Merge pull request #216015 from juliakm/users/jukullam/mysql-gh-actions-include

LJSpiller · web-flow · commit c6b8803544ba · 2022-10-26T15:35:27.000-04:00
Update MySQL article to use include file for GitHub Actions
diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
@@ -867,7 +867,7 @@
       "branch_mapping": {}
     },
     {
-      "path_to_root": "reusable-content",
+      "path_to_root": "articles/reusable-content",
       "url": "https://github.com/MicrosoftDocs/reusable-content",
       "branch": "main",
       "branch_mapping": {}
diff --git a/articles/machine-learning/how-to-devops-machine-learning.md b/articles/machine-learning/how-to-devops-machine-learning.md
@@ -44,9 +44,9 @@ https://github.com/azure/azureml-examples
 
 ## Step 2: Sign in to Azure Pipelines
 
-[!INCLUDE [include](~/reusable-content/devops-pipelines/sign-in-azure-pipelines.md)]
+[!INCLUDE [include](~/articles/reusable-content/devops-pipelines/sign-in-azure-pipelines.md)]
 
-[!INCLUDE [include](~/reusable-content/devops-pipelines/create-project.md)]
+[!INCLUDE [include](~/articles/reusable-content/devops-pipelines/create-project.md)]
 
 ## Step 3: Create an Azure Resource Manager connection
 
diff --git a/articles/mysql/single-server/quickstart-mysql-github-actions.md b/articles/mysql/single-server/quickstart-mysql-github-actions.md
@@ -7,7 +7,7 @@ ms.subservice: single-server
 ms.topic: quickstart
 ms.author: jukullam
 ms.custom: github-actions-azure, mode-other
-ms.date: 06/20/2022
+ms.date: 10/26/2022
 ---
 
 # Quickstart: Use GitHub Actions to connect to Azure MySQL
@@ -44,79 +44,8 @@ The file has two sections:
 |**Deploy** | 1. Deploy the database. |
 
 ## Generate deployment credentials
-# [Service principal](#tab/userlevel)
 
-You can create a [service principal](../../active-directory/develop/app-objects-and-service-principals.md) with the [az ad sp create-for-rbac](/cli/azure/ad/sp#az-ad-sp-create-for-rbac&preserve-view=true) command in the [Azure CLI](/cli/azure/). Run this command with [Azure Cloud Shell](https://shell.azure.com/) in the Azure portal or by selecting the **Try it** button.
-
-Replace the placeholders `server-name` with the name of your MySQL server hosted on Azure. Replace the `subscription-id` and `resource-group` with the subscription ID and resource group connected to your MySQL server.
-
-```azurecli-interactive
-   az ad sp create-for-rbac --name {server-name} --role contributor \
-                            --scopes /subscriptions/{subscription-id}/resourceGroups/{resource-group} \
-                            --sdk-auth
-```
-
-The output is a JSON object with the role assignment credentials that provide access to your database similar to below. Copy this output JSON object for later.
-
-```output
-  {
-    "clientId": "<GUID>",
-    "clientSecret": "<GUID>",
-    "subscriptionId": "<GUID>",
-    "tenantId": "<GUID>",
-    (...)
-  }
-```
-
-> [!IMPORTANT]
-> It's always a good practice to grant minimum access. The scope in the previous example is limited to the specific server and not the entire resource group.
-
-# [OpenID Connect](#tab/openid)
-
-OpenID Connect is an authentication method that uses short-lived tokens. Setting up [OpenID Connect with GitHub Actions](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect) is more complex process that offers hardened security. 
-
-1.  If you do not have an existing application, register a [new Active Directory application and service principal that can access resources](../../active-directory/develop/howto-create-service-principal-portal.md). Create the Active Directory application. 
-
-    ```azurecli-interactive
-    az ad app create --display-name myApp
-    ```
-
-    This command will output JSON with an `appId` that is your `client-id`. Save the value to use as the `AZURE_CLIENT_ID` GitHub secret later. 
-
-    You'll use the `objectId` value when creating federated credentials with Graph API and reference it as the `APPLICATION-OBJECT-ID`.
-
-1. Create a service principal. Replace the `$appID` with the appId from your JSON output. 
-
-    This command generates JSON output with a different `objectId` and will be used in the next step. The new  `objectId` is the `assignee-object-id`. 
-    
-    Copy the `appOwnerTenantId` to use as a GitHub secret for `AZURE_TENANT_ID` later. 
-
-    ```azurecli-interactive
-     az ad sp create --id $appId
-    ```
-
-1. Create a new role assignment by subscription and object. By default, the role assignment will be tied to your default subscription. Replace `$subscriptionId` with your subscription ID, `$resourceGroupName` with your resource group name, and `$assigneeObjectId` with the generated `assignee-object-id`. Learn [how to manage Azure subscriptions with the Azure CLI](/cli/azure/manage-azure-subscriptions-azure-cli). 
-
-    ```azurecli-interactive
-    az role assignment create --role contributor --subscription $subscriptionId --assignee-object-id  $assigneeObjectId --assignee-principal-type ServicePrincipal --scopes /subscriptions/$subscriptionId/resourceGroups/$resourceGroupName/providers/Microsoft.Web/sites/
-    ```
-
-1. Run the following command to [create a new federated identity credential](/graph/api/application-post-federatedidentitycredentials?view=graph-rest-beta&preserve-view=true) for your active directory application.
-
-    * Replace `APPLICATION-OBJECT-ID` with the **objectId (generated while creating app)** for your Active Directory application.
-    * Set a value for `CREDENTIAL-NAME` to reference later.
-    * Set the `subject`. The value of this is defined by GitHub depending on your workflow:
-      * Jobs in your GitHub Actions environment: `repo:< Organization/Repository >:environment:< Name >`
-      * For Jobs not tied to an environment, include the ref path for branch/tag based on the ref path used for triggering the workflow: `repo:< Organization/Repository >:ref:< ref path>`.  For example, `repo:n-username/ node_express:ref:refs/heads/my-branch` or `repo:n-username/ node_express:ref:refs/tags/my-tag`.
-      * For workflows triggered by a pull request event: `repo:< Organization/Repository >:pull_request`.
-    
-    ```azurecli
-    az rest --method POST --uri 'https://graph.microsoft.com/beta/applications/<APPLICATION-OBJECT-ID>/federatedIdentityCredentials' --body '{"name":"<CREDENTIAL-NAME>","issuer":"https://token.actions.githubusercontent.com","subject":"repo:organization/repository:ref:refs/heads/main","description":"Testing","audiences":["api://AzureADTokenExchange"]}' 
-    ```
-    
-    To learn how to create a Create an active directory application, service principal, and federated credentials in Azure portal, see [Connect GitHub and Azure](/azure/developer/github/connect-from-azure#use-the-azure-login-action-with-openid-connect).
-    
----
+[!INCLUDE [include](~/articles/reusable-content/github-actions/generate-deployment-credentials.md)]
 
 ## Copy the MySQL connection string
 
@@ -134,45 +63,8 @@ In the Azure portal, go to your Azure Database for MySQL server and open **Setti
 You'll use the connection string as a GitHub secret.
 
 ## Configure GitHub secrets
-# [Service principal](#tab/userlevel)
-
-1. In [GitHub](https://github.com/), browse your repository.
-
-2. Select **Settings > Secrets > New secret**.
 
-3. Paste the entire JSON output from the Azure CLI command into the secret's value field. Give the secret the name `AZURE_CREDENTIALS`.
-
-    When you configure the workflow file later, you use the secret for the input `creds` of the Azure Login action. For example:
-
-    ```yaml
-    - uses: azure/login@v1
-        with:
-            creds: ${{ secrets.AZURE_CREDENTIALS }}
-   ```
-
-4. Select **New secret** again.
-
-5. Paste the connection string value into the secret's value field. Give the secret the name `AZURE_MYSQL_CONNECTION_STRING`.
-
-# [OpenID Connect](#tab/openid)
-
-You need to provide your application's **Client ID**, **Tenant ID**, and **Subscription ID** to the login action. These values can either be provided directly in the workflow or can be stored in GitHub secrets and referenced in your workflow. Saving the values as GitHub secrets is the more secure option.
-
-1. Open your GitHub repository and go to **Settings**.
-
-1. Select **Settings > Secrets > New secret**.
-
-1. Create secrets for `AZURE_CLIENT_ID`, `AZURE_TENANT_ID`, and `AZURE_SUBSCRIPTION_ID`. Use these values from your Active Directory application for your GitHub secrets:
-
-    |GitHub Secret  | Active Directory Application  |
-    |---------|---------|
-    |AZURE_CLIENT_ID     |      Application (client) ID   |
-    |AZURE_TENANT_ID     |     Directory (tenant) ID    |
-    |AZURE_SUBSCRIPTION_ID     |     Subscription ID    |
-
-1. Save each secret by selecting **Add secret**.
-
----
+[!INCLUDE [include](~/articles/reusable-content/github-actions/create-secrets-with-openid.md)]
 
 ## Add your workflow
 

Original file line number	Diff line number	Diff line change
`@@ -867,7 +867,7 @@`
`867`	`867`	`"branch_mapping": {}`
`868`	`868`	`},`
`869`	`869`	`{`
`870`		`- "path_to_root": "reusable-content",`
	`870`	`+ "path_to_root": "articles/reusable-content",`
`871`	`871`	`"url": "https://github.com/MicrosoftDocs/reusable-content",`
`872`	`872`	`"branch": "main",`
`873`	`873`	`"branch_mapping": {}`