From 00292cfffa41ce47c6e87ca0504a5f8fa31d8aa9 Mon Sep 17 00:00:00 2001
From: Bill Wagner
Date: Tue, 30 Apr 2024 10:12:04 -0400
Subject: [PATCH 1/2] Use OIDC keys for the OSPO API

Relies on dotnet/docs-tools#335
Update the YML files for the OIDC authorization protocol
---
 .github/workflows/quest-bulk.yml | 16 ++++++++++++++--
 .github/workflows/quest.yml | 18 +++++++++++++++---
 .github/workflows/whats-new.yml | 15 ++++++++++++++-
 3 files changed, 43 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/quest-bulk.yml b/.github/workflows/quest-bulk.yml
index 14fc58caa6446..f57f73750599e 100644
--- a/.github/workflows/quest-bulk.yml
+++ b/.github/workflows/quest-bulk.yml
@@ -21,16 +21,28 @@ jobs:
 run: |
 echo "Reason: ${{ github.event.inputs.reason }}"
+ - name: Azure OpenID Connect
+ uses: azure/login@v1
+ with:
+ client-id: ${{ secrets.CLIENT_ID }}
+ tenant-id: ${{ secrets.TENANT_ID }}
+ audience: ${{ secrets.OSMP_API_AUDIENCE }}
+ allow-no-subscriptions: true
+
+ - name: OSMP API access
+ run: |
+ TOKEN=$(az account get-access-token --query 'accessToken' -o tsv --resource ${{ secrets.OSMP_API_AUDIENCE }})
+ echo "AZURE_ACCESS_TOKEN=$TOKEN" >> $GITHUB_ENV
+
 - name: bulk-sequester
 id: bulk-sequester
 uses: dotnet/docs-tools/actions/sequester@main
 env:
 ImportOptions__ApiKeys__GitHubToken: ${{ secrets.GITHUB_TOKEN }}
- ImportOptions__ApiKeys__OSPOKey: ${{ secrets.OSPO_KEY }}
 ImportOptions__ApiKeys__QuestKey: ${{ secrets.QUEST_KEY }}
+ ImportOptions__ApiKeys__AzureAccessToken: ${{ env.AZURE_ACCESS_TOKEN }}
 ImportOptions__ApiKeys__SequesterPrivateKey: ${{ secrets.SEQUESTER_PRIVATEKEY }}
 ImportOptions__ApiKeys__SequesterAppID: ${{ secrets.SEQUESTER_APPID }}
-
 with:
 org: ${{ github.repository_owner }}
 repo: ${{ github.repository }}
diff --git a/.github/workflows/quest.yml b/.github/workflows/quest.yml
index acd7e2c5450b8..bb987c0ff7276 100644
--- a/.github/workflows/quest.yml
+++ b/.github/workflows/quest.yml
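Review bot: The `OSMP API access` step writes the bearer token into `$GITHUB_ENV` without registering it with the log masker, so it sits in the environment of every later step and would print in plain text if any step or the sequester action echoes its environment or configuration on failure; add `echo "::add-mask::$TOKEN"` before `echo "AZURE_ACCESS_TOKEN=$TOKEN" >> "$GITHUB_ENV"` (the identical step is added to quest.yml and whats-new.yml in this series, so the same fix applies there). The `azure/login` OIDC flow also needs `permissions: id-token: write` on the job, and the job header is outside this hunk, so that setting should be confirmed rather than assumed. `azure/login@v1` (bumped to `@v2` in the second commit) is a mutable tag; a full-length commit SHA pin with a version comment is the safer supply-chain choice for a step that mints credentials. Finally, `${{ secrets.OSMP_API_AUDIENCE }}` is interpolated straight into the shell script; passing it through the step's `env:` block keeps the script free of expression expansion.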
@@ -30,6 +30,19 @@ jobs:
 echo "Reason: ${{ github.event.inputs.reason }}"
 echo "Issue number: ${{ github.event.inputs.issue }}"
+ - name: Azure OpenID Connect
+ uses: azure/login@v1
+ with:
+ client-id: ${{ secrets.CLIENT_ID }}
+ tenant-id: ${{ secrets.TENANT_ID }}
+ audience: ${{ secrets.OSMP_API_AUDIENCE }}
+ allow-no-subscriptions: true
+
+ - name: OSMP API access
+ run: |
+ TOKEN=$(az account get-access-token --query 'accessToken' -o tsv --resource ${{ secrets.OSMP_API_AUDIENCE }})
+ echo "AZURE_ACCESS_TOKEN=$TOKEN" >> $GITHUB_ENV
+
 # This step occurs when ran manually, passing the manual issue number input
 - name: manual-sequester
 if: ${{ github.event_name == 'workflow_dispatch' }}
@@ -37,7 +50,7 @@ jobs:
 uses: dotnet/docs-tools/actions/sequester@main
 env:
 ImportOptions__ApiKeys__GitHubToken: ${{ secrets.GITHUB_TOKEN }}
- ImportOptions__ApiKeys__OSPOKey: ${{ secrets.OSPO_KEY }}
+ ImportOptions__ApiKeys__AzureAccessToken: ${{ env.AZURE_ACCESS_TOKEN }}
 ImportOptions__ApiKeys__QuestKey: ${{ secrets.QUEST_KEY }}
 ImportOptions__ApiKeys__SequesterPrivateKey: ${{ secrets.SEQUESTER_PRIVATEKEY }}
 ImportOptions__ApiKeys__SequesterAppID: ${{ secrets.SEQUESTER_APPID }}
@@ -53,7 +66,7 @@ jobs:
 uses: dotnet/docs-tools/actions/sequester@main
 env:
 ImportOptions__ApiKeys__GitHubToken: ${{ secrets.GITHUB_TOKEN }}
- ImportOptions__ApiKeys__OSPOKey: ${{ secrets.OSPO_KEY }}
+ ImportOptions__ApiKeys__AzureAccessToken: $AZURE_ACCESS_TOKEN
 ImportOptions__ApiKeys__QuestKey: ${{ secrets.QUEST_KEY }}
 ImportOptions__ApiKeys__SequesterPrivateKey: ${{ secrets.SEQUESTER_PRIVATEKEY }}
 ImportOptions__ApiKeys__SequesterAppID: ${{ secrets.SEQUESTER_APPID }}
@@ -61,4 +74,3 @@ jobs:
 org: ${{ github.repository_owner }}
 repo: ${{ github.repository }}
 issue: ${{ github.event.issue.number }}
-
diff --git a/.github/workflows/whats-new.yml b/.github/workflows/whats-new.yml
index 449c35e883320..34026fbffb6fb 100644
--- a/.github/workflows/whats-new.yml
+++ b/.github/workflows/whats-new.yml
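Review bot: The third hunk (`@@ -53,7 +66,7 @@`) sets `ImportOptions__ApiKeys__AzureAccessToken: $AZURE_ACCESS_TOKEN`, and in the `env:` block of a `uses:` step no shell expands that, so the action receives the literal text `$AZURE_ACCESS_TOKEN` instead of the token, while the manual-sequester hunk just above correctly uses `${{ env.AZURE_ACCESS_TOKEN }}`. Change the line to `ImportOptions__ApiKeys__AzureAccessToken: ${{ env.AZURE_ACCESS_TOKEN }}`. The step's `name` and `if` lines are outside the hunk, so which trigger path this breaks is inferred from position rather than visible here.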
@@ -25,10 +25,23 @@ jobs:
 run: |
 echo "Reason: ${{ github.event.inputs.reason }}"
+ - name: Azure OpenID Connect
+ uses: azure/login@v1
+ with:
+ client-id: ${{ secrets.CLIENT_ID }}
+ tenant-id: ${{ secrets.TENANT_ID }}
+ audience: ${{ secrets.OSMP_API_AUDIENCE }}
+ allow-no-subscriptions: true
+
+ - name: OSMP API access
+ run: |
+ TOKEN=$(az account get-access-token --query 'accessToken' -o tsv --resource ${{ secrets.OSMP_API_AUDIENCE }})
+ echo "AZURE_ACCESS_TOKEN=$TOKEN" >> $GITHUB_ENV
+
 - uses: dotnet/docs-tools/WhatsNew.Cli@main
 env:
 GitHubKey: ${{ secrets.GITHUB_TOKEN }}
- OspoKey: ${{ secrets.OSPO_KEY }}
+ AZURE_ACCESS_TOKEN: ${{ env.AZURE_ACCESS_TOKEN }}
 with:
 owner: dotnet
 repo: docs
From cc9cb99848e92328abb68f4fc6fb9dd61b4dd0be Mon Sep 17 00:00:00 2001
From: Bill Wagner
Date: Tue, 30 Apr 2024 11:00:22 -0400
Subject: [PATCH 2/2] Apply suggestions from code review

Co-authored-by: David Pine
---
 .github/workflows/quest-bulk.yml | 2 +-
 .github/workflows/quest.yml | 2 +-
 .github/workflows/whats-new.yml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/quest-bulk.yml b/.github/workflows/quest-bulk.yml
index f57f73750599e..f3a707adf2110 100644
--- a/.github/workflows/quest-bulk.yml
+++ b/.github/workflows/quest-bulk.yml
@@ -22,7 +22,7 @@ jobs:
 echo "Reason: ${{ github.event.inputs.reason }}"
 - name: Azure OpenID Connect
- uses: azure/login@v1
+ uses: azure/login@v2
 with:
 client-id: ${{ secrets.CLIENT_ID }}
 tenant-id: ${{ secrets.TENANT_ID }}
diff --git a/.github/workflows/quest.yml b/.github/workflows/quest.yml
index bb987c0ff7276..918f59ee5313a 100644
--- a/.github/workflows/quest.yml
+++ b/.github/workflows/quest.yml
@@ -31,7 +31,7 @@ jobs:
 echo "Issue number: ${{ github.event.inputs.issue }}"
 - name: Azure OpenID Connect
- uses: azure/login@v1
+ uses: azure/login@v2
 with:
 client-id: ${{ secrets.CLIENT_ID }}
 tenant-id: ${{ secrets.TENANT_ID }}
diff --git a/.github/workflows/whats-new.yml b/.github/workflows/whats-new.yml
index 34026fbffb6fb..45659520fc17a 100644
--- a/.github/workflows/whats-new.yml
+++ b/.github/workflows/whats-new.yml
@@ -26,7 +26,7 @@ jobs:
 echo "Reason: ${{ github.event.inputs.reason }}"
 - name: Azure OpenID Connect
- uses: azure/login@v1
+ uses: azure/login@v2
 with:
 client-id: ${{ secrets.CLIENT_ID }}
 tenant-id: ${{ secrets.TENANT_ID }}