Skip to content

Commit

Permalink
Use OIDC keys for the OSPO API (#465)
Browse files Browse the repository at this point in the history 
* Use OIDC keys for the OSPO API

* Update quest-bulk.yml

Add the id-token permissions

* Update quest.yml

---------

Co-authored-by: Bill Wagner <[email protected]>
  • Loading branch information
@davidbritch @BillWagner
davidbritch and BillWagner authored May 3, 2024
1 parent 5aa6155 commit 9632798
Show file tree
Hide file tree
Showing 2 changed files with 31 additions and 4 deletions.
16 changes: 15 additions & 1 deletion .github/workflows/quest-bulk.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ jobs:
runs-on: ubuntu-latest
permissions:
issues: write
id-token:write
if: ${{ github.repository_owner == 'dotnet' }}

steps:
Expand All @@ -22,12 +23,25 @@ jobs:
run: |
echo "Reason: ${{ github.event.inputs.reason }}"
- name: Azure OpenID Connect
uses: azure/login@v2
with:
client-id: ${{ secrets.CLIENT_ID }}
tenant-id: ${{ secrets.TENANT_ID }}
audience: ${{ secrets.OSMP_API_AUDIENCE }}
allow-no-subscriptions: true

- name: OSMP API access
run: |
TOKEN=$(az account get-access-token --query 'accessToken' -o tsv --resource ${{ secrets.OSMP_API_AUDIENCE }})
echo "AZURE_ACCESS_TOKEN=$TOKEN" >> $GITHUB_ENV
- name: bulk-sequester
id: bulk-sequester
uses: dotnet/docs-tools/actions/sequester@main
env:
ImportOptions__ApiKeys__GitHubToken: ${{ secrets.GITHUB_TOKEN }}
ImportOptions__ApiKeys__OSPOKey: ${{ secrets.OSPO_KEY }}
ImportOptions__ApiKeys__AzureAccessToken: ${{ env.AZURE_ACCESS_TOKEN }}
ImportOptions__ApiKeys__QuestKey: ${{ secrets.QUEST_KEY }}
ImportOptions__ApiKeys__SequesterPrivateKey: ${{ secrets.SEQUESTER_PRIVATEKEY }}
ImportOptions__ApiKeys__SequesterAppID: ${{ secrets.SEQUESTER_APPID }}
Expand Down
19 changes: 16 additions & 3 deletions .github/workflows/quest.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@ jobs:
runs-on: ubuntu-latest
permissions:
issues: write
id-token: write

steps:
- name: "Print manual run reason"
Expand All @@ -29,14 +30,27 @@ jobs:
echo "Reason: ${{ github.event.inputs.reason }}"
echo "Issue number: ${{ github.event.inputs.issue }}"
- name: Azure OpenID Connect
uses: azure/login@v2
with:
client-id: ${{ secrets.CLIENT_ID }}
tenant-id: ${{ secrets.TENANT_ID }}
audience: ${{ secrets.OSMP_API_AUDIENCE }}
allow-no-subscriptions: true

- name: OSMP API access
run: |
TOKEN=$(az account get-access-token --query 'accessToken' -o tsv --resource ${{ secrets.OSMP_API_AUDIENCE }})
echo "AZURE_ACCESS_TOKEN=$TOKEN" >> $GITHUB_ENV
# This step occurs when ran manually, passing the manual issue number input
- name: manual-sequester
if: ${{ github.event_name == 'workflow_dispatch' }}
id: manual-sequester
uses: dotnet/docs-tools/actions/sequester@main
env:
ImportOptions__ApiKeys__GitHubToken: ${{ secrets.GITHUB_TOKEN }}
ImportOptions__ApiKeys__OSPOKey: ${{ secrets.OSPO_KEY }}
ImportOptions__ApiKeys__AzureAccessToken: ${{ env.AZURE_ACCESS_TOKEN }}
ImportOptions__ApiKeys__QuestKey: ${{ secrets.QUEST_KEY }}
ImportOptions__ApiKeys__SequesterPrivateKey: ${{ secrets.SEQUESTER_PRIVATEKEY }}
ImportOptions__ApiKeys__SequesterAppID: ${{ secrets.SEQUESTER_APPID }}
Expand All @@ -52,12 +66,11 @@ jobs:
uses: dotnet/docs-tools/actions/sequester@main
env:
ImportOptions__ApiKeys__GitHubToken: ${{ secrets.GITHUB_TOKEN }}
ImportOptions__ApiKeys__OSPOKey: ${{ secrets.OSPO_KEY }}
ImportOptions__ApiKeys__AzureAccessToken: $AZURE_ACCESS_TOKEN
ImportOptions__ApiKeys__QuestKey: ${{ secrets.QUEST_KEY }}
ImportOptions__ApiKeys__SequesterPrivateKey: ${{ secrets.SEQUESTER_PRIVATEKEY }}
ImportOptions__ApiKeys__SequesterAppID: ${{ secrets.SEQUESTER_APPID }}
with:
org: ${{ github.repository_owner }}
repo: ${{ github.repository }}
issue: ${{ github.event.issue.number }}

0 comments on commit 9632798

Please sign in to comment.