Merge pull request #216550 from juliakm/users/jukullam/update-for-oidc-includes

Update to reference newer GitHub secrets UI navigation

Author: BCS2022

articles/aks/kubernetes-action.md

@@ -95,8 +95,8 @@ The following shows an example output from the above command.
 ```
 
 In your GitHub repository, create the below secrets for your action to use. To create a secret:
-1. Navigate to the repository's settings, and click *Secrets* then *Actions*.  
-1. For each secret, click *New Repository Secret* and enter the name and value of the secret.
+1. Navigate to the repository's settings, and select **Security > Secrets and variables > Actions**. 
+1. For each secret, click **New Repository Secret** and enter the name and value of the secret.
 
 For more details on creating secrets, see [Encrypted Secrets][github-actions-secrets].
 

articles/app-service/app-service-sql-asp-github-actions.md

@@ -69,9 +69,7 @@ In the example, replace the placeholders with your subscription ID, resource gro
 
 ## Configure the GitHub secret for authentication
 
-In [GitHub](https://github.com/), browse your repository, select **Settings > Secrets > Add a new secret**.
-
-To use [user-level credentials](#generate-deployment-credentials), paste the entire JSON output from the Azure CLI command into the secret's value field. Name the secret `AZURE_CREDENTIALS`.
+[!INCLUDE [include](~/articles/reusable-content/github-actions/create-secrets-service-principal.md)]
 
 ## Add GitHub secrets for your build
 

articles/app-service/app-service-sql-github-actions.md

@@ -70,9 +70,7 @@ In the example, replace the placeholders with your subscription ID, resource gro
 
 ## Configure the GitHub secret for authentication
 
-In [GitHub](https://github.com/), browse your repository, select **Settings > Secrets > Add a new secret**.
-
-To use [user-level credentials](#generate-deployment-credentials), paste the entire JSON output from the Azure CLI command into the secret's value field. Give the secret the name `AZURE_CREDENTIALS`.
+[!INCLUDE [include](~/articles/reusable-content/github-actions/create-secrets-service-principal.md)]
 
 ## Add a SQL Server secret
 

articles/app-service/deploy-container-github-action.md

@@ -126,7 +126,7 @@ OpenID Connect is an authentication method that uses short-lived tokens. Setting
 
 # [Publish profile](#tab/publish-profile)
 
-In [GitHub](https://github.com/), browse your repository, select **Settings > Secrets > Add a new secret**.
+In [GitHub](https://github.com/), browse your repository. Select **Settings > Security > Secrets and variables > Actions > New repository secret**.
 
 To use [app-level credentials](#generate-deployment-credentials), paste the contents of the downloaded publish profile file into the secret's value field. Name the secret `AZURE_WEBAPP_PUBLISH_PROFILE`.
 
@@ -140,7 +140,7 @@ When you configure your GitHub workflow, you use the `AZURE_WEBAPP_PUBLISH_PROFI
 
 # [Service principal](#tab/service-principal)
 
-In [GitHub](https://github.com/), browse your repository, select **Settings > Secrets > Add a new secret**.
+In [GitHub](https://github.com/), browse your repository. Select **Settings > Security > Secrets and variables > Actions > New repository secret**.
 
 To use [user-level credentials](#generate-deployment-credentials), paste the entire JSON output from the Azure CLI command into the secret's value field. Give the secret the name like `AZURE_CREDENTIALS`.
 
@@ -156,7 +156,7 @@ When you configure the workflow file later, you use the secret for the input `cr
 
 You need to provide your application's **Client ID**, **Tenant ID** and **Subscription ID** to the login action. These values can either be provided directly in the workflow or can be stored in GitHub secrets and referenced in your workflow. Saving the values as GitHub secrets is the more secure option.
 
-1. Open your GitHub repository and go to **Settings**.
+1. Open your GitHub repository and go to **Settings > Security > Secrets and variables > Actions > New repository secret**.
 
 1. Create secrets for `AZURE_CLIENT_ID`, `AZURE_TENANT_ID`, and `AZURE_SUBSCRIPTION_ID`. Use these values from your Active Directory application for your GitHub secrets. You can find these values in the Azure portal by searching for your active directory application. 
 

articles/app-service/deploy-github-actions.md

@@ -160,7 +160,7 @@ To learn how to create a Create an active directory application, service princip
 
 # [Publish profile](#tab/applevel)
 
-In [GitHub](https://github.com/), browse your repository, select **Settings > Secrets > Add a new secret**.
+In [GitHub](https://github.com/), browse your repository. Select **Settings > Security > Secrets and variables > Actions > New repository secret**.
 
 To use [app-level credentials](#generate-deployment-credentials), paste the contents of the downloaded publish profile file into the secret's value field. Name the secret `AZURE_WEBAPP_PUBLISH_PROFILE`.
 
@@ -174,7 +174,7 @@ When you configure your GitHub workflow, you use the `AZURE_WEBAPP_PUBLISH_PROFI
 
 # [Service principal](#tab/userlevel)
 
-In [GitHub](https://github.com/), browse your repository, select **Settings > Secrets > Add a new secret**.
+In [GitHub](https://github.com/), browse your repository. Select **Settings > Security > Secrets and variables > Actions > New repository secret**.
 
 To use [user-level credentials](#generate-deployment-credentials), paste the entire JSON output from the Azure CLI command into the secret's value field. Give the secret the name `AZURE_CREDENTIALS`.
 
@@ -190,7 +190,7 @@ When you configure the workflow file later, you use the secret for the input `cr
 
 You need to provide your application's **Client ID**, **Tenant ID** and **Subscription ID** to the login action. These values can either be provided directly in the workflow or can be stored in GitHub secrets and referenced in your workflow. Saving the values as GitHub secrets is the more secure option.
 
-1. Open your GitHub repository and go to **Settings**.
+1. Open your GitHub repository and go to **Settings > Security > Secrets and variables > Actions > New repository secret**.
 
 1. Create secrets for `AZURE_CLIENT_ID`, `AZURE_TENANT_ID`, and `AZURE_SUBSCRIPTION_ID`. Use these values from your Active Directory application for your GitHub secrets:
 

articles/azure-functions/functions-how-to-github-actions.md

@@ -48,11 +48,15 @@ To download the publishing profile of your function app:
 
 ### Add the GitHub secret
 
-1. In [GitHub](https://github.com), browse to your repository, select **Settings** > **Secrets** > **Add a new secret**.
+1. In [GitHub](https://github.com/), go to your repository.
 
-   :::image type="content" source="media/functions-how-to-github-actions/add-secret.png" alt-text="Add Secret":::
+1. Select **Security > Secrets and variables > Actions**.
 
-1. Add a new secret using `AZURE_FUNCTIONAPP_PUBLISH_PROFILE` for **Name**, the content of the publishing profile file for **Value**, and then select **Add secret**.
+1. Select **New repository secret**.
+
+1. Add a new secret with the name `AZURE_FUNCTIONAPP_PUBLISH_PROFILE` and the value set to the contents of the publishing profile file.
+
+1. Select **Add secret**.
 
 GitHub can now authenticate to your function app in Azure.
 

articles/azure-resource-manager/bicep/deploy-github-actions.md

@@ -111,7 +111,7 @@ Create secrets for your Azure credentials, resource group, and subscriptions.
 
 1. In [GitHub](https://github.com/), navigate to your repository.
 
-1. Select **Settings > Secrets > New secret**.
+1. Select **Security > Secrets and variables > Actions > New repository secret**. 
 
 1. Paste the entire JSON output from the Azure CLI command into the secret's value field. Name the secret `AZURE_CREDENTIALS`.
 

articles/azure-resource-manager/templates/deploy-github-actions.md

@@ -32,120 +32,12 @@ The file has two sections:
 
 ## Generate deployment credentials
 
-# [Service principal](#tab/userlevel)
+[!INCLUDE [include](~/articles/reusable-content/github-actions/generate-deployment-credentials.md)]
 
-You can create a [service principal](../../active-directory/develop/app-objects-and-service-principals.md#service-principal-object) with the [az ad sp create-for-rbac](/cli/azure/ad/sp#az-ad-sp-create-for-rbac) command in the [Azure CLI](/cli/azure/). Run this command with [Azure Cloud Shell](https://shell.azure.com/) in the Azure portal or by selecting the **Try it** button.
-
-Create a resource group if you do not already have one.
-
-```azurecli-interactive
-    az group create -n {MyResourceGroup} -l {location}
-```
-
-Replace the placeholder `myApp` with the name of your application.
-
-```azurecli-interactive
-   az ad sp create-for-rbac --name {myApp} --role contributor --scopes /subscriptions/{subscription-id}/resourceGroups/{MyResourceGroup} --sdk-auth
-```
-
-In the example above, replace the placeholders with your subscription ID and resource group name. The output is a JSON object with the role assignment credentials that provide access to your App Service app similar to below. Copy this JSON object for later. You will only need the sections with the `clientId`, `clientSecret`, `subscriptionId`, and `tenantId` values.
-
-```output
-  {
-    "clientId": "<GUID>",
-    "clientSecret": "<GUID>",
-    "subscriptionId": "<GUID>",
-    "tenantId": "<GUID>",
-    (...)
-  }
-```
-
-> [!IMPORTANT]
-> It is always a good practice to grant minimum access. The scope in the previous example is limited to the resource group.
-
-# [OpenID Connect](#tab/openid)
-
-
-OpenID Connect is an authentication method that uses short-lived tokens. Setting up [OpenID Connect with GitHub Actions](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect) is more complex process that offers hardened security. 
-
-1.  If you do not have an existing application, register a [new Active Directory application and service principal that can access resources](../../active-directory/develop/howto-create-service-principal-portal.md). Create the Active Directory application. 
-
-    ```azurecli-interactive
-    az ad app create --display-name myApp
-    ```
-
-    This command will output JSON with an `appId` that is your `client-id`. Save the value to use as the `AZURE_CLIENT_ID` GitHub secret later. 
-
-    You'll use the `objectId` value when creating federated credentials with Graph API and reference it as the `APPLICATION-OBJECT-ID`.
-
-1. Create a service principal. Replace the `$appID` with the appId from your JSON output. 
-
-    This command generates JSON output with a different `objectId` and will be used in the next step. The new  `objectId` is the `assignee-object-id`. 
-    
-    Copy the `appOwnerTenantId` to use as a GitHub secret for `AZURE_TENANT_ID` later. 
-
-    ```azurecli-interactive
-     az ad sp create --id $appId
-    ```
-
-1. Create a new role assignment by subscription and object. By default, the role assignment will be tied to your default subscription. Replace `$subscriptionId` with your subscription ID, `$resourceGroupName` with your resource group name, and `$assigneeObjectId` with the generated `assignee-object-id`. Learn [how to manage Azure subscriptions with the Azure CLI](/cli/azure/manage-azure-subscriptions-azure-cli). 
-
-    ```azurecli-interactive
-    az role assignment create --role contributor --subscription $subscriptionId --assignee-object-id  $assigneeObjectId --assignee-principal-type ServicePrincipal --scopes /subscriptions/$subscriptionId/resourceGroups/$resourceGroupName/providers/Microsoft.Web/sites/
-    ```
-
-1. Run the following command to [create a new federated identity credential](/graph/api/application-post-federatedidentitycredentials?view=graph-rest-beta&preserve-view=true) for your active directory application.
-
-    * Replace `APPLICATION-OBJECT-ID` with the **objectId (generated while creating app)** for your Active Directory application.
-    * Set a value for `CREDENTIAL-NAME` to reference later.
-    * Set the `subject`. The value of this is defined by GitHub depending on your workflow:
-      * Jobs in your GitHub Actions environment: `repo:< Organization/Repository >:environment:< Name >`
-      * For Jobs not tied to an environment, include the ref path for branch/tag based on the ref path used for triggering the workflow: `repo:< Organization/Repository >:ref:< ref path>`.  For example, `repo:n-username/ node_express:ref:refs/heads/my-branch` or `repo:n-username/ node_express:ref:refs/tags/my-tag`.
-      * For workflows triggered by a pull request event: `repo:< Organization/Repository >:pull_request`.
-    
-    ```azurecli
-    az rest --method POST --uri 'https://graph.microsoft.com/beta/applications/<APPLICATION-OBJECT-ID>/federatedIdentityCredentials' --body '{"name":"<CREDENTIAL-NAME>","issuer":"https://token.actions.githubusercontent.com","subject":"repo:organization/repository:ref:refs/heads/main","description":"Testing","audiences":["api://AzureADTokenExchange"]}' 
-    ```
-    
-    To learn how to create a Create an active directory application, service principal, and federated credentials in Azure portal, see [Connect GitHub and Azure](/azure/developer/github/connect-from-azure#use-the-azure-login-action-with-openid-connect).
-    
-
----
 ## Configure the GitHub secrets
 
-# [Service principal](#tab/userlevel)
-
-You need to create secrets for your Azure credentials, resource group, and subscriptions.
-
-1. In [GitHub](https://github.com/), browse your repository.
-
-1. Select **Settings > Secrets > New secret**.
-
-1. Paste the entire JSON output from the Azure CLI command into the secret's value field. Give the secret the name `AZURE_CREDENTIALS`.
+[!INCLUDE [include](~/articles/reusable-content/github-actions/create-secrets-with-openid.md)]
 
-1. Create another secret named `AZURE_RG`. Add the name of your resource group to the secret's value field (example: `myResourceGroup`).
-
-1. Create an additional secret named `AZURE_SUBSCRIPTION`. Add your subscription ID to the secret's value field (example: `90fd3f9d-4c61-432d-99ba-1273f236afa2`).
-
-# [OpenID Connect](#tab/openid)
-
-You need to provide your application's **Client ID**, **Tenant ID**, and **Subscription ID** to the login action. These values can either be provided directly in the workflow or can be stored in GitHub secrets and referenced in your workflow. Saving the values as GitHub secrets is the more secure option.
-
-1. Open your GitHub repository and go to **Settings**.
-
-1. Select **Settings > Secrets > New secret**.
-
-1. Create secrets for `AZURE_CLIENT_ID`, `AZURE_TENANT_ID`, and `AZURE_SUBSCRIPTION_ID`. Use these values from your Active Directory application for your GitHub secrets:
-
-    |GitHub Secret  | Active Directory Application  |
-    |---------|---------|
-    |AZURE_CLIENT_ID     |      Application (client) ID   |
-    |AZURE_TENANT_ID     |     Directory (tenant) ID    |
-    |AZURE_SUBSCRIPTION_ID     |     Subscription ID    |
-
-1. Save each secret by selecting **Add secret**.
-
----
 ## Add Resource Manager template
 
 Add a Resource Manager template to your GitHub repository. This template creates a storage account.

articles/container-instances/container-instances-github-action.md

@@ -112,7 +112,7 @@ az role assignment create \
 
 ### Save credentials to GitHub repo
 
-1. In the GitHub UI, navigate to your forked repository and select **Settings** > **Secrets** > **Actions**. 
+1. In the GitHub UI, navigate to your forked repository and select **Security > Secrets and variables > Actions**.
 
 1. Select **New repository secret** to add the following secrets:
 

articles/container-registry/github-action-scan.md

@@ -48,9 +48,9 @@ In this example, you'll create a three secrets that you can use to authenticate
 
     :::image type="content" source="media/github-action-scan/github-repo-settings.png" alt-text="Select Settings in the navigation.":::
 
-1. Select **Secrets** and then **New Secret**.
+1. Select **Security > Secrets and variables > Actions**. 
 
-    :::image type="content" source="media/github-action-scan/azure-secret-add.png" alt-text="Choose to add a secret.":::
+1. Select **New repository secret**.
 
 1. Paste the following values for each secret created with the following values from the Azure portal by navigating to the **Access Keys** in the Container Registry.