
# - 499b84ac-1321-427f-aa17-267ca6975798 is generic GUID of Azure DevOps resource
- name: Get Azure DevOps Access Token
id: az-devops-access-token
run: |
az extension add --name azure-devops
az devops configure --defaults organization=https://dev.azure.com/azure-sdk project=590cfd2a-581c-4dcb-a12e-6568ce786175
JamesBurnside marked this conversation as resolved.
Show resolved Hide resolved
echo "token=$(az account get-access-token --resource 499b84ac-1321-427f-aa17-267ca6975798 --query accessToken -o tsv)" >> $GITHUB_OUTPUT

- name: Trigger alpha package release pipeline
uses: Azure/pipelines@v1.2
with:
azure-devops-project-url: 'https://dev.azure.com/azure-sdk/internal'
azure-pipeline-name: 'azuresdkpartnerdrops to npm'
azure-devops-token: '${{ secrets.AZURE_SDK_RELEASE_PIPELINE_DEVOPS_TOKEN }}'
azure-devops-token: ${{ steps.az-devops-access-token.outputs.token }}
azure-pipeline-variables: '{"accessLevel": "public", "BlobPath": "azure-communication-services/react/npm/${{ steps.version.outputs.version }}", "registry": "https://registry.npmjs.org/", "skipDiff": "False", "tag": "dev"}'

# Push git tags
Expand Down
17 changes: 16 additions & 1 deletion .github/workflows/nightly-cd.yml
Original file line number Diff line number Diff line change
Expand Up @@ -150,12 +150,27 @@ jobs:
- name: Upload tarball to blob storage
run: az storage blob upload -f "packages/communication-react/release/azure-communication-react-${{ steps.version.outputs.version }}.tgz" -c "drops/azure-communication-services/react/npm/${{ steps.version.outputs.version }}" --account-name azuresdkpartnerdrops --auth-mode login

# Get access token to trigger the release pipeline based on OIDC login
#
# Ideally we would use `az pipelines release create` CLI, but it does not support release variables: https://github.com/Azure/azure-cli-extensions/issues/953
# Instead, we use the az CLI to generate a PAT and then use that to trigger the release pipeline
#
# NOTES:
# - 590cfd2a-581c-4dcb-a12e-6568ce786175 is the GUID of the Azure Partner Pipelines ADO project
# - 499b84ac-1321-427f-aa17-267ca6975798 is generic GUID of Azure DevOps resource
- name: Get Azure DevOps Access Token
id: az-devops-access-token
run: |
az extension add --name azure-devops
az devops configure --defaults organization=https://dev.azure.com/azure-sdk project=590cfd2a-581c-4dcb-a12e-6568ce786175
echo "token=$(az account get-access-token --resource 499b84ac-1321-427f-aa17-267ca6975798 --query accessToken -o tsv)" >> $GITHUB_OUTPUT

- name: Trigger alpha package release pipeline
uses: Azure/pipelines@v1.2
with:
azure-devops-project-url: 'https://dev.azure.com/azure-sdk/internal'
azure-pipeline-name: 'azuresdkpartnerdrops to npm'
azure-devops-token: '${{ secrets.AZURE_SDK_RELEASE_PIPELINE_DEVOPS_TOKEN }}'
azure-devops-token: ${{ steps.az-devops-access-token.outputs.token }}
azure-pipeline-variables: '{"accessLevel": "public", "BlobPath": "azure-communication-services/react/npm/${{ steps.version.outputs.version }}", "registry": "https://registry.npmjs.org/", "skipDiff": "False", "tag": "dev"}'

# Push git tags
Expand Down
17 changes: 16 additions & 1 deletion .github/workflows/npm-release-publish.yml
Original file line number Diff line number Diff line change
Expand Up @@ -139,12 +139,27 @@ jobs:
- name: Upload tarball to blob storage
run: az storage blob upload -f "packages/communication-react/release/azure-communication-react-${{ steps.version.outputs.version }}.tgz" -c "drops/azure-communication-services/react/npm/${{ steps.version.outputs.version }}" --account-name azuresdkpartnerdrops --auth-mode login

# Get access token to trigger the release pipeline based on OIDC login
#
# Ideally we would use `az pipelines release create` CLI, but it does not support release variables: https://github.com/Azure/azure-cli-extensions/issues/953
# Instead, we use the az CLI to generate a PAT and then use that to trigger the release pipeline
#
# NOTES:
# - 590cfd2a-581c-4dcb-a12e-6568ce786175 is the GUID of the Azure Partner Pipelines ADO project
# - 499b84ac-1321-427f-aa17-267ca6975798 is generic GUID of Azure DevOps resource
- name: Get Azure DevOps Access Token
id: az-devops-access-token
run: |
az extension add --name azure-devops
az devops configure --defaults organization=https://dev.azure.com/azure-sdk project=590cfd2a-581c-4dcb-a12e-6568ce786175
echo "token=$(az account get-access-token --resource 499b84ac-1321-427f-aa17-267ca6975798 --query accessToken -o tsv)" >> $GITHUB_OUTPUT

- name: Trigger package release pipeline
uses: Azure/pipelines@v1.2
with:
azure-devops-project-url: 'https://dev.azure.com/azure-sdk/internal'
azure-pipeline-name: 'azuresdkpartnerdrops to npm'
azure-devops-token: '${{ secrets.AZURE_SDK_RELEASE_PIPELINE_DEVOPS_TOKEN }}'
azure-devops-token: ${{ steps.az-devops-access-token.outputs.token }}
azure-pipeline-variables: '{"accessLevel": "public", "BlobPath": "azure-communication-services/react/npm/${{ steps.version.outputs.version }}", "registry": "https://registry.npmjs.org/", "skipDiff": "False", "tag": "${{ github.event.inputs.npm-tag }}"}'

- name: Check if npm package published successfully
Expand Down
21 changes: 7 additions & 14 deletions docs/releases/updating-npm-publishing-credentials.md
Original file line number Diff line number Diff line change
@@ -1,23 +1,16 @@
# Updating npm publishing credentials

**Update: we now used Managed Identities for authentication. As such we no longer have personal access tokens that need rotated regularly.**

Our GitHub actions that publish our npm package require access for two places:

1. The Azure Blob Store that we upload the npm tarball to.
1. The ADO release pipeline that publishes tarball to npm.

For more information on these visit the internal wiki page: <https://dev.azure.com/azure-sdk/internal/_wiki/wikis/internal.wiki/1/Partner-Release-Pipeline>.

## Required keys and tokens

1. `AZURE_SDK_RELEASE_PIPELINE_DEVOPS_TOKEN`. **⚠ This will expire periodically and need updating ⚠**. This is a personal access token. An account with access to the [ADO release pipeline](https://dev.azure.com/azure-sdk/internal/_wiki/wikis/internal.wiki/1/Partner-Release-Pipeline) should create a new access token when the old one expires. To gain access to this release page you must belong to the appropriate security group; follow the instructions on the [internal wiki page](https://dev.azure.com/azure-sdk/internal/_wiki/wikis/internal.wiki/1/Partner-Release-Pipeline). For more information on how to create a personal access token see: [Use personal access tokens - Create a PAT](https://docs.microsoft.com/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops#create-a-pat).
* Request access to release pipelines through `myaccess`, Request for project Azure SDK Partners. Link can also be found in the [internal wiki page](https://dev.azure.com/azure-sdk/internal/_wiki/wikis/internal.wiki/1/Partner-Release-Pipeline)
* PAT Token should have the following scope:
* Release (Read, write, & execute)
* Code (Read, write)
* Build (Read, execute)

1. `NPM_DEPLOY_AZURE_CLIENT_ID`, `NPM_DEPLOY_AZURE_TENANT_ID` and `NPM_DEPLOY_AZURE_SUBSCRIPTION_ID`. These shouldn't change. They are the OIDC (OpenID Connect) details that are used to authenticate access to Azure Blob Store. See [internal documenatation](https://skype.visualstudio.com/SPOOL/_wiki/wikis/SPOOL.wiki/49092/Updating-npm-publishing-credentials) for more details.
Both of these use OpenID Connect tokens for authentication. To authorize OIDC tokens the following GitHub secrets need set:

# Troubleshooting
- `NPM_DEPLOY_AZURE_CLIENT_ID`
- `NPM_DEPLOY_AZURE_TENANT_ID`
- `NPM_DEPLOY_AZURE_SUBSCRIPTION_ID`.

1. If you experience a 401 error, try rotating AZURE_SDK_RELEASE_PIPELINE_DEVOPS_TOKEN and rerun the job.
These shouldn't change. See [internal documenatation](https://skype.visualstudio.com/SPOOL/_wiki/wikis/SPOOL.wiki/49092/Updating-npm-publishing-credentials) for more details where these are and how they are used for authorization.
Loading