Merge pull request #223345 from juliakm/users/jukullam/update-gha-for-oidc-jan9

Update credentials to OIDC for GitHub Actions tutorials

Author: 19BMG00

articles/app-service/app-service-sql-asp-github-actions.md

@@ -3,7 +3,7 @@ title: "Tutorial: Use GitHub Actions to deploy to App Service and connect to a d
 description: Deploy a database-backed ASP.NET core app to Azure with GitHub Actions
 ms.devlang: csharp
 ms.topic: tutorial
-ms.date: 09/13/2021
+ms.date: 01/09/2023
 ms.author: jukullam
 ms.custom: github-actions-azure
 ---
@@ -49,34 +49,18 @@ az group create --name {resource-group-name} --location {resource-group-location
 
 ## Generate deployment credentials
 
-You'll need to authenticate with a service principal for the resource deployment script to work. You can create a [service principal](../active-directory/develop/app-objects-and-service-principals.md#service-principal-object) with the [az ad sp create-for-rbac](/cli/azure/ad/sp#az-ad-sp-create-for-rbac) command in the [Azure CLI](/cli/azure/). Run this command with [Azure Cloud Shell](https://shell.azure.com/) in the Azure portal or by selecting the **Try it** button.
-
-```azurecli-interactive
-    az ad sp create-for-rbac --name "{service-principal-name}" --sdk-auth --role contributor --scopes /subscriptions/{subscription-id}
-```
-
-In the example, replace the placeholders with your subscription ID, resource group name, and service principal name. The output is a JSON object with the role assignment credentials that provide access to your App Service app. Copy this JSON object for later. For help, go to [configure deployment credentials](https://github.com/Azure/login#configure-deployment-credentials).
-
-```output
-  {
-    "clientId": "<GUID>",
-    "clientSecret": "<GUID>",
-    "subscriptionId": "<GUID>",
-    "tenantId": "<GUID>",
-    (...)
-  }
-```
+[!INCLUDE [include](~/articles/reusable-content/github-actions/generate-openid-credentials.md)]
 
 ## Configure the GitHub secret for authentication
 
-[!INCLUDE [include](~/articles/reusable-content/github-actions/create-secrets-service-principal.md)]
+[!INCLUDE [include](~/articles/reusable-content/github-actions/create-secrets-openid-only.md)]
 
 ## Add GitHub secrets for your build
 
 1. Create [two new secrets](https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository) in your GitHub repository for `SQLADMIN_PASS` and `SQLADMIN_LOGIN`. Make sure you choose a complex password, otherwise the create step for the SQL database server will fail. You won't be able to access this password again so save it separately.
 
 2. Create an `AZURE_SUBSCRIPTION_ID` secret for your Azure subscription ID. If you do not know your subscription ID, use this command in the Azure Shell to find it. Copy the value in the `SubscriptionId` column.
-    ```azurecli
+    ```azurecliu
     az account list -o table
     ```
  

articles/app-service/app-service-sql-github-actions.md

@@ -3,7 +3,7 @@ title: "Tutorial: Use GitHub Actions to deploy to an App Service custom containe
 description: Learn how to deploy an ASP.NET core app to Azure and to Azure SQL Database with GitHub Actions
 ms.devlang: csharp
 ms.topic: tutorial
-ms.date: 04/22/2021
+ms.date: 01/09/2023
 ms.author: jukullam
 ms.custom: github-actions-azure
 ---
@@ -47,30 +47,11 @@ Open the Azure Cloud Shell at https://shell.azure.com. You can alternately use t
 
 ## Generate deployment credentials
 
-You'll need to authenticate with a service principal for the resource deployment script to work. You can create a [service principal](../active-directory/develop/app-objects-and-service-principals.md#service-principal-object) with the [az ad sp create-for-rbac](/cli/azure/ad/sp#az-ad-sp-create-for-rbac) command in the [Azure CLI](/cli/azure/). Run this command with [Azure Cloud Shell](https://shell.azure.com/) in the Azure portal or by selecting the **Try it** button.
-
-```azurecli-interactive
-    az ad sp create-for-rbac --name "{service-principal-name}" --sdk-auth --role contributor --scopes /subscriptions/{subscription-id}/resourceGroups/{resource-group-name}
-```
-
-In the example, replace the placeholders with your subscription ID, resource group name, and service principal name. The output is a JSON object with the role assignment credentials that provide access to your App Service app. Copy this JSON object for later. For help, go to [configure deployment credentials](https://github.com/Azure/login#configure-deployment-credentials).
-
-```output
-  {
-    "clientId": "<GUID>",
-    "clientSecret": "<GUID>",
-    "subscriptionId": "<GUID>",
-    "tenantId": "<GUID>",
-    (...)
-  }
-```
-
-> [!IMPORTANT]
-> It is always a good practice to grant minimum access. The scope in the previous example is limited to the specific App Service app and not the entire resource group.
+[!INCLUDE [include](~/articles/reusable-content/github-actions/generate-openid-credentials.md)]
 
 ## Configure the GitHub secret for authentication
 
-[!INCLUDE [include](~/articles/reusable-content/github-actions/create-secrets-service-principal.md)]
+[!INCLUDE [include](~/articles/reusable-content/github-actions/create-secrets-openid-only.md)]
 
 ## Add a SQL Server secret