From 1d23017a5082a03cd73bb254fd8da5be60228c8a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?H=C3=A5vard=20Bakke?=
Date: Tue, 25 Nov 2025 22:16:42 +0100
Subject: [PATCH] Add Azure authentication action with service principal and workload identity support
---
 README.md | 53 +++++++++++++++++++++++++++++++++++
 auth-azure-action/action.yml | 54 ++++++++++++++++++++++++++++++++++++
 2 files changed, 107 insertions(+)
 create mode 100644 auth-azure-action/action.yml
diff --git a/README.md b/README.md
index 124700d..76386cc 100644
--- a/README.md
+++ b/README.md
@@ -13,6 +13,7 @@ GitHub Actions workflows and actions accessible to all Pexip workflows. This rep
 ### Authentication
+- **[auth-azure-action](auth-azure-action)** - Authenticate with Microsoft Azure using service principal credentials or workload identity (OIDC)
 - **[auth-gcp-action](auth-gcp-action)** - Authenticate with Google Cloud Platform using service account key or workload identity federation
 - **[auth-github-action](auth-github-action)** - Authenticate with GitHub Container Registry 
@@ -160,6 +161,54 @@ steps:
 dockerfile: Dockerfile
 ```
+### Example: Authenticate with Azure
+
+Azure authentication supports two methods:
+
+#### Service Principal (credentials JSON)
+
+```yaml
+steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - uses: pexip/shared-github-actions/auth-azure-action@master
+ with:
+ credentials: ${{ secrets.AZURE_CREDENTIALS }}
+ registry: myregistry.azurecr.io
+```
+
+The `AZURE_CREDENTIALS` secret should contain JSON in this format:
+```json
+{
+ "clientId": "",
+ "clientSecret": "",
+ "subscriptionId": "",
+ "tenantId": ""
+}
+```
+
+#### Workload Identity (OIDC)
+
+For enhanced security without storing secrets, use OIDC/Workload Identity:
+
+```yaml
+permissions:
+ id-token: write
+ contents: read
+
+steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - uses: pexip/shared-github-actions/auth-azure-action@master
+ with:
+ client_id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+ registry: myregistry.azurecr.io
+```
+
 ### Example: Create a Release
 ```yaml
@@ -185,6 +234,10 @@ Configure these secrets in your repository settings:
 ### Optional Secrets
+- **`AZURE_CREDENTIALS`** - Azure service principal credentials JSON (if using auth-azure-action with service principal)
+- **`AZURE_CLIENT_ID`** - Azure application client ID (if using auth-azure-action with workload identity)
+- **`AZURE_TENANT_ID`** - Azure AD tenant ID (if using auth-azure-action with workload identity)
+- **`AZURE_SUBSCRIPTION_ID`** - Azure subscription ID (if using auth-azure-action with workload identity)
 - **`jira_webhook`** - Jira automation webhook URL for release integration
 ### Required Variables
diff --git a/auth-azure-action/action.yml b/auth-azure-action/action.yml
new file mode 100644
index 0000000..26fb0df
--- /dev/null
+++ b/auth-azure-action/action.yml 
@@ -0,0 +1,54 @@
+name: Authenticate towards Azure
+description: Authenticate towards Microsoft Azure
+author: "havard.bakke@pexip.com"
+
+inputs:
+ registry:
+ required: false
+ description: The Azure Container Registry to authenticate against (e.g., myregistry.azurecr.io)
+ credentials:
+ required: false
+ description: Azure service principal credentials JSON (for service principal auth)
+ client_id:
+ required: false
+ description: The Azure application (service principal) client ID (for OIDC/workload identity)
+ tenant_id:
+ required: false
+ description: The Azure AD tenant ID (for OIDC/workload identity)
+ subscription_id:
+ required: false
+ description: The Azure subscription ID (for OIDC/workload identity)
+
+runs:
+ using: "composite"
+ steps:
+ - name: Validate authentication inputs
+ shell: bash
+ run: |
+ if [ -z "${{ inputs.credentials }}" ] && [ -z "${{ inputs.client_id }}" ]; then
+ echo "Error: Either credentials (service principal) or client_id (workload identity) must be provided"
+ exit 1
+ fi
+ if [ -n "${{ inputs.client_id }}" ] && ([ -z "${{ inputs.tenant_id }}" ] || [ -z "${{ inputs.subscription_id }}" ]); then
+ echo "Error: tenant_id and subscription_id are required when using workload identity (client_id)"
+ exit 1
+ fi
+
+ - name: Authenticate towards Azure (service principal)
+ if: ${{ inputs.credentials != '' }}
+ uses: azure/login@v2
+ with:
+ creds: ${{ inputs.credentials }}
+
+ - name: Authenticate towards Azure (workload identity/OIDC)
+ if: ${{ inputs.credentials == '' }}
+ uses: azure/login@v2
+ with:
+ client-id: ${{ inputs.client_id }}
+ tenant-id: ${{ inputs.tenant_id }}
+ subscription-id: ${{ inputs.subscription_id }}
+
+ - name: Login to Azure Container Registry
+ if: ${{ inputs.registry != '' }}
+ shell: bash
+ run: az acr login --name $(echo ${{ inputs.registry }} | cut -d'.' -f1)
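Review bot: The two `run:` steps interpolate `${{ inputs.credentials }}` and `${{ inputs.registry }}` straight into the bash script text, so the script itself changes with the input: a service-principal credentials JSON (which, per the README example in this patch, contains double quotes and newlines) breaks the `[ -z "..." ]` test in the validation step, and any shell metacharacters in `registry` are executed by `$(echo ${{ inputs.registry }} | cut -d'.' -f1)` in the last step. Passing the inputs through `env:` and referencing them as quoted shell variables fixes both, and `${REGISTRY%%.*}` replaces the `echo | cut` pipeline. The `azure/login@v2` references are pinned by floating tag; if the repository pins third-party actions to commit SHAs elsewhere, these two should follow the same convention.
```yaml
    - name: Validate authentication inputs
      shell: bash
      env:
        CREDENTIALS: ${{ inputs.credentials }}
        CLIENT_ID: ${{ inputs.client_id }}
        TENANT_ID: ${{ inputs.tenant_id }}
        SUBSCRIPTION_ID: ${{ inputs.subscription_id }}
      run: |
        if [ -z "$CREDENTIALS" ] && [ -z "$CLIENT_ID" ]; then
          echo "Error: Either credentials (service principal) or client_id (workload identity) must be provided"
          exit 1
        fi
        if [ -n "$CLIENT_ID" ] && ([ -z "$TENANT_ID" ] || [ -z "$SUBSCRIPTION_ID" ]); then
          echo "Error: tenant_id and subscription_id are required when using workload identity (client_id)"
          exit 1
        fi

    # … unchanged: the two azure/login steps …

    - name: Login to Azure Container Registry
      if: ${{ inputs.registry != '' }}
      shell: bash
      env:
        REGISTRY: ${{ inputs.registry }}
      run: az acr login --name "${REGISTRY%%.*}"
```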