[IDP-3236] Use IDP managed secrets solution for CI and publish workflows

heqianwang · heqianwang · commit 2dc9508cd870 · 2025-03-31T12:18:00.000-04:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -14,6 +14,12 @@ concurrency:
   group: ${{ github.workflow }}-${{github.event_name}}-${{ github.head_ref || github.ref_name }}
   cancel-in-progress: true
 
+# We are using OpenID Connect to authenticate with Azure with secret.
+# https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-azure
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
   ci:
     strategy:
@@ -67,3 +73,5 @@ jobs:
 
 
 
+
+
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -5,6 +5,12 @@ on:
     branches: ["main"]
     tags: ["*.*.*"]
 
+# We are using OpenID Connect to authenticate with Azure with secret.
+# https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-azure
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
   main:
     runs-on: [self-hosted, idp]
@@ -48,3 +54,4 @@ jobs:
 
 
 
+
