Merge pull request #730 from microsoft/psl-oidc

ci: Migrated GitHub Actions authentication from client secrets to OIDC and Integrated Smoke Testing Automation into the pipeline

Author: Prajwal-Microsoft

.github/workflows/deploy-orchestrator.yml

@@ -4,7 +4,7 @@ on:
   workflow_call:
     inputs:
       runner_os:
-        description: 'Runner OS (ubuntu-latest, windows-latest, or devcontainer)'
+        description: 'Runner OS (ubuntu-latest or windows-latest)'
         required: true
         type: string
       azure_location:
@@ -69,11 +69,7 @@ on:
 
 env:
   AZURE_DEV_COLLECT_TELEMETRY: ${{ vars.AZURE_DEV_COLLECT_TELEMETRY }}
-permissions:
-  contents: read
-  actions: read
-  packages: write  # Required by job-deploy → job-deploy-devcontainer to push devcontainer image to GHCR
-  
+
 jobs:
   docker-build:
     uses: ./.github/workflows/job-docker-build.yml
@@ -104,8 +100,7 @@ jobs:
     secrets: inherit
 
   e2e-test:
-    # if: "!cancelled() && ((needs.deploy.result == 'success' && needs.deploy.outputs.WEB_APPURL != '') || (inputs.existing_webapp_url != '' && inputs.existing_webapp_url != null)) && (inputs.trigger_type != 'workflow_dispatch' || (inputs.run_e2e_tests != 'None' && inputs.run_e2e_tests != '' && inputs.run_e2e_tests != null))"
-    if: false # Temporarily disable E2E tests
+    if: "!cancelled() && ((needs.deploy.result == 'success' && needs.deploy.outputs.WEB_APPURL != '') || (inputs.existing_webapp_url != '' && inputs.existing_webapp_url != null)) && (inputs.trigger_type != 'workflow_dispatch' || (inputs.run_e2e_tests != 'None' && inputs.run_e2e_tests != '' && inputs.run_e2e_tests != null))"
     needs: [docker-build, deploy]
     uses: ./.github/workflows/test-automation-v2.yml
     with:

.github/workflows/deploy-ci.yml .github/workflows/deploy-v2.yml.github/workflows/deploy-ci.yml renamed to .github/workflows/deploy-v2.yml

@@ -27,7 +27,6 @@ on:
         type: choice
         options:
           - 'codespace'
-          - 'Devcontainer'
           - 'Local'
         default: 'codespace'
 
@@ -116,7 +115,8 @@ on:
 permissions:
   contents: read
   actions: read
-  packages: write  # Required by deploy-orchestrator → job-deploy → job-deploy-devcontainer for GHCR
+  id-token: write  # Required for OIDC-based Azure authentication
+  packages: write  # Required for GHCR operations
 jobs:
   validate-inputs:
     runs-on: ubuntu-latest
@@ -157,8 +157,8 @@ jobs:
           
           # Validate runner_os (specific allowed values) and derive actual runner
           RUNNER_OS_INPUT="${INPUT_RUNNER_OS:-codespace}"
-          if [[ "$RUNNER_OS_INPUT" != "codespace" && "$RUNNER_OS_INPUT" != "Devcontainer" && "$RUNNER_OS_INPUT" != "Local" ]]; then
-            echo "❌ ERROR: runner_os must be one of: codespace, Devcontainer, Local, got: '$RUNNER_OS_INPUT'"
+          if [[ "$RUNNER_OS_INPUT" != "codespace" && "$RUNNER_OS_INPUT" != "Local" ]]; then
+            echo "❌ ERROR: runner_os must be one of: codespace, Local, got: '$RUNNER_OS_INPUT'"
             VALIDATION_FAILED=true
           else
             echo "✅ runner_os: '$RUNNER_OS_INPUT' is valid"
@@ -167,8 +167,6 @@ jobs:
           # Derive actual runner from runner_os input
           if [[ "$RUNNER_OS_INPUT" == "codespace" ]]; then
             RUNNER_OS="ubuntu-latest"
-          elif [[ "$RUNNER_OS_INPUT" == "Devcontainer" ]]; then
-            RUNNER_OS="devcontainer"
           else
             RUNNER_OS="windows-latest"
           fi

.github/workflows/deploy-windows.yml

@@ -31,9 +31,11 @@ on:
 permissions:
   contents: read
   actions: read
+  id-token: write  # Required for OIDC-based Azure authentication
 jobs:
   build-and-push:
     runs-on: ubuntu-latest
+    environment: production
 
     steps:
       - name: Checkout repository
@@ -42,13 +44,18 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
-      - name: Log in to Azure Container Registry
+      - name: Login to Azure (OIDC)
         if: ${{ (github.event_name == 'push' && (github.ref_name == 'main' || github.ref_name == 'dev' || github.ref_name == 'demo')) || (github.event_name == 'workflow_dispatch' && (github.ref_name == 'dependabotchanges'||github.ref_name == 'main' || github.ref_name == 'dev' || github.ref_name == 'demo')) }}
-        uses: azure/docker-login@v2 
+        uses: azure/login@v2
         with:
-          login-server: ${{ secrets.ACR_LOGIN_SERVER }}
-          username: ${{ secrets.ACR_USERNAME }}
-          password: ${{ secrets.ACR_PASSWORD }}
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+      - name: Log in to Azure Container Registry
+        if: ${{ (github.event_name == 'push' && (github.ref_name == 'main' || github.ref_name == 'dev' || github.ref_name == 'demo')) || (github.event_name == 'workflow_dispatch' && (github.ref_name == 'dependabotchanges'||github.ref_name == 'main' || github.ref_name == 'dev' || github.ref_name == 'demo')) }}
+        shell: bash
+        run: az acr login --name ${{ secrets.ACR_LOGIN_SERVER }}
 
       - name: Get current date
         id: date