
refactor: remove Azure OIDC token fetching steps from desktop release #1288

Merged
MODSetter merged 2 commits into main from dev
Apr 21, 2026

Conversation

@MODSetter (Owner) commented Apr 21, 2026

Description

Motivation and Context

FIX #

Screenshots

API Changes

  • This PR includes API changes

Change Type

  • Bug fix
  • New feature
  • Performance improvement
  • Refactoring
  • Documentation
  • Dependency/Build system
  • Breaking change
  • Other (specify):

Testing Performed

  • Tested locally
  • Manual/QA verification

Checklist

  • Follows project coding standards and conventions
  • Documentation updated as needed
  • Dependencies updated as needed
  • No lint/build errors or new warnings
  • All relevant tests are passing

High-level PR Summary

This PR simplifies the Windows desktop release workflow by removing Azure OIDC token fetching steps and switching from federated token authentication to client-secret based authentication. The change removes the Azure login step and the PowerShell script that fetched GitHub OIDC tokens, replacing the AZURE_FEDERATED_TOKEN environment variable with AZURE_CLIENT_SECRET in the build step. This is done because electron-builder 26 does not yet support OIDC federated tokens for Azure signing, requiring a fallback to client-secret authentication.

⏱️ Estimated Review Time: 5-15 minutes

💡 Review Order Suggestion
1. .github/workflows/desktop-release.yml


Summary by CodeRabbit

  • Chores
    • Updated Windows code signing authentication method for improved reliability and maintainability of the desktop release process.

… workflow

- Eliminated the Azure login and OIDC token fetching steps for Windows signing.
- Updated environment variable handling for Azure signing to use client-secret authentication due to electron-builder limitations.
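As an added example, not the project's own workflow file, this is how the Windows packaging job can be wired after this change: a workflow-level permissions block without id-token: write, and AZURE_TENANT_ID / AZURE_CLIENT_ID / AZURE_CLIENT_SECRET populated only on production v* tags. The job layout, the repository secret names, the electron-builder invocation, and the assumption that electron-builder skips Azure signing when these variables are empty are all assumptions; the page only names the three environment variables and the tag policy.

```yaml
name: desktop-release

on:
  push:
    tags: ["v*", "beta-v*"]
  workflow_dispatch:

# Least privilege: with the azure/login OIDC step gone, nothing in this
# workflow mints a GitHub ID token, so id-token: write is not granted.
permissions:
  contents: write

jobs:
  package-windows:
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
      - run: npm ci

      # Sign only on production v* tags (not beta-v*, not workflow_dispatch).
      # refs/tags/beta-v* does not start with refs/tags/v, and a manual
      # dispatch runs on a branch ref, so both fall through to the '' branch
      # and the long-lived client secret is exposed to as few runs as possible.
      - name: Package and sign
        env:
          # Client-secret fallback: electron-builder 26 cannot use a federated
          # (OIDC) token for Azure Trusted Signing yet, so the secret is passed
          # directly. Repository secret names are assumed.
          AZURE_TENANT_ID: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.AZURE_TENANT_ID || '' }}
          AZURE_CLIENT_ID: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.AZURE_CLIENT_ID || '' }}
          AZURE_CLIENT_SECRET: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.AZURE_CLIENT_SECRET || '' }}
        run: npx electron-builder --win --publish never
```

Whether an empty AZURE_CLIENT_SECRET makes electron-builder skip signing or fail depends on the project's electron-builder configuration, so check that behaviour on a beta-v* tag before relying on it.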
vercel Bot commented Apr 21, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: surf-sense-frontend | Deployment: Ready | Actions: Preview, Comment | Updated (UTC): Apr 21, 2026 5:56pm


coderabbitai Bot commented Apr 21, 2026

📝 Walkthrough

The desktop release workflow's Azure code signing authentication method was changed from OIDC federated token-based login to client-secret authentication. The azure/login action and associated OIDC token-fetching PowerShell step were removed, and the AZURE_FEDERATED_TOKEN environment variable was replaced with AZURE_CLIENT_SECRET for the packaging job.

Changes

Cohort: Azure Signing Authentication Configuration
File(s): .github/workflows/desktop-release.yml
Summary: Removed azure/login@v2 action and OIDC token-fetching PowerShell step; replaced AZURE_FEDERATED_TOKEN environment variable with AZURE_CLIENT_SECRET for Azure TrustedSigning, while maintaining conditional population of tenant and client IDs.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 Hop, hop, the tokens dance away,
No OIDC tricks shall cloud our day,
Client secrets guide the Azure way,
Windows binaries signed come what may!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Title check: Passed. The title accurately summarizes the main change: removal of Azure OIDC token fetching steps from the desktop release workflow, which is the primary focus of the changeset.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.
  • Description Check: Passed. Check skipped because CodeRabbit's high-level summary is enabled.



recurseml Bot left a comment

Review by RecurseML

🔍 Review performed on e421342..291a7e2

✨ No bugs found, your code is sparkling clean

✅ Files analyzed, no issues (1)

.github/workflows/desktop-release.yml

coderabbitai Bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/desktop-release.yml (1)

66-67: ⚠️ Potential issue | 🟡 Minor

Stale comment references OIDC federated credential.

The rationale now reads inaccurately since signing uses client-secret auth. Consider updating to reflect the current gating reason (e.g., single signing credential / production-tag policy) to avoid confusing future maintainers.

📝 Proposed edit
           # Sign Windows builds only on production v* tags (not beta-v*, not workflow_dispatch).
-          # This matches the single OIDC federated credential configured in Entra ID.
+          # Signing uses the Azure service principal's client secret; restrict to production tags
+          # to minimize credential exposure and match the Entra ID app's intended usage.
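Review bot: the replacement comment should also record that the client secret is a fallback, not the intended end state, since the PR summary says electron-builder 26 does not yet support OIDC federated tokens for Azure signing; without that cue a future maintainer has no reason to move back to the short-lived federated credential once support lands. Suggest appending a line such as `# TODO: return to the Entra ID federated (OIDC) credential once electron-builder supports it.` The "minimize credential exposure" wording is accurate as far as it goes: the secret is long-lived, so limiting which runs can read it is the only mitigation the workflow itself offers.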
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/desktop-release.yml around lines 66 - 67, Update the stale
comment that currently reads "Sign Windows builds only on production v* tags
(not beta-v*, not workflow_dispatch). This matches the single OIDC federated
credential configured in Entra ID." to reflect the current authentication method
and gating rationale: mention that signing uses client-secret auth (or a single
signing credential) and that signing is intentionally limited to production v*
tags, not beta or manual dispatches; edit the comment near the Windows signing
step so it references "single signing credential / client-secret auth" and
"production v* tag policy" instead of the OIDC federated credential terminology.
🧹 Nitpick comments (1)
.github/workflows/desktop-release.yml (1)

23-26: id-token: write permission is no longer required.

With the azure/login OIDC step removed, nothing in this workflow requests a federated GitHub OIDC token. You can drop id-token: write to adhere to least-privilege.

🔒 Proposed change
 permissions:
   contents: write
-  id-token: write
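Review bot: before dropping `id-token: write`, confirm that no remaining step in the job list still requests an OIDC token (the hunk shows only the workflow-level `permissions:` block, not the steps), because a step that still calls the ID-token endpoint would fail at runtime with a permissions error rather than at lint time. It is also worth checking that no job defines its own `permissions:` block, since a job-level block overrides the workflow-level one and could re-grant the token silently.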
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/desktop-release.yml around lines 23 - 26, The workflow's
permissions block unnecessarily grants id-token: write; remove the `id-token:
write` entry from the `permissions:` section (the lines defining `contents:
write` and `id-token: write`) so only required permissions remain (e.g., keep
`contents: write`) and adhere to least-privilege since `azure/login`/OIDC is no
longer used.


📥 Commits

Reviewing files that changed from the base of the PR and between e421342 and 291a7e2.

📒 Files selected for processing (1)
  • .github/workflows/desktop-release.yml

@MODSetter MODSetter merged commit c1754e4 into main Apr 21, 2026
10 of 12 checks passed