Merge pull request #231574 from schaffererin/sp-role

Adding note about role and scope per GH feedback

Author: prmerger-automator[bot]

articles/aks/node-upgrade-github-actions.md

@@ -41,9 +41,9 @@ This article also assumes you have a [GitHub][github] account to create your act
 `cron` is a utility that allows you to run a set of commands, or job, on an automated schedule. To create job to update your AKS nodes on an automated schedule, you'll need a repository to host your actions. Usually, GitHub actions are configured in the same repository as your application, but you can use any repository. For this article we'll be using your [profile repository][profile-repository]. If you don't have one, create a new repository with the same name as your GitHub username.
 
 1. Navigate to your repository on GitHub
-1. Click on the **Actions** tab at the top of the page.
-1. If you already set up a workflow in this repository, you'll be directed to the list of completed runs, in this case, click on the **New Workflow** button. If this is your first workflow in the repository, GitHub will present you with some project templates, click on the **Set up a workflow yourself** link below the description text.
-1. Change the workflow `name` and `on` tags similar to the below. GitHub Actions use the same [POSIX cron syntax][cron-syntax] as any Linux-based system. In this schedule, we're telling the workflow to run every 15 days at 3am.
+2. Select the **Actions** tab at the top of the page.
+3. If you already set up a workflow in this repository, you'll be directed to the list of completed runs, in this case, select the **New Workflow** button. If this is your first workflow in the repository, GitHub will present you with some project templates, select the **Set up a workflow yourself** link below the description text.
+4. Change the workflow `name` and `on` tags similar to the below. GitHub Actions use the same [POSIX cron syntax][cron-syntax] as any Linux-based system. In this schedule, we're telling the workflow to run every 15 days at 3am.
 
     ```yml
     name: Upgrade cluster node images
@@ -52,7 +52,7 @@ This article also assumes you have a [GitHub][github] account to create your act
         - cron: '0 3 */15 * *'
     ```
 
-1. Create a new job using the below. This job is named `upgrade-node`, runs on an Ubuntu agent, and will connect to your Azure CLI account to execute the needed steps to upgrade the nodes.
+5. Create a new job using the below. This job is named `upgrade-node`, runs on an Ubuntu agent, and will connect to your Azure CLI account to execute the needed steps to upgrade the nodes.
 
     ```yml
     name: Upgrade cluster node images
@@ -73,15 +73,15 @@ In the `steps` key, you'll define all the work the workflow will execute to upgr
 Download and sign in to the Azure CLI.
 
 1. On the right-hand side of the GitHub Actions screen, find the *marketplace search bar* and type **"Azure Login"**.
-1. You'll get as a result, an Action called **Azure Login** published **by Azure**:
+2. You'll get as a result, an Action called **Azure Login** published **by Azure**:
 
       :::image type="content" source="media/node-upgrade-github-actions/azure-login-search.png" alt-text="Search results showing two lines, the first action is called 'Azure Login' and the second 'Azure Container Registry Login'":::
 
-1. Click on **Azure Login**. On the next screen, click the **copy icon** in the top right of the code sample.
+3. Select **Azure Login**. On the next screen, select the **copy icon** in the top right of the code sample.
 
-    :::image type="content" source="media/node-upgrade-github-actions/azure-login.png" alt-text="Azure Login action result pane with code sample below, red square around a copy icon highlights the click spot":::
+    :::image type="content" source="media/node-upgrade-github-actions/azure-login.png" alt-text="Azure Login action result pane with code sample below, red square around a copy icon highlights the select spot":::
 
-1. Paste the following under the `steps` key:
+4. Paste the following under the `steps` key:
 
       ```yml
       name: Upgrade cluster node images
@@ -101,7 +101,10 @@ Download and sign in to the Azure CLI.
                 creds: ${{ secrets.AZURE_CREDENTIALS }}
       ```
 
-1. From the Azure CLI, run the following command to generate a new username and password.
+5. From the Azure CLI, run the following command to generate a new username and password.
+
+    > [!NOTE]
+    > This example creates the `Contributor` role at the *Subscription* scope. You may provide the role and scope that meets your needs. For more information, see [Azure built-in roles][azure-built-in-roles] and [Azure RBAC scope levels][azure-rbac-scope-levels].
 
     ```azurecli-interactive
     az ad sp create-for-rbac --role Contributor --scopes /subscriptions/{subscriptionID} -o json
@@ -124,13 +127,13 @@ Download and sign in to the Azure CLI.
     }
     ```
 
-1. **In a new browser window** navigate to your GitHub repository and open the **Settings** tab of the repository. Click **Secrets** then, click on **New Repository Secret**.
-1. For *Name*, use `AZURE_CREDENTIALS`.
-1.  For *Value*, add the entire contents from the output of the previous step where you created a new username and password.
+6. **In a new browser window** navigate to your GitHub repository and open the **Settings** tab of the repository. Select **Secrets** then, select **New Repository Secret**.
+7. For *Name*, use `AZURE_CREDENTIALS`.
+8. For *Value*, add the entire contents from the output of the previous step where you created a new username and password.
 
     :::image type="content" source="media/node-upgrade-github-actions/azure-credential-secret.png" alt-text="Form showing AZURE_CREDENTIALS as secret title, and the output of the executed command pasted as JSON":::
 
-1. Click **Add Secret**.
+9. Select **Add Secret**.
 
 The CLI used by your action will be logged to your Azure account and ready to run commands.
 
@@ -140,7 +143,7 @@ To create the steps to execute Azure CLI commands.
 
     :::image type="content" source="media/node-upgrade-github-actions/azure-cli-action.png" alt-text="Search result for 'Azure CLI Action' with first result being shown as made by Azure":::
 
-1. Click the copy button on the *GitHub marketplace result* and paste the contents of the action in the main editor, below the *Azure Login* step, similar to the following:
+1. Select the copy button on the *GitHub marketplace result* and paste the contents of the action in the main editor, below the *Azure Login* step, similar to the following:
 
     ```yml
     name: Upgrade cluster node images
@@ -168,7 +171,7 @@ To create the steps to execute Azure CLI commands.
     > You can decouple the `-g` and `-n` parameters from the command by adding them to secrets similar to the previous steps. Replace the `{resourceGroupName}` and `{aksClusterName}` placeholders by their secret counterparts, for example `${{secrets.RESOURCE_GROUP_NAME}}` and `${{secrets.AKS_CLUSTER_NAME}}`
 
 1. Rename the file to `upgrade-node-images`.
-1. Click **Start Commit**, add a message title, and save the workflow.
+1. Select **Start Commit**, add a message title, and save the workflow.
 
 Once you create the commit, the workflow will be saved and ready for execution.
 
@@ -226,4 +229,6 @@ jobs:
 [system-pools]: use-system-pools.md
 [spot-pools]: spot-node-pool.md
 [use-multiple-node-pools]: use-multiple-node-pools.md
-[auto-upgrade-node-image]: auto-upgrade-node-image.md
+[auto-upgrade-node-image]: auto-upgrade-node-image.md
+[azure-built-in-roles]: ../role-based-access-control/built-in-roles.md
+[azure-rbac-scope-levels]: ../role-based-access-control/scope-overview.md#scope-format