diff --git a/.github/actions/oidc-auth-flow/action.yml b/.github/actions/oidc-auth-flow/action.yml
new file mode 100644
index 0000000..77f9aab
--- /dev/null
+++ b/.github/actions/oidc-auth-flow/action.yml
@@ -0,0 +1,36 @@
+name: Azure OIDC auth flow
+description: "Azure OpenID Connect authentication flow"
+
+inputs:
+ client-id:
+ description: "The Azure AD application client ID"
+ required: true
+ tenant-id:
+ description: "The Azure AD tenant ID"
+ required: true
+ audience:
+ description: "The audience for the access token"
+ required: true
+
+outputs:
+ access-token:
+ description: "The Azure OIDC bearer access token"
+ value: ${{ steps.api-access.outputs.AZURE_ACCESS_TOKEN }}
+
+runs:
+ using: "composite"
+ steps:
+ - name: Azure OpenID Connect
+ uses: azure/login@v2
+ with:
+ client-id: ${{ inputs.client-id }}
+ tenant-id: ${{ inputs.tenant-id }}
+ audience: ${{ inputs.audience }}
+ allow-no-subscriptions: true
+
+ - name: OSMP API access
+ id: api-access
+ shell: bash
+ run: |
+ TOKEN=$(az account get-access-token --query 'accessToken' -o tsv --resource ${{ inputs.audience }})
+ echo "AZURE_ACCESS_TOKEN=$(echo $TOKEN)" >> $GITHUB_OUTPUT
diff --git a/.github/workflows/quest-bulk.yml b/.github/workflows/quest-bulk.yml
index 79dffae..32de0c5 100644
--- a/.github/workflows/quest-bulk.yml
+++ b/.github/workflows/quest-bulk.yml
@@ -25,17 +25,12 @@ jobs:
 echo "Reason: ${{ github.event.inputs.reason }}"
 - name: Azure OpenID Connect
- uses: azure/login@v2
+ id: azure-oidc-auth
+ uses: dotnet/docs-tools/.github/actions/azure-oidc-auth@main
 with:
 client-id: ${{ secrets.CLIENT_ID }}
 tenant-id: ${{ secrets.TENANT_ID }}
 audience: ${{ secrets.OSMP_API_AUDIENCE }}
- allow-no-subscriptions: true
-
- - name: OSMP API access
- run: |
- TOKEN=$(az account get-access-token --query 'accessToken' -o tsv --resource ${{ secrets.OSMP_API_AUDIENCE }})
- echo "AZURE_ACCESS_TOKEN=$TOKEN" >> $GITHUB_ENV
 - name: bulk-sequester
 id: bulk-sequester
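Review bot: The token minted in the `OSMP API access` step is appended to `$GITHUB_OUTPUT` and re-exported as the action's `access-token` output without ever being masked, and unlike `secrets.*` values a step or action output is not redacted automatically, so any consumer that echoes its environment or fails loudly would print a live bearer token into the job log; add `echo "::add-mask::$TOKEN"` before the output line. The same step interpolates `${{ inputs.audience }}` directly into the shell script, the expression-injection pattern actionlint flags — the value currently comes from a repository secret, but routing it through `env:` and quoting `"$AUDIENCE"` costs nothing. `$(echo $TOKEN)` is redundant and unquoted; `$TOKEN` alone suffices, and `"$GITHUB_OUTPUT"` should be quoted as well. The rewritten step follows.
```yaml
# … unchanged: name, description, inputs, outputs and the azure/login step …
    - name: OSMP API access
      id: api-access
      shell: bash
      env:
        AUDIENCE: ${{ inputs.audience }}
      run: |
        TOKEN=$(az account get-access-token --query 'accessToken' -o tsv --resource "$AUDIENCE")
        echo "::add-mask::$TOKEN"
        echo "AZURE_ACCESS_TOKEN=$TOKEN" >> "$GITHUB_OUTPUT"
```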
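Review bot: The `uses:` line added in this hunk points at `dotnet/docs-tools/.github/actions/azure-oidc-auth@main`, but the composite action this same commit introduces lives at `.github/actions/oidc-auth-flow/action.yml`; unless an action named `azure-oidc-auth` already exists in that repository, the step will not resolve. The identical reference appears in the quest.yml hunk at `@@ -32,17 +32,12 @@`. If these workflows live in dotnet/docs-tools itself, a local reference such as `uses: ./.github/actions/oidc-auth-flow` removes both the path mismatch and the mutable `@main` ref; otherwise pin the remote action to a tag or commit SHA, since it is the step that handles the job's OIDC credential. The enclosing job starts outside the hunk, so whether it grants `permissions: id-token: write`, which the OIDC login needs, cannot be confirmed from here.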
@@ -43,7 +38,7 @@ jobs:
 env:
 ImportOptions__ApiKeys__GitHubToken: ${{ secrets.GITHUB_TOKEN }}
 ImportOptions__ApiKeys__QuestKey: ${{ secrets.QUEST_KEY }}
- ImportOptions__ApiKeys__AzureAccessToken: ${{ env.AZURE_ACCESS_TOKEN }}
+ ImportOptions__ApiKeys__AzureAccessToken: ${{ steps.azure-oidc-auth.outputs.access-token }}
 ImportOptions__ApiKeys__SequesterPrivateKey: ${{ secrets.SEQUESTER_PRIVATEKEY }}
 ImportOptions__ApiKeys__SequesterAppID: ${{ secrets.SEQUESTER_APPID }}
 with:
diff --git a/.github/workflows/quest.yml b/.github/workflows/quest.yml
index 18cc9be..17eaa20 100644
--- a/.github/workflows/quest.yml
+++ b/.github/workflows/quest.yml
@@ -32,17 +32,12 @@ jobs:
 echo "Issue number: ${{ github.event.inputs.issue }}"
 - name: Azure OpenID Connect
- uses: azure/login@v2
+ id: azure-oidc-auth
+ uses: dotnet/docs-tools/.github/actions/azure-oidc-auth@main
 with:
 client-id: ${{ secrets.CLIENT_ID }}
 tenant-id: ${{ secrets.TENANT_ID }}
 audience: ${{ secrets.OSMP_API_AUDIENCE }}
- allow-no-subscriptions: true
-
- - name: OSMP API access
- run: |
- TOKEN=$(az account get-access-token --query 'accessToken' -o tsv --resource ${{ secrets.OSMP_API_AUDIENCE }})
- echo "AZURE_ACCESS_TOKEN=$TOKEN" >> $GITHUB_ENV
 # This step occurs when ran manually, passing the manual issue number input
 - name: manual-sequester
@@ -51,7 +46,7 @@ jobs:
 uses: dotnet/docs-tools/actions/sequester@main
 env:
 ImportOptions__ApiKeys__GitHubToken: ${{ secrets.GITHUB_TOKEN }}
- ImportOptions__ApiKeys__AzureAccessToken: ${{ env.AZURE_ACCESS_TOKEN }}
+ ImportOptions__ApiKeys__AzureAccessToken: ${{ steps.azure-oidc-auth.outputs.access-token }}
 ImportOptions__ApiKeys__QuestKey: ${{ secrets.QUEST_KEY }}
 ImportOptions__ApiKeys__SequesterPrivateKey: ${{ secrets.SEQUESTER_PRIVATEKEY }}
 ImportOptions__ApiKeys__SequesterAppID: ${{ secrets.SEQUESTER_APPID }}
@@ -67,7 +62,7 @@ jobs:
 uses: dotnet/docs-tools/actions/sequester@main
 env:
 ImportOptions__ApiKeys__GitHubToken: ${{ secrets.GITHUB_TOKEN }}
- ImportOptions__ApiKeys__AzureAccessToken: $AZURE_ACCESS_TOKEN
+ ImportOptions__ApiKeys__AzureAccessToken: ${{ steps.azure-oidc-auth.outputs.access-token }}
 ImportOptions__ApiKeys__QuestKey: ${{ secrets.QUEST_KEY }}
 ImportOptions__ApiKeys__SequesterPrivateKey: ${{ secrets.SEQUESTER_PRIVATEKEY }}
 ImportOptions__ApiKeys__SequesterAppID: ${{ secrets.SEQUESTER_APPID }}