
Commit 91ed988

Use OIDC keys for the OSPO API (dotnet#40674)
* Use OIDC keys for the OSPO API Relies on dotnet/docs-tools#335 Update the YML files for the OIDC authorization protocol * Apply suggestions from code review Co-authored-by: David Pine <[email protected]> --------- Co-authored-by: David Pine <[email protected]>
1 parent 89ab86f commit 91ed988


3 files changed

+43
-6
lines changed


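--- a/.github/workflows/quest-bulk.yml
+++ b/.github/workflows/quest-bulk.yml
@@ -21,16 +21,28 @@ jobs:
 run: |
 echo "Reason: ${{ github.event.inputs.reason }}"
 
+- name: Azure OpenID Connect
+uses: azure/login@v2
+with:
+client-id: ${{ secrets.CLIENT_ID }}
+tenant-id: ${{ secrets.TENANT_ID }}
+audience: ${{ secrets.OSMP_API_AUDIENCE }}
+allow-no-subscriptions: true
+
+- name: OSMP API access
+run: |
+TOKEN=$(az account get-access-token --query 'accessToken' -o tsv --resource ${{ secrets.OSMP_API_AUDIENCE }})
+echo "AZURE_ACCESS_TOKEN=$TOKEN" >> $GITHUB_ENV
+
 - name: bulk-sequester
 id: bulk-sequester
 uses: dotnet/docs-tools/actions/sequester@main
 env:
 ImportOptions__ApiKeys__GitHubToken: ${{ secrets.GITHUB_TOKEN }}
-ImportOptions__ApiKeys__OSPOKey: ${{ secrets.OSPO_KEY }}
 ImportOptions__ApiKeys__QuestKey: ${{ secrets.QUEST_KEY }}
+ImportOptions__ApiKeys__AzureAccessToken: ${{ env.AZURE_ACCESS_TOKEN }}
 ImportOptions__ApiKeys__SequesterPrivateKey: ${{ secrets.SEQUESTER_PRIVATEKEY }}
 ImportOptions__ApiKeys__SequesterAppID: ${{ secrets.SEQUESTER_APPID }}
-
 with:
 org: ${{ github.repository_owner }}
 repo: ${{ github.repository }}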
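Review bot: The `OSMP API access` step writes the bearer token to `$GITHUB_ENV` without registering it as a masked value, so a later step or action in the job that prints its environment or runs with debug logging would show it in plain text in the job log. Add `echo "::add-mask::$TOKEN"` on the line before `echo "AZURE_ACCESS_TOKEN=$TOKEN" >> $GITHUB_ENV`. Writing to `$GITHUB_ENV` also hands the token to every subsequent step in the job; a step output read only by the sequester step would narrow that. The same two lines are added in quest.yml and whats-new.yml. The job header is outside the hunk, so whether `permissions: id-token: write` is set for the OIDC login cannot be confirmed from here.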

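--- a/.github/workflows/quest.yml
+++ b/.github/workflows/quest.yml
@@ -30,14 +30,27 @@ jobs:
 echo "Reason: ${{ github.event.inputs.reason }}"
 echo "Issue number: ${{ github.event.inputs.issue }}"
 
+- name: Azure OpenID Connect
+uses: azure/login@v2
+with:
+client-id: ${{ secrets.CLIENT_ID }}
+tenant-id: ${{ secrets.TENANT_ID }}
+audience: ${{ secrets.OSMP_API_AUDIENCE }}
+allow-no-subscriptions: true
+
+- name: OSMP API access
+run: |
+TOKEN=$(az account get-access-token --query 'accessToken' -o tsv --resource ${{ secrets.OSMP_API_AUDIENCE }})
+echo "AZURE_ACCESS_TOKEN=$TOKEN" >> $GITHUB_ENV
+
 # This step occurs when ran manually, passing the manual issue number input
 - name: manual-sequester
 if: ${{ github.event_name == 'workflow_dispatch' }}
 id: manual-sequester
 uses: dotnet/docs-tools/actions/sequester@main
 env:
 ImportOptions__ApiKeys__GitHubToken: ${{ secrets.GITHUB_TOKEN }}
-ImportOptions__ApiKeys__OSPOKey: ${{ secrets.OSPO_KEY }}
+ImportOptions__ApiKeys__AzureAccessToken: ${{ env.AZURE_ACCESS_TOKEN }}
 ImportOptions__ApiKeys__QuestKey: ${{ secrets.QUEST_KEY }}
 ImportOptions__ApiKeys__SequesterPrivateKey: ${{ secrets.SEQUESTER_PRIVATEKEY }}
 ImportOptions__ApiKeys__SequesterAppID: ${{ secrets.SEQUESTER_APPID }}
@@ -53,12 +66,11 @@ jobs:
 uses: dotnet/docs-tools/actions/sequester@main
 env:
 ImportOptions__ApiKeys__GitHubToken: ${{ secrets.GITHUB_TOKEN }}
-ImportOptions__ApiKeys__OSPOKey: ${{ secrets.OSPO_KEY }}
+ImportOptions__ApiKeys__AzureAccessToken: $AZURE_ACCESS_TOKEN
 ImportOptions__ApiKeys__QuestKey: ${{ secrets.QUEST_KEY }}
 ImportOptions__ApiKeys__SequesterPrivateKey: ${{ secrets.SEQUESTER_PRIVATEKEY }}
 ImportOptions__ApiKeys__SequesterAppID: ${{ secrets.SEQUESTER_APPID }}
 with:
 org: ${{ github.repository_owner }}
 repo: ${{ github.repository }}
 issue: ${{ github.event.issue.number }}
-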
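Review bot: In the second hunk the added line `ImportOptions__ApiKeys__AzureAccessToken: $AZURE_ACCESS_TOKEN` sits in a step-level `env:` mapping, where no shell expansion takes place, so the action would receive the literal text `$AZURE_ACCESS_TOKEN` rather than the token and its OSMP call would presumably be rejected. The manual-sequester step in the first hunk uses the expression form, and this one should match it: `ImportOptions__ApiKeys__AzureAccessToken: ${{ env.AZURE_ACCESS_TOKEN }}`. The step's name and `if:` condition lie above the hunk, so which trigger it serves is not visible here.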

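--- a/.github/workflows/whats-new.yml
+++ b/.github/workflows/whats-new.yml
@@ -25,10 +25,23 @@ jobs:
 run: |
 echo "Reason: ${{ github.event.inputs.reason }}"
 
+- name: Azure OpenID Connect
+uses: azure/login@v2
+with:
+client-id: ${{ secrets.CLIENT_ID }}
+tenant-id: ${{ secrets.TENANT_ID }}
+audience: ${{ secrets.OSMP_API_AUDIENCE }}
+allow-no-subscriptions: true
+
+- name: OSMP API access
+run: |
+TOKEN=$(az account get-access-token --query 'accessToken' -o tsv --resource ${{ secrets.OSMP_API_AUDIENCE }})
+echo "AZURE_ACCESS_TOKEN=$TOKEN" >> $GITHUB_ENV
+
 - uses: dotnet/docs-tools/WhatsNew.Cli@main
 env:
 GitHubKey: ${{ secrets.GITHUB_TOKEN }}
-OspoKey: ${{ secrets.OSPO_KEY }}
+AZURE_ACCESS_TOKEN: ${{ env.AZURE_ACCESS_TOKEN }}
 with:
 owner: dotnet
 repo: docs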
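Review bot: `uses: azure/login@v2` references a movable tag for the step that exchanges the workflow's OIDC identity for Azure credentials, so a retagged release would run with that identity without any change in this repository. Pin it to a full commit SHA with the version as a trailing comment, e.g. `uses: azure/login@<full-commit-sha> # v2`, here and in the same step added to quest-bulk.yml and quest.yml. The token then flows into `dotnet/docs-tools/WhatsNew.Cli@main`, which tracks a branch; that line is only context in this hunk, but the same pinning is worth applying now that the action receives a live access token.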
