
Support azure oidc using github token #2113

Merged: lionello merged 1 commit into main from edw/azure-oidc on May 15, 2026

Conversation

edwardrf (Contributor) commented May 14, 2026

Description

Support azure oidc using github token

Linked Issues

https://github.com/DefangLabs/portal/issues/728

Checklist

  • I have performed a self-review of my code
  • I have added appropriate tests
  • I have updated the Defang CLI docs and/or README to reflect my changes, if necessary

Summary by CodeRabbit

  • New Features

    • Added support for Azure authentication via GitHub Actions OIDC, enabling secure credential exchange in GitHub Actions workflows with automatic fallback to existing authentication methods.
  • Tests

    • Added test coverage for GitHub Actions OIDC authentication, including validation of environment variable configurations.


coderabbitai (Bot) commented May 14, 2026

Walkthrough

This PR adds GitHub Actions OIDC federation support to Azure authentication in the Defang platform. The changes introduce a new authentication pathway that exchanges GitHub-issued OIDC tokens for Azure credentials when running in GitHub Actions CI, with appropriate fallback to existing credential paths if the new pathway is not applicable.

Changes

GitHub OIDC for Azure Authentication

Layer | File(s) | Summary
GitHub OIDC authentication setup | src/pkg/clouds/azure/login.go | Import the GitHub OIDC helper, define the githubFederationAudience constant for the token exchange, and document the new GitHub Actions OIDC pathway as the first credential priority, alongside an updated success comment.
GitHub OIDC implementation | src/pkg/clouds/azure/login.go | Modify the Authenticate method to call tryGithubOIDC first; implement tryGithubOIDC to conditionally build and validate Azure credentials from GitHub Actions OIDC environment variables using azidentity.NewClientAssertionCredential.
GitHub OIDC testing | src/pkg/clouds/azure/login_test.go | Add an unsetEnv test helper for reliable environment variable cleanup and introduce three test cases validating tryGithubOIDC behavior when not in GitHub Actions or when required federation environment variables are absent.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

  • lionello
  • jordanstephens

Poem

A rabbit hops through Azure's gate,
With GitHub's OIDC token—no more wait!
Fed by identity, claimed and true,
Actions now flow in CI's blue.
🐰✨ Federated credentials—magic is here!

Pre-merge checks | ✅ 4 passed | ❌ 1 warning

Failed checks (1 warning)

Check name | Status | Explanation | Resolution
Docstring Coverage | ⚠️ Warning | Docstring coverage is 16.67%, which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold.

Passed checks (4 passed)

Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped: CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title accurately summarizes the main change: adding Azure OIDC authentication support using GitHub tokens, which is the primary focus of both modified files.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.


Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.2)

level=warning msg="The linter 'gomodguard' is deprecated (since v2.12.0) due to: new major version. Replaced by gomodguard_v2."
level=warning msg="Suggested new configuration:\nlinters:\n enable:\n - gomodguard_v2\n"
level=warning msg="[linters_context] running gomodguard failed: unable to read module file go.mod: current working directory must have a go.mod file: if you are not using go modules it is suggested to disable this linter"
level=error msg="[linters_context] typechecking error: pattern ./...: directory prefix . does not contain main module or its selected dependencies"

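The walkthrough above describes the new pathway only in outline: gate on the GitHub Actions environment, fall back to the other credential sources when the federation variables are absent, otherwise hand a GitHub-minted OIDC token to azidentity.NewClientAssertionCredential. The Go below is an added example written for this page, not code from the PR or from the Defang repository. It shows the three pieces a practitioner has to get right: the gating, with a sentinel error the caller can test with errors.Is to tell "not applicable, fall back" from "selected and failed"; the GET against the Actions token runtime that actually mints the token for the Azure audience; and the callback shape the SDK constructor expects, re-invoked on every refresh so a stale GitHub token is never reused. Assumptions: the function, type and sentinel names are mine (the PR's tryGithubOIDC is not shown on the page); api://AzureADTokenExchange is Entra's documented default audience for GitHub federated credentials; AZURE_CLIENT_ID and AZURE_TENANT_ID are the variables azidentity's environment credential reads, whereas the PR only says "required federation environment variables"; the azidentity call itself appears only in a comment so the block runs offline with the standard library.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Audience Entra ID expects on a GitHub token used for workload identity federation. The name
// follows the PR walkthrough; the value is Entra's documented default and an assumption here.
const githubFederationAudience = "api://AzureADTokenExchange"

// errNotApplicable means "try the next credential source"; any other error is a hard failure.
var errNotApplicable = errors.New("github oidc: not applicable")

// githubOIDCConfig is what the exchange needs from the Actions environment.
type githubOIDCConfig struct {
	RequestURL, RequestToken string // ACTIONS_ID_TOKEN_REQUEST_URL / _TOKEN; need id-token: write
	ClientID, TenantID       string // AZURE_CLIENT_ID / AZURE_TENANT_ID of the federated app
}

// loadGithubOIDCConfig gates on GITHUB_ACTIONS=true plus the four variables. lookup stands in
// for os.LookupEnv so the gating is testable without mutating the process environment.
func loadGithubOIDCConfig(lookup func(string) (string, bool)) (githubOIDCConfig, error) {
	if v, _ := lookup("GITHUB_ACTIONS"); v != "true" {
		return githubOIDCConfig{}, errNotApplicable
	}
	var cfg githubOIDCConfig
	var missing []string
	need := func(name string) string {
		v, ok := lookup(name)
		if !ok || v == "" {
			missing = append(missing, name)
		}
		return v
	}
	cfg.RequestURL = need("ACTIONS_ID_TOKEN_REQUEST_URL")
	cfg.RequestToken = need("ACTIONS_ID_TOKEN_REQUEST_TOKEN")
	cfg.ClientID = need("AZURE_CLIENT_ID")
	cfg.TenantID = need("AZURE_TENANT_ID")
	if len(missing) > 0 {
		// Wrap the sentinel so callers can errors.Is() it and fall back, while the message still
		// names what is missing (typically the URL/TOKEN pair when id-token: write was not granted).
		return cfg, fmt.Errorf("github oidc: unset %s: %w", strings.Join(missing, ", "), errNotApplicable)
	}
	return cfg, nil
}

// fetchGithubIDToken asks the Actions runtime to mint an OIDC token for aud: GET the request
// URL with ?audience=... and the request token as a bearer; the body is {"value": "<jwt>"}.
func fetchGithubIDToken(ctx context.Context, client *http.Client, cfg githubOIDCConfig, aud string) (string, error) {
	u, err := url.Parse(cfg.RequestURL)
	if err != nil {
		return "", fmt.Errorf("github oidc: bad ACTIONS_ID_TOKEN_REQUEST_URL: %w", err)
	}
	q := u.Query() // the injected URL already carries a query string; keep it
	q.Set("audience", aud)
	u.RawQuery = q.Encode()
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, u.String(), nil)
	if err != nil {
		return "", err
	}
	req.Header.Set("Authorization", "Bearer "+cfg.RequestToken)
	resp, err := client.Do(req)
	if err != nil {
		return "", fmt.Errorf("github oidc: requesting id token: %w", err)
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("github oidc: token endpoint returned HTTP %d", resp.StatusCode)
	}
	var out struct {
		Value string `json:"value"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil || out.Value == "" {
		return "", errors.New("github oidc: token endpoint response carries no token")
	}
	return out.Value, nil
}

// githubAssertionFunc binds client and cfg into the callback azidentity.NewClientAssertionCredential
// takes: NewClientAssertionCredential(cfg.TenantID, cfg.ClientID, githubAssertionFunc(c, cfg), nil).
// The SDK re-invokes it whenever its cached Entra access token expires, so every call mints a fresh
// GitHub token rather than reusing one that has already gone stale.
func githubAssertionFunc(client *http.Client, cfg githubOIDCConfig) func(context.Context) (string, error) {
	return func(ctx context.Context) (string, error) {
		return fetchGithubIDToken(ctx, client, cfg, githubFederationAudience)
	}
}
```

In a workflow the job needs `permissions: id-token: write`; without it the runner never injects ACTIONS_ID_TOKEN_REQUEST_URL and ACTIONS_ID_TOKEN_REQUEST_TOKEN, and the loader returns the fallback sentinel naming both. On the Entra side the app registration needs a federated credential whose issuer is https://token.actions.githubusercontent.com, whose subject matches the workflow (for example repo:org/repo:ref:refs/heads/main) and whose audience equals githubFederationAudience; a mismatch in any of these surfaces as an error from the SDK's token request, not from this code, which is why validating the built credential against the subscription, as the PR does, is the right place to catch it.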

coderabbitai (Bot) left a comment

🧹 Nitpick comments (1)
src/pkg/clouds/azure/login.go (1)

285-287: ⚡ Quick win

Wrap error with context for better debuggability.

The error from testAzureCredential is returned unwrapped. Adding context would help identify that this failure occurred specifically in the GitHub OIDC path during debugging.

♻️ Suggested fix
 	if err := testAzureCredential(ctx, a.SubscriptionID, cred); err != nil {
-		return nil, err
+		return nil, fmt.Errorf("GitHub-OIDC credential failed subscription validation: %w", err)
 	}
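Review bot: Wrapping is right, but the two suggested messages on this page disagree ("GitHub-OIDC credential failed subscription validation" in this diff, "testing Azure credential for GitHub OIDC" in the agent prompt); settle on one string so the failure is greppable in CI logs. The same message should also make clear that this return is a hard stop: if Authenticate treats any error from tryGithubOIDC as final (the walkthrough says it falls back only when the pathway is not applicable), a credential that fails testAzureCredential aborts login rather than falling through to the next credential source. That is the safer behaviour for CI, since a silent fallback would mask a misconfigured federated credential, but the wrapped error should then include a.SubscriptionID so the reader can tell a wrong subscription from a federated credential whose subject or audience does not match the workflow.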

As per coding guidelines: "Wrap errors with context using fmt.Errorf with %w verb".

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/pkg/clouds/azure/login.go` around lines 285 - 287, The call returning the
error from testAzureCredential is returning the raw error; update the return to
wrap that error with context (e.g., using fmt.Errorf) so it indicates the
failure happened while testing Azure credentials in the GitHub OIDC path;
specifically wrap the error returned from testAzureCredential(ctx,
a.SubscriptionID, cred) (referencing testAzureCredential, a.SubscriptionID and
cred) using fmt.Errorf("testing Azure credential for GitHub OIDC: %w", err) and
return that wrapped error.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f510e263-bbeb-44b3-8062-d1ffd46e77e6

📥 Commits

Reviewing files that changed from the base of the PR and between b570941 and e6b0a06.

📒 Files selected for processing (2)
  • src/pkg/clouds/azure/login.go
  • src/pkg/clouds/azure/login_test.go

@lionello lionello merged commit 5c42faa into main May 15, 2026
14 checks passed
@lionello lionello deleted the edw/azure-oidc branch May 15, 2026 16:42