Use OIDC keys for the OSPO API (dotnet#40674)

BillWagner · IEvangelist · web-flow · commit 91ed98836711 · 2024-04-30T15:21:02.000Z
* Use OIDC keys for the OSPO API Relies on dotnet/docs-tools#335 Update the YML files for the OIDC authorization protocol * Apply suggestions from code review Co-authored-by: David Pine <david.pine@microsoft.com> --------- Co-authored-by: David Pine <david.pine@microsoft.com>
diff --git a/.github/workflows/quest-bulk.yml b/.github/workflows/quest-bulk.yml
@@ -21,16 +21,28 @@ jobs:
         run: |
           echo "Reason: ${{ github.event.inputs.reason }}"
 
+      - name: Azure OpenID Connect
+        uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.CLIENT_ID }}
+          tenant-id: ${{ secrets.TENANT_ID }}
+          audience: ${{ secrets.OSMP_API_AUDIENCE }}
+          allow-no-subscriptions: true
+ 
+      - name: OSMP API access
+        run: |
+          TOKEN=$(az account get-access-token --query 'accessToken' -o tsv --resource ${{ secrets.OSMP_API_AUDIENCE }})
+          echo "AZURE_ACCESS_TOKEN=$TOKEN" >> $GITHUB_ENV
+     
       - name: bulk-sequester
         id: bulk-sequester
         uses: dotnet/docs-tools/actions/sequester@main
         env:
           ImportOptions__ApiKeys__GitHubToken: ${{ secrets.GITHUB_TOKEN }}
-          ImportOptions__ApiKeys__OSPOKey: ${{ secrets.OSPO_KEY }}
           ImportOptions__ApiKeys__QuestKey: ${{ secrets.QUEST_KEY }}
+          ImportOptions__ApiKeys__AzureAccessToken: ${{ env.AZURE_ACCESS_TOKEN }}
           ImportOptions__ApiKeys__SequesterPrivateKey: ${{ secrets.SEQUESTER_PRIVATEKEY }}
           ImportOptions__ApiKeys__SequesterAppID: ${{ secrets.SEQUESTER_APPID }}
-          
         with:
           org: ${{ github.repository_owner }}
           repo: ${{ github.repository }}
diff --git a/.github/workflows/quest.yml b/.github/workflows/quest.yml
@@ -30,14 +30,27 @@ jobs:
           echo "Reason: ${{ github.event.inputs.reason }}"
           echo "Issue number: ${{ github.event.inputs.issue }}"
 
+      - name: Azure OpenID Connect
+        uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.CLIENT_ID }}
+          tenant-id: ${{ secrets.TENANT_ID }}
+          audience: ${{ secrets.OSMP_API_AUDIENCE }}
+          allow-no-subscriptions: true
+ 
+      - name: OSMP API access
+        run: |
+          TOKEN=$(az account get-access-token --query 'accessToken' -o tsv --resource ${{ secrets.OSMP_API_AUDIENCE }})
+          echo "AZURE_ACCESS_TOKEN=$TOKEN" >> $GITHUB_ENV
+
       # This step occurs when ran manually, passing the manual issue number input
       - name: manual-sequester
         if: ${{ github.event_name == 'workflow_dispatch' }}
         id: manual-sequester
         uses: dotnet/docs-tools/actions/sequester@main
         env:
           ImportOptions__ApiKeys__GitHubToken: ${{ secrets.GITHUB_TOKEN }}
-          ImportOptions__ApiKeys__OSPOKey: ${{ secrets.OSPO_KEY }}
+          ImportOptions__ApiKeys__AzureAccessToken: ${{ env.AZURE_ACCESS_TOKEN }}
           ImportOptions__ApiKeys__QuestKey: ${{ secrets.QUEST_KEY }}
           ImportOptions__ApiKeys__SequesterPrivateKey: ${{ secrets.SEQUESTER_PRIVATEKEY }}
           ImportOptions__ApiKeys__SequesterAppID: ${{ secrets.SEQUESTER_APPID }}
@@ -53,12 +66,11 @@ jobs:
         uses: dotnet/docs-tools/actions/sequester@main
         env:
           ImportOptions__ApiKeys__GitHubToken: ${{ secrets.GITHUB_TOKEN }}
-          ImportOptions__ApiKeys__OSPOKey: ${{ secrets.OSPO_KEY }}
+          ImportOptions__ApiKeys__AzureAccessToken: $AZURE_ACCESS_TOKEN
           ImportOptions__ApiKeys__QuestKey: ${{ secrets.QUEST_KEY }}
           ImportOptions__ApiKeys__SequesterPrivateKey: ${{ secrets.SEQUESTER_PRIVATEKEY }}
           ImportOptions__ApiKeys__SequesterAppID: ${{ secrets.SEQUESTER_APPID }}
         with:
           org: ${{ github.repository_owner }}
           repo: ${{ github.repository }}
           issue: ${{ github.event.issue.number }}
-          
diff --git a/.github/workflows/whats-new.yml b/.github/workflows/whats-new.yml
@@ -25,10 +25,23 @@ jobs:
         run: |
           echo "Reason: ${{ github.event.inputs.reason }}"
 
+      - name: Azure OpenID Connect
+        uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.CLIENT_ID }}
+          tenant-id: ${{ secrets.TENANT_ID }}
+          audience: ${{ secrets.OSMP_API_AUDIENCE }}
+          allow-no-subscriptions: true
+ 
+      - name: OSMP API access
+        run: |
+          TOKEN=$(az account get-access-token --query 'accessToken' -o tsv --resource ${{ secrets.OSMP_API_AUDIENCE }})
+          echo "AZURE_ACCESS_TOKEN=$TOKEN" >> $GITHUB_ENV
+     
       - uses: dotnet/docs-tools/WhatsNew.Cli@main
         env:
           GitHubKey: ${{ secrets.GITHUB_TOKEN }}
-          OspoKey: ${{ secrets.OSPO_KEY }}
+          AZURE_ACCESS_TOKEN: ${{ env.AZURE_ACCESS_TOKEN }}
         with:
           owner: dotnet
           repo: docs
