Rename OIDC workflow #32
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# taken and modified from https://github.com/hashicorp/go-azure-sdk/blob/main/.github/workflows/pr-acceptance-tests.yml | |
# This test requires creating a GitHub OIDC app registration | |
# First create an Azure Application Registration | |
# Then in `Certificates & secrets` add Federated Credentials | |
# select GitHub Actions deploying Azure Resources | |
# And add the repository and branch | |
# Then set the relevant subscription/client IDs in GitHub Action secrets and you're good to go | |
# More detailed instrucitons for configuring GHA Azure OIDC Authentication are available here https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure | |
name: OIDC Acceptance Test | |
on: | |
push: | |
branches: | |
- main | |
permissions: | |
contents: read | |
id-token: write | |
jobs: | |
secrets-check: | |
runs-on: ubuntu-latest | |
outputs: | |
available: ${{ steps.check-secrets.outputs.available }} | |
steps: | |
# we check for the ACTIONS_ID_TOKEN_REQUEST_URL variable as a proxy for other secrets | |
# it will be unset when running for a PR from a fork | |
- id: check-secrets | |
run: | | |
if [[ "${ACTIONS_ID_TOKEN_REQUEST_URL}" == "" ]]; then | |
echo "available=false" | tee ${GITHUB_OUTPUT} | |
else | |
echo "available=true" | tee ${GITHUB_OUTPUT} | |
fi | |
test-oidc: | |
runs-on: ubuntu-latest | |
needs: [secrets-check] | |
if: needs.secrets-check.outputs.available == 'true' | |
steps: | |
- name: Set OIDC Token | |
run: | | |
echo "ARM_OIDC_TOKEN=$(curl -H "Accept: application/json; api-version=2.0" -H "Authorization: Bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" -H "Content-Type: application/json" -G --data-urlencode "audience=api://AzureADTokenExchange" "${ACTIONS_ID_TOKEN_REQUEST_URL}" | jq -r '.value')" >>${GITHUB_ENV} | |
- name: Install Go | |
uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 | |
with: | |
go-version: '1.19.5' | |
- name: Checkout | |
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 | |
- name: Setup `packer` | |
uses: hashicorp/setup-packer@main | |
id: setup | |
- name: Build the plugin | |
run: make | |
- name: Try to run an AzureARM build with our OIDC token | |
run: packer build -force ./example/oidc-example.pkr.hcl | |
env: | |
ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID}} | |
ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID}} |